Modifies the currently selected list item.

<BR>




<DT>Delete<DD>

<A NAME="ixACN"></A>
Deletes the currently selected list item.

<BR>




<DT>Up / Down

<DD>

<A NAME="ixACO"></A>
Moves the selected list item up or down one position.

<BR>




<DT><FONT SIZE="-1">OK</FONT><DD>

<A NAME="ixACP"></A>
Currently has no effect.

<BR>




<DT>Save<DD>

<A NAME="ixACQ"></A>
Saves the current column format as the default.

<BR>




<DT>Cancel<DD>

<A NAME="ixACR"></A>
Closes the dialog without making any changes.
</DL>
</DL>

<DL COMPACT><DT><DD>
</DL>


<BR>




<DT><FONT SIZE="-1">TCP</FONT> Stream Preferences<DD>

<A NAME="ixACS"></A>
The <FONT SIZE="-1"><I>TCP</I></FONT><I> Streams</I> page can be used to change the color of the text
displayed in the <FONT SIZE="-1">TCP</FONT> stream window.  To change a color, simply select
an attribute from the ``Set:'' menu and use the color selector to get the
desired color.  The new text colors are displayed in a sample window.

<BR>




<DT><FONT SIZE="-1">GUI</FONT> Preferences<DD>

<A NAME="ixACT"></A>
The <FONT SIZE="-1"><I>GUI</I></FONT> page is used to modify small aspects of the <FONT SIZE="-1">GUI</FONT> to your own
personal taste:
<DL COMPACT><DT><DD>

<BR>




<DL COMPACT>
<DT>Scrollbars<DD>

<A NAME="ixACU"></A>
The vertical scrollbars in the three panes can be set to be either on
the left or the right. 

<BR>




<DT>Selection Bars<DD>

<A NAME="ixACV"></A>
The selection bar in the
packet list and protocol tree can have either a ``browse'' or ``select''
behavior. If the selection bar has a ``browse'' behavior, the arrow keys
will move an outline of the selection bar, allowing you to browse
the rest of the list or tree without changing the selection
until you press the space bar. If the selection bar has a ``select''
behavior, the arrow keys will move the selection bar and change
the selection to the new item in the packet list or protocol tree.
The highlight method in the hex dump display for the selected protocol
item can be set to use either inverse video, or bold characters.

<BR>




<DT>Fonts<DD>

<A NAME="ixACW"></A>
The ``Font...'' button lets you select the font to be used for most text.

<BR>




<DT>Colors<DD>

<A NAME="ixACX"></A>
The ``Colors...'' button lets you select the colors to be used for instance
for the marked frames.
</DL>
</DL>

<DL COMPACT><DT><DD>
</DL>


<BR>




<DT>Protocol Preferences<DD>

<A NAME="ixACY"></A>
There are also pages for various protocols that Ethereal dissects,
controlling the way Ethereal handles those protocols.
</DL>
</DL>

<DL COMPACT><DT><DD>
</DL>


<BR>




<DT>Edit Capture Filter List<DD>

<A NAME="ixACZ"></A>


<BR>




<DT>Edit Display Filter List<DD>

<A NAME="ixADA"></A>

<BR>




<DT>Capture Filter<DD>

<A NAME="ixADB"></A>

<BR>




<DT>Display Filter<DD>

<A NAME="ixADC"></A>

<BR>




<DT>Read Filter<DD>

<A NAME="ixADD"></A>

<BR>




<DT>Search Filter<DD>

<A NAME="ixADE"></A>

The <I>Edit Capture Filter List</I> dialog lets you create, modify, and
delete capture filters, and the <I>Edit Display Filter List</I> dialog lets
you create, modify, and delete display filters.


<P>


The <I>Capture Filter</I> dialog lets you do all of the editing operations
listed, and also lets you choose or construct a filter to be used when
capturing packets.


<P>


The <I>Display Filter</I> dialog lets you do all of the editing operations
listed, and also lets you choose or construct a filter to be used to
filter the current capture being viewed.


<P>


The <I>Read Filter</I> dialog lets you do all of the editing operations
listed, and also lets you choose or construct a filter to be used as
the read filter for a capture file you open.


<P>


The <I>Search Filter</I> dialog lets you do all of the editing operations
listed, and also lets you choose or construct a filter expression to be
used in a find operation.


<P>


In all of those dialogs, the <I>Filter name</I> entry specifies a
descriptive name for a filter, e.g.  <B>Web and </B><FONT SIZE="-1"><B>DNS</B></FONT><B> traffic</B>.  The
<I>Filter string</I> entry is the text that actually describes the filtering
action to take, as described above.  The dialog buttons perform the
following actions:
<DL COMPACT><DT><DD>

<BR>




<DL COMPACT>
<DT>New<DD>

<A NAME="ixADF"></A>
If there is text in the two entry boxes, creates a new associated list
item.

<BR>




<DT>Change<DD>

<A NAME="ixADG"></A>
Modifies the currently selected list item to match what's in the entry
boxes.

<BR>




<DT>Copy<DD>

<A NAME="ixADH"></A>
Makes a copy of the currently selected list item.

<BR>




<DT>Delete<DD>

<A NAME="ixADI"></A>
Deletes the currently selected list item.

<BR>




<DT>Add Expression...<DD>

<A NAME="ixADJ"></A>
For display filter expressions, pops up a dialog box to allow you to
construct a filter expression to test a particular field; it offers
lists of field names, and, when appropriate, lists from which to select
tests to perform on the field and values with which to compare it.  In
that dialog box, the <FONT SIZE="-1">OK</FONT> button will cause the filter expression you
constructed to be entered into the <I>Filter string</I> entry at the current
cursor position.

<BR>




<DT><FONT SIZE="-1">OK</FONT><DD>

<A NAME="ixADK"></A>
In the <I>Capture Filter</I> dialog, closes the dialog box and makes the
filter in the <I>Filter string</I> entry the filter in the <I>Capture
Preferences</I> dialog.  In the <I>Display Filter</I> dialog, closes the dialog
box and makes the filter in the <I>Filter string</I> entry the current
display filter, and applies it to the current capture.  In the <I>Read
Filter</I> dialog, closes the dialog box and makes the filter in the
<I>Filter string</I> entry the filter in the <I>Open Capture File</I> dialog. 
In the <I>Search Filter</I> dialog, closes the dialog box and makes the
filter in the <I>Filter string</I> entry the filter in the <I>Find Frame</I>
dialog.

<BR>




<DT>Apply<DD>

<A NAME="ixADL"></A>
Makes the filter in the <I>Filter string</I> entry the current display
filter, and applies it to the current capture.

<BR>




<DT>Save<DD>

<A NAME="ixADM"></A>
Saves the current filter list in <I>$HOME/.ethereal/cfilters</I> if the list
of filters being edited is the list of capture filters or in
<I>$HOME/.ethereal/dfilters</I> if the list of filters being edited is the
list of display filters.

<BR>




<DT>Close<DD>

<A NAME="ixADN"></A>
Closes the dialog without doing anything with the filter in the <I>Filter
string</I> entry.
</DL>
</DL>

<DL COMPACT><DT><DD>
</DL>


<BR>




<DT>Capture Preferences<DD>

<A NAME="ixADO"></A>
The <I>Capture Preferences</I> dialog lets you specify various parameters for
capturing live packet data.


<P>


The <I>Interface:</I> combo box lets you specify the interface from which to
capture packet data, or the name of a <FONT SIZE="-1">FIFO</FONT> from which to get the packet
data.  The <I>Count:</I> entry specifies the number of packets to capture. 
Entering 0 will capture packets indefinitely.  The <I>Filter:</I> entry lets
you specify the capture filter using a tcpdump-style filter string as
described above.  The <I>File:</I> entry specifies the file to save to, as
in the <I>Printer Options</I> dialog above.  You can specify the maximum
number of bytes to capture per packet with the <I>Capture length</I> entry,
can specify whether the interface is to be put in promiscuous mode or
not with the <I>Capture packets in promiscuous mode</I> check box, can
specify that the display should be updated as packets are captured with
the <I>Update list of packets in real time</I> check box, can specify
whether in such a capture the packet list pane should scroll to show the
most recently captured packets with the <I>Automatic scrolling in live
capture</I> check box, and can specify whether addresses should be
translated to names in the display with the <I>Enable name resolution</I>
check box.

<BR>




<DT>Display Options<DD>

<A NAME="ixADP"></A>
The <I>Display Options</I> dialog lets you specify the format of the time
stamp in the packet list.  You can select ``Time of day'' for absolute
time stamps, ``Date and time of day'' for absolute time stamps with the
date, ``Seconds since beginning of capture'' for relative time stamps, or
``Seconds since previous frame'' for delta time stamps.  You can also
specify whether, when the display is updated as packets are captured,
the list should automatically scroll to show the most recently captured
packets or not and whether addresses should be translated to names in
the display.

<BR>




<DT>Plugins<DD>

<A NAME="ixADQ"></A>
The <I>Plugins</I> dialog lets you view the dissector plugin modules
available on your system.


<P>


The <I>Plugins List</I> shows the name and version of each dissector plugin
module found on your system.  The plugins are searched in the following
directories: <I>/usr/share/ethereal/plugins</I>,
<I>/usr/local/share/ethereal/plugins</I> and <I>~/.ethereal/plugins</I>.  Note
that a dissector plugin module may support more than one protocol; there
is not necessarily a one-to-one correspondence between dissector plugin
modules and protocols.  Protocols supported by a dissector plugin module
are enabled and disabled using the <I>Edit:Protocols</I> dialog box, just as
protocols built into Ethereal are.
</DL>
<A NAME="lbAI">&nbsp;</A>
<H2>CAPTURE FILTER SYNTAX</H2>

<A NAME="ixADR"></A>
See the manual page of <I>tcpdump</I>(8).
<A NAME="lbAJ">&nbsp;</A>
<H2>DISPLAY FILTER SYNTAX</H2>

<A NAME="ixADS"></A>
Display filters help you remove the noise from a packet trace and let
you see only the packets that interest you.  If a packet meets the
requirements expressed in your display filter, then it is displayed in
the list of packets.  Display filters let you compare the fields within
a protocol against a specific value, compare fields against fields, and
to check the existence of specified fields or protocols.


<P>


The simplest display filter allows you to check for the existence of a
protocol or field.  If you want to see all packets which contain the <FONT SIZE="-1">IPX</FONT>
protocol, the filter would be ``ipx'' (without the quotation marks).  To
see all packets that contain a Token-Ring <FONT SIZE="-1">RIF</FONT> field, use ``tr.rif''.


<P>


Fields can also be compared against values.  The comparison operators
can be expressed either through C-like symbols, or through English-like
abbreviations:


<P>




<PRE>
    eq, ==    Equal
    ne, !=    Not equal
    gt, &gt;     Greater than
    lt, &lt;     Less Than
    ge, &gt;=    Greater than or Equal to
    le, &lt;=    Less than or Equal to


</PRE>


Furthermore, each protocol field is typed. The types are:


<P>




<PRE>
    Unsigned integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Signed integer (either 8-bit, 16-bit, 24-bit, or 32-bit)
    Boolean
    Ethernet address (6 bytes)
    Byte string (n-number of bytes)
    IPv4 address
    IPv6 address
    IPX network number
    String (text)
    Double-precision floating point number


</PRE>


An integer may be expressed in decimal, octal, or hexadecimal notation. 
The following three display filters are equivalent:


<P>




<PRE>
    frame.pkt_len &gt; 10
    frame.pkt_len &gt; 012
    frame.pkt_len &gt; 0xa


</PRE>


Boolean values are either true or false.  In a display filter expression
testing the value of a Boolean field, ``true'' is expressed as 1 or any
other non-zero value, and ``false'' is expressed as zero.  For example, a
token-ring packet's source route field is boolean.  To find any
source-routed packets, a display filter would be:


<P>




<PRE>
    tr.sr == 1


</PRE>


Non source-routed packets can be found with:


<P>




<PRE>
    tr.sr == 0


</PRE>


Ethernet addresses, as well as strings of bytes, are written as hex
digits.  The hex digits may be separated by colons, periods, or hyphens:


<P>




<PRE>
    fddi.dst eq ff:ff:ff:ff:ff:ff
    ipx.srcnode == 0.0.0.0.0.1
    eth.src == aa-aa-aa-aa-aa-aa


</PRE>


If a string of bytes contains only one byte, then it is represented as
an unsigned integer.  That is, if you are testing for hex value 'ff' in
a one-byte byte-string, you must compare it against '0xff' and not 'ff'.


<P>


IPv4 addresses can be represented in either dotted decimal notation, or
by using the hostname:


<P>




<PRE>
    ip.dst eq www.mit.edu
    ip.src == 192.168.1.1


</PRE>


IPv4 addresses can be compared with the same logical relations as numbers:
eq, ne, gt, ge, lt, and le.  The IPv4 address is stored in host order,
so you do not have to worry about the byte order of an IPv4 address
when using it in a display filter.


<P>


<FONT SIZE="-1">IPX</FONT> networks are represented by unsigned 32-bit integers.  Most likely
you will be using hexadecimal when testing for <FONT SIZE="-1">IPX</FONT> network values:


<P>




<PRE>
    ipx.srcnet == 0xc0a82c00


</PRE>


A slice operator also exists.  You can check the substring
(byte-string) of any protocol or field.  For example, you can filter on
the vendor portion of an ethernet address (the first three bytes) like
this:


<P>




<PRE>
    eth.src[0:3] == 00:00:83


</PRE>


If the length of your byte-slice is only one byte, then it is still
represented in hex, but without the preceding ``0x'': 


<P>




<PRE>
    llc[3] == aa


</PRE>


You can use the slice operator on a protocol name, too.  And
remember, the ``frame'' protocol encompasses the entire packet, allowing
you to look at the nth byte of a packet regardless of its frame type
(Ethernet, token-ring, etc.).


<P>




<PRE>
    token[0:5] ne 0.0.0.1.1
    ipx[0:2] == ff:ff
    llc[3:1] eq 0xaa


</PRE>


The following syntax governs slices:


<P>




<PRE>
        [i:j]   i = start_offset, j = length
        [i-j]   i = start_offset, j = end_offset, inclusive.
        [i]     i = start_offset, length = 1
        [:j]    start_offset = 0, length = j
        [i:]    start_offset = i, end_offset = end_of_field


</PRE>


Offsets and lengths can be negative, in which case they indicate the offset from the
*end* of the field.  Here's how to check the last 4 bytes of a frame:


<P>




<PRE>
    frame[-4:4] == 0.1.2.3
or
    frame[-4:] == 0.1.2.3


</PRE>


You can create complex concatenations of slices using the comma operator:


<P>




<PRE>
        field[1,3-5,9:] == 01:03:04:05:09:0a:0b


</PRE>
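<P>


The slice grammar above, together with the byte-string literal forms shown
earlier (hex digits separated by colons, periods or hyphens, and the
``0x'' form for a single byte), is small enough to implement directly.  The
following is an added example written for this page; it is not code from
Ethereal.  It evaluates a slice expression against a constructed 12-byte
field and compares the result with a byte-string literal.  Negative start
and end offsets count from the end of the field as described above;
negative <I>lengths</I> are rejected, since the page does not define them.

```python
"""Added example (not Ethereal's own code): an interpreter for the
display-filter slice grammar on this page, applied to a byte field.

Supported forms, comma-separated inside one pair of brackets:
    [i:j]  [i-j]  [i]  [:j]  [i:]
Offsets may be negative (counted from the end of the field)."""
import re

# Constructed sample field: bytes 00 01 02 ... 0b, as if cut from a frame.
FIELD = bytes(range(12))

_RANGE = re.compile(r"^(-?\d+)-(-?\d+)$")   # the inclusive i-j form


def parse_bytes(literal: str) -> bytes:
    """Parse a byte-string literal: ff:ff:ff, 0.0.0.0.0.1, aa-aa-aa, or a
    single byte written as 0xaa / aa."""
    text = literal.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    parts = re.split(r"[:.-]", text)
    if not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"bad byte-string literal: {literal!r}")
    return bytes(int(p, 16) for p in parts)


def _bounds(spec: str, length: int) -> tuple[int, int]:
    """Turn one slice element into half-open [start, end) byte bounds."""
    def norm(i: int) -> int:            # negative offset -> from end of field
        return i + length if i < 0 else i

    if ":" in spec:                     # [i:j], [:j], [i:]
        i, j = spec.split(":", 1)
        start = norm(int(i)) if i else 0
        if j and int(j) < 0:
            raise ValueError(f"negative length in {spec!r} is not supported")
        end = start + int(j) if j else length
        return start, end
    m = _RANGE.match(spec)              # [i-j], both ends inclusive
    if m:
        return norm(int(m.group(1))), norm(int(m.group(2))) + 1
    start = norm(int(spec))             # [i], a single byte
    return start, start + 1


def apply_slice(field: bytes, slice_expr: str) -> bytes:
    """Evaluate field[...] including comma concatenation, e.g. [1,3-5,9:]."""
    if not (slice_expr.startswith("[") and slice_expr.endswith("]")):
        raise ValueError("slice must be written as [...]")
    out = b""
    for spec in slice_expr[1:-1].split(","):
        start, end = _bounds(spec.strip(), len(field))
        if not 0 <= start <= end <= len(field):
            raise ValueError(f"slice {spec!r} is out of range for a "
                             f"{len(field)}-byte field")
        out += field[start:end]
    return out


def slice_equals(field: bytes, slice_expr: str, literal: str) -> bool:
    """field[slice] == literal, the test form used on this page."""
    return apply_slice(field, slice_expr) == parse_bytes(literal)


if __name__ == "__main__":
    for expr, lit in [("[0:3]", "00:01:02"),
                      ("[1,3-5,9:]", "01:03:04:05:09:0a:0b"),
                      ("[-4:]", "08.09.0a.0b"),
                      ("[3]", "0x03")]:
        print(f"field{expr} == {lit}: {slice_equals(FIELD, expr, lit)}")
```

Run it and each of the four comparisons prints True; the second line is the
comma-concatenation example from the page applied to the sample field.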


All the above tests can be combined together with logical expressions. 
These too are expressible in C-like syntax or with English-like
abbreviations:


<P>




<PRE>
    and, &amp;&amp;   Logical AND
    or, ||    Logical OR
    xor, ^^   Logical XOR
    not, !    Logical NOT


</PRE>


Expressions can be grouped by parentheses as well.  The following are
all valid display filter expressions:


<P>




<PRE>
    tcp.port == 80 and ip.src == 192.168.2.1
    not llc
    (ipx.srcnet == 0xbad &amp;&amp; ipx.srcnode == 0.0.0.0.0.1) || ip
    tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29


</PRE>


A special caveat must be given regarding fields that occur more than
once per packet.  ``ip.addr'' occurs twice per <FONT SIZE="-1">IP</FONT> packet, once for the
source address, and once for the destination address.  Likewise,
tr.rif.ring fields can occur more than once per packet.  The following
two expressions are not equivalent:


<P>




<PRE>
        ip.addr ne 192.168.4.1
    not ip.addr eq 192.168.4.1


</PRE>


The first filter says ``show me all packets where an ip.addr exists that
does not equal 192.168.4.1''.  That is, as long as one ip.addr in the
packet does not equal 192.168.4.1, the packet passes the display
filter.  The second filter says ``don't show me any packets that have at least
one ip.addr field equal to 192.168.4.1''.  If one ip.addr is 192.168.4.1,
the packet does not pass.  If <B>neither</B> ip.addr field is 192.168.4.1,
then the packet passes.


<P>


It is easy to think of the 'ne' and 'eq' operators as having an implicit
``exists'' modifier when dealing with multiply-recurring fields.  ``ip.addr
ne 192.168.4.1'' can be thought of as ``there exists an ip.addr that does
not equal 192.168.4.1''.


<P>


Be careful with multiply-recurring fields; they can be confusing.


<P>


The following is a table of protocol and protocol fields that are
filterable in <B>Ethereal</B>.  The abbreviation of the protocol or field is
given.  This abbreviation is what you use in the display filter.  The
type of the field is also given.
<A NAME="lbAK">&nbsp;</A>
<H2>802.1q Virtual <FONT SIZE="-1">LAN</FONT> (vlan)</H2>

<A NAME="ixADT"></A>


<PRE>
    vlan.cfi  CFI
        Unsigned 16-bit integer


</PRE>




<PRE>
    vlan.etype  Type
        Unsigned 16-bit integer


</PRE>




<PRE>
    vlan.id  ID
        Unsigned 16-bit integer


</PRE>




<PRE>
    vlan.len  Length
        Unsigned 16-bit integer


</PRE>




<PRE>
    vlan.priority  Priority
        Unsigned 16-bit integer


</PRE>




<PRE>
    vlan.trailer  Trailer
        Byte array


</PRE>


<A NAME="lbAL">&nbsp;</A>
<H2><FONT SIZE="-1">AOL</FONT> Instant Messenger (aim)</H2>

<A NAME="ixADU"></A>


<PRE>
    aim.channel  Channel ID
        Unsigned 8-bit integer


</PRE>


