seguridad/2.- Ejercicios/reto_seguridad/capturas/WiresharkPortable64/App/Wireshark/rawshark.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.17">
<title>rawshark(1)</title>
<link rel="stylesheet" href="./ws.css">
</head>
<body class="manpage">
<div id="header">
<h1>rawshark(1) Manual Page</h1>
<h2 id="_name">NAME</h2>
<div class="sectionbody">
<p>rawshark - Dump and analyze raw pcap data</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><span class="nowrap"><strong>rawshark</strong></span>
<span class="nowrap">[ <strong>-d</strong> &lt;encap:linktype&gt;|&lt;proto:protoname&gt; ]</span>
<span class="nowrap">[ <strong>-F</strong> &lt;field to display&gt; ]</span>
<span class="nowrap">[ <strong>-h</strong> ]</span>
<span class="nowrap">[ <strong>-l</strong> ]</span>
<span class="nowrap">[ <strong>-m</strong> &lt;bytes&gt; ]</span>
<span class="nowrap">[ <strong>-n</strong> ]</span>
<span class="nowrap">[ <strong>-N</strong> &lt;name resolving flags&gt; ]</span>
<span class="nowrap">[ <strong>-o</strong> &lt;preference setting&gt; ] &#8230;&#8203;</span>
<span class="nowrap">[ <strong>-p</strong> ]</span>
<span class="nowrap">[ <strong>-r</strong> &lt;pipe&gt;|- ]</span>
<span class="nowrap">[ <strong>-R</strong> &lt;read (display) filter&gt; ]</span>
<span class="nowrap">[ <strong>-s</strong> ]</span>
<span class="nowrap">[ <strong>-S</strong> &lt;field format&gt; ]</span>
<span class="nowrap">[ <strong>-t</strong> a|ad|adoy|d|dd|e|r|u|ud|udoy ]</span>
<span class="nowrap">[ <strong>-v</strong> ]</span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Rawshark</strong> reads a stream of packets from a file or pipe, and prints a line
describing its output, followed by a set of matching fields for each packet
on stdout.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_input">INPUT</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Unlike <strong>TShark</strong>, <strong>Rawshark</strong> makes no assumptions about encapsulation or
input. The <strong>-d</strong> and <strong>-r</strong> flags must be specified in order for it to run.
One or more <strong>-F</strong> flags should be specified in order for the output to be
useful. The other flags listed above follow the same conventions as
<strong>Wireshark</strong> and <strong>TShark</strong>.</p>
</div>
<div class="paragraph">
<p><strong>Rawshark</strong> expects input records with the following format by default. This
matches the format of the packet header and packet data in a pcap-formatted
file on disk.</p>
</div>
<div class="literalblock">
<div class="content">
<pre>struct rawshark_rec_s {
    uint32_t ts_sec;      /* Time stamp (seconds) */
    uint32_t ts_usec;     /* Time stamp (microseconds) */
    uint32_t caplen;      /* Length of the packet buffer */
    uint32_t len;         /* "On the wire" length of the packet */
    uint8_t data[caplen]; /* Packet data */
};</pre>
</div>
</div>
<div class="paragraph">
<p>If <strong>-p</strong> is supplied <strong>rawshark</strong> expects the following format.  This
matches the <em>struct pcap_pkthdr</em> structure and packet data used in
libpcap, Npcap, or WinPcap.  This structure&#8217;s format is platform-dependent; the
size of the <em>tv_sec</em> field in the <em>struct timeval</em> structure could be
32 bits or 64 bits.  For <strong>rawshark</strong> to work, the layout of the
structure in the input must match the layout of the structure in
<strong>rawshark</strong>.  Note that this format will probably be the same as the
previous format if <strong>rawshark</strong> is a 32-bit program, but will not
necessarily be the same if <strong>rawshark</strong> is a 64-bit program.</p>
</div>
<div class="literalblock">
<div class="content">
<pre>struct rawshark_rec_s {
    struct timeval ts;    /* Time stamp */
    uint32_t caplen;      /* Length of the packet buffer */
    uint32_t len;         /* "On the wire" length of the packet */
    uint8_t data[caplen]; /* Packet data */
};</pre>
</div>
</div>
<div class="paragraph">
<p>In either case, the endianness (byte ordering) of each integer must match the
system on which <strong>rawshark</strong> is running.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_output">OUTPUT</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If one or more fields are specified via the <strong>-F</strong> flag, <strong>Rawshark</strong> prints
the number, field type, and display format for each field on the first line
as "packet number" 0. For each record, the packet number, matching fields,
and a "1" or "0" are printed to indicate if the field matched any supplied
display filter. A "-" is used to signal the end of a field description and
at the end of each packet line. For example, the flags <strong>-F ip.src -F
 dns.qry.type</strong> might generate the following output:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 1 -
2 1="1" 0="192.168.77.250" 1 -
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -</pre>
</div>
</div>
<div class="paragraph">
<p>Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding <strong>-R "not dns"</strong> still prints each line, but there&#8217;s an indication
that packets 1 and 2 didn&#8217;t pass the filter:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
1 1="1" 0="192.168.77.10" 0 -
2 1="1" 0="192.168.77.250" 0 -
3 0="192.168.77.10" 1 -
4 0="74.125.19.104" 1 -</pre>
</div>
</div>
<div class="paragraph">
<p>Also note that the output may be in any order, and that multiple matching
fields might be displayed.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">-d  &lt;encapsulation&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Specify how the packet data should be dissected. The encapsulation is of the
form <em>type:value</em>, where <em>type</em> is one of:</p>
</div>
<div class="paragraph">
<p><strong>encap</strong>:<em>name</em> Packet data should be dissected using the
libpcap/Npcap/WinPcap data link type (DLT) <em>name</em>, e.g. <strong>encap:EN10MB</strong> for
Ethernet.  Names are converted using pcap_datalink_name_to_val().
A complete list of DLTs can be found at
<a href="https://www.tcpdump.org/linktypes.html" class="bare">https://www.tcpdump.org/linktypes.html</a>.</p>
</div>
<div class="paragraph">
<p><strong>encap</strong>:<em>number</em> Packet data should be dissected using the
libpcap/Npcap/WinPcap LINKTYPE_ <em>number</em>, e.g. <strong>encap:105</strong> for raw IEEE
802.11 or <strong>encap:101</strong> for raw IP.</p>
</div>
<div class="paragraph">
<p><strong>proto</strong>:<em>protocol</em> Packet data should be passed to the specified Wireshark
protocol dissector, e.g. <strong>proto:http</strong> for HTTP data.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-F  &lt;field to display&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Add the matching field to the output. Fields are any valid display filter
field. More than one <strong>-F</strong> flag may be specified, and each field can match
multiple times in a given packet. A single field may be specified per <strong>-F</strong>
flag. If you want to apply a display filter, use the <strong>-R</strong> flag.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-h</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print the version and options and exits.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-l</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Flush the standard output after the information for each packet is
printed.  (This is not, strictly speaking, line-buffered if <strong>-V</strong>
was specified; however, it is the same as line-buffered if <strong>-V</strong> wasn&#8217;t
specified, as only one line is printed for each packet, and, as <strong>-l</strong> is
normally used when piping a live capture to a program or script, so that
output for a packet shows up as soon as the packet is seen and
dissected, it should work just as well as true line-buffering.  We do
this as a workaround for a deficiency in the Microsoft Visual C++ C
library.)</p>
</div>
<div class="paragraph">
<p>This may be useful when piping the output of <strong>TShark</strong> to another
program, as it means that the program to which the output is piped will
see the dissected data for a packet as soon as <strong>TShark</strong> sees the
packet and generates that output, rather than seeing it only when the
standard output buffer containing that data fills up.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-m  &lt;memory limit bytes&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Limit rawshark&#8217;s memory usage to the specified number of bytes. POSIX
(non-Windows) only.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-n</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Disable network object name resolution (such as hostname, TCP and UDP port
names), the <strong>-N</strong> flag might override this one.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-N  &lt;name resolving flags&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Turn on name resolving only for particular types of addresses and port
numbers, with name resolving for other types of addresses and port
numbers turned off. This flag overrides <strong>-n</strong> if both <strong>-N</strong> and <strong>-n</strong> are
present. If both <strong>-N</strong> and <strong>-n</strong> flags are not present, all name resolutions are
turned on.</p>
</div>
<div class="paragraph">
<p>The argument is a string that may contain the letters:</p>
</div>
<div class="paragraph">
<p><strong>m</strong> to enable MAC address resolution</p>
</div>
<div class="paragraph">
<p><strong>n</strong> to enable network address resolution</p>
</div>
<div class="paragraph">
<p><strong>N</strong> to enable using external resolvers (e.g., DNS) for network address
resolution</p>
</div>
<div class="paragraph">
<p><strong>t</strong> to enable transport-layer port number resolution</p>
</div>
<div class="paragraph">
<p><strong>d</strong> to enable resolution from captured DNS packets</p>
</div>
<div class="paragraph">
<p><strong>v</strong> to enable VLAN IDs to names resolution</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-o  &lt;preference&gt;:&lt;value&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set a preference value, overriding the default value and any value read
from a preference file.  The argument to the option is a string of the
form <em>prefname:value</em>, where <em>prefname</em> is the name of the
preference (which is the same name that would appear in the preference
file), and <em>value</em> is the value to which it should be set.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-p</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Assume that packet data is preceded by a pcap_pkthdr struct as defined in
pcap.h. On some systems the size of the timestamp data will be different from
the data written to disk. On other systems they are identical and this flag has
no effect.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-r  &lt;pipe&gt;|-</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Read packet data from <em>input source</em>. It can be either the name of a FIFO
(named pipe) or ``-'' to read data from the standard input, and must have
the record format specified above.</p>
</div>
<div class="paragraph">
<p>If you are sending data to rawshark from a parent process on Windows you
should not close rawshark&#8217;s standard input handle prematurely, otherwise
the C runtime might trigger an exception.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-R  &lt;read (display) filter&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Cause the specified filter (which uses the syntax of read/display filters,
rather than that of capture filters) to be applied before printing the output.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-s</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Allows standard pcap files to be used as input, by skipping over the 24
byte pcap file header.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-S</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Use the specified format string to print each field. The following formats
are supported:</p>
</div>
<div class="paragraph">
<p><strong>%D</strong> Field name or description, e.g. "Type" for dns.qry.type</p>
</div>
<div class="paragraph">
<p><strong>%N</strong> Base 10 numeric value of the field.</p>
</div>
<div class="paragraph">
<p><strong>%S</strong> String value of the field.</p>
</div>
<div class="paragraph">
<p>For something similar to Wireshark&#8217;s standard display ("Type: A (1)") you
could use <strong>%D: %S (%N)</strong>.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-t  a|ad|adoy|d|dd|e|r|u|ud|udoy</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Set the format of the packet timestamp printed in summary lines.
The format can be one of:</p>
</div>
<div class="paragraph">
<p><strong>a</strong> absolute: The absolute time, as local time in your time zone,
is the actual time the packet was captured, with no date displayed</p>
</div>
<div class="paragraph">
<p><strong>ad</strong> absolute with date: The absolute date, displayed as YYYY-MM-DD,
and time, as local time in your time zone, is the actual time and date
the packet was captured</p>
</div>
<div class="paragraph">
<p><strong>adoy</strong> absolute with date using day of year: The absolute date,
displayed as YYYY/DOY, and time, as local time in your time zone,
is the actual time and date the packet was captured</p>
</div>
<div class="paragraph">
<p><strong>d</strong> delta: The delta time is the time since the previous packet was
captured</p>
</div>
<div class="paragraph">
<p><strong>dd</strong> delta_displayed: The delta_displayed time is the time since the
previous displayed packet was captured</p>
</div>
<div class="paragraph">
<p><strong>e</strong> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)</p>
</div>
<div class="paragraph">
<p><strong>r</strong> relative: The relative time is the time elapsed between the first packet
and the current packet</p>
</div>
<div class="paragraph">
<p><strong>u</strong> UTC: The absolute time, as UTC, is the actual time the packet was
captured, with no date displayed</p>
</div>
<div class="paragraph">
<p><strong>ud</strong> UTC with date: The absolute date, displayed as YYYY-MM-DD,
and time, as UTC, is the actual time and date the packet was captured</p>
</div>
<div class="paragraph">
<p><strong>udoy</strong> UTC with date using day of year: The absolute date, displayed
as YYYY/DOY, and time, as UTC, is the actual time and date the packet
was captured</p>
</div>
<div class="paragraph">
<p>The default format is relative.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-v</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print the version and exit.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_diagnostic_options">DIAGNOSTIC OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">--log-level &lt;level&gt;</dt>
<dd>
<p>Set the active log level.
Supported levels in lowest to highest order are "noisy", "debug", "info", "message", "warning", "critical", and "error".
Messages at each level and higher will be printed, for example "warning" prints "warning", "critical", and "error" messages and "noisy" prints all messages.
Levels are case insensitive.</p>
</dd>
<dt class="hdlist1">--log-fatal &lt;level&gt;</dt>
<dd>
<p>Abort the program if any messages are logged at the specified level or higher.
For example, "warning" aborts on any "warning", "critical", or "error" messages.</p>
</dd>
</dl>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">--log-domains &lt;list&gt;</dt>
<dd>
<p>Only print messages for the specified log domains, e.g. "GUI,Epan,sshdump".
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-debug &lt;list&gt;</dt>
<dd>
<p>Force the specified domains to log at the "debug" level.
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-noisy &lt;list&gt;</dt>
<dd>
<p>Force the specified domains to log at the "noisy" level.
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-file &lt;path&gt;</dt>
<dd>
<p>Write log messages and stderr output to the specified file.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_read_filter_syntax">READ FILTER SYNTAX</h2>
<div class="sectionbody">
<div class="paragraph">
<p>For a complete table of protocol and protocol fields that are filterable
in <strong>TShark</strong> see the <a href="wireshark-filter.html">wireshark-filter</a>(4) manual page.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_files">FILES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>These files contains various <strong>Wireshark</strong> configuration values.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Preferences</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>preferences</em> files contain global (system-wide) and personal
preference settings. If the system-wide preference file exists, it is
read first, overriding the default settings. If the personal preferences
file exists, it is read next, overriding any previous values. Note: If
the command line option <strong>-o</strong> is used (possibly more than once), it will
in turn override values from the preferences files.</p>
</div>
<div class="paragraph">
<p>The preferences settings are in the form <em>prefname:value</em>,
one per line,
where <em>prefname</em> is the name of the preference
and <em>value</em> is the value to
which it should be set; white space is allowed between <strong>:</strong> and
<em>value</em>.  A preference setting can be continued on subsequent lines by
indenting the continuation lines with white space.  A <strong>#</strong> character
starts a comment that runs to the end of the line:</p>
</div>
<div class="literalblock">
<div class="content">
<pre># Capture in promiscuous mode?
# TRUE or FALSE (case-insensitive).
capture.prom_mode: TRUE</pre>
</div>
</div>
<div class="paragraph">
<p>The global preferences file is looked for in the <em>wireshark</em> directory
under the <em>share</em> subdirectory of the main installation directory (for
example, <em>/usr/local/share/wireshark/preferences</em>) on UNIX-compatible
systems, and in the main installation directory (for example,
<em>C:\Program Files\Wireshark\preferences</em>) on Windows systems.</p>
</div>
<div class="paragraph">
<p>The personal preferences file is looked for in
<em>$XDG_CONFIG_HOME/wireshark/preferences</em>
(or, if <em>$XDG_CONFIG_HOME/wireshark</em> does not exist while <em>$HOME/.wireshark</em>
is present, <em>$HOME/.wireshark/preferences</em>) on
UNIX-compatible systems and <em>%APPDATA%\Wireshark\preferences</em> (or, if
%APPDATA% isn&#8217;t defined, <em>%USERPROFILE%\Application
 Data\Wireshark\preferences</em>) on Windows systems.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Disabled (Enabled) Protocols</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>disabled_protos</em> files contain system-wide and personal lists of
protocols that have been disabled, so that their dissectors are never
called.  The files contain protocol names, one per line, where the
protocol name is the same name that would be used in a display filter
for the protocol:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>http
tcp     # a comment</pre>
</div>
</div>
<div class="paragraph">
<p>The global <em>disabled_protos</em> file uses the same directory as the global
preferences file.</p>
</div>
<div class="paragraph">
<p>The personal <em>disabled_protos</em> file uses the same directory as the
personal preferences file.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (hosts)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If the personal <em>hosts</em> file exists, it is
used to resolve IPv4 and IPv6 addresses before any other
attempts are made to resolve them.  The file has the standard <em>hosts</em>
file syntax; each line contains one IP address and name, separated by
whitespace. The same directory as for the personal preferences file is
used.</p>
</div>
<div class="paragraph">
<p>Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and Npcap or WinPcap on Windows.  As such the Wireshark personal
<em>hosts</em> file will not be consulted for capture filter name resolution.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (subnets)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If an IPv4 address cannot be translated via name resolution (no exact
match is found) then a partial match is attempted via the <em>subnets</em> file.</p>
</div>
<div class="paragraph">
<p>Each line of this file consists of an IPv4 address, a subnet mask length
separated only by a / and a name separated by whitespace. While the address
must be a full IPv4 address, any values beyond the mask length are subsequently
ignored.</p>
</div>
<div class="paragraph">
<p>An example is:</p>
</div>
<div class="paragraph">
<p># Comments must be prepended by the # sign!
192.168.0.0/24 ws_test_network</p>
</div>
<div class="paragraph">
<p>A partially matched name will be printed as "subnet-name.remaining-address".
For example, "192.168.0.1" under the subnet above would be printed as
"ws_test_network.1"; if the mask length above had been 16 rather than 24, the
printed address would be ``ws_test_network.0.1".</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (ethers)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>ethers</em> files are consulted to correlate 6-byte hardware addresses to
names. First the personal <em>ethers</em> file is tried and if an address is not
found there the global <em>ethers</em> file is tried next.</p>
</div>
<div class="paragraph">
<p>Each line contains one hardware address and name, separated by
whitespace.  The digits of the hardware address are separated by colons
(:), dashes (-) or periods (.).  The same separator character must be
used consistently in an address. The following three lines are valid
lines of an <em>ethers</em> file:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>ff:ff:ff:ff:ff:ff          Broadcast
c0-00-ff-ff-ff-ff          TR_broadcast
00.00.00.00.00.00          Zero_broadcast</pre>
</div>
</div>
<div class="paragraph">
<p>The global <em>ethers</em> file is looked for in the <em>/etc</em> directory on
UNIX-compatible systems, and in the main installation directory (for
example, <em>C:\Program Files\Wireshark</em>) on Windows systems.</p>
</div>
<div class="paragraph">
<p>The personal <em>ethers</em> file is looked for in the same directory as the personal
preferences file.</p>
</div>
<div class="paragraph">
<p>Capture filter name resolution is handled by libpcap on UNIX-compatible
systems and Npcap or WinPcap on Windows.  As such the Wireshark personal
<em>ethers</em> file will not be consulted for capture filter name resolution.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (manuf)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>manuf</em> file is used to match the 3-byte vendor portion of a 6-byte
hardware address with the manufacturer&#8217;s name; it can also contain well-known
MAC addresses and address ranges specified with a netmask.  The format of the
file is the same as the <em>ethers</em> files, except that entries of the form:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>00:00:0C      Cisco</pre>
</div>
</div>
<div class="paragraph">
<p>can be provided, with the 3-byte OUI and the name for a vendor, and
entries such as:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>00-00-0C-07-AC/40     All-HSRP-routers</pre>
</div>
</div>
<div class="paragraph">
<p>can be specified, with a MAC address and a mask indicating how many bits
of the address must match. The above entry, for example, has 40
significant bits, or 5 bytes, and would match addresses from
00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
multiple of 8.</p>
</div>
<div class="paragraph">
<p>The <em>manuf</em> file is looked for in the same directory as the global
preferences file.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (services)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>services</em> file is used to translate port numbers into names.</p>
</div>
<div class="paragraph">
<p>The file has the standard <em>services</em> file syntax; each line contains one
(service) name and one transport identifier separated by white space.  The
transport identifier includes one port number and one transport protocol name
(typically tcp, udp, or sctp) separated by a /.</p>
</div>
<div class="paragraph">
<p>An example is:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>mydns       5045/udp     # My own Domain Name Server
mydns       5045/tcp     # My own Domain Name Server</pre>
</div>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Name Resolution (ipxnets)</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The <em>ipxnets</em> files are used to correlate 4-byte IPX network numbers to
names. First the global <em>ipxnets</em> file is tried and if that address is not
found there the personal one is tried next.</p>
</div>
<div class="paragraph">
<p>The format is the same as the <em>ethers</em>
file, except that each address is four bytes instead of six.
Additionally, the address can be represented as a single hexadecimal
number, as is more common in the IPX world, rather than four hex octets.
For example, these four lines are valid lines of an <em>ipxnets</em> file:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>C0.A8.2C.00              HR
c0-a8-1c-00              CEO
00:00:BE:EF              IT_Server1
110f                     FileServer3</pre>
</div>
</div>
<div class="paragraph">
<p>The global <em>ipxnets</em> file is looked for in the <em>/etc</em> directory on
UNIX-compatible systems, and in the main installation directory (for
example, <em>C:\Program Files\Wireshark</em>) on Windows systems.</p>
</div>
<div class="paragraph">
<p>The personal <em>ipxnets</em> file is looked for in the same directory as the
personal preferences file.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_environment_variables">ENVIRONMENT VARIABLES</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">WIRESHARK_CONFIG_DIR</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable overrides the location of personal configuration
files. It defaults to <em>$XDG_CONFIG_HOME/wireshark</em> (or <em>$HOME/.wireshark</em> if
the former is missing while the latter exists). On Windows,
<em>%APPDATA%\Wireshark</em> is used instead. Available since Wireshark 3.0.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_DEBUG_WMEM_OVERRIDE</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Setting this environment variable forces the wmem framework to use the
specified allocator backend for <strong>all</strong> allocations, regardless of which
backend is normally specified by the code. This is mainly useful to developers
when testing or debugging. See <em>README.wmem</em> in the source distribution for
details.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_RUN_FROM_BUILD_DIRECTORY</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable causes the plugins and other data files to be loaded
from the build directory (where the program was compiled) rather than from the
standard locations.  It has no effect when the program in question is running
with root (or setuid) permissions on *NIX.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_DATA_DIR</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable causes the various data files to be loaded from
a directory other than the standard locations.  It has no effect when the
program in question is running with root (or setuid) permissions on *NIX.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">ERF_RECORDS_TO_CHECK</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable controls the number of ERF records checked when
deciding if a file really is in the ERF format.  Setting this environment
variable a number higher than the default (20) would make false positives
less likely.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">IPFIX_RECORDS_TO_CHECK</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This environment variable controls the number of IPFIX records checked when
deciding if a file really is in the IPFIX format.  Setting this environment
variable a number higher than the default (20) would make false positives
less likely.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_ABORT_ON_DISSECTOR_BUG</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If this environment variable is set, <strong>Rawshark</strong> will call abort(3)
when a dissector bug is encountered.  abort(3) will cause the program to
exit abnormally; if you are running <strong>Rawshark</strong> in a debugger, it
should halt in the debugger and allow inspection of the process, and, if
you are not running it in a debugger, it will, on some OSes, assuming
your environment is configured correctly, generate a core dump file.
This can be useful to developers attempting to troubleshoot a problem
with a protocol dissector.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">WIRESHARK_ABORT_ON_TOO_MANY_ITEMS</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If this environment variable is set, <strong>Rawshark</strong> will call abort(3)
if a dissector tries to add too many items to a tree (generally this
is an indication of the dissector not breaking out of a loop soon enough).
abort(3) will cause the program to exit abnormally; if you are running
<strong>Rawshark</strong> in a debugger, it should halt in the debugger and allow
inspection of the process, and, if you are not running it in a debugger,
it will, on some OSes, assuming your environment is configured correctly,
generate a core dump file.  This can be useful to developers attempting to
troubleshoot a problem with a protocol dissector.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="wireshark-filter.html">wireshark-filter</a>(4), <a href="wireshark.html">wireshark</a>(1), <a href="tshark.html">tshark</a>(1), <a href="editcap.html">editcap</a>(1), <a href="https://www.tcpdump.org/manpages/pcap.3pcap.html">pcap</a>(3), <a href="dumpcap.html">dumpcap</a>(1),
<a href="text2pcap.html">text2pcap</a>(1), <a href="https://www.tcpdump.org/manpages/pcap-filter.7.html">pcap-filter</a>(7) or <a href="https://www.tcpdump.org/manpages/tcpdump.1.html">tcpdump</a>(8)</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_notes">NOTES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This is the manual page for <strong>Rawshark</strong> 4.0.5.
<strong>Rawshark</strong> is part of the <strong>Wireshark</strong> distribution.
The latest version of <strong>Wireshark</strong> can be found at <a href="https://www.wireshark.org" class="bare">https://www.wireshark.org</a>.</p>
</div>
<div class="paragraph">
<p>HTML versions of the Wireshark project man pages are available at
<a href="https://www.wireshark.org/docs/man-pages" class="bare">https://www.wireshark.org/docs/man-pages</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_authors">AUTHORS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Rawshark</strong> uses the same packet dissection code that <strong>Wireshark</strong> does, as
well as using many other modules from <strong>Wireshark</strong>; see the list of authors
in the <strong>Wireshark</strong> man page for a list of authors of that code.</p>
</div>
</div>
</div>
</div>
</body>
</html>