MAN page from RedHat 7.X ethereal-0.9.2-1.i386.rpm


Section: The Ethereal Network Analyzer (1)
Updated: 0.9.2


NAME
tethereal - Dump and analyze network traffic


SYNOPSIS
tethereal [ -a capture autostop condition ] ... [ -b number of ring buffer files ] [ -c count ] [ -D ] [ -f capture filter expression ] [ -F file format ] [ -h ] [ -i interface ] [ -l ] [ -n ] [ -N resolving flags ] [ -o preference setting ] ... [ -p ] [ -r infile ] [ -R display filter expression ] [ -s snaplen ] [ -t time stamp format ] [ -v ] [ -V ] [ -w savefile ] [ -x ] [ filter expression ]


DESCRIPTION
Tethereal is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. Tethereal's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools. In addition, Tethereal can read capture files from snoop and atmsnoop, Shomiti/Finisar Surveyor, Novell LANalyzer, Network General/Network Associates DOS-based Sniffer (compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, Cinco Networks NetXRay, Network Associates Windows-based Sniffer, AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output, HP-UX's nettl, the dump output from Toshiba's ISDN routers, the output from i4btrace from the ISDN4BSD project, the output in IPLog format from the Cisco Secure Intrusion Detection System, pppd logs (pppdump format), the output from VMS's TCPIPtrace utility, the text output from the DBS Etherwatch VMS utility, and traffic capture files from Visual Networks' Visual UpTime. There is no need to tell Tethereal what type of file you are reading; it will determine the file type by itself. Tethereal is also capable of reading any of these file formats if they are compressed using gzip. Tethereal recognizes this directly from the file; the '.gz' extension is not required for this purpose.

If the -w flag is not specified, Tethereal prints a decoded form of the packets it captures or reads; otherwise, it writes those packets to the file specified by that flag.

When printing a decoded form of packets, Tethereal prints, by default, a summary line containing the fields specified by the preferences file (which are also the fields displayed in the packet list pane in Ethereal), although if it's printing packets as it captures them, rather than printing packets from a saved capture file, it won't print the ``frame number'' field. If the -V flag is specified, it prints instead a protocol tree, showing all the fields of all protocols in the packet.

When writing packets to a file, Tethereal, by default, writes the file in libpcap format, and writes all of the packets it sees to the output file. The -F flag can be used to specify the format in which to write the file; it can write the file in libpcap format (standard libpcap format, a modified format used by some patched versions of libpcap, or the format used by Red Hat Linux 6.1), snoop format, uncompressed Sniffer format, Microsoft Network Monitor 1.x format, the format used by Windows-based versions of the Sniffer software, and the format used by Visual Networks' software.

Read filters in Tethereal, which allow you to select which packets are to be decoded or written to a file, are very powerful; more fields are filterable in Tethereal than in other protocol analyzers, and the syntax you can use to create your filters is richer. As Tethereal progresses, expect more and more protocol fields to be allowed in read filters.

Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap library. This syntax is different from the read filter syntax. A read filter can also be specified when capturing, and only packets that pass the read filter will be displayed or saved to the output file; note, however, that capture filters are much more efficient than read filters, and it may be more difficult for Tethereal to keep up with a busy network if a read filter is specified for a live capture.

Compressed file support uses (and therefore requires) the zlib library. If the zlib library is not present, Tethereal will compile, but will be unable to read compressed files.

A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r flag was specified) and a read filter if a capture file is being read (i.e., if a -r flag was specified).


OPTIONS
-a capture autostop condition
    Specify a criterion that specifies when Tethereal is to stop writing to a capture file. The criterion is of the form test:value, where test is one of:

    duration:value
        Stop writing to a capture file after value seconds have elapsed.
    filesize:value
        Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).

-b number of ring buffer files
    If a maximum capture file size was specified, causes Tethereal to run in ``ring buffer'' mode, with the specified number of files. In ``ring buffer'' mode, Tethereal will write to several capture files; the name of the first file, while the capture is in progress, will be the name specified by the -w flag, and subsequent files will have .n appended, with n counting up.

    When the first capture file fills up, Tethereal will switch to writing to the next file, until it fills up the last file, at which point it'll discard the data in the first file and start writing to that file. When that file fills up, Tethereal will discard the data in the next file and start writing to it, and so on.

    When the capture completes, the files will be renamed to have names based on the number of the file and on the date and time at which packets most recently started being written to the file.

    You can only save files in libpcap format when using a ring buffer.

-c count
    Sets the default number of packets to read when capturing live data.

-D
    Prints a list of the interfaces on which Tethereal can capture, and exits. Note that ``can capture'' means that Tethereal was able to open that device to do a live capture; if, on your system, a program doing a network capture must be run from an account with special privileges (for example, as root), then, if Tethereal is run with the -D flag and is not run from such an account, it will not list any interfaces.

-f capture filter expression
    Sets the capture filter expression.

-F file format
    Sets the file format of the output capture file.

-h
    Prints the version and options and exits.

-i interface
    Sets the name of the network interface to use for live packet capture. It should match one of the names listed in ``netstat -i'' or ``ifconfig -a''. If no interface is specified, Tethereal searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces; if there are no interfaces, Tethereal reports an error and doesn't start the capture.

-l
    Flush the standard output after the information for each packet is printed. (This is not, strictly speaking, line-buffered if -V was specified; however, it is the same as line-buffered if -V wasn't specified, as only one line is printed for each packet, and, as -l is normally used when piping a live capture to a program or script, so that output for a packet shows up as soon as the packet is seen and dissected, it should work just as well as true line-buffering. We do this as a workaround for a deficiency in the Microsoft Visual C++ C library.)

    This may be useful when piping the output of Tethereal to another program, as it means that the program to which the output is piped will see the dissected data for a packet as soon as Tethereal sees the packet and generates that output, rather than seeing it only when the standard output buffer containing that data fills up.

-n
    Disables network object name resolution (such as hostname, TCP and UDP port names).

-N resolving flags
    Turns on name resolving for particular types of addresses and port numbers; the argument is a string that may contain the letters m to enable MAC address resolution, n to enable network address resolution, and t to enable transport-layer port number resolution. This overrides -n if both -N and -n are present.

-o preference setting
    Sets a preference value, overriding the default value and any value read from a preference file. The argument to the flag is a string of the form prefname:value, where prefname is the name of the preference (which is the same name that would appear in the preference file), and value is the value to which it should be set.

-p
    Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used to ensure that the only traffic that is captured is traffic sent to or from the machine on which Tethereal is running, broadcast traffic, and multicast traffic to addresses received by that machine.

-r infile
    Reads packet data from infile.

-R display filter expression
    Causes the specified filter (which uses the syntax of read filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file; packets not matching the filter are discarded rather than being printed or written.

-s snaplen
    Sets the default snapshot length to use when capturing live data. No more than snaplen bytes of each network packet will be read into memory, or saved to disk.

-t time stamp format
    Sets the format of the packet timestamp printed in summary lines. The format can be one of 'r' (relative), 'a' (absolute), 'ad' (absolute with date), or 'd' (delta). The relative time is the time elapsed between the first packet and the current packet. The absolute time is the actual time the packet was captured, with no date displayed; the absolute date and time is the actual time and date the packet was captured. The delta time is the time since the previous packet was captured. The default is relative.

-v
    Prints the version and exits.

-V
    Causes Tethereal to print a protocol tree for each packet rather than a one-line summary of the packet.

-w savefile
    Writes packet data to savefile.

-x
    Causes Tethereal to print a hex and ASCII dump of the packet data after printing the summary or protocol tree.


CAPTURE FILTER SYNTAX
See manual page of tcpdump(8).


READ FILTER SYNTAX
Read filters help you remove the noise from a packet trace and let you see only the packets that interest you. If a packet meets the requirements expressed in your read filter, then it is printed. Read filters let you compare the fields within a protocol against a specific value, compare fields against fields, and check the existence of specified fields or protocols.

The simplest read filter allows you to check for the existence of a protocol or field. If you want to see all packets which contain the IPX protocol, the filter would be ``ipx'' (without the quotation marks). To see all packets that contain a Token-Ring RIF field, use ``tr.rif''.

Fields can also be compared against values. The comparison operators can be expressed either through C-like symbols, or through English-like abbreviations:

    eq, ==    Equal
    ne, !=    Not equal
    gt, >     Greater than
    lt, <     Less than
    ge, >=    Greater than or equal to
    le, <=    Less than or equal to
Furthermore, each protocol field is typed. The types are:

    Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Boolean
    Ethernet address (6 bytes)
    Byte string (n-number of bytes)
    IPv4 address
    IPv6 address
    IPX network number
    String (text)
    Double-precision floating point number
An integer may be expressed in decimal, octal, or hexadecimal notation. The following three read filters are equivalent:

    frame.pkt_len > 10
    frame.pkt_len > 012
    frame.pkt_len > 0xa

Boolean values are either true or false. In a read filter expression testing the value of a Boolean field, ``true'' is expressed as 1 or any other non-zero value, and ``false'' is expressed as zero. For example, a token-ring packet's source route field is boolean. To find any source-routed packets, a read filter would be:

    tr.sr == 1

Non source-routed packets can be found with:

    tr.sr == 0

Ethernet addresses, as well as a string of bytes, are represented in hex digits. The hex digits may be separated by colons, periods, or hyphens:

    fddi.dst eq ff:ff:ff:ff:ff:ff
    ipx.srcnode ==
    eth.src == aa-aa-aa-aa-aa-aa

If a string of bytes contains only one byte, then it is represented as an unsigned integer. That is, if you are testing for hex value 'ff' in a one-byte byte-string, you must compare it against '0xff' and not 'ff'.

IPv4 addresses can be represented in either dotted decimal notation, or by using the hostname:

    ip.dst eq
    ip.src ==

IPv4 addresses can be compared with the same logical relations as numbers: eq, ne, gt, ge, lt, and le. The IPv4 address is stored in host order, so you do not have to worry about the endianness of an IPv4 address when using it in a read filter.

Classless InterDomain Routing (CIDR) notation can be used to test if an IPv4 address is in a certain subnet. For example, this display filter will find all packets in the 129.111 Class-B network:

    ip.addr == 129.111.0.0/16

Remember, the number after the slash represents the number of bits used to represent the network. CIDR notation can also be used with hostnames, in this example of finding IP addresses on the same Class C network as 'sneezy':

    ip.addr eq sneezy/24

The CIDR notation can only be used on IP addresses or hostnames, not in variable names. So, a display filter like ``ip.src/24 == ip.dst/24'' is not valid (yet).

IPX networks are represented by unsigned 32-bit integers. Most likely you will be using hexadecimal when testing for IPX network values:

    ipx.srcnet == 0xc0a82c00

A slice operator also exists. You can check the substring (byte-string) of any protocol or field. For example, you can filter on the vendor portion of an ethernet address (the first three bytes) like this:

    eth.src[0:3] == 00:00:83

If the length of your byte-slice is only one byte, then it is still represented in hex, but without the preceding ``0x'':

    llc[3] == aa

You can use the slice operator on a protocol name, too. And remember, the ``frame'' protocol encompasses the entire packet, allowing you to look at the nth byte of a packet regardless of its frame type (Ethernet, token-ring, etc.).

    token[0:5] ne
    ipx[0:2] == ff:ff
    llc[3:1] eq 0xaa

The following syntax governs slices:

    [i:j]   i = start_offset, j = length
    [i-j]   i = start_offset, j = end_offset, inclusive.
    [i]     i = start_offset, length = 1
    [:j]    start_offset = 0, length = j
    [i:]    start_offset = i, end_offset = end_of_field

Offsets and lengths can be negative, in which case they indicate the offset from the end of the field. Here's how to check the last 4 bytes of a frame:

    frame[-4:4] ==
    frame[-4:] ==

You can create complex concatenations of slices using the comma operator:

    field[1,3-5,9:] == 01:03:04:05:09:0a:0b
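The slice grammar above, worked through in code. This is an added example, not code from the Ethereal project: it re-implements the five slice forms, negative offsets and the comma operator, plus the hex byte-string notation, over constructed field values (the `field`, `mac` and `frame` bytes are made up; treating a negative length as an end offset from the end of the field is an assumption).

```python
"""Resolve Tethereal-style byte slices of a field (added example).

Not Ethereal code. Implements the slice grammar described in the man page
([i:j], [i-j], [i], [:j], [i:], negative offsets, comma concatenation) and
the hex byte-string notation (bytes separated by ':', '.' or '-') so that a
filter such as

    field[1,3-5,9:] == 01:03:04:05:09:0a:0b

can be checked against a constructed field value offline.
"""
import re


def parse_bytestring(text: str) -> bytes:
    """Parse 'ff:ff', 'aa-aa-aa-aa-aa-aa' or '0.6.29' into bytes.

    Every component is one byte written in hex, as in the man page examples.
    """
    return bytes(int(part, 16) for part in re.split(r"[:.\-]", text.strip()))


def _resolve_one(data: bytes, spec: str) -> bytes:
    """Resolve one comma-separated element of a slice specification."""
    n = len(data)

    def offset(i: int) -> int:
        # A negative offset counts back from the end of the field.
        return i + n if i < 0 else i

    if ":" in spec:                               # [i:j], [:j], [i:]
        start_s, length_s = spec.split(":", 1)
        start = offset(int(start_s)) if start_s else 0
        if not length_s:                          # [i:] runs to end of field
            return data[start:]
        length = int(length_s)
        # Assumption: a negative length is read as an end offset from the
        # end of the field, mirroring the rule for negative offsets.
        end = start + length if length >= 0 else n + length
        return data[start:end]

    m = re.fullmatch(r"(-?\d+)-(-?\d+)", spec)   # [i-j], inclusive end
    if m is not None:
        start, end = offset(int(m.group(1))), offset(int(m.group(2)))
        return data[start:end + 1]

    start = offset(int(spec))                     # [i], a single byte
    return data[start:start + 1]


def slice_field(data: bytes, spec: str) -> bytes:
    """Apply a slice spec (the text between the brackets) to a field value.

    Comma-separated elements are resolved independently and concatenated,
    e.g. '1,3-5,9:' yields bytes 1, 3..5 and 9..end in that order.
    """
    return b"".join(_resolve_one(data, part.strip()) for part in spec.split(","))


def slice_matches(data: bytes, spec: str, expected: str) -> bool:
    """Evaluate 'field[spec] == expected' as the read filter would."""
    return slice_field(data, spec) == parse_bytestring(expected)


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    field = bytes(range(12))                      # 00 01 02 ... 0b
    mac = bytes.fromhex("000083123456")           # constructed Ethernet address
    frame = bytes(range(16))                      # constructed 16-byte frame
    print(slice_field(field, "1,3-5,9:").hex(":"))            # 01:03:04:05:09:0a:0b
    print(slice_matches(mac, "0:3", "00:00:83"))              # True (vendor prefix)
    print(slice_field(frame, "-4:4") == slice_field(frame, "-4:"))  # True
```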
All the above tests can be combined together with logical expressions. These too are expressible in C-like syntax or with English-like abbreviations:

    and, &&   Logical AND
    or, ||    Logical OR
    not, !    Logical NOT

Expressions can be grouped by parentheses as well. The following are all valid read filter expressions:

    tcp.port == 80 and ip.src ==
    not llc
    (ipx.srcnet == 0xbad && ipx.srcnode == || ip
    tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29

A special caveat must be given regarding fields that occur more than once per packet. ``ip.addr'' occurs twice per IP packet, once for the source address, and once for the destination address. Likewise, tr.rif.ring fields can occur more than once per packet. The following two expressions are not equivalent:

    ip.addr ne
    not ip.addr eq

The first filter says ``show me all packets where an ip.addr exists that does not equal''. That is, as long as one ip.addr in the packet does not equal, the packet passes the display filter. The second filter says ``don't show me any packets that have at least one ip.addr field equal to''. If one ip.addr is, the packet does not pass. If neither ip.addr field is, then the packet passes.

It is easy to think of the 'ne' and 'eq' operators as having an implicit ``exists'' modifier when dealing with multiply-recurring fields. ``ip.addr ne'' can be thought of as ``there exists an ip.addr that does not equal''.

Be careful with multiply-recurring fields; they can be confusing.
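The ``ip.addr ne'' versus ``not ip.addr eq'' caveat, as an added example that is not part of the original man page. It models a multiply-recurring field as a list of values and gives eq/ne the implicit ``exists'' reading; the packets and addresses are constructed, and frame 4 (no ip.addr at all) shows that the negated form also passes non-IP packets.

```python
"""'ip.addr ne X' versus 'not ip.addr eq X' on multiply-recurring fields.

Added example, not Ethereal code. A field that occurs more than once in a
packet (ip.addr appears twice in every IP packet) is modelled as a list of
values, and 'eq'/'ne' get the implicit "there exists" reading the man page
describes. The packets below are constructed sample data.
"""
from typing import Callable, Dict, List

Packet = Dict[str, List[str]]          # field abbreviation -> all occurrences

# Constructed sample packets. Frame 4 carries no ip.addr at all (e.g. ARP).
PACKETS: List[Packet] = [
    {"frame.number": ["1"], "ip.addr": ["10.0.0.1", "10.0.0.2"]},
    {"frame.number": ["2"], "ip.addr": ["10.0.0.1", "10.0.0.1"]},
    {"frame.number": ["3"], "ip.addr": ["10.0.0.3", "10.0.0.4"]},
    {"frame.number": ["4"]},
]


def field_eq(pkt: Packet, field: str, value: str) -> bool:
    """'field eq value': some occurrence of field equals value."""
    return any(v == value for v in pkt.get(field, []))


def field_ne(pkt: Packet, field: str, value: str) -> bool:
    """'field ne value': some occurrence of field differs from value.

    Because of the existential reading this is NOT 'not field_eq(...)':
    a packet whose two ip.addr values are X and Y passes both 'eq X' and
    'ne X'.
    """
    return any(v != value for v in pkt.get(field, []))


def select(packets: List[Packet], predicate: Callable[[Packet], bool]) -> List[str]:
    """Frame numbers of the packets that pass a filter predicate."""
    return [p["frame.number"][0] for p in packets if predicate(p)]


def filter_ne(packets: List[Packet], value: str) -> List[str]:
    """Packets passing 'ip.addr ne value'."""
    return select(packets, lambda p: field_ne(p, "ip.addr", value))


def filter_not_eq(packets: List[Packet], value: str) -> List[str]:
    """Packets passing 'not ip.addr eq value'."""
    return select(packets, lambda p: not field_eq(p, "ip.addr", value))


if __name__ == "__main__":
    print("ip.addr ne 10.0.0.1     ->", filter_ne(PACKETS, "10.0.0.1"))      # ['1', '3']
    print("not ip.addr eq 10.0.0.1 ->", filter_not_eq(PACKETS, "10.0.0.1"))  # ['3', '4']
```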

The following is a table of protocols and protocol fields that are filterable in Tethereal. The abbreviation of the protocol or field is given. This abbreviation is what you use in the read filter. The type of the field is also given.

802.1q Virtual LAN (vlan)

    vlan.cfi  CFI        Unsigned 16-bit integer
    vlan.etype  Type        Unsigned 16-bit integer
    vlan.id  ID        Unsigned 16-bit integer
    vlan.len  Length        Unsigned 16-bit integer
    vlan.priority  Priority        Unsigned 16-bit integer
    vlan.trailer  Trailer        Byte array

802.1x Authentication (eapol)

    eapol.keydes.index.indexnum  Index Number        Unsigned 8-bit integer
    eapol.keydes.index.keytype  Key Type        Boolean
    eapol.keydes.key  Key        Byte array
    eapol.keydes.key_iv  Key IV        Byte array
    eapol.keydes.key_signature  Key Signature        Byte array
    eapol.keydes.keylen  Key Length        Unsigned 16-bit integer
    eapol.keydes.replay_counter  Replay Counter
    eapol.keydes.type  Descriptor Type        Unsigned 8-bit integer
    eapol.len  Length        Unsigned 16-bit integer
    eapol.type  Type        Unsigned 8-bit integer
    eapol.version  Version        Unsigned 8-bit integer

AOL Instant Messenger (aim)

    aim.channel  Channel ID        Unsigned 8-bit integer
    aim.cmd_start  Command Start        Unsigned 8-bit integer
    aim.datalen  Data Field Length        Unsigned 16-bit integer
    aim.fnac.family  FNAC Family ID        Unsigned 16-bit integer
    aim.fnac.subtype  FNAC Subtype ID        Unsigned 16-bit integer
    aim.seqno  Sequence Number        Unsigned 16-bit integer

ATM (atm)

    atm.vci  VCI        Unsigned 16-bit integer
    atm.vpi  VPI        Unsigned 8-bit integer

ATM LAN Emulation (lane)


Address Resolution Protocol (arp)

    arp.dst.atm_num_e164  Target ATM number (E.164)        String
    arp.dst.atm_num_nsap  Target ATM number (NSAP)        Byte array
    arp.dst.atm_subaddr  Target ATM subaddress        Byte array
    arp.dst.hlen  Target ATM number length        Unsigned 8-bit integer
    arp.dst.htype  Target ATM number type        Boolean
    arp.dst.hw  Target hardware address        Byte array
    arp.dst.hw_mac  Target MAC address        6-byte Hardware (MAC) Address
    arp.dst.pln  Target protocol size        Unsigned 8-bit integer
    arp.dst.proto  Target protocol address        Byte array
    arp.dst.proto_ipv4  Target IP address        IPv4 address
    arp.dst.slen  Target ATM subaddress length        Unsigned 8-bit integer
    arp.dst.stype  Target ATM subaddress type        Boolean
    arp.hw.size  Hardware size        Unsigned 8-bit integer
    arp.hw.type  Hardware type        Unsigned 16-bit integer
    arp.opcode  Opcode        Unsigned 16-bit integer
    arp.proto.size  Protocol size        Unsigned 8-bit integer
    arp.proto.type  Protocol type        Unsigned 16-bit integer
    arp.src.atm_num_e164  Sender ATM number (E.164)        String
    arp.src.atm_num_nsap  Sender ATM number (NSAP)        Byte array
    arp.src.atm_subaddr  Sender ATM subaddress        Byte array
    arp.src.hlen  Sender ATM number length        Unsigned 8-bit integer
    arp.src.htype  Sender ATM number type        Boolean
    arp.src.hw  Sender hardware address        Byte array
    arp.src.hw_mac  Sender MAC address        6-byte Hardware (MAC) Address
    arp.src.pln  Sender protocol size        Unsigned 8-bit integer
    arp.src.proto  Sender protocol address        Byte array
    arp.src.proto_ipv4  Sender IP address        IPv4 address
    arp.src.slen  Sender ATM subaddress length        Unsigned 8-bit integer
    arp.src.stype  Sender ATM subaddress type        Boolean

AiroPeek radio information (airopeek)

    airopeek.channel  Channel        Unsigned 8-bit integer
    airopeek.data_rate  Data Rate        Unsigned 8-bit integer
    airopeek.signal_strength  Signal Strength        Unsigned 8-bit integer

Andrew File System (AFS) (afs)

    afs.backup  Backup        Boolean
    afs.backup.errcode  Error Code        Unsigned 32-bit integer
    afs.backup.opcode  Operation        Unsigned 32-bit integer
    afs.bos  BOS        Boolean
    afs.bos.baktime  Backup Time        Date/Time stamp
    afs.bos.cell  Cell        String
    afs.bos.cmd  Command        String
    afs.bos.content  Content        String
    afs.bos.data  Data        Byte array
    afs.bos.date  Date        Unsigned 32-bit integer
    afs.bos.errcode  Error Code        Unsigned 32-bit integer
    afs.bos.error  Error        String
    afs.bos.file  File        String
    afs.bos.flags  Flags        Unsigned 32-bit integer
    afs.bos.host  Host        String
    afs.bos.instance  Instance        String
    afs.bos.key  Key        Byte array
    afs.bos.keychecksum  Key Checksum        Unsigned 32-bit integer
    afs.bos.keymodtime  Key Modification Time        Date/Time stamp
    afs.bos.keyspare2  Key Spare 2        Unsigned 32-bit integer
    afs.bos.kvno  Key Version Number        Unsigned 32-bit integer
    afs.bos.newtime  New Time        Date/Time stamp
    afs.bos.number  Number        Unsigned 32-bit integer
    afs.bos.oldtime  Old Time        Date/Time stamp
    afs.bos.opcode  Operation        Unsigned 32-bit integer
    afs.bos.parm  Parm        String
    afs.bos.path  Path        String
    afs.bos.size  Size        Unsigned 32-bit integer
    afs.bos.spare1  Spare1        String
    afs.bos.spare2  Spare2        String
    afs.bos.spare3  Spare3        String
    afs.bos.status  Status        Signed 32-bit integer
    afs.bos.statusdesc  Status Description        String
    afs.bos.type  Type        String
    afs.bos.user  User        String
    afs.cb  Callback        Boolean
    afs.cb.callback.expires  Expires        Date/Time stamp
    afs.cb.callback.type  Type        Unsigned 32-bit integer
    afs.cb.callback.version  Version        Unsigned 32-bit integer
    afs.cb.errcode  Error Code        Unsigned 32-bit integer
    afs.cb.fid.uniq  FileID (Uniqifier)        Unsigned 32-bit integer
    afs.cb.fid.vnode  FileID (VNode)        Unsigned 32-bit integer
    afs.cb.fid.volume  FileID (Volume)        Unsigned 32-bit integer
    afs.cb.opcode  Operation        Unsigned 32-bit integer
    afs.error  Error        Boolean
    afs.error.opcode  Operation        Unsigned 32-bit integer
    afs.fs  File Server        Boolean
    afs.fs.acl.a  _A_dminister        Boolean
    afs.fs.acl.count.negative  ACL Count (Negative)        Unsigned 32-bit integer
    afs.fs.acl.count.positive  ACL Count (Positive)        Unsigned 32-bit integer
    afs.fs.acl.d  _D_elete        Boolean
    afs.fs.acl.datasize  ACL Size        Unsigned 32-bit integer
    afs.fs.acl.entity  Entity (User/Group)        String
    afs.fs.acl.i  _I_nsert        Boolean
    afs.fs.acl.k  _L_ock        Boolean
    afs.fs.acl.l  _L_ookup        Boolean
    afs.fs.acl.r  _R_ead        Boolean
    afs.fs.acl.w  _W_rite        Boolean
    afs.fs.callback.expires  Expires        Date/Time stamp
    afs.fs.callback.type  Type        Unsigned 32-bit integer
    afs.fs.callback.version  Version        Unsigned 32-bit integer
    afs.fs.cps.spare1  CPS Spare1        Unsigned 32-bit integer
    afs.fs.cps.spare2  CPS Spare2        Unsigned 32-bit integer
    afs.fs.cps.spare3  CPS Spare3        Unsigned 32-bit integer
    afs.fs.data  Data        Byte array
    afs.fs.errcode  Error Code        Unsigned 32-bit integer
    afs.fs.fid.uniq  FileID (Uniqifier)        Unsigned 32-bit integer
    afs.fs.fid.vnode  FileID (VNode)        Unsigned 32-bit integer
    afs.fs.fid.volume  FileID (Volume)        Unsigned 32-bit integer
    afs.fs.flength  FLength        Unsigned 32-bit integer
    afs.fs.ipaddr  IP Address        IPv4 address
    afs.fs.length  Length        Unsigned 32-bit integer
    afs.fs.motd  Message of the Day        String
    afs.fs.name  Name        String
    afs.fs.newname  New Name        String
    afs.fs.offlinemsg  Offline Message        String
    afs.fs.offset  Offset        Unsigned 32-bit integer
    afs.fs.oldname  Old Name        String
    afs.fs.opcode  Operation        Unsigned 32-bit integer
    afs.fs.status.anonymousaccess  Anonymous Access        Unsigned 32-bit integer
    afs.fs.status.author  Author        Unsigned 32-bit integer
    afs.fs.status.calleraccess  Caller Access        Unsigned 32-bit integer
    afs.fs.status.clientmodtime  Client Modification Time        Date/Time stamp
    afs.fs.status.dataversion  Data Version        Unsigned 32-bit integer
    afs.fs.status.dataversionhigh  Data Version (High)        Unsigned 32-bit integer
    afs.fs.status.filetype  File Type        Unsigned 32-bit integer
    afs.fs.status.group  Group        Unsigned 32-bit integer
    afs.fs.status.interfaceversion  Interface Version        Unsigned 32-bit integer
    afs.fs.status.length  Length        Unsigned 32-bit integer
    afs.fs.status.linkcount  Link Count        Unsigned 32-bit integer
    afs.fs.status.mask  Mask        Unsigned 32-bit integer
    afs.fs.status.mask.fsync  FSync        Boolean
    afs.fs.status.mask.setgroup  Set Group        Boolean
    afs.fs.status.mask.setmode  Set Mode        Boolean
    afs.fs.status.mask.setmodtime  Set Modification Time        Boolean
    afs.fs.status.mask.setowner  Set Owner        Boolean
    afs.fs.status.mask.setsegsize  Set Segment Size        Boolean
    afs.fs.status.mode  Unix Mode        Unsigned 32-bit integer
    afs.fs.status.owner  Owner        Unsigned 32-bit integer
    afs.fs.status.parentunique  Parent Unique        Unsigned 32-bit integer
    afs.fs.status.parentvnode  Parent VNode        Unsigned 32-bit integer
    afs.fs.status.segsize  Segment Size        Unsigned 32-bit integer
    afs.fs.status.servermodtime  Server Modification Time        Date/Time stamp
    afs.fs.status.spare2  Spare 2        Unsigned 32-bit integer
    afs.fs.status.spare3  Spare 3        Unsigned 32-bit integer
    afs.fs.status.spare4  Spare 4        Unsigned 32-bit integer
    afs.fs.status.synccounter  Sync Counter        Unsigned 32-bit integer
    afs.fs.symlink.content  Symlink Content        String
    afs.fs.symlink.name  Symlink Name        String
    afs.fs.timestamp  Timestamp        Date/Time stamp
    afs.fs.token  Token        Byte array
    afs.fs.viceid  Vice ID        Unsigned 32-bit integer
    afs.fs.vicelocktype  Vice Lock Type        Unsigned 32-bit integer
    afs.fs.volid  Volume ID        Unsigned 32-bit integer
    afs.fs.volname  Volume Name        String
    afs.fs.volsync.spare1  Volume Creation Timestamp        Date/Time stamp
    afs.fs.volsync.spare2  Spare 2        Unsigned 32-bit integer
    afs.fs.volsync.spare3  Spare 3        Unsigned 32-bit integer
    afs.fs.volsync.spare4  Spare 4        Unsigned 32-bit integer
    afs.fs.volsync.spare5  Spare 5        Unsigned 32-bit integer
    afs.fs.volsync.spare6  Spare 6        Unsigned 32-bit integer
    afs.fs.xstats.clientversion  Client Version        Unsigned 32-bit integer
    afs.fs.xstats.collnumber  Collection Number        Unsigned 32-bit integer
    afs.fs.xstats.timestamp  XStats Timestamp        Unsigned 32-bit integer
    afs.fs.xstats.version  XStats Version        Unsigned 32-bit integer
    afs.kauth  KAuth        Boolean
    afs.kauth.data  Data        Byte array
    afs.kauth.domain  Domain        String
    afs.kauth.errcode  Error Code        Unsigned 32-bit integer
    afs.kauth.kvno  Key Version Number        Unsigned 32-bit integer
    afs.kauth.name  Name        String
    afs.kauth.opcode  Operation        Unsigned 32-bit integer
    afs.kauth.princ  Principal        String
    afs.kauth.realm  Realm        String
    afs.prot  Protection        Boolean
    afs.prot.count  Count        Unsigned 32-bit integer
    afs.prot.errcode  Error Code        Unsigned 32-bit integer
    afs.prot.flag  Flag        Unsigned 32-bit integer
    afs.prot.gid  Group ID        Unsigned 32-bit integer
    afs.prot.id  ID        Unsigned 32-bit integer
    afs.prot.maxgid  Maximum Group ID        Unsigned 32-bit integer
    afs.prot.maxuid  Maximum User ID        Unsigned 32-bit integer
    afs.prot.name  Name        String
    afs.prot.newid  New ID        Unsigned 32-bit integer
    afs.prot.oldid  Old ID        Unsigned 32-bit integer
    afs.prot.opcode  Operation        Unsigned 32-bit integer
    afs.prot.pos  Position        Unsigned 32-bit integer
    afs.prot.uid  User ID        Unsigned 32-bit integer
    afs.rmtsys  Rmtsys        Boolean
    afs.rmtsys.opcode  Operation        Unsigned 32-bit integer
    afs.ubik  Ubik        Boolean
    afs.ubik.activewrite  Active Write        Unsigned 32-bit integer
    afs.ubik.addr  Address        IPv4 address
    afs.ubik.amsyncsite  Am Sync Site        Unsigned 32-bit integer
    afs.ubik.anyreadlocks  Any Read Locks        Unsigned 32-bit integer
    afs.ubik.anywritelocks  Any Write Locks        Unsigned 32-bit integer
    afs.ubik.beaconsincedown  Beacon Since Down        Unsigned 32-bit integer
    afs.ubik.currentdb  Current DB        Unsigned 32-bit integer
    afs.ubik.currenttran  Current Transaction        Unsigned 32-bit integer
    afs.ubik.epochtime  Epoch Time        Date/Time stamp
    afs.ubik.errcode  Error Code        Unsigned 32-bit integer
    afs.ubik.file  File        Unsigned 32-bit integer
    afs.ubik.interface  Interface Address        IPv4 address
    afs.ubik.isclone  Is Clone        Unsigned 32-bit integer
    afs.ubik.lastbeaconsent  Last Beacon Sent        Date/Time stamp
    afs.ubik.lastvote  Last Vote        Unsigned 32-bit integer
    afs.ubik.lastvotetime  Last Vote Time        Date/Time stamp
    afs.ubik.lastyesclaim  Last Yes Claim        Date/Time stamp
    afs.ubik.lastyeshost  Last Yes Host        IPv4 address
    afs.ubik.lastyesstate  Last Yes State        Unsigned 32-bit integer
    afs.ubik.lastyesttime  Last Yes Time        Date/Time stamp
    afs.ubik.length  Length        Unsigned 32-bit integer
    afs.ubik.lockedpages  Locked Pages        Unsigned 32-bit integer
    afs.ubik.locktype  Lock Type        Unsigned 32-bit integer
    afs.ubik.lowesthost  Lowest Host        IPv4 address
    afs.ubik.lowesttime  Lowest Time        Date/Time stamp
    afs.ubik.now  Now        Date/Time stamp
    afs.ubik.nservers  Number of Servers        Unsigned 32-bit integer
    afs.ubik.opcode  Operation        Unsigned 32-bit integer
    afs.ubik.position  Position        Unsigned 32-bit integer
    afs.ubik.recoverystate  Recovery State        Unsigned 32-bit integer
    afs.ubik.site  Site        IPv4 address
    afs.ubik.state  State        Unsigned 32-bit integer
    afs.ubik.synchost  Sync Host        IPv4 address
    afs.ubik.syncsiteuntil  Sync Site Until        Date/Time stamp
    afs.ubik.synctime  Sync Time        Date/Time stamp
    afs.ubik.tidcounter  TID Counter        Unsigned 32-bit integer
    afs.ubik.up  Up        Unsigned 32-bit integer
    afs.ubik.version.counter  Counter        Unsigned 32-bit integer
    afs.ubik.version.epoch  Epoch        Date/Time stamp
    afs.ubik.voteend  Vote Ends        Date/Time stamp
    afs.ubik.votestart  Vote Started        Date/Time stamp
    afs.ubik.votetype  Vote Type        Unsigned 32-bit integer
    afs.ubik.writelockedpages  Write Locked Pages        Unsigned 32-bit integer
    afs.ubik.writetran  Write Transaction        Unsigned 32-bit integer
    afs.update  Update        Boolean
    afs.update.opcode  Operation        Unsigned 32-bit integer
    afs.vldb  VLDB        Boolean
    afs.vldb.bkvol  Backup Volume ID        Unsigned 32-bit integer
    afs.vldb.bump  Bumped Volume ID        Unsigned 32-bit integer
    afs.vldb.clonevol  Clone Volume ID        Unsigned 32-bit integer
    afs.vldb.count  Volume Count        Unsigned 32-bit integer
    afs.vldb.errcode  Error Code        Unsigned 32-bit integer
    afs.vldb.flags  Flags        Unsigned 32-bit integer
    afs.vldb.flags.bkexists  Backup Exists        Boolean
    afs.vldb.flags.dfsfileset  DFS Fileset        Boolean
    afs.vldb.flags.roexists  Read-Only Exists        Boolean
    afs.vldb.flags.rwexists  Read/Write Exists        Boolean
    Volume ID        Unsigned 32-bit integer
    afs.vldb.index  Volume Index        Unsigned 32-bit integer
    Volume Name        String
    afs.vldb.nextindex  Next Volume Index        Unsigned 32-bit integer
    afs.vldb.numservers  Number of Servers        Unsigned 32-bit integer
    afs.vldb.opcode  Operation        Unsigned 32-bit integer
    afs.vldb.partition  Partition        String
    afs.vldb.rovol  Read-Only Volume ID        Unsigned 32-bit integer
    afs.vldb.rwvol  Read-Write Volume ID        Unsigned 32-bit integer
    afs.vldb.server  Server        IPv4 address
    afs.vldb.serverflags  Server Flags        Unsigned 32-bit integer
    afs.vldb.serverip  Server IP        IPv4 address
    afs.vldb.serveruniq  Server Unique Address        Unsigned 32-bit integer
    afs.vldb.serveruuid  Server UUID        Byte array
    afs.vldb.spare1  Spare 1        Unsigned 32-bit integer
    afs.vldb.spare2  Spare 2        Unsigned 32-bit integer
    afs.vldb.spare3  Spare 3        Unsigned 32-bit integer
    afs.vldb.spare4  Spare 4        Unsigned 32-bit integer
    afs.vldb.spare5  Spare 5        Unsigned 32-bit integer
    afs.vldb.spare6  Spare 6        Unsigned 32-bit integer
    afs.vldb.spare7  Spare 7        Unsigned 32-bit integer
    afs.vldb.spare8  Spare 8        Unsigned 32-bit integer
    afs.vldb.spare9  Spare 9        Unsigned 32-bit integer
    afs.vldb.type  Volume Type        Unsigned 32-bit integer
    afs.vol  Volume Server        Boolean
    afs.vol.count  Volume Count        Unsigned 32-bit integer
    afs.vol.errcode  Error Code        Unsigned 32-bit integer
    Volume ID        Unsigned 32-bit integer
    Volume Name        String
    afs.vol.opcode  Operation        Unsigned 32-bit integer

Appletalk Address Resolution Protocol (aarp)

    aarp.dst.hw  Target hardware address        Byte array
    aarp.dst.hw_mac  Target MAC address        6-byte Hardware (MAC) Address
    aarp.dst.proto  Target protocol address        Byte array
    aarp.dst.proto_id  Target ID        Byte array
    aarp.hard.size  Hardware size        Unsigned 8-bit integer
    aarp.hard.type  Hardware type        Unsigned 16-bit integer
    aarp.opcode  Opcode        Unsigned 16-bit integer
    aarp.proto.size  Protocol size        Unsigned 8-bit integer
    aarp.proto.type  Protocol type        Unsigned 16-bit integer
    aarp.src.hw  Sender hardware address        Byte array
    aarp.src.hw_mac  Sender MAC address        6-byte Hardware (MAC) Address
    aarp.src.proto  Sender protocol address        Byte array
    aarp.src.proto_id  Sender ID        Byte array

Async data over ISDN (V.120) (v120)

    v120.address  Link Address        Unsigned 16-bit integer
    v120.control  Control Field        Unsigned 16-bit integer
    v120.header  Header Field        String

Authentication Header (ah)

    ah.sequence  Sequence        Unsigned 32-bit integer
    ah.spi  SPI        Unsigned 32-bit integer

BACnet Virtual Link Control (bvlc)

    bvlc.bdt_ip  IP        IPv4 address
    bvlc.bdt_mask  Mask        Byte array
    bvlc.bdt_port  Port        Unsigned 16-bit integer
    bvlc.fdt_ip  IP        IPv4 address
    bvlc.fdt_port  Port        Unsigned 16-bit integer
    bvlc.fdt_timeout  Timeout        Unsigned 16-bit integer
    bvlc.fdt_ttl  TTL        Unsigned 16-bit integer
    bvlc.function  Function        Unsigned 8-bit integer
    bvlc.fwd_ip  IP        IPv4 address
    bvlc.fwd_port  Port        Unsigned 16-bit integer
    bvlc.length  Length        Unsigned 16-bit integer
    bvlc.reg_ttl  TTL        Unsigned 16-bit integer
    bvlc.result  Result        Unsigned 16-bit integer
    bvlc.type  Type        Unsigned 8-bit integer

Banyan Vines (vines)

    vines.protocol  Protocol        Unsigned 8-bit integer

Banyan Vines Fragmentation Protocol (vines_frp)


Banyan Vines SPP (vines_spp)


Blocks Extensible Exchange Protocol (beep)

    beep.ansno  Ansno        Unsigned 32-bit integer
    Channel        Unsigned 32-bit integer
    beep.end  End        Boolean
    beep.more.complete  Complete        Boolean
    beep.more.intermediate  Intermediate        Boolean
    beep.msgno  Msgno        Unsigned 32-bit integer
    beep.req  Request        Boolean
    Request Channel Number        Unsigned 32-bit integer
    beep.rsp  Response        Boolean
    Response Channel Number        Unsigned 32-bit integer
    beep.seq  Sequence        Boolean
    beep.seq.ackno  Ackno        Unsigned 32-bit integer
    Sequence Channel Number        Unsigned 32-bit integer
    beep.seq.window  Window        Unsigned 32-bit integer
    beep.seqno  Seqno        Unsigned 32-bit integer
    beep.size  Size        Unsigned 32-bit integer
    beep.status.negative  Negative        Boolean
    beep.status.positive  Positive        Boolean
    beep.violation  Protocol Violation        Boolean

Boot Parameters (bootparams)

    bootparams.domain  Client Domain        String
    bootparams.fileid  File ID        String
    bootparams.filepath  File Path        String
    Client Host        String
    bootparams.hostaddr  Client Address        IPv4 address
    bootparams.routeraddr  Router Address        IPv4 address
    bootparams.type  Address Type        Unsigned 32-bit integer

Bootstrap Protocol (bootp)

    bootp.cookie  Magic cookie        IPv4 address
    bootp.dhcp  Frame is DHCP        Boolean
    bootp.file  Boot file name        String
    bootp.flag  Broadcast flag        Unsigned 16-bit integer
    bootp.hops  Hops        Unsigned 8-bit integer
    bootp.hw.addr  Client hardware address        Byte array
    bootp.hw.len  Hardware address length        Unsigned 8-bit integer
    bootp.hw.type  Hardware type        Unsigned 8-bit integer
    Transaction ID        Unsigned 32-bit integer
    bootp.ip.client  Client IP address        IPv4 address
    bootp.ip.relay  Relay agent IP address        IPv4 address
    bootp.ip.server  Next server IP address        IPv4 address
    bootp.ip.your  Your (client) IP address        IPv4 address
    bootp.secs  Seconds elapsed        Unsigned 16-bit integer
    bootp.server  Server host name        String
    bootp.type  Message type        Unsigned 8-bit integer

Border Gateway Protocol (bgp)

    bgp.type  BGP message type        Unsigned 8-bit integer

Building Automation and Control Network APDU (bacapp)

    bacapp.bacapp_type  APDU Type        Unsigned 8-bit integer

Building Automation and Control Network NPDU (bacnet)

    bacnet.control  Control        Unsigned 8-bit integer
    bacnet.control_dest  Destination Specifier        Boolean
    bacnet.control_expect  Expecting Reply        Boolean
    bacnet.control_net  NSDU contains        Boolean
    bacnet.control_prio_high  Priority        Boolean
    bacnet.control_prio_low  Priority        Boolean
    bacnet.control_res1  Reserved        Boolean
    bacnet.control_res2  Reserved        Boolean
    bacnet.control_src  Source specifier        Boolean
    bacnet.dadr_eth  Destination ISO 8802-3 MAC Address        6-byte Hardware (MAC) Address
    bacnet.dadr_tmp  Unknown Destination MAC        Byte array
    bacnet.dlen  Destination MAC Layer Address Length        Unsigned 8-bit integer
    bacnet.dnet  Destination Network Address        Unsigned 16-bit integer
    bacnet.hopc  Hop Count        Unsigned 8-bit integer
    bacnet.mesgtyp  Message Type        Unsigned 8-bit integer
    bacnet.perf  Performance Index        Unsigned 8-bit integer
    bacnet.pinfo  Port Info        Unsigned 8-bit integer
    bacnet.pinfolen  Port Info Length        Unsigned 8-bit integer
    bacnet.portid  Port ID        Unsigned 8-bit integer
    bacnet.rejectreason  Reject Reason        Unsigned 8-bit integer
    bacnet.rportnum  Number of Port Mappings        Unsigned 8-bit integer
    bacnet.sadr_eth  SADR        6-byte Hardware (MAC) Address
    bacnet.sadr_tmp  Unknown Source MAC        Byte array
    bacnet.slen  Source MAC Layer Address Length        Unsigned 8-bit integer
    bacnet.snet  Source Network Address        Unsigned 16-bit integer
    bacnet.vendor  Vendor ID        Unsigned 16-bit integer
    bacnet.version  Version        Unsigned 8-bit integer

Cisco Auto-RP (auto_rp)

    auto_rp.group_prefix  Prefix        IPv4 address
    auto_rp.holdtime  Holdtime        Unsigned 16-bit integer
    auto_rp.mask_len  Mask length        Unsigned 8-bit integer
    auto_rp.pim_ver  Version        Unsigned 8-bit integer
    auto_rp.prefix_sign  Sign        Unsigned 8-bit integer
    auto_rp.rp_addr  RP address        IPv4 address
    auto_rp.rp_count  RP count        Unsigned 8-bit integer
    auto_rp.type  Packet type        Unsigned 8-bit integer
    auto_rp.version  Protocol version        Unsigned 8-bit integer

Cisco Discovery Protocol (cdp)

    cdp.checksum  Checksum        Unsigned 16-bit integer
    cdp.tlv.len  Length        Unsigned 16-bit integer
    cdp.tlv.type  Type        Unsigned 16-bit integer
    cdp.ttl  TTL        Unsigned 16-bit integer
    cdp.version  Version        Unsigned 8-bit integer

Cisco Group Management Protocol (cgmp)

    cgmp.count  Count        Unsigned 8-bit integer
    cgmp.gda  Group Destination Address        6-byte Hardware (MAC) Address
    cgmp.type  Type        Unsigned 8-bit integer
    cgmp.usa  Unicast Source Address        6-byte Hardware (MAC) Address
    cgmp.version  Version        Unsigned 8-bit integer

Cisco HDLC (chdlc)

    chdlc.address  Address        Unsigned 8-bit integer
    chdlc.protocol  Protocol        Unsigned 16-bit integer

Cisco Hot Standby Router Protocol (hsrp)

    hsrp.auth_data  Authentication Data        String
    Group        Unsigned 8-bit integer
    hsrp.hellotime  Hellotime        Unsigned 8-bit integer
    hsrp.holdtime  Holdtime        Unsigned 8-bit integer
    hsrp.opcode  Op Code        Unsigned 8-bit integer
    hsrp.priority  Priority        Unsigned 8-bit integer
    hsrp.reserved  Reserved        Unsigned 8-bit integer
    hsrp.state  State        Unsigned 8-bit integer
    hsrp.version  Version        Unsigned 8-bit integer
    hsrp.virt_ip  Virtual IP Address        IPv4 address

Cisco ISL (isl)

    isl.addr  Source or Destination Address        6-byte Hardware (MAC) Address
    isl.bpdu  BPDU        Boolean
    isl.crc  CRC        Unsigned 32-bit integer
    isl.dst  Destination        6-byte Hardware (MAC) Address
    isl.dst_route_desc  Destination route descriptor        Unsigned 16-bit integer
    isl.esize  Esize        Unsigned 8-bit integer
    isl.explorer  Explorer        Boolean
    isl.fcs_not_incl  FCS Not Included        Boolean
    isl.hsa  HSA        Unsigned 24-bit integer
    isl.index  Index        Unsigned 16-bit integer
    isl.len  Length        Unsigned 16-bit integer
    isl.src  Source        6-byte Hardware (MAC) Address
    isl.src_route_desc  Source-route descriptor        Unsigned 16-bit integer
    isl.src_vlan_id  Source VLAN ID        Unsigned 16-bit integer
    isl.type  Type        Unsigned 8-bit integer
    isl.user  User        Unsigned 8-bit integer
    isl.user_eth  User        Unsigned 8-bit integer
    isl.vlan_id  VLAN ID        Unsigned 16-bit integer

Cisco Interior Gateway Routing Protocol (igrp)

    Autonomous System        Unsigned 16-bit integer
    igrp.update  Update Release        Unsigned 8-bit integer

Cisco SLARP (slarp)

    slarp.address  Address        IPv4 address
    slarp.mysequence  Outgoing sequence number        Unsigned 32-bit integer
    slarp.ptype  Packet type        Unsigned 32-bit integer
    slarp.yoursequence  Returned sequence number        Unsigned 32-bit integer

Common Open Policy Service (cops)

    cops.accttimer.value  Contents: ACCT Timer Value        Unsigned 16-bit integer
    cops.c_num  C-Num        Unsigned 8-bit integer
    cops.c_type  C-Type        Unsigned 8-bit integer
    cops.client_type  Client Type        Unsigned 16-bit integer
    cops.context.m_type  M-Type        Unsigned 16-bit integer
    cops.context.r_type  R-Type        Unsigned 16-bit integer
    cops.cperror  Error        Unsigned 16-bit integer
    cops.cperror_sub  Error Sub-code        Unsigned 16-bit integer
    cops.decision.cmd  Command-Code        Unsigned 16-bit integer
    cops.decision.flags  Flags        Unsigned 16-bit integer
    cops.error  Error        Unsigned 16-bit integer
    cops.error_sub  Error Sub-code        Unsigned 16-bit integer
    cops.flags  Flags        Unsigned 8-bit integer
    cops.gperror  Error        Unsigned 16-bit integer
    cops.gperror_sub  Error Sub-code        Unsigned 16-bit integer
    IPv4 address        IPv4 address
    IPv6 address        IPv6 address
    ifIndex        Unsigned 32-bit integer
    cops.integrity.key_id  Contents: Key ID        Unsigned 32-bit integer
    cops.integrity.seq_num  Contents: Sequence Number        Unsigned 32-bit integer
    cops.katimer.value  Contents: KA Timer Value        Unsigned 16-bit integer
    cops.lastpdpaddr.ipv4  IPv4 address        IPv4 address
    cops.lastpdpaddr.ipv6  IPv6 address        IPv6 address
    cops.msg_len  Message Length        Unsigned 32-bit integer
    cops.obj.len  Object Length        Unsigned 32-bit integer
    cops.op_code  Op Code        Unsigned 8-bit integer
    cops.out-int.ipv4  IPv4 address        IPv4 address
    cops.out-int.ipv6  IPv6 address        IPv6 address
    cops.pdp.tcp_port  TCP Port Number        Unsigned 32-bit integer
    cops.pdprediraddr.ipv4  IPv4 address        IPv4 address
    cops.pdprediraddr.ipv6  IPv6 address        IPv6 address
    Contents: PEP Id        String
    cops.reason  Reason        Unsigned 16-bit integer
    cops.reason_sub  Reason Sub-code        Unsigned 16-bit integer
    cops.report_type  Contents: Report-Type        Unsigned 16-bit integer
    cops.s_num  S-Num        Unsigned 8-bit integer
    cops.s_type  S-Type        Unsigned 8-bit integer
    cops.ver_flags  Version and Flags        Unsigned 8-bit integer
    cops.version  Version        Unsigned 8-bit integer

Common Unix Printing System (CUPS) Browsing Protocol (cups)

    cups.ptype  Type        Unsigned 32-bit integer
    cups.state  State        Unsigned 8-bit integer

DCE RPC (dcerpc)

    dcerpc.array.actual_count  Actual Count        Unsigned 32-bit integer
    dcerpc.array.max_count  Max Count        Unsigned 32-bit integer
    dcerpc.array.offset  Offset        Unsigned 32-bit integer
    dcerpc.auth_ctx_id  Auth Context ID        Unsigned 32-bit integer
    dcerpc.auth_level  Auth level        Unsigned 8-bit integer
    dcerpc.auth_pad_len  Auth pad len        Unsigned 8-bit integer
    dcerpc.auth_rsrvd  Auth Rsrvd        Unsigned 8-bit integer
    dcerpc.auth_type  Auth type        Unsigned 8-bit integer
    dcerpc.cn_ack_reason  Ack reason        Unsigned 16-bit integer
    dcerpc.cn_ack_result  Ack result        Unsigned 16-bit integer
    dcerpc.cn_ack_trans_id  Transfer Syntax        String
    dcerpc.cn_ack_trans_ver  Syntax ver        Unsigned 32-bit integer
    dcerpc.cn_alloc_hint  Alloc hint        Unsigned 32-bit integer
    dcerpc.cn_assoc_group  Assoc Group        Unsigned 32-bit integer
    dcerpc.cn_auth_len  Auth Length        Unsigned 16-bit integer
    dcerpc.cn_bind_if_ver  Interface Ver        Unsigned 16-bit integer
    dcerpc.cn_bind_if_ver_minor  Interface Ver Minor        Unsigned 16-bit integer
    dcerpc.cn_bind_to_uuid  Interface UUID        String