Table of Contents

Name

Ethereal - Interactively browse network traffic

Synopsis

ethereal [ -B byte view height ] [ -b bold font ] [ -c count ] [ -F ] [ -f filter expression ] [ -G ] [ -h ] [ -i interface ] [ -k ] [ -m font ] [ -n ] [ -P packet list height ] [ -Q ] [ -r infile ] [ -S ] [ -s snaplen ] [ -T tree view height ] [ -t time stamp format ] [ -v ] [ -w savefile ]

Description

Ethereal is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Ethereal knows how to read libpcap capture files, including those of tcpdump. In addition, Ethereal can read capture files from snoop (including Shomiti), LanAlyzer, uncompressed Sniffer, Microsoft Network Monitor, AIX's iptrace, NetXray, Sniffer Pro, and RADCOM's WAN/LAN analyzer. There is no need to tell Ethereal what type of file you are reading; it will determine the file type by itself.

Like other protocol analyzers, Ethereal's main window shows 3 views of a packet. It shows a summary line, briefly describing what the packet is. A protocol tree is shown, allowing you to drill down to the exact protocol or field that you are interested in. Finally, a hex dump shows you exactly what the packet looks like when it goes over the wire.

In addition, Ethereal has some features that make it unique. It can assemble all the packets in a TCP conversation and show you the ASCII data in that conversation. Display filters in Ethereal are very powerful; more fields are filterable in Ethereal than in other protocol analyzers, and the syntax you can use to create your filters is richer. As Ethereal progresses, expect more and more protocol fields to be allowed in display filters.

Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap library. This syntax is different from the display filter syntax.

Options

-B
Sets the initial height of the byte view (bottom) pane.
-b
Sets the name of the bold font used for the data in the byte view pane that corresponds to the field selected in the protocol tree pane.
-c
Sets the default number of packets to read when capturing live data.
-F
Specifies that the live packet capture will be performed in a separate process. It is then possible to open/reload the file to display the packets actually captured.
-f
Sets the capture filter expression.
-G
Dumps a glossary of display filter keywords to stdout and exits.
-h
Prints the version and options and exits.
-i
Sets the name of the interface to use for live packet capture. It should match one of the names listed in "netstat -i" or "ifconfig -a".
-k
Starts the capture session immediately; this option requires the -i and -w parameters.
-m
Sets the name of the font used by Ethereal for most text.
-n
Disables network object name resolution (such as hostname, TCP and UDP port names).
-P
Sets the initial height of the packet list (top) pane.
-Q
Causes Ethereal to exit after the end of the capture session (useful in batch mode with the -c option, for instance); this option requires the -i and -w parameters.
-r
Reads packet data from file.
-S
Specifies that the live packet capture will be performed in a separate process (same as option -F) and that the packet displaying should be synchronized with the capture session without human operation (i.e. without load/reload). This is an experimental feature.
-s
Sets the default snapshot length to use when capturing live data. No more than snaplen bytes of each network packet will be read into memory, or saved to disk.
-T
Sets the initial height of the tree view (middle) pane.
-t
Sets the format of the packet timestamp displayed in the packet list window. The format can be one of `r' (relative), `a' (absolute), or `d' (delta). The relative time is the time elapsed between the first packet and the current packet. The absolute time is the actual date and time the packet was captured. The delta time is the time since the previous packet was captured. The default is relative.
-v
Prints the version and exits.
-w
Sets the default capture file name.

Interface

MENU ITEMS

File:Open, File:Close, File:Reload
Open, close, or reload a capture file.

File:Print
Prints, for all the packets in the current capture, the packet number, followed by a description of each protocol header found in the packet, followed by the packet data itself. Printing options can be set with the Edit:Preferences menu item, or in the dialog box popped up by this item.

File:Print Packet
Print a description of each protocol header found in the packet, followed by the packet data itself. Printing options can be set with the Edit:Preferences menu item.

File:Quit
Exits the application.

Edit:Preferences
Sets the packet printing and filter options (see the section on Preferences below).

Capture:Start
Initiates a live packet capture (see the section on Capture Preferences below). A temporary file will be created to hold the capture. The location of the file can be chosen by setting your TMPDIR environment variable before starting ethereal. Otherwise, the default TMPDIR location is system-dependent, but is likely either /var/tmp or /tmp.

Display:Options
Sets the format of the packet timestamp displayed in the packet list window to relative, absolute, or delta.

Tools:Follow TCP Stream
If you have a TCP packet selected, it will display the contents of the TCP data stream in a separate window.

WINDOWS

Main Window
The main window is split into three panes. You can resize each pane using a thumb at the right end of each divider line. Below the panes is a strip that shows the file load progress, current filter, and informational text.

The top pane contains the list of network packets that you can scroll through and select. The packet number, packet timestamp, source and destination addresses, protocol, and description are printed for each packet. An effort is made to display information as high up the protocol stack as possible, e.g. IP addresses are displayed for IP packets, but the MAC layer address is displayed for unknown packet types.

The middle pane contains a protocol tree for the currently-selected packet. The tree displays each field and its value in each protocol header in the stack.

The lowest pane contains a hex dump of the actual packet data. Selecting a field in the protocol tree highlights the corresponding bytes in this section.

A display filter can be entered into the strip at the bottom. A filter for HTTP, HTTPS, and DNS traffic might look like this:

tcp.port == 80 || tcp.port == 443 || tcp.port == 53

Selecting the Filter: button lets you choose from a list of named filters that you can optionally save. Pressing the Return or Enter keys will cause the filter to be applied to the current list of packets.

Preferences
The Preferences dialog lets you select the output format of packets printed using the File:Print Packet menu item and configure commonly-used filters.

Printing Preferences
The radio buttons at the top of the Printing page allow you to choose between printing the packets as text or PostScript, and sending the output directly to a command or saving it to a file. The Command: text entry box is the command to send files to (usually lpr), and the File: entry box lets you enter the name of the file you wish to save to. Additionally, you can select the File: button to browse the file system for a particular save file.

Filter Preferences
The Filters page lets you create and modify filters, and set the default filter to use when capturing data or opening a capture file.

The Filter name entry specifies a descriptive name for a filter, e.g. Web and DNS traffic. The Filter string entry is the text that actually describes the filtering action to take, as described above. The dialog buttons perform the following actions:

New
If there is text in the two entry boxes, it creates a new associated list item.
Change
Modifies the currently selected list item to match what's in the entry boxes.
Copy
Makes a copy of the currently selected list item.
Delete
Deletes the currently selected list item.
OK
Sets the currently selected list item as the active filter. If nothing is selected, turns filtering off.
Save
Saves the current filter list in $HOME/.ethereal/filters.
Cancel
Closes the dialog without making any changes.

Column Preferences
The Columns page lets you specify the number, title, and format of each column in the packet list.

The Column title entry is used to specify the title of the column displayed at the top of the packet list. The type of data that the column displays can be specified using the Column format option menu. The row of buttons on the left perform the following actions:

New
Adds a new column to the list.
Change
Modifies the currently selected list item.
Delete
Deletes the currently selected list item.
Up / Down
Moves the selected list item up or down one position.
OK
Currently has no effect.
Save
Saves the current column format as the default.
Cancel
Closes the dialog without making any changes.

Capture Preferences
The Capture Preferences dialog lets you specify various parameters for capturing live packet data.

The Interface: entry box lets you specify the interface from which to capture packet data. The Count: entry specifies the number of packets to capture. Entering 0 will capture packets indefinitely. The Filter: entry lets you specify the capture filter using a tcpdump-style filter string as described above. The File: entry specifies the file to save to, as in the Printer Options dialog above. You can choose to open the file after capture, and you can also specify the maximum number of bytes to capture per packet with the Capture length entry.

Display Options
The Display Options dialog lets you specify the format of the time stamp in the packet list. You can select Time of day for absolute time stamps, Seconds since beginning of capture for relative time stamps, or Seconds since previous frame for delta time stamps.

Display Filter Syntax

Display filters help you remove the noise from a packet trace and let you see only the packets that interest you. If a packet meets the requirements expressed in your display filter, then it is displayed in the list of packets. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.

The simplest display filter allows you to check for the existence of a protocol or field. If you want to see all packets which contain the IPX protocol, the filter would be "ipx" (without the quotation marks). To see all packets that contain a Token-Ring RIF field, use "tr.rif".

Fields can also be compared against values. The comparison operators can be expressed either through C-like symbols, or through English-like abbreviations:

eq, ==
Equal
ne, !=
Not equal
gt, >
Greater than
lt, <
Less Than
ge, >=
Greater than or Equal to
le, <=
Less than or Equal to

Furthermore, each protocol field is typed. The types are:

Unsigned integer (either 8-bit, 16-bit, or 32-bit)
Boolean (true or false)
Ethernet address (6 bytes)
Byte string (n-number of bytes)
IPv4 address
IPX network

An integer may be expressed in decimal, octal, or hexadecimal notation. The following three display filters are equivalent:

frame.pkt_len > 10
frame.pkt_len > 012
frame.pkt_len > 0xa

Boolean values are either true or false. For example, a token-ring packet's source route field is boolean:

tr.sr == true

Ethernet addresses, as well as strings of bytes, are represented in hex digits. The hex digits may be separated by colons, periods, or hyphens:

fddi.dst eq ff:ff:ff:ff:ff:ff
ipx.srcnode == 0.0.0.0.0.1
ether.src == aa-aa-aa-aa-aa-aa

If a string of bytes contains only one byte, then it is represented as an unsigned integer. That is, if you are testing for hex value `ff' in a one-byte byte-string, you must compare it against `0xff' and not `ff'.

IPv4 addresses can be represented in either dotted decimal notation, or by using the hostname:

ip.dst eq www.mit.edu
ip.src == 192.168.1.1

IPX networks are represented by unsigned 32-bit integers. Most likely you will be using hexadecimal when testing for IPX network values:

ipx.srcnet == 0xc0a82c00

A substring operator also exists. You can check the substring (byte-string) of any protocol or field. For example, you can filter on the vendor portion of an ethernet address (the first three bytes) like this:

ether.src[0:3] == 00:00:83

You can use the substring operator on a protocol name, too. And remember, the frame protocol encompasses the entire packet, allowing you to look at the nth byte of a packet regardless of its frame type (ethernet, token-ring, etc.).

token[0:5] ne 0.0.0.1.1
ipx[0:2] == ff:ff
llc[3:1] eq 0xaa

The above tests can be combined together with logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:

and, &&
Logical AND
or, ||
Logical OR
xor, ^^
Logical XOR
not, !
Logical NOT

Expressions can be grouped by parentheses as well. The following are all valid display filter expressions:

tcp.port == 80 and ip.src == 192.168.2.1
not llc
(ipx.srcnet == 0xbad && ipx.srcnode == 0.0.0.0.0.1) || ip
tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

A special caveat must be given regarding fields that occur more than once per packet. ip.addr occurs twice per IP packet, once for the source address, and once for the destination address. Likewise, tr.rif.ring fields can occur more than once per packet. The following two expressions are not equivalent:

ip.addr ne 192.168.4.1
not ip.addr eq 192.168.4.1

The first filter says "show me all packets where an ip.addr exists that does not equal 192.168.4.1". That is, as long as one ip.addr in the packet does not equal 192.168.4.1, the packet passes the display filter. The second filter says "don't show me any packets that have at least one ip.addr field equal to 192.168.4.1". If one ip.addr is 192.168.4.1, the packet does not pass. If neither ip.addr field is 192.168.4.1, then the packet passes.

It is easy to think of the `ne' and `eq' operators as having an implicit "exists" modifier when dealing with multiply-recurring fields. ip.addr ne 192.168.4.1 can be thought of as "there exists an ip.addr that does not equal 192.168.4.1".

Be careful with multiply-recurring fields; they can be confusing.
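The following is an added example, not part of the Ethereal man page or source: a small Python evaluator that mimics the literal syntax (decimal/octal/hex integers, byte strings with ':', '.' or '-' separators, the substring operator) and the "exists" semantics of comparisons on multiply-recurring fields, so you can see why `ip.addr ne 192.168.4.1` still shows traffic involving that host while `not ip.addr eq 192.168.4.1` excludes it. The packets and field values are constructed sample data, and type guessing from the literal's shape is a simplification of Ethereal's per-field typing.

```python
"""Toy evaluator for the display-filter comparison semantics described above.
Not Ethereal's code: field names, packets and values are constructed samples."""
import operator
import re

# C-like symbols and English-like abbreviations denote the same comparison.
OPS = {
    "eq": operator.eq, "==": operator.eq, "ne": operator.ne, "!=": operator.ne,
    "gt": operator.gt, ">": operator.gt, "lt": operator.lt, "<": operator.lt,
    "ge": operator.ge, ">=": operator.ge, "le": operator.le, "<=": operator.le,
}

def parse_literal(text):
    """Decode a literal: integer in decimal, octal (leading 0) or hex (0x);
    IPv4 dotted quad; or a byte string of hex digits separated by ':', '.'
    or '-'.  Ethereal picks the type from the field; this toy guesses it."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text, 16)
    if re.fullmatch(r"0[0-7]+", text):
        return int(text, 8)
    if re.fullmatch(r"\d+", text):
        return int(text, 10)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", text):
        return bytes(int(g) for g in text.split("."))
    if re.fullmatch(r"[0-9a-fA-F]{1,2}([:.-][0-9a-fA-F]{1,2})+", text):
        return bytes(int(g, 16) for g in re.split(r"[:.-]", text))
    raise ValueError(f"unrecognised literal: {text!r}")  # e.g. a bare 'ff'

def match(packet, field, op, literal, lo=None, n=None):
    """'Exists' semantics: True if ANY occurrence of `field` satisfies the
    comparison.  lo/n apply the substring operator field[lo:n] first."""
    cmp = OPS[op]
    for value in packet.get(field, ()):
        if lo is not None:
            value = value[lo:lo + n]
        if cmp(value, literal):
            return True
    return False

def ip_packet(src, dst):
    """Constructed packet: ip.addr occurs twice (source and destination)."""
    s, d = parse_literal(src), parse_literal(dst)
    return {"ip.src": [s], "ip.dst": [d], "ip.addr": [s, d]}

PACKETS = {                                      # constructed sample capture
    "from_4_1":    ip_packet("192.168.4.1", "10.0.0.5"),
    "unrelated":   ip_packet("10.0.0.7", "10.0.0.5"),
    "to_and_from": ip_packet("192.168.4.1", "192.168.4.1"),
}

def ip_addr_ne(host):
    """Packets passing `ip.addr ne <host>`: some ip.addr differs from host."""
    h = parse_literal(host)
    return sorted(k for k, p in PACKETS.items() if match(p, "ip.addr", "ne", h))

def not_ip_addr_eq(host):
    """Packets passing `not ip.addr eq <host>`: no ip.addr equals host."""
    h = parse_literal(host)
    return sorted(k for k, p in PACKETS.items() if not match(p, "ip.addr", "eq", h))

def vendor_matches(ether_src, oui):
    """`ether.src[0:3] == <oui>`: the substring operator on the vendor bytes."""
    pkt = {"ether.src": [parse_literal(ether_src)]}
    return match(pkt, "ether.src", "==", parse_literal(oui), lo=0, n=3)
```

Run `ip_addr_ne("192.168.4.1")` and `not_ip_addr_eq("192.168.4.1")` to compare the two result sets: only the second one actually hides every packet touching that host.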

The following is a table of protocol and protocol fields that are filterable in Ethereal. The abbreviation of the protocol or field is given. This abbreviation is what you use in the display filter. The type of the field is also given.

Address Resolution Protocol (arp)

Appletalk Address Resolution Protocol (aarp)

Authentication Header (ah)

Bootstrap Protocol (bootp)

Cisco Discovery Protocol (cdp)

Data (data)

Datagram Delivery Protocol (ddp)

Domain Name Service (dns)

Encapsulated Security Payload (esp)

Ethernet (eth)

eth.dst Destination
6-byte Hardware (MAC) Address

eth.len Length
Unsigned 16-bit integer

eth.src Source
6-byte Hardware (MAC) Address

eth.type Type
Unsigned 16-bit integer

Fiber Distributed Data Interface (fddi)

fddi.dst Destination
6-byte Hardware (MAC) Address

fddi.fc Frame Control
Unsigned 8-bit integer

fddi.src Source
6-byte Hardware (MAC) Address

File Transfer Protocol (ftp)

Frame (frame)

frame.cap_len Capture Frame Length
Unsigned 32-bit integer

frame.pkt_len Total Frame Length
Unsigned 32-bit integer

frame.time Arrival Time
Date/Time stamp

General Inter-ORB Protocol (giop)

Generic Routing Encapsulation (gre)

Hypertext Transfer Protocol (http)

ICMPv6 (icmpv6)

IPX Routing Information Protocol (ipxrip)

ISO COTP (osi)

Internet Control Message Protocol (icmp)

Internet Group Management Protocol (igmp)

igmp.checksum Checksum
Unsigned 16-bit integer

igmp.group Group address
IPv4 address

igmp.type Type
Unsigned 8-bit integer

igmp.unused Unused
Unsigned 8-bit integer

igmp.version Version
Unsigned 8-bit integer

Internet Protocol (ip)

ip.addr Source or Destination Address
IPv4 address

ip.dst Destination
IPv4 address

ip.hdr_len Header Length
Unsigned 8-bit integer

ip.id Identification
Unsigned 32-bit integer

ip.len Total Length
Unsigned 16-bit integer

ip.src Source
IPv4 address

ip.tos Type of Service
Unsigned 8-bit integer

ip.tos.precedence Precedence
Unsigned 8-bit integer

ip.version Version
Unsigned 8-bit integer

Internet Protocol Version 6 (ipv6)

Internet Security Association and Key Management Protocol (isakmp)

Internetwork Packet eXchange (ipx)

ipx.checksum Checksum
Unsigned 16-bit integer

ipx.dstnet Destination Network
IPX network or server name

ipx.dstnode Destination Node
6-byte Hardware (MAC) Address

ipx.dstsocket Destination Socket
Unsigned 16-bit integer

ipx.hops Transport Control (Hops)
Unsigned 8-bit integer

ipx.len Length
Unsigned 16-bit integer

ipx.packet_type Packet Type
Unsigned 8-bit integer

ipx.srcnet Source Network
IPX network or server name

ipx.srcnode Source Node
6-byte Hardware (MAC) Address

ipx.srcsocket Source Socket
Unsigned 16-bit integer

LAPB (lapb)

lapb.address Address Field
Unsigned 8-bit integer

lapb.control Control Field
String

Logical-Link Control (llc)

llc.control Control
Unsigned 8-bit integer

llc.dsap DSAP
Unsigned 8-bit integer

llc.oui Organization Code
Unsigned 24-bit integer

llc.ssap SSAP
Unsigned 8-bit integer

llc.type Type
Unsigned 16-bit integer

NetBIOS Datagram Service (nbdgm)

NetBIOS Name Service (nbns)

NetBIOS Session Service (nbss)

NetBIOS over IPX (nbipx)

NetWare Core Protocol (ncp)

Network News Transfer Protocol (nntp)

Null/Loopback (null)

null.family Family
Unsigned 16-bit integer

null.len Length
Unsigned 8-bit integer

null.next Next
Unsigned 8-bit integer

Open Shortest Path First (ospf)

Point-to-Point Protocol (ppp)

Post Office Protocol (pop)

Radius Protocol (radius)

radius.code Code
Unsigned 8-bit integer

radius.id Identifier
Unsigned 8-bit integer

radius.length Length
Unsigned 16-bit integer

Real Time Streaming Protocol (rtsp)

Resource ReserVation Protocol (RSVP) (rsvp)

Routing Information Protocol (rip)

Sequenced Packet eXchange (spx)

Server Message Block Protocol (smb)

Service Advertisement Protocol (sap)

Session Description Protocol (sdp)

Telnet (telnet)

Token-Ring (tr)

tr.ac Access Control
Unsigned 8-bit integer

tr.broadcast Broadcast Type
Unsigned 8-bit integer

tr.direction Direction
Unsigned 8-bit integer

tr.dst Destination
6-byte Hardware (MAC) Address

tr.fc Frame Control
Unsigned 8-bit integer

tr.frame Frame
Unsigned 8-bit integer

tr.frame_pcf Frame PCF
Unsigned 8-bit integer

tr.frame_type Frame Type
Unsigned 8-bit integer

tr.max_frame_size Maximum Frame Size
Unsigned 8-bit integer

tr.monitor_cnt Monitor Count
Unsigned 8-bit integer

tr.priority Priority
Unsigned 8-bit integer

tr.priority_reservation Priority Reservation
Unsigned 8-bit integer

tr.rif Ring-Bridge Pairs
String

tr.rif.bridge RIF Bridge
Unsigned 8-bit integer

tr.rif.ring RIF Ring
Unsigned 16-bit integer

tr.rif_bytes RIF Bytes
Unsigned 8-bit integer

tr.sr Source Routed
Boolean

tr.src Source
6-byte Hardware (MAC) Address

Token-Ring Media Access Control (trmac)

Transmission Control Protocol (tcp)

tcp.ack Acknowledgement number
Unsigned 32-bit integer

tcp.dstport Destination Port
Unsigned 16-bit integer

tcp.port Source or Destination Port
Unsigned 16-bit integer

tcp.seq Sequence number
Unsigned 32-bit integer

tcp.srcport Source Port
Unsigned 16-bit integer

Trivial File Transfer Protocol (tftp)

User Datagram Protocol (udp)

udp.checksum Checksum
Unsigned 16-bit integer

udp.dstport Destination Port
Unsigned 16-bit integer

udp.length Length
Unsigned 16-bit integer

udp.port Source or Destination Port
Unsigned 16-bit integer

udp.srcport Source Port
Unsigned 16-bit integer

X.25 (x25)

x25.lcn Logical Channel
Unsigned 16-bit integer

x25.type Packet Type
String

See Also

the tcpdump(8) manpage, the pcap(3) manpage

Notes

The latest version of ethereal can be found at http://ethereal.zing.org.

Authors

Original Author
Gerald Combs
<gerald@zing.org>

Contributors
Gilbert Ramirez
<gramirez@tivoli.com>
Hannes R. Boehm
<hannes@boehm.org>
Mike Hall
<mlh@io.com>
Bobo Rajec
<bobo@bsp-consulting.sk>
Laurent Deniel
<deniel@worldnet.fr>
Don Lafontaine
<lafont02@cn.ca>
Guy Harris
<guy@netapp.com>
Simon Wilkinson
<sxw@dcs.ed.ac.uk>
Joerg Mayer
<jmayer@telemation.de>
Martin Maciaszek
<fastjack@i-s-o.net>
Didier Jorand
<Didier.Jorand@alcatel.fr>
Jun-ichiro itojun Hagino
<itojun@iijlab.net>
Richard Sharpe
<sharpe@ns.aus.com>
John McDermott
<jjm@jkintl.com>
Jeff Jahr
<jjahr@shastanets.com>
Brad Robel-Forrest
<bradr@watchguard.com>
Ashok Narayanan
<ashokn@cisco.com>
Aaron Hillegass
<aaron@classmax.com>
Jason Lango
<jal@netapp.com>
Johan Feyaerts
<Johan.Feyaerts@siemens.atea.be>
Olivier Abad
<abad@daba.dhis.org>
Thierry Andry
<Thierry.Andry@advalvas.be>

Alain Magloire <alainm@rcsm.ece.mcgill.ca> was kind enough to give his permission to use his version of snprintf.c.

Dan Lasley <dlasley@promus.com> gave permission for his dumpit() hex-dump routine to be used.
