etdc is a product of the Network Systems Group at Princeton University's Office of Information Technology, and is available from http://www.net.princeton.edu/software/etdc/
The script relies on perl 5.6.0 or later, and tcpdump(8).
By default, all packets are displayed. If you specify an include filter, only packets that match that filter will be shown. You may specify a combination of include filters to include packets that match any of the filters (include filters are logically or'd).
If you specify an exclude filter, all packets that match that filter will be excluded from the display. You may specify a combination of exclude filters to exclude packets that match any of the filters (exclude filters are logically or'd).
It usually is not meaningful to specify both include and exclude filters, except when you are trying to see only certain kinds of ATP packets. etdc will refuse to do anything too silly (e.g. both -R and -r).
If you specify an address filter, only packets that match that filter will be shown. You may not specify more than one AppleTalk source address, and you may not specify more than one AppleTalk destination address. If you specify both a source and a destination address filter, the two filters will be OR'd together. Thus, to capture all traffic going to and coming from a single AppleTalk address, specify it in both the source and the destination address filters.
The simplest way to use etdc is in a pipeline with tcpdump(8), e.g. on Ethernet use:
tcpdump -l -s 621 -q -x -e
    ('ether[14:4]=0xaaaa0300' and 'ether[18:4]=0x000080f3')
    or ('ether[14:4]=0xaaaa0308' and 'ether[18:4]=0x0007809b')
    | etdc
The command above has been split across multiple lines for clarity; it should be entered as a single line. The quotes around the filter's subexpressions are not part of the filter that tcpdump sees (the shell removes them), but they are necessary if square brackets are special characters in your shell. If your shell also treats parentheses as special characters, you will need to escape or quote them as well.
Note that etdc does not read the raw packet capture files that are produced with tcpdump's -w option. Instead, etdc reads the hex dump (textual) output produced by tcpdump's -x option.
You must specify tcpdump's -x option, to produce the hex dump that etdc expects to read. etdc expects that each packet it reads will consist of a single packet header line followed by hex dump lines. Therefore, you should not specify tcpdump's -X option; it causes newer versions of tcpdump to also print the packet's contents in ASCII. And it's a good idea to include tcpdump's -q option, which inhibits some additional decoding which tcpdump might decide to perform when it believes it knows how to decode the packet.
You must specify tcpdump's -s option to raise the snaplen (the number of bytes captured per packet) high enough to capture complete EtherTalk packets. A value of 621 is adequate.
When used in a pipe, specify tcpdump's -l option, so its output is line-buffered. (This isn't necessary if you first write the tcpdump output to a file, then later process the file with etdc.)
AppleTalk AARP packets begin with the 802.2 header 0xaaaa03 followed by the SNAP protocol discriminator 0x00000080f3. AppleTalk data (DDP) packets begin with the 802.2 header 0xaaaa03 followed by the SNAP protocol discriminator 0x080007809b. (These fields immediately follow the link encapsulation (e.g. Ethernet), and are followed in turn by the actual AARP or DDP packet.) Therefore, an appropriate tcpdump(8) filter should include packets that begin, immediately after the link's own encapsulation, with either of the 8-byte values 0xaaaa0300000080f3 or 0xaaaa03080007809b. As of this writing, tcpdump(8) only permits filters to test 1, 2 or 4 bytes at a time; this is why the filter expression suggested above tests each 8-byte value as two 4-byte comparisons rather than all at once.
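As an added illustration (not etdc's own code, nor anything from this page), here is a Python sketch of the job etdc does with the tcpdump -x text described above: it groups each header line with the indented hex lines that follow it, tests the 8-byte 802.2/SNAP prefix (0xaaaa0300000080f3 or 0xaaaa03080007809b) to tell AARP from DDP, and decodes the AARP fields or the 13-byte long DDP header, flagging a DDP length larger than the bytes actually captured (what an undersized -s produces). It assumes the hex dump starts at the 802.2 header, as the tcpdump -x of etdc's era printed it when -e placed the Ethernet header on the header line; the sample input bytes are constructed to mirror two packets from the sample output, and the field layouts come from Inside AppleTalk, not from etdc's source.

```python
import re
# Constructed input shaped like "tcpdump -q -x -e" output: a header line per packet, then
# indented hex lines starting at the 802.2 header (old tcpdump -x omitted the Ethernet header).
SAMPLE = """\
17:40:57.378932 0:1:2:3:4:5 9:0:7:ff:ff:ff 39:
\taaaa 0308 0007 809b 001f 0000 0000 72e8
\tff50 0606 0605 0000 0000 000b 3837 5f50
\t726f 7370 6563 74
17:40:57.389889 0:22:44:66:88:aa 9:0:7:ff:ff:ff 36:
\taaaa 0300 0000 80f3 0001 809b 0604 0001
\t0022 4466 88aa 0072 ea83 0000 0000 0000
\t0072 e850
"""
SNAP = {bytes.fromhex("aaaa0300000080f3"): "AARP",  # 802.2 0xaaaa03 + SNAP 0x00000080f3
        bytes.fromhex("aaaa03080007809b"): "DDP"}   # 802.2 0xaaaa03 + SNAP 0x080007809b
AARP_FUNCS = {1: "Request", 2: "Response", 3: "Probe"}
DDP_TYPES = {1: "RTMP", 2: "NBP", 3: "ATP", 4: "AEP", 5: "RTMP Req", 6: "ZIP", 7: "ADSP"}
HEX_LINE = re.compile(r"^\s+(?:0x[0-9a-f]+:\s+)?([0-9a-f]{2,4}(?:\s+[0-9a-f]{2,4})*)\s*$")

def split_packets(text):  # (header line, packet bytes) pairs from tcpdump -x text
    pkts = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m and pkts:
            pkts[-1][1].append(m.group(1))
        elif line.strip():                        # an unindented line starts a new packet
            pkts.append((line, []))
    return [(hdr, bytes.fromhex(" ".join(parts))) for hdr, parts in pkts]

def decode(raw):
    """Classify a packet by its 8-byte 802.2/SNAP prefix and decode the AARP or DDP header."""
    kind, body = SNAP.get(raw[:8], "other"), raw[8:]
    if kind == "AARP" and len(body) >= 28:  # ARP layout: htype, ptype, hlen, plen, function,
        func = int.from_bytes(body[6:8], "big")  # src hw(6), src proto(4), dst hw(6), dst proto(4)
        return {"proto": kind, "function": AARP_FUNCS.get(func, str(func)),
                "src": "%d.%d" % (int.from_bytes(body[15:17], "big"), body[17]),
                "dst": "%d.%d" % (int.from_bytes(body[25:27], "big"), body[27])}
    if kind == "DDP" and len(body) >= 13:   # long header: 2 pad bits, 4-bit hops, 10-bit length,
        length = ((body[0] & 0x03) << 8) | body[1]  # checksum, dst/src net, node, socket, type
        return {"proto": kind, "hops": (body[0] >> 2) & 0x0f, "length": length,
                "cksum": int.from_bytes(body[2:4], "big"),
                "dst": "%d.%d.%d" % (int.from_bytes(body[4:6], "big"), body[8], body[10]),
                "src": "%d.%d.%d" % (int.from_bytes(body[6:8], "big"), body[9], body[11]),
                "type": DDP_TYPES.get(body[12], str(body[12])),
                "truncated": length > len(body)}  # snaplen (-s) too small for this packet
    return {"proto": kind, "truncated": kind != "other"}  # not AppleTalk, or header cut short

if __name__ == "__main__":
    for hdr, raw in split_packets(SAMPLE):
        print(hdr.split()[0], decode(raw))
```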
17:40:57.348848 plaid 9:0:7:ff:ff:ff
    AARP function=Probe htype=0001 prototype=809b hlen=06 protolen=04
    Src hardware: 00:01:02:03:04:05 Tentative AppleTalk: 29416.80
    Unused: 00:00:00:00:00:00 Tentative Appletalk: 29416.80
17:40:57.378932 plaid 9:0:7:ff:ff:ff
    DDP HEADER: Src: 29416.80.6 Dest: 0.255.6 Hops: 0 Length: 31 ChkSum: 0x0000 DDPType: ZIP
    ZIP HEADER: Function: GetNetInfo Request Zone: 87_Prospect
17:40:57.389889 wormhole 9:0:7:ff:ff:ff
    AARP function=Request htype=0001 prototype=809b hlen=06 protolen=04
    Src hardware: 00:22:44:66:88:aa Src AppleTalk: 29418.131
    Unused: 00:00:00:00:00:00 Desired Appletalk: 29416.80
17:40:57.390009 plaid wormhole
    AARP function=Response htype=0001 prototype=809b hlen=06 protolen=04
    Src hardware: 00:01:02:03:04:05 Src AppleTalk: 29416.80
    Dst hardware: 00:22:44:66:88:aa Dst AppleTalk: 29418.131
17:40:57.391144 wormhole plaid
    DDP HEADER: Src: 29418.131.6 Dest: 29416.80.6 Hops: 0 Length: 38 ChkSum: 0x908f DDPType: ZIP
    ZIP HEADER: Function: GetNetInfo Reply FLAGS: Range Start: 29416 Range End: 29419 Zone: 87_Prospect Mcast Addr: 0x0900070000f3
17:40:57.392543 plaid wormhole
    DDP HEADER: Src: 29416.80.64 Dest: 29418.131.6 Hops: 0 Length: 21 ChkSum: 0x0000 DDPType: ATP
    ATP HEADER: Function: TReq TID: 1 Bitmap: 01
    ZIP GetLocalZones Request: Start Index: 1
17:40:57.399712 wormhole plaid
    DDP HEADER: Src: 29418.131.6 Dest: 29416.80.64 Hops: 0 Length: 92 ChkSum: 0x68d1 DDPType: ATP
    ATP HEADER: Function: TResp EOM TID: 1 Seqnum: 00
    ZIP GetZoneList/GetLocalZones/GetMyZone Reply: 5 zones (LAST)
    Name: Unconfigured Name: 116_Prospect Name: 171_Broadmead Name: 87_Prospect Name: PU_Cluster_87P_108
17:43:54.186754 wormhole 9:0:7:0:0:f3
    DDP HEADER: Src: 29312.85.131 Dest: 0.255.2 Hops: 0 Length: 36 ChkSum: 0x7ddc DDPType: NBP
    NBP HEADER: Function: LkUp Tuples: 1 NBP ID: 1
    Addr: 29312.85.131 Enum: 0 Entity: "=:=@87_Prospect"
17:43:54.186936 scramble wormhole
    DDP HEADER: Src: 29416.83.2 Dest: 29312.85.131 Hops: 0 Length: 86 ChkSum: 0xe57d DDPType: NBP
    NBP HEADER: Function: LkUp-Reply Tuples: 2 NBP ID: 1
    Addr: 29416.83.130 Enum: 0 Entity: "scramble:UNIX/CAP@87_Prospect"
    Addr: 29416.83.132 Enum: 1 Entity: "scramble:AFPServer@87_Prospect"
17:48:13.174344 scramble psnt
    DDP HEADER: Src: 29416.83.135 Dest: 29416.4.157 Hops: 0 Length: 25 ChkSum: 0x54e7 DDPType: ATP
    ATP HEADER: Function: TReq XO TID: 26087 Bitmap: 01 TRel timeout: 30 sec
    PAP HEADER: ConnID: 41 CMD: OpenConn ATPRSSN: 134 FlowQuantum: 8 WaitTime: 1
17:48:15.183992 scramble psnt
    DDP HEADER: Src: 29416.83.135 Dest: 29416.4.157 Hops: 0 Length: 25 ChkSum: 0x54e7 DDPType: ATP
    ATP HEADER: Function: TReq XO TID: 26087 Bitmap: 01 TRel timeout: 30 sec
    PAP HEADER: ConnID: 41 CMD: OpenConn ATPRSSN: 134 FlowQuantum: 8 WaitTime: 1
17:48:15.259261 psnt scramble
    DDP HEADER: Src: 29416.4.157 Dest: 29416.83.135 Hops: 0 Length: 61 ChkSum: 0x0000 DDPType: ATP
    ATP HEADER: Function: TResp XO TID: 26087 Seqnum: 00
    PAP HEADER: ConnID: 41 CMD: OpenConnReply ATPRSSN: 186 FlowQuantum: 8 Result: No error - connection opened Status: status: busy; source: EIO 1 (ATALK)
17:48:15.259406 scramble psnt
    DDP HEADER: Src: 29416.83.135 Dest: 29416.4.157 Hops: 0 Length: 21 ChkSum: 0xb444 DDPType: ATP
    ATP HEADER: Function: TRel TID: 26087
17:48:15.259464 scramble psnt
    DDP HEADER: Src: 29416.83.135 Dest: 29416.4.186 Hops: 0 Length: 21 ChkSum: 0x1d05 DDPType: ATP
    ATP HEADER: Function: TReq TID: 26088 Bitmap: 01
    PAP HEADER: ConnID: 41 CMD: Tickle
17:48:15.260252 scramble psnt
    DDP HEADER: Src: 29416.83.135 Dest: 29416.4.186 Hops: 0 Length: 21 ChkSum: 0xbc17 DDPType: ATP
    ATP HEADER: Function: TReq XO TID: 26089 Bitmap: ff TRel timeout: 30 sec
    PAP HEADER: ConnID: 41 CMD: SendData PAP Seq Num: 1
We don't allow you to decode ATP as AFP yet.
We don't know how to decode AURP yet.
When decoding ATP as IPGP and we come across an ATP packet that is not IPGP, we can usually recognize this and avoid showing IPGP fields, but only after we have already displayed the packet up through its ATP header.