Add rawshark, a utility that, when given raw pcap-formatted packets and

a list of fields, prints the field values found in each packet.

Packet data can be specified as a libpcap DLT, e.g. "EN10MB" or an upper-layer protocol, e.g. "http".

svn path=/trunk/; revision=24339

1 files changed, 1504 insertions, 0 deletions

diff --git a/doc/rawshark.pod b/doc/rawshark.pod
new file mode 100644
index 0000000000..2724e85616
--- /dev/null
+++ b/doc/rawshark.pod
@@ -0,0 +1,1504 @@
+
+=head1 NAME
+
+rawshark - Dump and analyze raw libpcap data
+
+=head1 SYNOPSYS
+
+B<rawshark>
+S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]>
+S<[ B<-F> E<lt>field to displayE<gt> ]>
+S<[ B<-h> ]>
+S<[ B<-l> ]>
+S<[ B<-n> ]>
+S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
+S<[ B<-o> E<lt>preference settingE<gt> ] ...>
+S<[ B<-r> E<lt>infile or pipeE<gt> ]>
+S<[ B<-R> E<lt>read (display) filterE<gt> ]>
+S<[ B<-S> E<lt>field formatE<gt> ]>
+S<[ B<-t> ad|a|r|d|e ]>
+S<[ B<-v> ]>
+
+=head1 DESCRIPTION
+
+B<Rawshark> reads a stream of packets from a file or pipe, and prints a line
+describing its output, followed by a set of matching fields for each packet
+on stdout.
+
+=head1 INPUT
+
+Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or
+input. The B<-d> and B<-r> flags must be specified in order for it to run.
+One or more B<-F> flags should be specified in order for the output to be
+useful. The other flags listed above follow the same conventions as
+B<Wireshark> and B<TShark>.
+
+B<Rawshark> expects input records with the following format. Note that this
+matches the pcap_pkthdr struct and packet data used in libpcap.
+
+struct rawshark_rec_s {
+    struct timeval ts;    /* Time stamp */
+    uint32_t caplen;      /* Length of the packet buffer */
+    uint32_t len;         /* "On the wire" length of the packet */
+    uint8_t *data;        /* Packet data */
+};
+
+=head1 OUTPUT
+
+If one or more fields are specified via the B<-F> flag, B<Rawshark> prints
+the number, field type, and display format for each field on the first line
+as "packet number" 0. For each record, the packet number, matching fields,
+and a "1" or "0" are printed to indicate if the field matched any supplied
+display filter. A "-" is used to signal the end of a field description and
+at the end of each packet line. For example, the flags B<-F ip.src -F
+dns.qry.type> might generate the following output:
+
+0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
+1 1="1" 0="192.168.77.10" 1 -
+2 1="1" 0="192.168.77.250" 1 -
+3 0="192.168.77.10" 1 -
+4 0="74.125.19.104" 1 -
+
+Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication
+that packets 1 and 2 didn't pass the filter:
+
+0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
+1 1="1" 0="192.168.77.10" 0 -
+2 1="1" 0="192.168.77.250" 0 -
+3 0="192.168.77.10" 1 -
+4 0="74.125.19.104" 1 -
+
+Also note that the output may be in any order, and that multiple matching
+fields might be displayed.
+
+=head1 OPTIONS
+
+=over 4
+
+=item -d  E<lt>encapsulationE<gt>
+
+Specify how the packet data should be dissected. The encapsulation is of the
+form I<type>B<:>I<value>, where I<type> is one of:
+
+B<encap>:I<name> Packet data should be dissected using the libpcap data
+link type I<name>, e.g. B<encap:EN10MB> for Ethernet.
+
+B<encap>:I<name> Packet data should be dissected using the libpcap data link
+type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted
+using pcap_datalink_name_to_val().
+
+B<encap>:I<number> Packet data should be dissected using the libpcap DLT
+I<number>, e.g. B<encap:105> for raw IEEE 802.11. A complete list of DLTs
+can be found in pcap-bpf.h in the libpcap sources.
+
+B<proto>:I<protocol> Packet data should be passed to the specified Wireshark
+protocol dissector, e.g. B<proto:http> for HTTP data.
+
+=item -F  E<lt>field to displayE<gt>
+
+Add the matching field to the output. Fields are any valid display filter
+field. More than one B<-F> flag may be specified, and each field can match
+multiple times in a given packet. A single field may be specified per B<-F>
+flag. If you want to apply a display filter, use the B<-R> flag.
+
+=item -h
+
+Print the version and options and exits.
+
+=item -l
+
+Flush the standard output after the information for each packet is
+printed.  (This is not, strictly speaking, line-buffered if B<-V>
+was specified; however, it is the same as line-buffered if B<-V> wasn't
+specified, as only one line is printed for each packet, and, as B<-l> is
+normally used when piping a live capture to a program or script, so that
+output for a packet shows up as soon as the packet is seen and
+dissected, it should work just as well as true line-buffering.  We do
+this as a workaround for a deficiency in the Microsoft Visual C++ C
+library.)
+
+This may be useful when piping the output of B<TShark> to another
+program, as it means that the program to which the output is piped will
+see the dissected data for a packet as soon as B<TShark> sees the
+packet and generates that output, rather than seeing it only when the
+standard output buffer containing that data fills up.
+
+=item -n
+
+Disable network object name resolution (such as hostname, TCP and UDP port
+names), the B<-N> flag might override this one.
+
+=item -N  E<lt>name resolving flagsE<gt>
+
+Turn on name resolving only for particular types of addresses and port
+numbers, with name resolving for other types of addresses and port
+numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
+present. If both B<-N> and B<-n> flags are not present, all name resolutions are
+turned on.
+
+The argument is a string that may contain the letters:
+
+B<m> to enable MAC address resolution
+
+B<n> to enable network address resolution
+
+B<t> to enable transport-layer port number resolution
+
+B<C> to enable concurrent (asynchronous) DNS lookups
+
+=item -o  E<lt>preferenceE<gt>:E<lt>valueE<gt>
+
+Set a preference value, overriding the default value and any value read
+from a preference file.  The argument to the option is a string of the
+form I<prefname>B<:>I<value>, where I<prefname> is the name of the
+preference (which is the same name that would appear in the preference
+file), and I<value> is the value to which it should be set.
+
+=item -r  E<lt>input file or pipeE<gt>
+
+Read packet data from I<input source>. It can be a regular file or pipe,
+and must be have the record format specified above.
+
+=item -R  E<lt>read (display) filterE<gt>
+
+Cause the specified filter (which uses the syntax of read/display filters,
+rather than that of capture filters) to be applied before printing the output. Packets not
+matching the filter are discarded rather than being printed or written.
+
+=item -s  E<lt>capture snaplenE<gt>
+
+Set the default snapshot length to use when capturing live data.
+No more than I<snaplen> bytes of each network packet will be read into
+memory, or saved to disk.
+
+=item -S
+
+Use the specified format string to print each field. The following formats
+are supported:
+
+=over 4
+
+B<%D> Field name or description, e.g. "Type" for dns.qry.type
+B<%N> Base 10 numeric value of the field.
+B<%S> String value of the field.
+
+=back
+
+For something similar to Wireshark's standard display ("Type: A (1)") you
+could use B<%D: %S (%N)>.
+
+=item -t  ad|a|r|d|e
+
+Set the format of the packet timestamp printed in summary lines, the default
+is relative. The format can be one of:
+
+B<ad> absolute with date: The absolute date and time is the actual time and
+date the packet was captured
+
+B<a> absolute: The absolute time is the actual time the packet was captured,
+with no date displayed
+
+B<r> relative: The relative time is the time elapsed between the first packet
+and the current packet
+
+B<d> delta: The delta time is the time since the previous packet was
+captured
+
+B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
+
+=item -v
+
+Print the version and exit.
+
+
+=back
+
+=head1 READ FILTER SYNTAX
+
+For a complete table of protocol and protocol fields that are filterable
+in B<TShark> see the wireshark-filter(4) manual page.
+
+=head1 FILES
+
+These files contains various B<Wireshark> configuration values.
+
+=over 4
+
+=item Preferences
+
+The F<preferences> files contain global (system-wide) and personal
+preference settings. If the system-wide preference file exists, it is
+read first, overriding the default settings. If the personal preferences
+file exists, it is read next, overriding any previous values. Note: If
+the command line option B<-o> is used (possibly more than once), it will
+in turn override values from the preferences files.
+
+The preferences settings are in the form I<prefname>B<:>I<value>,
+one per line,
+where I<prefname> is the name of the preference
+and I<value> is the value to
+which it should be set; white space is allowed between B<:> and
+I<value>.  A preference setting can be continued on subsequent lines by
+indenting the continuation lines with white space.  A B<#> character
+starts a comment that runs to the end of the line:
+
+  # Capture in promiscuous mode?
+  # TRUE or FALSE (case-insensitive).
+  capture.prom_mode: TRUE
+
+The global preferences file is looked for in the F<wireshark> directory
+under the F<share> subdirectory of the main installation directory (for
+example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible
+systems, and in the main installation directory (for example,
+F<C:\Program Files\Wireshark\preferences>) on Windows systems.
+
+The personal preferences file is looked for in
+F<$HOME/.wireshark/preferences> on
+UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
+%APPDATA% isn't defined, F<%USERPROFILE%\Application
+Data\Wireshark\preferences>) on Windows systems.
+
+=item Disabled (Enabled) Protocols
+
+The F<disabled_protos> files contain system-wide and personal lists of
+protocols that have been disabled, so that their dissectors are never
+called.  The files contain protocol names, one per line, where the
+protocol name is the same name that would be used in a display filter
+for the protocol:
+
+  http
+  tcp     # a comment
+
+The global F<disabled_protos> file uses the same directory as the global
+preferences file.
+
+The personal F<disabled_protos> file uses the same directory as the
+personal preferences file.
+
+=item Name Resolution (hosts)
+
+If the personal F<hosts> file exists, it is
+used to resolve IPv4 and IPv6 addresses before any other
+attempts are made to resolve them.  The file has the standard F<hosts>
+file syntax; each line contains one IP address and name, separated by
+whitespace. The same directory as for the personal preferences file is
+used.
+
+=item Name Resolution (ethers)
+
+The F<ethers> files are consulted to correlate 6-byte hardware addresses to
+names. First the personal F<ethers> file is tried and if an address is not
+found there the global F<ethers> file is tried next.
+
+Each line contains one hardware address and name, separated by
+whitespace.  The digits of the hardware address are separated by colons
+(:), dashes (-) or periods (.).  The same separator character must be
+used consistently in an address. The following three lines are valid
+lines of an F<ethers> file:
+
+  ff:ff:ff:ff:ff:ff          Broadcast
+  c0-00-ff-ff-ff-ff          TR_broadcast
+  00.00.00.00.00.00          Zero_broadcast
+
+The global F<ethers> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ethers> file is looked for in the same directory as the personal
+preferences file.
+
+=item Name Resolution (manuf)
+
+The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
+hardware address with the manufacturer's name; it can also contain well-known
+MAC addresses and address ranges specified with a netmask.  The format of the
+file is the same as the F<ethers> files, except that entries of the form:
+
+  00:00:0C      Cisco
+
+can be provided, with the 3-byte OUI and the name for a vendor, and
+entries such as:
+
+  00-00-0C-07-AC/40     All-HSRP-routers
+
+can be specified, with a MAC address and a mask indicating how many bits
+of the address must match. The above entry, for example, has 40
+significant bits, or 5 bytes, and would match addresses from
+00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
+multiple of 8.
+
+The F<manuf> file is looked for in the same directory as the global
+preferences file.
+
+=item Name Resolution (ipxnets)
+
+The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
+names. First the global F<ipxnets> file is tried and if that address is not
+found there the personal one is tried next.
+
+The format is the same as the F<ethers>
+file, except that each address is four bytes instead of six.
+Additionally, the address can be represented as a single hexadecimal
+number, as is more common in the IPX world, rather than four hex octets.
+For example, these four lines are valid lines of an F<ipxnets> file:
+
+  C0.A8.2C.00              HR
+  c0-a8-1c-00              CEO
+  00:00:BE:EF              IT_Server1
+  110f                     FileServer3
+
+The global F<ipxnets> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ipxnets> file is looked for in the same directory as the
+personal preferences file.
+
+=back
+
+=head1 SEE ALSO
+
+wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8),
+pcap(3), dumpcap(1), text2pcap(1)
+
+=head1 NOTES
+
+B<Rawshark> is part of the B<Wireshark> distribution. The latest version of
+B<Wireshark> can be found at L<http://www.wireshark.org>.
+
+HTML versions of the Wireshark project man pages are available at:
+L<http://www.wireshark.org/docs/man-pages>.
+
+=head1 AUTHORS
+
+B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as
+well as using many other modules from B<Wireshark>; see the list of authors
+in the B<Wireshark> man page for a list of authors of that code.
+
+=head1 NAME
+
+rawshark - Dump and analyze raw libpcap data
+
+=head1 SYNOPSYS
+
+B<rawshark>
+S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]>
+S<[ B<-F> E<lt>field to displayE<gt> ]>
+S<[ B<-h> ]>
+S<[ B<-l> ]>
+S<[ B<-n> ]>
+S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
+S<[ B<-o> E<lt>preference settingE<gt> ] ...>
+S<[ B<-r> E<lt>infile or pipeE<gt> ]>
+S<[ B<-R> E<lt>read (display) filterE<gt> ]>
+S<[ B<-S> E<lt>field formatE<gt> ]>
+S<[ B<-t> ad|a|r|d|e ]>
+S<[ B<-v> ]>
+
+=head1 DESCRIPTION
+
+B<Rawshark> reads a stream of packets from a file or pipe, and prints a line
+describing its output, followed by a set of matching fields for each packet
+on stdout.
+
+=head1 INPUT
+
+Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or
+input. The B<-d> and B<-r> flags must be specified in order for it to run.
+One or more B<-F> flags should be specified in order for the output to be
+useful. The other flags listed above follow the same conventions as
+B<Wireshark> and B<TShark>.
+
+B<Rawshark> expects input records with the following format. Note that this
+matches the pcap_pkthdr struct and packet data used in libpcap.
+
+struct rawshark_rec_s {
+    struct timeval ts;    /* Time stamp */
+    uint32_t caplen;      /* Length of the packet buffer */
+    uint32_t len;         /* "On the wire" length of the packet */
+    uint8_t *data;        /* Packet data */
+};
+
+=head1 OUTPUT
+
+If one or more fields are specified via the B<-F> flag, B<Rawshark> prints
+the number, field type, and display format for each field on the first line
+as "packet number" 0. For each record, the packet number, matching fields,
+and a "1" or "0" are printed to indicate if the field matched any supplied
+display filter. A "-" is used to signal the end of a field description and
+at the end of each packet line. For example, the flags B<-F ip.src -F
+dns.qry.type> might generate the following output:
+
+0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
+1 1="1" 0="192.168.77.10" 1 -
+2 1="1" 0="192.168.77.250" 1 -
+3 0="192.168.77.10" 1 -
+4 0="74.125.19.104" 1 -
+
+Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication
+that packets 1 and 2 didn't pass the filter:
+
+0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
+1 1="1" 0="192.168.77.10" 0 -
+2 1="1" 0="192.168.77.250" 0 -
+3 0="192.168.77.10" 1 -
+4 0="74.125.19.104" 1 -
+
+Also note that the output may be in any order, and that multiple matching
+fields might be displayed.
+
+=head1 OPTIONS
+
+=over 4
+
+=item -d  E<lt>encapsulationE<gt>
+
+Specify how the packet data should be dissected. The encapsulation is of the
+form I<type>B<:>I<value>, where I<type> is one of:
+
+B<encap>:I<name> Packet data should be dissected using the libpcap data
+link type I<name>, e.g. B<encap:EN10MB> for Ethernet.
+
+B<encap>:I<name> Packet data should be dissected using the libpcap data link
+type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted
+using pcap_datalink_name_to_val().
+
+B<encap>:I<number> Packet data should be dissected using the libpcap DLT
+I<number>, e.g. B<encap:105> for raw IEEE 802.11. A complete list of DLTs
+can be found in pcap-bpf.h in the libpcap sources.
+
+B<proto>:I<protocol> Packet data should be passed to the specified Wireshark
+protocol dissector, e.g. B<proto:http> for HTTP data.
+
+=item -F  E<lt>field to displayE<gt>
+
+Add the matching field to the output. Fields are any valid display filter
+field. More than one B<-F> flag may be specified, and each field can match
+multiple times in a given packet. A single field may be specified per B<-F>
+flag. If you want to apply a display filter, use the B<-R> flag.
+
+=item -h
+
+Print the version and options and exits.
+
+=item -l
+
+Flush the standard output after the information for each packet is
+printed.  (This is not, strictly speaking, line-buffered if B<-V>
+was specified; however, it is the same as line-buffered if B<-V> wasn't
+specified, as only one line is printed for each packet, and, as B<-l> is
+normally used when piping a live capture to a program or script, so that
+output for a packet shows up as soon as the packet is seen and
+dissected, it should work just as well as true line-buffering.  We do
+this as a workaround for a deficiency in the Microsoft Visual C++ C
+library.)
+
+This may be useful when piping the output of B<TShark> to another
+program, as it means that the program to which the output is piped will
+see the dissected data for a packet as soon as B<TShark> sees the
+packet and generates that output, rather than seeing it only when the
+standard output buffer containing that data fills up.
+
+=item -n
+
+Disable network object name resolution (such as hostname, TCP and UDP port
+names), the B<-N> flag might override this one.
+
+=item -N  E<lt>name resolving flagsE<gt>
+
+Turn on name resolving only for particular types of addresses and port
+numbers, with name resolving for other types of addresses and port
+numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
+present. If both B<-N> and B<-n> flags are not present, all name resolutions are
+turned on.
+
+The argument is a string that may contain the letters:
+
+B<m> to enable MAC address resolution
+
+B<n> to enable network address resolution
+
+B<t> to enable transport-layer port number resolution
+
+B<C> to enable concurrent (asynchronous) DNS lookups
+
+=item -o  E<lt>preferenceE<gt>:E<lt>valueE<gt>
+
+Set a preference value, overriding the default value and any value read
+from a preference file.  The argument to the option is a string of the
+form I<prefname>B<:>I<value>, where I<prefname> is the name of the
+preference (which is the same name that would appear in the preference
+file), and I<value> is the value to which it should be set.
+
+=item -r  E<lt>input file or pipeE<gt>
+
+Read packet data from I<input source>. It can be a regular file or pipe,
+and must be have the record format specified above.
+
+=item -R  E<lt>read (display) filterE<gt>
+
+Cause the specified filter (which uses the syntax of read/display filters,
+rather than that of capture filters) to be applied before printing the output. Packets not
+matching the filter are discarded rather than being printed or written.
+
+=item -s  E<lt>capture snaplenE<gt>
+
+Set the default snapshot length to use when capturing live data.
+No more than I<snaplen> bytes of each network packet will be read into
+memory, or saved to disk.
+
+=item -S
+
+Use the specified format string to print each field. The following formats
+are supported:
+
+=over 4
+
+B<%D> Field name or description, e.g. "Type" for dns.qry.type
+B<%N> Base 10 numeric value of the field.
+B<%S> String value of the field.
+
+=back
+
+For something similar to Wireshark's standard display ("Type: A (1)") you
+could use B<%D: %S (%N)>.
+
+=item -t  ad|a|r|d|e
+
+Set the format of the packet timestamp printed in summary lines, the default
+is relative. The format can be one of:
+
+B<ad> absolute with date: The absolute date and time is the actual time and
+date the packet was captured
+
+B<a> absolute: The absolute time is the actual time the packet was captured,
+with no date displayed
+
+B<r> relative: The relative time is the time elapsed between the first packet
+and the current packet
+
+B<d> delta: The delta time is the time since the previous packet was
+captured
+
+B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
+
+=item -v
+
+Print the version and exit.
+
+
+=back
+
+=head1 READ FILTER SYNTAX
+
+For a complete table of protocol and protocol fields that are filterable
+in B<TShark> see the wireshark-filter(4) manual page.
+
+=head1 FILES
+
+These files contains various B<Wireshark> configuration values.
+
+=over 4
+
+=item Preferences
+
+The F<preferences> files contain global (system-wide) and personal
+preference settings. If the system-wide preference file exists, it is
+read first, overriding the default settings. If the personal preferences
+file exists, it is read next, overriding any previous values. Note: If
+the command line option B<-o> is used (possibly more than once), it will
+in turn override values from the preferences files.
+
+The preferences settings are in the form I<prefname>B<:>I<value>,
+one per line,
+where I<prefname> is the name of the preference
+and I<value> is the value to
+which it should be set; white space is allowed between B<:> and
+I<value>.  A preference setting can be continued on subsequent lines by
+indenting the continuation lines with white space.  A B<#> character
+starts a comment that runs to the end of the line:
+
+  # Capture in promiscuous mode?
+  # TRUE or FALSE (case-insensitive).
+  capture.prom_mode: TRUE
+
+The global preferences file is looked for in the F<wireshark> directory
+under the F<share> subdirectory of the main installation directory (for
+example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible
+systems, and in the main installation directory (for example,
+F<C:\Program Files\Wireshark\preferences>) on Windows systems.
+
+The personal preferences file is looked for in
+F<$HOME/.wireshark/preferences> on
+UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
+%APPDATA% isn't defined, F<%USERPROFILE%\Application
+Data\Wireshark\preferences>) on Windows systems.
+
+=item Disabled (Enabled) Protocols
+
+The F<disabled_protos> files contain system-wide and personal lists of
+protocols that have been disabled, so that their dissectors are never
+called.  The files contain protocol names, one per line, where the
+protocol name is the same name that would be used in a display filter
+for the protocol:
+
+  http
+  tcp     # a comment
+
+The global F<disabled_protos> file uses the same directory as the global
+preferences file.
+
+The personal F<disabled_protos> file uses the same directory as the
+personal preferences file.
+
+=item Name Resolution (hosts)
+
+If the personal F<hosts> file exists, it is
+used to resolve IPv4 and IPv6 addresses before any other
+attempts are made to resolve them.  The file has the standard F<hosts>
+file syntax; each line contains one IP address and name, separated by
+whitespace. The same directory as for the personal preferences file is
+used.
+
+=item Name Resolution (ethers)
+
+The F<ethers> files are consulted to correlate 6-byte hardware addresses to
+names. First the personal F<ethers> file is tried and if an address is not
+found there the global F<ethers> file is tried next.
+
+Each line contains one hardware address and name, separated by
+whitespace.  The digits of the hardware address are separated by colons
+(:), dashes (-) or periods (.).  The same separator character must be
+used consistently in an address. The following three lines are valid
+lines of an F<ethers> file:
+
+  ff:ff:ff:ff:ff:ff          Broadcast
+  c0-00-ff-ff-ff-ff          TR_broadcast
+  00.00.00.00.00.00          Zero_broadcast
+
+The global F<ethers> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ethers> file is looked for in the same directory as the personal
+preferences file.
+
+=item Name Resolution (manuf)
+
+The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
+hardware address with the manufacturer's name; it can also contain well-known
+MAC addresses and address ranges specified with a netmask.  The format of the
+file is the same as the F<ethers> files, except that entries of the form:
+
+  00:00:0C      Cisco
+
+can be provided, with the 3-byte OUI and the name for a vendor, and
+entries such as:
+
+  00-00-0C-07-AC/40     All-HSRP-routers
+
+can be specified, with a MAC address and a mask indicating how many bits
+of the address must match. The above entry, for example, has 40
+significant bits, or 5 bytes, and would match addresses from
+00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
+multiple of 8.
+
+The F<manuf> file is looked for in the same directory as the global
+preferences file.
+
+=item Name Resolution (ipxnets)
+
+The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
+names. First the global F<ipxnets> file is tried and if that address is not
+found there the personal one is tried next.
+
+The format is the same as the F<ethers>
+file, except that each address is four bytes instead of six.
+Additionally, the address can be represented as a single hexadecimal
+number, as is more common in the IPX world, rather than four hex octets.
+For example, these four lines are valid lines of an F<ipxnets> file:
+
+  C0.A8.2C.00              HR
+  c0-a8-1c-00              CEO
+  00:00:BE:EF              IT_Server1
+  110f                     FileServer3
+
+The global F<ipxnets> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ipxnets> file is looked for in the same directory as the
+personal preferences file.
+
+=back
+
+=head1 SEE ALSO
+
+wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8),
+pcap(3), dumpcap(1), text2pcap(1)
+
+=head1 NOTES
+
+B<Rawshark> is part of the B<Wireshark> distribution. The latest version of
+B<Wireshark> can be found at L<http://www.wireshark.org>.
+
+HTML versions of the Wireshark project man pages are available at:
+L<http://www.wireshark.org/docs/man-pages>.
+
+=head1 AUTHORS
+
+B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as
+well as using many other modules from B<Wireshark>; see the list of authors
+in the B<Wireshark> man page for a list of authors of that code.
+
+=head1 NAME
+
+rawshark - Dump and analyze raw libpcap data
+
+=head1 SYNOPSYS
+
+B<rawshark>
+S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]>
+S<[ B<-F> E<lt>field to displayE<gt> ]>
+S<[ B<-h> ]>
+S<[ B<-l> ]>
+S<[ B<-n> ]>
+S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
+S<[ B<-o> E<lt>preference settingE<gt> ] ...>
+S<[ B<-r> E<lt>infile or pipeE<gt> ]>
+S<[ B<-R> E<lt>read (display) filterE<gt> ]>
+S<[ B<-S> E<lt>field formatE<gt> ]>
+S<[ B<-t> ad|a|r|d|e ]>
+S<[ B<-v> ]>
+
+=head1 DESCRIPTION
+
+B<Rawshark> reads a stream of packets from a file or pipe, and prints a line
+describing its output, followed by a set of matching fields for each packet
+on stdout.
+
+=head1 INPUT
+
+Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or
+input. The B<-d> and B<-r> flags must be specified in order for it to run.
+One or more B<-F> flags should be specified in order for the output to be
+useful. The other flags listed above follow the same conventions as
+B<Wireshark> and B<TShark>.
+
+B<Rawshark> expects input records with the following format. Note that this
+matches the pcap_pkthdr struct and packet data used in libpcap.
+
+struct rawshark_rec_s {
+    struct timeval ts;    /* Time stamp */
+    uint32_t caplen;      /* Length of the packet buffer */
+    uint32_t len;         /* "On the wire" length of the packet */
+    uint8_t *data;        /* Packet data */
+};
+
+=head1 OUTPUT
+
+If one or more fields are specified via the B<-F> flag, B<Rawshark> prints
+the number, field type, and display format for each field on the first line
+as "packet number" 0. For each record, the packet number, matching fields,
+and a "1" or "0" are printed to indicate if the field matched any supplied
+display filter. A "-" is used to signal the end of a field description and
+at the end of each packet line. For example, the flags B<-F ip.src -F
+dns.qry.type> might generate the following output:
+
+0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
+1 1="1" 0="192.168.77.10" 1 -
+2 1="1" 0="192.168.77.250" 1 -
+3 0="192.168.77.10" 1 -
+4 0="74.125.19.104" 1 -
+
+Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication
+that packets 1 and 2 didn't pass the filter:
+
+0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
+1 1="1" 0="192.168.77.10" 0 -
+2 1="1" 0="192.168.77.250" 0 -
+3 0="192.168.77.10" 1 -
+4 0="74.125.19.104" 1 -
+
+Also note that the output may be in any order, and that multiple matching
+fields might be displayed.
+
+=head1 OPTIONS
+
+=over 4
+
+=item -d  E<lt>encapsulationE<gt>
+
+Specify how the packet data should be dissected. The encapsulation is of the
+form I<type>B<:>I<value>, where I<type> is one of:
+
+B<encap>:I<name> Packet data should be dissected using the libpcap data
+link type I<name>, e.g. B<encap:EN10MB> for Ethernet.
+
+B<encap>:I<name> Packet data should be dissected using the libpcap data link
+type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted
+using pcap_datalink_name_to_val().
+
+B<encap>:I<number> Packet data should be dissected using the libpcap DLT
+I<number>, e.g. B<encap:105> for raw IEEE 802.11. A complete list of DLTs
+can be found in pcap-bpf.h in the libpcap sources.
+
+B<proto>:I<protocol> Packet data should be passed to the specified Wireshark
+protocol dissector, e.g. B<proto:http> for HTTP data.
+
+=item -F  E<lt>field to displayE<gt>
+
+Add the matching field to the output. Fields are any valid display filter
+field. More than one B<-F> flag may be specified, and each field can match
+multiple times in a given packet. A single field may be specified per B<-F>
+flag. If you want to apply a display filter, use the B<-R> flag.
+
+=item -h
+
+Print the version and options and exits.
+
+=item -l
+
+Flush the standard output after the information for each packet is
+printed.  (This is not, strictly speaking, line-buffered if B<-V>
+was specified; however, it is the same as line-buffered if B<-V> wasn't
+specified, as only one line is printed for each packet, and, as B<-l> is
+normally used when piping a live capture to a program or script, so that
+output for a packet shows up as soon as the packet is seen and
+dissected, it should work just as well as true line-buffering.  We do
+this as a workaround for a deficiency in the Microsoft Visual C++ C
+library.)
+
+This may be useful when piping the output of B<TShark> to another
+program, as it means that the program to which the output is piped will
+see the dissected data for a packet as soon as B<TShark> sees the
+packet and generates that output, rather than seeing it only when the
+standard output buffer containing that data fills up.
+
+=item -n
+
+Disable network object name resolution (such as hostname, TCP and UDP port
+names), the B<-N> flag might override this one.
+
+=item -N  E<lt>name resolving flagsE<gt>
+
+Turn on name resolving only for particular types of addresses and port
+numbers, with name resolving for other types of addresses and port
+numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
+present. If both B<-N> and B<-n> flags are not present, all name resolutions are
+turned on.
+
+The argument is a string that may contain the letters:
+
+B<m> to enable MAC address resolution
+
+B<n> to enable network address resolution
+
+B<t> to enable transport-layer port number resolution
+
+B<C> to enable concurrent (asynchronous) DNS lookups
+
+=item -o  E<lt>preferenceE<gt>:E<lt>valueE<gt>
+
+Set a preference value, overriding the default value and any value read
+from a preference file.  The argument to the option is a string of the
+form I<prefname>B<:>I<value>, where I<prefname> is the name of the
+preference (which is the same name that would appear in the preference
+file), and I<value> is the value to which it should be set.
+
+=item -r  E<lt>input file or pipeE<gt>
+
+Read packet data from I<input source>. It can be a regular file or pipe,
+and must be have the record format specified above.
+
+=item -R  E<lt>read (display) filterE<gt>
+
+Cause the specified filter (which uses the syntax of read/display filters,
+rather than that of capture filters) to be applied before printing the output. Packets not
+matching the filter are discarded rather than being printed or written.
+
+=item -s  E<lt>capture snaplenE<gt>
+
+Set the default snapshot length to use when capturing live data.
+No more than I<snaplen> bytes of each network packet will be read into
+memory, or saved to disk.
+
+=item -S
+
+Use the specified format string to print each field. The following formats
+are supported:
+
+=over 4
+
+B<%D> Field name or description, e.g. "Type" for dns.qry.type
+B<%N> Base 10 numeric value of the field.
+B<%S> String value of the field.
+
+=back
+
+For something similar to Wireshark's standard display ("Type: A (1)") you
+could use B<%D: %S (%N)>.
+
+=item -t  ad|a|r|d|e
+
+Set the format of the packet timestamp printed in summary lines, the default
+is relative. The format can be one of:
+
+B<ad> absolute with date: The absolute date and time is the actual time and
+date the packet was captured
+
+B<a> absolute: The absolute time is the actual time the packet was captured,
+with no date displayed
+
+B<r> relative: The relative time is the time elapsed between the first packet
+and the current packet
+
+B<d> delta: The delta time is the time since the previous packet was
+captured
+
+B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
+
+=item -v
+
+Print the version and exit.
+
+
+=back
+
+=head1 READ FILTER SYNTAX
+
+For a complete table of protocol and protocol fields that are filterable
+in B<TShark> see the wireshark-filter(4) manual page.
+
+=head1 FILES
+
+These files contains various B<Wireshark> configuration values.
+
+=over 4
+
+=item Preferences
+
+The F<preferences> files contain global (system-wide) and personal
+preference settings. If the system-wide preference file exists, it is
+read first, overriding the default settings. If the personal preferences
+file exists, it is read next, overriding any previous values. Note: If
+the command line option B<-o> is used (possibly more than once), it will
+in turn override values from the preferences files.
+
+The preferences settings are in the form I<prefname>B<:>I<value>,
+one per line,
+where I<prefname> is the name of the preference
+and I<value> is the value to
+which it should be set; white space is allowed between B<:> and
+I<value>.  A preference setting can be continued on subsequent lines by
+indenting the continuation lines with white space.  A B<#> character
+starts a comment that runs to the end of the line:
+
+  # Capture in promiscuous mode?
+  # TRUE or FALSE (case-insensitive).
+  capture.prom_mode: TRUE
+
+The global preferences file is looked for in the F<wireshark> directory
+under the F<share> subdirectory of the main installation directory (for
+example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible
+systems, and in the main installation directory (for example,
+F<C:\Program Files\Wireshark\preferences>) on Windows systems.
+
+The personal preferences file is looked for in
+F<$HOME/.wireshark/preferences> on
+UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
+%APPDATA% isn't defined, F<%USERPROFILE%\Application
+Data\Wireshark\preferences>) on Windows systems.
+
+=item Disabled (Enabled) Protocols
+
+The F<disabled_protos> files contain system-wide and personal lists of
+protocols that have been disabled, so that their dissectors are never
+called.  The files contain protocol names, one per line, where the
+protocol name is the same name that would be used in a display filter
+for the protocol:
+
+  http
+  tcp     # a comment
+
+The global F<disabled_protos> file uses the same directory as the global
+preferences file.
+
+The personal F<disabled_protos> file uses the same directory as the
+personal preferences file.
+
+=item Name Resolution (hosts)
+
+If the personal F<hosts> file exists, it is
+used to resolve IPv4 and IPv6 addresses before any other
+attempts are made to resolve them.  The file has the standard F<hosts>
+file syntax; each line contains one IP address and name, separated by
+whitespace. The same directory as for the personal preferences file is
+used.
+
+=item Name Resolution (ethers)
+
+The F<ethers> files are consulted to correlate 6-byte hardware addresses to
+names. First the personal F<ethers> file is tried and if an address is not
+found there the global F<ethers> file is tried next.
+
+Each line contains one hardware address and name, separated by
+whitespace.  The digits of the hardware address are separated by colons
+(:), dashes (-) or periods (.).  The same separator character must be
+used consistently in an address. The following three lines are valid
+lines of an F<ethers> file:
+
+  ff:ff:ff:ff:ff:ff          Broadcast
+  c0-00-ff-ff-ff-ff          TR_broadcast
+  00.00.00.00.00.00          Zero_broadcast
+
+The global F<ethers> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ethers> file is looked for in the same directory as the personal
+preferences file.
+
+=item Name Resolution (manuf)
+
+The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
+hardware address with the manufacturer's name; it can also contain well-known
+MAC addresses and address ranges specified with a netmask.  The format of the
+file is the same as the F<ethers> files, except that entries of the form:
+
+  00:00:0C      Cisco
+
+can be provided, with the 3-byte OUI and the name for a vendor, and
+entries such as:
+
+  00-00-0C-07-AC/40     All-HSRP-routers
+
+can be specified, with a MAC address and a mask indicating how many bits
+of the address must match. The above entry, for example, has 40
+significant bits, or 5 bytes, and would match addresses from
+00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
+multiple of 8.
+
+The F<manuf> file is looked for in the same directory as the global
+preferences file.
+
+=item Name Resolution (ipxnets)
+
+The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
+names. First the global F<ipxnets> file is tried and if that address is not
+found there the personal one is tried next.
+
+The format is the same as the F<ethers>
+file, except that each address is four bytes instead of six.
+Additionally, the address can be represented as a single hexadecimal
+number, as is more common in the IPX world, rather than four hex octets.
+For example, these four lines are valid lines of an F<ipxnets> file:
+
+  C0.A8.2C.00              HR
+  c0-a8-1c-00              CEO
+  00:00:BE:EF              IT_Server1
+  110f                     FileServer3
+
+The global F<ipxnets> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ipxnets> file is looked for in the same directory as the
+personal preferences file.
+
+=back
+
+=head1 SEE ALSO
+
+wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8),
+pcap(3), dumpcap(1), text2pcap(1)
+
+=head1 NOTES
+
+B<Rawshark> is part of the B<Wireshark> distribution. The latest version of
+B<Wireshark> can be found at L<http://www.wireshark.org>.
+
+HTML versions of the Wireshark project man pages are available at:
+L<http://www.wireshark.org/docs/man-pages>.
+
+=head1 AUTHORS
+
+B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as
+well as using many other modules from B<Wireshark>; see the list of authors
+in the B<Wireshark> man page for a list of authors of that code.
+
+=head1 NAME
+
+rawshark - Dump and analyze raw libpcap data
+
+=head1 SYNOPSYS
+
+B<rawshark>
+S<[ B<-d> E<lt>encap:dltE<gt>|E<lt>proto:protonameE<gt> ]>
+S<[ B<-F> E<lt>field to displayE<gt> ]>
+S<[ B<-h> ]>
+S<[ B<-l> ]>
+S<[ B<-n> ]>
+S<[ B<-N> E<lt>name resolving flagsE<gt> ]>
+S<[ B<-o> E<lt>preference settingE<gt> ] ...>
+S<[ B<-r> E<lt>infile or pipeE<gt> ]>
+S<[ B<-R> E<lt>read (display) filterE<gt> ]>
+S<[ B<-S> E<lt>field formatE<gt> ]>
+S<[ B<-t> ad|a|r|d|e ]>
+S<[ B<-v> ]>
+
+=head1 DESCRIPTION
+
+B<Rawshark> reads a stream of packets from a file or pipe, and prints a line
+describing its output, followed by a set of matching fields for each packet
+on stdout.
+
+=head1 INPUT
+
+Unlike B<TShark>, B<Rawshark> makes no assumptions about encapsulation or
+input. The B<-d> and B<-r> flags must be specified in order for it to run.
+One or more B<-F> flags should be specified in order for the output to be
+useful. The other flags listed above follow the same conventions as
+B<Wireshark> and B<TShark>.
+
+B<Rawshark> expects input records with the following format. Note that this
+matches the pcap_pkthdr struct and packet data used in libpcap.
+
+struct rawshark_rec_s {
+    struct timeval ts;    /* Time stamp */
+    uint32_t caplen;      /* Length of the packet buffer */
+    uint32_t len;         /* "On the wire" length of the packet */
+    uint8_t *data;        /* Packet data */
+};
+
+=head1 OUTPUT
+
+If one or more fields are specified via the B<-F> flag, B<Rawshark> prints
+the number, field type, and display format for each field on the first line
+as "packet number" 0. For each record, the packet number, matching fields,
+and a "1" or "0" are printed to indicate if the field matched any supplied
+display filter. A "-" is used to signal the end of a field description and
+at the end of each packet line. For example, the flags B<-F ip.src -F
+dns.qry.type> might generate the following output:
+
+0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
+1 1="1" 0="192.168.77.10" 1 -
+2 1="1" 0="192.168.77.250" 1 -
+3 0="192.168.77.10" 1 -
+4 0="74.125.19.104" 1 -
+
+Note that packets 1 and 2 are DNS queries, and 3 and 4 are not. Adding B<-R "not dns"> still prints each line, but there's an indication
+that packets 1 and 2 didn't pass the filter:
+
+0 FT_IPv4 BASE_NONE - 1 FT_UINT16 BASE_HEX -
+1 1="1" 0="192.168.77.10" 0 -
+2 1="1" 0="192.168.77.250" 0 -
+3 0="192.168.77.10" 1 -
+4 0="74.125.19.104" 1 -
+
+Also note that the output may be in any order, and that multiple matching
+fields might be displayed.
+
+=head1 OPTIONS
+
+=over 4
+
+=item -d  E<lt>encapsulationE<gt>
+
+Specify how the packet data should be dissected. The encapsulation is of the
+form I<type>B<:>I<value>, where I<type> is one of:
+
+B<encap>:I<name> Packet data should be dissected using the libpcap data
+link type I<name>, e.g. B<encap:EN10MB> for Ethernet.
+
+B<encap>:I<name> Packet data should be dissected using the libpcap data link
+type (DLT) I<name>, e.g. B<encap:EN10MB> for Ethernet. Names are converted
+using pcap_datalink_name_to_val().
+
+B<encap>:I<number> Packet data should be dissected using the libpcap DLT
+I<number>, e.g. B<encap:105> for raw IEEE 802.11. A complete list of DLTs
+can be found in pcap-bpf.h in the libpcap sources.
+
+B<proto>:I<protocol> Packet data should be passed to the specified Wireshark
+protocol dissector, e.g. B<proto:http> for HTTP data.
+
+=item -F  E<lt>field to displayE<gt>
+
+Add the matching field to the output. Fields are any valid display filter
+field. More than one B<-F> flag may be specified, and each field can match
+multiple times in a given packet. A single field may be specified per B<-F>
+flag. If you want to apply a display filter, use the B<-R> flag.
+
+=item -h
+
+Print the version and options and exits.
+
+=item -l
+
+Flush the standard output after the information for each packet is
+printed.  (This is not, strictly speaking, line-buffered if B<-V>
+was specified; however, it is the same as line-buffered if B<-V> wasn't
+specified, as only one line is printed for each packet, and, as B<-l> is
+normally used when piping a live capture to a program or script, so that
+output for a packet shows up as soon as the packet is seen and
+dissected, it should work just as well as true line-buffering.  We do
+this as a workaround for a deficiency in the Microsoft Visual C++ C
+library.)
+
+This may be useful when piping the output of B<TShark> to another
+program, as it means that the program to which the output is piped will
+see the dissected data for a packet as soon as B<TShark> sees the
+packet and generates that output, rather than seeing it only when the
+standard output buffer containing that data fills up.
+
+=item -n
+
+Disable network object name resolution (such as hostname, TCP and UDP port
+names), the B<-N> flag might override this one.
+
+=item -N  E<lt>name resolving flagsE<gt>
+
+Turn on name resolving only for particular types of addresses and port
+numbers, with name resolving for other types of addresses and port
+numbers turned off. This flag overrides B<-n> if both B<-N> and B<-n> are
+present. If both B<-N> and B<-n> flags are not present, all name resolutions are
+turned on.
+
+The argument is a string that may contain the letters:
+
+B<m> to enable MAC address resolution
+
+B<n> to enable network address resolution
+
+B<t> to enable transport-layer port number resolution
+
+B<C> to enable concurrent (asynchronous) DNS lookups
+
+=item -o  E<lt>preferenceE<gt>:E<lt>valueE<gt>
+
+Set a preference value, overriding the default value and any value read
+from a preference file.  The argument to the option is a string of the
+form I<prefname>B<:>I<value>, where I<prefname> is the name of the
+preference (which is the same name that would appear in the preference
+file), and I<value> is the value to which it should be set.
+
+=item -r  E<lt>input file or pipeE<gt>
+
+Read packet data from I<input source>. It can be a regular file or pipe,
+and must be have the record format specified above.
+
+=item -R  E<lt>read (display) filterE<gt>
+
+Cause the specified filter (which uses the syntax of read/display filters,
+rather than that of capture filters) to be applied before printing the output. Packets not
+matching the filter are discarded rather than being printed or written.
+
+=item -s  E<lt>capture snaplenE<gt>
+
+Set the default snapshot length to use when capturing live data.
+No more than I<snaplen> bytes of each network packet will be read into
+memory, or saved to disk.
+
+=item -S
+
+Use the specified format string to print each field. The following formats
+are supported:
+
+=over 4
+
+B<%D> Field name or description, e.g. "Type" for dns.qry.type
+B<%N> Base 10 numeric value of the field.
+B<%S> String value of the field.
+
+=back
+
+For something similar to Wireshark's standard display ("Type: A (1)") you
+could use B<%D: %S (%N)>.
+
+=item -t  ad|a|r|d|e
+
+Set the format of the packet timestamp printed in summary lines, the default
+is relative. The format can be one of:
+
+B<ad> absolute with date: The absolute date and time is the actual time and
+date the packet was captured
+
+B<a> absolute: The absolute time is the actual time the packet was captured,
+with no date displayed
+
+B<r> relative: The relative time is the time elapsed between the first packet
+and the current packet
+
+B<d> delta: The delta time is the time since the previous packet was
+captured
+
+B<e> epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
+
+=item -v
+
+Print the version and exit.
+
+
+=back
+
+=head1 READ FILTER SYNTAX
+
+For a complete table of protocol and protocol fields that are filterable
+in B<TShark> see the wireshark-filter(4) manual page.
+
+=head1 FILES
+
+These files contains various B<Wireshark> configuration values.
+
+=over 4
+
+=item Preferences
+
+The F<preferences> files contain global (system-wide) and personal
+preference settings. If the system-wide preference file exists, it is
+read first, overriding the default settings. If the personal preferences
+file exists, it is read next, overriding any previous values. Note: If
+the command line option B<-o> is used (possibly more than once), it will
+in turn override values from the preferences files.
+
+The preferences settings are in the form I<prefname>B<:>I<value>,
+one per line,
+where I<prefname> is the name of the preference
+and I<value> is the value to
+which it should be set; white space is allowed between B<:> and
+I<value>.  A preference setting can be continued on subsequent lines by
+indenting the continuation lines with white space.  A B<#> character
+starts a comment that runs to the end of the line:
+
+  # Capture in promiscuous mode?
+  # TRUE or FALSE (case-insensitive).
+  capture.prom_mode: TRUE
+
+The global preferences file is looked for in the F<wireshark> directory
+under the F<share> subdirectory of the main installation directory (for
+example, F</usr/local/share/wireshark/preferences>) on UNIX-compatible
+systems, and in the main installation directory (for example,
+F<C:\Program Files\Wireshark\preferences>) on Windows systems.
+
+The personal preferences file is looked for in
+F<$HOME/.wireshark/preferences> on
+UNIX-compatible systems and F<%APPDATA%\Wireshark\preferences> (or, if
+%APPDATA% isn't defined, F<%USERPROFILE%\Application
+Data\Wireshark\preferences>) on Windows systems.
+
+=item Disabled (Enabled) Protocols
+
+The F<disabled_protos> files contain system-wide and personal lists of
+protocols that have been disabled, so that their dissectors are never
+called.  The files contain protocol names, one per line, where the
+protocol name is the same name that would be used in a display filter
+for the protocol:
+
+  http
+  tcp     # a comment
+
+The global F<disabled_protos> file uses the same directory as the global
+preferences file.
+
+The personal F<disabled_protos> file uses the same directory as the
+personal preferences file.
+
+=item Name Resolution (hosts)
+
+If the personal F<hosts> file exists, it is
+used to resolve IPv4 and IPv6 addresses before any other
+attempts are made to resolve them.  The file has the standard F<hosts>
+file syntax; each line contains one IP address and name, separated by
+whitespace. The same directory as for the personal preferences file is
+used.
+
+=item Name Resolution (ethers)
+
+The F<ethers> files are consulted to correlate 6-byte hardware addresses to
+names. First the personal F<ethers> file is tried and if an address is not
+found there the global F<ethers> file is tried next.
+
+Each line contains one hardware address and name, separated by
+whitespace.  The digits of the hardware address are separated by colons
+(:), dashes (-) or periods (.).  The same separator character must be
+used consistently in an address. The following three lines are valid
+lines of an F<ethers> file:
+
+  ff:ff:ff:ff:ff:ff          Broadcast
+  c0-00-ff-ff-ff-ff          TR_broadcast
+  00.00.00.00.00.00          Zero_broadcast
+
+The global F<ethers> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ethers> file is looked for in the same directory as the personal
+preferences file.
+
+=item Name Resolution (manuf)
+
+The F<manuf> file is used to match the 3-byte vendor portion of a 6-byte
+hardware address with the manufacturer's name; it can also contain well-known
+MAC addresses and address ranges specified with a netmask.  The format of the
+file is the same as the F<ethers> files, except that entries of the form:
+
+  00:00:0C      Cisco
+
+can be provided, with the 3-byte OUI and the name for a vendor, and
+entries such as:
+
+  00-00-0C-07-AC/40     All-HSRP-routers
+
+can be specified, with a MAC address and a mask indicating how many bits
+of the address must match. The above entry, for example, has 40
+significant bits, or 5 bytes, and would match addresses from
+00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
+multiple of 8.
+
+The F<manuf> file is looked for in the same directory as the global
+preferences file.
+
+=item Name Resolution (ipxnets)
+
+The F<ipxnets> files are used to correlate 4-byte IPX network numbers to
+names. First the global F<ipxnets> file is tried and if that address is not
+found there the personal one is tried next.
+
+The format is the same as the F<ethers>
+file, except that each address is four bytes instead of six.
+Additionally, the address can be represented as a single hexadecimal
+number, as is more common in the IPX world, rather than four hex octets.
+For example, these four lines are valid lines of an F<ipxnets> file:
+
+  C0.A8.2C.00              HR
+  c0-a8-1c-00              CEO
+  00:00:BE:EF              IT_Server1
+  110f                     FileServer3
+
+The global F<ipxnets> file is looked for in the F</etc> directory on
+UNIX-compatible systems, and in the main installation directory (for
+example, F<C:\Program Files\Wireshark>) on Windows systems.
+
+The personal F<ipxnets> file is looked for in the same directory as the
+personal preferences file.
+
+=back
+
+=head1 SEE ALSO
+
+wireshark-filter(4), wireshark(1), tshark(1), editcap(1), tcpdump(8),
+pcap(3), dumpcap(1), text2pcap(1)
+
+=head1 NOTES
+
+B<Rawshark> is part of the B<Wireshark> distribution. The latest version of
+B<Wireshark> can be found at L<http://www.wireshark.org>.
+
+HTML versions of the Wireshark project man pages are available at:
+L<http://www.wireshark.org/docs/man-pages>.
+
+=head1 AUTHORS
+
+B<Rawshark> uses the same packet dissection code that B<Wireshark> does, as
+well as using many other modules from B<Wireshark>; see the list of authors
+in the B<Wireshark> man page for a list of authors of that code.