.Dd November 16, 1998 .Dt ETHER-UNPACK 1 .Os NetBSD 1.3F .Sh NAME .Nm ether-unpack .Nd Ethernet (and other) packet unpacker .Sh SYNOPSIS .Nm .Op Fl h Ar size .Op Fl ip .Op Fl rpc .Op Fl conn .Op Fl format Ar format .Sh DESCRIPTION .Nm is designed to unpack network packets from the sort of hexadecimal format produced by tools such as .Xr tcpdump 1 on NetBSD and other 4.4-derived systems, .Xr etherfind 1 under SunOS, or .\".Xr snoop snoop on Solaris (though snoop output is currently not directly supported). .Pp .Nm reads packet data from its standard input, printing unpacked packets to its standard output. By default, the input is examined to see what type of tool appears to have produced it; this can be overridden with the .Fl format flag. (The list of recognized formats can be obtained by specifying .Fl format Ar list . ) .Nm can also handle .Sq raw packet data, which consists of lines of hexadecimal bytes giving packet contents; lines consisting entirely of whitespace, or lines that do not have two hexadecimal digits following possible initial whitespace, are taken as inter-packet separators. (Use .Sq Fl format Ar raw to handle raw data.) .Pp .Fl h can be used to specify that the packet contents include a fixed-size header that is to be ignored. .Pp .Fl ip and .Fl rpc specify that the packets are just the IP, or just the RPC, portion of the packet, that any outer encapsulation has already been stripped off. In particular, when using .Nm with stock .Xr tcpdump 1 , you will often need .Fl ip , because .Xr tcpdump 1 usually strips off everything outside the IP layer for IP packets. (Unfortunately when printing both IP and non-IP packets, it strips the outer layers for IP packets but not the others. .Nm makes no attempt to compensate for this braindamage, taking the view that it's tcpdump's fault for producing inconsistent output. .Xr etherfind 8 does not have this problem \- one of the few things SunOS does better than BSD.) .Pp .Fl conn causes .Nm to track TCP connections and unpack their data streams distinctively, producing lines beginning .Sq =TCP= showing data flow. .Sh AUTHOR der Mouse, .Aq mouse@rodents.montreal.qc.ca .