ziffy

Language: en

Version: 0.0.2 (mandriva - 22/10/07)

Section: 1 (User commands)

NAME

ziffy - capture and display Z39.50 APDUs on a live network

SYNOPSIS

ziffy [ -alloptionshere ]

       [ -i interface ] [ -r file ] [ -s snaplen ]

         [ -T type ] [ -w file ] [ expression ]

DESCRIPTION

ziffy is a Z39.50 protocol analyzer based on LIBPCAP, the current standard Unix library for packet capturing. It can be started either in interactive mode, to capture, decode and show all information in the Z39.50 APDUs from a live network, or in batch mode, to analyze the APDUs off-line from a previously created file. ziffy uses the standard BPF network packet filter for a more reliable capture mechanism. An additional expression can be given on the command line to capture only packets for which expression is `true'.

By default ziffy displays Z39.50 APDUs in a single-line summary form. In this format only the name of the captured APDU is displayed in the summary line, while the underlying TCP, IP, and Ethernet frame information is discarded. Multi-line output is also supported if either of the verbose modes is enabled. This allows a high degree of monitoring, from simple checks of functional processes down to a full hexadecimal dump of the APDUs for the interoperability and debugging test phases.

OPTIONS

-a
Attempt to convert network addresses to names. By default, ziffy will not resolve IP addresses to FQDNs.
-c
Capture a maximum of count number of APDUs and then exit.
-e
Enable the display of the link-level header.
-f
Do not translate `foreign' internet addresses.
-h
Display a help screen and quit.
-i
Define the name of the interface to use for live packet capture. It should match one of the names listed in netstat -i or ifconfig -a. By default ziffy will automatically choose the first non-loopback interface it finds.
-l
Make stdout line buffered. Useful if you want to see the data while capturing it.
-n
Disable domain name qualification of host names.
-p
Set the interface in non-promiscuous mode. Only packets addressed to the local host machine will be captured.
-r
Read packet data from file. Currently, ziffy only understands pcap / tcpdump formatted files.
-s
Truncate each packet after snaplen bytes when capturing live data. No more than snaplen bytes of each network packet will be read into memory, or saved to disk.
While 68 bytes is adequate for lower-level protocols such as IP, ICMP, TCP and UDP, it is inadequate for Z39.50, and the exact cut-off is not easy to determine. The default value is set to 10K, which should be enough for most networks. You should limit snaplen to the smallest number that will allow you to capture all the Z39.50 protocol information.
Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost.
-t
Sets the format of the packet timestamp displayed.

INSERT HERE THE RUNDOWN OF THE VARIOUS PRESENTATION FORMATS

-v
Print the program version and exit.
-w
Write the raw Z39.50 APDUs to file rather than printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
-1
Set verbose output at level 1.
-2
Set verbose output at level 2.
-T
With this option you can filter out certain APDU types from being shown. For example, if you wanted to see all APDUs except "init" and "sort" you could use:

 % ziffy -T init -T sort

Currently known APDU types are: init search present scan sort

A display filter can be entered into the strip at the bottom. It must have the same format as tcpdump filter strings, since both programs use the same underlying library.
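
Whether the snaplen given with -s was large enough can be checked afterwards on a pcap file of the kind -r reads: every record header stores both the number of bytes saved and the number of bytes seen on the wire. The Python sketch below is an added example, not part of ziffy; its function names and the sample capture are constructed for illustration.

```python
import struct

# Magic number as read little-endian -> byte order of the rest of the file.
PCAP_MAGICS = {
    0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
    0xA1B23C4D: "<", 0x4D3CB2A1: ">",   # nanosecond timestamps
}

def truncation_report(data):
    """Summarise a pcap byte string: snaplen, packet count, truncated records."""
    if len(data) < 24:
        raise ValueError("not a pcap file: global header is 24 bytes")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file: unknown magic 0x%08x" % magic)
    order = PCAP_MAGICS[magic]
    # version major/minor, thiszone, sigfigs, snaplen, link type
    _, _, _, _, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    offset, count, truncated = 24, 0, []
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("record %d: header cut short" % count)
        # ts_sec, ts_frac, bytes saved in the file, bytes seen on the wire
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("record %d: data runs past end of file" % count)
        if incl_len < orig_len:          # snaplen cut this packet
            truncated.append((count, incl_len, orig_len))
        offset += incl_len
        count += 1
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": count, "truncated": truncated}

def sample_capture():
    """Constructed input: snaplen 68, Ethernet link type, two records."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)
    small = struct.pack("<IIII", 1, 0, 60, 60) + bytes(60)
    large = struct.pack("<IIII", 2, 0, 68, 1500) + bytes(68)   # cut at 68
    return header + small + large

if __name__ == "__main__":
    report = truncation_report(sample_capture())
    for index, saved, wire in report["truncated"]:
        print("packet %d: %d of %d bytes saved (snaplen %d)"
              % (index, saved, wire, report["snaplen"]))
```

Any entry in the truncated list means part of that packet never reached the file, so an APDU carried in it cannot be fully decoded off-line.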

EXAMPLES

To print all APDUs arriving at or departing from zeta.tlcpi.finsiel.it:

 ziffy host zeta.tlcpi.finsiel.it
 

OUTPUT FORMAT

The output of ziffy is Z39.50 APDU dependent. The following gives a brief description and examples of most of the formats.

WARNING

To run ziffy you must be root or it must be installed setuid to root.

SEE ALSO

tcpdump(1), pcap(3), xasn1(3), yaz(7), snacc(3)

NOTES

The latest version of ziffy can be found at http://zeta.tlcpi.finsiel.it/ziffy

AUTHOR

Rocco Carbone <rocco@ntop.org>

BUGS

Please send bug reports to the author <rocco@ntop.org>