Using Command Line Options
|
| < Day Day Up > |
|
Ethereal supports a large number of command line options to control its behavior when first run. This section will document some of the most commonly used options. Several of the other options are used to manipulate certain aspects of the GUI (font, height of Summary Window, Protocol Tree Window, Data Window, etc.) or set elements like link type or automatic scrolling. However, these options are not as common and will not be covered in this section.
Capture and File Options
The most commonly used Ethereal options are those related to captures and files. Table 4.18 lists some of the most common command line options related to these tasks.
| Command Line Option | Description |
|---|---|
| -i <interface> | Set the name of the interface used for live captures to <inteface>. |
| -k | Start capture immediately. This requires the –i option. |
| -a <test>:<value> | Sets an autostop condition for the capture. <test> may be one of duration or filesize. If the <test> is duration then <value> must be the number of seconds the capture should run before it stops. If <test> is filesize then <value> is the number of kilobytes that should be captured before the capture stops. |
| -c <count> | Sets the number of packets to read before stopping the capture. After <count> packets have been read the capture will stop. |
| -r <filename> | Read the capture saved in <filename>. |
| -w <filename> | Write the capture to <filename>. |
| -b <count> | Enable the use of <count> files in a ring buffer for captures. A maximum capture size must be specified with the –a filesize:<value> option. |
To start capturing immediately on interface eth0 and write the results to a ring buffer with 3 files of maximum size 100 kilobytes with base filename foo.bar.libpcap you would execute the following at the command line:
ethereal –i eth0 –k –w foo.bar.libpcap –b 3 –a filesize:100
Filter Options
Ethereal will allow you to specify filter information from the command line as well. Table 4.19 lists some of the most commonly used filter related command line options.
| Command Line Option | Description |
|---|---|
| -f <capture filter > | Set the tcpdump style capture filter string to <filter string>. |
| -R <display filter> | Only applicable when reading a capture from a file with the –r option. Applies the display filter <display filter> to all packets in the capture file and discard those that do not match. |
To extract all packets from a capture file bgp.pcap.gz with bgp.type == 2, you would execute the following at the command line:
ethereal –r bgp.pcap.gz –R "bgp.type == 2"
Other Options
Other commonly used options are shown in Table 4.20.
| Command Line Option | Description |
|---|---|
| -N <flags> | Turns on name resolution. Depending on which letters follow –N, various names will be resolved by Ethereal. n will cause network name resolution to be turned on, t will enable transport name resolution, m will enable MAC address resolution, and C will enable asynchronous DNS lookups for network name resolution. |
| -v | Print the Ethereal version information. |
| -h | Print Ethereal’s help information. |
|
| < Day Day Up > |
|
EAN: 2147483647
Pages: 105