ethereal(1)

NAME

ethereal - Interactively browse network traffic

SYNOPSIS

ethereal [ -a capture autostop condition ] ...
[ -b number of ring buffer files [:duration] ]
[ -B byte view height ] [ -c count ]
[ -f capture filter expression ] [ -h ] [ -i interface ]
[ -k ] [ -l ] [ -m font ] [ -n ] [ -N resolving flags ]
[ -o preference setting ] ... [ -p ]
[ -P packet list height ] [ -Q ] [ -r infile ]
[ -R display filter expression ] [ -S ] [ -s snaplen ]
[ -T tree view height ] [ -t time stamp format ] [ -v ]
[ -w savefile ] [ -z statistics-string ] [ infile ]

DESCRIPTION

Ethereal is a GUI network protocol analyzer. It lets you
interactively browse packet data from a live network or
from a previously saved capture file. Ethereal's native
capture file format is libpcap format, which is also the
format used by tcpdump and various other tools. In addition,
Ethereal can read capture files from snoop and atmsnoop,
Shomiti/Finisar Surveyor, Novell LANalyzer, Network
General/Network Associates DOS-based Sniffer (compressed or
uncompressed), Microsoft Network Monitor, AIX's iptrace,
Cinco Networks NetXRay, Network Associates Windows-based
Sniffer, AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek,
RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug
output, HP-UX's nettl, the dump output from Toshiba's ISDN
routers, the output from i4btrace from the ISDN4BSD project,
the output in IPLog format from the Cisco Secure Intrusion
Detection System, pppd logs (pppdump format), the output
from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities, the text
output from the DBS Etherwatch VMS utility, traffic capture
files from Visual Networks' Visual UpTime, and the output
from CoSine L2 debug. There is no need to tell Ethereal what
type of file you are reading; it will determine the file
type by itself. Ethereal is also capable of reading any of
these file formats if they are compressed using gzip.
Ethereal recognizes this directly from the file; the '.gz'
extension is not required for this purpose.

Like other protocol analyzers, Ethereal's main window
shows 3 views of a packet. It shows a summary line,
briefly describing what the packet is. A protocol tree is
shown, allowing you to drill down to the exact protocol or
field that you are interested in. Finally, a hex dump shows
you exactly what the packet looks like when it goes over
the wire.

In addition, Ethereal has some features that make it
unique. It can assemble all the packets in a TCP
conversation and show you the ASCII (or EBCDIC, or hex)
data in that conversation. Display filters in Ethereal are
very powerful; more fields are filterable in Ethereal than
in other protocol analyzers, and the syntax you can use to
create your filters is richer. As Ethereal progresses,
expect more and more protocol fields to be allowed in
display filters.

Packet capturing is performed with the pcap library. The
capture filter syntax follows the rules of the pcap
library. This syntax is different from the display filter
syntax.

Compressed file support uses (and therefore requires) the
zlib library. If the zlib library is not present, Ethereal
will compile, but will be unable to read compressed
files.

The pathname of a capture file to be read can be specified
with the -r option or can be specified as a command-line
argument.

OPTIONS

Most users will want to start Ethereal without options and configure it from the menus instead. Those users
may just skip this section.
-a Specify a criterion that specifies when Ethereal is to
stop writing to a capture file. The criterion is of
the form test:value, where test is one of:
duration
Stop writing to a capture file after value seconds
have elapsed.
filesize
Stop writing to a capture file after it reaches a
size of value kilobytes (where a kilobyte is 1000
bytes, not 1024 bytes).
-b If a maximum capture file size was specified, cause
Ethereal to run in "ring buffer" mode, with the specified
number of files. In "ring buffer" mode, Ethereal will
write to several capture files. Their name is
based on the number of the file and on the creation
date and time.
When the first capture file fills up, Ethereal will
switch to writing to the next file, until it fills up
the last file, at which point it'll discard the data
in the first file (unless 0 is specified, in which
case, the number of files is unlimited) and start
writing to that file and so on.
If the optional duration is specified, Ethereal will
also switch to the next file when the specified number
of seconds has elapsed even if the current file is not
completely filled up.
-B Set the initial height of the byte view (bottom) pane.
-c Set the default number of packets to read when
capturing live data.
-f Set the capture filter expression.
-h Print the version and options and exit.
-i Set the name of the network interface or pipe to use
for live packet capture.
Network interface names should match one of the names
listed in "tethereal -D". If you're using Unix, "netstat -i" or "ifconfig -a" might also work to list interface names, although not all versions of Unix
support the -a flag to ifconfig.
Pipe names should be either the name of a FIFO (named
pipe) or "-" to read data from the standard input.
Data read from pipes must be in standard libpcap
format.
-k Start the capture session immediately. If the -i flag
was specified, the capture uses the specified
interface. Otherwise, Ethereal searches the list of
interfaces, choosing the first non-loopback interface if
there are any non-loopback interfaces, and choosing
the first loopback interface if there are no
non-loopback interfaces; if there are no interfaces,
Ethereal reports an error and doesn't start the capture.
-l Turn on automatic scrolling if the packet display is
being updated automatically as packets arrive during a
capture (as specified by the -S flag).
-m Set the name of the font used by Ethereal for most
text. Ethereal will construct the name of the bold
font used for the data in the byte view pane that
corresponds to the field selected in the protocol tree
pane from the name of the main text font.
-n Disable network object name resolution (such as host
name, TCP and UDP port names).
-N Turn on name resolving for particular types of
addresses and port numbers, with name resolving for
other types of addresses and port numbers turned off;
the argument is a string that may contain the letters
m to enable MAC address resolution, n to enable
network address resolution, and t to enable
transport-layer port number resolution. This overrides
-n if both -N and -n are present. The letter C enables
concurrent (asynchronous) DNS lookups.
-o Set a preference value, overriding the default value
and any value read from a preference file. The
argument to the flag is a string of the form
prefname:value, where prefname is the name of the
preference (which is the same name that would appear in
the preference file), and value is the value to which it
should be set.
-p Don't put the interface into promiscuous mode. Note
that the interface might be in promiscuous mode for
some other reason; hence, -p cannot be used to ensure
that the only traffic that is captured is traffic sent
to or from the machine on which Ethereal is running, broadcast traffic, and multicast traffic to addresses
received by that machine.
-P Set the initial height of the packet list (top) pane.
-Q Cause Ethereal to exit after the end of capture
session (useful in batch mode with -c option for
instance); this option requires the -i and -w
parameters.
-r Read packet data from infile.
-R When reading a capture file specified with the -r
flag, causes the specified filter (which uses the
syntax of display filters, rather than that of capture
filters) to be applied to all packets read from the
capture file; packets not matching the filter are
discarded.
-S Perform the live packet capture in a separate process,
and automatically update the packet display as packets
are seen.
-s Set the default snapshot length to use when capturing
live data. No more than snaplen bytes of each network packet will be read into memory, or saved to disk.
-T Set the initial height of the tree view (middle) pane.
-t Set the format of the packet timestamp displayed in
the packet list window. The format can be one of 'r'
(relative), 'a' (absolute), 'ad' (absolute with date),
or 'd' (delta). The relative time is the time elapsed
between the first packet and the current packet. The
absolute time is the actual time the packet was
captured, with no date displayed; the absolute date and
time is the actual time and date the packet was
captured. The delta time is the time since the previous
packet was captured. The default is relative.
-v Print the version and exit.
-w Set the default capture file name.
-z Get Ethereal to collect various types of statistics
and display the result in a window that updates in
semi-real time. Currently implemented statistics are:
-z dcerpc,srt,uuid,major.minor[,filter]
Collect call/reply SRT (Service Response Time) data
for DCERPC interface uuid, version major.minor. Data
collected is number of calls for each procedure,
MinSRT, MaxSRT and AvgSRT. Example: use
-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
to collect data for CIFS SAMR Interface. This option can
be used multiple times on the command line.
If the optional filterstring is provided, the stats
will only be calculated on those calls that match that
filter. Example: use
-z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
to collect SAMR SRT statistics for a specific host.
-z io,stat
Collect frame/bytes statistics for the capture in
intervals of 1 second. This option will open a
window with up to 5 color-coded graphs where
number-of-frames-per-second or number-of-bytes-per-second
statistics can be calculated and displayed.
This option can be used multiple times on the command
line.
This graph window can also be opened from the
Tools:Statistics:Traffic:IO-Stat menu item.
-z rpc,srt,program,version[,<filter>]
Collect call/reply SRT (Service Response Time) data
for program/version. Data collected is number of calls
for each procedure, MinSRT, MaxSRT and AvgSRT.
Example: use -z rpc,srt,100003,3 to collect data for
NFS v3. This option can be used multiple times on the
command line.
If the optional filter string is provided, the stats
will only be calculated on those calls that match that
filter. Example: use
-z rpc,srt,100003,3,nfs.fh.hash==0x12345678
to collect NFS v3 SRT statistics for a specific file.
-z rpc,programs
Collect call/reply RTT data for all known ONC-RPC
programs/versions. Data collected is number of calls for
each protocol/version, MinRTT, MaxRTT and AvgRTT.
-z smb,srt[,filter]
Collect call/reply SRT (Service Response Time) data
for SMB. Data collected is number of calls for each
SMB command, MinSRT, MaxSRT and AvgSRT. Example: use
-z smb,srt.
The data will be presented as separate tables for all
normal SMB commands, all Transaction2 commands and all
NT Transaction commands. Only those commands that are
seen in the capture will have their stats displayed.
Only the first command in a xAndX command chain will
be used in the calculation. So for common
SessionSetupAndX + TreeConnectAndX chains, only the
SessionSetupAndX call will be used in the statistics.
This is a flaw that might be fixed in the future.
This option can be used multiple times on the command
line.
If the optional filterstring is provided, the stats
will only be calculated on those calls that match that
filter. Example: use -z "smb,srt,ip.addr==1.2.3.4" to
only collect stats for SMB packets exchanged by the
host at IP address 1.2.3.4.
-z fc,srt[,filter]
Collect call/reply SRT (Service Response Time) data
for FC. Data collected is number of calls for each
Fibre Channel command, MinSRT, MaxSRT and AvgSRT.
Example: use -z fc,srt. The Service Response Time is
calculated as the time delta between the First frame
of the exchange and the Last frame of the exchange.
The data will be presented as separate tables for all
normal FC commands. Only those commands that are seen
in the capture will have their stats displayed.
This option can be used multiple times on the command
line.
If the optional filterstring is provided, the stats
will only be calculated on those calls that match that
filter. Example: use -z "fc,srt,fc.id==01.02.03" to
only collect stats for FC packets exchanged by the host
at FC address 01.02.03.
-z mgcp,rtd[,filter]
Collect requests/response RTD (Response Time Delay)
data for MGCP. (This is similar to -z smb,rtt.) Data
collected is number of calls for each known MGCP Type,
MinRTD, MaxRTD and AvgRTD. Example: use -z mgcp,rtd.
This option can be used multiple times on the command
line.
If the optional filterstring is provided, the stats
will only be calculated on those calls that match that
filter. Example: use -z "mgcp,rtd,ip.addr==1.2.3.4" to
only collect stats for MGCP packets exchanged by
the host at IP address 1.2.3.4.

INTERFACE

MENU ITEMS

Selecting the Filter: button lets you choose
from a list of named filters that you can
optionally save. Pressing the Return or Enter
keys, or selecting the Apply button, will cause
the filter to be applied to the current list of
packets. Selecting the Reset button clears the
display filter so that all packets are
displayed.
Preferences
The Preferences dialog lets you control various
personal preferences for the behavior of Ethereal.
Printing Preferences
The radio buttons at the top of the Printing page
allow you to choose between printing packets
with the File:Print Packet menu item as text or PostScript, and sending the output directly to a
command or saving it to a file. The Command: text entry box, on UNIX-compatible systems, is
the command to send files to (usually lpr), and
the File: entry box lets you enter the name of
the file you wish to save to. Additionally, you
can select the File: button to browse the file
system for a particular save file.
Column Preferences
The Columns page lets you specify the number,
title, and format of each column in the packet
list.
The Column title entry is used to specify the
title of the column displayed at the top of the
packet list. The type of data that the column
displays can be specified using the Column format
option menu. The row of buttons on the left
performs the following actions:
Add New
Adds a new column to the list.
Delete
Deletes the currently selected list item.
Up / Down
Moves the selected list item up or down
one position.
OK Currently has no effect.
Save Saves the current column format as the
default.
Cancel
Closes the dialog without making any
changes.
TCP Streams Preferences
The TCP Streams page can be used to change the color of the text displayed in the TCP stream
window. To change a color, simply select an
attribute from the "Set:" menu and use the color
selector to get the desired color. The new text
colors are displayed in a sample window.
User Interface Preferences
The User Interface page is used to modify small aspects of the GUI to your own personal taste:
Scrollbars
The vertical scrollbars in the three panes
can be set to be either on the left or the
right.
Selection Bars
The selection bar in the packet list and
protocol tree can have either a "browse"
or "select" behavior. If the selection
bar has a "browse" behavior, the arrow
keys will move an outline of the selection
bar, allowing you to browse the rest of
the list or tree without changing the
selection until you press the space bar.
If the selection bar has a "select"
behavior, the arrow keys will move the
selection bar and change the selection to the
new item in the packet list or protocol
tree.
Tree Line Style
Trees can be drawn with no lines, solid
lines, or dotted lines between items, or
can be drawn with "tab" headings.
Tree Expander Style
The expander item that can be clicked to
show or hide items under a tree item can
be omitted (note that this will prevent
you from changing whether those items are
shown or hidden!), or can be drawn as
squares, triangles, or circles.
Hex Display
The highlight method in the hex dump
display for the selected protocol item can be
set to use either inverse video, or bold
characters.
Save Window Position
If this item is selected, the position of
the main Ethereal window will be saved
when Ethereal exits, and used when
Ethereal is started again.
Save Window Size
If this item is selected, the size of the
main Ethereal window will be saved when
Ethereal exits, and used when Ethereal is
started again.
Fonts The "Font..." button lets you select the
font to be used for most text.
Colors
The "Colors..." button lets you select the
colors to be used for instance for the
marked frames.
Capture Preferences
The Capture page lets you specify various
parameters for capturing live packet data; these are
used the first time a capture is started.
The Interface: combo box lets you specify the interface from which to capture packet data, or
the name of a FIFO from which to get the packet
data. You can specify whether the interface is
to be put in promiscuous mode or not with the
Capture packets in promiscuous mode check box, can specify that the display should be updated
as packets are captured with the Update list of packets in real time check box, and can specify whether in such a capture the packet list pane
should scroll to show the most recently captured
packets with the Automatic scrolling in live capture check box.
Protocol Preferences
There are also pages for various protocols that
Ethereal dissects, controlling the way Ethereal
handles those protocols.
Edit Capture Filter List
Edit Display Filter List
Capture Filter
Display Filter
Read Filter
Search Filter
The Edit Capture Filter List dialog lets you create,
modify, and delete capture filters, and the Edit
Display Filter List dialog lets you create, modify, and
delete display filters.
The Capture Filter dialog lets you do all of the
editing operations listed, and also lets you choose or
construct a filter to be used when capturing packets.
The Display Filter dialog lets you do all of the
editing operations listed, and also lets you choose or
construct a filter to be used to filter the current
capture being viewed.
The Read Filter dialog lets you do all of the editing
operations listed, and also lets you choose or
construct a filter to be used as a read filter for a
capture file you open.
The Search Filter dialog lets you do all of the
editing operations listed, and also lets you choose or
construct a filter expression to be used in a find
operation.
In all of those dialogs, the Filter name entry
specifies a descriptive name for a filter, e.g. Web and
DNS traffic. The Filter string entry is the text that
actually describes the filtering action to take, as
described above. The dialog buttons perform the
following actions:
New If there is text in the two entry boxes, creates
a new associated list item.
Change
Modifies the currently selected list item to
match what's in the entry boxes.
Copy Makes a copy of the currently selected list
item.
Delete
Deletes the currently selected list item.
Add Expression...
For display filter expressions, pops up a dialog
box to allow you to construct a filter
expression to test a particular field; it offers lists
of field names, and, when appropriate, lists
from which to select tests to perform on the
field and values with which to compare it. In
that dialog box, the OK button will cause the
filter expression you constructed to be entered
into the Filter string entry at the current
cursor position.
OK In the Capture Filter dialog, closes the dialog
box and makes the filter in the Filter string
entry the filter in the Capture Preferences
dialog. In the Display Filter dialog, closes the
dialog box and makes the filter in the Filter
string entry the current display filter, and
applies it to the current capture. In the Read
Filter dialog, closes the dialog box and makes
the filter in the Filter string entry the filter
in the Open Capture File dialog. In the Search
Filter dialog, closes the dialog box and makes
the filter in the Filter string entry the filter
in the Find Frame dialog.
Apply Makes the filter in the Filter string entry the
current display filter, and applies it to the
current capture.
Save Saves the current filter list in
$HOME/.ethereal/cfilters on UNIX-compatible systems,
and %APPDATA%\Ethereal\cfilters (or, if %APPDATA%
isn't defined, %USERPROFILE%\Application
Data\Ethereal\cfilters) on Windows systems, if the
list of filters being edited is the list of
capture filters, or in $HOME/.ethereal/dfilters on
UNIX-compatible systems, and
%APPDATA%\Ethereal\dfilters (or, if %APPDATA% isn't
defined, %USERPROFILE%\Application
Data\Ethereal\dfilters) on Windows systems, if the
list of filters being edited is the list of display
filters.
Close Closes the dialog without doing anything with
the filter in the Filter string entry.
Capture Options
The Capture Options dialog lets you specify various parameters for capturing live packet data.
The Interface: field lets you specify the interface from which to capture packet data or a command from
which to get the packet data via a pipe.
The Limit each packet to ... bytes check box and field lets you specify a maximum number of bytes per packet
to capture and save; if the check box is not checked,
the limit will be 65535 bytes.
The Capture packets in promiscuous mode check box lets you specify whether the interface should be put into
promiscuous mode when capturing.
The Filter: entry lets you specify the capture filter using a tcpdump-style filter string as described
above.
The File: entry lets you specify the file into which
captured packets should be saved, as in the Printer
Options dialog above. If not specified, the captured packets will be saved in a temporary file; you can
save those packets to a file with the File:Save As menu item.
The Use ring buffer check box lets you specify that the capture should be done in "ring buffer" mode; the
Number of files field lets you specify the number of files in the ring buffer (0 means unlimited).
The Rotate capture file every ... second(s) check box
and field let you specify that the switch to the next
ring buffer file should be done if the specified
duration has elapsed even if the specified capture size
is not reached.
The Update list of packets in real time check box lets you specify whether the display should be updated as
packets are captured and, if you specify that, the
Automatic scrolling in live capture check box lets you specify the packet list pane should automatically
scroll to show the most recently captured packets as
new packets arrive.
The Stop capture after ... packet(s) captured check
box and field let you specify that Ethereal should
stop capturing after having captured some number of
packets; if the check box is not checked, Ethereal
will not stop capturing at some fixed number of
captured packets.
If "ring buffer" mode is not specified, the Stop
capture after ... kilobyte(s) captured check box and
field let you specify that Ethereal should stop
capturing after the file to which captured packets
are being saved grows as large as or larger than some
specified number of kilobytes (where a kilobyte is
1000 bytes, not 1024 bytes). If the check box is not
checked, Ethereal will not stop capturing at some
capture file size (although the operating system on which
Ethereal is running, or the available disk space, may
still limit the maximum size of a capture file).
If "ring buffer" mode is specified, that field becomes
the Rotate capture file every ... kilobyte(s) field, and specifies the number of kilobytes at which to
start writing to a new ring buffer file; the check box
is forced to be checked, as "ring buffer" mode
requires a file size to be specified.
The Stop capture after ... second(s) check box and
field let you specify that Ethereal should stop
capturing after it has been capturing for some number of
seconds; if the check box is not checked, Ethereal
will not stop capturing after some fixed time has
elapsed.
The Enable MAC name resolution, Enable network name resolution and Enable transport name resolution check boxes let you specify whether MAC addresses, network
addresses, and transport-layer port numbers should be
translated to names.
Display Options
The Display Options dialog lets you specify the format of the time stamp in the packet list. You can select
"Time of day" for absolute time stamps, "Date and time
of day" for absolute time stamps with the date,
"Seconds since beginning of capture" for relative time
stamps, or "Seconds since previous frame" for delta
time stamps. You can also specify whether, when the
display is updated as packets are captured, the list
should automatically scroll to show the most recently
captured packets or not and whether addresses or port
numbers should be translated to names in the display
on a MAC, network and transport layer basis.
Plugins
The Plugins dialog lets you view the dissector plugin
modules available on your system.
The Plugins List shows the name and version of each
dissector plugin module found on your system. The
plugins are searched in the following directories: the
lib/ethereal/plugins/$VERSION directory under the main
installation directory (for example,
/usr/local/lib/ethereal/plugins/$VERSION),
/usr/lib/ethereal/plugins/$VERSION,
/usr/local/lib/ethereal/plugins/$VERSION, and
$HOME/.ethereal/plugins on UNIX-compatible systems, and
in the plugins\$VERSION directory under the main
installation directory (for example, C:\Program
Files\Ethereal\plugins\$VERSION) and
%APPDATA%\Ethereal\plugins\$VERSION (or, if %APPDATA%
isn't defined, %USERPROFILE%\Application
Data\Ethereal\plugins\$VERSION) on Windows systems;
$VERSION is the version number of the plugin interface,
which is typically the version number of Ethereal. Note
that a dissector plugin module may support more than one
protocol; there is not necessarily a one-to-one
correspondence between dissector plugin modules and
protocols. Protocols supported by a dissector plugin
module are enabled and disabled using the Edit:Protocols
dialog box, just as protocols built into Ethereal are.

CAPTURE FILTER SYNTAX

See manual page of tcpdump(8).

DISPLAY FILTER SYNTAX

Display filters help you remove the noise from a packet
trace and let you see only the packets that interest you.
If a packet meets the requirements expressed in your
display filter, then it is displayed in the list of packets.
Display filters let you compare the fields within a
protocol against a specific value, compare fields against
fields, and check the existence of specified fields or
protocols.

The simplest display filter allows you to check for the
existence of a protocol or field. If you want to see all
packets which contain the IPX protocol, the filter would
be "ipx" (without the quotation marks). To see all
packets that contain a Token-Ring RIF field, use "tr.rif".

Boolean
Target And Self Information Only
isns.seconds Seconds
Unsigned 32-bit integer
Seconds
isns.sequenceid Sequence ID
Unsigned 16-bit integer
iSNS sequence ID
isns.transactionid Transaction ID
Unsigned 16-bit integer
iSNS transaction ID

FILES

The ethereal.conf file, which is installed in the etc
directory under the main installation directory (for
example, /usr/local/etc) on UNIX-compatible systems, and in
the main installation directory (for example, C:\Program
Files\Ethereal) on Windows systems, and the personal
preferences file, which is $HOME/.ethereal/preferences on
UNIX-compatible systems and %APPDATA%\Ethereal\preferences
(or, if %APPDATA% isn't defined, %USERPROFILE%\Application
Data\Ethereal\preferences) on Windows systems, contain
system-wide and personal preference settings,
respectively. The file contains preference settings of the
form prefname:value, one per line, where prefname is the
name of the preference (which is the same name that would
appear in the preference file), and value is the value to
which it should be set; white space is allowed between :
and value. A preference setting can be continued on
subsequent lines by indenting the continuation lines with
white space. A # character starts a comment that runs to
the end of the line.

The system-wide preference file is read first, if it
exists, overriding Ethereal's default values; the personal
preferences file is then read, if it exists, overriding
default values and values read from the system-wide
preference file.

Note that whenever the preferences are saved by using the
Save button in the Edit:Preferences dialog box, your
personal preferences file will be overwritten with the new
settings, destroying any comments that were in the file.
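
The preference file format and the read order described above (defaults, then the system-wide file, then the personal file, then any -o option) can be checked with a short script that also reports which layer supplied each value. This is an added example, not Ethereal's own code; the preference names and sample files are constructed, and joining a continuation line directly onto the value is an assumption the page does not settle.

```python
"""Added example: resolve preference values in the order the page describes."""


def parse_preferences(text):
    """Parse 'prefname:value' settings from preference-file text.

    Rules taken from the page: one setting per line, white space allowed
    between ':' and the value, indented lines continue the previous setting,
    and '#' starts a comment that runs to the end of the line.
    """
    prefs = {}
    current = None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue  # blank line or comment-only line
        if line[0] in " \t":
            if current is None:
                raise ValueError(f"line {number}: continuation without a setting")
            # Assumption: continuation text is appended directly to the value.
            prefs[current] += line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {number}: expected prefname:value")
        current = name.strip()
        prefs[current] = value.strip()
    return prefs


def resolve(defaults, system_text=None, personal_text=None, overrides=()):
    """Return {prefname: (value, source)} after applying every layer in order."""
    resolved = {name: (value, "default") for name, value in defaults.items()}
    layers = (("system-wide file", system_text), ("personal file", personal_text))
    for source, text in layers:
        if text is None:  # "if it exists": a missing file changes nothing
            continue
        for name, value in parse_preferences(text).items():
            resolved[name] = (value, source)
    for item in overrides:  # each item is one -o argument, 'prefname:value'
        name, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"bad -o argument: {item!r}")
        resolved[name.strip()] = (value.strip(), "-o option")
    return resolved


# Constructed sample data; the preference names are hypothetical.
DEFAULTS = {"example.promiscuous": "TRUE", "example.font": "fixed"}
SYSTEM_FILE = (
    "# constructed system-wide file\n"
    "example.promiscuous: FALSE\n"
    'example.columns: "No.", "Time",\n'
    '\t"Source"   # comment after a continuation line\n'
)
PERSONAL_FILE = "example.promiscuous:TRUE\n"

if __name__ == "__main__":
    result = resolve(DEFAULTS, SYSTEM_FILE, PERSONAL_FILE, ["example.font: lucida"])
    for name in sorted(result):
        value, source = result[name]
        print(f"{name} = {value}   [{source}]")
```
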

The ethers file, which is found in the /etc directory on
UNIX-compatible systems, and in the main installation
directory (for example, C:\Program Files\Ethereal) on
Windows systems, is consulted to correlate 6-byte hardware
addresses to names. If an address is not found in the
ethers file, the $HOME/.ethereal/ethers file on
UNIX-compatible systems, and the %APPDATA%\Ethereal\ethers
file (or, if %APPDATA% isn't defined, the
%USERPROFILE%\Application Data\Ethereal\ethers file) on
Windows systems is consulted next. Each line contains one
hardware address and name, separated by whitespace. The
digits of the hardware address are separated by either a
colon (:), a dash (-), or a period (.). The following three
lines are valid lines of an ethers file:

ff:ff:ff:ff:ff:ff Broadcast
c0-00-ff-ff-ff-ff TR_broadcast
00.00.00.00.00.00 Zero_broadcast

The manuf file, which is installed in the etc directory
under the main installation directory (for example,
/usr/local/etc) on UNIX-compatible systems, and in the
main installation directory (for example, C:\Program
Files\Ethereal) on Windows systems, matches the 3-byte
vendor portion of a 6-byte hardware address with the
manufacturer's name; it can also contain well-known MAC
addresses and address ranges specified with a netmask.
The format of the file is the same as the ethers file,
except that entries of the form

00:00:0C Cisco
can be provided, with the 3-byte OUI and the name for a
vendor, and entries of the form

00-00-0C-07-AC/40 All-HSRP-routers
can be specified, with a MAC address and a mask indicating
how many bits of the address must match. Trailing zero
bytes can be omitted from address ranges. That entry, for
example, will match addresses from 00-00-0C-07-AC-00
through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.
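
The manuf matching rules described above (3-byte OUI entries, full addresses, and masked ranges with omitted trailing zero bytes) can be exercised with the following lookup. This is an added example, not Ethereal's code: preferring the entry with the longest mask and treating '#' as a comment marker are assumptions, and the Lab-range entry is constructed.

```python
import re

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_address(text):
    """Return (48-bit integer, bytes given) for a ':', '-' or '.' separated address."""
    parts = re.split(r"[:.-]", text)
    if not 1 <= len(parts) <= 6 or not all(HEX_BYTE.fullmatch(p) for p in parts):
        raise ValueError(f"bad hardware address: {text!r}")
    raw = bytes(int(p, 16) for p in parts)
    # Omitted trailing bytes count as zero, as the page allows for ranges.
    return int.from_bytes(raw.ljust(6, b"\x00"), "big"), len(raw)


def parse_entry(line):
    """Return (value, mask, bits, name), or None for a blank or comment line."""
    # Assumption: '#' starts a comment here too; the page states that only
    # for the preference files.
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if len(fields) < 2:
        raise ValueError(f"missing name: {line!r}")
    addr_text, name = fields[0], fields[1]
    if "/" in addr_text:
        # Masked range: the number after '/' is how many leading bits must match.
        addr_text, bits_text = addr_text.split("/", 1)
        value, _ = parse_address(addr_text)
        bits = int(bits_text)
        if not 0 <= bits <= 48:
            raise ValueError(f"mask out of range: {line!r}")
    else:
        # Plain entry: a 3-byte OUI or a full 6-byte address.
        value, given = parse_address(addr_text)
        if given not in (3, 6):
            raise ValueError(f"expected 3 or 6 bytes: {line!r}")
        bits = given * 8
    mask = ((1 << bits) - 1) << (48 - bits)
    return value & mask, mask, bits, name


def load(text):
    """Parse every line of manuf-style text into a list of entries."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def lookup(entries, mac_text):
    """Return the name of the matching entry with the longest mask, or None."""
    mac, given = parse_address(mac_text)
    if given != 6:
        raise ValueError(f"need a full 6-byte address: {mac_text!r}")
    best = None
    for value, mask, bits, name in entries:
        if mac & mask == value and (best is None or bits > best[0]):
            best = (bits, name)
    return best[1] if best else None


# The first three entries come from the page; the last one is constructed to
# show a mask that is not a multiple of 8.
MANUF = """\
ff:ff:ff:ff:ff:ff Broadcast
00:00:0C Cisco
00-00-0C-07-AC/40 All-HSRP-routers
02.00.00.00.00.10/44 Lab-range
"""

if __name__ == "__main__":
    table = load(MANUF)
    for mac in ("00:00:0c:07:ac:2a", "00-00-0C-07-AD-00", "02:00:00:00:00:20"):
        print(mac, "->", lookup(table, mac))
```
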

The ipxnets file, which is found in the /etc directory on
UNIX-compatible systems, and in the main installation
directory (for example, C:\Program Files\Ethereal) on
Windows systems, correlates 4-byte IPX network numbers to
names. If a network number is not found in the ipxnets
file, the $HOME/.ethereal/ipxnets file on UNIX-compatible
systems, and the %APPDATA%\Ethereal\ipxnets file (or, if
%APPDATA% isn't defined, the %USERPROFILE%\Application
Data\Ethereal\ipxnets file) on Windows systems, is
consulted next. The format is the same as the ethers file,
except that each address is four bytes instead of six.
Additionally, the address can be represented as a single
hexadecimal number, as is more common in the IPX world,
rather than four hex octets. For example, these four
lines are valid lines of an ipxnets file.

C0.A8.2C.00 HR
c0-a8-1c-00 CEO
00:00:BE:EF IT_Server1
110f FileServer3

SEE ALSO

tethereal(1), editcap(1), tcpdump(8), pcap(3)

NOTES

The latest version of Ethereal can be found at
http://www.ethereal.com.

AUTHORS

Original Author
-------- ------
Gerald Combs <gerald[AT]ethereal.com>

Michael Kopp <michael.kopp [AT] isarnet.de>
Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind
enough to give his permission to use his version of
snprintf.c.
Dan Lasley <dlasley[AT]promus.com> gave permission for his
dumpit() hex-dump routine to be used.
Mattia Cazzola <mattiac[AT]alinet.it> provided a patch to
the hex dump display routine.
We use the exception module from Kazlib, a C library
written by Kaz Kylheku <kaz[AT]ashi.footprints.net>. Thanks
goes to him for his well-written library. The Kazlib home
page can be found at
http://users.footprints.net/~kaz/kazlib.html