Manual page for ETHERFIND(8C)

NAME
     etherfind - find packets on Ethernet

SYNOPSIS
     etherfind [ -d ] [ -n ] [ -p ] [ -r ] [ -t ] [ -u ] [ -v ] [ -x ]
          [ -c count ] [ -i interface ] [ -l length ] expression
AVAILABILITY
     This program is available with the Networking software installation
     option.  Refer to [a manual with the abbreviation INSTALL] for
     information on how to install optional software.
DESCRIPTION
     etherfind prints out information about packets on the Ethernet that
     match the boolean expression.  The short display, without the -v
     option, shows only the destination and source (with port numbers).
     When an Internet packet is fragmented into more than one Ethernet
     packet, all fragments except the first are marked with an asterisk.
     With the -v option the display is much more verbose, giving a trace
     that is suitable for analyzing many network problems.

     You must be root to invoke etherfind.
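     The following Python decoder is an added illustration of the short
     display and the fragment marking described above; it is written for
     this page and is not etherfind's own code.  It builds a constructed
     Ethernet II / IPv4 frame, extracts source and destination with port
     numbers, and marks every fragment after the first with an asterisk.
     The page does not give the exact column layout of the short display,
     so the `src.port -> dst.port' layout is an assumption; the asterisk
     rule follows the description.

```python
"""Added example: decode a constructed Ethernet II / IPv4 frame into a short
"source -> destination (with ports)" line, marking every IP fragment except
the first with an asterisk, as the etherfind description says it does.
The line layout itself is an assumption; this is not etherfind's own code."""
import socket
import struct

ETHERTYPE_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IP_HDR = "!BBHHHBBH4s4s"  # IPv4 fixed header, 20 bytes


def udp_segment(sport, dport, payload=b"x" * 8):
    """Constructed UDP header + payload (checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_frame(src_ip, dst_ip, ip_payload, frag_offset=0, more_frags=False,
                proto=IPPROTO_UDP):
    """Constructed Ethernet II + IPv4 frame.  frag_offset is in 8-byte units,
    exactly as it is stored in the IPv4 header."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    ip_hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(ip_payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth_hdr = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
               + struct.pack("!H", ETHERTYPE_IP))
    return eth_hdr + ip_hdr + ip_payload


def summarize(frame):
    """Return the short-display line for one frame, or None if it is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return None
    ip = frame[14:]
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IP_HDR, ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    src_s, dst_s = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    # A non-zero fragment offset means "not the first fragment".  Only the
    # first fragment carries the transport header, so later fragments cannot
    # be shown with port numbers and are flagged with '*' instead.
    if flags_frag & 0x1FFF:
        return f"{src_s} -> {dst_s} *"
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        return f"{src_s}.{sport} -> {dst_s}.{dport}"
    return f"{src_s} -> {dst_s}"


if __name__ == "__main__":
    first = build_frame("10.0.0.1", "10.0.0.2", udp_segment(53, 1024), more_frags=True)
    rest = build_frame("10.0.0.1", "10.0.0.2", b"\x00" * 16, frag_offset=185)
    print(summarize(first))  # 10.0.0.1.53 -> 10.0.0.2.1024
    print(summarize(rest))   # 10.0.0.1 -> 10.0.0.2 *
```

     Note that the first fragment (offset 0, "more fragments" set) is still
     shown with its ports, since it is the only piece that carries the
     UDP or TCP header; that is why only the later fragments get the mark.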
OPTIONS
     -d   Print the number of dropped packets.  Not necessarily reliable.

     -n   Do not convert host addresses and port numbers to names.

     -p   Normally, the selected interface is put into promiscuous mode, so
          that etherfind has access to all packets on the Ethernet.  However,
          when the -p flag is used, the interface will not go promiscuous.

     -r   RPC mode: treat each packet as an RPC message, printing the program
          and procedure numbers.  Routing packets are also more fully decoded
          using this option, and Network Information Service (NIS) and NFS
          requests have their arguments printed.

     -t   Timestamps: precede each packet listing with a time value in
          seconds and hundredths of seconds since the first packet.

     -u   Make the output line buffered.

     -v   Verbose mode: print out some of the fields of TCP and UDP packets.

     -x   Dump the packet in hex, in addition to the line printed for each
          packet by default.  Use the -l option to limit this printout.

     -c count
          Exit after receiving count packets.  This is sometimes useful for
          dumping a sample of Ethernet traffic to a file for later analysis.

     -i interface
          etherfind listens on interface.  netstat(8C), when invoked with
          the -i flag, lists all the interfaces that a machine has.

     -l length
          Use with the -x option to limit the number of bytes printed out.

     expression
          The syntax of expression is similar to that used by find(1).
          Here are the allowable primaries.
          dst destination
               True if the destination field of the packet is destination,
               which may be either an address or a name.

          src source
               True if the source field of the packet is source, which may
               be either an address or a name.

          host name
               True if either the source or the destination of the packet
               is name.

          between host1 host2
               True if either the source of the packet is host1 and the
               destination host2, or the source is host2 and the
               destination host1.

          dstnet destination
               True if the destination field of the packet has a network
               part of destination, which may be either an address or a
               name.

          srcnet source
               True if the source field of the packet has a network part of
               source, which may be either an address or a name.

          srcport port
               True if the packet has a source port value of port.  This
               checks the source port value of either UDP or TCP packets
               (see tcp(4P) and udp(4P)).  The port can be a number or a
               name used in /etc/services.

          dstport port
               True if the packet has a destination port value of port.
               The port can be a number or a name.

          less length
               True if the packet has a length less than or equal to
               length.

          greater length
               True if the packet has a length greater than or equal to
               length.

          proto protocol
               True if the packet is an IP packet (see ip(4P)) of protocol
               type protocol.  Protocol can be a number or one of the names
               icmp, udp, nd, or tcp.

          byte byte op value
               True if byte number byte of the packet is in relation op to
               value.  Legal values for op are =, <, >, &, and |.  Thus
               `4=6' is true if the fourth byte of the packet has the value
               6, and `20&0xf' is true if byte twenty has one of its four
               low order bits nonzero.

          broadcast
               True if the packet is a broadcast packet.

          arp
               True if the packet is an ARP packet (see arp(4P)).

          rarp
               True if the packet is a RARP packet.

          ip
               True if the packet is an IP packet.

          decnet
               True if the packet is a DECNET packet.

          apple
               True if the packet is an AppleTalk protocol packet.
     The primaries may be combined using the following operators (in order
     of decreasing precedence):

          A parenthesized group of primaries and operators (parentheses are
          special to the shell and must be escaped).

          The negation of a primary (`not' is the unary not operator).

          Concatenation of primaries (the and operation is implied by the
          juxtaposition of two primaries, or can be specified with `and').

          Alternation of primaries (`or' is the or operator).
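     The precedence rules above are easiest to see in a small evaluator.
     The following Python code is an added example written for this page,
     not etherfind's source: it parses an expression with the primaries and
     operators listed above into a predicate and applies it to constructed
     packet records.  Assumptions not stated on the page: hosts are
     compared as plain strings (no address/name resolution), port names
     come from a small constructed table standing in for /etc/services,
     the `nd' protocol is omitted because its number is not given, byte
     numbers are zero-based offsets into the frame, and `&' and `|' are
     true when the masked (or or-ed) byte is nonzero, following the
     `20&0xf' description.  Parentheses appear unescaped because no shell
     is involved.

```python
"""Added example: a recursive-descent evaluator for the etherfind expression
syntax (not etherfind's own code).  Precedence, tightest to loosest:
parentheses, 'not', juxtaposition/'and', 'or'."""

# Constructed tables standing in for /etc/services and the IP protocol names.
SERVICES = {"telnet": 23, "domain": 53, "nfs": 2049}
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}

# Constructed packet records; 'raw' holds the bytes the byte primary indexes.
SAMPLE_PACKETS = [
    {"kind": "ip", "src": "sundown", "dst": "moon", "srcport": 1023, "dstport": 2049,
     "proto": 17, "length": 1500, "broadcast": False, "raw": bytes([0x45, 0x00, 0x05, 0xdc])},
    {"kind": "ip", "src": "moon", "dst": "sundown", "srcport": 23, "dstport": 1234,
     "proto": 6, "length": 60, "broadcast": False, "raw": bytes([0x45, 0x00, 0x00, 0x3c])},
    {"kind": "ip", "src": "venus", "dst": "mars", "srcport": None, "dstport": None,
     "proto": 1, "length": 84, "broadcast": False, "raw": bytes([0x45, 0x10, 0x00, 0x54])},
    {"kind": "arp", "src": "venus", "dst": "broadcast", "srcport": None, "dstport": None,
     "proto": None, "length": 42, "broadcast": True, "raw": bytes([0x00, 0x01, 0x08, 0x00])},
]


def _number(tok, names):
    """Accept a decimal or 0x-prefixed number, or a name from the given table."""
    if tok in names:
        return names[tok]
    try:
        return int(tok, 0)
    except ValueError:
        raise SyntaxError(f"unknown name or number: {tok!r}") from None


def tokenize(expression):
    return expression.replace("(", " ( ").replace(")", " ) ").split()


class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.peek() is None:
            raise SyntaxError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return pred

    def or_expr(self):  # lowest precedence
        left = self.and_expr()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.and_expr())
        return left

    def and_expr(self):  # 'and' may be written or implied by juxtaposition
        left = self.not_expr()
        while self.peek() not in (None, "or", ")"):
            if self.peek() == "and":
                self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.not_expr())
        return left

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            inner = self.not_expr()
            return lambda p: not inner(p)
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            inner = self.or_expr()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return inner
        if tok in ("src", "dst"):
            return lambda p, f=tok, w=self.take(): p[f] == w
        if tok == "host":
            return lambda p, w=self.take(): w in (p["src"], p["dst"])
        if tok == "between":
            a, b = self.take(), self.take()
            return lambda p, a=a, b=b: (p["src"], p["dst"]) in ((a, b), (b, a))
        if tok in ("srcport", "dstport"):
            return lambda p, f=tok, v=_number(self.take(), SERVICES): p[f] == v
        if tok == "proto":
            v = _number(self.take(), PROTOCOLS)
            return lambda p, v=v: p["kind"] == "ip" and p["proto"] == v
        if tok == "less":
            return lambda p, v=_number(self.take(), {}): p["length"] <= v
        if tok == "greater":
            return lambda p, v=_number(self.take(), {}): p["length"] >= v
        if tok == "byte":
            return self.byte_primary()
        if tok == "broadcast":
            return lambda p: p["broadcast"]
        if tok in ("ip", "arp", "rarp", "decnet", "apple"):
            return lambda p, k=tok: p["kind"] == k
        raise SyntaxError(f"unknown primary {tok!r}")

    def byte_primary(self):
        offset, op = _number(self.take(), {}), self.take()
        value = _number(self.take(), {})
        tests = {"=": lambda b, v: b == v, "<": lambda b, v: b < v, ">": lambda b, v: b > v,
                 "&": lambda b, v: (b & v) != 0,   # nonzero after masking (20&0xf example)
                 "|": lambda b, v: (b | v) != 0}   # assumption: same nonzero convention
        if op not in tests:
            raise SyntaxError(f"bad byte operator {op!r}")
        # Assumption: byte numbers are zero-based offsets into the frame.
        return lambda p, o=offset, t=tests[op], v=value: o < len(p["raw"]) and t(p["raw"][o], v)


def compile_filter(expression):
    return Parser(tokenize(expression)).parse()


def select(expression, packets=SAMPLE_PACKETS):
    """Indices of the packets that match expression."""
    pred = compile_filter(expression)
    return [i for i, p in enumerate(packets) if pred(p)]
```

     With the constructed records, the page's own example `host sundown or
     proto icmp' selects the first three packets, while `not host sundown or
     proto icmp' selects the last two: `not' binds tighter than `or', so the
     negation applies only to the host primary.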
EXAMPLE
     To find all packets arriving at or departing from the host sundown, or
     that are ICMP packets:

          example% etherfind host sundown or proto icmp
SEE ALSO
     find(1), traffic(1C), arp(4P), ip(4P), nit(4P), tcp(4P), udp(4P),
     netstat(8C)
BUGS
     The syntax is painful.
NOTES
     The Network Information Service (NIS) was formerly known as Sun Yellow
     Pages (YP).  The functionality of the two remains the same; only the
     name has changed.
Created by unroff & hp-tools.
© somebody (See intro for details). All Rights Reserved.
Last modified 11/5/97