author | Guy Harris <guy@alum.mit.edu> | 2013-07-28 21:12:07 +0000 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2013-07-28 21:12:07 +0000 |
commit | a4ad9e9f74d58f3a869ceb27845f74345d7b81be (patch) | |
tree | 8232de5a3f542b692b883fcf0f057b0f2a0e7af5 /doc/rawshark.pod | |
parent | 0f13e3c95d571c7000e84d0c1e6f9f76575508b4 (diff) |

If a core Wireshark developer repeatedly can't remember that the
argument to the -F flag for pcap format is "libpcap", not "pcap", we
have a problem. Make it "pcap", and add a backwards-compatibility hack
to support using "libpcap" as well.

Update the man pages to refer to it as pcap as well, and fix the
capitalization of "WinPcap" (see http://www.winpcap.org) while we're at
it.

Also, refer to http://www.tcpdump.org/linktypes.html for the list of
link-layer header types for pcap and pcap-ng.

svn path=/trunk/; revision=50989

Diffstat (limited to 'doc/rawshark.pod')
-rw-r--r-- | doc/rawshark.pod | 35 |
1 files changed, 18 insertions, 17 deletions
diff --git a/doc/rawshark.pod b/doc/rawshark.pod index fcf9822055..0514d41efb 100644 --- a/doc/rawshark.pod +++ b/doc/rawshark.pod @@ -1,7 +1,7 @@ =head1 NAME -rawshark - Dump and analyze raw libpcap data +rawshark - Dump and analyze raw pcap data =head1 SYNOPSIS @@ -36,7 +36,7 @@ useful. The other flags listed above follow the same conventions as B<Wireshark> and B<TShark>. B<Rawshark> expects input records with the following format by default. This -matches the format of the packet header and packet data in a libpcap-formatted +matches the format of the packet header and packet data in a pcap-formatted file on disk. struct rawshark_rec_s { @@ -49,13 +49,13 @@ file on disk. If B<-p> is supplied B<rawshark> expects the following format. This matches the I<struct pcap_pkthdr> structure and packet data used in -libpcap. This structure's format is platform-dependent; the size of the -I<tv_sec> field in the I<struct timeval> structure could be 32 bits or -64 bits. For B<rawshark> to work, the layout of the structure in the -input must match the layout of the structure in B<rawshark>. Note that -this format will probably be the same as the previous format if -B<rawshark> is a 32-bit program, but will not necessarily be the same if -B<rawshark> is a 64-bit program. +libpcap/WinPcap. This structure's format is platform-dependent; the +size of the I<tv_sec> field in the I<struct timeval> structure could be +32 bits or 64 bits. For B<rawshark> to work, the layout of the +structure in the input must match the layout of the structure in +B<rawshark>. Note that this format will probably be the same as the +previous format if B<rawshark> is a 32-bit program, but will not +necessarily be the same if B<rawshark> is a 64-bit program. struct rawshark_rec_s { struct timeval ts; /* Time stamp */ 
@@ -104,13 +104,14 @@ fields might be displayed. Specify how the packet data should be dissected. The encapsulation is of the form I<type>B<:>I<value>, where I<type> is one of: -B<encap>:I<name> Packet data should be dissected using the libpcap data link -type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted -using pcap_datalink_name_to_val(). +B<encap>:I<name> Packet data should be dissected using the +libpcap/WinPcap data link type (DLT) I<name>, e.g. B<encap:EN10MB> for +Ethernet. Names are converted using pcap_datalink_name_to_val(). +A complete list of DLTs can be found at +L<http://www.tcpdump.org/linktypes.html>. -B<encap>:I<number> Packet data should be dissected using the libpcap DLT -I<number>, e.g. B<encap:105> for raw IEEE 802.11. A complete list of DLTs -can be found in pcap-bpf.h in the libpcap sources. +B<encap>:I<number> Packet data should be dissected using the +libpcap/WinPcap DLT I<number>, e.g. B<encap:105> for raw IEEE 802.11. B<proto>:I<protocol> Packet data should be passed to the specified Wireshark protocol dissector, e.g. B<proto:http> for HTTP data. @@ -312,7 +313,7 @@ whitespace. The same directory as for the personal preferences file is used. Capture filter name resolution is handled by libpcap on UNIX-compatible -systems and WinPCAP on Windows. As such the Wireshark personal F<hosts> file +systems and WinPcap on Windows. As such the Wireshark personal F<hosts> file will not be consulted for capture filter name resolution. =item Name Resolution (ethers) @@ -339,7 +340,7 @@ The personal F<ethers> file is looked for in the same directory as the personal preferences file. Capture filter name resolution is handled by libpcap on UNIX-compatible -systems and WinPCAP on Windows. As such the Wireshark personal F<ethers> file +systems and WinPcap on Windows. As such the Wireshark personal F<ethers> file will not be consulted for capture filter name resolution. =item Name Resolution (manuf) |
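Review bot: In the B<-p> paragraph (hunk at -49,13), the rewrapped text still says only that the input layout "must match the layout of the structure in B<rawshark>" and gives the reader no statement of what to expect when it does not, for example when the producer and B<rawshark> differ in the size of I<tv_sec>. Since the paragraph is being touched anyway, consider adding one sentence on the consequence of a mismatch and pointing readers to the default record format described just above when the two sides may differ in word size. The only wording change in this hunk is "libpcap" to "libpcap/WinPcap"; keeping the original line breaks would make that visible instead of reflowing all seven lines.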
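Review bot: In the B<encap> entries (hunk at -104,13), the "complete list of DLTs" sentence is removed from the B<encap>:I<number> item and added only under B<encap>:I<name>, so the item that takes a numeric value (B<encap:105>) no longer says where those numbers are listed. Consider placing the L<http://www.tcpdump.org/linktypes.html> sentence after both items, or repeating it under I<number>. The commit message calls that page the list of link-layer header types, while the added sentence calls it a list of DLTs; using one term in both places would keep the man page and the log consistent.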