TOPSPEEK(8C) — MAINTENANCE COMMANDS
NAME
topspeek − interpret AppleTalk packets on Ethernet
SYNOPSIS
topspeek [ −n ] [ −u ] [ −x ] [ −c count ] [ −i interface ] [ −p ] expression
DESCRIPTION
Topspeek prints out the headers of packets on the ethernet that match the boolean expression. For AppleTalk packets traveling on the ethernet, topspeek displays a detailed breakdown by protocol layer of the content of the packet. Additionally, if the packet appears to carry a TOPS procedure call, the call’s arguments are interpreted, labeled and displayed. When an internet packet is fragmented into more than one ethernet packet, all fragments except the first are marked with an asterisk. Topspeek is derived from but is not meant to replace etherfind(8). An entirely different display is used for AppleTalk packets. Following is an example AppleTalk packet:
ETHER 08.00.89.D0.08.12 to 08.00.20.01.C7.BF
  LAP (node 2C(44) to 02(2))
    DDP (from 0001.76.B8 to 0002.02.89, length 103, sum 8929)
      ATP (REQUEST 0123---- XO, TID 0B0C, userbytes 2600534F)
        TOPS (SETOSTAT vid=8304 fid=4 W(72))
The first word on a line describes the layer being displayed. Successive levels of indent on the following lines denote nested higher level protocol layers. The higher level protocol layer displays tend to be more flexible.
Ethernet source and destination addresses are displayed on the first (ETHER) line. The AppleTalk source and destination node numbers are shown on the LAP line. The AppleTalk broadcast node address (0xFF) is specially displayed as BROADCAST.
Lines marked DDP show source and destination addresses, datagram length, and optional checksum. The triple of numbers has the meaning net.node.socket. Topspeek attempts to replace AppleTalk addresses by symbolic names gleaned from NBP traffic when possible. The -n option suppresses this behavior. DDP short and long formats are lumped under the single tag DDP.
ATP has 3 forms: REQUEST, RESPONSE, and RELEASE. All show the transaction id in hex as TID=0000. The ATP bitmap is shown broken down into bits. In the example above bits 0, 1, 2, and 3 are set on. The ATP request bitmap is not shown if all 8 bits are set. For ATP responses, the response number is preceded by a # symbol. ATP flags are XO (exactly once), EOM (end of message) and STS as in the AppleTalk spec.
NBP protocol packets are shown with the names they carry. The list of pairs on the last line of an RTMP display is the bridge's routing table in the form (net hops). EP (echo protocol), ADSP, and ZIP packets are only identified, not (yet) interpreted.
TOPS network call requests are shown in lines beginning with the word TOPS. Topspeek attempts to record and later match up login names used and display them on the TOPS line. The TOPS function call name and argument list follow. Here is a key to some of the abbreviations used.
vid - volume id
did - directory id
fid - file id
mode - file open mode
index - read directory index
type - file type
overwrite - create overwrite flag
offset - read/write offset
time - file mod time
R(999) - read buffer
W(999) - write buffer with optional socket number
File and login names are enclosed in quotes. A more formal and complete TOPS protocol specification is available through the TOPS developer program.
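For working with saved traces, the layered display described above can be turned back into structured fields. The following is an added example, not part of topspeek or this manual; the function names are hypothetical, and it assumes the one-layer-per-line layout of the example packet and that the DDP triple is printed in hex.

```python
import re

# Constructed input: the example packet from this page, as topspeek displays it.
SAMPLE = """\
ETHER 08.00.89.D0.08.12 to 08.00.20.01.C7.BF
  LAP (node 2C(44) to 02(2))
    DDP (from 0001.76.B8 to 0002.02.89, length 103, sum 8929)
      ATP (REQUEST 0123---- XO, TID 0B0C, userbytes 2600534F)
        TOPS (SETOSTAT vid=8304 fid=4 W(72))
"""

def ddp_addr(text):
    """net.node.socket triple -> ints (hex is an assumption), else a name."""
    try:
        net, node, sock = (int(p, 16) for p in text.split("."))
    except ValueError:
        return {"name": text}  # symbolic name learned from NBP (no -n)
    return {"net": net, "node": node, "socket": sock}

def parse_atp(body):
    head, _, tail = body.partition(",")
    kind, *tokens = head.split()
    atp = {"kind": kind, "tid": int(re.search(r"TID[ =](\w+)", tail)[1], 16),
           "flags": [t for t in tokens if t in ("XO", "EOM", "STS")]}
    bitmaps = [t for t in tokens if re.fullmatch(r"[0-7-]{8}", t)]
    if bitmaps:  # a digit marks a set bit, "-" a clear one
        atp["bitmap"] = [i for i, c in enumerate(bitmaps[0]) if c != "-"]
    elif kind == "REQUEST":  # bitmap is not shown when all 8 bits are set
        atp["bitmap"] = list(range(8))
    return atp

def parse_packet(text):
    """Return {layer: fields} for one packet of topspeek output."""
    pkt = {}
    for line in text.splitlines():
        layer, _, body = line.strip().partition(" ")
        body = body[1:-1] if body.startswith("(") else body
        if layer in ("ETHER", "LAP"):  # both are "<src> to <dst>"
            pkt[layer] = dict(zip(("src", "dst"), re.sub(r"^node ", "", body).split(" to ")))
        elif layer == "DDP":
            m = re.match(r"from (\S+) to (\S+), length (\d+)(?:, sum (\w+))?", body)
            pkt[layer] = {"src": ddp_addr(m[1]), "dst": ddp_addr(m[2]),
                          "length": int(m[3]), "sum": m[4]}
        elif layer == "ATP":
            pkt[layer] = parse_atp(body)
        elif layer == "TOPS":
            pkt[layer] = {"call": body.split()[0], "args": dict(re.findall(r"(\w+)=(\S+)", body)),
                          "buffers": {k: int(n) for k, n in re.findall(r"\b([RW])\((\d+)\)", body)}}
    return pkt
```

Calling parse_packet(SAMPLE) yields one dictionary per layer, so a trace can be filtered on fields such as the TOPS call name or the DDP socket instead of with grep.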
OPTIONS
−n Don’t convert host addresses and port numbers to names.
−u Make the output line buffered.
−x Dump the header in hex, in addition to the line printed for each packet by default.
−c Exit after receiving count packets. This is sometimes useful for dumping a sample of ethernet traffic to a file for later analysis.
−i Topspeek listens on interface. The program netstat(8C) when invoked with the -i flag lists all the interfaces that a machine has.
−p Normally, the selected interface is put into promiscuous mode, so that topspeek has access to all packets on the ethernet. However, when the -p flag is used, the interface will not go promiscuous.
expression
The syntax of expression is similar to that used by find(1). Here are the allowable primaries.
−dst destination
True if the destination field of the packet is destination, which may be either an address or a name.
−src source
True if the source field of the packet is source, which may be either an address or a name.
−between host1 host2
True if either the source of the packet is host1 and the destination host2, or the source is host2 and the destination host1.
−dstnet destination
True if the destination field of the packet has a network part of destination, which may be either an address or a name.
−srcnet source
True if the source field of the packet has a network part of source, which may be either an address or a name.
−srcport port
True if the packet has a source port value of port. It must be either udp or tcp (see tcp(4P), udp(4P)). The port can be a number or a name used in /etc/services.
−dstport port
True if the packet has a destination port value of port. The port can be a number or a name.
−less length
True if the packet has a length less than or equal to length.
−greater length
True if the packet has a length greater than or equal to length.
−proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, udp, nd, or tcp.
−byte byteOPvalue
True if byte number byte of the packet is in relation op to value. Legal values for op are +, <, >, &, and |. Thus -byte 4=6 is true if the fourth byte of the packet has the value 6, and -byte 20&0xf is true if byte twenty has one of its four low order bits nonzero. Here, byte offset zero corresponds to the first byte of the fourteen byte ethernet packet header. You may not choose byte offsets larger than the packet snapshot size, which is currently set to 700.
−broadcast
True if the packet is a broadcast packet.
−arp
True if the packet is an arp packet (see arp(4P)).
−rarp
True if the packet is a rarp packet.
−ip
True if the packet is an ip packet.
−lap
True if the packet is a LAP packet. (Link Access Protocol)
−ddp
True if the packet is a DDP packet. (Datagram Delivery Protocol)
−rtmp
True if the packet is an RTMP packet. (Routing Table Maintenance Protocol)
−atp
True if the packet is an ATP packet. (AppleTalk Transaction Protocol)
−nbp
True if the packet is an NBP packet. (Name Binding Protocol)
−ep
True if the packet is an EP packet. (Echo Protocol)
−zip
True if the packet is a ZIP packet. (Zone Information Protocol)
−adsp
True if the packet is an ADSP packet. (AppleTalk Data Stream Protocol)
The primaries may be combined using the following operators (in order of decreasing precedence):
A parenthesized group of primaries and operators (parentheses are special to the Shell and must be escaped).
The negation of a primary (‘!’ is the unary not operator).
Concatenation of primaries (the and operation is implied by the juxtaposition of two primaries).
Alternation of primaries (‘−o’ is the or operator).
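The precedence rules above, worked as an evaluator over a raw frame. This is an added example, not topspeek's code: the function names are hypothetical, only the -byte, -less and -greater primaries are implemented, options are written with ASCII hyphens, and the "=" relation is taken from the `-byte 4=6` example.

```python
import operator

# Constructed frame: 14-byte Ethernet header (type 0x809B) followed by 50 zero bytes.
FRAME = bytes.fromhex("08002001c7bf080089d00812809b") + bytes(50)
# "&" is true when any masked bit is set, as in the page's `-byte 20&0xf` example.
RELATIONS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
             "&": lambda b, v: b & v != 0}

def primary(name, tokens, frame):
    if name in ("-less", "-greater"):
        cmp = operator.le if name == "-less" else operator.ge
        return cmp(len(frame), int(tokens.pop(0)))
    if name == "-byte":  # offset zero is the first byte of the Ethernet header
        arg = tokens.pop(0)
        op = next(c for c in arg if c in RELATIONS)
        offset, value = (int(x, 0) for x in arg.split(op, 1))
        return offset < len(frame) and RELATIONS[op](frame[offset], value)
    raise ValueError(f"unsupported primary: {name}")

def factor(tokens, frame):
    tok = tokens.pop(0)
    if tok == "!":  # negation applies to the next primary or group only
        return not factor(tokens, frame)
    if tok == "(":
        result = alternation(tokens, frame)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parenthesis")
        return result
    return primary(tok, tokens, frame)

def concatenation(tokens, frame):
    result = factor(tokens, frame)
    while tokens and tokens[0] not in ("-o", ")"):
        result = factor(tokens, frame) and result  # operand first: always consume tokens
    return result

def alternation(tokens, frame):
    result = concatenation(tokens, frame)
    while tokens and tokens[0] == "-o":
        tokens.pop(0)
        result = concatenation(tokens, frame) or result
    return result

def matches(expression, frame):
    """expression is the argument list as the shell passes it, one token per item."""
    tokens = list(expression)
    result = alternation(tokens, frame)
    if tokens:
        raise ValueError(f"unexpected token: {tokens[0]}")
    return result
```

With FRAME (64 bytes), `-byte 12=0x80 -o -byte 13=0x9b -less 60` matches because the implied "and" binds tighter than `-o`, while the same expression with the alternation parenthesized does not.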
EXAMPLES
To find all packets arriving at or departing from sundown
angel% topspeek −src sundown -o −dst sundown
angel%
The following yields a trace of TOPS on ether activity.
angel% topspeek −atp | grep TOPS
Note that the { } characters must be quoted when using the C shell.
SEE ALSO
traffic(1C), nit(4P)
Inside AppleTalk
BUGS
The syntax is painful.
Sun Release 4.0 — Last change: 03 November 1987