SNIFF - A simple ethernet monitor
---------------------------------
SNIFF is a simple monitor for ethernet packets. SNIFF allows you to capture
and view packets occurring on a 10mbps ethernet, and to employ both hardware
and software filters to control which packets are monitored. SNIFF is *NOT*
a "protocol monitor", it does not know about or decode TCP/IP or any other
network protocol. The content of the network packets are shown in standard
HEX/ASCII dump format, and it is up to you (the user) to know the meaning
of the displayed data.

SNIFF interfaces to the ethernet card via a standard DOS packet driver, this
driver must be supplied by your ethernet card manufacturer, and is included
with most cards. See your network card documentation and software.

Packet drivers for a large assortment of ethernet cards are also available
from:
    Crynwr Software    11 Grant St.    Potsdam, NY 13676
This collection is available on SIMTEL and other software archive sites
under the filenames: PKTD*.ZIP (or whatever archive format is used)

You can also try the originators of the packet driver specification:
    FTP Software, Inc.   26 Princess St.   Wakefield, MA  01880-3004
    (617) 246-0900
for more information.



RUNNING SNIFF
-------------
Install the packet driver for your network card in accordance with the
card documentation. If possible, use the standard packet driver software
interrupt of 60 hex (0x60)... If you use a different interrupt, you will
have to specify the interrupt to SNIFF via a command line switch every
time you start it.

Start SNIFF running by typing SNIFF at the DOS command prompt. The following
command line options are available:

  F=filename    - Write packets to file
    When this option is used, all monitored packets are written to a file,
    which can be viewed using the included SNIFFR program, or processed by
    another program (See later in this document for information of the file
    format).

  I=xx          - Specify packet driver interrupt
    This option allows you to specify the software interrupt on which the
    packet driver has been installed. If not specified, SNIFF assumes the
    value of 60 hex (0x60) which is the standard packet driver interrupt.

  M=n           - Specify the packet driver reception mode
    This controls the packet driver and ethernet hardware, and can be
    used to filter out some types of packets.. for most applications,
    you will want to use '6' which means 'all' packets. Values are:
        1 - Monitor NO packets (receiver off)
        2 - Monitor normal packets to our ethernet address only
        3 - Our packets + broadcast packets
        4 - Our packets + broadcast + limited multicast packets
        5 - Our packets + broadcast + all multicast packets
        6 - All packets

  S=xxxx        - Specify the packet type to send
    SNIFF supports diagnostic functions where it can send test packets to
    other ethernet addresses ... This parameter specifies the packet type
    to insert in these packets.

  T=xxxx        - Specify packet type to monitor
    This defines the packet type (16 bit hex number) that SNIFF will
    monitor. If not specified, SNIFF monitors all packet types.

  /M            - Force monochrome screen
    Causes SNIFF to use a monochrome screen color scheme... Useful if you
    have a screen which does not support color bur is reported by the
    system as a color screen.



USING SNIFF
-----------
Once SNIFF starts up and displays it's main screen, you will see monitored
packets showing on the screen in the following format:

[q] size To:aa.aa.aa.aa.aa.aa Fr:aa.aa.aa.aa.aa.aa Type:xxxx
0000  dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd  ccccccccccccccc
... Mode data may follow ...

q = SNIFF queue position (0-31) ... not terribly useful except as a
    running counter on the screen to let you quickly see how many packets
    are spanning a visible range.

size = the size of the packet in bytes (including the 14 byte header)

aa = Ethernet to/from address, each address is a series of 6 HEX bytes.

xxxx = Packet type (16 bit word - 2 hex bytes)

0000 = Dump line address ... Depending on the size of the packet and the
    configuration of SNIFF, there may be a variable number of lines in
    the ASCII dump (including 0 lines).

dd  = Hex data bytes shown in the ASCII dump

ccc.. = ASCII character representations of the 'dd' data bytes.



Along the bottom of the screen, SNIFF will display the following information:

total shown Addr:n +/-Dump:n <>mode:6 0-9send:n C/E/M/R/T/ESC

total = Total number of packets seen by SNIFF on the ethernet interface
    (wraps back to 0 after 65535)

shown = Total number of packets which have been displayed by SNIFF
    (trigger matches)

Addr: = Number of ethernet addresses collected by SNIFF (0-10)

+/-dump: = Maximum number of HEX/ASCII dump lines currently configured

<>mode: = Current capture mode (same as M= command line option)

0-9send: = Number of packets send via 0-9 and 'M'

C/E/M/R/T/ESC = Reminder of other commands



The following commands may be entered on the keyboard while SNIFF is
running:

A = Show current address list
    Every time SNIFF displays a packet that has an address it has not
    seen before, it will "capture" the address into it's address list.
    Up to 10 addresses can be so captured.

C = Clear the screen

D = Dump entire packet
    Displays the content of the entire last packet received in HEX/ASCII
    dump notation... useful when you have configured SNIFF to only display
    1-2 lines of the packet, but need to see all of some, or when you want
    to see the packet header data in the dump output.

E = Erase address list
    Causes SNIFF to forget all of the addresses in it's address list and
    to begin collection a new one.

M = Send multicast packet
    Sends a multicast packet (address: FF.FF.FF.FF.FF.FF) with ASCII text
    indicating the packet number ("This is packet 0-65535 ..."). Mainly a
    diagnostic tool to transmit our address to other copies of SNIFF.

R = Resets the 'total' 'shown' and '0-9send:' counters to 0.

T = Enters the trigger setup screen for filtering the packets captured.
    See later in this document for more information.

+/- = Set the number of lines displayed in the HEX/ASCII dump portion of
    the packet display... Useful to limit the display of large packets
    when you only need to see specific values near the beginning (common).

<> = Switch between the available capture modes (same as M= parameter)
    This is one place where Mode 1 (No packets) is useful ... to stop
    receiving packets while you stuffy something on the screen!

0-9 = Send a packet to the corresponding (0-9) ethernet address from the
    current address list. Packet is sent with type specified by S= option,
    and contains "This is packet n ..." where n is the total number of
    packets which have been sent so far.



TRIGGERING
----------
One of the most powerful features of SNIFF is it's ability to filter out
traffic you do not want to see by "triggering" on byte or bit patterns
within the packets.

To set triggering, press 'T' at the SNIFF main screen. This will open up
the triggering panel.

When the triggering panel opens, you will see 50 byte entries, which
represent the packet:

  Size (2 entries) **NOTE
  To address (6 entries)
  From address (6 entries)
  Type (2 entries)
  Data (34 entries)

**NOTE that the Size entries represent a 16 bit quantity (the size of
the packet, and it occurs in LITTLE ENDIAN ordering (the low byte is
at position 1, and the high byte is at position 2) ... Also note that
the Size is not actually part in the packet, and therefore DOES NOT
include the two bytes for the size, but DOES include the packet header
(to/from/type)... Ie: a given size value will be the number of data bytes
in the packet +14 (6 + 6 + 2).

Each entry can be configured to one of three possible states:

 - Don't Care           - Always match this byte
 - nnnnnnnn (xx) [c]    - Entire byte must match exactly
   nnn...=Bit pattern  xx=Hex value   x=ASCII value
 - bbbbbbbb             - 1/0 bits must match, ignore x (don't care) bits

You can position the cursor to any entry with the Up/Down/Right/Left/Home
or End keys. When positioned on an entry, you may change it's state with:
  F1  = Set this entry to "Don't care"
  0-F = Enter HEX value for exact match
  Space/Backspace = Begin editing bit pattern for 1/0/x bit match
    - Press '1' to match only 1 bits in this position
    - Press '0' to match only 0 bits in this position
    - Press 'x' to match any bit in this position
    - Press SPACE to advance to next bit with no change
    - Press BACKSPACE to backup to previous bit

The default state of all entries is "Don't care", which means that SNIFF
will match any packets received of the selected mode and type (See M= and
T= options). You may modify the entries to cause SNIFF to accept only
packets which have bytes/bits which match the entries in the positions that
you have selected.

SNIFF also supports "FALSE" logic triggering:

Under TRUE (normal) logic, SNIFF accepts any packets which match the trigger
conditions. Use this to view packets containing a specific command sequence
etc.

Under FALSE logic, SNIFF accepts only packets which DO NOT meet the trigger
conditions... Use this to ignore packets containing a specific command
sequence etc.

The F2 key toggles the triggering mode between TRUE and FALSE.



PACKET FORMAT
-------------
SNIFF monitors standard DIX (Dec/Intel/Xerox) ethernet and IEEE 802.2/3
packets, which are formatted as follows:

    To address (6 bytes)
    From address (6 bytes)
    DIX: Packet type (2 byte)  IEEE 802.2/3: Length (2 bytes)
    Packet data (variable length)

The "To address" is the 6 byte ethernet address of the receiving station.
If the high bit is set on this address, it is taken as a "Multicast" address,
and received by all stations ** Each station can use a bit mask to filter
multicast packets, by requiring that the multicast address have a bit set
which matches the filter. Unless you need to differentiate multicasts to
various stations, common practice is to send the address as all FF's, and
to set your receive mask to all FF's

The "From address" is the 6 byte ethernet address of the sending station.
(This should never have the high bit set).

The "Packet type" is used in DIX ethernet packets only, and is a unique
number which indicates the type of packet service. It is used to allow
different systems to share a common network without confusing each other
packets. Note that IEEE 802.2/3 packets use this area for the length (this
is redundant, since the hardware supplies the length), however to avoid
conflicts, DIX ethernet requires that the "Packet type" always be greater
than 0x05EE, the maximum length of an 802.2/3 packet.

"Packet data" is the actual data sent/received in the packet. (Note, as far
as the hardware is concerned, the user data actually starts with the "Packet
type").



FILE FORMAT
-----------
When the packet information is saved to a file (F= command line option),
SNIFF writes the packets in the following format:

    Size - 2 bytes, little endian format
    To address - 6 bytes
    From address - 6 Bytes
    Type - 2 bytes
    Data (size-14 bytes)
    ... Additional packets to end of file ...

Note that the "Size" value includes the 14 byte header data (to/from/type),
but not the Size itself... In other words, the file space taken for each
packet in the file is Size+2 bytes.



SNIFFR
------
"SNIFF Reader" is a program that reads a SNIFF output file, and allows you
to view and search the packet data within it at your leasure.

SNIFFR is very simple and straightforward to use. Type SNIFFR ? for
information on the command line, and press F1 once you have activated
SNIFFR for information on the available command keys.



SNIFFV
------
"Sniff Viewer" is an enhanced version of SNIFFR (Sniff Reader) which makes
use of user defined templates to decode network packets and display them in
a more meaningful format.

Templates can be supplied in ASCII text (T=filename[.PTT]) in which case
SNIFFV will internally compile them into the binary form, or as a pre-compiled
binary image (B=filename[.PTB]). The latter will be slightly faster when
loading large templates.

For details on SNIFFV command line parameters, please run SNIFFV without any
command options. When viewing a capture, press F1 for a list of interactive
command keys.


Text template format:
---------------------
All templates are initially created in text form.  Please refer to the
included sample IP.PTT for an example of a text form template.

[]      = Indicates optional portion(s).
..      = Indicates that construct may be optionally repeated.
{o} = Arithmetic operator:
        +                   = Addition
        -                   = Subtraction
        *                   = Multiplication
        /                   = Division
        %                   = Modulus (remainder after division)
        &                   = Bitwise AND
        |                   = Bitwise OR
        ^                   = Bitwise Exclusive OR
        =                   = Test for equality
        !=                  = Test for inequality
        <                   = Test for Less Than
        >                   = Test for Greater Than
        <<                  = Shift left
        >>                  = Shift right
    *:  Arithmetic operations are applied without precedence, from left
        to right. Precedence can be forced by the use of () brackets.
{c} = Constant value (evaluated to 32-bits):
        0-9..               = Decimal number
        %0-1..              = Binary number
        @0-7..              = Octal number
        $0-9,A-F..          = Hexidecimal number
        -{c}                = Negative of value
        ~{c}                = Bitwize compliment of value
        !{c}                = Logical NOT of value
        ({c}[{o}{c}..])     = Nested expression (may have operators)
{d} = Simple constant decimal number (only)
{v} = Memory (from packet data) or Inline (constant) value:
        1<{c}               = 8-bit  L-endian value from address {c}    *1,2
        1>{c}               = 8-bit  B-endian value from address {c}    *1,2
        2<{c}               = 16-bit L-endian value from address {c}    *1
        2>{c}               = 16-bit B-endian value from address {c}    *1
        4<{c}               = 32-bit L-endian value from address {c}    *1
        4>{c}               = 32-bit B-endian value from address {c}    *1
        #{c}                = Inline constant value
        X                   = Content of temp-register 'X'
        Y                   = Content of temp-register 'Y'
        Z                   = Content of temp-register 'Z'
        {v}{o}{v}..         = Arithmetic operations                     *3
        ({v}[{o}{v}..])     = Nested expression (forced precedence).
    *1: If address {c} is positive, value is zero-extended (unsigned),
        if address {c} is negative, value is sign-extended (signed).
    *2: 8-bit values don't actually have "endian" - you can use either
        1<.. or 1>.. - both forms result in the same encoding.
    *3: Anywhere a {v} type value is expected, you may combine multiple
        {v} type values with arithmetic operations.
{r} = A destination temporary-register:
        X       = Assign to X temporary register
        Y       = Assign to Y temporary register
        Z       = Assign to Z temporary register
{f} = A display format specifier: [[-][0]{d1}]f[*{d2}s]
        -       = Left-justified, otherwise right-justified
        0       = Fill left-justified field with '0', otherwise space
        {d1}    = Width of field, if none or zero: free-format
        f:  D   = Signed decimal number
            U   = Unsigned decimal number
            B   = Binary number
            O   = Octal number
            X   = Hexidecimal number
            C   = Character
            S   = String (zero terminated)
        *       = Denotes that field repeats
        {d2}    = Number of times to repeat
        s       = Separator between repeated fields ('~'=none)

#section [|] [{v} ..]
    Begins a section definition, which describes the format of a block
    of packet data. All other constructs MUST occur within a section.

    ALL {v} parameters must evaluate TRUE (!0) to activate the section
    unless a leading '|' is specified in which case the section will be
    activated if ANY {v} parameter evaluates TRUE.

    Sections may be nested - sections occuring within sections will only
    activate if the containing section is active.

    If no parameters are provided, the section will only activate if no
    preceeding sections at the same level were activated. This is used
    to provide a "default" section to describe packet data that is not
    recognized as any other type.

    Sections are terminated with the #end directive.
    
    Sections contains text data which is output to the display, with the
    following special data substitutions available.
        ~{f}{v} = Output value in specified format.
        ~.      = Force a NEWLINE in output
        ~;      = Force a ';' in output (normally starts a comment)
        ~~      = Force a '~' in output (normally starts value output)
        ~=      = Stop expression scanner (insert nothing in output)
        ~       = At end of line - suppress NEWLINE

#data {v} ..

    Prepares a "data block" which is used by some other operations.

    Inline (constant) values output only as many bytes as are required
    to fit the value - use separate #0 values to create leading zeros.
        eg: #$1234  = Outputs 12 34
            #$0056  = Outputs 56

    Memory (from packet) values output as many bytes as the size of the
    memory item (first item in the case of operators).

    Values are output in "Big Endian" (most-significant bytes first).
    You can change the endian of the source value to reverse this for
    memory items.

#set {r} {v}

    Assigns a value to "temporary-register" X, Y or Z. This can be
    useful to:
        - Perform a calculation only once and use the result multiple
          times.
        - Pass a value on to forward template description. *1

    *1: At the beginning of each section, the 'Z' register is always set
        to the total size of the packet. This is needed to calculate the
        size of the packet data in some cases, however it also means that
        you cannot use 'Z' to pass values forward to other sections.

#check {r} {d} {v1} [{v2}] [{v3} {v4} ..]

    Calculates a check value used to validate certain data structures.

    If a #data block is defined, the check value is calculated over
    it (and it is cleared) before any other address/size pairs are
    processed. This is used to handle "pseudo-headers" required in
    some protocol check calculations.

    {r}             = Register to receive calculated check value
    {d}             = Type of check value:
                        1 = 8-bit sum
                        2 = 8-bit XOR
                        3 = 16-bit Big-Endian 1's compliment
                        4 = 16-bit Big-Endian 2's compliment
                        5 = 16-bit Little-Endian 1's compliment
                        6 = 16-bit Little-Endian 2's compliment
                        7 = Cyclic Redundancy Check     ({v2} req'd)
    {v1}            = Value to initialize check calculation.
    {v2}            = Optional value required for some check types:
                        7:  CRC generator polynomial
                      (must NOT be provided unless required)
    [{v3} {v4}..]   = Data block Address/size pairs to include in the
                      check calculation.

#if {v} [..]

    Conditionally processes a portion of the template description.

    The value {v} controls the conditional processing. FALSE (0) means
    to skip (not-process) this #if block - TRUE (!0) means to process
    the #if block.

    If [..] template data occurs on the same line, then a "one line #if"
    is recognzed - only the template data on the rest of the line is
    conditionally processed - unconditional processing resumes with the
    following line.

    If no [..] template data occurs on the same line, then a "multi line
    #if" is recognzed - All template data up until a #else or #end directive
    is conditionally processed.

#else [..]

    Conditionally processes a portion of the template description only
    if the corresponding #if directive was FALSE (did not process).

    Only a "multi line #if" can have an #else clause.

    #else can be "one line" or "multi line" - see #if.

#switch {v} [..]

    Conditionally processes one of several sections of the template
    description based on the {v} value. The section to be processed is
    selected based on the following #case directives.

    The template data between #switch and the first #case directive
    is processed as a default, only if no #case directives matched
    the switch value.

    #switch and all of it's #case directves must be followed by a #end
    directive, after which unconditional processing resumes.

    For convience, template data [..] may appear on the same line as
    #switch

#case {v} [..]

    Selects a block of template data to be processed following a #switch
    directive. If {v} matches the {v} originally supplied to #switch, the
    block of data is processed, then processing continues after the #end
    directive corresponding to the #switch.

    If no match is found, the next #case block is checked. If #end is
    reached before any match is found, the #switch default block is
    processed.

    For convience, template data [..] may appear on the same line as
    #case

#offset [+/-]{v}

    At the beginning of any section the Memory addresses used for {v}
    are relative to the beginning of the packet (offset 0).

    The #offset directive allows you to apply an offset to the memory
    address calculations which cam be used to:
    - Handle sections which are not located at an absolute offset
      into the packet.
    - Make it easier to code memory addresses relative to a fixed
      position.

    The new offset may be specified with '+' or '-' in which case the
    {v} value is added(+) or subtracted(-) from the current offset.

    If neither '+' or '-' is used, the {v} value replaces the current
    offset.

#dump {v1} {v2} {v3}

    Peforms a "memory dump" of a block of packet data:
        {v1}    = Address where dump is to begin.
        {v2}    = Number of bytes to dump.
        {v3}    = Maximum number of lines to use on screen.

    If the {v2} number of bytes to dump is more than can be displayed in
    {v3} maximum lines on screen, then the dump field becomes scrollable
    allowing you to view the entire content.

    If either {v2} or {v3} evaluates to zero, then no dump is performed.

#end

    This directive is used to close:
        #section definitions
        multi-line #if/#else blocks
        #switch/#case blocks


Binary template format:
-----------------------
When compiled into SNIFFVs internal binary representation, the template
data follows this format:

    Section header:
    ---------------
    1-0xFF      = Start of section indicator
    1-n         = Number of match parameters (bit7 == '|')
    2-size      = Total size of section (incl. header)
    n*{v}       = Match parameters
    .. template data ...

    Data within section:
    --------------------
    0xxxxxxx                            = ASCII data to output
    10frtttt [fmt] [rpt [sep]] {mem}    = Display value
        f = 1 if format provided:   fmt= lzwwwwww
            l = Left justify
            z = Zero fill
            w = field-width-1
        r = 1 if repeat provided:   rpt= snnnnnnn [sep]
            s = Separator provided
            n = # times to repeat
        tttt =  0   = Hex
                1   = bin
                2   = Octal
                3   = U-decimal
                4   = S-decimal
                5   = Character
                6   = String
    110xxxxx                            = Not currently used
    111xxxxx                            = Special function
        E0 {v}                          = X = {v}
        E1 {v}                          = Y = {v}
        E2 {v}                          = Z = {v}
        E3 t {v1} [{v2}] n [v3 v4]..    = X = check calculation
        E4 t {v1} [{v2}] n [v3 v4]..    = X = check calculation
        E5 t {v1} [{v2}] n [v3 v4]..    = X = check calculation
            t       = Type of check to calculate
            {v1}    = Initial value
            {v2}    = CRC polynomial (t==7 only)
            n       = Number of address/size pairs
            {v3}    = Address for block check
            {v4}    = size of block
        E6 {v}                          = Offset = {v}
        E7 {v}                          = Offset = Offset + {v}
        E8 {v}                          = Offset = Offset - {v}
        E9 n {v}..                      = Create data buffer
            n   = Number of values to process
            {v} = Value to insert
        EA {v1} {v2} {v3}               = Dump memory block
            {v1}    = Address to begin dump
            {v2}    = Size of dump area in bytes
            {v3}    = Maximum # lines to use on screen
        EB {v} n                        = Conditional jump
            {v}     = Test value
            n       = 00-FF = 1-256 bytes to skip if {v}==0
        EC n                            = unconditinal jump
            n       = 00-FF = 1-256 bytes to skip
        ED {v} addr len                 = #switch (begin)
            {v}     = Value to test
            addr    = 16-bit(LE) final address
            n       = 00-FF = 1-256 bytes in "default" block
        EE {v} n                        = #switch (#case)
            {v}     = Value to match
            n       = 00-FF = 1-256 bytes to next block
        EF                              = #switch (end)
        FF                              = Start of section

    Memory value {v} encoding:
        --High Nibble--                         --Low Nibble--
        0000 8u         - 8-bit unsigned        0000 = No operation
        0001 8s         - 8-bit signed          0001 = +
        0010 16lu       - 16-bit LE unsigned    0010 = -
        0011 16ls       - 15-bit LE signed      0011 = *
        0100 16bu       - 16-bit BE unsigned    0100 = /
        0101 16bs       - 16-bit BE signed      0101 = %
        0110 32l        - 32-bit LE             0110 = &
        0111 32b        - 32-bit BE             0111 = |
        1000 Imm8+      - Imm 8-bit unsigned    1000 = ^
        1001 imm8-      - Imm 8-bit signed      1001 = <
        1010 imm16+     - Imm 16-bit unsigned   1010 = >
        1011 imm16-     - Imm 16-bit signed     1011 = <<
        1100 imm32      - Imm 32-bit            1100 = >>
        1101 reg0       - Content of X          1101 = ==
        1110 reg1       - Content of Y          1110 = !=
        1111 reg3       - Content of Z          1111 = Force Precedence
    Types 0000-0111 denote memory accesses and are followed by
    an address: 0xxxxxxx            = 0-127
                1xxxxxxx xxxxxxxx   = 128-32895
    Types 1000-1100 denote immediate values:
        8-bit:  00-FF               = 0-255             (+ OR -)
        16-bit: 0000-FFFF           = 256-65,791        (+ OR -)
        32-bit: 00000000-FFFFFFFF   = 0-4,294,967,295   (+ AND -)
    If low-nibble indicates an operation, second memory operand
    is processed, and operation is performed - this continues
    until "No operation" is discovered.
        eg: #1+#2*#3+#4     = 81 01 83 02 81 03 80 04       = 13
    If lower nibble is '1111' then upper nibble is a count(-1)
    of operations to be grouped together.
        eg: #1+(#2*#3)+#4   = 81 01 1F 83 02 81 03 80 04    = 11
    Note that it is better to perform constant calculations
    within a constant expression, as no additional template data
    will be generated:
        eg: 2>12+(#1+#3)    = 41 0C 1F 81 01 80 02
            2>12+#(1+2)     = 41 0C 80 03


Template debugging:
-------------------
SNIFFV tries to "catch" template errors when it compiles the template,
however some errors will only occur while the template is being processed
when this happens, SNIFFV terminates with an error message showing the
address within the binary template which was being processed.

To assist you in determine which text source lines represent the problem
area, the '/A' option can be used to obtain information about the addresses
within the binary template corresponding to text lines.

When loading a T=filename[.PTT] text template, the '/A' option causes
the template to be written to standard output with each line prefixed by a
line number and address within the binary template. You can redirect this
to a file for reference: SNIFFV T=IP /A >IP.TXT

When converting a binary template into a text template (*) the '/A' option
causes each line in the created text template to be prefixed with the
line number and address within the binary template.

(*) while it is possible to recreate a text template from a binary image,
it is better to save the original text template. All comments and any source
formatting which does not affect the output will be lost during the
text->binary->text conversion process.



SNIFFD
------
"Sniff Dumper" is a command line tool that displays decoded packets on
standard output (can be redirected to a file). It uses the same templates
and options as SNIFFV, however it has a few additional command line options:

When no template (T= or B=) is supplied or section match within the supplied
template occurs, SNIFFD shows a hex dump of the data portion of the packet -
the /F command line option causes this hex dump to show the full packet
(including the packet header).

The L=n option can be used to limit the number of lines shown in hex dumps.
Use L=0 (or: L=) to use the number of lines encoded in the template.

The P=n[,n] causes SNIFFD to dump only a single packet or a range of packets.



SNIFFF
------
"Sniff Filter" is a utility which processes a SNIFF packet capture file and
removes packets which are not of interest, making if much simpler to follow
a protocol thread on a busy network. The rules describing which packets to
keep are provided in a "Filter" (.FIL) file.  For details on the format of
the filter file, please see the included UDP.FIL file.



Dunfield Development Services (DDS) offers software and firmware
development services specializing in systems and embedded applications.
For more information, visit: http://www.dunfield.com
