NAME
tethereal - Dump and analyze network traffic
# Note: tethereal dumps and analyzes network traffic.
# Addendum: version information for the tethereal build used on this page
[bob@mail ~]$ /usr/sbin/tethereal -v
tethereal 0.10.6
Compiled with GLib 2.4.6, with libpcap 0.8.3, with libz 1.2.1.2,
without libpcre, without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build does not support the "matches" operator for Ethereal filter
syntax.
Running with libpcap version 0.8.3 on Linux 2.6.9-prepall-fs.
[bob@mail ~]$
SYNOPSIS
tethereal [ -a capture autostop condition ] ... [ -b number of ring buffer files [:duration] ] [ -c count ]
       [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ] [ -f capture filter expression ] [ -F file format ] [ -h ] [ -i interface ]
       [ -l ] [ -L ] [ -n ] [ -N resolving flags ] [ -o preference setting ] ... [ -p ] [ -q ] [ -r infile ] [ -R display filter expression ] [ -s snaplen ]
       [ -S ] [ -t time stamp format ] [ -T pdml|psml|ps|text ] [ -v ] [ -V ] [ -w savefile ] [ -x ] [ -y link type ] [ -z statistics-string ] [ filter expression ]
DESCRIPTION
Tethereal is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved
capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. Tethereal's native
capture file format is libpcap format, which is also the format used by tcpdump and various other tools.
# Note: tethereal is a network protocol analyzer. It can capture packets on the network for you, or read packets from a previously saved capture file.
# It can also decode the packets and print them, or write the captured packets to a file.
# Tethereal's default capture file format is libpcap, which tcpdump and various other tools can read as well.
       Ethereal can read / import the following file formats:
# Note: ethereal can read/import files in the following formats
       * libpcap/WinPcap, tcpdump and various other tools using tcpdump's capture format
* snoop and atmsnoop
* Shomiti/Finisar Surveyor captures
* Novell LANalyzer captures
* Microsoft Network Monitor captures
* AIX’s iptrace captures
* Cinco Networks NetXRay captures
* Network Associates Windows-based Sniffer captures
* Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
* AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures
* RADCOM’s WAN/LAN analyzer captures
* Network Instruments Observer version 9 captures
* Lucent/Ascend router debug output
* files from HP-UX’s nettl
* Toshiba’s ISDN routers dump output
* the output from i4btrace from the ISDN4BSD project
* traces from the EyeSDN USB S0.
* the output in IPLog format from the Cisco Secure Intrusion Detection System
* pppd logs (pppdump format)
* the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
* the text output from the DBS Etherwatch VMS utility
* Visual Networks’ Visual UpTime traffic capture
* the output from CoSine L2 debug
* the output from Accellent’s 5Views LAN agents
* Endace Measurement Systems’ ERF format captures
* Linux Bluez Bluetooth stack hcidump -w traces
       There is no need to tell Tethereal what type of file you are reading;
it will determine the file type by itself. Tethereal is also capable
of reading any of these file formats if they are compressed using
gzip. Tethereal recognizes this directly from the file; the '.gz'
extension is not required for this purpose.
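The detection described above works from the file's leading bytes, never from its name. As an added example (not tethereal's own code), the Python below sniffs a libpcap capture by its magic number, transparently gunzips a compressed one whatever it is called, parses the global header (the "version 2.4", link type and "capture length" fields that `file` reports on a capture further down this page) and the per-packet records, and shows how a snapshot length like -s leaves each record's incl_len shorter than its orig_len. The sample frames, timestamps and the `build_pcap`/`sniff`/`parse_pcap`/`demo` names are constructions of this example.

```python
"""Detect and parse libpcap captures from their bytes, the way Tethereal does.

Added example, not tethereal's code. Assumes only the classic libpcap layout
(24-byte global header, 16-byte record headers) and gzip's 2-byte magic.
The frames and timestamps below are constructed, not captured."""
import gzip
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 as written by a little-endian host
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # the same magic written big-endian
GZIP_MAGIC = b"\x1f\x8b"
LINKTYPE_ETHERNET = 1
HDR_FMT = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_FMT = "IIII"      # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)


def sniff(data):
    """Classify a blob from its leading bytes alone; the file name is never consulted."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data.startswith(PCAP_MAGIC_LE):
        return "pcap-le"
    if data.startswith(PCAP_MAGIC_BE):
        return "pcap-be"
    return "unknown"


def parse_pcap(data):
    """Return (header, records) for a libpcap blob, gunzipping it first if needed.
    Each record is (ts_sec, ts_usec, incl_len, orig_len, payload)."""
    kind = sniff(data)
    if kind == "gzip":
        data = gzip.decompress(data)
        kind = sniff(data)
    if kind not in ("pcap-le", "pcap-be") or len(data) < 24:
        raise ValueError("not a libpcap capture (magic %r)" % data[:4])
    endian = "<" if kind == "pcap-le" else ">"
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + HDR_FMT, data[:24])
    header = {"version": "%d.%d" % (vmaj, vmin), "snaplen": snaplen,
              "linktype": linktype, "byte_order": kind}
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + REC_FMT, data[off:off + 16])
        off += 16
        # a saved length beyond the snaplen or past the end of the file means a corrupt record
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        records.append((ts_sec, ts_usec, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return header, records


def build_pcap(frames, snaplen=65535, endian="<", t0=1187753063):
    """Serialize raw frames as a libpcap file, truncating each to snaplen as -s would."""
    out = [struct.pack(endian + HDR_FMT, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]
        out.append(struct.pack(endian + REC_FMT, t0 + i, 912709, len(saved), len(frame)))
        out.append(saved)
    return b"".join(out)


# Constructed sample: two Ethernet-framed payloads (zeroed MACs, EtherType 0x0800), 98 and 214 bytes.
SAMPLE_FRAMES = [b"\x00" * 12 + b"\x08\x00" + bytes(range(84)),
                 b"\x00" * 12 + b"\x08\x00" + bytes(200)]


def demo():
    """Detect the plain, gzipped (no .gz name) and big-endian forms of the same capture."""
    plain = build_pcap(SAMPLE_FRAMES)
    packed = gzip.compress(plain)
    results = {"plain": sniff(plain), "gzipped": sniff(packed),
               "big_endian": sniff(build_pcap(SAMPLE_FRAMES, endian=">"))}
    results["same_records"] = parse_pcap(plain)[1] == parse_pcap(packed)[1]
    return results


if __name__ == "__main__":
    print(demo())
    hdr, recs = parse_pcap(build_pcap(SAMPLE_FRAMES, snaplen=64))
    for r in recs:
        print("snaplen %d: saved %d of %d bytes" % (hdr["snaplen"], r[2], r[3]))
```

The same `parse_pcap` can be pointed at `sys.stdin.buffer.read()` to consume what a `-w -` style producer writes to a pipe, which is why data on a pipe has to be raw libpcap: the reader decides what it is looking at from the first four bytes.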
# Note: you don't need to tell tethereal what type of capture file it is reading; it works that out by itself.
# tethereal also reads gzip-compressed capture files, and does not require the .gz suffix to do so.
       If the -w flag is not specified, Tethereal prints a decoded form of
the packets it captures or reads; otherwise, it writes those packets
to the file specified by that flag.
# Note: if -w is not given, tethereal prints the decoded packets to stdout; otherwise it writes them to the named file.
       
       When printing a decoded form of packets, Tethereal prints, by default,
a summary line containing the fields specified by the preferences file
(which are also the fields displayed in the packet list pane in Ethereal),
although if it's printing packets as it captures them, rather
than printing packets from a saved capture file, it won't print the
"frame number" field.
# Note: when printing decoded packets, tethereal prints a one-line summary per packet by default.
       If the -V flag is specified, it prints instead a view of the details of the packet, showing all the fields of all
protocols in the packet.
# Note: with -V, the full details of every packet are printed instead.
       When writing packets to a file, Tethereal, by default, writes the file
in libpcap format, and writes all of the packets it sees to the output
file. The -F flag can be used to specify the format in which to write
the file. The following output formats are supported:
# Note: when writing to a file with -w, tethereal uses libpcap format by default and writes every packet it sees to that file.
# -F selects the capture file format.
       * libpcap - libpcap (tcpdump, Ethereal, etc.)
* rh6_1libpcap - Red Hat Linux 6.1 libpcap (tcpdump)
* suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
* modlibpcap - modified libpcap (tcpdump)
* nokialibpcap - Nokia libpcap (tcpdump)
* lanalyzer - Novell LANalyzer
* ngsniffer - Network Associates Sniffer (DOS-based)
* snoop - Sun snoop
* netmon1 - Microsoft Network Monitor 1.x
* netmon2 - Microsoft Network Monitor 2.x
* ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
* ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
* visual - Visual Networks traffic capture
       This list is also displayed by the -h flag.
# Note: -h also displays the list of formats tethereal supports.
       Read filters in Tethereal, which allow you to select which packets are
to be decoded or written to a file, are very powerful; more fields are
filterable in Tethereal than in other protocol analyzers, and the syntax
you can use to create your filters is richer. As Tethereal progresses,
expect more and more protocol fields to be allowed in read
filters.
# Note: you can also use filters to select which packets are decoded, or which packets are written to a file.
# Filters are a very powerful tool: tethereal can filter on more fields than other protocol analyzers,
# and its filter syntax is richer as well.
       Packet capturing is performed with the pcap library. The capture filter
syntax follows the rules of the pcap library. This syntax is different
from the read filter syntax. A read filter can also be specified
when capturing, and only packets that pass the read filter will
be displayed or saved to the output file; note, however, that capture
filters are much more efficient than read filters, and it may be more
difficult for Tethereal to keep up with a busy network if a read filter
is specified for a live capture.
# Note: packet capture is implemented by the pcap library, and the capture filter syntax is the pcap library's syntax.
# That syntax is different from the read filter syntax. A read filter can also be given when capturing; only the packets
# that match it are then displayed or written to the file. Capture filters are much more efficient than read filters, though,
# so on a busy network tethereal may not be able to keep up if a read filter is used for a live capture.
       Compressed file support uses (and therefore requires) the zlib
library. If the zlib library is not present, Tethereal will compile,
but will be unable to read compressed files.
# Note: tethereal uses the zlib library for compressed-file support. Without zlib,
# tethereal still compiles, but cannot read compressed capture files.
       A capture or read filter can either be specified with the -f or -R
option, respectively, in which case the entire filter expression must
be specified as a single argument (which means that if it contains
spaces, it must be quoted), or can be specified with command-line
arguments after the option arguments, in which case all the arguments
after the filter arguments are treated as a filter expression. Capture
filters are supported only when doing a live capture; read filters
are supported when doing a live capture and when reading a capture
file, but require Tethereal to do more work when filtering, so
you might be more likely to lose packets under heavy load if you're
using a read filter. If the filter is specified with command-line
arguments after the option arguments, it's a capture filter if a capture
is being done (i.e., if no -r flag was specified) and a read
filter if a capture file is being read (i.e., if a -r flag was specified).
# Note: a capture filter or a read filter can be given with -f or -R respectively. The whole filter expression must then be
# a single argument, i.e. if the rule contains spaces it must be quoted.
# A filter can also be given as command-line arguments after the options, in which case everything after the option arguments
# is treated as the filter expression.

# Note: a capture filter can only be used when actually capturing, while a read filter can be used both when capturing and when
# reading packets from a capture file. A read filter is less efficient, though, because it makes Tethereal do more work,
# so on a busy network you may drop packets when using one.
# If -r was given, a trailing filter expression is a read filter; otherwise it is a capture filter.
OPTIONS
-a Specify a criterion that specifies when Tethereal is to stop writing to a capture file. The criterion is of the form test:value,
where test is one of:
        # Note: -a specifies a rule that controls when Tethereal stops writing the capture file.
        # The rule has the form test:value. The available tests are:
            duration
                Stop writing to a capture file after value seconds have elapsed.
        # Note: the first test is duration: stop writing the file this many seconds after the capture starts.
[root@mail ~]# tethereal -S -w lo.capture -i lo -t ad -a duration:2
Capturing on lo
2007-08-22 11:24:23.912709 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:24:23.912723 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2007-08-22 11:24:24.912556 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:24:24.912571 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2007-08-22 11:24:25.912406 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:24:25.912425 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
6 packets captured
[root@mail ~]#
            filesize
                Stop writing to a capture file after it reaches a size of value kilobytes (where a kilobyte is 1000 bytes, not 1024 bytes).
        # Note: filesize limits the size of the capture file; the unit is 1000 bytes, not 1024 bytes.
       -b  If a maximum capture file size was specified, cause Tethereal to run in "ring buffer" mode, with the specified number of files. In
           "ring buffer" mode, Tethereal will write to several capture files. Their name is based on the number of the file and on the creation
           date and time.
    # Note: if a maximum capture file size was given, -b makes Tethereal run in "ring buffer" mode.
    # You specify the number of files. In ring buffer mode Tethereal writes to several capture files;
    # their names are derived from the file's sequence number and its creation time.
    # Addendum: -b does not mean tethereal exits once it has written that many files; it keeps running. For example, with
    # -a filesize:100 -b 2, tethereal creates the second file once the first is full (100*1000 bytes). When the second file is full
    # it deletes the first, creates a new capture file and keeps writing. In short the files are used cyclically, so the total
    # size of the capture files stays bounded at N * max_filesize.
-rw------- 1 root root 10056 Aug 22 11:30 lo_00003_20070822113001.capture
-rw------- 1 root root     0 Aug 22 11:30 lo_00004_20070822113045.capture
-rw------- 1 root root 10084 Aug 22 11:31 lo_00004_20070822113045.capture
-rw------- 1 root root  9270 Aug 22 11:31 lo_00005_20070822113109.capture
      # You can see that the file names keep changing, but there are always 2 files and none exceeds the size given with -a filesize.
    # Addendum: -a filesize and -b must be used together; -a gives the maximum size of each file, and without it tethereal reports an error.
[root@mail ~]# tethereal -S -w lo.capture -i lo -t ad -a duration:2 -b 10
tethereal: Ring buffer requested, but no maximum capture file size was specified.
[root@mail ~]#
    # Addendum: if you also want to switch files on a time basis, use -a filesize:MAX -b N:duration
    When the first capture file fills up, Tethereal will switch to
writing to the next file, until it fills up the last file, at
which point it'll discard the data in the first file (unless 0 is
specified, in which case, the number of files is unlimited) and
start writing to that file and so on.
    # Note: when the first capture file reaches the maximum size, Tethereal creates a new capture file, and so on
    # until the number of capture files reaches the number given with -b; then the oldest one is discarded.
    # Note: careful! A -b value of 0 means the number of files is unlimited.
 
    If the optional duration is specified, Tethereal will switch also
to the next file when the specified number of seconds has elapsed
even if the current file is not completely filled up.
    # Note: if you give a duration, Tethereal switches to the next capture file after that many seconds even if the current one is not yet full.
    You can only save files in libpcap format when using a ring buffer.
    # Note: in ring buffer mode the capture files can only be saved in libpcap format.
       -c  Set the default number of packets to read when capturing live data.
    # Note: -c is the number of packets to read in a live capture before stopping.
       -d  If the given layer type (e.g., tcp.port or udp.port for a TCP or UDP port number) has the specified selector
           value, packets should be dissected as the specified protocol.
    # Note: -d tells tethereal which protocol to decode the traffic on a given port as.
    Example: -d tcp.port==8888,http will decode any traffic running over TCP port 8888 as HTTP.
    # Note: for example -d tcp.port==8888,http means traffic on TCP port 8888 is to be decoded as HTTP.
    # Addendum: this exists for services that run on non-standard ports.
    # The syntax is: -d <layer type>==<selector>,<decode-as protocol>
       -D  Print a list of the interfaces on which Tethereal can capture, and exit. For each network interface, a number and an interface name,
           possibly followed by a text description of the interface, is printed. The interface name or the number can be supplied to the
           -i flag to specify an interface on which to capture.
        # Note: -D prints the list of interfaces on which Tethereal can capture packets, then exits.
[bob@mail ~]$ /usr/sbin/tethereal -D
1. eth0
2. eth1.no7
3. any (Pseudo-device that captures on all interfaces)
4. lo
[bob@mail ~]$
        # Note: pass one of these names or numbers to -i to choose the capture interface.
    This can be useful on systems that don't have a command to list
them (e.g., Windows systems, or UNIX systems lacking ifconfig -a);
the number can be useful on Windows 2000 and later systems,
where the interface name is a somewhat complex string.
    # Note: this is handy on systems with no other command for listing interfaces, and the number saves typing a long interface name.
    Note that "can capture" means that Tethereal was able to open that
device to do a live capture; if, on your system, a program doing a
network capture must be run from an account with special privileges
(for example, as root), then, if Tethereal is run with the
-D flag and is not run from such an account, it will not list any
interfaces.
    # Note: -D only lists interfaces tethereal could actually open, so run it as a privileged user (e.g. root);
    # otherwise -D may list no interfaces at all, and capturing fails:
[bob@mail ~]$ /usr/sbin/tethereal
tethereal: The capture session could not be initiated (socket: Operation not permitted).
Please check to make sure you have sufficient permissions, and that
you have the proper interface or pipe specified.
[bob@mail ~]$
[bob@mail ~]$ /usr/sbin/tethereal -i lo
tethereal: The capture session could not be initiated (socket: Operation not permitted).
Please check to make sure you have sufficient permissions, and that
you have the proper interface or pipe specified.
[bob@mail ~]$
       -f  Set the capture filter expression.
    # Note: -f sets the capture filter expression.
       -F  Set the file format of the output capture file.
    # Note: -F sets the file format of the capture file written with -w (one of the output formats listed above).
    # It has nothing to do with capture filters.
       -h  Print the version and options and exit.
    # Note: -h prints the help text.
       -i  Set the name of the network interface or pipe to use for live packet capture.
    # Note: -i sets the interface or pipe to capture on.
    Network interface names should match one of the names listed in
"tethereal -D" (described above); a number, as reported by "tethereal -D",
can also be used. If you're using UNIX, "netstat -i" or
"ifconfig -a" might also work to list interface names, although
not all versions of UNIX support the -a flag to ifconfig.
    # Note: the interface name should match one of the interface names or numbers listed by -D.
[bob@mail ~]$ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.063 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.021 ms

--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.021/0.035/0.063/0.018 ms, pipe 2
[bob@mail ~]$

[root@mail ~]# /usr/sbin/tethereal -i lo
Capturing on lo
0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.000030 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
0.999846 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.999858 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
1.999713 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
1.999733 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2.999547 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2.999558 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
8 packets captured
[root@mail ~]#
    If no interface is specified, Tethereal searches the list of
interfaces, choosing the first non-loopback interface if there are
any non-loopback interfaces, and choosing the first loopback
interface if there are no non-loopback interfaces; if there are no
interfaces, Tethereal reports an error and doesn't start the capture.
    # Note: if no interface is given, tethereal searches the interface list:
    # if there is any non-loopback interface, it picks the first non-loopback interface;
    # if there are only loopback interfaces, it picks the first loopback interface;
    # if it finds no interface at all, tethereal reports an error and exits.
[root@mail ~]# tethereal -w all.capture
Warning: Couldn't obtain netmask info (eth0: no IPv4 address assigned).
Capturing on eth0 // it listens on eth0 only, because eth0 is the first usable non-loopback interface
20
[root@mail ~]#
    Pipe names should be either the name of a FIFO (named pipe) or '-' to read data from the standard input. Data read from pipes
must be in standard libpcap format.
    # Note: the pipe name must be a named pipe, or '-' to read from stdin; the data must be in standard libpcap format (binary).
      # For example:
[root@mail ~]# /usr/sbin/tethereal -i lo -w lo.capture
Capturing on lo
20
[root@mail ~]#
[root@mail ~]# file lo.capture
lo.capture: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
[root@mail ~]# tethereal -i - < lo.capture
Capturing on -
0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.000018 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
0.999357 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.999372 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
1.999199 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
1.999211 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2.999055 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2.999071 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3.998889 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
3.998896 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
4.998754 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4.998772 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5.998587 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
5.998596 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
6.998448 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6.998467 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
7.998281 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
7.998289 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
8.998142 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
8.998158 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
20 packets captured
[root@mail ~]#
       -l  Flush the standard output after the information for each packet is
printed. (This is not, strictly speaking, line-buffered if -V was
specified; however, it is the same as line-buffered if -V wasn't
specified, as only one line is printed for each packet, and, as -l
is normally used when piping a live capture to a program or
script, so that output for a packet shows up as soon as the packet
is seen and dissected, it should work just as well as true
line-buffering. We do this as a workaround for a deficiency in
the Microsoft Visual C++ C library.)
    # Note: -l flushes stdout after each packet is printed.
    This may be useful when piping the output of Tethereal to another
program, as it means that the program to which the output is piped
will see the dissected data for a packet as soon as Tethereal sees
the packet and generates that output, rather than seeing it only
when the standard output buffer containing that data fills up.
       -L  List the data link types supported by the interface and exit.
    # Note: -L lists the data link types the interface supports, then exits.
[root@mail ~]# tethereal -L
Data link types (use option -y to set):
EN10MB (Ethernet)
[root@mail ~]#
       -n  Disable network object name resolution (such as hostname, TCP and UDP port names).
    # Note: -n shows IP addresses and port numbers instead of host names and port names.
       -N  Turn on name resolving for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
numbers turned off; the argument is a string that may contain the
letters m to enable MAC address resolution, n to enable network
address resolution, and t to enable transport-layer port number
resolution. This overrides -n if both -N and -n are present. The
letter C enables concurrent (asynchronous) DNS lookups.
    # Note: -N turns on name resolution only for the given kinds of objects; it overrides -n.
    # The letters -N accepts are m (MAC addresses), n (network addresses), t (transport-layer ports) and C (concurrent, asynchronous DNS lookups).
       -o  Set a preference value, overriding the default value and any value
read from a preference file. The argument to the flag is a string
of the form prefname:value, where prefname is the name of the
preference (which is the same name that would appear in the preference
file), and value is the value to which it should be set.
    # Note: -o sets a preference value, in the form prefname:value.
       -p  Don't put the interface into promiscuous mode. Note that the
interface might be in promiscuous mode for some other reason;
hence, -p cannot be used to ensure that the only traffic that is
captured is traffic sent to or from the machine on which Tethereal
is running, broadcast traffic, and multicast traffic to addresses
received by that machine.
    # Note: -p means don't put the interface into promiscuous mode.
    # -p cannot guarantee that the interface is not in promiscuous mode, though, since something else may have enabled it.
    # By default tethereal puts the interface into promiscuous mode and takes it out again when it exits:
Aug 22 10:44:32 mail kernel: device lo entered promiscuous mode
Aug 22 10:44:48 mail kernel: device lo left promiscuous mode
[root@mail ~]#
    # Addendum: apparently it cannot. For example, pinging 172.17.64.34 from as1, tethereal did not capture the ICMP packets,
    # even though as1, 172.17.64.34 and the local host are all on the 172.17.64.0/24 network.
:~> ping 172.17.64.34
PING 172.17.64.34 (172.17.64.34) from 172.17.64.11 : 56(84) bytes of data.
64 bytes from 172.17.64.34: icmp_seq=1 ttl=64 time=0.359 ms

[root@mail ~]# tethereal -r all.capture |grep ICMP
[root@mail ~]#
       -q  When capturing packets, don't display the continuous count of
packets captured that is normally shown when saving a capture to a
file; instead, just display, at the end of the capture, a count of
packets captured. On systems that support the SIGINFO signal,
such as various BSDs, typing your "status" character (typically
control-T, although it might be set to "disabled" by default on at
least some BSDs, so you'd have to explicitly set it to use it)
will cause the current count to be displayed.
     # Note: -q means, when saving captured packets with -w, don't display the running count of packets captured.
    # By default that count is refreshed continuously. On systems that support the SIGINFO signal, the signal can be used
    # to display the current count.
[root@mail ~]# tethereal -q -w all.capture
Warning: Couldn't obtain netmask info (eth0: no IPv4 address assigned).
Capturing on eth0
20 packets captured // normally a continuously changing number is shown below "Capturing on eth0"; with -q it is not
[root@mail ~]#
        When reading a capture file, don't print packet information; this
is useful if you're using a -z flag to calculate statistics and
don't want the packet information printed, just the statistics.
      # Note: when reading a capture file, don't print per-packet information; useful when you use -z
      # and only want to see the statistics, not the packets themselves.
       -r  Read packet data from infile.
    # Note: -r reads packets from a previously saved capture file.
[root@mail ~]# tethereal -r all.capture
1 0.000000 202.105.95.35 -> 224.0.0.2 HSRP Hello (state Active)
2 0.236027 202.105.95.34 -> 224.0.0.2 HSRP Hello (state Standby)
3 0.976804 Cisco_25:40:fb -> CDP/VTP LLC U, func=UI; SNAP, OUI 0x00000C (Cisco), PID 0x2004
4 0.977104 Cisco_25:40:fb -> CDP/VTP LLC U, func=UI; SNAP, OUI 0x00000C (Cisco), PID 0x2004
5 1.969446 Cisco_dc:04:02 -> Broadcast ARP Who has 202.105.95.59? Tell 202.105.95.34
       -R  Cause the specified filter (which uses the syntax of read filters,
           rather than that of capture filters) to be applied before printing
           a decoded form of packets or writing packets to a file; packets
           not matching the filter are discarded rather than being printed or
           written.
    # Note: -R activates a read filter rather than a capture filter.
    # It filters after decoding, not before; its only effect is to stop a packet from being displayed
    # or written to the file, but tethereal has in fact already processed that packet.
    # Packets that do not match are discarded rather than printed or written to the file
       -s  Set the default snapshot length to use when capturing live data.
           No more than snaplen bytes of each network packet will be read
           into memory, or saved to disk.
    # Note: -s sets the default snapshot length used when capturing packets from the network.
    # tethereal reads into memory, or saves to disk, no more than the given number of bytes of each packet
    # Note: -S decodes and prints to stdout while also saving to the file, much like the tee command
[root@mail ~]# tethereal -S -w lo.capture -i lo
Capturing on lo
0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.000019 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
0.999542 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
0.999555 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
1.999395 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
1.999410 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2.999238 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2.999249 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
8 packets captured
[root@mail ~]#
       -t  Set the format of the packet timestamp printed in summary lines.
           The format can be one of 'r' (relative), 'a' (absolute), 'ad'
           (absolute with date), or 'd' (delta). The relative time is the
           time elapsed between the first packet and the current packet. The
           absolute time is the actual time the packet was captured, with no
           date displayed; the absolute date and time is the actual time and
           date the packet was captured. The delta time is the time since
           the previous packet was captured. The default is relative.
    # Note: -t sets the format of the timestamp in summary lines. The format can be r (relative), a (absolute),
    # 'ad' (absolute with date) or d (delta).
    # r (relative) is the time difference between the current packet and the first packet. For a tool such as ping that keeps
    # sending packets, this format lets you read off the rate at which it sends them
    # a (absolute) is the total time taken by the capture
    # ad (absolute with date) is the actual time at which each packet was captured
    # d (delta) is the time since the previous packet was captured
    # The default time format is relative
[root@mail ~]# tethereal -S -w lo.capture -i lo -t ad
Capturing on lo
2007-08-22 11:21:42.936943 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:21:42.936961 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2007-08-22 11:21:43.937030 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:21:43.937048 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2007-08-22 11:21:44.936869 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:21:44.936879 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
2007-08-22 11:21:45.936725 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2007-08-22 11:21:45.936739 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
8 packets captured
[root@mail ~]#
# Addendum: -t can also be used when reading packets from a capture file with -r
[root@as7 ~]# tethereal -r lo.capture -t ad
1 2007-08-22 16:13:22.473059 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2 2007-08-22 16:13:22.473086 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3 2007-08-22 16:13:23.473109 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4 2007-08-22 16:13:23.473123 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5 2007-08-22 16:13:24.472930 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6 2007-08-22 16:13:24.472941 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
[root@as7 ~]#
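To make the four -t formats concrete, here is an added example (not from the tethereal man page or the Ethereal project) that derives r, a, ad and d output from the absolute capture time of each packet. The packet times are constructed, in UTC, and kept as integer microseconds so that the relative and delta columns are exact; tethereal itself prints local time.

```python
from datetime import datetime, timedelta, timezone

# Constructed capture times in integer microseconds since the Unix epoch
# (UTC), mirroring a loopback ping: request/reply pairs one second apart.
# Integers avoid the rounding a float epoch time would introduce.
SAMPLE_TIMES_US = [
    1187752902936943,  # 2007-08-22 03:21:42.936943 UTC, first request
    1187752902936961,  # reply, 18 us later
    1187752903937030,  # second request, about 1 s later
    1187752903937048,  # reply, 18 us later
]

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _seconds(us):
    """Microseconds -> 'S.ffffff' without floating-point drift."""
    return f"{us // 1_000_000}.{us % 1_000_000:06d}"


def format_timestamp(times_us, index, fmt="r"):
    """Render the timestamp of packet `index` the way tethereal -t <fmt> would."""
    t = times_us[index]
    if fmt == "r":   # relative: elapsed since the first packet (the default)
        return _seconds(t - times_us[0])
    if fmt == "d":   # delta: elapsed since the previous packet
        prev = times_us[index - 1] if index > 0 else t
        return _seconds(t - prev)
    wall = _EPOCH + timedelta(microseconds=t)   # exact, no float involved
    if fmt == "a":   # absolute: wall-clock time of capture, no date
        return wall.strftime("%H:%M:%S.%f")
    if fmt == "ad":  # absolute with date
        return wall.strftime("%Y-%m-%d %H:%M:%S.%f")
    raise ValueError(f"unknown -t format: {fmt!r}")


def summary_lines(times_us, fmt="r"):
    """Numbered one-line summaries, like `tethereal -r file -t <fmt>` prints."""
    lines = []
    for i in range(len(times_us)):
        info = "request" if i % 2 == 0 else "reply"
        lines.append(f"{i + 1} {format_timestamp(times_us, i, fmt)} "
                     f"127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) {info}")
    return lines


if __name__ == "__main__":
    for fmt in ("r", "a", "ad", "d"):
        print(f"-t {fmt}:")
        print("\n".join(summary_lines(SAMPLE_TIMES_US, fmt)))
```

The delta column is the one to watch when checking a capture for pacing: a request/reply pair shows a delta of a few microseconds on loopback, while the next request shows roughly one second.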
       -T  Set the format of the output when viewing packet data. The options are:
    # Note: -T sets the output format for packets. The available formats are:
           pdml Packet Details Markup Language, an XML-based format for the
                details of a decoded packet. This information is equivalent
                to the packet details printed with the -V flag.
    # Note: pdml is Packet Details Markup Language, an XML-based format that describes a packet in detail.
    # This format is equivalent to the -V option
    # Note that -T pdml cannot be saved to a file. Also note that this format produces a great deal of output
           psml Packet Summary Markup Language, an XML-based format for the
                summary information of a decoded packet. This information is
                equivalent to the information shown in the one-line summary
                printed by default.
    # Note: psml is Packet Summary Markup Language, also XML-based.
    # It is the default output format of the one-line mode
[root@as7 ~]# tethereal -i lo -T psml
Capturing on lo
No. Time Source Destination Protocol Info
1 0.000000 127.0.0.1 127.0.0.1 ICMP Echo (ping) request
2 0.000021 127.0.0.1 127.0.0.1 ICMP Echo (ping) reply
           ps   PostScript for a human-readable one-line summary of each of
                the packets, or a multi-line view of the details of each of
                the packets, depending on whether the -V flag was specified.
           text Text of a human-readable one-line summary of each of the
                packets, or a multi-line view of the details of each of the
                packets, depending on whether the -V flag was specified. This is
                the default.
    # Note: text is simply the default format.
-v Print the version and exit.
    # Note: -v prints the version and exits
[root@as7 ~]# tethereal -v
tethereal 0.10.6
Compiled with GLib 2.4.7, with libpcap 0.8.3, with libz 1.2.1.2,
without libpcre, without UCD-SNMP or Net-SNMP, without ADNS.
NOTE: this build does not support the "matches" operator for Ethereal filter
syntax.
Running with libpcap version 0.8.3 on Linux 2.6.9-5.13smp.
[root@as7 ~]
       -V  Cause Tethereal to print a view of the details of the packet
           rather than a one-line summary of the packet.
    # Note: -V prints verbose detail, like the per-field detail you see in ethereal's graphical view.
    # Addendum: -V works not only for a live capture but also when reading packets from a file with -r
[root@as7 ~]# tethereal -V -i lo
Capturing on lo
Frame 1 (98 bytes on wire, 98 bytes captured)
Arrival Time: Aug 22, 2007 15:40:49.239842000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 98 bytes
Capture Length: 98 bytes
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)
Source: 00:00:00:00:00:00 (00:00:00_00:00:00)
Type: IP (0x0800)
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 84
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: ICMP (0x01)
Header checksum: 0x3ca7 (correct)
Source: 127.0.0.1 (127.0.0.1)
Destination: 127.0.0.1 (127.0.0.1)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x621a (correct)
Identifier: 0x910a
Sequence number: 0x0000
Data (56 bytes)
0000 81 e8 cb 46 c9 a8 03 00 08 09 0a 0b 0c 0d 0e 0f ...F............
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37
       -w  Write packet data to savefile or to the standard output if savefile is "-".
    # Note: -w saves the result, but in libpcap format, not as text
    # Addendum: do not save it by means of I/O redirection
       -x  Cause Tethereal to print a hex and ASCII dump of the packet data
           after printing the summary or details.
    # Note: -x makes Tethereal dump the packet data in hex and ASCII.
       -y  Set the data link type to use while capturing packets. The values
           reported by -L are the values that can be used.
    # Note: -y sets the data link type to the given type. It must match one of the types listed by -L
       -z  Get Tethereal to collect various types of statistics and display
           the result after finishing reading the capture file. Use the -q
           flag if you're reading a capture file and only want the statistics
           printed, not any per-packet information.
    # Note: -z makes Tethereal display statistics after reading the capture file.
           Note that the -z proto option is different - it doesn't cause
           statistics to be gathered and printed when the capture is complete,
           it modifies the regular packet summary output to include
           the values of fields specified with the option. Therefore you
           must not use the -q option, as that option would suppress the
           printing of the regular packet summary output, and must also not
           use the -V option, as that would cause packet detail information
           rather than packet summary information to be printed.
    # Note: the -z proto option is a little different: it does not produce statistics, but modifies the normal packet summary output so that it includes the values of the given fields
    # So when using -z proto you must not use -q or -V; the former stops tethereal from printing the per-packet
    # information, and the latter prints detail instead of summary information
           Currently implemented statistics are:
    # Note: -z requires you to name the type of statistics to produce; the types available to -z are:
tethereal: invalid -z argument.
-z argument must be one of :
wsp,stat,
smb,rtt
smb,sids
sip,stat
rpc,programs
rpc,rtt,
io,phs
proto,colinfo,
mgcp,rtd
conv,
io,stat,
http,stat,
h225,srt
h225,counter
gsm_a,
dcerpc,rtt,
bootp,stat,
ansi_a,
           -z dcerpc,rtt,uuid,major.minor[,filter]
           Collect call/reply RTT data for DCERPC interface uuid, version
           major.minor. Data collected is number of calls for each procedure,
           MinRTT, MaxRTT and AvgRTT. Example: use -z
           dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0 to collect
           data for CIFS SAMR Interface. This option can be used multiple
           times on the command line.
           If the optional filterstring is provided, the stats will only be
           calculated on those calls that match that filter. Example: use -z
           dcerpc,rtt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
           to collect SAMR RTT statistics for a specific host.
           -z io,phs[,filter]
           Create Protocol Hierarchy Statistics listing both number of packets
           and bytes. If no filter is specified the statistics will be
           calculated for all packets. If a filter is specified statistics
           will be only calculated for those packets that match the filter.
    # Note: -z io,phs produces per-protocol statistics, listing the number of packets and the number of bytes.
    # If no filter is given, all packets are counted by default; if a filter is given, only those packets that match the filter are counted
           This option can be used multiple times on the command line.
    # Note: this option can be used more than once
[root@as7 ~]# tethereal -r lo.capture -z io,phs
1 0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2 0.000018 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3 1.000086 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4 1.000106 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5 1.999922 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6 1.999932 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
7 2.999762 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
8 2.999771 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
9 3.999614 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
10 3.999628 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
11 4.999450 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
12 4.999460 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
13 5.999294 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
14 5.999305 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
15 6.999133 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
16 6.999143 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
17 7.999068 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
18 7.999093 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
19 8.998982 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
20 8.999010 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
21 9.998814 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
22 9.998852 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
===================================================================
Protocol Hierarchy Statistics
Filter: frame
frame frames:22 bytes:2156
eth frames:22 bytes:2156
ip frames:22 bytes:2156
icmp frames:22 bytes:2156
===================================================================
[root@as7 ~]#
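The table above is a flattened tree: every protocol layer is a node, and each frame is counted once at every node on its decode path. The following added example (my own code, not part of tethereal) builds the same hierarchy from constructed packet records that carry their decoded layer list and frame length; the optional `match` predicate plays the role of the io,phs filter. The sample adds two TCP frames to the 22-frame ping capture so that the tree branches below "ip".

```python
# Constructed packet records: the 22-frame loopback ping capture shown
# above plus two TCP frames, so the hierarchy branches below "ip".
SAMPLE_PACKETS = (
    [{"layers": ("frame", "eth", "ip", "icmp"), "len": 98}] * 22
    + [{"layers": ("frame", "eth", "ip", "tcp"), "len": 74}] * 2
)


def protocol_hierarchy(packets, match=None):
    """Return {layer_path_tuple: (frames, bytes)} for every prefix of every
    packet's decode path. `match`, when given, is a predicate over a packet
    record and stands in for the optional io,phs filter."""
    stats = {}
    for pkt in packets:
        if match is not None and not match(pkt):
            continue
        # A 98-byte ICMP frame contributes 98 bytes to frame, eth, ip and icmp.
        for depth in range(1, len(pkt["layers"]) + 1):
            path = pkt["layers"][:depth]
            frames, nbytes = stats.get(path, (0, 0))
            stats[path] = (frames + 1, nbytes + pkt["len"])
    return stats


def render_phs(stats, filter_text=""):
    """Print the tree in tethereal's layout: children indented under parents.
    Sorting the path tuples gives depth-first order for free."""
    lines = ["Protocol Hierarchy Statistics", f"Filter: {filter_text}", ""]
    for path in sorted(stats):
        frames, nbytes = stats[path]
        indent = "  " * (len(path) - 1)
        lines.append(f"{indent}{path[-1]} frames:{frames} bytes:{nbytes}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_phs(protocol_hierarchy(SAMPLE_PACKETS), "frame"))
    # With a filter equivalent to "icmp", the TCP frames drop out at every level.
    only_icmp = protocol_hierarchy(SAMPLE_PACKETS, match=lambda p: "icmp" in p["layers"])
    print(render_phs(only_icmp, "icmp"))
```

Because bytes are attributed at every level, the byte counts of sibling nodes ("icmp" and "tcp") add up to their parent ("ip"); a hierarchy whose children do not sum to the parent is a sign that a layer was only partially dissected.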
           -z io,stat,interval[,filter][,filter][,filter]...
           Collect packet/bytes statistics for the capture in intervals of
           interval seconds. Intervals can be specified either as whole or
           fractional seconds. Interval can be specified in ms resolution.
    # Note: -z io,stat,interval collects statistics per interval; the interval may be fractional, with ms resolution, i.e. it may be 0.00x seconds
[root@as7 ~]# tethereal -r lo.capture -z io,stat,0.5
1 0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2 0.000027 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3 1.000050 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4 1.000064 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5 1.999871 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6 1.999882 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
===================================================================
IO Statistics
Interval: 0.500 secs
Column #0:
| Column #0
Time |frames| bytes
000.000-000.500 2 196 # Note: 196 = 98 + 98, i.e. the 1st ECHO_REQUEST and the 1st ECHO_RESPONSE
000.500-001.000 0 0
001.000-001.500 2 196 # The 2nd ECHO_REQUEST and the 2nd ECHO_RESPONSE (the 2nd ECHO_REQUEST was sent 1 second after the 1st)
001.500-002.000 2 196 # The 3rd ECHO_REQUEST and the 3rd ECHO_RESPONSE (the 3rd ECHO_REQUEST was sent 1.9 seconds after the 1st)
===================================================================
[root@as7 ~]#
           If no filter is specified the statistics will be calculated for
           all packets. If one or more filters are specified statistics will
           be calculated for all filters and presented with one column of
           statistics for each filter.
           This option can be used multiple times on the command line.
    # Note: likewise, -z io,stat can be given more than once on the command line.
[root@as7 ~]# tethereal -r lo.capture -z io,stat,0.5 -z io,stat,1
(omitted)
===================================================================
IO Statistics
Interval: 1.000 secs
Column #0:
| Column #0
Time |frames| bytes
000.000-001.000 2 196
001.000-002.000 4 392
===================================================================
===================================================================
IO Statistics
Interval: 0.500 secs
Column #0:
| Column #0
Time |frames| bytes
000.000-000.500 2 196
000.500-001.000 0 0
001.000-001.500 2 196
001.500-002.000 2 196
===================================================================
[root@as7 ~]#
           Example: -z io,stat,1,ip.addr==1.2.3.4 to generate 1 second
           statistics for all traffic to/from host 1.2.3.4.
    # Note: the example above first selects all packets whose IP source/destination address is 1.2.3.4, then prints statistics at 1-second intervals
           Example: -z "io,stat,0.001,smb&&ip.addr==1.2.3.4" to generate 1ms
           statistics for all SMB packets to/from host 1.2.3.4.
    # Note: the example above first selects all SMB packets whose source/destination address is 1.2.3.4, then collects statistics at 0.001-second intervals
           The examples above all use the standard syntax for generating
           statistics which only calculates the number of packets and bytes
           in each interval. io,stat can also do much more statistics and
           calculate COUNT(), SUM(), MIN(), MAX(), and AVG() using a slightly
           different filter syntax:
           [COUNT│SUM│MIN│MAX│AVG]()
    # Note: the examples above only use a small part of what io,stat can do; it can do much more.
    # For example it can perform COUNT(), SUM(), MIN(), MAX() and AVG(). The syntax is shown above
           One important thing to note here is that the field that the
           calculation is based on MUST also be part of the filter string or
           else the calculation will fail.
    # Note: one thing to remember is that the field being calculated must be part of the filter string, otherwise an error is reported
           So: -z io,stat,0.010,AVG(smb.time) does not work. Use -z
           io,stat,0.010,AVG(smb.time)smb.time instead. Also be aware that a
           field can exist multiple times inside the same packet and will then
           be counted multiple times in those packets.
# Note: for example -z io,stat,0.0010,AVG(smb.time) will not work, but adding smb.time after it will
# Note that a field can occur more than once within a packet and is then counted repeatedly
# COUNT counts how many times the field occurs, SUM adds the values up (must be numeric, otherwise an error), AVG, MIN, MAX (all must be numeric)
# Addendum: since ( ) are special characters to the shell, they must be enclosed in ' '
[root@as7 ~]# tethereal -r lo.capture -z io,stat,0.5,COUNT'(ip.addr)' ip.addr
1 0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2 0.000027 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3 1.000050 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4 1.000064 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5 1.999871 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6 1.999882 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
===================================================================
IO Statistics
Interval: 0.500 secs
Column #0: COUNT(ip.addr)
| Column #0
Time | COUNT
000.000-000.500 4
000.500-001.000 0
001.000-001.500 4
001.500-002.000 4
===================================================================
[root@as7 ~]#
[root@as7 ~]# tethereal -r lo.capture -z io,stat,0.5,SUM'(ip.checksum)' ip.checksum
1 0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2 0.000027 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3 1.000050 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4 1.000064 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5 1.999871 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6 1.999882 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
===================================================================
IO Statistics
Interval: 0.500 secs
Column #0: SUM(ip.checksum)
| Column #0
Time | SUM
000.000-000.500 52180
000.500-001.000 0
001.000-001.500 52178
001.500-002.000 52176
===================================================================
[root@as7 ~]#
           COUNT() can be used on any type which has a display filter name.
           It will count how many times this particular field is
           encountered in the filtered packet list.
    # Note: it must be a valid filter
           Example: -z io,stat,0.010,COUNT(smb.sid)smb.sid
           This will count the total number of SIDs seen in each 10ms interval.
    # Note: for example, the line above counts the number of SIDs seen in each 10ms interval
           SUM() can only be used on named fields of integer type. This will
           sum together every occurrence of this field's value for each interval.
    # Note: SUM() can be used to total integer-typed fields.
           Example: -z io,stat,0.010,SUM(frame.pkt_len)frame.pkt_len
           This will report the total number of bytes seen in all the packets
           within an interval.
    # Note: for example, the line above adds up the length of every frame in each interval.
           MIN/MAX/AVG() can only be used on named fields that are either
           integers or relative time fields. This will calculate
           maximum/minimum or average seen in each interval. If the field is a
           relative time field the output will be presented in seconds and
           three digits after the decimal point. The resolution for time
           calculations is 1ms and anything smaller will be truncated.
    # Note: AVG divides the total by the number of occurrences. For example, to get the length of each Ethernet frame in each interval:
[root@as7 ~]# tethereal -r lo.capture -z io,stat,0.5,AVG'(frame.pkt_len)' frame.pkt_len
1 0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2 0.000027 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3 1.000050 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4 1.000064 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5 1.999871 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6 1.999882 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
===================================================================
IO Statistics
Interval: 0.500 secs
Column #0: AVG(frame.pkt_len)
| Column #0
Time | AVG
000.000-000.500 98 # Note: because both ECHO_REQUEST and ECHO_RESPONSE are 98 bytes
000.500-001.000 0
001.000-001.500 98
001.500-002.000 98
===================================================================
[root@as7 ~]#
           Example:
           -z "io,stat,0.010,smb.time&&ip.addr==1.1.1.1,MIN(smb.time)smb.time&&ip.addr==1.1.1.1,MAX(smb.time)smb.time&&ip.addr==1.1.1.1,AVG(smb.time)smb.time&&ip.addr==1.1.1.1"
    # Note: for example, the line above uses 10ms intervals to find
           This will calculate statistics for all smb response times we see
           to/from host 1.1.1.1 in 10ms intervals. The output will be
           displayed in 4 columns; number of packets/bytes, minimum response
           time, maximum response time and average response time.
    # Note: if you want several statistics in the output, the part after -z must be enclosed in ' ' and each column separated by a comma
[root@as7 ~]# tethereal -r lo.capture -z "io,stat,0.5,MAX(frame.pkt_len) frame.pkt_len,SUM(frame.pkt_len)frame.pkt_len"
1 0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2 0.000027 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3 1.000050 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4 1.000064 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5 1.999871 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6 1.999882 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
===================================================================
IO Statistics
Interval: 0.500 secs
Column #0: MAX(frame.pkt_len) frame.pkt_len
Column #1: SUM(frame.pkt_len)frame.pkt_len
| Column #0 | Column #1
Time | MAX | SUM
000.000-000.500 98 196
000.500-001.000 0 0
001.000-001.500 98 196
001.500-002.000 98 196
===================================================================
[root@as7 ~]#
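The io,stat runs above (plain frames/bytes per interval, then COUNT, SUM, AVG, MAX and a two-column run) all follow one rule set: bucket packets by interval, keep those that match the column's filter, and apply the function to every occurrence of the field. The added example below (my own code, not tethereal's) implements those rules over constructed packet records so the behaviour can be checked offline. Filters are modelled only as "&&"-joined field names that must be present in the packet, which is the form every example on this page uses; a real display-filter language is not implemented. The constructed checksum values are chosen so the SUM column reproduces the figures shown above.

```python
import re

# Constructed packets: (capture time in microseconds, decoded fields).
# Field values are lists because a field may occur more than once in a
# packet: ip.addr covers both source and destination, which is why
# COUNT(ip.addr) above reports 4 for an interval holding two packets.
_PING = {"frame.pkt_len": [98], "ip.addr": ["127.0.0.1", "127.0.0.1"]}
SAMPLE_PACKETS = [
    (0,       {**_PING, "ip.checksum": [26091]}),
    (27,      {**_PING, "ip.checksum": [26089]}),
    (1000050, {**_PING, "ip.checksum": [26090]}),
    (1000064, {**_PING, "ip.checksum": [26088]}),
    (1999871, {**_PING, "ip.checksum": [26089]}),
    (1999882, {**_PING, "ip.checksum": [26087]}),
]

_CALC_RE = re.compile(r"^(COUNT|SUM|MIN|MAX|AVG)\(([^)]+)\)(.*)$")


def _split_filter(text):
    return [f.strip() for f in text.split("&&") if f.strip()]


def parse_column(spec):
    """'COUNT(ip.addr)ip.addr' -> ('COUNT', 'ip.addr', ['ip.addr']);
    a spec without a function is a plain frames/bytes column."""
    spec = spec.strip()
    m = _CALC_RE.match(spec)
    if m is None:
        return ("FRAMES", None, _split_filter(spec))
    func, field, required = m.group(1), m.group(2).strip(), _split_filter(m.group(3))
    # The man page's caveat: the calculated field MUST also be in the filter.
    if field not in required:
        raise ValueError(f"{func}({field}) needs {field!r} in its filter string")
    return (func, field, required)


def calc_field_missing(spec):
    """True when tethereal would reject the spec for the reason above."""
    try:
        parse_column(spec)
    except ValueError:
        return True
    return False


def io_stat(packets, interval_s, *column_specs):
    """Return [((lo_us, hi_us), [column value, ...]), ...], one row per interval."""
    interval_us = int(round(interval_s * 1_000_000))  # ms resolution is plenty
    columns = [parse_column(s) for s in column_specs] or [("FRAMES", None, [])]
    last_bucket = max(t for t, _ in packets) // interval_us
    rows = []
    for bucket in range(last_bucket + 1):
        lo, hi = bucket * interval_us, (bucket + 1) * interval_us
        in_bucket = [fields for t, fields in packets if lo <= t < hi]
        row = []
        for func, field, required in columns:
            matched = [f for f in in_bucket if all(r in f for r in required)]
            if func == "FRAMES":
                row.append((len(matched), sum(f["frame.pkt_len"][0] for f in matched)))
                continue
            values = [v for f in matched for v in f.get(field, [])]  # every occurrence counts
            if func == "COUNT":
                row.append(len(values))
            elif func == "SUM":
                row.append(sum(values))
            elif func == "MIN":
                row.append(min(values) if values else 0)
            elif func == "MAX":
                row.append(max(values) if values else 0)
            else:  # AVG, reported as an integer like the table above
                row.append(sum(values) // len(values) if values else 0)
        rows.append(((lo, hi), row))
    return rows


def render_io_stat(rows, interval_s, column_specs=()):
    """Lay the rows out in the 'IO Statistics' shape tethereal prints."""
    lines = ["IO Statistics", f"Interval: {interval_s:.3f} secs"]
    for i, spec in enumerate(column_specs or [""]):
        lines.append(f"Column #{i}: {spec}")
    for (lo, hi), row in rows:
        cells = " ".join(f"{c[0]} {c[1]}" if isinstance(c, tuple) else str(c) for c in row)
        lines.append(f"{lo / 1e6:07.3f}-{hi / 1e6:07.3f} {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    specs = ["MAX(frame.pkt_len)frame.pkt_len", "SUM(frame.pkt_len)frame.pkt_len"]
    print(render_io_stat(io_stat(SAMPLE_PACKETS, 0.5, *specs), 0.5, specs))
```

Two details matter when reading real output: the empty 0.500-1.000 row shows 0 rather than being skipped, so a gap in traffic is visible, and the per-occurrence rule means COUNT on a multi-valued field (ip.addr, smb.sid) is not a packet count.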
           -z conv,type[,filter]
           Create a table that lists all conversations that could be seen in
           the capture. type specifies which type of conversation we want to
           generate the statistics for; currently the supported ones are
    # Note: -z conv, prints a table listing every conversation. The available types are as follows:
           "eth"  Ethernet                                   # Note: eth is Ethernet
           "fc"   Fibre Channel                              # Note: fc is Fibre Channel
           "fddi" FDDI                                       # Note: fddi is FDDI
           "ip"   IP addresses                               # Note: ip is the IP protocol
           "ipx"  IPX addresses                              # Note: ipx is the IPX protocol
           "tcp"  TCP/IP socket pairs Both IPv4 and IPv6 are supported   # Note: tcp is the TCP protocol
           "tr"   Token Ring                                 # Note: tr is Token Ring
           "udp"  UDP/IP socket pairs Both IPv4 and IPv6 are supported   # Note: udp is the UDP protocol
    # Addendum: it cannot be ICMP, since ICMP is contained within the ip protocol.
           If the optional filter string is specified, only those packets
           that match the filter will be used in the calculations.
           The table is presented with one line for each conversation and
           displays number of packets/bytes in each direction as well as
           total number of packets/bytes. The table is sorted according to
           total number of bytes.
[root@as7 ~]# tethereal -r lo.capture -z conv,eth -z conv,ip
1 0.000000 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
2 0.000027 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
3 1.000050 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
4 1.000064 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
5 1.999871 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) request
6 1.999882 127.0.0.1 -> 127.0.0.1 ICMP Echo (ping) reply
================================================================================
IPv4 Conversations
Filter:
| <- | | -> | | Total |
| Frames Bytes | | Frames Bytes | | Frames Bytes |
127.0.0.1 <-> 127.0.0.1 6 588 0 0 6 588
================================================================================
================================================================================
Ethernet Conversations
Filter:
| <- | | -> | | Total |
| Frames Bytes | | Frames Bytes | | Frames Bytes |
00:00:00:00:00:00 <-> 00:00:00:00:00:00 6 588 0 0 6 588
================================================================================
[root@as7 ~]#
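The loopback table above has one peculiarity worth understanding: all six frames land in one direction column because source and destination are the same address. The added example below (my own code, not tethereal's) builds a conv,ip style table from constructed (source, destination, length) records: the address pair is the key regardless of direction, frames and bytes are counted per direction, and rows are sorted by total bytes as the man page states. The optional `match` predicate stands in for the conv filter. Column headings are mine; tethereal labels the direction columns "<-" and "->".

```python
# Constructed packets: (source address, destination address, frame length).
# Two IP conversations; the first is two-way and carries the most bytes.
SAMPLE_IP_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 74),
    ("10.0.0.9", "10.0.0.5", 66),
    ("10.0.0.5", "10.0.0.9", 1514),
    ("10.0.0.5", "10.0.0.9", 1514),
    ("10.0.0.7", "10.0.0.9", 98),
    ("10.0.0.9", "10.0.0.7", 98),
]


def conversations(packets, match=None):
    """Return rows (a, b, frames_ab, bytes_ab, frames_ba, bytes_ba,
    total_frames, total_bytes) sorted by total bytes, descending.
    `match(src, dst)`, when given, plays the role of the conv filter."""
    table = {}
    for src, dst, nbytes in packets:
        if match is not None and not match(src, dst):
            continue
        a, b = sorted((src, dst))  # one key per address pair, either direction
        counters = table.setdefault((a, b), [0, 0, 0, 0])  # a->b frames/bytes, b->a frames/bytes
        # When src == dst (loopback) src equals a, so everything counts as a->b.
        offset = 0 if src == a else 2
        counters[offset] += 1
        counters[offset + 1] += nbytes
    rows = []
    for (a, b), (fab, bab, fba, bba) in table.items():
        rows.append((a, b, fab, bab, fba, bba, fab + fba, bab + bba))
    rows.sort(key=lambda r: r[7], reverse=True)  # busiest conversation first
    return rows


def render_conversations(rows, title="IPv4 Conversations", filter_text=""):
    lines = [
        title,
        f"Filter: {filter_text}",
        "| A->B | | B->A | | Total |",
        "| Frames Bytes | | Frames Bytes | | Frames Bytes |",
    ]
    for a, b, fab, bab, fba, bba, frames, nbytes in rows:
        lines.append(f"{a} <-> {b} {fab} {bab} {fba} {bba} {frames} {nbytes}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_conversations(conversations(SAMPLE_IP_PACKETS)))
    loopback = [("127.0.0.1", "127.0.0.1", 98)] * 6  # the capture shown above
    print(render_conversations(conversations(loopback)))
```

Sorting by total bytes is what makes the table useful for triage: a single conversation dominating the byte count, or one with many frames in one direction and none back, stands out at the top of the list.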
           -z proto,colinfo,filter,field
           Append all field values for the packet to the Info column of the
           one-line summary output. This feature can be used to append
           arbitrary fields to the Info column in addition to the normal
           content of that column. field is the display-filter name of a field
           whose value should be placed in the Info column. filter is a filter
           string that controls for which packets the field value will be
           presented in the info column. field will only be presented in the
           Info column for the packets which match filter.
    # Note: -z means
           NOTE: In order for Tethereal to be able to extract the field value
           from the packet, field MUST be part of the filter string. If not,
           Tethereal will not be able to extract its value.
           For a simple example to add the "nfs.fh.hash" field to the Info
           column for all packets containing the "nfs.fh.hash" field, use
           -z proto,colinfo,nfs.fh.hash,nfs.fh.hash
           To put "nfs.fh.hash" in the Info column but only for packets
           coming from host 1.2.3.4 use:
           -z "proto,colinfo,nfs.fh.hash && ip.src==1.2.3.4,nfs.fh.hash"
           This option can be used multiple times on the command line.
           -z rpc,rtt,program,version[,filter]
           Collect call/reply RTT data for program/version. Data collected
           is number of calls for each procedure, MinRTT, MaxRTT and AvgRTT.
           Example: use -z rpc,rtt,100003,3 to collect data for NFS v3. This
           option can be used multiple times on the command line.
    # Note: -z rpc,rtt,program,version
           If the optional filterstring is provided, the stats will only be
           calculated on those calls that match that filter. Example: use -z
           rpc,rtt,100003,3,nfs.fh.hash==0x12345678 to collect NFS v3 RTT
           statistics for a specific file.
           -z rpc,programs
           Collect call/reply RTT data for all known ONC-RPC
           programs/versions. Data collected is number of calls for each
           protocol/version, MinRTT, MaxRTT and AvgRTT. This option can only
           be used once on the command line.
           -z smb,rtt[,filter]
           Collect call/reply RTT data for SMB. Data collected is number of
           calls for each SMB command, MinRTT, MaxRTT and AvgRTT. Example:
           use -z smb,rtt. The data will be presented as separate tables for
           all normal SMB commands, all Transaction2 commands and all NT
           Transaction commands. Only those commands that are seen in the
           capture will have their stats displayed. Only the first command in
           a xAndX command chain will be used in the calculation. So for
           common SessionSetupAndX + TreeConnectAndX chains, only the
           SessionSetupAndX call will be used in the statistics. This is a
           flaw that might be fixed in the future.
           This option can be used multiple times on the command line.
           If the optional filterstring is provided, the stats will only be
           calculated on those calls that match that filter. Example: use -z
           "smb,rtt,ip.addr==1.2.3.4" to only collect stats for SMB packets
           exchanged by the host at IP address 1.2.3.4.
           -z smb,sids
           When this feature is used Tethereal will print a report with all
           the discovered SID and account name mappings. Only those SIDs
           where the account name is known will be presented in the table.
           For this feature to work you will need to either to enable
           "Edit/Preferences/Protocols/SMB/Snoop SID to name mappings" in the
           preferences or you can override the preferences by specifying
           -o "smb.sid_name_snooping:TRUE" on the Tethereal command line.
           The current methods used by Tethereal to find the SID->name
           mapping is relatively restricted but is hoped to be expanded in
           the future.
           -z mgcp,rtd[,filter]
           Collect requests/response RTD (Response Time Delay) data for MGCP.
           This is similar to -z smb,rtt. Data collected is number of calls
           for each known MGCP Type, MinRTD, MaxRTD and AvgRTD. Additionally
           you get the number of duplicate requests/responses, unresponded
           requests, and responses which don't match any request. Example:
           use -z mgcp,rtd.
           This option can be used multiple times on the command line.
           If the optional filterstring is provided, the stats will only be
           calculated on those calls that match that filter. Example: use -z
           "mgcp,rtd,ip.addr==1.2.3.4" to only collect stats for MGCP packets
           exchanged by the host at IP address 1.2.3.4.
           -z h225,counter[,filter]
           Count ITU-T H.225 messages and their reasons. In the first column
           you get a list of H.225 messages and H.225 message reasons, which
           occur in the current capture file. The number of occurrences of
           each message or reason is displayed in the second column.
           Example: use -z h225,counter.
           This option can be used multiple times on the command line.
           If the optional filterstring is provided, the stats will only be
           calculated on those calls that match that filter. Example: use -z
           "h225,counter,ip.addr==1.2.3.4" to only collect stats for H.225
           packets exchanged by the host at IP address 1.2.3.4.
    -z h225,srt[,filter]
    Collect request/response SRT (Service Response Time) data for ITU-T H.225 RAS. Data collected is the number of calls of each ITU-T
H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT, Minimum in Frame, and Maximum in Frame. You will also get the
number of Open Requests (Unresponded Requests), Discarded Responses (Responses without matching request) and Duplicate Messages.
Example: use -z h225,srt.
    This option can be used multiple times on the command line.
    If the optional filter string is provided, the stats will only be calculated on those calls that match that filter. Example: use -z
"h225,srt,ip.addr==1.2.3.4" to only collect stats for ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4.
    -z sip,stat[,filter]
    This option will activate a counter for SIP messages. You will get the number of occurrences of each SIP Method and of each SIP
Status-Code. Additionally you also get the number of resent SIP Messages (only for SIP over UDP).
    Example: use -z sip,stat.
    This option can be used multiple times on the command line.
    If the optional filter string is provided, the stats will only be calculated on those calls that match that filter. Example: use -z
"sip,stat,ip.addr==1.2.3.4" to only collect stats for SIP packets exchanged by the host at IP address 1.2.3.4.
CAPTURE FILTER SYNTAX
See manual page of tcpdump(8).
# Note: for the capture filter syntax, see tcpdump.
READ FILTER SYNTAX
For a complete table of protocols and protocol fields that are filterable in Tethereal see ethereal-filter(4).
# Note: for read filters, refer to Tethereal's ethereal-filter(4) page.
FILES
The ethereal.conf file, which is installed in the etc directory under the main installation directory (for example, /usr/local/etc) on
UNIX-compatible systems, and in the main installation directory (for example, C:\Program Files\Ethereal) on Windows systems, and the personal
preferences file, which is $HOME/.ethereal/preferences on UNIX-compatible systems and %APPDATA%\Ethereal\preferences (or, if %APPDATA%
isn’t defined, %USERPROFILE%\Application Data\Ethereal\preferences) on Windows systems, contain system-wide and personal preference settings,
respectively. The file contains preference settings of the form prefname:value, one per line, where prefname is the name of the preference
(which is the same name that would appear in the preference file), and value is the value to which it should be set; white space is allowed
between : and value. A preference setting can be continued on subsequent lines by indenting the continuation lines with white space. A #
character starts a comment that runs to the end of the line.
        # Note: the preference files are ethereal.conf and the files under .ethereal. The former lives in the etc directory of the
        # installation (for example /usr/local/etc), the latter in the user's HOME directory; the former holds the system-wide settings,
        # the latter the personal ones. The format is prefname:value, one per line; a line that starts with white space is treated as a
        # continuation of the previous line, and # marks a comment.
       The system-wide preference file is read first, if it exists, overriding Tethereal’s default values; the personal preferences file is then
read, if it exists, overriding default values and values read from the system-wide preference file.
    # Note: the system-wide preference file is read first (if it exists), then the personal preference file (if present),
    # which overrides the system-wide preference file.
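       The rules above (prefname:value, white space allowed after the colon, indented continuation lines, # comments, defaults overridden
by the system-wide file and then by the personal file, with -o "prefname:value" on the command line overriding both, as noted under the
SMB SID snooping option) are easy to get wrong by hand. The following Python reader is an added example, not Ethereal's own preference
code; the two sample files and the DEFAULTS table are constructed, and joining continuation lines with a single space is an assumption,
since the man page does not say how continuation lines are joined.

```python
# Added example (not Ethereal/Tethereal code): a reader for the preference-file format
# described in the man page, plus the layering order it specifies.
# Assumptions: the sample files below are constructed, and continuation lines are
# joined with a single space (the man page does not say how they are joined).
from typing import Dict, Iterable


def parse_prefs(text: str) -> Dict[str, str]:
    """Parse prefname:value lines; '#' starts a comment, an indented line continues the previous value."""
    prefs: Dict[str, str] = {}
    current = None  # name of the preference that an indented line would continue
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # a comment runs to the end of the line
        if not line.strip():
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError(f"continuation line without a preference: {raw!r}")
            prefs[current] += " " + line.strip()  # assumption: join with one space
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"expected prefname:value, got {raw!r}")
        current = name.strip()
        prefs[current] = value.strip()  # white space between ':' and the value is allowed
    return prefs


def effective_prefs(defaults: Dict[str, str], system_text: str, personal_text: str) -> Dict[str, str]:
    """Built-in defaults, overridden by the system-wide file, overridden by the personal file."""
    prefs = dict(defaults)
    prefs.update(parse_prefs(system_text))
    prefs.update(parse_prefs(personal_text))
    return prefs


def apply_overrides(prefs: Dict[str, str], overrides: Iterable[str]) -> Dict[str, str]:
    """Apply -o "prefname:value" settings, which beat both preference files."""
    prefs = dict(prefs)
    for item in overrides:
        prefs.update(parse_prefs(item))
    return prefs


# Constructed sample inputs (not taken from any real installation).
DEFAULTS = {"smb.sid_name_snooping": "FALSE"}

SYSTEM_CONF = """\
# constructed system-wide ethereal.conf
smb.sid_name_snooping: FALSE
gui.column.format: "No.", "%m",
    "Source", "%s",
    "Destination", "%d"
"""

PERSONAL_CONF = """\
# constructed $HOME/.ethereal/preferences
smb.sid_name_snooping:TRUE
"""


def snooping_enabled(overrides: Iterable[str] = ()) -> bool:
    """True when smb.sid_name_snooping is TRUE after both files and any -o overrides."""
    prefs = apply_overrides(effective_prefs(DEFAULTS, SYSTEM_CONF, PERSONAL_CONF), overrides)
    return prefs["smb.sid_name_snooping"].upper() == "TRUE"


if __name__ == "__main__":
    print(effective_prefs(DEFAULTS, SYSTEM_CONF, PERSONAL_CONF))
    print("no -o:", snooping_enabled())
    print('-o "smb.sid_name_snooping:FALSE":', snooping_enabled(["smb.sid_name_snooping:FALSE"]))
```

With these inputs the personal file turns SID snooping on even though the system-wide file and the default leave it off, and a
-o override on the command line wins over both files.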
       The disabled protocols file, which is $HOME/.ethereal/disabled_protos on UNIX-compatible systems and %APPDATA%\Ethereal\disabled_protos (or,
if %APPDATA% isn’t defined, %USERPROFILE%\Application Data\Ethereal\disabled_protos) on Windows systems, contains a list of protocols
that have been disabled, so that their dissectors are never called. The file contains protocol names, one per line, where the protocol
name is the same name that would be used in a display filter for the protocol. A # character starts a comment that runs to the end of the
line.
    # Note: you can also stop tethereal from dissecting particular protocols by listing them in $HOME/.ethereal/disabled_protos,
    # one protocol name per line.
       The ethers file, which is found in the /etc directory on UNIX-compatible systems, and in the main installation directory (for example,
C:\Program Files\Ethereal) on Windows systems, is consulted to correlate 6-byte hardware addresses to names. If an address is not
found in the ethers file, the $HOME/.ethereal/ethers file on UNIX-compatible systems, and the %APPDATA%\Ethereal\ethers file (or, if
%APPDATA% isn’t defined, the %USERPROFILE%\Application Data\Ethereal\ethers file) on Windows systems is consulted next. Each line
contains one hardware address and name, separated by whitespace. The digits of the hardware address are separated by either a colon (:), a
dash (-), or a period (.). The following three lines are valid lines of an ethers file:
          ff:ff:ff:ff:ff:ff     Broadcast
          c0-00-ff-ff-ff-ff     TR_broadcast
          00.00.00.00.00.00     Zero_broadcast
       The manuf file, which is installed in the etc directory under the main installation directory (for example, /usr/local/etc) on
UNIX-compatible systems, and in the main installation directory (for example, C:\Program Files\Ethereal) on Windows systems, matches the
3-byte vendor portion of a 6-byte hardware address with the manufacturer’s name; it can also contain well-known MAC addresses and address
ranges specified with a netmask. The format of the file is the same as the ethers file, except that entries of the form
          00:00:0C      Cisco
       can be provided, with the 3-byte OUI and the name for a vendor, and entries of the form
          00-00-0C-07-AC/40     All-HSRP-routers
       can be specified, with a MAC address and a mask indicating how many bits of the address must match. Trailing zero bytes can be omitted
from address ranges. That entry, for example, will match addresses from 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not
be a multiple of 8.
       The ipxnets file, which is found in the /etc directory on UNIX-compatible systems, and in the main installation directory (for example,
C:\Program Files\Ethereal) on Windows systems, correlates 4-byte IPX network numbers to names. If a network number is not found in the
ipxnets file, the $HOME/.ethereal/ipxnets file on UNIX-compatible systems, and the %APPDATA%\Ethereal\ipxnets file (or, if %APPDATA% isn’t
defined, the %USERPROFILE%\Application Data\Ethereal\ipxnets file) on Windows systems, is consulted next. The format is the same as the
ethers file, except that each address is four bytes instead of six. Additionally, the address can be represented as a single hexadecimal
number, as is more common in the IPX world, rather than four hex octets. For example, these four lines are valid lines of an ipxnets file:
          C0.A8.2C.00    HR
          c0-a8-1c-00    CEO
          00:00:BE:EF    IT_Server1
          110f           FileServer3
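       The ethers, manuf and ipxnets files above share one address syntax and differ only in address width, the optional /mask and the
bare hexadecimal form. The following Python resolver is an added example, not Ethereal's own name-resolution code: it parses all three
formats, applies the longest matching mask (including masks that are not a multiple of 8), and consults the system ethers file, then the
personal ethers file, then manuf. The sample file contents are constructed (the man page's example lines plus a personal ethers entry and
a /25 IPv4-multicast entry), and consulting manuf only after both ethers files is an assumption about Tethereal's order.

```python
# Added example (not Ethereal/Tethereal code): a resolver implementing the ethers, manuf and
# ipxnets formats from the man page. Sample file contents are constructed; consulting manuf only
# after the system and personal ethers files is an assumption about Tethereal's lookup order.
import re
from typing import List, Optional, Tuple

_SEP = re.compile(r"[:\-.]")


def parse_addr(text: str, nbytes: int) -> Tuple[int, int]:
    """Return (value, bits_given). Octets are separated by ':', '-' or '.'; trailing zero bytes may be
    omitted ('00-00-0C-07-AC' -> 00-00-0C-07-AC-00 with 40 bits given); a bare hexadecimal number
    ('110f', ipxnets style) is the whole nbytes-byte address."""
    parts = _SEP.split(text)
    if len(parts) == 1:                      # bare hexadecimal number
        value = int(text, 16)
        if value >> (8 * nbytes):
            raise ValueError(f"{text!r} does not fit in {nbytes} bytes")
        return value, 8 * nbytes
    if len(parts) > nbytes:
        raise ValueError(f"{text!r} has more than {nbytes} octets")
    value = 0
    for octet in parts:
        if not 1 <= len(octet) <= 2:
            raise ValueError(f"bad octet {octet!r} in {text!r}")
        value = (value << 8) | int(octet, 16)
    return value << (8 * (nbytes - len(parts))), 8 * len(parts)


def parse_entry(line: str, nbytes: int) -> Optional[Tuple[int, int, str]]:
    """Return (address, mask_bits, name) for one file line, or None for blank and comment lines."""
    line = line.split("#", 1)[0].strip()     # '#' starts a comment that runs to end of line
    if not line:
        return None
    fields = line.split(None, 1)
    if len(fields) != 2:
        raise ValueError(f"expected 'address name', got {line!r}")
    addr_text, slash, mask_text = fields[0].partition("/")
    value, bits_given = parse_addr(addr_text, nbytes)
    bits = int(mask_text) if slash else bits_given   # no /mask: match exactly the octets given
    if not 0 <= bits <= 8 * nbytes:
        raise ValueError(f"mask /{bits} out of range in {line!r}")
    return value, bits, fields[1]


class NameTable:
    """One address-to-name file; on lookup the entry with the longest matching mask wins."""

    def __init__(self, nbytes: int):
        self.nbytes = nbytes
        self.entries: List[Tuple[int, int, str]] = []

    def load(self, text: str) -> "NameTable":
        self.entries += [e for e in (parse_entry(ln, self.nbytes) for ln in text.splitlines()) if e]
        return self

    def lookup(self, text: str) -> Optional[str]:
        addr, _ = parse_addr(text, self.nbytes)
        best = None
        for value, bits, name in self.entries:
            # the top `bits` bits must agree: shifting the remaining bits out leaves zero on a match
            if (addr ^ value) >> (8 * self.nbytes - bits) == 0 and (best is None or bits > best[0]):
                best = (bits, name)
        return best[1] if best else None


# Constructed sample files: the man page's example lines plus a few extra entries.
SYSTEM_ETHERS = "ff:ff:ff:ff:ff:ff Broadcast\nc0-00-ff-ff-ff-ff TR_broadcast\n00.00.00.00.00.00 Zero_broadcast\n"
PERSONAL_ETHERS = "# constructed $HOME/.ethereal/ethers\n00:00:0c:07:ac:05 core-gw-hsrp\n"
MANUF = "00:00:0C Cisco\n00-00-0C-07-AC/40 All-HSRP-routers\n01-00-5E/25 IPv4mcast  # mask not a multiple of 8\n"
IPXNETS = "C0.A8.2C.00 HR\nc0-a8-1c-00 CEO\n00:00:BE:EF IT_Server1\n110f FileServer3\n"

ETHERS_TABLES = [NameTable(6).load(SYSTEM_ETHERS), NameTable(6).load(PERSONAL_ETHERS)]
MANUF_TABLE = NameTable(6).load(MANUF)
IPXNETS_TABLE = NameTable(4).load(IPXNETS)


def resolve_mac(text: str) -> Optional[str]:
    """System ethers, then personal ethers, then manuf; the first file with a hit wins."""
    for table in (*ETHERS_TABLES, MANUF_TABLE):
        name = table.lookup(text)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    for mac in ("ff:ff:ff:ff:ff:ff", "00:00:0c:07:ac:05", "00:00:0c:07:ac:06",
                "00:00:0c:12:34:56", "01:00:5e:7f:ff:fa", "01:00:5e:80:00:00"):
        print(mac, "->", resolve_mac(mac))
    print("IPX 0000110F ->", IPXNETS_TABLE.lookup("0000110F"))
```

The /25 entry shows why the mask is needed at bit granularity: 01:00:5e:7f:ff:fa matches IPv4mcast while 01:00:5e:80:00:00, one bit
higher, does not. The personal ethers entry wins over the manuf /40 range for 00:00:0c:07:ac:05 because the ethers files are consulted
first, not because its mask is longer.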
SEE ALSO
ethereal-filter(4) ethereal(1), editcap(1), tcpdump(8), pcap(3)
NOTES
Tethereal is part of the Ethereal distribution. The latest version of
Ethereal can be found at .
AUTHORS
Tethereal uses the same packet dissection code that Ethereal does, as
well as using many other modules from Ethereal; see the list of
authors in the Ethereal man page for a list of authors of that code.
0.10.6      2004-08-12    
TETHEREAL(1)