MAN page from RedHat 7.X ethereal-0.8.20-1.i386.rpm
Section: The Ethereal Network Analyzer (1)
NAME
ethereal - Interactively browse network traffic
SYNOPSIS
ethereal [ -B byte view height ] [ -c count ] [ -f capture filter expression ] [ -h ] [ -i interface ] [ -k ] [ -l ] [ -m font ] [ -n ] [ -N resolving flags ] [ -o preference setting ] ... [ -p ] [ -P packet list height ] [ -Q ] [ -r infile ] [ -R display filter expression ] [ -S ] [ -s snaplen ] [ -T tree view height ] [ -t time stamp format ] [ -v ] [ -w savefile ]
DESCRIPTION
Ethereal is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Ethereal knows how to read libpcap capture files, including those of tcpdump. In addition, Ethereal can read capture files from snoop (compressed or uncompressed), Microsoft Network Monitor, router debug output, HP-UX, the dump output from Toshiba's ISDN routers, the output from i4btrace from the ISDN4BSD project, the output in IPLog format from the Cisco Secure Intrusion Detection System, and pppd logs (pppdump format). There is no need to tell Ethereal what type of file you are reading; it will determine the file type by itself. Ethereal is also capable of reading any of these file formats if they are compressed using gzip. Ethereal recognizes this directly from the file; the '.gz' extension is not required for this purpose.
Like other protocol analyzers, Ethereal's main window shows 3 views of a packet. It shows a summary line, briefly describing what the packet is. A protocol tree is shown, allowing you to drill down to the exact protocol or field that you are interested in. Finally, a hex dump shows you exactly what the packet looks like when it goes over the wire.
In addition, Ethereal has some features that make it unique. It can assemble all the packets in a TCP conversation and show you the ASCII (or EBCDIC, or hex) data in that conversation. Display filters in Ethereal are very powerful; more fields are filterable in Ethereal than in other protocol analyzers, and the syntax you can use to create your filters is richer. As Ethereal progresses, expect more and more protocol fields to be allowed in display filters.
Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap library. This syntax is different from the display filter syntax.
Compressed file support uses (and therefore requires) the zlib library. If the zlib library is not present, Ethereal will compile, but will be unable to read compressed files.
OPTIONS
- -B byte view height
- Sets the initial height of the byte view (bottom) pane.
- -c count
- Sets the default number of packets to read when capturing live data.
- -f capture filter expression
- Sets the capture filter expression.
- -h
- Prints the version and options and exits.
- -i interface
- Sets the name of the network interface or pipe to use for live packet capture. Network interface names should match one of the names listed in ``netstat -i'' or ``ifconfig -a''. Pipe names should be either the name of a FIFO (named pipe) or ``-'' to read data from the standard input. Data read from pipes must be in libpcap format.
- -k
- Starts the capture session immediately. If the -i flag was specified, the capture uses the specified interface. Otherwise, Ethereal searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces; if there are no interfaces, Ethereal reports an error and doesn't start the capture.
- -l
- Turns on automatic scrolling if the packet display is being updated automatically as packets arrive during a capture (as specified by the -S flag).
- -m font
- Sets the name of the font used by Ethereal for most text. Ethereal will construct the name of the bold font used for the data in the byte view pane that corresponds to the field selected in the protocol tree pane from the name of the main text font.
- -n
- Disables network object name resolution (such as hostname, TCP and UDP port names).
- -N resolving flags
- Turns on name resolving for particular types of addresses and port numbers; the argument is a string that may contain the letters m to enable MAC address resolution, n to enable network address resolution, and t to enable transport-layer port number resolution. This overrides -n if both -N and -n are present.
- -o preference setting
- Sets a preference value, overriding the default value and any value read from a preference file. The argument to the flag is a string of the form prefname:value, where prefname is the name of the preference (which is the same name that would appear in the preference file), and value is the value to which it should be set.
- -p
- Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Ethereal is running, broadcast traffic, and multicast traffic to addresses received by that machine.
- -P packet list height
- Sets the initial height of the packet list (top) pane.
- -Q
- Causes Ethereal to exit after the end of the capture session (useful in batch mode with the -c option, for instance); this option requires the -i and -w parameters.
- -r infile
- Reads packet data from file.
- -R display filter expression
- When reading a capture file specified with the -r flag, causes the specified filter (which uses the syntax of display filters, rather than that of capture filters) to be applied to all packets read from the capture file; packets not matching the filter are discarded.
- -S
- Specifies that the live packet capture will be performed in a separate process, and that the packet display will automatically be updated as packets are seen.
- -s snaplen
- Sets the default snapshot length to use when capturing live data. No more than snaplen bytes of each network packet will be read into memory, or saved to disk.
- -T tree view height
- Sets the initial height of the tree view (middle) pane.
- -t time stamp format
- Sets the format of the packet timestamp displayed in the packet list window. The format can be one of 'r' (relative), 'a' (absolute), 'ad' (absolute with date), or 'd' (delta). The relative time is the time elapsed between the first packet and the current packet. The absolute time is the actual time the packet was captured, with no date displayed; the absolute date and time is the actual time and date the packet was captured. The delta time is the time since the previous packet was captured. The default is relative.
- -v
- Prints the version and exits.
- -w savefile
- Sets the default capture file name.
MENU ITEMS
- File:Open, File:Close, File:Reload
- Open, close, or reload a capture file. The File:Open dialog box allows a filter to be specified; when the capture file is read, the filter is applied to all packets read from the file, and packets not matching the filter are discarded.
- File:Save, File:Save As
- Save the current capture, or the packets currently displayed from that capture, to a file. Check boxes let you select whether to save all packets, or just those that have passed the current display filter and/or those that are currently marked, and an option menu lets you select a file format in which to save it (from a list of the file formats in which that particular capture, or the packets currently displayed from that capture, can be saved).
- File:Print
- Prints, for all the packets in the current capture, either the summary line for the packet or the protocol tree view of the packet; when printing the protocol tree view, the hex dump of the packet can be printed as well. Printing options can be set with the Edit:Preferences menu item, or in the dialog box popped up by this item.
- File:Print Packet
- Print a fully-expanded protocol tree view of the currently-selected packet. Printing options can be set with the Edit:Preferences menu item.
- File:Quit
- Exits the application.
- Edit:Find Frame
- Allows you to search forward or backward, starting with the currently selected packet (or the most recently selected packet, if no packet is selected), for a packet matching a given display filter.
- Edit:Go To Frame
- Allows you to go to a particular numbered packet.
- Edit:Mark Frame
- Allows you to mark (or unmark if currently marked) the selected packet.
- Edit:Mark All Frames
- Allows you to mark all packets that are currently displayed.
- Edit:Unmark All Frames
- Allows you to unmark all packets that are currently displayed.
- Edit:Preferences
- Sets the packet printing, column display, TCP stream coloring, and GUI options (see the section on "Preferences" below).
- Edit:Capture Filters
- Edits the saved list of capture filters, allowing filters to be added, changed, or deleted.
- Edit:Display Filters
- Edits the saved list of display filters, allowing filters to be added, changed, or deleted.
- Edit:Protocols
- Edits the list of protocols, allowing protocol dissection to be enabled or disabled.
- Capture:Start
- Initiates a live packet capture (see the section on "Capture Preferences" below). A temporary file will be created to hold the capture. The location of the file can be chosen by setting your TMPDIR environment variable before starting Ethereal. Otherwise, the default TMPDIR location is system-dependent, but is likely either /var/tmp or /tmp.
- Capture:Stop
- In a capture that updates the packet display as packets arrive (so that Ethereal responds to user input other than pressing the ``Stop'' button in the capture packet statistics dialog box), stops the capture.
- Display:Options
- Allows you to set the format of the packet timestamp displayed in the packet list window to relative, absolute, absolute date and time, or delta, to enable or disable the automatic scrolling of the packet list while a live capture is in progress, or to enable or disable translation of addresses to names in the display.
- Display:Match Selected
- Creates and applies a display filter based on the data that is currently highlighted in the protocol tree. If that data is a field that can be tested in a display filter expression, the display filter will test that field; otherwise, the display filter will be based on absolute offset within the packet, and so could be unreliable if the packet contains protocols with variable-length headers, such as a source-routed token-ring packet.
- Display:Colorize Display
- Allows you to change the foreground and background colors of the packet information in the list of packets, based upon display filters. The list of display filters is applied to each packet sequentially. After the first display filter matches a packet, any additional display filters in the list are ignored. Therefore, if you are filtering on the existence of protocols, you should list the higher-level protocols first, and the lower-level protocols last.
- Display:Collapse All
- Collapses the protocol tree branches.
- Display:Expand All
- Expands all branches of the protocol tree.
- Display:Show Packet In New Window
- Creates a new window containing a protocol tree view and a hex dump window of the currently selected packet; this window will continue to display that packet's protocol tree and data even if another packet is selected.
- Display:User Specified Decodes
- Creates a new window showing whether any protocol ID to dissector mappings have been changed by the user. This window also allows the user to reset all decodes to their default values.
- Tools:Plugins
- Allows you to see what dynamically loadable dissector plugin modules have been loaded (see ``Plugins'' below).
- Tools:Follow TCP Stream
- If you have a TCP packet selected, it will display the contents of the data stream for the TCP connection to which that packet belongs, as text, in a separate window, and will leave the list of packets in a filtered state, with only those packets that are part of that TCP connection being displayed. You can revert to your old view by pressing ENTER in the display filter text box, thereby invoking your old display filter (or resetting it back to no display filter).
The window in which the data stream is displayed lets you select:
- whether to display the entire conversation, or one or the other side of it;
- whether the data being displayed is to be treated as ASCII or EBCDIC text or as raw hex data;
and lets you print what's currently being displayed, using the same print options that are used for the File:Print Packet menu item, or save it as text to a file.
- Tools:Decode As
- If you have a packet selected, this menu item will present a dialog allowing you to change which dissectors are used to decode this packet. The dialog has one panel each for the link layer, network layer and transport layer protocol/port numbers, and will allow each of these to be changed independently. For example, if the selected packet is a TCP packet to port 12345, using this dialog you can instruct Ethereal to decode all packets to or from that TCP port as HTTP packets.
- Tools:Protocol Hierarchy Statistics
- This shows the number of packets, and the number of bytes in those packets, for each protocol in the trace. It organizes the protocols in the same hierarchy in which they were found in the trace. Besides counting the packets in which the protocol exists, a count is also made for packets in which the protocol is the last protocol in the stack. These last-protocol counts show you how many packets (and the byte count associated with those packets) ended in a particular protocol. In the table, they are listed under ``End Packets'' and ``End Bytes''.
WINDOWS
- Main Window
- The main window is split into three panes. You can resize each pane using a ``thumb'' at the right end of each divider line. Below the panes is a strip that shows the current filter and informational text.
- Top Pane
- The top pane contains the list of network packets that you can scroll through and select. By default, the packet number, packet timestamp, source and destination addresses, protocol, and description are displayed for each packet; the Columns page in the dialog box popped up by Edit:Preferences lets you change this (although, unfortunately, you currently have to save the preferences, and exit and restart Ethereal, for those changes to take effect).
If you click on the heading for a column, the display will be sorted by that column; clicking on the heading again will reverse the sort order for that column.
An effort is made to display information as high up the protocol stack as possible, e.g. IP addresses are displayed for IP packets, but the MAC layer address is displayed for unknown packet types.
The right mouse button can be used to pop up a menu of operations.
The middle mouse button can be used to mark a packet.
- Middle Pane
- The middle pane contains a protocol tree for the currently-selected packet. The tree displays each field and its value in each protocol header in the stack. The right mouse button can be used to pop up a menu of operations.
- Bottom Pane
- The lowest pane contains a hex dump of the actual packet data. Selecting a field in the protocol tree highlights the corresponding bytes in this section.
The right mouse button can be used to pop up a menu of operations.
- Current Filter
- A display filter can be entered into the strip at the bottom. A filter for HTTP, HTTPS, and DNS traffic might look like this:
tcp.port == 80 || tcp.port == 443 || tcp.port == 53
Selecting the Filter: button lets you choose from a list of named filters that you can optionally save. Pressing the Return or Enter keys will cause the filter to be applied to the current list of packets. Selecting the Reset button clears the display filter so that all packets are displayed.
- Preferences
- The Preferences dialog lets you control various personal preferences for the behavior of Ethereal.
- Printing Preferences
- The radio buttons at the top of the Printing page allow you to choose between printing packets with the File:Print Packet menu item as text or PostScript, and sending the output directly to a command or saving it to a file. The Command: text entry box is the command to send files to (usually lpr), and the File: entry box lets you enter the name of the file you wish to save to. Additionally, you can select the File: button to browse the file system for a particular save file.
- Column Preferences
- The Columns page lets you specify the number, title, and format of each column in the packet list.
The Column title entry is used to specify the title of the column displayed at the top of the packet list. The type of data that the column displays can be specified using the Column format option menu. The row of buttons on the left perform the following actions:
- New
- Adds a new column to the list.
- Change
- Modifies the currently selected list item.
- Delete
- Deletes the currently selected list item.
- Up / Down
- Moves the selected list item up or down one position.
- OK
- Currently has no effect.
- Save
- Saves the current column format as the default.
- Cancel
- Closes the dialog without making any changes.
- TCP Stream Preferences
- The TCP Streams page can be used to change the color of the text displayed in the TCP stream window. To change a color, simply select an attribute from the ``Set:'' menu and use the color selector to get the desired color. The new text colors are displayed in a sample window.
- GUI Preferences
- The GUI page is used to modify small aspects of the GUI to your own personal taste:
- Scrollbars
- The vertical scrollbars in the three panes can be set to be either on the left or the right.
- Selection Bars
- The selection bar in the packet list and protocol tree can have either a ``browse'' or ``select'' behavior. If the selection bar has a ``browse'' behavior, the arrow keys will move an outline of the selection bar, allowing you to browse the rest of the list or tree without changing the selection until you press the space bar. If the selection bar has a ``select'' behavior, the arrow keys will move the selection bar and change the selection to the new item in the packet list or protocol tree. The highlight method in the hex dump display for the selected protocol item can be set to use either inverse video, or bold characters.
- The ``Font...'' button lets you select the font to be used for most text.
- The ``Colors...'' button lets you select the colors to be used, for instance, for the marked frames.
- Protocol Preferences
- There are also pages for various protocols that Ethereal dissects, controlling the way Ethereal handles those protocols.
- Edit Capture Filter List
- Edit Display Filter List
- Capture Filter
- Display Filter
- Read Filter
- Search Filter
- The Edit Capture Filter List dialog lets you create, modify, and delete capture filters, and the Edit Display Filter List dialog lets you create, modify, and delete display filters.
The Capture Filter dialog lets you do all of the editing operations listed, and also lets you choose or construct a filter to be used when capturing packets.
The Display Filter dialog lets you do all of the editing operations listed, and also lets you choose or construct a filter to be used to filter the current capture being viewed.
The Read Filter dialog lets you do all of the editing operations listed, and also lets you choose or construct a filter to be used as a read filter for a capture file you open.
The Search Filter dialog lets you do all of the editing operations listed, and also lets you choose or construct a filter expression to be used in a find operation.
In all of those dialogs, the Filter name entry specifies a descriptive name for a filter, e.g. Web and DNS traffic. The Filter string entry is the text that actually describes the filtering action to take, as described above. The dialog buttons perform the following actions:
- New
- If there is text in the two entry boxes, creates a new associated list item.
- Change
- Modifies the currently selected list item to match what's in the entry boxes.
- Copy
- Makes a copy of the currently selected list item.
- Delete
- Deletes the currently selected list item.
- Add Expression...
- For display filter expressions, pops up a dialog box to allow you to construct a filter expression to test a particular field; it offers lists of field names, and, when appropriate, lists from which to select tests to perform on the field and values with which to compare it. In that dialog box, the OK button will cause the filter expression you constructed to be entered into the Filter string entry at the current cursor position.
- OK
- In the Capture Filter dialog, closes the dialog box and makes the filter in the Filter string entry the filter in the Capture Preferences dialog. In the Display Filter dialog, closes the dialog box and makes the filter in the Filter string entry the current display filter, and applies it to the current capture. In the Read Filter dialog, closes the dialog box and makes the filter in the Filter string entry the filter in the Open Capture File dialog. In the Search Filter dialog, closes the dialog box and makes the filter in the Filter string entry the filter in the Find Frame dialog.
- Apply
- Makes the filter in the Filter string entry the current display filter, and applies it to the current capture.
- Save
- Saves the current filter list in $HOME/.ethereal/cfilters if the list of filters being edited is the list of capture filters or in $HOME/.ethereal/dfilters if the list of filters being edited is the list of display filters.
- Close
- Closes the dialog without doing anything with the filter in the Filter string entry.
- Capture Preferences
- The Capture Preferences dialog lets you specify various parameters for capturing live packet data.
The Interface: combo box lets you specify the interface from which to capture packet data, or the name of a FIFO from which to get the packet data. The Count: entry specifies the number of packets to capture. Entering 0 will capture packets indefinitely. The Filter: entry lets you specify the capture filter using a tcpdump-style filter string as described above. The File: entry specifies the file to save to, as in the Printer Options dialog above. You can specify the maximum number of bytes to capture per packet with the Capture length entry, can specify whether the interface is to be put in promiscuous mode or not with the Capture packets in promiscuous mode check box, can specify that the display should be updated as packets are captured with the Update list of packets in real time check box, can specify whether in such a capture the packet list pane should scroll to show the most recently captured packets with the Automatic scrolling in live capture check box, and can specify whether addresses should be translated to names in the display with the Enable MAC name resolution, Enable network name resolution and Enable transport name resolution check boxes.
- Display Options
- The Display Options dialog lets you specify the format of the time stamp in the packet list. You can select ``Time of day'' for absolute time stamps, ``Date and time of day'' for absolute time stamps with the date, ``Seconds since beginning of capture'' for relative time stamps, or ``Seconds since previous frame'' for delta time stamps. You can also specify whether, when the display is updated as packets are captured, the list should automatically scroll to show the most recently captured packets or not and whether addresses or port numbers should be translated to names in the display on a MAC, network and transport layer basis.
- Plugins
- The Plugins dialog lets you view the dissector plugin modules available on your system.
The Plugins List shows the name and version of each dissector plugin module found on your system. The plugins are searched for in the following directories: /usr/share/ethereal/plugins, /usr/local/share/ethereal/plugins and ~/.ethereal/plugins. Note that a dissector plugin module may support more than one protocol; there is not necessarily a one-to-one correspondence between dissector plugin modules and protocols. Protocols supported by a dissector plugin module are enabled and disabled using the Edit:Protocols dialog box, just as protocols built into Ethereal are.
CAPTURE FILTER SYNTAX
See the manual page of tcpdump.
DISPLAY FILTER SYNTAX
Display filters help you remove the noise from a packet trace and let you see only the packets that interest you. If a packet meets the requirements expressed in your display filter, then it is displayed in the list of packets. Display filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.
The simplest display filter allows you to check for the existence of a protocol or field. If you want to see all packets which contain the IPX protocol, the filter would be ``ipx'' (without the quotation marks). To see all packets that contain a Token-Ring RIF field, use ``tr.rif''.
Fields can also be compared against values. The comparison operators can be expressed either through C-like symbols, or through English-like abbreviations:
eq, ==    Equal
ne, !=    Not equal
gt, >     Greater than
lt, <     Less than
ge, >=    Greater than or equal to
le, <=    Less than or equal to
Furthermore, each protocol field is typed. The types are:
Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
Boolean
Ethernet address (6 bytes)
Byte string (n-number of bytes)
IPv4 address
IPv6 address
IPX network number
String (text)
Double-precision floating point number
An integer may be expressed in decimal, octal, or hexadecimal notation. The following three display filters are equivalent:
frame.pkt_len > 10
frame.pkt_len > 012
frame.pkt_len > 0xa
Boolean values are either true or false. In a display filter expression testing the value of a Boolean field, ``true'' is expressed as 1 or any other non-zero value, and ``false'' is expressed as zero. For example, a token-ring packet's source route field is boolean. To find any source-routed packets, a display filter would be:
tr.sr == 1
Non source-routed packets can be found with:
tr.sr == 0
Ethernet addresses, as well as a string of bytes, are represented in hex digits. The hex digits may be separated by colons, periods, or hyphens:
fddi.dst eq ff:ff:ff:ff:ff:ff
ipx.srcnode == 0.0.0.0.0.1
eth.src == aa-aa-aa-aa-aa-aa
If a string of bytes contains only one byte, then it is represented as an unsigned integer. That is, if you are testing for hex value 'ff' in a one-byte byte-string, you must compare it against '0xff' and not 'ff'.
IPv4 addresses can be represented in either dotted decimal notation, or by using the hostname:
ip.dst eq www.mit.edu
ip.src == 192.168.1.1
IPv4 addresses can be compared with the same logical relations as numbers: eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order, so you do not have to worry about the endianness of an IPv4 address when using it in a display filter.
Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network:
ip.addr == 129.111.0.0/16
Remember, the number after the slash represents the number of bits used to represent the network. CIDR notation can also be used with hostnames, in this example of finding IP addresses on the same Class C network as 'sneezy':
ip.addr eq sneezy/24
CIDR notation can only be used on IP addresses or hostnames, not in variable names. So, a display filter like ``ip.src/24 == ip.dst/24'' is not valid. (yet)
IPX networks are represented by unsigned 32-bit integers. Most likely you will be using hexadecimal when testing for IPX network values:
ipx.srcnet == 0xc0a82c00
A slice operator also exists. You can check the substring (byte-string) of any protocol or field. For example, you can filter on the vendor portion of an ethernet address (the first three bytes) like this:
eth.src[0:3] == 00:00:83
If the length of your byte-slice is only one byte, then it is still represented in hex, but without the preceding ``0x'':
llc == aa
You can use the slice operator on a protocol name, too. And remember, the ``frame'' protocol encompasses the entire packet, allowing you to look at the nth byte of a packet regardless of its frame type (Ethernet, token-ring, etc.).
token[0:5] ne 0.0.0.1.1
ipx[0:2] == ff:ff
llc[3:1] eq 0xaa
The following syntax governs slices:
[i:j]    i = start_offset, j = length
[i-j]    i = start_offset, j = end_offset, inclusive.
[i]      i = start_offset, length = 1
[:j]     start_offset = 0, length = j
[i:]     start_offset = i, end_offset = end_of_field
Offsets and lengths can be negative, in which case they indicate the offset from the end of the field. Here's how to check the last 4 bytes of a frame:
frame[-4:4] == 0.1.2.3
frame[-4:] == 0.1.2.3
You can create complex concatenations of slices using the comma operator:
field[1,3-5,9:] == 01:03:04:05:09:0a:0b
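The slice and byte-string rules above (the separator forms, the bare one-byte form, negative offsets and comma concatenation), implemented as an added Python example that is not part of the Ethereal man page or its source; the sample fields (ETH_SRC, FRAME, FIELD, LLC, TOKEN) are constructed and the helper names are assumptions, as is the rule that a slice length must be non-negative.

```python
import re
from typing import List

SEPARATORS = re.compile(r"[:.\-]")


def parse_bytestring(text: str) -> bytes:
    """Parse a byte-string literal: hex digits separated by ':', '.' or '-'
    (00:00:83, 0.1.2.3, aa-aa-aa-aa-aa-aa). A single byte may be written
    bare (aa) or as an integer (0xaa); the man page shows both forms."""
    t = text.strip()
    if not SEPARATORS.search(t) and t.lower().startswith("0x"):
        t = t[2:]
    return bytes(int(part, 16) for part in SEPARATORS.split(t))


def parse_slice(spec: str, length: int) -> List[int]:
    """Expand the text inside [...] into byte offsets of a field of the
    given length. Handles [i:j] [i-j] [i] [:j] [i:] and comma-separated
    concatenations. Negative offsets count from the end of the field;
    a length j must be non-negative (assumption made in this example)."""
    def norm(off: int) -> int:
        return off + length if off < 0 else off

    offsets: List[int] = []
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:
            i_txt, j_txt = item.split(":", 1)
            start = norm(int(i_txt)) if i_txt else 0
            count = int(j_txt) if j_txt else length - start  # [i:] runs to the end
            if count < 0:
                raise ValueError(f"negative length in [{spec}]")
            offsets.extend(range(start, start + count))
        elif (m := re.fullmatch(r"(-?\d+)-(-?\d+)", item)):  # [i-j], j inclusive
            start, end = norm(int(m.group(1))), norm(int(m.group(2)))
            offsets.extend(range(start, end + 1))
        else:                                                 # [i], one byte
            offsets.append(norm(int(item)))
    if any(o < 0 or o >= length for o in offsets):
        raise IndexError(f"[{spec}] falls outside a {length}-byte field")
    return offsets


def slice_field(field: bytes, spec: str) -> bytes:
    """The bytes selected by 'name[spec]'."""
    return bytes(field[o] for o in parse_slice(spec, len(field)))


def slice_test(field: bytes, spec: str, op: str, literal: str) -> bool:
    """Evaluate 'name[spec] OP literal' where OP is eq/== or ne/!=."""
    equal = slice_field(field, spec) == parse_bytestring(literal)
    if op in ("eq", "=="):
        return equal
    if op in ("ne", "!="):
        return not equal
    raise ValueError(f"unsupported operator {op!r} for byte-string slices")


# Constructed sample fields (not captured traffic).
ETH_SRC = bytes.fromhex("000083a1b2c3")                    # vendor prefix 00:00:83
FRAME = bytes([0x10, 0x20, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03])
FIELD = bytes(range(12))                                   # 00 01 02 ... 0b
LLC = bytes([0xaa, 0xaa, 0x03, 0xaa])
TOKEN = bytes([0x00, 0x00, 0x00, 0x01, 0x02, 0x80])


def demo() -> dict:
    """The man page's slice examples evaluated against the sample fields."""
    return {
        "eth.src[0:3] == 00:00:83": slice_test(ETH_SRC, "0:3", "==", "00:00:83"),
        "frame[-4:4] == 0.1.2.3": slice_test(FRAME, "-4:4", "==", "0.1.2.3"),
        "frame[-4:] == 0.1.2.3": slice_test(FRAME, "-4:", "==", "0.1.2.3"),
        "field[1,3-5,9:] == 01:03:04:05:09:0a:0b":
            slice_test(FIELD, "1,3-5,9:", "==", "01:03:04:05:09:0a:0b"),
        "llc[3:1] eq 0xaa": slice_test(LLC, "3:1", "eq", "0xaa"),
        "token[0:5] ne 0.0.0.1.1": slice_test(TOKEN, "0:5", "ne", "0.0.0.1.1"),
    }


if __name__ == "__main__":
    for expr, result in demo().items():
        print(f"{expr:45} -> {result}")
```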
All the above tests can be combined together with logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:
and, &&    Logical AND
or, ||     Logical OR
not, !     Logical NOT
Expressions can be grouped by parentheses as well. The following are all valid display filter expressions:
tcp.port == 80 and ip.src == 192.168.2.1
not llc
(ipx.srcnet == 0xbad && ipx.srcnode == 0.0.0.0.0.1) || ip
tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
A special caveat must be given regarding fields that occur more than once per packet. ``ip.addr'' occurs twice per IP packet, once for the source address, and once for the destination address. Likewise, tr.rif.ring fields can occur more than once per packet. The following two expressions are not equivalent:
ip.addr ne 192.168.4.1
not ip.addr eq 192.168.4.1
The first filter says ``show me all packets where an ip.addr exists that does not equal 192.168.4.1''. That is, as long as one ip.addr in the packet does not equal 192.168.4.1, the packet passes the display filter. The second filter says ``don't show me any packets that have at least one ip.addr field equal to 192.168.4.1''. If one ip.addr is 192.168.4.1, the packet does not pass. If neither ip.addr field is 192.168.4.1, then the packet passes.
It is easy to think of the 'ne' and 'eq' operators as having an implicit ``exists'' modifier when dealing with multiply-recurring fields. ``ip.addr ne 192.168.4.1'' can be thought of as ``there exists an ip.addr that does not equal 192.168.4.1''.
Be careful with multiply-recurring fields; they can be confusing.
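An added Python example, not from the man page or the Ethereal code base, that evaluates the two non-equivalent filters above with the implicit ``exists'' semantics, together with the integer-literal (decimal/octal/hex) and CIDR forms described earlier, against a constructed three-packet trace; the packet representation, the helper names and the sample addresses are assumptions, and hostnames are not resolved.

```python
import ipaddress
import operator
from typing import Dict, List, Union

# Comparison operators in their C-like and English-like spellings.
OPS = {
    "eq": operator.eq, "==": operator.eq, "ne": operator.ne, "!=": operator.ne,
    "gt": operator.gt, ">": operator.gt, "lt": operator.lt, "<": operator.lt,
    "ge": operator.ge, ">=": operator.ge, "le": operator.le, "<=": operator.le,
}

Value = Union[int, ipaddress.IPv4Address]
Packet = Dict[str, List[Value]]   # field name -> every occurrence in the packet


def parse_int(text: str) -> int:
    """Integer literal in decimal, octal (leading 0) or hexadecimal (0x),
    so that 10, 012 and 0xa all denote the same value."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t[1:], 8)
    return int(t, 10)


def field_test(packet: Packet, field: str, op: str, literal: str) -> bool:
    """Evaluate 'field OP literal' with the implicit 'exists' modifier:
    true when at least one occurrence of the field satisfies OP. A literal
    of the form a.b.c.d/n is a CIDR subnet test (eq/ne only)."""
    values = packet.get(field, [])
    if not values:
        return False                    # field absent: no occurrence can match
    if "/" in literal:
        net = ipaddress.ip_network(literal, strict=False)
        inside = [v in net for v in values]
        if op in ("eq", "=="):
            return any(inside)
        if op in ("ne", "!="):
            return not all(inside)      # some occurrence lies outside the subnet
        raise ValueError("CIDR notation only combines with eq/ne")
    if isinstance(values[0], ipaddress.IPv4Address):
        rhs: Value = ipaddress.ip_address(literal)   # hostnames are not resolved here
    else:
        rhs = parse_int(literal)
    return any(OPS[op](v, rhs) for v in values)


def ip_packet(src: str, dst: str, pkt_len: int) -> Packet:
    """Constructed packet: ip.addr occurs twice, once per address."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {"ip.src": [a], "ip.dst": [b], "ip.addr": [a, b], "frame.pkt_len": [pkt_len]}


# Constructed sample trace (not captured traffic).
PACKETS = [
    ip_packet("192.168.4.1", "10.0.0.7", 60),       # 0: source is 192.168.4.1
    ip_packet("10.0.0.7", "10.0.0.9", 8),           # 1: neither address matches
    ip_packet("129.111.5.2", "192.168.4.1", 1500),  # 2: destination is 192.168.4.1
]


def select(filter_fn) -> List[int]:
    """Indexes of the packets that pass a filter, like the packet list pane."""
    return [i for i, p in enumerate(PACKETS) if filter_fn(p)]


def addr_ne(p: Packet) -> bool:       # ip.addr ne 192.168.4.1
    return field_test(p, "ip.addr", "ne", "192.168.4.1")


def not_addr_eq(p: Packet) -> bool:   # not ip.addr eq 192.168.4.1
    return not field_test(p, "ip.addr", "eq", "192.168.4.1")


def class_b(p: Packet) -> bool:       # ip.addr == 129.111.0.0/16
    return field_test(p, "ip.addr", "==", "129.111.0.0/16")


def len_gt(literal: str):             # frame.pkt_len > 10 / 012 / 0xa
    return lambda p: field_test(p, "frame.pkt_len", ">", literal)


if __name__ == "__main__":
    print("ip.addr ne 192.168.4.1     ->", select(addr_ne))      # every packet
    print("not ip.addr eq 192.168.4.1 ->", select(not_addr_eq))  # only packet 1
```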
The following is a table of protocols and protocol fields that are filterable in Ethereal. The abbreviation of the protocol or field is given. This abbreviation is what you use in the display filter. The type of the field is also given.
802.1q Virtual LAN (vlan)
vlan.cfi CFI Unsigned 16-bit integer
vlan.etype Type Unsigned 16-bit integer
vlan.id ID Unsigned 16-bit integer
vlan.len Length Unsigned 16-bit integer
vlan.priority Priority Unsigned 16-bit integer
vlan.trailer Trailer Byte array
AOL Instant Messenger (aim)
aim.channel Channel ID Unsigned 8-bit integer
aim.cmd_start Command Start Unsigned 8-bit integer
aim.datalen Data Field Length Unsigned 16-bit integer
aim.fnac.family FNAC Family ID Unsigned 16-bit integer
aim.fnac.subtype FNAC Subtype ID Unsigned 16-bit integer
aim.seqno Sequence Number Unsigned 16-bit integer
atm.vci VCI Unsigned 16-bit integer
atm.vpi VPI Unsigned 8-bit integer
ATM LAN Emulation (lane)
Address Resolution Protocol (arp)
arp.dst.atm_num_e164 Target ATM number (E.164) String
arp.dst.atm_num_nsap Target ATM number (NSAP) Byte array
arp.dst.atm_subaddr Target ATM subaddress Byte array
arp.dst.hlen Target ATM number length Unsigned 8-bit integer
arp.dst.htype Target ATM number type Boolean
arp.dst.hw Target hardware address Byte array
arp.dst.pln Target protocol size Unsigned 8-bit integer
arp.dst.proto Target protocol address Byte array
arp.dst.slen Target ATM subaddress length Unsigned 8-bit integer
arp.dst.stype Target ATM subaddress type Boolean
arp.hw.size Hardware size Unsigned 8-bit integer
arp.hw.type Hardware type Unsigned 16-bit integer
arp.opcode Opcode Unsigned 16-bit integer
arp.proto.size Protocol size Unsigned 8-bit integer
arp.proto.type Protocol type Unsigned 16-bit integer
arp.src.atm_num_e164 Sender ATM number (E.164) String
arp.src.atm_num_nsap Sender ATM number (NSAP) Byte array
arp.src.atm_subaddr Sender ATM subaddress Byte array
arp.src.hlen Sender ATM number length Unsigned 8-bit integer
arp.src.htype Sender ATM number type Boolean
arp.src.hw Sender hardware address Byte array
arp.src.pln Sender protocol size Unsigned 8-bit integer
arp.src.proto Sender protocol address Byte array
arp.src.slen Sender ATM subaddress length Unsigned 8-bit integer
arp.src.stype Sender ATM subaddress type Boolean
Andrew File System (AFS) (afs)
afs.backup Backup Boolean
afs.backup.errcode Error Code Unsigned 32-bit integer
afs.backup.opcode Operation Unsigned 32-bit integer
afs.bos BOS Boolean
afs.bos.baktime Backup Time Date/Time stamp
afs.bos.cell Cell String
afs.bos.cmd Command String
afs.bos.content Content String
afs.bos.data Data Byte array
afs.bos.date Date Unsigned 32-bit integer
afs.bos.errcode Error Code Unsigned 32-bit integer
afs.bos.error Error String
afs.bos.file File String
afs.bos.flags Flags Unsigned 32-bit integer
afs.bos.host Host String
afs.bos.instance Instance String
afs.bos.key Key Byte array
afs.bos.keychecksum Key Checksum Unsigned 32-bit integer
afs.bos.keymodtime Key Modification Time Date/Time stamp
afs.bos.keyspare2 Key Spare 2 Unsigned 32-bit integer
afs.bos.kvno Key Version Number Unsigned 32-bit integer
afs.bos.newtime New Time Date/Time stamp
afs.bos.number Number Unsigned 32-bit integer
afs.bos.oldtime Old Time Date/Time stamp
afs.bos.opcode Operation Unsigned 32-bit integer
afs.bos.parm Parm String
afs.bos.path Path String
afs.bos.size Size Unsigned 32-bit integer
afs.bos.spare1 Spare1 String
afs.bos.spare2 Spare2 String
afs.bos.spare3 Spare3 String
afs.bos.status Status Signed 32-bit integer
afs.bos.statusdesc Status Description String
afs.bos.type Type String
afs.bos.user User String
afs.cb Callback Boolean
afs.cb.callback.expires Expires Date/Time stamp
afs.cb.callback.type Type Unsigned 32-bit integer
afs.cb.callback.version Version Unsigned 32-bit integer
afs.cb.errcode Error Code Unsigned 32-bit integer
afs.cb.fid.uniq FileID (Uniqifier) Unsigned 32-bit integer
afs.cb.fid.vnode FileID (VNode) Unsigned 32-bit integer
afs.cb.fid.volume FileID (Volume) Unsigned 32-bit integer
afs.cb.opcode Operation Unsigned 32-bit integer
afs.error Error Boolean
afs.error.opcode Operation Unsigned 32-bit integer
afs.fs File Server Boolean
afs.fs.acl.a _A_dminister Unsigned 8-bit integer
afs.fs.acl.count.negative ACL Count (Negative) Unsigned 32-bit integer
afs.fs.acl.count.positive ACL Count (Positive) Unsigned 32-bit integer
afs.fs.acl.d _D_elete Unsigned 8-bit integer
afs.fs.acl.datasize ACL Size Unsigned 32-bit integer
afs.fs.acl.entity Entity (User/Group) String
afs.fs.acl.i _I_nsert Unsigned 8-bit integer
afs.fs.acl.k _L_ock Unsigned 8-bit integer
afs.fs.acl.l _L_ookup Unsigned 8-bit integer
afs.fs.acl.r _R_ead Unsigned 8-bit integer
afs.fs.acl.w _W_rite Unsigned 8-bit integer
afs.fs.callback.expires Expires Date/Time stamp
afs.fs.callback.type Type Unsigned 32-bit integer
afs.fs.callback.version Version Unsigned 32-bit integer
afs.fs.cps.spare1 CPS Spare1 Unsigned 32-bit integer
afs.fs.cps.spare2 CPS Spare2 Unsigned 32-bit integer
afs.fs.cps.spare3 CPS Spare3 Unsigned 32-bit integer
afs.fs.data Data Byte array
afs.fs.errcode Error Code Unsigned 32-bit integer
afs.fs.fid.uniq FileID (Uniqifier) Unsigned 32-bit integer
afs.fs.fid.vnode FileID (VNode) Unsigned 32-bit integer
afs.fs.fid.volume FileID (Volume) Unsigned 32-bit integer
afs.fs.flength FLength Unsigned 32-bit integer
afs.fs.ipaddr IP Address IPv4 address
afs.fs.length Length Unsigned 32-bit integer
afs.fs.motd Message of the Day String
afs.fs.name Name String
afs.fs.newname New Name String
afs.fs.offlinemsg Offline Message String
afs.fs.offset Offset Unsigned 32-bit integer
afs.fs.oldname Old Name String
afs.fs.opcode Operation Unsigned 32-bit integer
afs.fs.status.anonymousaccess Anonymous Access Unsigned 32-bit integer
afs.fs.status.author Author Unsigned 32-bit integer
afs.fs.status.calleraccess Caller Access Unsigned 32-bit integer
afs.fs.status.clientmodtime Client Modification Time Date/Time stamp
afs.fs.status.dataversion Data Version Unsigned 32-bit integer
afs.fs.status.dataversionhigh Data Version (High) Unsigned 32-bit integer
afs.fs.status.filetype File Type Unsigned 32-bit integer
afs.fs.status.group Group Unsigned 32-bit integer
afs.fs.status.interfaceversion Interface Version Unsigned 32-bit integer
afs.fs.status.length Length Unsigned 32-bit integer
afs.fs.status.linkcount Link Count Unsigned 32-bit integer
afs.fs.status.mask Mask Unsigned 32-bit integer
afs.fs.status.mask.fsync FSync Unsigned 32-bit integer
afs.fs.status.mask.setgroup Set Group Unsigned 32-bit integer
afs.fs.status.mask.setmode Set Mode Unsigned 32-bit integer
afs.fs.status.mask.setmodtime Set Modification Time Unsigned 32-bit integer
afs.fs.status.mask.setowner Set Owner Unsigned 32-bit integer
afs.fs.status.mask.setsegsize Set Segment Size Unsigned 32-bit integer
afs.fs.status.mode Unix Mode Unsigned 32-bit integer
afs.fs.status.owner Owner Unsigned 32-bit integer
afs.fs.status.parentunique Parent Unique Unsigned 32-bit integer
afs.fs.status.parentvnode Parent VNode Unsigned 32-bit integer
afs.fs.status.segsize Segment Size Unsigned 32-bit integer
afs.fs.status.servermodtime Server Modification Time Date/Time stamp
afs.fs.status.spare2 Spare 2 Unsigned 32-bit integer
afs.fs.status.spare3 Spare 3 Unsigned 32-bit integer
afs.fs.status.spare4 Spare 4 Unsigned 32-bit integer
afs.fs.status.synccounter Sync Counter Unsigned 32-bit integer
afs.fs.symlink.content Symlink Content String
afs.fs.symlink.name Symlink Name String
afs.fs.timestamp Timestamp Date/Time stamp
afs.fs.token Token Byte array
afs.fs.viceid Vice ID Unsigned 32-bit integer
afs.fs.vicelocktype Vice Lock Type Unsigned 32-bit integer
afs.fs.volid Volume ID Unsigned 32-bit integer
afs.fs.volname Volume Name String
afs.fs.volsync.spare1 Spare 1 Unsigned 32-bit integer
afs.fs.volsync.spare2 Spare 2 Unsigned 32-bit integer
afs.fs.volsync.spare3 Spare 3 Unsigned 32-bit integer
afs.fs.volsync.spare4 Spare 4 Unsigned 32-bit integer
afs.fs.volsync.spare5 Spare 5 Unsigned 32-bit integer
afs.fs.volsync.spare6 Spare 6 Unsigned 32-bit integer
afs.fs.xstats.clientversion Client Version Unsigned 32-bit integer
afs.fs.xstats.collnumber Collection Number Unsigned 32-bit integer
afs.fs.xstats.timestamp XStats Timestamp Unsigned 32-bit integer
afs.fs.xstats.version XStats Version Unsigned 32-bit integer
afs.kauth KAuth Boolean
afs.kauth.data Data Byte array
afs.kauth.domain Domain String
afs.kauth.errcode Error Code Unsigned 32-bit integer
afs.kauth.kvno Key Version Number Unsigned 32-bit integer
afs.kauth.name Name String
afs.kauth.opcode Operation Unsigned 32-bit integer
afs.kauth.princ Principal String
afs.kauth.realm Realm String
afs.prot Protection Boolean
afs.prot.count Count Unsigned 32-bit integer
afs.prot.errcode Error Code Unsigned 32-bit integer
afs.prot.flag Flag Unsigned 32-bit integer
afs.prot.gid Group ID Unsigned 32-bit integer
afs.prot.id ID Unsigned 32-bit integer
afs.prot.maxgid Maximum Group ID Unsigned 32-bit integer
afs.prot.maxuid Maximum User ID Unsigned 32-bit integer
afs.prot.name Name String
afs.prot.newid New ID Unsigned 32-bit integer
afs.prot.oldid Old ID Unsigned 32-bit integer
afs.prot.opcode Operation Unsigned 32-bit integer
afs.prot.pos Position Unsigned 32-bit integer
afs.prot.uid User ID Unsigned 32-bit integer
afs.rmtsys Rmtsys Boolean
afs.rmtsys.opcode Operation Unsigned 32-bit integer
afs.ubik Ubik Boolean
afs.ubik.activewrite Active Write Unsigned 32-bit integer
afs.ubik.addr Address IPv4 address
afs.ubik.amsyncsite Am Sync Site Unsigned 32-bit integer
afs.ubik.anyreadlocks Any Read Locks Unsigned 32-bit integer
afs.ubik.anywritelocks Any Write Locks Unsigned 32-bit integer
afs.ubik.beaconsincedown Beacon Since Down Unsigned 32-bit integer
afs.ubik.currentdb Current DB Unsigned 32-bit integer
afs.ubik.currenttran Current Transaction Unsigned 32-bit integer
afs.ubik.epochtime Epoch Time Date/Time stamp
afs.ubik.errcode Error Code Unsigned 32-bit integer
afs.ubik.file File Unsigned 32-bit integer
afs.ubik.interface Interface Address IPv4 address
afs.ubik.isclone Is Clone Unsigned 32-bit integer
afs.ubik.lastbeaconsent Last Beacon Sent Date/Time stamp
afs.ubik.lastvote Last Vote Unsigned 32-bit integer
afs.ubik.lastvotetime Last Vote Time Date/Time stamp
afs.ubik.lastyesclaim Last Yes Claim Date/Time stamp
afs.ubik.lastyeshost Last Yes Host IPv4 address
afs.ubik.lastyesstate Last Yes State Unsigned 32-bit integer
afs.ubik.lastyesttime Last Yes Time Date/Time stamp
afs.ubik.length Length Unsigned 32-bit integer
afs.ubik.lockedpages Locked Pages Unsigned 32-bit integer
afs.ubik.locktype Lock Type Unsigned 32-bit integer
afs.ubik.lowesthost Lowest Host IPv4 address
afs.ubik.lowesttime Lowest Time Date/Time stamp
afs.ubik.now Now Date/Time stamp
afs.ubik.nservers Number of Servers Unsigned 32-bit integer
afs.ubik.opcode Operation Unsigned 32-bit integer
afs.ubik.position Position Unsigned 32-bit integer
afs.ubik.recoverystate Recovery State Unsigned 32-bit integer
afs.ubik.site Site IPv4 address
afs.ubik.state State Unsigned 32-bit integer
afs.ubik.synchost Sync Host IPv4 address
afs.ubik.syncsiteuntil Sync Site Until Date/Time stamp
afs.ubik.synctime Sync Time Date/Time stamp
afs.ubik.tidcounter TID Counter Unsigned 32-bit integer
afs.ubik.up Up Unsigned 32-bit integer
afs.ubik.version.counter Counter Unsigned 32-bit integer
afs.ubik.version.epoch Epoch Date/Time stamp
afs.ubik.voteend Vote Ends Date/Time stamp
afs.ubik.votestart Vote Started Date/Time stamp
afs.ubik.votetype Vote Type Unsigned 32-bit integer
afs.ubik.writelockedpages Write Locked Pages Unsigned 32-bit integer
afs.ubik.writetran Write Transaction Unsigned 32-bit integer
afs.update Update Boolean
afs.update.opcode Operation Unsigned 32-bit integer
afs.vldb VLDB Boolean
afs.vldb.bkvol Backup Volume ID Unsigned 32-bit integer
afs.vldb.bump Bumped Volume ID Unsigned 32-bit integer
afs.vldb.count Volume Count Unsigned 32-bit integer
afs.vldb.errcode Error Code Unsigned 32-bit integer
afs.vldb.id Volume ID Unsigned 32-bit integer
afs.vldb.index Volume Index Unsigned 32-bit integer
afs.vldb.name Volume Name String
afs.vldb.nextindex Next Volume Index Unsigned 32-bit integer
afs.vldb.numservers Number of Servers Unsigned 32-bit integer
afs.vldb.opcode Operation Unsigned 32-bit integer
afs.vldb.partition Partition String
afs.vldb.rovol Read-Only Volume ID Unsigned 32-bit integer
afs.vldb.rwvol Read-Write Volume ID Unsigned 32-bit integer
afs.vldb.server Server IPv4 address
afs.vldb.serveruuid Server UUID Byte array
afs.vldb.type Volume Type Unsigned 32-bit integer
afs.vol Volume Server Boolean
afs.vol.count Volume Count Unsigned 32-bit integer
afs.vol.errcode Error Code Unsigned 32-bit integer
afs.vol.id Volume ID Unsigned 32-bit integer
afs.vol.name Volume Name String
afs.vol.opcode Operation Unsigned 32-bit integer
Appletalk Address Resolution Protocol (aarp)
aarp.dst.ether Target ether Byte array
aarp.dst.id Target ID Byte array
aarp.hard.size Hardware size Unsigned 8-bit integer
aarp.hard.type Hardware type Unsigned 16-bit integer
aarp.opcode Opcode Unsigned 16-bit integer
aarp.proto.size Protocol size Unsigned 8-bit integer
aarp.proto.type Protocol type Unsigned 16-bit integer
aarp.src.ether Sender ether Byte array
aarp.src.id Sender ID Byte array
Async data over ISDN (V.120) (v120)
v120.address Link Address Unsigned 16-bit integer
v120.control Control Field Unsigned 16-bit integer
v120.header Header Field String
Authentication Header (ah)
ah.sequence Sequence Unsigned 32-bit integer
ah.spi SPI Unsigned 32-bit integer
BACnet Virtual Link Control (bvlc)
bvlc.bdt_ip IP IPv4 address
bvlc.bdt_mask Mask Byte array
bvlc.bdt_port Port Unsigned 16-bit integer
bvlc.fdt_ip IP IPv4 address
bvlc.fdt_port Port Unsigned 16-bit integer
bvlc.fdt_timeout Timeout Unsigned 16-bit integer
bvlc.fdt_ttl TTL Unsigned 16-bit integer
bvlc.function Function Unsigned 8-bit integer
bvlc.fwd_ip IP IPv4 address
bvlc.fwd_port Port Unsigned 16-bit integer
bvlc.length Length Unsigned 16-bit integer
bvlc.reg_ttl TTL Unsigned 16-bit integer
bvlc.result Result Unsigned 16-bit integer
bvlc.type Type Unsigned 8-bit integer
Banyan Vines (vines)
vines.protocol Protocol Unsigned 8-bit integer
Banyan Vines Fragmentation Protocol (vines_frp)
Banyan Vines SPP (vines_spp)
Blocks eXtensible eXchange Protocol (bxxp)
bxxp.channel Channel Unsigned 32-bit integer
bxxp.end End Boolean
bxxp.more.complete Complete Boolean
bxxp.more.intermediate Intermediate Boolean
bxxp.req Request Boolean
bxxp.req.channel Request Channel Number Unsigned 32-bit integer
bxxp.rsp Response Boolean
bxxp.rsp.channel Response Channel Number Unsigned 32-bit integer
bxxp.seq Sequence Boolean
bxxp.seq.ackno Ackno Unsigned 32-bit integer
bxxp.seq.channel Sequence Channel Number Unsigned 32-bit integer
bxxp.seq.window Window Unsigned 32-bit integer
bxxp.seqno Seqno Unsigned 32-bit integer
bxxp.serial Serial Unsigned 32-bit integer
bxxp.size Size Unsigned 32-bit integer
bxxp.status.negative Negative Boolean
bxxp.status.positive Positive Boolean
bxxp.violation Protocol Violation Boolean
Boot Parameters (bootparams)
bootparams.domain Client Domain String
bootparams.fileid File ID String