
ETHERFIND(8C)  —  MAINTENANCE COMMANDS

NAME

etherfind − find packets on Ethernet

SYNOPSIS

etherfind [ −nprtuvx ] [ −c count ] [ −i interface ] [ −l length ] expression

AVAILABILITY

This program is available with the Networking Tools and Programs software installation option.  Refer to Installing the SunOS for information on how to install optional software. 

DESCRIPTION

etherfind prints out information about packets on the ethernet that match the boolean expression. The short display, without the −v option, shows only the destination and source (with port numbers).  When an internet packet is fragmented into more than one ethernet packet, all fragments except the first are marked with an asterisk.  With the −v option, the display is much more verbose, giving a trace that is suitable for analyzing many network problems.  You must be root to invoke etherfind.

OPTIONS

−n Do not convert host addresses and port numbers to names. 

−p Normally, the selected interface is put into promiscuous mode, so that etherfind has access to all packets on the ethernet.  However, when the −p flag is used, the interface will not go promiscuous. 

−r RPC mode: treat each packet as an RPC message, printing the program and procedure numbers. Routing packets are also more fully decoded using this option, and Yellow Pages and NFS requests have their arguments printed. 

−t Timestamps: precede each packet listing with a time value in seconds and hundredths of seconds since the first packet. 

−u Make the output line buffered. 

−v Verbose mode: print out some of the fields of TCP and UDP packets. 

−x Dump the packet in hex, in addition to the line printed for each packet by default. Use the −l option to limit this printout.

−c count
Exit after receiving count packets.  This is sometimes useful for dumping a sample of ethernet traffic to a file for later analysis. 

−i interface
etherfind listens on interface. The program netstat(8C), when invoked with the −i flag, lists all the interfaces that a machine has.

−l length
Use with the −x option to limit the number of bytes printed out. 

expression

The syntax of expression is similar to that used by find(1).  Here are the allowable primaries.

dst destination
True if the destination field of the packet is destination, which may be either an address or a name.

src source
True if the source field of the packet is source, which may be either an address or a name.

host name
True if either the source or the destination of the packet is name.

between host1 host2
True if either the source of the packet is host1 and the destination host2, or the source is host2 and the destination host1.

dstnet destination
True if the destination field of the packet has a network part of destination, which may be either an address or a name.

srcnet source
True if the source field of the packet has a network part of source, which may be either an address or a name.

srcport port
True if the packet has a source port value of port. The packet must be either udp or tcp (see tcp(4P), udp(4P)).  The port can be a number or a name used in /etc/services.

dstport port
True if the packet has a destination port value of port. The port can be a number or a name. 

less length
True if the packet has a length less than or equal to length.

greater length
True if the packet has a length greater than or equal to length.

proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, udp, nd, or tcp. 

byte byte op value
True if byte number byte of the packet is in relation op to value. Legal values for op are =, <, >, &, and |.  Thus 4=6 is true if the fourth byte of the packet has the value 6, and 20&0xf is true if byte twenty has one of its four low order bits nonzero.

broadcast
True if the packet is a broadcast packet.

arp True if the packet is an arp packet (see arp(4P)).

rarp True if the packet is a rarp packet. 

ip True if the packet is an ip packet. 

decnet
True if the packet is a Sunlink/DNI packet.

apple True if the packet is an AppleTalk protocol packet. 

The primaries may be combined using the following operators (in order of decreasing precedence):

A parenthesized group of primaries and operators (parentheses are special to the Shell and must be escaped). 

The negation of a primary (‘not’ is the unary not operator). 

Concatenation of primaries (the and operation is implied by the juxtaposition of two primaries, or can be specified with ‘and’). 

Alternation of primaries (‘or’ is the or operator). 

EXAMPLE

To find all packets arriving at or departing from sundown, or with the icmp protocol:

example% etherfind host sundown or proto icmp
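As an added illustration, not part of the manual and not Sun's code, here is a small Python evaluator for the expression grammar above: it parses a subset of the primaries, the explicit or juxtaposition-implied ‘and’, ‘or’, ‘not’ and (already unescaped) parentheses with the precedence the manual lists, and runs the EXAMPLE filter over constructed packet records. The packet fields, the host names and the ‘src>dst’ output form are assumptions of this example.

```python
# Constructed sample packets (not real captures); "ether" is the link-level frame type.
PACKETS = [
    dict(src="sundown", dst="gateway", ether="ip", proto="tcp", dport=23, len=60),
    dict(src="mars", dst="venus", ether="ip", proto="icmp", dport=None, len=84),
    dict(src="mars", dst="sundown", ether="ip", proto="udp", dport=111, len=200),
    dict(src="mars", dst="broadcast", ether="arp", proto=None, dport=None, len=42),
]
# keyword -> (argument count, builder returning a predicate over one packet)
PRIMARIES = {
    "dst": (1, lambda a: lambda p: p["dst"] == a[0]),
    "src": (1, lambda a: lambda p: p["src"] == a[0]),
    "host": (1, lambda a: lambda p: a[0] in (p["src"], p["dst"])),
    "between": (2, lambda a: lambda p: {p["src"], p["dst"]} == set(a)),
    "dstport": (1, lambda a: lambda p: p["dport"] == int(a[0])),
    "proto": (1, lambda a: lambda p: p["ether"] == "ip" and p["proto"] == a[0]),
    "arp": (0, lambda a: lambda p: p["ether"] == "arp"),
}

def parse(expression):  # precedence as the manual lists it: ( ) > not > and/juxtaposition > or
    toks = expression.replace("(", " ( ").replace(")", " ) ").split()  # shell escapes already gone
    def parse_or():
        left = parse_and()
        while toks[:1] == ["or"]:
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left
    def parse_and():  # 'and' may be written out or merely implied by juxtaposition
        left = parse_not()
        while toks and toks[0] not in ("or", ")"):
            if toks[0] == "and": toks.pop(0)
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left
    def parse_not():
        if toks[:1] == ["not"]:
            toks.pop(0)
            return (lambda inner: lambda p: not inner(p))(parse_not())
        return parse_primary()
    def parse_primary():
        tok = toks.pop(0)
        if tok == "(":
            inner = parse_or()
            if toks.pop(0) != ")": raise SyntaxError("missing )")
            return inner
        nargs, build = PRIMARIES[tok]  # KeyError for a keyword this example does not model
        return build([toks.pop(0) for _ in range(nargs)])
    pred = parse_or()
    if toks: raise SyntaxError("trailing token %r" % toks[0])
    return pred

def select(expression, packets=PACKETS):  # 'src>dst' for every packet the expression matches
    pred = parse(expression)
    return [p["src"] + ">" + p["dst"] for p in packets if pred(p)]
```

Running `select("host sundown or proto icmp")` selects three of the four constructed packets; the expression `host sundown and dstport 23 or proto icmp` shows that juxtaposition and ‘and’ bind tighter than ‘or’.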

SEE ALSO

find(1), traffic(1C), arp(4P), ip(4P), nit(4P), tcp(4P), udp(4P), netstat(8C)

BUGS

The syntax is painful. 

Sun Release 4.0  —  Last change: 22 March 1989
