Manual: (SunOS-4.1.3)

ETHERFIND(8C)                                                    ETHERFIND(8C)



NAME
       etherfind - find packets on Ethernet

SYNOPSIS
       etherfind [ -d ] [ -n ] [ -p ] [ -r ] [ -t ] [ -u ] [ -v ]
            [ -x ] [ -c count ] [ -i interface ] [ -l length ]
            expression

AVAILABILITY
       This  program  is  available  with the Networking software installation
       option.  Refer to for information on how to install optional software.

DESCRIPTION
       etherfind prints out the information about packets on the ethernet that
       match  the  boolean  expression.   The  short  display,  without the -v
       option, displays only the destination and source (with port  numbers).
       When  an  Internet  packet  is  fragmented  into more than one ethernet
       packet, all fragments except the first are  marked  with  an  asterisk.
       With  the  -v  option, the display is much more verbose, giving a trace
       that is suitable for analyzing many network problems.  You must be root
       to invoke etherfind.

OPTIONS
       -d     Print the number of dropped packets.  Not necessarily reliable.

       -n     Do not convert host addresses and port numbers to names.

       -p     Normally,  the  selected interface is put into promiscuous mode,
              so that etherfind has access to all  packets  on  the  ethernet.
              However,  when  the  -p  flag is used, the interface will not go
              promiscuous.

       -r     RPC mode: treat each packet as an RPC message, printing the pro-
              gram  and procedure numbers. Routing packets are also more fully
              decoded using this option, and Network Information Service (NIS)
              and NFS requests have their arguments printed.

       -t     Timestamps:  precede  each  packet  listing with a time value in
              seconds and hundredths of seconds since the first packet.

       -u     Make the output line buffered.

       -v     Verbose mode: print out some of the fields of TCP and UDP  pack-
              ets.

       -x     Dump the packet in hex, in addition to the line printed for each
              packet by default.  Use the -l option to limit this printout.

       -c count
              Exit after receiving count packets.  This  is  sometimes  useful
              for  dumping  a  sample  of ethernet traffic to a file for later
              analysis.

       -i interface
              etherfind listens on interface.  The  program  netstat(8C)  when
              invoked with the -i flag lists all the interfaces that a machine
              has.

       -l length
              Use with the -x option to limit the number of bytes printed out.

       expression
              The syntax of expression is similar to  that  used  by  find(1).
              Here are the allowable primaries.

              dst destination
                     True  if  the destination field of the packet is destina-
                     tion, which may be either an address or a name.

              src source
                     True if the source field of the packet is  source,  which
                     may be either an address or a name.

              host name
                     True  if  either  the  source  or  the destination of the
                     packet is name.

              between host1 host2
                     True if either the source of the packet is host1 and  the
                     destination  host2, or the source is host2 and the desti-
                     nation host1.

              dstnet destination
                     True if the destination field of the packet has a network
                     part  of destination, which may be either an address or a
                     name.

              srcnet source
                     True if the source field of the packet has a network part
                     of source, which may be either an address or a name.

              srcport port
                     True if the packet has a source port value of port.  This
                     will check the source port value of  either  UDP  or  TCP
                     packets (see tcp(4P) and udp(4P)).  The port can  be  a
                     number or a name used in /etc/services.

              dstport port
                     True if the packet has a destination port value of  port.
                     The port can be a number or a name.

              less length
                     True  if  the  packet  has a length less than or equal to
                     length.

              greater length
                     True if the packet has a length greater than or equal  to
                     length.

              -proto protocol
                     True if the packet is an IP packet (see ip(4P)) of proto-
                     col type protocol.  Protocol can be a number  or  one  of
                     the names icmp, udp, nd, or tcp.

              byte byte op value
                     True  if byte number byte of the packet is in relation op
                     to value.  Legal values for op are +, <, >, &, and |.
                     Thus 4=6 is true if the fourth byte of the packet has the
                     value 6, and 20&0xf is true if byte twenty has one of its
                     four low order bits nonzero.

              broadcast
                     True if the packet is a broadcast packet.

              arp    True if the packet is an ARP packet (see arp(4P)).

              rarp   True if the packet is a rarp packet.

              -ip    True if the packet is an IP packet.

              -decnet
                     True if the packet is a DECNET packet.

              -apple True if the packet is an AppleTalk protocol packet.

       The  primaries  may be combined using the following operators (in order
       of decreasing precedence):

              A parenthesized group of primaries  and  operators  (parentheses
              are special to the Shell and must be escaped).

              The negation of a primary (`not' is the unary not operator).

              Concatenation  of primaries (the and operation is implied by the
              juxtaposition of two primaries, or can be specified with `and').

              Alternation of primaries (`or' is the or operator).

EXAMPLE
       To find all packets arriving at or departing from the host sundown,  or
       that are ICMP packets:
              example%  etherfind host sundown or proto icmp
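
       The operator precedence listed above (parentheses, then not, then
       the implied and of juxtaposition, then or) can be seen in a small
       evaluator.  This is an added example, not code from the original
       page or from Sun: match and SAMPLE are hypothetical names, packets
       are constructed dictionaries, only a subset of the primaries is
       handled, ports must be numeric, and host names are compared as
       plain strings.

```python
# Added illustration, not Sun's code. SAMPLE is a constructed packet.
SAMPLE = {"src": "sundown", "dst": "dusk", "proto": "tcp", "dstport": 23, "len": 60}

def match(expr, pkt):
    toks = expr.replace("(", " ( ").replace(")", " ) ").split() + [None]
    pos = 0
    def take():                   # consume one token, never past the end
        nonlocal pos
        if toks[pos] is None:
            raise ValueError("unexpected end of expression")
        pos += 1
        return toks[pos - 1]
    def primary():
        name, arg = take(), take()
        if name == "host":
            return arg in (pkt["src"], pkt["dst"])
        if name in ("src", "dst", "proto", "srcport", "dstport"):
            return name in pkt and str(pkt[name]) == arg
        if name in ("less", "greater"):       # both bounds are inclusive
            return pkt["len"] <= int(arg) if name == "less" else pkt["len"] >= int(arg)
        raise ValueError("unsupported primary: " + name)
    def unary():                  # parentheses and `not` bind tightest
        if toks[pos] == "not":
            take()
            return not unary()
        if toks[pos] != "(":
            return primary()
        take()
        val = either()
        if take() != ")":
            raise ValueError("expected )")
        return val
    def both():                   # `and`, or plain juxtaposition
        val = unary()
        while toks[pos] not in (None, "or", ")"):
            if toks[pos] == "and":
                take()
            val = unary() and val     # parse first so tokens are always consumed
        return val
    def either():                 # `or` binds loosest
        val = both()
        while toks[pos] == "or":
            take()
            val = both() or val
        return val
    result = either()
    if toks[pos] is not None:
        raise ValueError("unexpected token: " + toks[pos])
    return result
```

       On the etherfind command line the parentheses would need to be
       escaped from the shell, as noted above; here the expression is an
       ordinary Python string.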

SEE ALSO
       find(1), traffic(1C), arp(4P), ip(4P), nit(4P), tcp(4P), udp(4P),
       netstat(8C)

BUGS
       The syntax is painful.

NOTES
       The Network Information Service (NIS) was formerly known as Sun  Yellow
       Pages  (YP).   The  functionality of the two remains the same; only the
       name has changed.



                                 16 June 1989                    ETHERFIND(8C)