MAN page from RedHat 7.X ethereal-0.8.20-1.i386.rpm

ETHEREAL

Section: The Ethereal Network Analyzer (1)
Updated: 0.8.20

NAME

ethereal - Interactively browse network traffic 

SYNOPSIS

ethereal [ -B byte view height ] [ -c count ] [ -f capture filter expression ] [ -h ] [ -i interface ] [ -k ] [ -l ] [ -m font ] [ -n ] [ -N resolving flags ] [ -o preference setting ] ... [ -p ] [ -P packet list height ] [ -Q ] [ -r infile ] [ -R display filter expression ] [ -S ] [ -s snaplen ] [ -T tree view height ] [ -t time stamp format ] [ -v ] [ -w savefile ]

DESCRIPTION

Ethereal is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Ethereal knows how to read libpcap capture files, including those of tcpdump. In addition, Ethereal can read capture files from snoop (including Shomiti) and atmsnoop, LanAlyzer, Sniffer (compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray, Sniffer Pro, Etherpeek, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output, HP-UX's nettl, the dump output from Toshiba's ISDN routers, the output from i4btrace from the ISDN4BSD project, the output in IPLog format from the Cisco Secure Intrusion Detection System, and pppd logs (pppdump format). There is no need to tell Ethereal what type of file you are reading; it will determine the file type by itself. Ethereal is also capable of reading any of these file formats if they are compressed using gzip. Ethereal recognizes this directly from the file; the '.gz' extension is not required for this purpose.

Like other protocol analyzers, Ethereal's main window shows 3 views of a packet. It shows a summary line, briefly describing what the packet is. A protocol tree is shown, allowing you to drill down to the exact protocol or field that you are interested in. Finally, a hex dump shows you exactly what the packet looks like when it goes over the wire.

In addition, Ethereal has some features that make it unique. It can assemble all the packets in a TCP conversation and show you the ASCII (or EBCDIC, or hex) data in that conversation. Display filters in Ethereal are very powerful; more fields are filterable in Ethereal than in other protocol analyzers, and the syntax you can use to create your filters is richer. As Ethereal progresses, expect more and more protocol fields to be allowed in display filters.

Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap library. This syntax is different from the display filter syntax.

Compressed file support uses (and therefore requires) the zlib library. If the zlib library is not present, Ethereal will compile, but will be unable to read compressed files.

OPTIONS


-B
Sets the initial height of the byte view (bottom) pane.
-c
Sets the default number of packets to read when capturing live data.
-f
Sets the capture filter expression.
-h
Prints the version and options and exits.
-i
Sets the name of the network interface or pipe to use for live packet capture. Network interface names should match one of the names listed in ``netstat -i'' or ``ifconfig -a''. Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read data from the standard input. Data read from pipes must be in libpcap format.
-k
Starts the capture session immediately. If the -i flag was specified, the capture uses the specified interface. Otherwise, Ethereal searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces; if there are no interfaces, Ethereal reports an error and doesn't start the capture.
-l
Turns on automatic scrolling if the packet display is being updated automatically as packets arrive during a capture (as specified by the -S flag).
-m
Sets the name of the font used by Ethereal for most text. Ethereal will construct the name of the bold font used for the data in the byte view pane that corresponds to the field selected in the protocol tree pane from the name of the main text font.
-n
Disables network object name resolution (such as hostname, TCP and UDP port names).
-N
Turns on name resolving for particular types of addresses and port numbers; the argument is a string that may contain the letters m to enable MAC address resolution, n to enable network address resolution, and t to enable transport-layer port number resolution. This overrides -n if both -N and -n are present.
-o
Sets a preference value, overriding the default value and any value read from a preference file. The argument to the flag is a string of the form prefname:value, where prefname is the name of the preference (which is the same name that would appear in the preference file), and value is the value to which it should be set.
-p
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Ethereal is running, broadcast traffic, and multicast traffic to addresses received by that machine.
-P
Sets the initial height of the packet list (top) pane.
-Q
Causes Ethereal to exit after the end of the capture session (useful in batch mode with the -c option for instance); this option requires the -i and -w parameters.
-r
Reads packet data from file.
-R
When reading a capture file specified with the -r flag, causes the specified filter (which uses the syntax of display filters, rather than that of capture filters) to be applied to all packets read from the capture file; packets not matching the filter are discarded.
-S
Specifies that the live packet capture will be performed in a separate process, and that the packet display will automatically be updated as packets are seen.
-s
Sets the default snapshot length to use when capturing live data. No more than snaplen bytes of each network packet will be read into memory, or saved to disk.
-T
Sets the initial height of the tree view (middle) pane.
-t
Sets the format of the packet timestamp displayed in the packet list window. The format can be one of 'r' (relative), 'a' (absolute), 'ad' (absolute with date), or 'd' (delta). The relative time is the time elapsed between the first packet and the current packet. The absolute time is the actual time the packet was captured, with no date displayed; the absolute date and time is the actual time and date the packet was captured. The delta time is the time since the previous packet was captured. The default is relative.
-v
Prints the version and exits.
-w
Sets the default capture file name.
 

INTERFACE

 

MENU ITEMS


File:Open, File:Close, File:Reload
Open, close, or reload a capture file. The File:Open dialog box allows a filter to be specified; when the capture file is read, the filter is applied to all packets read from the file, and packets not matching the filter are discarded.
File:Save, File:Save As
Save the current capture, or the packets currently displayed from that capture, to a file. Check boxes let you select whether to save all packets, or just those that have passed the current display filter and/or those that are currently marked, and an option menu lets you select (from a list of file formats in which a particular capture, or the packets currently displayed from that capture, can be saved) a file format in which to save it.
File:Print
Prints, for all the packets in the current capture, either the summary line for the packet or the protocol tree view of the packet; when printing the protocol tree view, the hex dump of the packet can be printed as well. Printing options can be set with the Edit:Preferences menu item, or in the dialog box popped up by this item.
File:Print Packet
Print a fully-expanded protocol tree view of the currently-selected packet. Printing options can be set with the Edit:Preferences menu item.
File:Quit
Exits the application.
Edit:Find Frame
Allows you to search forward or backward, starting with the currently selected packet (or the most recently selected packet, if no packet is selected), for a packet matching a given display filter.
Edit:Go To Frame
Allows you to go to a particular numbered packet.
Edit:Mark Frame
Allows you to mark (or unmark if currently marked) the selected packet.
Edit:Mark All Frames
Allows you to mark all packets that are currently displayed.
Edit:Unmark All Frames
Allows you to unmark all packets that are currently displayed.
Edit:Preferences
Sets the packet printing, column display, TCP stream coloring, and GUI options (see the section on "Preferences" below).
Edit:Capture Filters
Edits the saved list of capture filters, allowing filters to be added, changed, or deleted.
Edit:Display Filters
Edits the saved list of display filters, allowing filters to be added, changed, or deleted.
Edit:Protocols
Edits the list of protocols, allowing protocol dissection to be enabled or disabled.
Capture:Start
Initiates a live packet capture (see the section on "Capture Preferences" below). A temporary file will be created to hold the capture. The location of the file can be chosen by setting your TMPDIR environment variable before starting Ethereal. Otherwise, the default TMPDIR location is system-dependent, but is likely either /var/tmp or /tmp.
Capture:Stop
In a capture that updates the packet display as packets arrive (so that Ethereal responds to user input other than pressing the ``Stop'' button in the capture packet statistics dialog box), stops the capture.
Display:Options
Allows you to set the format of the packet timestamp displayed in the packet list window to relative, absolute, absolute date and time, or delta, to enable or disable the automatic scrolling of the packet list while a live capture is in progress, or to enable or disable translation of addresses to names in the display.
Display:Match Selected
Creates and applies a display filter based on the data that is currently highlighted in the protocol tree. If that data is a field that can be tested in a display filter expression, the display filter will test that field; otherwise, the display filter will be based on absolute offset within the packet, and so could be unreliable if the packet contains protocols with variable-length headers, such as a source-routed token-ring packet.
Display:Colorize Display
Allows you to change the foreground and background colors of the packet information in the list of packets, based upon display filters. The list of display filters is applied to each packet sequentially. After the first display filter matches a packet, any additional display filters in the list are ignored. Therefore, if you are filtering on the existence of protocols, you should list the higher-level protocols first, and the lower-level protocols last.
Display:Collapse All
Collapses the protocol tree branches.
Display:Expand All
Expands all branches of the protocol tree.
Display:Show Packet In New Window
Creates a new window containing a protocol tree view and a hex dump window of the currently selected packet; this window will continue to display that packet's protocol tree and data even if another packet is selected.
Display:User Specified Decodes
Creates a new window showing whether any protocol ID to dissector mappings have been changed by the user. This window also allows the user to reset all decodes to their default values.
Tools:Plugins
Allows you to see what dynamically loadable dissector plugin modules have been loaded (see ``Plugins'' below).
Tools:Follow TCP Stream
If you have a TCP packet selected, it will display the contents of the data stream for the TCP connection to which that packet belongs, as text, in a separate window, and will leave the list of packets in a filtered state, with only those packets that are part of that TCP connection being displayed. You can revert to your old view by pressing ENTER in the display filter text box, thereby invoking your old display filter (or resetting it back to no display filter).

The window in which the data stream is displayed lets you select:

    whether to display the entire conversation, or one or the other side of it;
    whether the data being displayed is to be treated as ASCII or EBCDIC text or as raw hex data;

and lets you print what's currently being displayed, using the same print options that are used for the File:Print Packet menu item, or save it as text to a file.
Tools:Decode As
If you have a packet selected, this menu item will present a dialog allowing you to change which dissectors are used to decode this packet. The dialog has one panel each for the link layer, network layer and transport layer protocol/port numbers, and will allow each of these to be changed independently. For example, if the selected packet is a TCP packet to port 12345, using this dialog you can instruct Ethereal to decode all packets to or from that TCP port as HTTP packets.
Tools:Protocol Hierarchy Statistics
This shows the number of packets, and the number of bytes in those packets, for each protocol in the trace. It organizes the protocols in the same hierarchy in which they were found in the trace. Besides counting the packets in which the protocol exists, a count is also made for packets in which the protocol is the last protocol in the stack. These last-protocol counts show you how many packets (and the byte count associated with those packets) ended in a particular protocol. In the table, they are listed under ``End Packets'' and ``End Bytes''.
 

WINDOWS


Main Window
The main window is split into three panes. You can resize each pane using a ``thumb'' at the right end of each divider line. Below the panes is a strip that shows the current filter and informational text.

Top Pane
The top pane contains the list of network packets that you can scroll through and select. By default, the packet number, packet timestamp, source and destination addresses, protocol, and description are displayed for each packet; the Columns page in the dialog box popped up by Edit:Preferences lets you change this (although, unfortunately, you currently have to save the preferences, and exit and restart Ethereal, for those changes to take effect).

If you click on the heading for a column, the display will be sorted by that column; clicking on the heading again will reverse the sort order for that column.

An effort is made to display information as high up the protocol stack as possible, e.g. IP addresses are displayed for IP packets, but the MAC layer address is displayed for unknown packet types.

The right mouse button can be used to pop up a menu of operations.

The middle mouse button can be used to mark a packet.

Middle Pane
The middle pane contains a protocol tree for the currently-selected packet. The tree displays each field and its value in each protocol header in the stack. The right mouse button can be used to pop up a menu of operations.
Bottom Pane
The lowest pane contains a hex dump of the actual packet data. Selecting a field in the protocol tree highlights the corresponding bytes in this section.

The right mouse button can be used to pop up a menu of operations.

Current Filter
A display filter can be entered into the strip at the bottom. A filter for HTTP, HTTPS, and DNS traffic might look like this:

  tcp.port == 80 || tcp.port == 443 || tcp.port == 53
Selecting the Filter: button lets you choose from a list of named filters that you can optionally save. Pressing the Return or Enter keys will cause the filter to be applied to the current list of packets. Selecting the Reset button clears the display filter so that all packets are displayed.

Preferences
The Preferences dialog lets you control various personal preferences for the behavior of Ethereal.

Printing Preferences
The radio buttons at the top of the Printing page allow you to choose between printing packets with the File:Print Packet menu item as text or PostScript, and sending the output directly to a command or saving it to a file. The Command: text entry box is the command to send files to (usually lpr), and the File: entry box lets you enter the name of the file you wish to save to. Additionally, you can select the File: button to browse the file system for a particular save file.
Column Preferences
The Columns page lets you specify the number, title, and format of each column in the packet list.

The Column title entry is used to specify the title of the column displayed at the top of the packet list. The type of data that the column displays can be specified using the Column format option menu. The row of buttons on the left perform the following actions:


New
Adds a new column to the list.
Change
Modifies the currently selected list item.
Delete
Deletes the currently selected list item.
Up / Down
Moves the selected list item up or down one position.
OK
Currently has no effect.
Save
Saves the current column format as the default.
Cancel
Closes the dialog without making any changes.

TCP Stream Preferences
The TCP Streams page can be used to change the color of the text displayed in the TCP stream window. To change a color, simply select an attribute from the ``Set:'' menu and use the color selector to get the desired color. The new text colors are displayed in a sample window.
GUI Preferences
The GUI page is used to modify small aspects of the GUI to your own personal taste:

Scrollbars
The vertical scrollbars in the three panes can be set to be either on the left or the right.
Selection Bars
The selection bar in the packet list and protocol tree can have either a ``browse'' or ``select'' behavior. If the selection bar has a ``browse'' behavior, the arrow keys will move an outline of the selection bar, allowing you to browse the rest of the list or tree without changing the selection until you press the space bar. If the selection bar has a ``select'' behavior, the arrow keys will move the selection bar and change the selection to the new item in the packet list or protocol tree. The highlight method in the hex dump display for the selected protocol item can be set to use either inverse video, or bold characters.
Fonts
The ``Font...'' button lets you select the font to be used for most text.
Colors
The ``Colors...'' button lets you select the colors to be used, for instance, for the marked frames.

Protocol Preferences
There are also pages for various protocols that Ethereal dissects, controlling the way Ethereal handles those protocols.

Edit Capture Filter List

Edit Display Filter List

Capture Filter

Display Filter

Read Filter

Search Filter
The Edit Capture Filter List dialog lets you create, modify, and delete capture filters, and the Edit Display Filter List dialog lets you create, modify, and delete display filters.

The Capture Filter dialog lets you do all of the editing operations listed, and also lets you choose or construct a filter to be used when capturing packets.

The Display Filter dialog lets you do all of the editing operations listed, and also lets you choose or construct a filter to be used to filter the current capture being viewed.

The Read Filter dialog lets you do all of the editing operations listed, and also lets you choose or construct a filter to be used as a read filter for a capture file you open.

The Search Filter dialog lets you do all of the editing operations listed, and also lets you choose or construct a filter expression to be used in a find operation.

In all of those dialogs, the Filter name entry specifies a descriptive name for a filter, e.g. Web and DNS traffic. The Filter string entry is the text that actually describes the filtering action to take, as described above. The dialog buttons perform the following actions:


New
If there is text in the two entry boxes, creates a new associated list item.
Change
Modifies the currently selected list item to match what's in the entry boxes.
Copy
Makes a copy of the currently selected list item.
Delete
Deletes the currently selected list item.
Add Expression...
For display filter expressions, pops up a dialog box to allow you to construct a filter expression to test a particular field; it offers lists of field names, and, when appropriate, lists from which to select tests to perform on the field and values with which to compare it. In that dialog box, the OK button will cause the filter expression you constructed to be entered into the Filter string entry at the current cursor position.
OK
In the Capture Filter dialog, closes the dialog box and makes the filter in the Filter string entry the filter in the Capture Preferences dialog. In the Display Filter dialog, closes the dialog box and makes the filter in the Filter string entry the current display filter, and applies it to the current capture. In the Read Filter dialog, closes the dialog box and makes the filter in the Filter string entry the filter in the Open Capture File dialog. In the Search Filter dialog, closes the dialog box and makes the filter in the Filter string entry the filter in the Find Frame dialog.
Apply
Makes the filter in the Filter string entry the current display filter, and applies it to the current capture.
Save
Saves the current filter list in $HOME/.ethereal/cfilters if the list of filters being edited is the list of capture filters or in $HOME/.ethereal/dfilters if the list of filters being edited is the list of display filters.
Close
Closes the dialog without doing anything with the filter in the Filter string entry.

Capture Preferences
The Capture Preferences dialog lets you specify various parameters for capturing live packet data.

The Interface: combo box lets you specify the interface from which to capture packet data, or the name of a FIFO from which to get the packet data. The Count: entry specifies the number of packets to capture. Entering 0 will capture packets indefinitely. The Filter: entry lets you specify the capture filter using a tcpdump-style filter string as described above. The File: entry specifies the file to save to, as in the Printer Options dialog above. You can specify the maximum number of bytes to capture per packet with the Capture length entry, can specify whether the interface is to be put in promiscuous mode or not with the Capture packets in promiscuous mode check box, can specify that the display should be updated as packets are captured with the Update list of packets in real time check box, can specify whether in such a capture the packet list pane should scroll to show the most recently captured packets with the Automatic scrolling in live capture check box, and can specify whether addresses should be translated to names in the display with the Enable MAC name resolution, Enable network name resolution and Enable transport name resolution check boxes.

Display Options
The Display Options dialog lets you specify the format of the time stamp in the packet list. You can select ``Time of day'' for absolute time stamps, ``Date and time of day'' for absolute time stamps with the date, ``Seconds since beginning of capture'' for relative time stamps, or ``Seconds since previous frame'' for delta time stamps. You can also specify whether, when the display is updated as packets are captured, the list should automatically scroll to show the most recently captured packets or not and whether addresses or port numbers should be translated to names in the display on a MAC, network and transport layer basis.
Plugins
The Plugins dialog lets you view the dissector plugin modules available on your system.

The Plugins List shows the name and version of each dissector plugin module found on your system. The plugins are searched in the following directories: /usr/share/ethereal/plugins, /usr/local/share/ethereal/plugins and ~/.ethereal/plugins. Note that a dissector plugin module may support more than one protocol; there is not necessarily a one-to-one correspondence between dissector plugin modules and protocols. Protocols supported by a dissector plugin module are enabled and disabled using the Edit:Protocols dialog box, just as protocols built into Ethereal are.

 

CAPTURE FILTER SYNTAX

See the manual page of tcpdump(8).

DISPLAY FILTER SYNTAX

Display filters help you remove the noise from a packet trace and let you see only the packets that interest you. If a packet meets the requirements expressed in your display filter, then it is displayed in the list of packets. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.

The simplest display filter allows you to check for the existence of a protocol or field. If you want to see all packets which contain the IPX protocol, the filter would be ``ipx'' (without the quotation marks). To see all packets that contain a Token-Ring RIF field, use ``tr.rif''.

Fields can also be compared against values. The comparison operators can be expressed either through C-like symbols, or through English-like abbreviations:

    eq, ==    Equal
    ne, !=    Not equal
    gt, >     Greater than
    lt, <     Less than
    ge, >=    Greater than or equal to
    le, <=    Less than or equal to

Furthermore, each protocol field is typed. The types are:

    Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Boolean
    Ethernet address (6 bytes)
    Byte string (n-number of bytes)
    IPv4 address
    IPv6 address
    IPX network number
    String (text)
    Double-precision floating point number

An integer may be expressed in decimal, octal, or hexadecimal notation. The following three display filters are equivalent:

    frame.pkt_len > 10
    frame.pkt_len > 012
    frame.pkt_len > 0xa

Boolean values are either true or false. In a display filter expression testing the value of a Boolean field, ``true'' is expressed as 1 or any other non-zero value, and ``false'' is expressed as zero. For example, a token-ring packet's source route field is boolean. To find any source-routed packets, a display filter would be:

    tr.sr == 1

Non source-routed packets can be found with:

    tr.sr == 0

Ethernet addresses, as well as a string of bytes, are represented in hex digits. The hex digits may be separated by colons, periods, or hyphens:

    fddi.dst eq ff:ff:ff:ff:ff:ff
    ipx.srcnode == 0.0.0.0.0.1
    eth.src == aa-aa-aa-aa-aa-aa

If a string of bytes contains only one byte, then it is represented as an unsigned integer. That is, if you are testing for hex value 'ff' in a one-byte byte-string, you must compare it against '0xff' and not 'ff'.

IPv4 addresses can be represented in either dotted decimal notation, or by using the hostname:

    ip.dst eq www.mit.edu
    ip.src == 192.168.1.1

IPv4 addresses can be compared with the same logical relations as numbers: eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order, so you do not have to worry about the endianness of an IPv4 address when using it in a display filter.

Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network:

    ip.addr == 129.111.0.0/16

Remember, the number after the slash represents the number of bits used to represent the network. CIDR notation can also be used with hostnames, in this example of finding IP addresses on the same Class C network as 'sneezy':

    ip.addr eq sneezy/24

The CIDR notation can only be used on IP addresses or hostnames, not in variable names. So, a display filter like ``ip.src/24 == ip.dst/24'' is not valid. (yet)

IPX networks are represented by unsigned 32-bit integers. Most likely you will be using hexadecimal when testing for IPX network values:

    ipx.srcnet == 0xc0a82c00

A slice operator also exists. You can check the substring (byte-string) of any protocol or field. For example, you can filter on the vendor portion of an ethernet address (the first three bytes) like this:

    eth.src[0:3] == 00:00:83

If the length of your byte-slice is only one byte, then it is still represented in hex, but without the preceding ``0x'':

    llc[3] == aa

You can use the slice operator on a protocol name, too. And remember, the ``frame'' protocol encompasses the entire packet, allowing you to look at the nth byte of a packet regardless of its frame type (Ethernet, token-ring, etc.).

    token[0:5] ne 0.0.0.1.1
    ipx[0:2] == ff:ff
    llc[3:1] eq 0xaa

The following syntax governs slices:

        [i:j]   i = start_offset, j = length
        [i-j]   i = start_offset, j = end_offset, inclusive.
        [i]     i = start_offset, length = 1
        [:j]    start_offset = 0, length = j
        [i:]    start_offset = i, end_offset = end_of_field

Offsets and lengths can be negative, in which case they indicate the offset from the end of the field. Here's how to check the last 4 bytes of a frame:

    frame[-4:4] == 0.1.2.3
or

    frame[-4:] == 0.1.2.3
You can create complex concatenations of slices using the comma operator:

        field[1,3-5,9:] == 01:03:04:05:09:0a:0b
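The slice rules above, re-implemented as an added Python example (not Ethereal's own code) so you can see which bytes each form selects. It assumes hex literals in the three separator styles the page lists, and treats a negative length in [i:j] as "stop that many bytes before the end", which is an assumption the page leaves open.

```python
"""Byte-slice operator of Ethereal display filters, re-implemented in Python.

Added example, not Ethereal's code: it follows the slice rules given in the
man page ([i:j], [i-j], [i], [:j], [i:], negative offsets, comma-separated
concatenation) and applies them to a field's raw bytes.
"""
import re

# One range spec between the brackets: optional start, optional ':'/'-' and
# optional second number. Negative numbers are allowed in both positions.
_SPEC = re.compile(r"(-?\d+)?(?:([:-])(-?\d+)?)?")


def parse_bytes(literal: str) -> bytes:
    """Turn a byte-string literal from a filter into bytes.

    Accepted forms, as on the page: hex bytes separated by ':', '.' or '-'
    (00:00:83, 0.1.2.3, aa-aa-aa), a bare one-byte value (aa) and a one-byte
    value written as 0xaa.
    """
    lit = literal.strip().lower()
    if lit.startswith("0x"):
        return bytes([int(lit, 16)])          # ValueError if wider than one byte
    return bytes(int(part, 16) for part in re.split(r"[:.\-]", lit))


def resolve_range(spec: str, field_len: int) -> range:
    """Map one spec (without brackets or commas) to the byte offsets it selects."""
    m = _SPEC.fullmatch(spec.strip())
    if m is None or (m.group(1) is None and m.group(2) is None):
        raise ValueError(f"bad slice spec {spec!r}")
    i, sep, j = m.groups()
    start = int(i) if i is not None else 0
    if start < 0:                              # negative offset: count from the end
        start += field_len
    if sep is None:                            # [i]   -> exactly one byte
        end = start + 1
    elif sep == "-":                           # [i-j] -> inclusive end offset
        if j is None:
            raise ValueError(f"bad slice spec {spec!r}")
        end = int(j)
        if end < 0:
            end += field_len
        end += 1
    elif j is None:                            # [i:]  -> through end of field
        end = field_len
    else:                                      # [i:j] / [:j] -> j is a length
        length = int(j)
        # Assumption: a negative length means "stop j bytes before the end";
        # the man page only says lengths may be negative.
        end = start + length if length >= 0 else field_len + length
    if not 0 <= start <= end <= field_len:
        raise ValueError(f"slice {spec!r} outside a {field_len}-byte field")
    return range(start, end)


def slice_field(field: bytes, slice_expr: str) -> bytes:
    """Apply a bracketed slice such as '[1,3-5,9:]' to a field's bytes.

    Comma-separated ranges are evaluated left to right and concatenated.
    """
    if not (slice_expr.startswith("[") and slice_expr.endswith("]")):
        raise ValueError("slice must be written as [ ... ]")
    out = bytearray()
    for spec in slice_expr[1:-1].split(","):
        out.extend(field[k] for k in resolve_range(spec, len(field)))
    return bytes(out)


def slice_matches(field: bytes, slice_expr: str, literal: str) -> bool:
    """Evaluate 'field<slice> == literal' the way the display filter would."""
    return slice_field(field, slice_expr) == parse_bytes(literal)


if __name__ == "__main__":
    # Constructed sample data, not taken from a real capture.
    eth_src = bytes.fromhex("000083112233")           # vendor part 00:00:83
    frame = bytes.fromhex("aabbccdd00010203")         # ends in 0.1.2.3
    field = bytes(range(12))                          # 00 01 02 ... 0b
    print(slice_matches(eth_src, "[0:3]", "00:00:83"))                 # True
    print(slice_matches(frame, "[-4:4]", "0.1.2.3"))                    # True
    print(slice_matches(frame, "[-4:]", "0.1.2.3"))                     # True
    print(slice_field(field, "[1,3-5,9:]").hex())                       # 01030405090a0b
    print(slice_matches(field, "[1,3-5,9:]", "01:03:04:05:09:0a:0b"))  # True
```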
All the above tests can be combined together with logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:

    and, &&   Logical AND
    or, ||    Logical OR
    not, !    Logical NOT

Expressions can be grouped by parentheses as well. The following are all valid display filter expressions:

    tcp.port == 80 and ip.src == 192.168.2.1
    not llc
    (ipx.srcnet == 0xbad && ipx.srnode == 0.0.0.0.0.1) || ip
    tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

A special caveat must be given regarding fields that occur more than once per packet. ``ip.addr'' occurs twice per IP packet, once for the source address, and once for the destination address. Likewise, tr.rif.ring fields can occur more than once per packet. The following two expressions are not equivalent:

        ip.addr ne 192.168.4.1
    not ip.addr eq 192.168.4.1

The first filter says ``show me all packets where an ip.addr exists that does not equal 192.168.4.1''. That is, as long as one ip.addr in the packet does not equal 192.168.4.1, the packet passes the display filter. The second filter says ``don't show me any packets that have at least one ip.addr field equal to 192.168.4.1''. If one ip.addr is 192.168.4.1, the packet does not pass. If neither ip.addr field is 192.168.4.1, then the packet passes.

It is easy to think of the 'ne' and 'eq' operators as having an implicit ``exists'' modifier when dealing with multiply-recurring fields. ``ip.addr ne 192.168.4.1'' can be thought of as ``there exists an ip.addr that does not equal 192.168.4.1''.

Be careful with multiply-recurring fields; they can be confusing.
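The two non-equivalent filters from the caveat, evaluated over constructed packets in an added Python example (not Ethereal's code). The packet model (a field name mapped to the list of values it carries) and the single-term expression evaluator are assumptions made for the demonstration; the point is that the "exists" semantics only bite on fields that recur, so the same pair of filters agrees on ip.src.

```python
"""Why ``ip.addr ne X'' and ``not ip.addr eq X'' differ, worked in Python.

Added example, not Ethereal's code. A packet is modelled as a mapping from
field abbreviation to the list of values it carries; ip.addr gets both the
source and destination address, which is what makes it a multiply-recurring
field in the sense of the man page.
"""
from typing import Callable, Dict, List

Packet = Dict[str, List[str]]

# Comparison operators in both spellings the page lists.
_OPS: Dict[str, Callable[[str, str], bool]] = {
    "eq": lambda a, b: a == b, "==": lambda a, b: a == b,
    "ne": lambda a, b: a != b, "!=": lambda a, b: a != b,
}


def make_ip_packet(src: str, dst: str) -> Packet:
    """Constructed IP packet carrying only the fields this example needs."""
    return {"ip": ["present"], "ip.src": [src], "ip.dst": [dst], "ip.addr": [src, dst]}


def field_test(pkt: Packet, name: str, op: str, value: str) -> bool:
    """'name op value' holds if SOME occurrence of the field satisfies it.

    This is the implicit ``exists'' modifier the page describes; a field that
    is absent from the packet never satisfies the test.
    """
    return any(_OPS[op](v, value) for v in pkt.get(name, []))


def evaluate(pkt: Packet, expr: str) -> bool:
    """Evaluate 'field op value' or a bare 'field', optionally prefixed by not/!."""
    tokens = expr.split()
    negate = False
    while tokens and tokens[0] in ("not", "!"):
        negate = not negate
        tokens.pop(0)
    if len(tokens) == 1:                # existence test, e.g. "ip"
        result = bool(pkt.get(tokens[0]))
    elif len(tokens) == 3:
        result = field_test(pkt, tokens[0], tokens[1], tokens[2])
    else:
        raise ValueError(f"unsupported expression {expr!r}")
    return result != negate


def compare_filters(packets: List[Packet], name: str, value: str) -> List[bool]:
    """Per packet: True when 'name ne value' and 'not name eq value' disagree."""
    return [evaluate(p, f"{name} ne {value}") != evaluate(p, f"not {name} eq {value}")
            for p in packets]


if __name__ == "__main__":
    # Constructed packets; no real hosts involved.
    packets = [
        make_ip_packet("192.168.4.1", "10.0.0.5"),     # one address matches, one does not
        make_ip_packet("10.0.0.5", "10.0.0.9"),        # neither matches
        make_ip_packet("192.168.4.1", "192.168.4.1"),  # both match
    ]
    for expr in ("ip.addr ne 192.168.4.1", "not ip.addr eq 192.168.4.1"):
        print(f"{expr:28} -> {[evaluate(p, expr) for p in packets]}")
    # ip.addr ne 192.168.4.1       -> [True, True, False]
    # not ip.addr eq 192.168.4.1   -> [False, True, False]
    print(compare_filters(packets, "ip.addr", "192.168.4.1"))   # [True, False, False]
    print(compare_filters(packets, "ip.src", "192.168.4.1"))    # [False, False, False]
```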

The following is a table of protocols and protocol fields that are filterable in Ethereal. The abbreviation of the protocol or field is given. This abbreviation is what you use in the display filter. The type of the field is also given.

802.1q Virtual LAN (vlan)

    vlan.cfi  CFI        Unsigned 16-bit integer
    vlan.etype  Type        Unsigned 16-bit integer
    vlan.id  ID        Unsigned 16-bit integer
    vlan.len  Length        Unsigned 16-bit integer
    vlan.priority  Priority        Unsigned 16-bit integer
    vlan.trailer  Trailer        Byte array
 

AOL Instant Messenger (aim)

    aim.channel  Channel ID        Unsigned 8-bit integer
    aim.cmd_start  Command Start        Unsigned 8-bit integer
    aim.datalen  Data Field Length        Unsigned 16-bit integer
    aim.fnac.family  FNAC Family ID        Unsigned 16-bit integer
    aim.fnac.subtype  FNAC Subtype ID        Unsigned 16-bit integer
    aim.seqno  Sequence Number        Unsigned 16-bit integer
 

ATM (atm)

    atm.vci  VCI        Unsigned 16-bit integer
    atm.vpi  VPI        Unsigned 8-bit integer
 

ATM LAN Emulation (lane)

 

Address Resolution Protocol (arp)

    arp.dst.atm_num_e164  Target ATM number (E.164)        String
    arp.dst.atm_num_nsap  Target ATM number (NSAP)        Byte array
    arp.dst.atm_subaddr  Target ATM subaddress        Byte array
    arp.dst.hlen  Target ATM number length        Unsigned 8-bit integer
    arp.dst.htype  Target ATM number type        Boolean
    arp.dst.hw  Target hardware address        Byte array
    arp.dst.pln  Target protocol size        Unsigned 8-bit integer
    arp.dst.proto  Target protocol address        Byte array
    arp.dst.slen  Target ATM subaddress length        Unsigned 8-bit integer
    arp.dst.stype  Target ATM subaddress type        Boolean
    arp.hw.size  Hardware size        Unsigned 8-bit integer
    arp.hw.type  Hardware type        Unsigned 16-bit integer
    arp.opcode  Opcode        Unsigned 16-bit integer
    arp.proto.size  Protocol size        Unsigned 8-bit integer
    arp.proto.type  Protocol type        Unsigned 16-bit integer
    arp.src.atm_num_e164  Sender ATM number (E.164)        String
    arp.src.atm_num_nsap  Sender ATM number (NSAP)        Byte array
    arp.src.atm_subaddr  Sender ATM subaddress        Byte array
    arp.src.hlen  Sender ATM number length        Unsigned 8-bit integer
    arp.src.htype  Sender ATM number type        Boolean
    arp.src.hw  Sender hardware address        Byte array
    arp.src.pln  Sender protocol size        Unsigned 8-bit integer
    arp.src.proto  Sender protocol address        Byte array
    arp.src.slen  Sender ATM subaddress length        Unsigned 8-bit integer
    arp.src.stype  Sender ATM subaddress type        Boolean
 

Andrew File System (AFS) (afs)

    afs.backup  Backup        Boolean
    afs.backup.errcode  Error Code        Unsigned 32-bit integer
    afs.backup.opcode  Operation        Unsigned 32-bit integer
    afs.bos  BOS        Boolean
    afs.bos.baktime  Backup Time        Date/Time stamp
    afs.bos.cell  Cell        String
    afs.bos.cmd  Command        String
    afs.bos.content  Content        String
    afs.bos.data  Data        Byte array
    afs.bos.date  Date        Unsigned 32-bit integer
    afs.bos.errcode  Error Code        Unsigned 32-bit integer
    afs.bos.error  Error        String
    afs.bos.file  File        String
    afs.bos.flags  Flags        Unsigned 32-bit integer
    afs.bos.host  Host        String
    afs.bos.instance  Instance        String
    afs.bos.key  Key        Byte array
    afs.bos.keychecksum  Key Checksum        Unsigned 32-bit integer
    afs.bos.keymodtime  Key Modification Time        Date/Time stamp
    afs.bos.keyspare2  Key Spare 2        Unsigned 32-bit integer
    afs.bos.kvno  Key Version Number        Unsigned 32-bit integer
    afs.bos.newtime  New Time        Date/Time stamp
    afs.bos.number  Number        Unsigned 32-bit integer
    afs.bos.oldtime  Old Time        Date/Time stamp
    afs.bos.opcode  Operation        Unsigned 32-bit integer
    afs.bos.parm  Parm        String
    afs.bos.path  Path        String
    afs.bos.size  Size        Unsigned 32-bit integer
    afs.bos.spare1  Spare1        String
    afs.bos.spare2  Spare2        String
    afs.bos.spare3  Spare3        String
    afs.bos.status  Status        Signed 32-bit integer
    afs.bos.statusdesc  Status Description        String
    afs.bos.type  Type        String
    afs.bos.user  User        String
    afs.cb  Callback        Boolean
    afs.cb.callback.expires  Expires        Date/Time stamp
    afs.cb.callback.type  Type        Unsigned 32-bit integer
    afs.cb.callback.version  Version        Unsigned 32-bit integer
    afs.cb.errcode  Error Code        Unsigned 32-bit integer
    afs.cb.fid.uniq  FileID (Uniqifier)        Unsigned 32-bit integer
    afs.cb.fid.vnode  FileID (VNode)        Unsigned 32-bit integer
    afs.cb.fid.volume  FileID (Volume)        Unsigned 32-bit integer
    afs.cb.opcode  Operation        Unsigned 32-bit integer
    afs.error  Error        Boolean
    afs.error.opcode  Operation        Unsigned 32-bit integer
    afs.fs  File Server        Boolean
    afs.fs.acl.a  _A_dminister        Unsigned 8-bit integer
    afs.fs.acl.count.negative  ACL Count (Negative)        Unsigned 32-bit integer
    afs.fs.acl.count.positive  ACL Count (Positive)        Unsigned 32-bit integer
    afs.fs.acl.d  _D_elete        Unsigned 8-bit integer
    afs.fs.acl.datasize  ACL Size        Unsigned 32-bit integer
    afs.fs.acl.entity  Entity (User/Group)        String
    afs.fs.acl.i  _I_nsert        Unsigned 8-bit integer
    afs.fs.acl.k  _L_ock        Unsigned 8-bit integer
    afs.fs.acl.l  _L_ookup        Unsigned 8-bit integer
    afs.fs.acl.r  _R_ead        Unsigned 8-bit integer
    afs.fs.acl.w  _W_rite        Unsigned 8-bit integer
    afs.fs.callback.expires  Expires        Date/Time stamp
    afs.fs.callback.type  Type        Unsigned 32-bit integer
    afs.fs.callback.version  Version        Unsigned 32-bit integer
    afs.fs.cps.spare1  CPS Spare1        Unsigned 32-bit integer
    afs.fs.cps.spare2  CPS Spare2        Unsigned 32-bit integer
    afs.fs.cps.spare3  CPS Spare3        Unsigned 32-bit integer
    afs.fs.data  Data        Byte array
    afs.fs.errcode  Error Code        Unsigned 32-bit integer
    afs.fs.fid.uniq  FileID (Uniqifier)        Unsigned 32-bit integer
    afs.fs.fid.vnode  FileID (VNode)        Unsigned 32-bit integer
    afs.fs.fid.volume  FileID (Volume)        Unsigned 32-bit integer
    afs.fs.flength  FLength        Unsigned 32-bit integer
    afs.fs.ipaddr  IP Address        IPv4 address
    afs.fs.length  Length        Unsigned 32-bit integer
    afs.fs.motd  Message of the Day        String
    afs.fs.name  Name        String
    afs.fs.newname  New Name        String
    afs.fs.offlinemsg  Offline Message        String
    afs.fs.offset  Offset        Unsigned 32-bit integer
    afs.fs.oldname  Old Name        String
    afs.fs.opcode  Operation        Unsigned 32-bit integer
    afs.fs.status.anonymousaccess  Anonymous Access        Unsigned 32-bit integer
    afs.fs.status.author  Author        Unsigned 32-bit integer
    afs.fs.status.calleraccess  Caller Access        Unsigned 32-bit integer
    afs.fs.status.clientmodtime  Client Modification Time        Date/Time stamp
    afs.fs.status.dataversion  Data Version        Unsigned 32-bit integer
    afs.fs.status.dataversionhigh  Data Version (High)        Unsigned 32-bit integer
    afs.fs.status.filetype  File Type        Unsigned 32-bit integer
    afs.fs.status.group  Group        Unsigned 32-bit integer
    afs.fs.status.interfaceversion  Interface Version        Unsigned 32-bit integer
    afs.fs.status.length  Length        Unsigned 32-bit integer
    afs.fs.status.linkcount  Link Count        Unsigned 32-bit integer
    afs.fs.status.mask  Mask        Unsigned 32-bit integer
    afs.fs.status.mask.fsync  FSync        Unsigned 32-bit integer
    afs.fs.status.mask.setgroup  Set Group        Unsigned 32-bit integer
    afs.fs.status.mask.setmode  Set Mode        Unsigned 32-bit integer
    afs.fs.status.mask.setmodtime  Set Modification Time        Unsigned 32-bit integer
    afs.fs.status.mask.setowner  Set Owner        Unsigned 32-bit integer
    afs.fs.status.mask.setsegsize  Set Segment Size        Unsigned 32-bit integer
    afs.fs.status.mode  Unix Mode        Unsigned 32-bit integer
    afs.fs.status.owner  Owner        Unsigned 32-bit integer
    afs.fs.status.parentunique  Parent Unique        Unsigned 32-bit integer
    afs.fs.status.parentvnode  Parent VNode        Unsigned 32-bit integer
    afs.fs.status.segsize  Segment Size        Unsigned 32-bit integer
    afs.fs.status.servermodtime  Server Modification Time        Date/Time stamp
    afs.fs.status.spare2  Spare 2        Unsigned 32-bit integer
    afs.fs.status.spare3  Spare 3        Unsigned 32-bit integer
    afs.fs.status.spare4  Spare 4        Unsigned 32-bit integer
    afs.fs.status.synccounter  Sync Counter        Unsigned 32-bit integer
    afs.fs.symlink.content  Symlink Content        String
    afs.fs.symlink.name  Symlink Name        String
    afs.fs.timestamp  Timestamp        Date/Time stamp
    afs.fs.token  Token        Byte array
    afs.fs.viceid  Vice ID        Unsigned 32-bit integer
    afs.fs.vicelocktype  Vice Lock Type        Unsigned 32-bit integer
    afs.fs.volid  Volume ID        Unsigned 32-bit integer
    afs.fs.volname  Volume Name        String
    afs.fs.volsync.spare1  Spare 1        Unsigned 32-bit integer
    afs.fs.volsync.spare2  Spare 2        Unsigned 32-bit integer
    afs.fs.volsync.spare3  Spare 3        Unsigned 32-bit integer
    afs.fs.volsync.spare4  Spare 4        Unsigned 32-bit integer
    afs.fs.volsync.spare5  Spare 5        Unsigned 32-bit integer
    afs.fs.volsync.spare6  Spare 6        Unsigned 32-bit integer
    afs.fs.xstats.clientversion  Client Version        Unsigned 32-bit integer
    afs.fs.xstats.collnumber  Collection Number        Unsigned 32-bit integer
    afs.fs.xstats.timestamp  XStats Timestamp        Unsigned 32-bit integer
    afs.fs.xstats.version  XStats Version        Unsigned 32-bit integer
    afs.kauth  KAuth        Boolean
    afs.kauth.data  Data        Byte array
    afs.kauth.domain  Domain        String
    afs.kauth.errcode  Error Code        Unsigned 32-bit integer
    afs.kauth.kvno  Key Version Number        Unsigned 32-bit integer
    afs.kauth.name  Name        String
    afs.kauth.opcode  Operation        Unsigned 32-bit integer
    afs.kauth.princ  Principal        String
    afs.kauth.realm  Realm        String
    afs.prot  Protection        Boolean
    afs.prot.count  Count        Unsigned 32-bit integer
    afs.prot.errcode  Error Code        Unsigned 32-bit integer
    afs.prot.flag  Flag        Unsigned 32-bit integer
    afs.prot.gid  Group ID        Unsigned 32-bit integer
    afs.prot.id  ID        Unsigned 32-bit integer
    afs.prot.maxgid  Maximum Group ID        Unsigned 32-bit integer
    afs.prot.maxuid  Maximum User ID        Unsigned 32-bit integer
    afs.prot.name  Name        String
    afs.prot.newid  New ID        Unsigned 32-bit integer
    afs.prot.oldid  Old ID        Unsigned 32-bit integer
    afs.prot.opcode  Operation        Unsigned 32-bit integer
    afs.prot.pos  Position        Unsigned 32-bit integer
    afs.prot.uid  User ID        Unsigned 32-bit integer
    afs.rmtsys  Rmtsys        Boolean
    afs.rmtsys.opcode  Operation        Unsigned 32-bit integer
    afs.ubik  Ubik        Boolean
    afs.ubik.activewrite  Active Write        Unsigned 32-bit integer
    afs.ubik.addr  Address        IPv4 address
    afs.ubik.amsyncsite  Am Sync Site        Unsigned 32-bit integer
    afs.ubik.anyreadlocks  Any Read Locks        Unsigned 32-bit integer
    afs.ubik.anywritelocks  Any Write Locks        Unsigned 32-bit integer
    afs.ubik.beaconsincedown  Beacon Since Down        Unsigned 32-bit integer
    afs.ubik.currentdb  Current DB        Unsigned 32-bit integer
    afs.ubik.currenttran  Current Transaction        Unsigned 32-bit integer
    afs.ubik.epochtime  Epoch Time        Date/Time stamp
    afs.ubik.errcode  Error Code        Unsigned 32-bit integer
    afs.ubik.file  File        Unsigned 32-bit integer
    afs.ubik.interface  Interface Address        IPv4 address
    afs.ubik.isclone  Is Clone        Unsigned 32-bit integer
    afs.ubik.lastbeaconsent  Last Beacon Sent        Date/Time stamp
    afs.ubik.lastvote  Last Vote        Unsigned 32-bit integer
    afs.ubik.lastvotetime  Last Vote Time        Date/Time stamp
    afs.ubik.lastyesclaim  Last Yes Claim        Date/Time stamp
    afs.ubik.lastyeshost  Last Yes Host        IPv4 address
    afs.ubik.lastyesstate  Last Yes State        Unsigned 32-bit integer
    afs.ubik.lastyesttime  Last Yes Time        Date/Time stamp
    afs.ubik.length  Length        Unsigned 32-bit integer
    afs.ubik.lockedpages  Locked Pages        Unsigned 32-bit integer
    afs.ubik.locktype  Lock Type        Unsigned 32-bit integer
    afs.ubik.lowesthost  Lowest Host        IPv4 address
    afs.ubik.lowesttime  Lowest Time        Date/Time stamp
    afs.ubik.now  Now        Date/Time stamp
    afs.ubik.nservers  Number of Servers        Unsigned 32-bit integer
    afs.ubik.opcode  Operation        Unsigned 32-bit integer
    afs.ubik.position  Position        Unsigned 32-bit integer
    afs.ubik.recoverystate  Recovery State        Unsigned 32-bit integer
    afs.ubik.site  Site        IPv4 address
    afs.ubik.state  State        Unsigned 32-bit integer
    afs.ubik.synchost  Sync Host        IPv4 address
    afs.ubik.syncsiteuntil  Sync Site Until        Date/Time stamp
    afs.ubik.synctime  Sync Time        Date/Time stamp
    afs.ubik.tidcounter  TID Counter        Unsigned 32-bit integer
    afs.ubik.up  Up        Unsigned 32-bit integer
    afs.ubik.version.counter  Counter        Unsigned 32-bit integer
    afs.ubik.version.epoch  Epoch        Date/Time stamp
    afs.ubik.voteend  Vote Ends        Date/Time stamp
    afs.ubik.votestart  Vote Started        Date/Time stamp
    afs.ubik.votetype  Vote Type        Unsigned 32-bit integer
    afs.ubik.writelockedpages  Write Locked Pages        Unsigned 32-bit integer
    afs.ubik.writetran  Write Transaction        Unsigned 32-bit integer
    afs.update  Update        Boolean
    afs.update.opcode  Operation        Unsigned 32-bit integer
    afs.vldb  VLDB        Boolean
    afs.vldb.bkvol  Backup Volume ID        Unsigned 32-bit integer
    afs.vldb.bump  Bumped Volume ID        Unsigned 32-bit integer
    afs.vldb.count  Volume Count        Unsigned 32-bit integer
    afs.vldb.errcode  Error Code        Unsigned 32-bit integer
    afs.vldb.id  Volume ID        Unsigned 32-bit integer
    afs.vldb.index  Volume Index        Unsigned 32-bit integer
    afs.vldb.name  Volume Name        String
    afs.vldb.nextindex  Next Volume Index        Unsigned 32-bit integer
    afs.vldb.numservers  Number of Servers        Unsigned 32-bit integer
    afs.vldb.opcode  Operation        Unsigned 32-bit integer
    afs.vldb.partition  Partition        String
    afs.vldb.rovol  Read-Only Volume ID        Unsigned 32-bit integer
    afs.vldb.rwvol  Read-Write Volume ID        Unsigned 32-bit integer
    afs.vldb.server  Server        IPv4 address
    afs.vldb.serveruuid  Server UUID        Byte array
    afs.vldb.type  Volume Type        Unsigned 32-bit integer
    afs.vol  Volume Server        Boolean
    afs.vol.count  Volume Count        Unsigned 32-bit integer
    afs.vol.errcode  Error Code        Unsigned 32-bit integer
    afs.vol.id  Volume ID        Unsigned 32-bit integer
    afs.vol.name  Volume Name        String
    afs.vol.opcode  Operation        Unsigned 32-bit integer
 

Appletalk Address Resolution Protocol (aarp)

    aarp.dst.ether  Target ether        Byte array
    aarp.dst.id  Target ID        Byte array
    aarp.hard.size  Hardware size        Unsigned 8-bit integer
    aarp.hard.type  Hardware type        Unsigned 16-bit integer
    aarp.opcode  Opcode        Unsigned 16-bit integer
    aarp.proto.size  Protocol size        Unsigned 8-bit integer
    aarp.proto.type  Protocol type        Unsigned 16-bit integer
    aarp.src.ether  Sender ether        Byte array
    aarp.src.id  Sender ID        Byte array
 

Async data over ISDN (V.120) (v120)

    v120.address  Link Address        Unsigned 16-bit integer
    v120.control  Control Field        Unsigned 16-bit integer
    v120.header  Header Field        String
 

Authentication Header (ah)

    ah.sequence  Sequence        Unsigned 32-bit integer
    ah.spi  SPI        Unsigned 32-bit integer
 

BACnet Virtual Link Control (bvlc)

    bvlc.bdt_ip  IP        IPv4 address
    bvlc.bdt_mask  Mask        Byte array
    bvlc.bdt_port  Port        Unsigned 16-bit integer
    bvlc.fdt_ip  IP        IPv4 address
    bvlc.fdt_port  Port        Unsigned 16-bit integer
    bvlc.fdt_timeout  Timeout        Unsigned 16-bit integer
    bvlc.fdt_ttl  TTL        Unsigned 16-bit integer
    bvlc.function  Function        Unsigned 8-bit integer
    bvlc.fwd_ip  IP        IPv4 address
    bvlc.fwd_port  Port        Unsigned 16-bit integer
    bvlc.length  Length        Unsigned 16-bit integer
    bvlc.reg_ttl  TTL        Unsigned 16-bit integer
    bvlc.result  Result        Unsigned 16-bit integer
    bvlc.type  Type        Unsigned 8-bit integer
 

Banyan Vines (vines)

    vines.protocol  Protocol        Unsigned 8-bit integer
 

Banyan Vines Fragmentation Protocol (vines_frp)

 

Banyan Vines SPP (vines_spp)

 

Blocks eXtensible eXchange Protocol (bxxp)

    bxxp.channel  Channel        Unsigned 32-bit integer
    bxxp.end  End        Boolean
    bxxp.more.complete  Complete        Boolean
    bxxp.more.intermediate  Intermediate        Boolean
    bxxp.req  Request        Boolean
    bxxp.req.channel  Request Channel Number        Unsigned 32-bit integer
    bxxp.rsp  Response        Boolean
    bxxp.rsp.channel  Response Channel Number        Unsigned 32-bit integer
    bxxp.seq  Sequence        Boolean
    bxxp.seq.ackno  Ackno        Unsigned 32-bit integer
    bxxp.seq.channel  Sequence Channel Number        Unsigned 32-bit integer
    bxxp.seq.window  Window        Unsigned 32-bit integer
    bxxp.seqno  Seqno        Unsigned 32-bit integer
    bxxp.serial  Serial        Unsigned 32-bit integer
    bxxp.size  Size        Unsigned 32-bit integer
    bxxp.status.negative  Negative        Boolean
    bxxp.status.positive  Positive        Boolean
    bxxp.violation  Protocol Violation        Boolean
 

Boot Parameters (bootparams)

    bootparams.domain  Client Domain        String
    bootparams.fileid  File ID        String
    bootpara