path: root/doc/capinfo.pod
blob: d9912a9eca5d8a2060d8abc950fa0bcff753cb6f (plain)
=head1 NAME

capinfo - Prints information about binary capture files

=head1 SYNOPSIS

B<capinfo>
S<[ B<-t> ]>
S<[ B<-c> ]>
S<[ B<-s> ]>
S<[ B<-d> ]>
S<[ B<-u> ]>
S<[ B<-a> ]>
S<[ B<-e> ]>
S<[ B<-y> ]>
S<[ B<-i> ]>
S<[ B<-z> ]>
S<[ B<-h> ]>
I<capfile>

=head1 DESCRIPTION

B<Capinfo> is a program that reads a saved capture file and returns any
or all of several statistics about that file.  B<Capinfo> is able to detect
and read any capture supported by the B<Ethereal> package.

B<Capinfo> can read the following file formats:

=over 4

=item *
libpcap/WinPcap, tcpdump and various other tools using tcpdump's capture format

=item *
B<snoop> and B<atmsnoop>

=item *
Shomiti/Finisar B<Surveyor> captures

=item *
Novell B<LANalyzer> captures

=item *
Microsoft B<Network Monitor> captures

=item *
AIX's B<iptrace> captures

=item *
Cinco Networks B<NetXRay> captures

=item *
Network Associates Windows-based B<Sniffer> captures

=item *
Network General/Network Associates DOS-based B<Sniffer> (compressed or uncompressed) captures

=item *
AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp>/B<PacketGrabber> captures

=item *
B<RADCOM>'s WAN/LAN analyzer captures

=item *
Network Instruments B<Observer> version 9 captures

=item *
B<Lucent/Ascend> router debug output

=item *
files from HP-UX's B<nettl>

=item *
B<Toshiba's> ISDN routers dump output

=item *
the output from B<i4btrace> from the ISDN4BSD project

=item *
traces from the B<EyeSDN> USB S0

=item *
the output in B<IPLog> format from the Cisco Secure Intrusion Detection System

=item *
B<pppd logs> (pppdump format)

=item *
the output from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities

=item *
the text output from the B<DBS Etherwatch> VMS utility

=item *
Visual Networks' B<Visual UpTime> traffic capture

=item *
the output from B<CoSine> L2 debug

=item *
the output from Accellent's B<5Views> LAN agents

=item *
Endace Measurement Systems' ERF format captures 

=item *
Linux Bluez Bluetooth stack B<hcidump -w> traces

=back

There is no need to tell B<Capinfo> what type of
file you are reading; it will determine the file type by itself. 
B<Capinfo> is also capable of reading any of these file formats if they
are compressed using gzip.  B<Capinfo> recognizes this directly from the
file; the '.gz' extension is not required for this purpose.

The user specifies which statistics to report by specifying flags 
corresponding to the statistic.  If no flags are specified, B<Capinfo> will
report all statistics available.

=head1 OPTIONS

=over 4

=item -t

Displays the capture type of the capture file.

=item -c

Counts the number of packets in the capture file.

=item -s

Displays the size of the file, in bytes.  This reports
the size of the capture file itself.

=item -d

Displays the total length of all packets in the file, in
bytes.  This counts the size of the packets as they appeared
in their original form, not as they appear in this file.
For example, if a packet was originally 1514 bytes and only
256 of those bytes were saved to the capture file (if packets
were captured with a snaplen or other slicing option),
B<Capinfo> will consider the packet to have been 1514 bytes.

=item -u

Displays the capture duration, in seconds.  This is the
difference in time between the earliest packet seen and
latest packet seen.

=item -a

Displays the start time of the capture.  B<Capinfo> considers
the earliest timestamp seen to be the start time, so the
first packet in the capture is not necessarily the earliest -
if packets exist "out-of-order", time-wise, in the capture,
B<Capinfo> detects this.

=item -e

Displays the end time of the capture.  B<Capinfo> considers
the latest timestamp seen to be the end time, so the
last packet in the capture is not necessarily the latest -
if packets exist "out-of-order", time-wise, in the capture,
B<Capinfo> detects this.

=item -y

Displays the average data rate, in bytes.

=item -i

Displays the average data rate, in bits.

=item -z

Displays the average packet size, in bytes.

=item -h

Prints the help listing and exits.

=back
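
The statistics above, worked through for one format as an added Python example; it is not part of the B<Ethereal> sources. The names C<capture_stats> and C<build_sample> are hypothetical, only microsecond-resolution libpcap files are handled, and deriving the rates from the B<-d> total and the B<-u> duration is an assumption.

```python
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"
# libpcap magic as it appears on disk -> struct byte-order prefix (microsecond files)
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def capture_stats(raw: bytes) -> dict:
    """Compute capinfo-style statistics from the bytes of a libpcap file."""
    # gzip is recognised from the content, so no '.gz' extension is needed
    data = gzip.decompress(raw) if raw[:2] == GZIP_MAGIC else raw
    order = PCAP_MAGIC.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a libpcap file with a complete 24-byte header")
    offset, count, orig_total = 24, 0, 0
    first = last = None
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl_len, orig_len = struct.unpack_from(order + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("truncated packet data")
        ts = sec + usec / 1_000_000
        first = ts if first is None else min(first, ts)  # earliest seen, not first stored
        last = ts if last is None else max(last, ts)     # latest seen, not last stored
        count += 1
        orig_total += orig_len  # original length, even if only incl_len bytes were saved
    duration = last - first if count else 0.0
    return {
        "file_size": len(raw),        # -s: size of the file itself
        "packets": count,             # -c
        "data_bytes": orig_total,     # -d
        "duration": duration,         # -u
        "start": first, "end": last,  # -a, -e
        # Assumption: rates are the -d total divided by the -u duration.
        "bytes_per_sec": orig_total / duration if duration else 0.0,     # -y
        "bits_per_sec": orig_total * 8 / duration if duration else 0.0,  # -i
        "avg_packet_size": orig_total / count if count else 0.0,         # -z
    }

def build_sample() -> bytes:
    """Constructed sample: three packets, snaplen 256, stored out of time order."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 256, 1)
    for sec, orig_len in [(1000, 1514), (990, 60), (1010, 1514)]:
        incl = min(orig_len, 256)
        out += struct.pack("<IIII", sec, 0, incl, orig_len) + bytes(incl)
    return out
```

On the constructed sample the file is 644 bytes while the B<-d> total is 3088, and the start time is 990 even though the first stored packet is stamped 1000.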

=head1 SEE ALSO

I<tcpdump(8)>, I<pcap(3)>, I<ethereal(1)>, I<mergecap(1)>, I<editcap(1)>, I<tethereal(1)>

=head1 NOTES

B<Capinfo> is part of the B<Ethereal> distribution.  The latest version
of B<Ethereal> can be found at B<http://www.ethereal.com>.

=head1 AUTHORS

  Original Author
  -------- ------
  Ian Schorr           <ian[AT]ianschorr.com>


  Contributors
  ------------