etherfind - find packets on Ethernet
etherfind [ -d ] [ -n ] [ -p ] [ -r ] [ -t ] [ -u ] [ -v ]
[ -x ] [ -c count ] [ -i interface ] [ -l length ]
This program is available with the Networking software installation
option. Refer to for information on how to install optional software.
etherfind prints out information about packets on the Ethernet that
match the boolean expression. The short display, without the -v
option, shows only the destination and source (with port numbers).
When an Internet packet is fragmented into more than one Ethernet
packet, all fragments except the first are marked with an asterisk.
With the -v option, the display is much more verbose, giving a trace
that is suitable for analyzing many network problems. You must be root
to invoke etherfind.
-d Print the number of dropped packets. Not necessarily reliable.
-n Do not convert host addresses and port numbers to names.
-p Normally, the selected interface is put into promiscuous mode,
so that etherfind has access to all packets on the ethernet.
However, when the -p flag is used, the interface will not go
-r RPC mode: treat each packet as an RPC message, printing the
program and procedure numbers. Routing packets are also more fully
decoded using this option, and Network Information Service (NIS)
and NFS requests have their arguments printed.
-t Timestamps: precede each packet listing with a time value in
seconds and hundredths of seconds since the first packet.
-u Make the output line buffered.
-v Verbose mode: print out some of the fields of TCP and UDP pack-
-x Dump the packet in hex, in addition to the line printed for each
packet by default. Use the -l option to limit this printout.
-c count Exit after receiving count packets. This is sometimes useful
for dumping a sample of Ethernet traffic to a file for later
-i interface etherfind listens on interface. The program netstat(8C) when
invoked with the -i flag lists all the interfaces that a machine
-l length Use with the -x option to limit the number of bytes printed out.
The syntax of expression is similar to that used by find(1).
Here are the allowable primaries.
True if the destination field of the packet is destination,
which may be either an address or a name.
True if the source field of the packet is source, which
may be either an address or a name.
True if either the source or the destination of the
packet is name.
between host1 host2
True if either the source of the packet is host1 and the
destination host2, or the source is host2 and the desti-
True if the destination field of the packet has a network
part of destination, which may be either an address or a
True if the source field of the packet has a network part
of source, which may be either an address or a name.
True if the packet has a source port value of port. This
will check the source port value of either UDP or TCP
packets (see tcp(4P) and udp(4P)). The port can be a
number or a name used in /etc/services.
True if the packet has a destination port value of port.
The port can be a number or a name.
True if the packet has a length less than or equal to
True if the packet has a length greater than or equal to
True if the packet is an IP packet (see ip(4P)) of protocol
type protocol. Protocol can be a number or one of
the names icmp, udp, nd, or tcp.
byte byte op value
True if byte number byte of the packet is in relation op
to value. Legal values for op are =, <, >, &, and |.
Thus 4=6 is true if the fourth byte of the packet has the
value 6, and 20&0xf is true if byte twenty has one of its
four low order bits nonzero.
True if the packet is a broadcast packet.
arp True if the packet is an ARP packet (see arp(4P)).
rarp True if the packet is a RARP packet.
ip True if the packet is an IP packet.
True if the packet is a DECNET packet.
apple True if the packet is an AppleTalk protocol packet.
The primaries may be combined using the following operators (in order
of decreasing precedence):
A parenthesized group of primaries and operators (parentheses
are special to the Shell and must be escaped).
The negation of a primary (`not' is the unary not operator).
Concatenation of primaries (the and operation is implied by the
juxtaposition of two primaries, or can be specified with `and').
Alternation of primaries (`or' is the or operator).
To find all packets arriving at or departing from the host sundown, or
that are ICMP packets:
example% etherfind host sundown or proto icmp
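As an added illustration, not part of this manual page or of etherfind itself, the following Python evaluator implements a subset of the expression language described above: the byte and broadcast primaries, and the not, and (juxtaposition or `and`) and or operators with the precedence listed, run over a constructed Ethernet frame. The whitespace tokenization, 1-based byte numbering, and the reading of `&` and `|` as "result is nonzero" are assumptions made for this example.

```python
import re

# Constructed sample frame (not a capture): broadcast destination MAC,
# a made-up source MAC, EtherType 0x0800, then a few IP header bytes.
FRAME = bytes.fromhex("ffffffffffff" "00aabbccddee" "0800" "45000034abcd40004006")

# Relations for the "byte N op value" primary; & and | taken as "nonzero" (assumption).
OPS = {"=": lambda b, v: b == v, "<": lambda b, v: b < v, ">": lambda b, v: b > v,
       "&": lambda b, v: (b & v) != 0, "|": lambda b, v: (b | v) != 0}
BYTE_RE = re.compile(r"^(\d+)([=<>&|])(.+)$")   # e.g. 4=6 or 20&0xf

def _primary(tokens, frame):
    tok = tokens.pop(0)
    if tok == "(":                                # parenthesized group
        val = _or(tokens, frame)
        if not tokens or tokens.pop(0) != ")":
            raise SyntaxError("missing )")
        return val
    if tok == "not":                              # unary not binds tightest
        return not _primary(tokens, frame)
    if tok == "broadcast":                        # all-ones destination MAC
        return frame[:6] == b"\xff" * 6
    if tok == "byte":
        m = BYTE_RE.match(tokens.pop(0))
        if not m:
            raise SyntaxError("bad byte primary")
        idx, op, val = int(m.group(1)), m.group(2), int(m.group(3), 0)
        # 1-based byte number (assumption); out-of-range bytes never match
        return 1 <= idx <= len(frame) and OPS[op](frame[idx - 1], val)
    raise SyntaxError("unknown primary %r" % tok)

def _and(tokens, frame):                          # juxtaposition or explicit 'and'
    val = _primary(tokens, frame)
    while tokens and tokens[0] not in ("or", ")"):
        if tokens[0] == "and":
            tokens.pop(0)
        rhs = _primary(tokens, frame)             # always parsed, to consume tokens
        val = val and rhs
    return val

def _or(tokens, frame):                           # lowest precedence
    val = _and(tokens, frame)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        rhs = _and(tokens, frame)
        val = val or rhs
    return val

def matches(expr, frame):
    tokens = expr.replace("\\", "").split()       # accept shell-escaped \( and \)
    val = _or(tokens, frame)
    if tokens:
        raise SyntaxError("unexpected token %r" % tokens[0])
    return val
```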
find(1), traffic(1C), arp(4P), ip(4P), nit(4P), tcp(4P), udp(4P), net-
The syntax is painful.
The Network Information Service (NIS) was formerly known as Sun Yellow
Pages (YP). The functionality of the two remains the same; only the
name has changed.
16 June 1989 ETHERFIND(8C)