WebSVN – nexmon – Blame – Rev 1 – /utilities/wireshark/doc/rawshark.pod

1

office

1

2

=head1 NAME

3

4

rawshark - Dump and analyze raw pcap data

=head1 SYNOPSIS

B<rawshark>

S<[ B<-d> E<lt>encap:linktypeE<gt>|E<lt>proto:protonameE<gt> ]>

10

S<[ B<-F> E<lt>field to displayE<gt> ]>

S<[ B<-h> ]>

S<[ B<-l> ]>

S<[ B<-n> ]>

S<[ B<-N> E<lt>name resolving flagsE<gt> ]>

15

S<[ B<-o> E<lt>preference settingE<gt> ] ...>

16

S<[ B<-p> ]>

17

S<[ B<-r> E<lt>pipeE<gt>|- ]>

18

S<[ B<-R> E<lt>read (display) filterE<gt> ]>

19

S<[ B<-s> ]>

20

S<[ B<-S> E<lt>field formatE<gt> ]>

21

S<[ B<-t> a|ad|adoy|d|dd|e|r|u|ud|udoy ]>

S<[ B<-v> ]>

=head1 DESCRIPTION

B<Rawshark> reads a stream of packets from a file or pipe, and prints a line

27

describing its output, followed by a set of matching fields for each packet

on stdout.

=head1 INPUT

Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or

33

input. The B<-d> and B<-r> flags must be specified in order for it to run.

34

One or more B<-F> flags should be specified in order for the output to be

35

useful. The other flags listed above follow the same conventions as

36

B<Wireshark> and B<TShark>.

37

38

B<Rawshark> expects input records with the following format by default. This

39

matches the format of the packet header and packet data in a pcap-formatted

40

file on disk.

41

42

struct rawshark_rec_s {

43

uint32_t ts_sec; /* Time stamp (seconds) */

44

uint32_t ts_usec; /* Time stamp (microseconds) */

45

uint32_t caplen; /* Length of the packet buffer */

46

uint32_t len; /* "On the wire" length of the packet */

47

uint8_t data[caplen]; /* Packet data */

48

};

49

50

If B<-p> is supplied B<rawshark> expects the following format. This

51

matches the I<struct pcap_pkthdr> structure and packet data used in

52

libpcap/WinPcap. This structure's format is platform-dependent; the

53

size of the I<tv_sec> field in the I<struct timeval> structure could be

54

32 bits or 64 bits. For B<rawshark> to work, the layout of the

55

structure in the input must match the layout of the structure in

56

B<rawshark>. Note that this format will probably be the same as the

57

previous format if B<rawshark> is a 32-bit program, but will not

58

necessarily be the same if B<rawshark> is a 64-bit program.

59

60

struct rawshark_rec_s {

61

struct timeval ts; /* Time stamp */

62

uint32_t caplen; /* Length of the packet buffer */

63

uint32_t len; /* "On the wire" length of the packet */

64

uint8_t data[caplen]; /* Packet data */

65

};

66

67

In either case, the endianness (byte ordering) of each integer must match the

68

system on which B<rawshark> is running.

=head1 OUTPUT

If one or more fields are specified via the B<-F> flag, B<Rawshark> prints

73

the number, field type, and display format for each field on the first line

74

as "packet number" 0. For each record, the packet number, matching fields,

75

and a "1" or "0" are printed to indicate if the field matched any supplied

76

display filter. A "-" is used to signal the end of a field description and

77

at the end of each packet line. For example, the flags B<-F ip.src -F

78

dns.qry.type> might generate the following output:

79

80

81

1 1="1" 0="192.168.77.10" 1 -

82

2 1="1" 0="192.168.77.250" 1 -

83

3 0="192.168.77.10" 1 -

84

4 0="74.125.19.104" 1 -

85

86

Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication

87

that packets 1 and 2 didn't pass the filter:

88

89

90

1 1="1" 0="192.168.77.10" 0 -

91

2 1="1" 0="192.168.77.250" 0 -

92

3 0="192.168.77.10" 1 -

93

4 0="74.125.19.104" 1 -

94

95

Also note that the output may be in any order, and that multiple matching

96

fields might be displayed.

=head1 OPTIONS

=over 4

=item -d E<lt>encapsulationE<gt>

103

104

Specify how the packet data should be dissected. The encapsulation is of the

105

form I<type>B<:>I<value>, where I<type> is one of:

106

107

B<encap>:I<name> Packet data should be dissected using the

108

libpcap/WinPcap data link type (DLT) I<name>, e.g. B<encap:EN10MB> for

109

Ethernet. Names are converted using pcap_datalink_name_to_val().

110

A complete list of DLTs can be found at

111

L<http://www.tcpdump.org/linktypes.html>.

112

113

B<encap>:I<number> Packet data should be dissected using the

114

libpcap/WinPcap LINKTYPE_ I<number>, e.g. B<encap:105> for raw IEEE

115

802.11 or B<encap:101> for raw IP.

116

117

B<proto>:I<protocol> Packet data should be passed to the specified Wireshark

118

protocol dissector, e.g. B<proto:http> for HTTP data.

119

120

=item -F E<lt>field to displayE<gt>

121

122

Add the matching field to the output. Fields are any valid display filter

123

field. More than one B<-F> flag may be specified, and each field can match

124

multiple times in a given packet. A single field may be specified per B<-F>

125

flag. If you want to apply a display filter, use the B<-R> flag.

=item -h

Print the version and options and exits.

=item -l

Flush the standard output after the information for each packet is

134

printed. (This is not, strictly speaking, line-buffered if B<-V>

135

was specified; however, it is the same as line-buffered if B<-V> wasn't

136

specified, as only one line is printed for each packet, and, as B<-l> is

137

normally used when piping a live capture to a program or script, so that

138

output for a packet shows up as soon as the packet is seen and

139

dissected, it should work just as well as true line-buffering. We do

140

this as a workaround for a deficiency in the Microsoft Visual C++ C

141

library.)

142

143

This may be useful when piping the output of B<TShark> to another

144

program, as it means that the program to which the output is piped will

145

see the dissected data for a packet as soon as B<TShark> sees the

146

packet and generates that output, rather than seeing it only when the

147

standard output buffer containing that data fills up.

=item -n

Disable network object name resolution (such as hostname, TCP and UDP port

152

names), the B<-N> flag might override this one.

153

154

=item -N E<lt>name resolving flagsE<gt>

155

156

Turn on name resolving only for particular types of addresses and port

157

numbers, with name resolving for other types of addresses and port

158

numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are

159

present. If both B<-N> and B<-n> flags are not present, all name resolutions are

160

turned on.

161

162

The argument is a string that may contain the letters:

163

164

B<m> to enable MAC address resolution

165

166

B<n> to enable network address resolution

167

168

B<N> to enable using external resolvers (e.g., DNS) for network address

169

resolution

170

171

B<t> to enable transport-layer port number resolution

172

173

B<d> to enable resolution from captured DNS packets

174

175

=item -o E<lt>preferenceE<gt>:E<lt>valueE<gt>

176

177

Set a preference value, overriding the default value and any value read

178

from a preference file. The argument to the option is a string of the

179

form I<prefname>B<:>I<value>, where I<prefname> is the name of the

180

preference (which is the same name that would appear in the preference

181

file), and I<value> is the value to which it should be set.

=item -p

Assume that packet data is preceded by a pcap_pkthdr struct as defined in

186

pcap.h. On some systems the size of the timestamp data will be different from

187

the data written to disk. On other systems they are identical and this flag has

188

no effect.

189

190

=item -r E<lt>pipeE<gt>|-

191

192

Read packet data from I<input source>. It can be either the name of a FIFO

193

(named pipe) or ``-'' to read data from the standard input, and must have

194

the record format specified above.

195

196

=item -R E<lt>read (display) filterE<gt>

197

198

Cause the specified filter (which uses the syntax of read/display filters,

199

rather than that of capture filters) to be applied before printing the output.

=item -s

Allows standard pcap files to be used as input, by skipping over the 24

204

byte pcap file header.

=item -S

Use the specified format string to print each field. The following formats

209

are supported:

210

211

B<%D> Field name or description, e.g. "Type" for dns.qry.type

212

213

B<%N> Base 10 numeric value of the field.

214

215

B<%S> String value of the field.

216

217

For something similar to Wireshark's standard display ("Type: A (1)") you

218

could use B<%D: %S (%N)>.

219

220

=item -t a|ad|adoy|d|dd|e|r|u|ud|udoy

221

222

Set the format of the packet timestamp printed in summary lines.

223

The format can be one of:

224

225

B<a> absolute: The absolute time, as local time in your time zone,

226

is the actual time the packet was captured, with no date displayed

227

228

B<ad> absolute with date: The absolute date, displayed as YYYY-MM-DD,

229

and time, as local time in your time zone, is the actual time and date

230

the packet was captured

231

232

B<adoy> absolute with date using day of year: The absolute date,

233

displayed as YYYY/DOY, and time, as local time in your time zone,

234

is the actual time and date the packet was captured

235

236

B<d> delta: The delta time is the time since the previous packet was

237

captured

238

239

B<dd> delta_displayed: The delta_displayed time is the time since the

240

previous displayed packet was captured

241

242

B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)

243

244

B<r> relative: The relative time is the time elapsed between the first packet

245

and the current packet

246

247

B<u> UTC: The absolute time, as UTC, is the actual time the packet was

248

captured, with no date displayed

249

250

B<ud> UTC with date: The absolute date, displayed as YYYY-MM-DD,

251

and time, as UTC, is the actual time and date the packet was captured

252

253

B<udoy> UTC with date using day of year: The absolute date, displayed

254

as YYYY/DOY, and time, as UTC, is the actual time and date the packet

255

was captured

256

257

The default format is relative.

=item -v

Print the version and exit.

=back

=head1 READ FILTER SYNTAX

266

267

For a complete table of protocol and protocol fields that are filterable

268

in B<TShark> see the wireshark-filter(4) manual page.

=head1 FILES

These files contains various B<Wireshark> configuration values.

=over 4

=item Preferences

The F<preferences> files contain global (system-wide) and personal

279

preference settings. If the system-wide preference file exists, it is

280

read first, overriding the default settings. If the personal preferences

281

file exists, it is read next, overriding any previous values. Note: If

282

the command line option B<-o> is used (possibly more than once), it will

283

in turn override values from the preferences files.

284

285

The preferences settings are in the form I<prefname>B<:>I<value>,

286

one per line,

287

where I<prefname> is the name of the preference

288

and I<value> is the value to

289

which it should be set; white space is allowed between B<:> and

290

I<value>. A preference setting can be continued on subsequent lines by

291

indenting the continuation lines with white space. A B<#> character

292

starts a comment that runs to the end of the line:

293

294

# Capture in promiscuous mode?

295

# TRUE or FALSE (case-insensitive).

296

capture.prom_mode: TRUE

297

298

The global preferences file is looked for in the F<wireshark> directory

299

under the F<share> subdirectory of the main installation directory (for

300

example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible

301

systems, and in the main installation directory (for example,

302

F<C:\Program Files\Wireshark\preferences>) on Windows systems.

303

304

The personal preferences file is looked for in

305

F<$HOME/.wireshark/preferences> on

306

UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if

307

%APPDATA% isn't defined, F<%USERPROFILE%\Application

308

Data\Wireshark\preferences>) on Windows systems.

309

310

=item Disabled (Enabled) Protocols

311

312

The F<disabled_protos> files contain system-wide and personal lists of

313

protocols that have been disabled, so that their dissectors are never

314

called. The files contain protocol names, one per line, where the

315

protocol name is the same name that would be used in a display filter

for the protocol:

http

tcp # a comment

The global F<disabled_protos> file uses the same directory as the global

322

preferences file.

323

324

The personal F<disabled_protos> file uses the same directory as the

325

personal preferences file.

326

327

=item Name Resolution (hosts)

328

329

If the personal F<hosts> file exists, it is

330

used to resolve IPv4 and IPv6 addresses before any other

331

attempts are made to resolve them. The file has the standard F<hosts>

332

file syntax; each line contains one IP address and name, separated by

333

whitespace. The same directory as for the personal preferences file is

334

used.

335

336

Capture filter name resolution is handled by libpcap on UNIX-compatible

337

systems and WinPcap on Windows. As such the Wireshark personal F<hosts> file

338

will not be consulted for capture filter name resolution.

339

340

=item Name Resolution (subnets)

341

342

If an IPv4 address cannot be translated via name resolution (no exact

343

match is found) then a partial match is attempted via the F<subnets> file.

344

345

Each line of this file consists of an IPv4 address, a subnet mask length

346

separated only by a / and a name separated by whitespace. While the address

347

must be a full IPv4 address, any values beyond the mask length are subsequently

ignored.

An example is:

# Comments must be prepended by the # sign!

353

192.168.0.0/24 ws_test_network

354

355

A partially matched name will be printed as "subnet-name.remaining-address".

356

For example, "192.168.0.1" under the subnet above would be printed as

357

"ws_test_network.1"; if the mask length above had been 16 rather than 24, the

358

printed address would be ``ws_test_network.0.1".

359

360

=item Name Resolution (ethers)

361

362

The F<ethers> files are consulted to correlate 6-byte hardware addresses to

363

names. First the personal F<ethers> file is tried and if an address is not

364

found there the global F<ethers> file is tried next.

365

366

Each line contains one hardware address and name, separated by

367

whitespace. The digits of the hardware address are separated by colons

368

(:), dashes (-) or periods (.). The same separator character must be

369

used consistently in an address. The following three lines are valid

370

lines of an F<ethers> file:

371

372

ff:ff:ff:ff:ff:ff Broadcast

373

c0-00-ff-ff-ff-ff TR_broadcast

374

00.00.00.00.00.00 Zero_broadcast

375

376

The global F<ethers> file is looked for in the F</etc> directory on

377

UNIX-compatible systems, and in the main installation directory (for

378

example, F<C:\Program Files\Wireshark>) on Windows systems.

379

380

The personal F<ethers> file is looked for in the same directory as the personal

381

preferences file.

382

383

Capture filter name resolution is handled by libpcap on UNIX-compatible

384

systems and WinPcap on Windows. As such the Wireshark personal F<ethers> file

385

will not be consulted for capture filter name resolution.

386

387

=item Name Resolution (manuf)

388

389

The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte

390

hardware address with the manufacturer's name; it can also contain well-known

391

MAC addresses and address ranges specified with a netmask. The format of the

392

file is the same as the F<ethers> files, except that entries of the form:

00:00:0C Cisco

can be provided, with the 3-byte OUI and the name for a vendor, and

397

entries such as:

398

399

00-00-0C-07-AC/40 All-HSRP-routers

400

401

can be specified, with a MAC address and a mask indicating how many bits

402

of the address must match. The above entry, for example, has 40

403

significant bits, or 5 bytes, and would match addresses from

404

00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a

405

multiple of 8.

406

407

The F<manuf> file is looked for in the same directory as the global

408

preferences file.

409

410

=item Name Resolution (services)

411

412

The F<services> file is used to translate port numbers into names.

413

414

The file has the standard F<services> file syntax; each line contains one

415

(service) name and one transport identifier separated by white space. The

416

transport identifier includes one port number and one transport protocol name

417

(typically tcp, udp, or sctp) separated by a /.

An example is:

mydns 5045/udp # My own Domain Name Server

422

mydns 5045/tcp # My own Domain Name Server

423

424

=item Name Resolution (ipxnets)

425

426

The F<ipxnets> files are used to correlate 4-byte IPX network numbers to

427

names. First the global F<ipxnets> file is tried and if that address is not

428

found there the personal one is tried next.

429

430

The format is the same as the F<ethers>

431

file, except that each address is four bytes instead of six.

432

Additionally, the address can be represented as a single hexadecimal

433

number, as is more common in the IPX world, rather than four hex octets.

434

For example, these four lines are valid lines of an F<ipxnets> file:

C0.A8.2C.00 HR

c0-a8-1c-00 CEO

00:00:BE:EF IT_Server1

439

110f FileServer3

440

441

The global F<ipxnets> file is looked for in the F</etc> directory on

442

UNIX-compatible systems, and in the main installation directory (for

443

example, F<C:\Program Files\Wireshark>) on Windows systems.

444

445

The personal F<ipxnets> file is looked for in the same directory as the

446

personal preferences file.

=back

=head1 ENVIRONMENT VARIABLES

=over 4

=item WIRESHARK_APPDATA

455

456

On Windows, Wireshark normally stores all application data in %APPDATA% or

457

%USERPROFILE%. You can override the default location by exporting this

458

environment variable to specify an alternate location.

459

460

=item WIRESHARK_DEBUG_WMEM_OVERRIDE

461

462

Setting this environment variable forces the wmem framework to use the

463

specified allocator backend for *all* allocations, regardless of which

464

backend is normally specified by the code. This is mainly useful to developers

465

when testing or debugging. See I<README.wmem> in the source distribution for

466

details.

467

468

=item WIRESHARK_RUN_FROM_BUILD_DIRECTORY

469

470

This environment variable causes the plugins and other data files to be loaded

471

from the build directory (where the program was compiled) rather than from the

472

standard locations. It has no effect when the program in question is running

473

with root (or setuid) permissions on *NIX.

474

475

=item WIRESHARK_DATA_DIR

476

477

This environment variable causes the various data files to be loaded from

478

a directory other than the standard locations. It has no effect when the

479

program in question is running with root (or setuid) permissions on *NIX.

480

481

=item ERF_RECORDS_TO_CHECK

482

483

This environment variable controls the number of ERF records checked when

484

deciding if a file really is in the ERF format. Setting this environment

485

variable a number higher than the default (20) would make false positives

486

less likely.

487

488

=item IPFIX_RECORDS_TO_CHECK

489

490

This environment variable controls the number of IPFIX records checked when

491

deciding if a file really is in the IPFIX format. Setting this environment

492

variable a number higher than the default (20) would make false positives

493

less likely.

494

495

=item WIRESHARK_ABORT_ON_DISSECTOR_BUG

496

497

If this environment variable is set, B<Rawshark> will call abort(3)

498

when a dissector bug is encountered. abort(3) will cause the program to

499

exit abnormally; if you are running B<Rawshark> in a debugger, it

500

should halt in the debugger and allow inspection of the process, and, if

501

you are not running it in a debugger, it will, on some OSes, assuming

502

your environment is configured correctly, generate a core dump file.

503

This can be useful to developers attempting to troubleshoot a problem

504

with a protocol dissector.

505

506

=item WIRESHARK_ABORT_ON_TOO_MANY_ITEMS

507

508

If this environment variable is set, B<Rawshark> will call abort(3)

509

if a dissector tries to add too many items to a tree (generally this

510

is an indication of the dissector not breaking out of a loop soon enough).

511

abort(3) will cause the program to exit abnormally; if you are running

512

B<Rawshark> in a debugger, it should halt in the debugger and allow

513

inspection of the process, and, if you are not running it in a debugger,

514

it will, on some OSes, assuming your environment is configured correctly,

515

generate a core dump file. This can be useful to developers attempting to

516

troubleshoot a problem with a protocol dissector.

=back

=head1 SEE ALSO

wireshark-filter(4), wireshark(1), tshark(1), editcap(1), pcap(3), dumpcap(1),

523

text2pcap(1), pcap-filter(7) or tcpdump(8)

=head1 NOTES

B<Rawshark> is part of the B<Wireshark> distribution. The latest version of

528

B<Wireshark> can be found at L<https://www.wireshark.org>.

529

530

HTML versions of the Wireshark project man pages are available at:

531

L<https://www.wireshark.org/docs/man-pages>.

=head1 AUTHORS

B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as

536

well as using many other modules from B<Wireshark>; see the list of authors

537

in the B<Wireshark> man page for a list of authors of that code.

538

nexmon – Blame information for rev 1