96a18fb8cf
IO-Users is a feature for tethereal that will print statistics on io usage similar to top talkers in other tools. It needs to be ported to ethereal with a nice graph sometime later. try: -z io,users,ip see man-page svn path=/trunk/; revision=6972
761 lines
29 KiB
Text
761 lines
29 KiB
Text
|
|
=head1 NAME
|
|
|
|
tethereal - Dump and analyze network traffic
|
|
|
|
=head1 SYNOPSYS
|
|
|
|
B<tethereal>
|
|
S<[ B<-a> capture autostop condition ] ...>
|
|
S<[ B<-b> number of ring buffer files ]>
|
|
S<[ B<-c> count ]>
|
|
S<[ B<-D> ]>
|
|
S<[ B<-f> capture filter expression ]>
|
|
S<[ B<-F> file format ]>
|
|
S<[ B<-h> ]>
|
|
S<[ B<-i> interface ]>
|
|
S<[ B<-l> ]>
|
|
S<[ B<-n> ]>
|
|
S<[ B<-N> resolving flags ]>
|
|
S<[ B<-o> preference setting ] ...>
|
|
S<[ B<-p> ]>
|
|
S<[ B<-q> ]>
|
|
S<[ B<-r> infile ]>
|
|
S<[ B<-R> display filter expression ]>
|
|
S<[ B<-s> snaplen ]>
|
|
S<[ B<-S> ]>
|
|
S<[ B<-t> time stamp format ]>
|
|
S<[ B<-v> ]>
|
|
S<[ B<-V> ]>
|
|
S<[ B<-w> savefile ]>
|
|
S<[ B<-x> ]>
|
|
S<[ B<-z> statistics-string ]>
|
|
S<[ filter expression ]>
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
B<Tethereal> is a network protocol analyzer. It lets you capture packet
|
|
data from a live network, or read packets from a previously saved
|
|
capture file, either printing a decoded form of those packets to the
|
|
standard output or writing the packets to a file. B<Tethereal>'s native
|
|
capture file format is B<libpcap> format, which is also the format used
|
|
by B<tcpdump> and various other tools. In addition, B<Tethereal> can
|
|
read capture files from B<snoop> and B<atmsnoop>, Shomiti/Finisar
|
|
B<Surveyor>, Novell B<LANalyzer>, Network General/Network Associates
|
|
DOS-based B<Sniffer> (compressed or uncompressed), Microsoft B<Network
|
|
Monitor>, AIX's B<iptrace>, Cinco Networks B<NetXRay>, Network
|
|
Associates Windows-based B<Sniffer>, AG Group/WildPackets
|
|
B<EtherPeek>/B<TokenPeek>/B<AiroPeek>, B<RADCOM>'s WAN/LAN analyzer,
|
|
B<Lucent/Ascend> router debug output, HP-UX's B<nettl>, the dump output
|
|
from B<Toshiba's> ISDN routers, the output from B<i4btrace> from the
|
|
ISDN4BSD project, the output in B<IPLog> format from the Cisco Secure
|
|
Intrusion Detection System, B<pppd logs> (pppdump format), the output
|
|
from VMS's B<TCPIPtrace> utility, the text output from the B<DBS
|
|
Etherwatch> VMS utility, traffic capture files from Visual Networks'
|
|
Visual UpTime, and the output from B<CoSine> L2 debug. There is no
|
|
need to tell B<Tethereal> what type of file you are reading; it will
|
|
determine the file type by itself. B<Tethereal> is also capable of
|
|
reading any of these file formats if they are compressed using gzip.
|
|
B<Tethereal> recognizes this directly from the file; the '.gz' extension
|
|
is not required for this purpose.
|
|
|
|
If the B<-w> flag is not specified, B<Tethereal> prints a decoded form
|
|
of the packets it captures or reads; otherwise, it writes those packets
|
|
to the file specified by that flag.
|
|
|
|
When printing a decoded form of packets, B<Tethereal> prints, by
|
|
default, a summary line containing the fields specified by the
|
|
preferences file (which are also the fields displayed in the packet list
|
|
pane in B<Ethereal>), although if it's printing packets as it captures
|
|
them, rather than printing packets from a saved capture file, it won't
|
|
print the "frame number" field. If the B<-V> flag is specified, it
|
|
prints intead a protocol tree, showing all the fields of all protocols
|
|
in the packet.
|
|
|
|
When writing packets to a file, B<Tethereal>, by default, writes the
|
|
file in B<libpcap> format, and writes all of the packets it sees to the
|
|
output file. The B<-F> flag can be used to specify the format in which
|
|
to write the file; it can write the file in B<libpcap> format (standard
|
|
B<libpcap> format, a modified format used by some patched versions of
|
|
B<libpcap>, or the format used by Red Hat Linux 6.1), B<snoop> format,
|
|
uncompressed B<Sniffer> format, Microsoft B<Network Monitor> 1.x format,
|
|
the format used by Windows-based versions of the B<Sniffer>
|
|
software, and the format used by Visual Networks' software.
|
|
|
|
Read filters in B<Tethereal>, which allow you to select which packets
|
|
are to be decoded or written to a file, are very powerful; more fields
|
|
are filterable in B<Tethereal> than in other protocol analyzers, and the
|
|
syntax you can use to create your filters is richer. As B<Tethereal>
|
|
progresses, expect more and more protocol fields to be allowed in read
|
|
filters.
|
|
|
|
Packet capturing is performed with the pcap library. The capture filter
|
|
syntax follows the rules of the pcap library. This syntax is different
|
|
from the read filter syntax. A read filter can also be specified when
|
|
capturing, and only packets that pass the read filter will be displayed
|
|
or saved to the output file; note, however, that capture filters are much
|
|
more efficient than read filters, and it may be more difficult for
|
|
B<Tethereal> to keep up with a busy network if a read filter is
|
|
specified for a live capture.
|
|
|
|
Compressed file support uses (and therefore requires) the zlib library.
|
|
If the zlib library is not present, B<Tethereal> will compile, but will
|
|
be unable to read compressed files.
|
|
|
|
A capture or read filter can either be specified with the B<-f> or B<-R>
|
|
option, respectively, in which case the entire filter expression must be
|
|
specified as a single argument (which means that if it contains spaces,
|
|
it must be quoted), or can be specified with command-line arguments
|
|
after the option arguments, in which case all the arguments after the
|
|
filter arguments are treated as a filter expression. If the filter is
|
|
specified with command-line arguments after the option arguments, it's a
|
|
capture filter if a capture is being done (i.e., if no B<-r> flag was
|
|
specified) and a read filter if a capture file is being read (i.e., if a
|
|
B<-r> flag was specified).
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item -a
|
|
|
|
Specify a criterion that specifies when B<Tethereal> is to stop writing
|
|
to a capture file. The criterion is of the form I<test>B<:>I<value>,
|
|
where I<test> is one of:
|
|
|
|
=for man .RS
|
|
|
|
=for html <P><DL>
|
|
|
|
=item duration
|
|
|
|
Stop writing to a capture file after I<value> seconds have elapsed.
|
|
|
|
=item filesize
|
|
|
|
Stop writing to a capture file after it reaches a size of I<value>
|
|
kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
|
|
|
|
=for man .RE
|
|
|
|
=for html </DL>
|
|
|
|
=item -b
|
|
|
|
If a maximum capture file size was specified, cause B<Tethereal> to run
|
|
in "ring buffer" mode, with the specified number of files. In "ring
|
|
buffer" mode, B<Tethereal> will write to several capture files; the name
|
|
of the first file, while the capture is in progress, will be the name
|
|
specified by the B<-w> flag, and subsequent files with have .I<n>
|
|
appended, with I<n> counting up.
|
|
|
|
When the first capture file fills up, B<Tethereal> will switch to
|
|
writing to the next file, until it fills up the last file, at which
|
|
point it'll discard the data in the first file and start writing to that
|
|
file. When that file fills up, B<Tethereal> will discard the data in
|
|
the next file and start writing to it, and so on.
|
|
|
|
When the capture completes, the files will be renamed to have names
|
|
based on the number of the file and on the date and time at which
|
|
packets most recently started being written to the file.
|
|
|
|
You can only save files in B<libpcap> format when using a ring buffer.
|
|
|
|
=item -c
|
|
|
|
Set the default number of packets to read when capturing live
|
|
data.
|
|
|
|
=item -D
|
|
|
|
Print a list of the interfaces on which B<Tethereal> can capture, and
|
|
exit. Note that "can capture" means that B<Tethereal> was able to open
|
|
that device to do a live capture; if, on your system, a program doing a
|
|
network capture must be run from an account with special privileges (for
|
|
example, as root), then, if B<Tethereal> is run with the B<-D> flag and
|
|
is not run from such an account, it will not list any interfaces.
|
|
|
|
=item -f
|
|
|
|
Set the capture filter expression.
|
|
|
|
=item -F
|
|
|
|
Set the file format of the output capture file.
|
|
|
|
=item -h
|
|
|
|
Print the version and options and exits.
|
|
|
|
=item -i
|
|
|
|
Set the name of the network interface or pipe to use for live packet
|
|
capture.
|
|
|
|
Network interface names should match one of the names listed in
|
|
"B<tethereal -D>" (described above). If you're using Unix, "B<netstat
|
|
-i>" or "B<ifconfig -a>" might also work to list interface names,
|
|
although not all versions of Unix support the B<-a> flag to B<ifconfig>.
|
|
If no interface is specified, B<Tethereal> searches the list of
|
|
interfaces, choosing the first non-loopback interface if there are any
|
|
non-loopback interfaces, and choosing the first loopback interface if
|
|
there are no non-loopback interfaces; if there are no interfaces,
|
|
B<Tethereal> reports an error and doesn't start the capture.
|
|
|
|
Pipe names should be either the name of a FIFO (named pipe) or ``-'' to
|
|
read data from the standard input. Data read from pipes must be in
|
|
standard libpcap format.
|
|
|
|
=item -l
|
|
|
|
Flush the standard output after the information for each packet is
|
|
printed. (This is not, strictly speaking, line-buffered if B<-V>
|
|
was specified; however, it is the same as line-buffered if B<-V> wasn't
|
|
specified, as only one line is printed for each packet, and, as B<-l> is
|
|
normally used when piping a live capture to a program or script, so that
|
|
output for a packet shows up as soon as the packet is seen and
|
|
dissected, it should work just as well as true line-buffering. We do
|
|
this as a workaround for a deficiency in the Microsoft Visual C++ C
|
|
library.)
|
|
|
|
This may be useful when piping the output of B<Tethereal> to another
|
|
program, as it means that the program to which the output is piped will
|
|
see the dissected data for a packet as soon as B<Tethereal> sees the
|
|
packet and generates that output, rather than seeing it only when the
|
|
standard output buffer containing that data fills up.
|
|
|
|
=item -n
|
|
|
|
Disable network object name resolution (such as hostname, TCP and UDP port
|
|
names).
|
|
|
|
=item -N
|
|
|
|
Turn on name resolving for particular types of addresses and port
|
|
numbers, with name resolving for other types of addresses and port
|
|
numbers turned off; the argument is a string that may contain the
|
|
letters B<m> to enable MAC address resolution, B<n> to enable network
|
|
address resolution, and B<t> to enable transport-layer port number
|
|
resolution. This overrides B<-n> if both B<-N> and B<-n> are present.
|
|
|
|
=item -o
|
|
|
|
Set a preference value, overriding the default value and any value read
|
|
from a preference file. The argument to the flag is a string of the
|
|
form I<prefname>B<:>I<value>, where I<prefname> is the name of the
|
|
preference (which is the same name that would appear in the preference
|
|
file), and I<value> is the value to which it should be set.
|
|
|
|
=item -p
|
|
|
|
I<Don't> put the interface into promiscuous mode. Note that the
|
|
interface might be in promiscuous mode for some other reason; hence,
|
|
B<-p> cannot be used to ensure that the only traffic that is captured is
|
|
traffic sent to or from the machine on which B<Tethereal> is running,
|
|
broadcast traffic, and multicast traffic to addresses received by that
|
|
machine.
|
|
|
|
=item -q
|
|
|
|
Don't display the continuous count of packets captured that is normally
|
|
shown when saving a capture to a file; instead, just display, at the end
|
|
of the capture, a count of packets captured. On systems that support
|
|
the SIGINFO signal, such as various BSDs, typing your "status" character
|
|
(typically control-T) will cause the current count to be displayed.
|
|
|
|
=item -r
|
|
|
|
Read packet data from I<infile>.
|
|
|
|
=item -R
|
|
|
|
Cause the specified filter (which uses the syntax of read filters,
|
|
rather than that of capture filters) to be applied before printing a
|
|
decoded form of packets or writing packets to a file; packets not
|
|
matching the filter are discarded rather than being printed or written.
|
|
|
|
=item -s
|
|
|
|
Set the default snapshot length to use when capturing live data.
|
|
No more than I<snaplen> bytes of each network packet will be read into
|
|
memory, or saved to disk.
|
|
|
|
=item -S
|
|
|
|
Decode and display packets even while writing to file.
|
|
|
|
=item -t
|
|
|
|
Set the format of the packet timestamp printed in summary lines. The
|
|
format can be one of 'r' (relative), 'a' (absolute), 'ad' (absolute with
|
|
date), or 'd' (delta). The relative time is the time elapsed between
|
|
the first packet and the current packet. The absolute time is the
|
|
actual time the packet was captured, with no date displayed; the
|
|
absolute date and time is the actual time and date the packet was
|
|
captured. The delta time is the time since the previous packet was
|
|
captured. The default is relative.
|
|
|
|
=item -v
|
|
|
|
Print the version and exit.
|
|
|
|
=item -V
|
|
|
|
Cause B<Tethereal> to print a protocol tree for each packet rather than
|
|
a one-line summary of the packet.
|
|
|
|
=item -w
|
|
|
|
Write packet data to I<savefile> or to the standard output if
|
|
I<savefile> is "-".
|
|
|
|
=item -x
|
|
|
|
Cause B<Tethereal> to print a hex and ASCII dump of the packet data
|
|
after printing the summary or protocol tree.
|
|
|
|
=item -z
|
|
|
|
Get B<Tethereal> to collect various types of statistics and display the result
|
|
after finishing reading the capture file.
|
|
Currently implemented statistics are:
|
|
|
|
B<-z> dcerpc,rtt,I<uuid>,I<major>.I<minor>[,I<filter>]
|
|
|
|
Collect call/reply RTT data for DCERPC interface I<uuid>,
|
|
version I<major>.I<minor>.
|
|
Data collected is number of calls for each procedure, MinRTT, MaxRTT
|
|
and AvgRTT.
|
|
Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0> to collect data for CIFS SAMR Interface.
|
|
This option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4> to collect SAMR
|
|
RTT statistics for a specific host.
|
|
|
|
|
|
B<-z> io,phs[,I<filter>]
|
|
|
|
Create Protocol Hierarchy Statistics listing both number of frames and bytes.
|
|
If no I<filter> is specified the statistics will be calculated for all frames.
|
|
If a I<filters> is specified statistics will be only calculated for those
|
|
packets that match the filter.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
|
|
B<-z> io,stat,I<interval>[,I<filter>][,I<filter>][,I<filter>]...
|
|
|
|
Collect frame/bytes statistics for the capture in intervals of I<interval>
|
|
seconds.
|
|
If no I<filter> is specified the statistics will be calculated for all frames.
|
|
If one or more I<filters> are specified statistics will be calculated for
|
|
all filters and presented with one column of statistics for each filter.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
|
|
B<-z> io,users,I<type>[,I<filter>]
|
|
|
|
Create a table that lists all conversations that could be seen in the capture.
|
|
I<type> specifies which type of conversation we want to generate the
|
|
statistics for, currently the supported ones are
|
|
"eth" Ethernet
|
|
"ip" IP addresses
|
|
"tr" TokenRing
|
|
|
|
If the optional filter string is specified, only those packets that match the
|
|
filter will be used in the calculations.
|
|
|
|
The table is presented with one line for each conversation and displays
|
|
number of frames/bytes in each direction as well as total number of
|
|
frames/bytes.
|
|
The table is sorted according to total number of bytes.
|
|
|
|
|
|
B<-z> proto,colinfo,I<filter>,I<field>
|
|
|
|
Append all I<field> values for the packet to the COL_INFO information line.
|
|
This feature can be used to append arbitrary fields to the COL_INFO line
|
|
in addition to the normal content of the COL_INFO line.
|
|
I<field> is the display-filter name of a field which value should be placed
|
|
on the COL_INFO line.
|
|
I<filter> is a filter string that controls for which packets the field value
|
|
will be presented on COL_INFO line. I<field> will only be presented on the
|
|
COL_INFO line for the packets which match I<filter>.
|
|
|
|
NOTE: In order for I<tethereal> to be able to extract the I<field> value from
|
|
the packet, I<field> MUST be part of the I<filter> string. If not, I<tethereal>
|
|
will not be able to extract its value.
|
|
|
|
For a simple example to add the "nfs.fh.hash" field to COL_INFO for all
|
|
packets containing the "nfs.fh.hash" field, use
|
|
|
|
B<-z proto,colinfo,nfs.fh.hash,nfs.fh.hash>
|
|
|
|
|
|
To put "nfs.fh.hash" on COL_INFO but only for packets coming from host 1.2.3.4
|
|
use :
|
|
|
|
B<-z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash">
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
|
|
B<-z> rpc,rtt,I<program>,I<version>[,I<filter>]
|
|
|
|
Collect call/reply RTT data for I<program>/I<version>. Data collected
|
|
is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT.
|
|
Example: use B<-z rpc,rtt,100003,3> to collect data for NFS v3. This
|
|
option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z rpc,rtt,100003,3,nfs.fh.hash==0x12345678> to collect NFS v3
|
|
RTT statistics for a specific file.
|
|
|
|
|
|
B<-z> rpc,programs
|
|
|
|
Collect call/reply RTT data for all known ONC-RPC programs/versions.
|
|
Data collected is number of calls for each protocol/version, MinRTT,
|
|
MaxRTT and AvgRTT.
|
|
This option can only be used once on the command line.
|
|
|
|
B<-z> smb,rtt[,I<filter>]
|
|
|
|
Collect call/reply RTT data for SMB. Data collected
|
|
is number of calls for each SMB command, MinRTT, MaxRTT and AvgRTT.
|
|
Example: use B<-z smb,rtt>.
|
|
The data will be presented as separate tables for all normal SMB commands,
|
|
all Transaction2 commands and all NT Transaction commands.
|
|
Only those commands that are seen in the capture will have its stats
|
|
displayed.
|
|
Only the first command in a xAndX command chain will be used in the
|
|
calculation. So for common SessionSetupAndX + TreeConnectAndX chains,
|
|
only the SessionSetupAndX call will be used in the statistics.
|
|
This is a flaw that might be fixed in the future.
|
|
|
|
This option can be used multiple times on the command line.
|
|
|
|
If the optional filterstring is provided, the stats will only be calculated
|
|
on those calls that match that filter.
|
|
Example: use B<-z "smb,rtt,ip.addr==1.2.3.4"> to only collect stats for
|
|
SMB packets echanged by the host at IP address 1.2.3.4 .
|
|
|
|
|
|
=back
|
|
|
|
=head1 CAPTURE FILTER SYNTAX
|
|
|
|
See manual page of tcpdump(8).
|
|
|
|
=head1 READ FILTER SYNTAX
|
|
|
|
Read filters help you remove the noise from a packet trace and let you
|
|
see only the packets that interest you. If a packet meets the
|
|
requirements expressed in your read filter, then it is printed. Read
|
|
filters let you compare the fields within a protocol against a specific
|
|
value, compare fields against fields, and to check the existence of
|
|
specified fields or protocols.
|
|
|
|
The simplest read filter allows you to check for the existence of a
|
|
protocol or field. If you want to see all packets which contain the IPX
|
|
protocol, the filter would be "ipx". (Without the quotation marks) To
|
|
see all packets that contain a Token-Ring RIF field, use "tr.rif".
|
|
|
|
Fields can also be compared against values. The comparison operators
|
|
can be expressed either through C-like symbols, or through English-like
|
|
abbreviations:
|
|
|
|
eq, == Equal
|
|
ne, != Not equal
|
|
gt, > Greater than
|
|
lt, < Less Than
|
|
ge, >= Greater than or Equal to
|
|
le, <= Less than or Equal to
|
|
|
|
Furthermore, each protocol field is typed. The types are:
|
|
|
|
Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
|
|
Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
|
|
Boolean
|
|
Ethernet address (6 bytes)
|
|
Byte string (n-number of bytes)
|
|
IPv4 address
|
|
IPv6 address
|
|
IPX network number
|
|
String (text)
|
|
Double-precision floating point number
|
|
|
|
An integer may be expressed in decimal, octal, or hexadecimal notation.
|
|
The following three read filters are equivalent:
|
|
|
|
frame.pkt_len > 10
|
|
frame.pkt_len > 012
|
|
frame.pkt_len > 0xa
|
|
|
|
Boolean values are either true or false. In a read filter expression
|
|
testing the value of a Boolean field, "true" is expressed as 1 or any
|
|
other non-zero value, and "false" is expressed as zero. For example, a
|
|
token-ring packet's source route field is boolean. To find any
|
|
source-routed packets, a read filter would be:
|
|
|
|
tr.sr == 1
|
|
|
|
Non source-routed packets can be found with:
|
|
|
|
tr.sr == 0
|
|
|
|
Ethernet addresses, as well as a string of bytes, are represented in hex
|
|
digits. The hex digits may be separated by colons, periods, or hyphens:
|
|
|
|
fddi.dst eq ff:ff:ff:ff:ff:ff
|
|
ipx.srcnode == 0.0.0.0.0.1
|
|
eth.src == aa-aa-aa-aa-aa-aa
|
|
|
|
If a string of bytes contains only one byte, then it is represented as
|
|
an unsigned integer. That is, if you are testing for hex value 'ff' in
|
|
a one-byte byte-string, you must compare it agains '0xff' and not 'ff'.
|
|
|
|
IPv4 addresses can be represented in either dotted decimal notation, or
|
|
by using the hostname:
|
|
|
|
ip.dst eq www.mit.edu
|
|
ip.src == 192.168.1.1
|
|
|
|
IPv4 addresses can be compared with the same logical relations as numbers:
|
|
eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order,
|
|
so you do not have to worry about how the endianness of an IPv4 address
|
|
when using it in a read filter.
|
|
|
|
Classless InterDomain Routing (CIDR) notation can be used to test if an
|
|
IPv4 address is in a certain subnet. For example, this display filter
|
|
will find all packets in the 129.111 Class-B network:
|
|
|
|
ip.addr == 129.111.0.0/16
|
|
|
|
Remember, the number after the slash represents the number of bits used
|
|
to represent the network. CIDR notation can also be used with
|
|
hostnames, in this example of finding IP addresses on the same Class C
|
|
network as 'sneezy':
|
|
|
|
ip.addr eq sneezy/24
|
|
|
|
The CIDR notation can only be used on IP addresses or hostnames, not in
|
|
variable names. So, a display filter like "ip.src/24 == ip.dst/24" is
|
|
not valid. (yet)
|
|
|
|
IPX networks are represented by unsigned 32-bit integers. Most likely
|
|
you will be using hexadecimal when testing for IPX network values:
|
|
|
|
ipx.srcnet == 0xc0a82c00
|
|
|
|
A slice operator also exists. You can check the substring
|
|
(byte-string) of any protocol or field. For example, you can filter on
|
|
the vendor portion of an ethernet address (the first three bytes) like
|
|
this:
|
|
|
|
eth.src[0:3] == 00:00:83
|
|
|
|
If the length of your byte-slice is only one byte, then it is still
|
|
represented in hex, but without the preceding "0x":
|
|
|
|
llc[3] == aa
|
|
|
|
You can use the slice operator on a protocol name, too. And
|
|
remember, the "frame" protocol encompasses the entire packet, allowing
|
|
you to look at the nth byte of a packet regardless of its frame type
|
|
(Ethernet, token-ring, etc.).
|
|
|
|
token[0:5] ne 0.0.0.1.1
|
|
ipx[0:2] == ff:ff
|
|
llc[3:1] eq 0xaa
|
|
|
|
The following syntax governs slices:
|
|
|
|
[i:j] i = start_offset, j = length
|
|
[i-j] i = start_offet, j = end_offset, inclusive.
|
|
[i] i = start_offset, length = 1
|
|
[:j] start_offset = 0, length = j
|
|
[i:] start_offset = i, end_offset = end_of_field
|
|
|
|
Offsets and lengths can be negative, in which case they indicate the
|
|
offset from the B<end> of the field. Here's how to check the last 4
|
|
bytes of a frame:
|
|
|
|
frame[-4:4] == 0.1.2.3
|
|
|
|
or
|
|
|
|
frame[-4:] == 0.1.2.3
|
|
|
|
You can create complex concatenations of slices using the comma operator:
|
|
|
|
field[1,3-5,9:] == 01:03:04:05:09:0a:0b
|
|
|
|
All the above tests can be combined together with logical expressions.
|
|
These too are expressable in C-like syntax or with English-like
|
|
abbreviations:
|
|
|
|
and, && Logical AND
|
|
or, || Logical OR
|
|
not, ! Logical NOT
|
|
|
|
Expressions can be grouped by parentheses as well. The following are
|
|
all valid read filter expression:
|
|
|
|
tcp.port == 80 and ip.src == 192.168.2.1
|
|
not llc
|
|
(ipx.srcnet == 0xbad && ipx.srnode == 0.0.0.0.0.1) || ip
|
|
tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
|
|
|
|
A special caveat must be given regarding fields that occur more than
|
|
once per packet. "ip.addr" occurs twice per IP packet, once for the
|
|
source address, and once for the destination address. Likewise,
|
|
tr.rif.ring fields can occur more than once per packet. The following
|
|
two expressions are not equivalent:
|
|
|
|
ip.addr ne 192.168.4.1
|
|
not ip.addr eq 192.168.4.1
|
|
|
|
The first filter says "show me IP packets where an ip.addr exists that
|
|
does not equal 192.168.4.1". That is, as long as one ip.addr in the
|
|
packet does not equal 192.168.44.1, the packet passes the read
|
|
filter. The second filter "don't show me any packets that have at least
|
|
one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1,
|
|
the packet does not pass. If B<neither> ip.addr fields is 192.168.4.1,
|
|
then the packet passes.
|
|
|
|
It is easy to think of the 'ne' and 'eq' operators as having an implict
|
|
"exists" modifier when dealing with multiply-recurring fields. "ip.addr
|
|
ne 192.168.4.1" can be thought of as "there exists an ip.addr that does
|
|
not equal 192.168.4.1".
|
|
|
|
Be careful with multiply-recurring fields; they can be confusing.
|
|
|
|
Care must also be taken when using the read filter to remove noise
|
|
from the packet trace. If you want to e.g. filter out all IP multicast
|
|
packets to address 224.1.2.3, then using:
|
|
|
|
ip.dst ne 224.1.2.3
|
|
|
|
may be too restrictive. Filtering with "ip.dst" selects only those
|
|
B<IP> packets that satisfy the rule. Any other packets, including all
|
|
non-IP packets, will not printed. For printing also the non-IP
|
|
packets, you can use one of the following two expressions:
|
|
|
|
not ip or ip.dst ne 224.1.2.3
|
|
not ip.addr eq 224.1.2.3
|
|
|
|
The first filter uses "not ip" to include all non-IP packets and then
|
|
lets "ip.dst ne 224.1.2.3" to filter out the unwanted IP packets. The
|
|
second filter has already been explained above where filtering with
|
|
multiply occuring fields was discussed.
|
|
|
|
The following is a table of protocol and protocol fields that are
|
|
filterable in B<Tethereal>. The abbreviation of the protocol or field is
|
|
given. This abbreviation is what you use in the read filter. The
|
|
type of the field is also given.
|
|
|
|
=insert_dfilter_table
|
|
|
|
=head1 FILES
|
|
|
|
The F<ethereal.conf> file, which is installed in the F<etc> directory
|
|
under the main installation directory (for example, F</usr/local/etc>)
|
|
on UNIX-compatible systems, and in the main installation directory (for
|
|
example, F<C:\Program Files\Ethereal>) on Windows systems, and the
|
|
personal preferences file, which is F<$HOME/.ethereal/preferences> on
|
|
UNIX-compatible systems and F<%APPDATA%\Ethereal\preferences> (or, if
|
|
%APPDATA% isn't defined,
|
|
F<%USERPROFILE%\Application Data\Ethereal\preferences>) on
|
|
Windows systems, contain system-wide and personal preference settings,
|
|
respectively. The file contains preference settings of the form
|
|
I<prefname>B<:>I<value>, one per line, where I<prefname> is the name of
|
|
the preference (which is the same name that would appear in the
|
|
preference file), and I<value> is the value to which it should be set;
|
|
white space is allowed between B<:> and I<value>. A preference setting
|
|
can be continued on subsequent lines by indenting the continuation lines
|
|
with white space. A B<#> character starts a comment that runs to the
|
|
end of the line.
|
|
|
|
The system-wide preference file is read first, if it exists, overriding
|
|
B<Tethereal>'s default values; the personal preferences file is then
|
|
read, if it exists, overriding default values and values read from the
|
|
system-wide preference file.
|
|
|
|
The F<ethers> file, which is found in the F</etc> directory on
|
|
UNIX-compatible systems, and in the main installation directory (for
|
|
example, F<C:\Program Files\Ethereal>) on Windows systems, is consulted
|
|
to correlate 6-byte hardware addresses to names. If an address is not
|
|
found in the F<ethers> file, the F<$HOME/.ethereal/ethers> file on
|
|
UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ethers> file (or, if
|
|
%APPDATA% isn't defined, the
|
|
F<%USERPROFILE%\Application Data\Ethereal\ethers> file) on Windows
|
|
systems is consulted next. Each line contains one hardware
|
|
address and name, separated by whitespace. The digits of the hardware
|
|
address are separated by either a colon (:), a dash (-), or a period
|
|
(.). The following three lines are valid lines of an ethers file:
|
|
|
|
ff:ff:ff:ff:ff:ff Broadcast
|
|
c0-00-ff-ff-ff-ff TR_broadcast
|
|
00.00.00.00.00.00 Zero_broadcast
|
|
|
|
The F<manuf> file, which is installed in the F<etc> directory under the
|
|
main installation directory (for example, F</usr/local/etc>) on
|
|
UNIX-compatible systems, and in the main installation directory (for
|
|
example, F<C:\Program Files\Ethereal>) on Windows systems, matches the
|
|
3-byte vendor portion of a 6-byte hardware address with the
|
|
manufacturer's name; it can also contain well-known MAC addresses and
|
|
address ranges specified with a netmask. The format of the file is the
|
|
same as the F<ethers> file, except that entries of the form
|
|
|
|
00:00:0C Cisco
|
|
|
|
can be provided, with the 3-byte OUI and the name for a vendor, and
|
|
entries of the form
|
|
|
|
00-00-0C-07-AC/40 All-HSRP-routers
|
|
|
|
can be specified, with a MAC address and a mask indicating how many bits
|
|
of the address must match. Trailing zero bytes can be omitted from
|
|
address ranges. That entry, for example, will match addresses from
|
|
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
|
|
multiple of 8.
|
|
|
|
The F<ipxnets> file, which is found in the F</etc> directory on
|
|
UNIX-compatible systems, and in the main installation directory (for
|
|
example, F<C:\Program Files\Ethereal>) on Windows systems, correlates
|
|
4-byte IPX network numbers to names. If a network number is not found
|
|
in the F<ipxnets> file, the F<$HOME/.ethereal/ipxnets> file on
|
|
UNIX-compatible systems, and the F<%APPDATA%\Ethereal\ipxnets> file (or,
|
|
if %APPDATA% isn't defined, the
|
|
F<%USERPROFILE%\Application Data\Ethereal\ipxnets> file)
|
|
on Windows systems, is consulted next. The format is the same as the
|
|
F<ethers> file, except that each address if four bytes instead of six.
|
|
Additionally, the address can be represented a single hexadecimal
|
|
number, as is more common in the IPX world, rather than four hex octets.
|
|
For example, these four lines are valid lines of an ipxnets file.
|
|
|
|
C0.A8.2C.00 HR
|
|
c0-a8-1c-00 CEO
|
|
00:00:BE:EF IT_Server1
|
|
110f FileServer3
|
|
|
|
=head1 SEE ALSO
|
|
|
|
I<ethereal(1)>, I<editcap(1)>, I<tcpdump(8)>, I<pcap(3)>
|
|
|
|
=head1 NOTES
|
|
|
|
B<Tethereal> is part of the B<Ethereal> distribution. The latest version
|
|
of B<Ethereal> can be found at B<http://www.ethereal.com>.
|
|
|
|
=head1 AUTHORS
|
|
|
|
B<Tethereal> uses the same packet dissection code that B<Ethereal> does,
|
|
as well as using many other modules from B<Ethereal>; see the list of
|
|
authors in the B<Ethereal> man page for a list of authors of that code.
|