author | Gerald Combs <gerald@wireshark.org> | 2008-02-15 23:20:32 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2008-02-15 23:20:32 +0000 |
commit | 98bacb3556206a81f78c1568f7703f28ba137f91 (patch) | |
tree | 17f802e592331df786136ba5638c6844d94dc855 /doc/rawshark.pod | |
parent | 6537c76fb62d583eb5f98308c15ae31c1712a31a (diff) |
Add rawshark, a utility that, when given raw pcap-formatted packets and
a list of fields, prints the field values found in each packet.
Packet data can be specified as a libpcap DLT, e.g. "EN10MB" or an upper-layer protocol, e.g. "http".
svn path=/trunk/; revision=24339
Diffstat (limited to 'doc/rawshark.pod')
-rw-r--r-- | doc/rawshark.pod | 1504 |
1 files changed, 1504 insertions, 0 deletions
diff --git a/doc/rawshark.pod b/doc/rawshark.pod new file mode 100644 index 0000000000..2724e85616 --- /dev/null +++ b/doc/rawshark.pod 
@@ -0,0 +1,1504 @@ + +=head1 NAME + +rawshark - Dump and analyze raw libpcap data + +=head1 SYNOPSYS + +B<rawshark> +S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]> +S<[ B<-F> E<lt>field to displayE<gt> ]> +S<[ B<-h> ]> +S<[ B<-l> ]> +S<[ B<-n> ]> +S<[ B<-N> E<lt>name resolving flagsE<gt> ]> +S<[ B<-o> E<lt>preference settingE<gt> ] ...> +S<[ B<-r> E<lt>infile or pipeE<gt> ]> +S<[ B<-R> E<lt>read (display) filterE<gt> ]> +S<[ B<-S> E<lt>field formatE<gt> ]> +S<[ B<-t> ad|a|r|d|e ]> +S<[ B<-v> ]> + +=head1 DESCRIPTION + +B<Rawshark> reads a stream of packets from a file or pipe, and prints a line +describing its output, followed by a set of matching fields for each packet +on stdout. + +=head1 INPUT + +Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or +input. The B<-d> and B<-r> flags must be specified in order for it to run. +One or more B<-F> flags should be specified in order for the output to be +useful. The other flags listed above follow the same conventions as +B<Wireshark> and B<TShark>. + +B<Rawshark> expects input records with the following format. Note that this +matches the pcap_pkthdr struct and packet data used in libpcap. + +struct rawshark_rec_s { + struct timeval ts; /* Time stamp */ + uint32_t caplen; /* Length of the packet buffer */ + uint32_t len; /* "On the wire" length of the packet */ + uint8_t *data; /* Packet data */ +}; + +=head1 OUTPUT + +If one or more fields are specified via the B<-F> flag, B<Rawshark> prints +the number, field type, and display format for each field on the first line +as "packet number" 0. For each record, the packet number, matching fields, +and a "1" or "0" are printed to indicate if the field matched any supplied +display filter. A "-" is used to signal the end of a field description and +at the end of each packet line. 
For example, the flags B<-F ip.src -F +dns.qry.type> might generate the following output: + +0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX - +1 1="1" 0="192.168.77.10" 1 - +2 1="1" 0="192.168.77.250" 1 - +3 0="192.168.77.10" 1 - +4 0="74.125.19.104" 1 - + +Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication +that packets 1 and 2 didn't pass the filter: + +0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX - +1 1="1" 0="192.168.77.10" 0 - +2 1="1" 0="192.168.77.250" 0 - +3 0="192.168.77.10" 1 - +4 0="74.125.19.104" 1 - + +Also note that the output may be in any order, and that multiple matching +fields might be displayed. + +=head1 OPTIONS + +=over 4 + +=item -d E<lt>encapsulationE<gt> + +Specify how the packet data should be dissected. The encapsulation is of the +form I<type>B<:>I<value>, where I<type> is one of: + +B<encap>:I<name> Packet data should be dissected using the libpcap data +link type I<name>, e.g. B<encap:EN10MB> for Ethernet. + +B<encap>:I<name> Packet data should be dissected using the libpcap data link +type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted +using pcap_datalink_name_to_val(). + +B<encap>:I<number> Packet data should be dissected using the libpcap DLT +I<number>, e.g. B<encap:105> for raw IEEE 802.11. A complete list of DLTs +can be found in pcap-bpf.h in the libpcap sources. + +B<proto>:I<protocol> Packet data should be passed to the specified Wireshark +protocol dissector, e.g. B<proto:http> for HTTP data. + +=item -F E<lt>field to displayE<gt> + +Add the matching field to the output. Fields are any valid display filter +field. More than one B<-F> flag may be specified, and each field can match +multiple times in a given packet. A single field may be specified per B<-F> +flag. If you want to apply a display filter, use the B<-R> flag. + +=item -h + +Print the version and options and exits. 
+ +=item -l + +Flush the standard output after the information for each packet is +printed. (This is not, strictly speaking, line-buffered if B<-V> +was specified; however, it is the same as line-buffered if B<-V> wasn't +specified, as only one line is printed for each packet, and, as B<-l> is +normally used when piping a live capture to a program or script, so that +output for a packet shows up as soon as the packet is seen and +dissected, it should work just as well as true line-buffering. We do +this as a workaround for a deficiency in the Microsoft Visual C++ C +library.) + +This may be useful when piping the output of B<TShark> to another +program, as it means that the program to which the output is piped will +see the dissected data for a packet as soon as B<TShark> sees the +packet and generates that output, rather than seeing it only when the +standard output buffer containing that data fills up. + +=item -n + +Disable network object name resolution (such as hostname, TCP and UDP port +names), the B<-N> flag might override this one. + +=item -N E<lt>name resolving flagsE<gt> + +Turn on name resolving only for particular types of addresses and port +numbers, with name resolving for other types of addresses and port +numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are +present. If both B<-N> and B<-n> flags are not present, all name resolutions are +turned on. + +The argument is a string that may contain the letters: + +B<m> to enable MAC address resolution + +B<n> to enable network address resolution + +B<t> to enable transport-layer port number resolution + +B<C> to enable concurrent (asynchronous) DNS lookups + +=item -o E<lt>preferenceE<gt>:E<lt>valueE<gt> + +Set a preference value, overriding the default value and any value read +from a preference file. 
The argument to the option is a string of the +form I<prefname>B<:>I<value>, where I<prefname> is the name of the +preference (which is the same name that would appear in the preference +file), and I<value> is the value to which it should be set. + +=item -r E<lt>input file or pipeE<gt> + +Read packet data from I<input source>. It can be a regular file or pipe, +and must be have the record format specified above. + +=item -R E<lt>read (display) filterE<gt> + +Cause the specified filter (which uses the syntax of read/display filters, +rather than that of capture filters) to be applied before printing the output. Packets not +matching the filter are discarded rather than being printed or written. + +=item -s E<lt>capture snaplenE<gt> + +Set the default snapshot length to use when capturing live data. +No more than I<snaplen> bytes of each network packet will be read into +memory, or saved to disk. + +=item -S + +Use the specified format string to print each field. The following formats +are supported: + +=over 4 + +B<%D> Field name or description, e.g. "Type" for dns.qry.type +B<%N> Base 10 numeric value of the field. +B<%S> String value of the field. + +=back + +For something similar to Wireshark's standard display ("Type: A (1)") you +could use B<%D: %S (%N)>. + +=item -t ad|a|r|d|e + +Set the format of the packet timestamp printed in summary lines, the default +is relative. The format can be one of: + +B<ad> absolute with date: The absolute date and time is the actual time and +date the packet was captured + +B<a> absolute: The absolute time is the actual time the packet was captured, +with no date displayed + +B<r> relative: The relative time is the time elapsed between the first packet +and the current packet + +B<d> delta: The delta time is the time since the previous packet was +captured + +B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00) + +=item -v + +Print the version and exit. 
+ + +=back + +=head1 READ FILTER SYNTAX + +For a complete table of protocol and protocol fields that are filterable +in B<TShark> see the wireshark-filter(4) manual page. + +=head1 FILES + +These files contains various B<Wireshark> configuration values. + +=over 4 + +=item Preferences + +The F<preferences> files contain global (system-wide) and personal +preference settings. If the system-wide preference file exists, it is +read first, overriding the default settings. If the personal preferences +file exists, it is read next, overriding any previous values. Note: If +the command line option B<-o> is used (possibly more than once), it will +in turn override values from the preferences files. + +The preferences settings are in the form I<prefname>B<:>I<value>, +one per line, +where I<prefname> is the name of the preference +and I<value> is the value to +which it should be set; white space is allowed between B<:> and +I<value>. A preference setting can be continued on subsequent lines by +indenting the continuation lines with white space. A B<#> character +starts a comment that runs to the end of the line: + + # Capture in promiscuous mode? + # TRUE or FALSE (case-insensitive). + capture.prom_mode: TRUE + +The global preferences file is looked for in the F<wireshark> directory +under the F<share> subdirectory of the main installation directory (for +example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible +systems, and in the main installation directory (for example, +F<C:\Program Files\Wireshark\preferences>) on Windows systems. + +The personal preferences file is looked for in +F<$HOME/.wireshark/preferences> on +UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if +%APPDATA% isn't defined, F<%USERPROFILE%\Application +Data\Wireshark\preferences>) on Windows systems. 
+ +=item Disabled (Enabled) Protocols + +The F<disabled_protos> files contain system-wide and personal lists of +protocols that have been disabled, so that their dissectors are never +called. The files contain protocol names, one per line, where the +protocol name is the same name that would be used in a display filter +for the protocol: + + http + tcp # a comment + +The global F<disabled_protos> file uses the same directory as the global +preferences file. + +The personal F<disabled_protos> file uses the same directory as the +personal preferences file. + +=item Name Resolution (hosts) + +If the personal F<hosts> file exists, it is +used to resolve IPv4 and IPv6 addresses before any other +attempts are made to resolve them. The file has the standard F<hosts> +file syntax; each line contains one IP address and name, separated by +whitespace. The same directory as for the personal preferences file is +used. + +=item Name Resolution (ethers) + +The F<ethers> files are consulted to correlate 6-byte hardware addresses to +names. First the personal F<ethers> file is tried and if an address is not +found there the global F<ethers> file is tried next. + +Each line contains one hardware address and name, separated by +whitespace. The digits of the hardware address are separated by colons +(:), dashes (-) or periods (.). The same separator character must be +used consistently in an address. The following three lines are valid +lines of an F<ethers> file: + + ff:ff:ff:ff:ff:ff Broadcast + c0-00-ff-ff-ff-ff TR_broadcast + 00.00.00.00.00.00 Zero_broadcast + +The global F<ethers> file is looked for in the F</etc> directory on +UNIX-compatible systems, and in the main installation directory (for +example, F<C:\Program Files\Wireshark>) on Windows systems. + +The personal F<ethers> file is looked for in the same directory as the personal +preferences file. 
+ +=item Name Resolution (manuf) + +The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte +hardware address with the manufacturer's name; it can also contain well-known +MAC addresses and address ranges specified with a netmask. The format of the +file is the same as the F<ethers> files, except that entries of the form: + + 00:00:0C Cisco + +can be provided, with the 3-byte OUI and the name for a vendor, and +entries such as: + + 00-00-0C-07-AC/40 All-HSRP-routers + +can be specified, with a MAC address and a mask indicating how many bits +of the address must match. The above entry, for example, has 40 +significant bits, or 5 bytes, and would match addresses from +00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a +multiple of 8. + +The F<manuf> file is looked for in the same directory as the global +preferences file. + +=item Name Resolution (ipxnets) + +The F<ipxnets> files are used to correlate 4-byte IPX network numbers to +names. First the global F<ipxnets> file is tried and if that address is not +found there the personal one is tried next. + +The format is the same as the F<ethers> +file, except that each address is four bytes instead of six. +Additionally, the address can be represented as a single hexadecimal +number, as is more common in the IPX world, rather than four hex octets. +For example, these four lines are valid lines of an F<ipxnets> file: + + C0.A8.2C.00 HR + c0-a8-1c-00 CEO + 00:00:BE:EF IT_Server1 + 110f FileServer3 + +The global F<ipxnets> file is looked for in the F</etc> directory on +UNIX-compatible systems, and in the main installation directory (for +example, F<C:\Program Files\Wireshark>) on Windows systems. + +The personal F<ipxnets> file is looked for in the same directory as the +personal preferences file. 
+ +=back + +=head1 SEE ALSO + +wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8), +pcap(3), dumpcap(1), text2pcap(1) + +=head1 NOTES + +B<Rawshark> is part of the B<Wireshark> distribution. The latest version of +B<Wireshark> can be found at L<http://www.wireshark.org>. + +HTML versions of the Wireshark project man pages are available at: +L<http://www.wireshark.org/docs/man-pages>. + +=head1 AUTHORS + +B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as +well as using many other modules from B<Wireshark>; see the list of authors +in the B<Wireshark> man page for a list of authors of that code. + +=head1 NAME + +rawshark - Dump and analyze raw libpcap data + +=head1 SYNOPSYS + +B<rawshark> +S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]> +S<[ B<-F> E<lt>field to displayE<gt> ]> +S<[ B<-h> ]> +S<[ B<-l> ]> +S<[ B<-n> ]> +S<[ B<-N> E<lt>name resolving flagsE<gt> ]> +S<[ B<-o> E<lt>preference settingE<gt> ] ...> +S<[ B<-r> E<lt>infile or pipeE<gt> ]> +S<[ B<-R> E<lt>read (display) filterE<gt> ]> +S<[ B<-S> E<lt>field formatE<gt> ]> +S<[ B<-t> ad|a|r|d|e ]> +S<[ B<-v> ]> + +=head1 DESCRIPTION + +B<Rawshark> reads a stream of packets from a file or pipe, and prints a line +describing its output, followed by a set of matching fields for each packet +on stdout. + +=head1 INPUT + +Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or +input. The B<-d> and B<-r> flags must be specified in order for it to run. +One or more B<-F> flags should be specified in order for the output to be +useful. The other flags listed above follow the same conventions as +B<Wireshark> and B<TShark>. + +B<Rawshark> expects input records with the following format. Note that this +matches the pcap_pkthdr struct and packet data used in libpcap. 
+ +struct rawshark_rec_s { + struct timeval ts; /* Time stamp */ + uint32_t caplen; /* Length of the packet buffer */ + uint32_t len; /* "On the wire" length of the packet */ + uint8_t *data; /* Packet data */ +}; + +=head1 OUTPUT + +If one or more fields are specified via the B<-F> flag, B<Rawshark> prints +the number, field type, and display format for each field on the first line +as "packet number" 0. For each record, the packet number, matching fields, +and a "1" or "0" are printed to indicate if the field matched any supplied +display filter. A "-" is used to signal the end of a field description and +at the end of each packet line. For example, the flags B<-F ip.src -F +dns.qry.type> might generate the following output: + +0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX - +1 1="1" 0="192.168.77.10" 1 - +2 1="1" 0="192.168.77.250" 1 - +3 0="192.168.77.10" 1 - +4 0="74.125.19.104" 1 - + +Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication +that packets 1 and 2 didn't pass the filter: + +0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX - +1 1="1" 0="192.168.77.10" 0 - +2 1="1" 0="192.168.77.250" 0 - +3 0="192.168.77.10" 1 - +4 0="74.125.19.104" 1 - + +Also note that the output may be in any order, and that multiple matching +fields might be displayed. + +=head1 OPTIONS + +=over 4 + +=item -d E<lt>encapsulationE<gt> + +Specify how the packet data should be dissected. The encapsulation is of the +form I<type>B<:>I<value>, where I<type> is one of: + +B<encap>:I<name> Packet data should be dissected using the libpcap data +link type I<name>, e.g. B<encap:EN10MB> for Ethernet. + +B<encap>:I<name> Packet data should be dissected using the libpcap data link +type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted +using pcap_datalink_name_to_val(). + +B<encap>:I<number> Packet data should be dissected using the libpcap DLT +I<number>, e.g. B<encap:105> for raw IEEE 802.11. 
A complete list of DLTs +can be found in pcap-bpf.h in the libpcap sources. + +B<proto>:I<protocol> Packet data should be passed to the specified Wireshark +protocol dissector, e.g. B<proto:http> for HTTP data. + +=item -F E<lt>field to displayE<gt> + +Add the matching field to the output. Fields are any valid display filter +field. More than one B<-F> flag may be specified, and each field can match +multiple times in a given packet. A single field may be specified per B<-F> +flag. If you want to apply a display filter, use the B<-R> flag. + +=item -h + +Print the version and options and exits. + +=item -l + +Flush the standard output after the information for each packet is +printed. (This is not, strictly speaking, line-buffered if B<-V> +was specified; however, it is the same as line-buffered if B<-V> wasn't +specified, as only one line is printed for each packet, and, as B<-l> is +normally used when piping a live capture to a program or script, so that +output for a packet shows up as soon as the packet is seen and +dissected, it should work just as well as true line-buffering. We do +this as a workaround for a deficiency in the Microsoft Visual C++ C +library.) + +This may be useful when piping the output of B<TShark> to another +program, as it means that the program to which the output is piped will +see the dissected data for a packet as soon as B<TShark> sees the +packet and generates that output, rather than seeing it only when the +standard output buffer containing that data fills up. + +=item -n + +Disable network object name resolution (such as hostname, TCP and UDP port +names), the B<-N> flag might override this one. + +=item -N E<lt>name resolving flagsE<gt> + +Turn on name resolving only for particular types of addresses and port +numbers, with name resolving for other types of addresses and port +numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are +present. 
If both B<-N> and B<-n> flags are not present, all name resolutions are +turned on. + +The argument is a string that may contain the letters: + +B<m> to enable MAC address resolution + +B<n> to enable network address resolution + +B<t> to enable transport-layer port number resolution + +B<C> to enable concurrent (asynchronous) DNS lookups + +=item -o E<lt>preferenceE<gt>:E<lt>valueE<gt> + +Set a preference value, overriding the default value and any value read +from a preference file. The argument to the option is a string of the +form I<prefname>B<:>I<value>, where I<prefname> is the name of the +preference (which is the same name that would appear in the preference +file), and I<value> is the value to which it should be set. + +=item -r E<lt>input file or pipeE<gt> + +Read packet data from I<input source>. It can be a regular file or pipe, +and must be have the record format specified above. + +=item -R E<lt>read (display) filterE<gt> + +Cause the specified filter (which uses the syntax of read/display filters, +rather than that of capture filters) to be applied before printing the output. Packets not +matching the filter are discarded rather than being printed or written. + +=item -s E<lt>capture snaplenE<gt> + +Set the default snapshot length to use when capturing live data. +No more than I<snaplen> bytes of each network packet will be read into +memory, or saved to disk. + +=item -S + +Use the specified format string to print each field. The following formats +are supported: + +=over 4 + +B<%D> Field name or description, e.g. "Type" for dns.qry.type +B<%N> Base 10 numeric value of the field. +B<%S> String value of the field. + +=back + +For something similar to Wireshark's standard display ("Type: A (1)") you +could use B<%D: %S (%N)>. + +=item -t ad|a|r|d|e + +Set the format of the packet timestamp printed in summary lines, the default +is relative. 
The format can be one of: + +B<ad> absolute with date: The absolute date and time is the actual time and +date the packet was captured + +B<a> absolute: The absolute time is the actual time the packet was captured, +with no date displayed + +B<r> relative: The relative time is the time elapsed between the first packet +and the current packet + +B<d> delta: The delta time is the time since the previous packet was +captured + +B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00) + +=item -v + +Print the version and exit. + + +=back + +=head1 READ FILTER SYNTAX + +For a complete table of protocol and protocol fields that are filterable +in B<TShark> see the wireshark-filter(4) manual page. + +=head1 FILES + +These files contains various B<Wireshark> configuration values. + +=over 4 + +=item Preferences + +The F<preferences> files contain global (system-wide) and personal +preference settings. If the system-wide preference file exists, it is +read first, overriding the default settings. If the personal preferences +file exists, it is read next, overriding any previous values. Note: If +the command line option B<-o> is used (possibly more than once), it will +in turn override values from the preferences files. + +The preferences settings are in the form I<prefname>B<:>I<value>, +one per line, +where I<prefname> is the name of the preference +and I<value> is the value to +which it should be set; white space is allowed between B<:> and +I<value>. A preference setting can be continued on subsequent lines by +indenting the continuation lines with white space. A B<#> character +starts a comment that runs to the end of the line: + + # Capture in promiscuous mode? + # TRUE or FALSE (case-insensitive). 
+ capture.prom_mode: TRUE + +The global preferences file is looked for in the F<wireshark> directory +under the F<share> subdirectory of the main installation directory (for +example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible +systems, and in the main installation directory (for example, +F<C:\Program Files\Wireshark\preferences>) on Windows systems. + +The personal preferences file is looked for in +F<$HOME/.wireshark/preferences> on +UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if +%APPDATA% isn't defined, F<%USERPROFILE%\Application +Data\Wireshark\preferences>) on Windows systems. + +=item Disabled (Enabled) Protocols + +The F<disabled_protos> files contain system-wide and personal lists of +protocols that have been disabled, so that their dissectors are never +called. The files contain protocol names, one per line, where the +protocol name is the same name that would be used in a display filter +for the protocol: + + http + tcp # a comment + +The global F<disabled_protos> file uses the same directory as the global +preferences file. + +The personal F<disabled_protos> file uses the same directory as the +personal preferences file. + +=item Name Resolution (hosts) + +If the personal F<hosts> file exists, it is +used to resolve IPv4 and IPv6 addresses before any other +attempts are made to resolve them. The file has the standard F<hosts> +file syntax; each line contains one IP address and name, separated by +whitespace. The same directory as for the personal preferences file is +used. + +=item Name Resolution (ethers) + +The F<ethers> files are consulted to correlate 6-byte hardware addresses to +names. First the personal F<ethers> file is tried and if an address is not +found there the global F<ethers> file is tried next. + +Each line contains one hardware address and name, separated by +whitespace. The digits of the hardware address are separated by colons +(:), dashes (-) or periods (.). 
The same separator character must be +used consistently in an address. The following three lines are valid +lines of an F<ethers> file: + + ff:ff:ff:ff:ff:ff Broadcast + c0-00-ff-ff-ff-ff TR_broadcast + 00.00.00.00.00.00 Zero_broadcast + +The global F<ethers> file is looked for in the F</etc> directory on +UNIX-compatible systems, and in the main installation directory (for +example, F<C:\Program Files\Wireshark>) on Windows systems. + +The personal F<ethers> file is looked for in the same directory as the personal +preferences file. + +=item Name Resolution (manuf) + +The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte +hardware address with the manufacturer's name; it can also contain well-known +MAC addresses and address ranges specified with a netmask. The format of the +file is the same as the F<ethers> files, except that entries of the form: + + 00:00:0C Cisco + +can be provided, with the 3-byte OUI and the name for a vendor, and +entries such as: + + 00-00-0C-07-AC/40 All-HSRP-routers + +can be specified, with a MAC address and a mask indicating how many bits +of the address must match. The above entry, for example, has 40 +significant bits, or 5 bytes, and would match addresses from +00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a +multiple of 8. + +The F<manuf> file is looked for in the same directory as the global +preferences file. + +=item Name Resolution (ipxnets) + +The F<ipxnets> files are used to correlate 4-byte IPX network numbers to +names. First the global F<ipxnets> file is tried and if that address is not +found there the personal one is tried next. + +The format is the same as the F<ethers> +file, except that each address is four bytes instead of six. +Additionally, the address can be represented as a single hexadecimal +number, as is more common in the IPX world, rather than four hex octets. 
+For example, these four lines are valid lines of an F<ipxnets> file: + + C0.A8.2C.00 HR + c0-a8-1c-00 CEO + 00:00:BE:EF IT_Server1 + 110f FileServer3 + +The global F<ipxnets> file is looked for in the F</etc> directory on +UNIX-compatible systems, and in the main installation directory (for +example, F<C:\Program Files\Wireshark>) on Windows systems. + +The personal F<ipxnets> file is looked for in the same directory as the +personal preferences file. + +=back + +=head1 SEE ALSO + +wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8), +pcap(3), dumpcap(1), text2pcap(1) + +=head1 NOTES + +B<Rawshark> is part of the B<Wireshark> distribution. The latest version of +B<Wireshark> can be found at L<http://www.wireshark.org>. + +HTML versions of the Wireshark project man pages are available at: +L<http://www.wireshark.org/docs/man-pages>. + +=head1 AUTHORS + +B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as +well as using many other modules from B<Wireshark>; see the list of authors +in the B<Wireshark> man page for a list of authors of that code. + +=head1 NAME + +rawshark - Dump and analyze raw libpcap data + +=head1 SYNOPSYS + +B<rawshark> +S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]> +S<[ B<-F> E<lt>field to displayE<gt> ]> +S<[ B<-h> ]> +S<[ B<-l> ]> +S<[ B<-n> ]> +S<[ B<-N> E<lt>name resolving flagsE<gt> ]> +S<[ B<-o> E<lt>preference settingE<gt> ] ...> +S<[ B<-r> E<lt>infile or pipeE<gt> ]> +S<[ B<-R> E<lt>read (display) filterE<gt> ]> +S<[ B<-S> E<lt>field formatE<gt> ]> +S<[ B<-t> ad|a|r|d|e ]> +S<[ B<-v> ]> + +=head1 DESCRIPTION + +B<Rawshark> reads a stream of packets from a file or pipe, and prints a line +describing its output, followed by a set of matching fields for each packet +on stdout. + +=head1 INPUT + +Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or +input. The B<-d> and B<-r> flags must be specified in order for it to run. 
+One or more B<-F> flags should be specified in order for the output to be +useful. The other flags listed above follow the same conventions as +B<Wireshark> and B<TShark>. + +B<Rawshark> expects input records with the following format. Note that this +matches the pcap_pkthdr struct and packet data used in libpcap. + +struct rawshark_rec_s { + struct timeval ts; /* Time stamp */ + uint32_t caplen; /* Length of the packet buffer */ + uint32_t len; /* "On the wire" length of the packet */ + uint8_t *data; /* Packet data */ +}; + +=head1 OUTPUT + +If one or more fields are specified via the B<-F> flag, B<Rawshark> prints +the number, field type, and display format for each field on the first line +as "packet number" 0. For each record, the packet number, matching fields, +and a "1" or "0" are printed to indicate if the field matched any supplied +display filter. A "-" is used to signal the end of a field description and +at the end of each packet line. For example, the flags B<-F ip.src -F +dns.qry.type> might generate the following output: + +0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX - +1 1="1" 0="192.168.77.10" 1 - +2 1="1" 0="192.168.77.250" 1 - +3 0="192.168.77.10" 1 - +4 0="74.125.19.104" 1 - + +Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication +that packets 1 and 2 didn't pass the filter: + +0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX - +1 1="1" 0="192.168.77.10" 0 - +2 1="1" 0="192.168.77.250" 0 - +3 0="192.168.77.10" 1 - +4 0="74.125.19.104" 1 - + +Also note that the output may be in any order, and that multiple matching +fields might be displayed. + +=head1 OPTIONS + +=over 4 + +=item -d E<lt>encapsulationE<gt> + +Specify how the packet data should be dissected. The encapsulation is of the +form I<type>B<:>I<value>, where I<type> is one of: + +B<encap>:I<name> Packet data should be dissected using the libpcap data +link type I<name>, e.g. B<encap:EN10MB> for Ethernet. 
+ +B<encap>:I<name> Packet data should be dissected using the libpcap data link +type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted +using pcap_datalink_name_to_val(). + +B<encap>:I<number> Packet data should be dissected using the libpcap DLT +I<number>, e.g. B<encap:105> for raw IEEE 802.11. A complete list of DLTs +can be found in pcap-bpf.h in the libpcap sources. + +B<proto>:I<protocol> Packet data should be passed to the specified Wireshark +protocol dissector, e.g. B<proto:http> for HTTP data. + +=item -F E<lt>field to displayE<gt> + +Add the matching field to the output. Fields are any valid display filter +field. More than one B<-F> flag may be specified, and each field can match +multiple times in a given packet. A single field may be specified per B<-F> +flag. If you want to apply a display filter, use the B<-R> flag. + +=item -h + +Print the version and options and exits. + +=item -l + +Flush the standard output after the information for each packet is +printed. (This is not, strictly speaking, line-buffered if B<-V> +was specified; however, it is the same as line-buffered if B<-V> wasn't +specified, as only one line is printed for each packet, and, as B<-l> is +normally used when piping a live capture to a program or script, so that +output for a packet shows up as soon as the packet is seen and +dissected, it should work just as well as true line-buffering. We do +this as a workaround for a deficiency in the Microsoft Visual C++ C +library.) + +This may be useful when piping the output of B<TShark> to another +program, as it means that the program to which the output is piped will +see the dissected data for a packet as soon as B<TShark> sees the +packet and generates that output, rather than seeing it only when the +standard output buffer containing that data fills up. + +=item -n + +Disable network object name resolution (such as hostname, TCP and UDP port +names), the B<-N> flag might override this one. 
+ +=item -N E<lt>name resolving flagsE<gt> + +Turn on name resolving only for particular types of addresses and port +numbers, with name resolving for other types of addresses and port +numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are +present. If both B<-N> and B<-n> flags are not present, all name resolutions are +turned on. + +The argument is a string that may contain the letters: + +B<m> to enable MAC address resolution + +B<n> to enable network address resolution + +B<t> to enable transport-layer port number resolution + +B<C> to enable concurrent (asynchronous) DNS lookups + +=item -o E<lt>preferenceE<gt>:E<lt>valueE<gt> + +Set a preference value, overriding the default value and any value read +from a preference file. The argument to the option is a string of the +form I<prefname>B<:>I<value>, where I<prefname> is the name of the +preference (which is the same name that would appear in the preference +file), and I<value> is the value to which it should be set. + +=item -r E<lt>input file or pipeE<gt> + +Read packet data from I<input source>. It can be a regular file or pipe, +and must be have the record format specified above. + +=item -R E<lt>read (display) filterE<gt> + +Cause the specified filter (which uses the syntax of read/display filters, +rather than that of capture filters) to be applied before printing the output. Packets not +matching the filter are discarded rather than being printed or written. + +=item -s E<lt>capture snaplenE<gt> + +Set the default snapshot length to use when capturing live data. +No more than I<snaplen> bytes of each network packet will be read into +memory, or saved to disk. + +=item -S + +Use the specified format string to print each field. The following formats +are supported: + +=over 4 + +B<%D> Field name or description, e.g. "Type" for dns.qry.type +B<%N> Base 10 numeric value of the field. +B<%S> String value of the field. 
+ +=back + +For something similar to Wireshark's standard display ("Type: A (1)") you +could use B<%D: %S (%N)>. + +=item -t ad|a|r|d|e + +Set the format of the packet timestamp printed in summary lines, the default +is relative. The format can be one of: + +B<ad> absolute with date: The absolute date and time is the actual time and +date the packet was captured + +B<a> absolute: The absolute time is the actual time the packet was captured, +with no date displayed + +B<r> relative: The relative time is the time elapsed between the first packet +and the current packet + +B<d> delta: The delta time is the time since the previous packet was +captured + +B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00) + +=item -v + +Print the version and exit. + + +=back + +=head1 READ FILTER SYNTAX + +For a complete table of protocol and protocol fields that are filterable +in B<TShark> see the wireshark-filter(4) manual page. + +=head1 FILES + +These files contains various B<Wireshark> configuration values. + +=over 4 + +=item Preferences + +The F<preferences> files contain global (system-wide) and personal +preference settings. If the system-wide preference file exists, it is +read first, overriding the default settings. If the personal preferences +file exists, it is read next, overriding any previous values. Note: If +the command line option B<-o> is used (possibly more than once), it will +in turn override values from the preferences files. + +The preferences settings are in the form I<prefname>B<:>I<value>, +one per line, +where I<prefname> is the name of the preference +and I<value> is the value to +which it should be set; white space is allowed between B<:> and +I<value>. A preference setting can be continued on subsequent lines by +indenting the continuation lines with white space. A B<#> character +starts a comment that runs to the end of the line: + + # Capture in promiscuous mode? + # TRUE or FALSE (case-insensitive). 
+ capture.prom_mode: TRUE + +The global preferences file is looked for in the F<wireshark> directory +under the F<share> subdirectory of the main installation directory (for +example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible +systems, and in the main installation directory (for example, +F<C:\Program Files\Wireshark\preferences>) on Windows systems. + +The personal preferences file is looked for in +F<$HOME/.wireshark/preferences> on +UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if +%APPDATA% isn't defined, F<%USERPROFILE%\Application +Data\Wireshark\preferences>) on Windows systems. + +=item Disabled (Enabled) Protocols + +The F<disabled_protos> files contain system-wide and personal lists of +protocols that have been disabled, so that their dissectors are never +called. The files contain protocol names, one per line, where the +protocol name is the same name that would be used in a display filter +for the protocol: + + http + tcp # a comment + +The global F<disabled_protos> file uses the same directory as the global +preferences file. + +The personal F<disabled_protos> file uses the same directory as the +personal preferences file. + +=item Name Resolution (hosts) + +If the personal F<hosts> file exists, it is +used to resolve IPv4 and IPv6 addresses before any other +attempts are made to resolve them. The file has the standard F<hosts> +file syntax; each line contains one IP address and name, separated by +whitespace. The same directory as for the personal preferences file is +used. + +=item Name Resolution (ethers) + +The F<ethers> files are consulted to correlate 6-byte hardware addresses to +names. First the personal F<ethers> file is tried and if an address is not +found there the global F<ethers> file is tried next. + +Each line contains one hardware address and name, separated by +whitespace. The digits of the hardware address are separated by colons +(:), dashes (-) or periods (.). 
The same separator character must be +used consistently in an address. The following three lines are valid +lines of an F<ethers> file: + + ff:ff:ff:ff:ff:ff Broadcast + c0-00-ff-ff-ff-ff TR_broadcast + 00.00.00.00.00.00 Zero_broadcast + +The global F<ethers> file is looked for in the F</etc> directory on +UNIX-compatible systems, and in the main installation directory (for +example, F<C:\Program Files\Wireshark>) on Windows systems. + +The personal F<ethers> file is looked for in the same directory as the personal +preferences file. + +=item Name Resolution (manuf) + +The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte +hardware address with the manufacturer's name; it can also contain well-known +MAC addresses and address ranges specified with a netmask. The format of the +file is the same as the F<ethers> files, except that entries of the form: + + 00:00:0C Cisco + +can be provided, with the 3-byte OUI and the name for a vendor, and +entries such as: + + 00-00-0C-07-AC/40 All-HSRP-routers + +can be specified, with a MAC address and a mask indicating how many bits +of the address must match. The above entry, for example, has 40 +significant bits, or 5 bytes, and would match addresses from +00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a +multiple of 8. + +The F<manuf> file is looked for in the same directory as the global +preferences file. + +=item Name Resolution (ipxnets) + +The F<ipxnets> files are used to correlate 4-byte IPX network numbers to +names. First the global F<ipxnets> file is tried and if that address is not +found there the personal one is tried next. + +The format is the same as the F<ethers> +file, except that each address is four bytes instead of six. +Additionally, the address can be represented as a single hexadecimal +number, as is more common in the IPX world, rather than four hex octets. 
+For example, these four lines are valid lines of an F<ipxnets> file: + + C0.A8.2C.00 HR + c0-a8-1c-00 CEO + 00:00:BE:EF IT_Server1 + 110f FileServer3 + +The global F<ipxnets> file is looked for in the F</etc> directory on +UNIX-compatible systems, and in the main installation directory (for +example, F<C:\Program Files\Wireshark>) on Windows systems. + +The personal F<ipxnets> file is looked for in the same directory as the +personal preferences file. + +=back + +=head1 SEE ALSO + +wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8), +pcap(3), dumpcap(1), text2pcap(1) + +=head1 NOTES + +B<Rawshark> is part of the B<Wireshark> distribution. The latest version of +B<Wireshark> can be found at L<http://www.wireshark.org>. + +HTML versions of the Wireshark project man pages are available at: +L<http://www.wireshark.org/docs/man-pages>. + +=head1 AUTHORS + +B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as +well as using many other modules from B<Wireshark>; see the list of authors +in the B<Wireshark> man page for a list of authors of that code. + +=head1 NAME + +rawshark - Dump and analyze raw libpcap data + +=head1 SYNOPSYS + +B<rawshark> +S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]> +S<[ B<-F> E<lt>field to displayE<gt> ]> +S<[ B<-h> ]> +S<[ B<-l> ]> +S<[ B<-n> ]> +S<[ B<-N> E<lt>name resolving flagsE<gt> ]> +S<[ B<-o> E<lt>preference settingE<gt> ] ...> +S<[ B<-r> E<lt>infile or pipeE<gt> ]> +S<[ B<-R> E<lt>read (display) filterE<gt> ]> +S<[ B<-S> E<lt>field formatE<gt> ]> +S<[ B<-t> ad|a|r|d|e ]> +S<[ B<-v> ]> + +=head1 DESCRIPTION + +B<Rawshark> reads a stream of packets from a file or pipe, and prints a line +describing its output, followed by a set of matching fields for each packet +on stdout. + +=head1 INPUT + +Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or +input. The B<-d> and B<-r> flags must be specified in order for it to run. 
+One or more B<-F> flags should be specified in order for the output to be +useful. The other flags listed above follow the same conventions as +B<Wireshark> and B<TShark>. + +B<Rawshark> expects input records with the following format. Note that this +matches the pcap_pkthdr struct and packet data used in libpcap. + +struct rawshark_rec_s { + struct timeval ts; /* Time stamp */ + uint32_t caplen; /* Length of the packet buffer */ + uint32_t len; /* "On the wire" length of the packet */ + uint8_t *data; /* Packet data */ +}; + +=head1 OUTPUT + +If one or more fields are specified via the B<-F> flag, B<Rawshark> prints +the number, field type, and display format for each field on the first line +as "packet number" 0. For each record, the packet number, matching fields, +and a "1" or "0" are printed to indicate if the field matched any supplied +display filter. A "-" is used to signal the end of a field description and +at the end of each packet line. For example, the flags B<-F ip.src -F +dns.qry.type> might generate the following output: + +0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX - +1 1="1" 0="192.168.77.10" 1 - +2 1="1" 0="192.168.77.250" 1 - +3 0="192.168.77.10" 1 - +4 0="74.125.19.104" 1 - + +Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication +that packets 1 and 2 didn't pass the filter: + +0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX - +1 1="1" 0="192.168.77.10" 0 - +2 1="1" 0="192.168.77.250" 0 - +3 0="192.168.77.10" 1 - +4 0="74.125.19.104" 1 - + +Also note that the output may be in any order, and that multiple matching +fields might be displayed. + +=head1 OPTIONS + +=over 4 + +=item -d E<lt>encapsulationE<gt> + +Specify how the packet data should be dissected. The encapsulation is of the +form I<type>B<:>I<value>, where I<type> is one of: + +B<encap>:I<name> Packet data should be dissected using the libpcap data +link type I<name>, e.g. B<encap:EN10MB> for Ethernet. 
+ +B<encap>:I<name> Packet data should be dissected using the libpcap data link +type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted +using pcap_datalink_name_to_val(). + +B<encap>:I<number> Packet data should be dissected using the libpcap DLT +I<number>, e.g. B<encap:105> for raw IEEE 802.11. A complete list of DLTs +can be found in pcap-bpf.h in the libpcap sources. + +B<proto>:I<protocol> Packet data should be passed to the specified Wireshark +protocol dissector, e.g. B<proto:http> for HTTP data. + +=item -F E<lt>field to displayE<gt> + +Add the matching field to the output. Fields are any valid display filter +field. More than one B<-F> flag may be specified, and each field can match +multiple times in a given packet. A single field may be specified per B<-F> +flag. If you want to apply a display filter, use the B<-R> flag. + +=item -h + +Print the version and options and exits. + +=item -l + +Flush the standard output after the information for each packet is +printed. (This is not, strictly speaking, line-buffered if B<-V> +was specified; however, it is the same as line-buffered if B<-V> wasn't +specified, as only one line is printed for each packet, and, as B<-l> is +normally used when piping a live capture to a program or script, so that +output for a packet shows up as soon as the packet is seen and +dissected, it should work just as well as true line-buffering. We do +this as a workaround for a deficiency in the Microsoft Visual C++ C +library.) + +This may be useful when piping the output of B<TShark> to another +program, as it means that the program to which the output is piped will +see the dissected data for a packet as soon as B<TShark> sees the +packet and generates that output, rather than seeing it only when the +standard output buffer containing that data fills up. + +=item -n + +Disable network object name resolution (such as hostname, TCP and UDP port +names), the B<-N> flag might override this one. 
+ +=item -N E<lt>name resolving flagsE<gt> + +Turn on name resolving only for particular types of addresses and port +numbers, with name resolving for other types of addresses and port +numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are +present. If both B<-N> and B<-n> flags are not present, all name resolutions are +turned on. + +The argument is a string that may contain the letters: + +B<m> to enable MAC address resolution + +B<n> to enable network address resolution + +B<t> to enable transport-layer port number resolution + +B<C> to enable concurrent (asynchronous) DNS lookups + +=item -o E<lt>preferenceE<gt>:E<lt>valueE<gt> + +Set a preference value, overriding the default value and any value read +from a preference file. The argument to the option is a string of the +form I<prefname>B<:>I<value>, where I<prefname> is the name of the +preference (which is the same name that would appear in the preference +file), and I<value> is the value to which it should be set. + +=item -r E<lt>input file or pipeE<gt> + +Read packet data from I<input source>. It can be a regular file or pipe, +and must be have the record format specified above. + +=item -R E<lt>read (display) filterE<gt> + +Cause the specified filter (which uses the syntax of read/display filters, +rather than that of capture filters) to be applied before printing the output. Packets not +matching the filter are discarded rather than being printed or written. + +=item -s E<lt>capture snaplenE<gt> + +Set the default snapshot length to use when capturing live data. +No more than I<snaplen> bytes of each network packet will be read into +memory, or saved to disk. + +=item -S + +Use the specified format string to print each field. The following formats +are supported: + +=over 4 + +B<%D> Field name or description, e.g. "Type" for dns.qry.type +B<%N> Base 10 numeric value of the field. +B<%S> String value of the field. 
+ +=back + +For something similar to Wireshark's standard display ("Type: A (1)") you +could use B<%D: %S (%N)>. + +=item -t ad|a|r|d|e + +Set the format of the packet timestamp printed in summary lines, the default +is relative. The format can be one of: + +B<ad> absolute with date: The absolute date and time is the actual time and +date the packet was captured + +B<a> absolute: The absolute time is the actual time the packet was captured, +with no date displayed + +B<r> relative: The relative time is the time elapsed between the first packet +and the current packet + +B<d> delta: The delta time is the time since the previous packet was +captured + +B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00) + +=item -v + +Print the version and exit. + + +=back + +=head1 READ FILTER SYNTAX + +For a complete table of protocol and protocol fields that are filterable +in B<TShark> see the wireshark-filter(4) manual page. + +=head1 FILES + +These files contains various B<Wireshark> configuration values. + +=over 4 + +=item Preferences + +The F<preferences> files contain global (system-wide) and personal +preference settings. If the system-wide preference file exists, it is +read first, overriding the default settings. If the personal preferences +file exists, it is read next, overriding any previous values. Note: If +the command line option B<-o> is used (possibly more than once), it will +in turn override values from the preferences files. + +The preferences settings are in the form I<prefname>B<:>I<value>, +one per line, +where I<prefname> is the name of the preference +and I<value> is the value to +which it should be set; white space is allowed between B<:> and +I<value>. A preference setting can be continued on subsequent lines by +indenting the continuation lines with white space. A B<#> character +starts a comment that runs to the end of the line: + + # Capture in promiscuous mode? + # TRUE or FALSE (case-insensitive). 
+ capture.prom_mode: TRUE + +The global preferences file is looked for in the F<wireshark> directory +under the F<share> subdirectory of the main installation directory (for +example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible +systems, and in the main installation directory (for example, +F<C:\Program Files\Wireshark\preferences>) on Windows systems. + +The personal preferences file is looked for in +F<$HOME/.wireshark/preferences> on +UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if +%APPDATA% isn't defined, F<%USERPROFILE%\Application +Data\Wireshark\preferences>) on Windows systems. + +=item Disabled (Enabled) Protocols + +The F<disabled_protos> files contain system-wide and personal lists of +protocols that have been disabled, so that their dissectors are never +called. The files contain protocol names, one per line, where the +protocol name is the same name that would be used in a display filter +for the protocol: + + http + tcp # a comment + +The global F<disabled_protos> file uses the same directory as the global +preferences file. + +The personal F<disabled_protos> file uses the same directory as the +personal preferences file. + +=item Name Resolution (hosts) + +If the personal F<hosts> file exists, it is +used to resolve IPv4 and IPv6 addresses before any other +attempts are made to resolve them. The file has the standard F<hosts> +file syntax; each line contains one IP address and name, separated by +whitespace. The same directory as for the personal preferences file is +used. + +=item Name Resolution (ethers) + +The F<ethers> files are consulted to correlate 6-byte hardware addresses to +names. First the personal F<ethers> file is tried and if an address is not +found there the global F<ethers> file is tried next. + +Each line contains one hardware address and name, separated by +whitespace. The digits of the hardware address are separated by colons +(:), dashes (-) or periods (.). 
The same separator character must be +used consistently in an address. The following three lines are valid +lines of an F<ethers> file: + + ff:ff:ff:ff:ff:ff Broadcast + c0-00-ff-ff-ff-ff TR_broadcast + 00.00.00.00.00.00 Zero_broadcast + +The global F<ethers> file is looked for in the F</etc> directory on +UNIX-compatible systems, and in the main installation directory (for +example, F<C:\Program Files\Wireshark>) on Windows systems. + +The personal F<ethers> file is looked for in the same directory as the personal +preferences file. + +=item Name Resolution (manuf) + +The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte +hardware address with the manufacturer's name; it can also contain well-known +MAC addresses and address ranges specified with a netmask. The format of the +file is the same as the F<ethers> files, except that entries of the form: + + 00:00:0C Cisco + +can be provided, with the 3-byte OUI and the name for a vendor, and +entries such as: + + 00-00-0C-07-AC/40 All-HSRP-routers + +can be specified, with a MAC address and a mask indicating how many bits +of the address must match. The above entry, for example, has 40 +significant bits, or 5 bytes, and would match addresses from +00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a +multiple of 8. + +The F<manuf> file is looked for in the same directory as the global +preferences file. + +=item Name Resolution (ipxnets) + +The F<ipxnets> files are used to correlate 4-byte IPX network numbers to +names. First the global F<ipxnets> file is tried and if that address is not +found there the personal one is tried next. + +The format is the same as the F<ethers> +file, except that each address is four bytes instead of six. +Additionally, the address can be represented as a single hexadecimal +number, as is more common in the IPX world, rather than four hex octets. 
+For example, these four lines are valid lines of an F<ipxnets> file: + + C0.A8.2C.00 HR + c0-a8-1c-00 CEO + 00:00:BE:EF IT_Server1 + 110f FileServer3 + +The global F<ipxnets> file is looked for in the F</etc> directory on +UNIX-compatible systems, and in the main installation directory (for +example, F<C:\Program Files\Wireshark>) on Windows systems. + +The personal F<ipxnets> file is looked for in the same directory as the +personal preferences file. + +=back + +=head1 SEE ALSO + +wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8), +pcap(3), dumpcap(1), text2pcap(1) + +=head1 NOTES + +B<Rawshark> is part of the B<Wireshark> distribution. The latest version of +B<Wireshark> can be found at L<http://www.wireshark.org>. + +HTML versions of the Wireshark project man pages are available at: +L<http://www.wireshark.org/docs/man-pages>. + +=head1 AUTHORS + +B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as +well as using many other modules from B<Wireshark>; see the list of authors +in the B<Wireshark> man page for a list of authors of that code. |
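Review bot: the whole pod file is committed twice; immediately after the AUTHORS section ("in the B<Wireshark> man page for a list of authors of that code.") a second "=head1 NAME" begins and everything from there to the end of the hunk is a verbatim repeat of the first copy, which is why the diffstat shows 1504 insertions for a man page of roughly half that length. Drop the second copy before this lands, otherwise pod2man will render every section twice. Within the copy that stays, a few things read as carried over from tshark.pod without adjustment: "=head1 SYNOPSYS" should be "SYNOPSIS"; the B<-d> item describes B<encap>:I<name> twice in a row (the first, shorter paragraph can go); the B<-S> item has no argument in its =item line although the synopsis shows "-S <field format>"; B<-s> E<lt>capture snaplenE<gt> talks about "capturing live data" and "saved to disk", neither of which rawshark does since it only reads a file or pipe, and B<-s> is not in the synopsis; the B<-l> text refers to B<-V> and to piping "the output of B<TShark>", and the B<-t> text to "summary lines", none of which exist here. The B<-R> item also contradicts the OUTPUT section: it says "Packets not matching the filter are discarded rather than being printed or written", while the B<-R "not dns"> example shows every packet still printed with a trailing 0 for non-matching ones; one of the two should be corrected to match the behaviour. Finally, the record layout in INPUT is given as a C struct with "struct timeval ts" and "uint8_t *data", which does not describe a byte stream on a pipe: struct timeval has a platform-dependent size and a pointer member cannot appear inline in the record. Since the text says this "matches the pcap_pkthdr struct and packet data", spell it out as fixed-width fields (seconds, microseconds, caplen, len as 32-bit values) followed by caplen bytes of packet data, so that writers feeding rawshark know exactly what to emit.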