Variables

sniffer User Manual
<<< Previous	Scripting	Next >>>

General packet information

packet(length): Contains length of the packet (headers + contents) as the decimal integer.
packet(time): This is exact time the packet was received by the sniffer. This variable contains number of seconds elapsed since the epoch (system-dependent), but Tcl has builtin functions for formatting this value into human-readable format (man n clock).
packet(type): For now, this field is always "ethernet". Later, when we add support for other types of packets this field will be set accordingly.

eth(saddr): Source address (MAC) of the packet in the form "xx:xx:xx:xx:xx:xx" (string)
eth(daddr): Destination MAC address of the packet
eth(proto): Protocol carried within this ethernet frame (ip, ...). This variable contains decimal ethernet code in host byte order (0x0800 for IP, for example)

ip(version): Integer value representing IP version (I guess 4 or 6 currently)
ip(ihl): Integer value of internet header length
ip(tos): Type Of Service field
ip(tot_len): Total length of the IP packet (headers + contents)
ip(id): Packet ID field
ip(frag_off): Fragment offset if packet is fragmented
ip(ttl): Time To Live field
ip(protocol): Protocol carried within this packet (tcp, udp, ...). For easier interpreting of this field, there is an array variable $ip_proto defined in the default configuration (sample.ss). Protocol name is used as an array index ($ip_proto(tcp), for example, returns TCP protocol code (6)).
ip(check): Packet checksum
ip(saddr): Source address as dot quaded string or, if so specified on command line, fully qualified domain name of the source host.
ip(daddr): Destination address (look ip(saddr) for more info)
ip(data_hex): Hex dump of the packet data in the form "xx xx xx ..." where xx are hexadecimal digits
ip(data_ascii): ASCII dump of the packet data. If byte is within printable range then it is displayed literally. If it's non-printable then only "." (dot) is shown.
ip(data_length): Length of the packet contents (bytes/chars in hex or ascii dump)

NOTE: support for IP header flags in frag_off field is not yet supported.

tcp(source): Source port (integer)
tcp(dest): Destination port (integer)
tcp(seq): Sequence number (long)
tcp(ack_seq): Acknowledgement sequence number (long)
tcp(doff): Data offset
tcp(fin): finish flag (0 or 1)
tcp(syn): sync flag (0 or 1)
tcp(rst): reset flag (0 or 1)
tcp(psh): psh flag (0 or 1)
tcp(ack): ack flag (0 or 1)
tcp(urg): urgent flag
tcp(window): window
tcp(check): Packet checksum
tcp(urg_ptr): urgent pointer
tcp(data_hex): hex dump of the packet data (see ip(hex_dump) for more info)
tcp(data_ascii): ascii dump of the packet data (see ip(ascii_dump) for more info)
tcp(data_length): length of the packet data

udp(source): Source port
udp(dest): Destination port
udp(len): Packet length
udp(check): Packet checksum
udp(data_hex): hex dump of the packet data (see ip(hex_dump) for more info)
udp(data_ascii): ascii dump of the packet data (see ip(ascii_dump) for more info)
udp(data_length): length of the packet data

icmp(type): icmp packet type (decimal code)
icmp(type_str): icmp packet type (text description)
icmp(code): icmp packet sub-type code (decimal)
icmp(code_str): icmp packet sub-type code (text description)
icmp(checksum): icmp packet checksum
icmp(echo_id): ID in echo request/reply type packets
icmp(echo_sequence)
icmp(gateway)
icmp(frag_unused)
icmp(frag_mtu)
icmp(data_hex): hex dump of the packet data (see ip(hex_dump) for more info)
icmp(data_ascii): ascii dump of the packet data (see ip(ascii_dump) for more info)
icmp(data_length): Length of the packet data

<<< Previous	Home	Next >>>
Event handler hooks	Up	Functions