.rn '' }`
|
|
''' $RCSfile: ethereal.1,v $$Revision: 1.4 $$Date: 1998/10/13 02:10:53 $
|
|
'''
|
|
''' $Log: ethereal.1,v $
|
|
''' Revision 1.4 1998/10/13 02:10:53 gerald
|
|
''' * Pod page update
|
|
''' * Minor tweaks to the filter prefs
|
|
'''
|
|
'''
|
|
.de Sh
|
|
.br
|
|
.if t .Sp
|
|
.ne 5
|
|
.PP
|
|
\fB\\$1\fR
|
|
.PP
|
|
..
|
|
.de Sp
|
|
.if t .sp .5v
|
|
.if n .sp
|
|
..
|
|
.de Ip
|
|
.br
|
|
.ie \\n(.$>=3 .ne \\$3
|
|
.el .ne 3
|
|
.IP "\\$1" \\$2
|
|
..
|
|
.de Vb
|
|
.ft CW
|
|
.nf
|
|
.ne \\$1
|
|
..
|
|
.de Ve
|
|
.ft R
|
|
|
|
.fi
|
|
..
|
|
'''
|
|
'''
|
|
''' Set up \*(-- to give an unbreakable dash;
|
|
''' string Tr holds user defined translation string.
|
|
''' Bell System Logo is used as a dummy character.
|
|
'''
|
|
.tr \(*W-|\(bv\*(Tr
|
|
.ie n \{\
|
|
.ds -- \(*W-
|
|
.ds PI pi
|
|
.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
|
.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
|
.ds L" ""
|
|
.ds R" ""
|
|
''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
|
|
''' \*(L" and \*(R", except that they are used on ".xx" lines,
|
|
''' such as .IP and .SH, which do another additional levels of
|
|
''' double-quote interpretation
|
|
.ds M" """
|
|
.ds S" """
|
|
.ds N" """""
|
|
.ds T" """""
|
|
.ds L' '
|
|
.ds R' '
|
|
.ds M' '
|
|
.ds S' '
|
|
.ds N' '
|
|
.ds T' '
|
|
'br\}
|
|
.el\{\
|
|
.ds -- \(em\|
|
|
.tr \*(Tr
|
|
.ds L" ``
|
|
.ds R" ''
|
|
.ds M" ``
|
|
.ds S" ''
|
|
.ds N" ``
|
|
.ds T" ''
|
|
.ds L' `
|
|
.ds R' '
|
|
.ds M' `
|
|
.ds S' '
|
|
.ds N' `
|
|
.ds T' '
|
|
.ds PI \(*p
|
|
'br\}
|
|
.\" If the F register is turned on, we'll generate
|
|
.\" index entries out stderr for the following things:
|
|
.\" TH Title
|
|
.\" SH Header
|
|
.\" Sh Subsection
|
|
.\" Ip Item
|
|
.\" X<> Xref (embedded
|
|
.\" Of course, you have to process the output yourself
|
|
.\" in some meaningful fashion.
|
|
.if \nF \{
|
|
.de IX
|
|
.tm Index:\\$1\t\\n%\t"\\$2"
|
|
..
|
|
.nr % 0
|
|
.rr F
|
|
.\}
|
|
.TH ETHEREAL 1 "0.4.0" "12/Oct/98" "The Ethereal Network Analyzer"
|
|
.UC
|
|
.if n .hy 0
|
|
.if n .na
|
|
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
|
.de CQ \" put $1 in typewriter font
|
|
.ft CW
|
|
'if n "\c
|
|
'if t \\&\\$1\c
|
|
'if n \\&\\$1\c
|
|
'if n \&"
|
|
\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
|
|
'.ft R
|
|
..
|
|
.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
|
|
. \" AM - accent mark definitions
|
|
.bd B 3
|
|
. \" fudge factors for nroff and troff
|
|
.if n \{\
|
|
. ds #H 0
|
|
. ds #V .8m
|
|
. ds #F .3m
|
|
. ds #[ \f1
|
|
. ds #] \fP
|
|
.\}
|
|
.if t \{\
|
|
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
|
. ds #V .6m
|
|
. ds #F 0
|
|
. ds #[ \&
|
|
. ds #] \&
|
|
.\}
|
|
. \" simple accents for nroff and troff
|
|
.if n \{\
|
|
. ds ' \&
|
|
. ds ` \&
|
|
. ds ^ \&
|
|
. ds , \&
|
|
. ds ~ ~
|
|
. ds ? ?
|
|
. ds ! !
|
|
. ds /
|
|
. ds q
|
|
.\}
|
|
.if t \{\
|
|
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
|
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
|
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
|
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
|
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
|
. ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
|
|
. ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
|
|
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
|
. ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
|
|
.\}
|
|
. \" troff and (daisy-wheel) nroff accents
|
|
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
|
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
|
.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
|
|
.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
|
|
.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
|
|
.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
|
|
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
|
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
|
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
|
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
|
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
|
.ds ae a\h'-(\w'a'u*4/10)'e
|
|
.ds Ae A\h'-(\w'A'u*4/10)'E
|
|
.ds oe o\h'-(\w'o'u*4/10)'e
|
|
.ds Oe O\h'-(\w'O'u*4/10)'E
|
|
. \" corrections for vroff
|
|
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
|
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
|
. \" for low resolution devices (crt and lpr)
|
|
.if \n(.H>23 .if \n(.V>19 \
|
|
\{\
|
|
. ds : e
|
|
. ds 8 ss
|
|
. ds v \h'-1'\o'\(aa\(ga'
|
|
. ds _ \h'-1'^
|
|
. ds . \h'-1'.
|
|
. ds 3 3
|
|
. ds o a
|
|
. ds d- d\h'-1'\(ga
|
|
. ds D- D\h'-1'\(hy
|
|
. ds th \o'bp'
|
|
. ds Th \o'LP'
|
|
. ds ae ae
|
|
. ds Ae AE
|
|
. ds oe oe
|
|
. ds Oe OE
|
|
.\}
|
|
.rm #[ #] #H #V #F C
|
|
.SH "NAME"
|
|
Ethereal \- Interactively browse network traffic
|
|
.SH "SYNOPSIS"
|
|
\fBethereal\fR
|
|
[\ \fB\-B\fR\ byte\ view\ height\ ]
|
|
[\ \fB\-b\fR\ bold\ font\ ]
|
|
[\ \fB\-c\fR\ count\ ]
|
|
[\ \fB\-h\fR\ ]
|
|
[\ \fB\-i\fR\ interface\ ]
|
|
[\ \fB\-m\fR\ font\ ]
|
|
[\ \fB\-n\fR\ ]
|
|
[\ \fB\-P\fR\ packet\ list\ height\ ]
|
|
[\ \fB\-r\fR\ infile\ ]
|
|
[\ \fB\-s\fR\ snaplen\ ]
|
|
[\ \fB\-T\fR\ tree\ view\ height\ ]
|
|
[\ \fB\-t\fR\ time\ stamp\ format\ ]
|
|
[\ \fB\-v\fR\ ]
|
|
[\ \fB\-w\fR\ savefile]
|
|
.SH "DESCRIPTION"
|
|
\fBEthereal\fR is a network protocol analyzer based on the \fBGTK+\fR GUI toolkit. It lets
|
|
you interactively browse packet data from a live network or from a \fBpcap\fR
|
|
/ \fBtcpdump\fR formatted capture file.
|
|
.SH "OPTIONS"
|
|
.Ip "-B" 4
|
|
Sets the initial height of the byte view (bottom) pane
|
|
.Ip "-b" 4
|
|
The bold font name used for packet field display.
|
|
.Ip "-c" 4
|
|
The default number of packets to read when capturing live data.
|
|
.Ip "-h" 4
|
|
Prints the version and options and exits.
|
|
.Ip "-i" 4
|
|
The name of the interface to use for live packet capture. It should match
|
|
one of the names listed in \*(L"\fBnetstat \-i\fR\*(R" or \*(L"\fBifconfig \-a\fR\*(R". Opening an interface for live capture typically requires the privileges needed to access the capture device (on most Unix systems, root).
|
|
.Ip "-m" 4
|
|
The font name used by \fBEthereal\fR.
|
|
.Ip "-n" 4
|
|
Disable network object name resolution (such as hostname, \s-1TCP\s0 and \s-1UDP\s0 port
|
|
names).
|
|
.Ip "-P" 4
|
|
Sets the initial height of the packet list (top) pane
|
|
.Ip "-r" 4
|
|
Read packet data from \fIinfile\fR. Currently, \fBEthereal\fR only understands
|
|
\fBpcap\fR / \fBtcpdump\fR formatted files.
|
|
.Ip "-s" 4
|
|
The default snapshot length to use when capturing live data. No more than
|
|
\fIsnaplen\fR bytes of each network packet will be read into memory, or saved
|
|
to disk.
|
|
.Ip "-T" 4
|
|
Sets the initial height of the tree view (middle) pane
|
|
.Ip "-t" 4
|
|
Sets the format of the packet timestamp displayed in the packet list
|
|
window.
|
|
.Ip "-v" 4
|
|
Prints the version and exits.
|
|
.Ip "-w" 4
|
|
Sets the default capture file name.
|
|
.SH "INTERFACE"
|
|
.Sh "\s-1MENU\s0 \s-1ITEMS\s0"
|
|
.Ip "File:Open, File:Close, File:Reload" 4
|
|
Open, close, or reload a capture file.
|
|
.Ip "File:Print Packet" 4
|
|
Print a description of each protocol header found in the packet, followed
|
|
by the packet data itself. Printing options can be set with the
|
|
\fIEdit:Preferences\fR menu item.
|
|
.Ip "File:Quit" 4
|
|
Exits the application.
|
|
.Ip "Edit:Preferences" 4
|
|
Sets the packet printing and filter options (see the section on \fIPreferences\fR below).
|
|
.Ip "Tools:Capture" 4
|
|
Initiates a live packet capture (see the section on \fICapture Preferences\fR below).
|
|
.Ip "Tools:Follow \s-1TCP\s0 Stream" 4
|
|
If you have a \s-1TCP\s0 packet selected, it will display the contents of the \s-1TCP\s0
|
|
data stream in a separate window.
|
|
.Sh "\s-1WINDOWS\s0"
|
|
.Ip "Main Window" 4
|
|
The main window is split into three panes. You can resize each pane using
|
|
a \*(L"thumb\*(R" at the right end of each divider line. Below the panes is a
|
|
strip that shows the file load progress, current filter, and informational
|
|
text.
|
|
.Sp
|
|
The top pane contains the list of network packets that you can scroll
|
|
through and select. The packet number, packet timestamp, source and
|
|
destination addresses, protocol, and description are printed for each
|
|
packet. An effort is made to display information as high up the protocol
|
|
stack as possible, e.g. \s-1IP\s0 addresses are displayed for \s-1IP\s0 packets, but the
|
|
\s-1MAC\s0 layer address is displayed for unknown packet types.
|
|
.Sp
|
|
The middle pane contains a \fIprotocol tree\fR for the currently-selected
|
|
packet. The tree displays each field and its value in each protocol header
|
|
in the stack.
|
|
.Sp
|
|
The lowest pane contains a hex dump of the actual packet data.
|
|
Selecting a field in the \fIprotocol tree\fR highlights the corresponding
|
|
bytes in this section.
|
|
.Sp
|
|
A display filter can be entered into the strip at the bottom. It must
|
|
have the same format as \fBtcpdump\fR filter strings, since both programs use
|
|
the same underlying library. A filter for \s-1HTTP\s0, \s-1HTTPS\s0, and \s-1DNS\s0 traffic
|
|
might look like this:
|
|
.Sp
|
|
.Vb 1
|
|
\& tcp port 80 or tcp port 443 or port 53
|
|
.Ve
|
|
Selecting the \fIFilter:\fR button lets you choose from a list of named
|
|
filters that you can optionally save.
|
|
.Ip "Preferences" 4
|
|
The \fIPreferences\fR dialog lets you select the output format of packets
|
|
printed using the \fIFile:Print Packet\fR menu item and configure
|
|
commonly-used filters.
|
|
.Ip "Printing Preferences" 10
|
|
The radio buttons at the top of the \fIPrinting\fR page allow you choose
|
|
between printing the packets as text or PostScript, and sending the
|
|
output directly to a command or saving it to a file. The \fICommand:\fR text
|
|
entry box is the command that receives the print output (usually \fBlpr\fR); \fBEthereal\fR runs whatever command is entered here with your privileges, so take care with its contents. The
|
|
\fIFile:\fR entry box lets you enter the name of the file you wish to save
|
|
to. Additionally, you can select the \fIFile:\fR button to browse the file
|
|
system for a particular save file.
|
|
.Ip "Filters" 10
|
|
The \fIFilters\fR page lets you create and modify filters, and set the
|
|
default filter to use when capturing data or opening a capture file.
|
|
.Sp
|
|
The \fIFilter name\fR entry specifies a descriptive name for a filter, e.g.
|
|
\fBWeb and \s-1DNS\s0 traffic\fR. The \fIFilter string\fR entry is the text that
|
|
actually describes the filtering action to take, as described above. The
|
|
dialog buttons perform the following actions:
|
|
.Ip "New" 18
|
|
If there is text in the two entry boxes, it creates a new associated list
|
|
item.
|
|
.Ip "Change" 18
|
|
Modifies the currently selected list item to match what's in the entry
|
|
boxes.
|
|
.Ip "Copy" 18
|
|
Makes a copy of the currently selected list item.
|
|
.Ip "Delete" 18
|
|
Deletes the currently selected list item.
|
|
.Ip "\s-1OK\s0" 18
|
|
Sets the currently selected list item as the active filter. If nothing
|
|
is selected, turns filtering off.
|
|
.Ip "Save" 18
|
|
Saves the current filter list in \fI$\s-1HOME\s0/.ethereal/filters\fR.
|
|
.Ip "Cancel" 18
|
|
Closes the dialog without making any changes.
|
|
.Ip "Capture Preferences" 4
|
|
The \fICapture Preferences\fR dialog lets you specify various parameters for
|
|
capturing live packet data.
|
|
.Sp
|
|
The \fIInterface:\fR entry box lets you specify the interface from which to
|
|
capture packet data. The \fICount:\fR entry specifies the number of packets
|
|
to capture. Entering 0 will capture packets indefinitely. The \fIFilter:\fR
|
|
entry lets you specify the capture filter using a tcpdump-style filter
|
|
string as described above. The \fIFile:\fR entry specifies the file to save
|
|
to, as in the \fIPrinting Preferences\fR page described above. You can choose to open the
|
|
file after capture, and you can also specify the maximum number of bytes
|
|
to capture per packet with the \fICapture length\fR entry.
|
|
.SH "SEE ALSO"
|
|
the \fItcpdump(1)\fR manpage, the \fIpcap(3)\fR manpage
|
|
.SH "NOTES"
|
|
The latest version of \fBethereal\fR can be found at
|
|
\fBhttp://ethereal.zing.org\fR.
|
|
.SH "AUTHORS"
|
|
.PP
|
|
.Vb 3
|
|
\& Original Author
|
|
\& -------- ------
|
|
\& Gerald Combs <gerald@zing.org>
|
|
.Ve
|
|
.Vb 8
|
|
\& Contributors
|
|
\& ------------
|
|
\& Gilbert Ramirez Jr. <gram@verdict.uthscsa.edu>
|
|
\& Hannes R. Boehm <hannes@boehm.org>
|
|
\& Mike Hall <mlh@io.com>
|
|
\& Bobo Rajec <bobo@bsp-consulting.sk>
|
|
\& Laurent Deniel <deniel@worldnet.fr>
|
|
\& Don Lafontaine <lafont02@cn.ca>
|
|
.Ve
|
|
Alain Magloire <alainm@rcsm.ece.mcgill.ca> was kind enough to give his
|
|
permission to use his version of snprintf.c.
|
|
.PP
|
|
Dan Lasley <dlasley@promus.com> gave permission for his \fIdumpit()\fR hex-dump
|
|
routine to be used.
|
|
|
|
.rn }` ''
|
|
.IX Title "ETHEREAL 1"
|
|
.IX Name "Ethereal - Interactively browse network traffic"
|
|
|
|
.IX Header "NAME"
|
|
|
|
.IX Header "SYNOPSIS"
|
|
|
|
.IX Header "DESCRIPTION"
|
|
|
|
.IX Header "OPTIONS"
|
|
|
|
.IX Item "-B"
|
|
|
|
.IX Item "-b"
|
|
|
|
.IX Item "-c"
|
|
|
|
.IX Item "-h"
|
|
|
|
.IX Item "-i"
|
|
|
|
.IX Item "-m"
|
|
|
|
.IX Item "-n"
|
|
|
|
.IX Item "-P"
|
|
|
|
.IX Item "-r"
|
|
|
|
.IX Item "-s"
|
|
|
|
.IX Item "-T"
|
|
|
|
.IX Item "-t"
|
|
|
|
.IX Item "-v"
|
|
|
|
.IX Item "-w"
|
|
|
|
.IX Header "INTERFACE"
|
|
|
|
.IX Subsection "\s-1MENU\s0 \s-1ITEMS\s0"
|
|
|
|
.IX Item "File:Open, File:Close, File:Reload"
|
|
|
|
.IX Item "File:Print Packet"
|
|
|
|
.IX Item "File:Quit"
|
|
|
|
.IX Item "Edit:Preferences"
|
|
|
|
.IX Item "Tools:Capture"
|
|
|
|
.IX Item "Tools:Follow \s-1TCP\s0 Stream"
|
|
|
|
.IX Subsection "\s-1WINDOWS\s0"
|
|
|
|
.IX Item "Main Window"
|
|
|
|
.IX Item "Preferences"
|
|
|
|
.IX Item "Printing Preferences"
|
|
|
|
.IX Item "Filters"
|
|
|
|
.IX Item "New"
|
|
|
|
.IX Item "Change"
|
|
|
|
.IX Item "Copy"
|
|
|
|
.IX Item "Delete"
|
|
|
|
.IX Item "\s-1OK\s0"
|
|
|
|
.IX Item "Save"
|
|
|
|
.IX Item "Cancel"
|
|
|
|
.IX Item "Capture Preferences"
|
|
|
|
.IX Header "SEE ALSO"
|
|
|
|
.IX Header "NOTES"
|
|
|
|
.IX Header "AUTHORS"
|
|
|