ZIFFY(1)                  The Z39.50 Network Sniffer                  ZIFFY(1)

NAME

       ziffy - capture and display Z39.50 APDUs on a live network

SYNOPSIS

       ziffy [ -alloptionshere ]
             [ -i interface ] [ -r file ] [ -s snaplen ]
             [ -T type ] [ -w file ] [ expression ]

DESCRIPTION

       ziffy is a Z39.50 protocol analyzer based on LIBPCAP, the current
       standard Unix library for packet capturing. It can be started both in
       interactive mode to capture, decode and show all information in the
       Z39.50 APDUs from a live network, and in batch mode to analyze the
       APDUs off-line from a previously created file.  ziffy uses the standard
       BPF network packet filter for a more reliable capture mechanism.  An
       additional expression can be given on the command line to capture only
       packets for which expression is `true'.  By default ziffy displays
       Z39.50 APDUs in a single-line summary form. In this format only the
       name of the captured APDU is displayed in the summary line, while the
       underlying TCP, IP, and Ethernet frame information is discarded.
       Multi-line output is also supported if either of the verbose modes is
       enabled.  This allows a high degree of monitoring, from simple checks
       of functional processes down to a full hexadecimal dump of the APDUs
       for the interoperability and debugging test phases.

OPTIONS

       -a     Attempt to convert network addresses to names. By default, ziffy
              will not resolve IP addresses to FQDNs.

       -c     Capture a maximum of count number of APDUs and then exit.

       -e     Enable the display of the link-level header.

       -f     Do not translate `foreign' internet addresses.

       -h     Display a help screen and quit.

       -i     Define the name of the interface to use for live packet capture.
              It should match one of the names listed in netstat -i or
              ifconfig -a.  By default ziffy will automatically choose the
              first non-loopback interface it finds.

       -l     Make stdout line buffered. Useful if you want to see the data
              while capturing it.

       -n     Disable domain name qualification of host names.

       -p     Set the interface in non-promiscuous mode.  Only packets
              addressed to the local host machine will be captured.

       -r     Read packet data from file.  Currently, ziffy only understands
              pcap / tcpdump formatted files.

       -s     Truncate each packet after snaplen bytes when capturing live
              data.  No more than snaplen bytes of each network packet will be
              read into memory, or saved to disk.
              While 68 bytes is adequate for lower-level protocols such as IP,
              ICMP, TCP and UDP, it is inadequate for Z39.50 and the exact
              cut-off is not easy to determine.  The default value is set to
              10K which should be enough for most networks.  You should limit
              snaplen to the smallest number that will allow you to capture
              all the Z39.50 protocol information.
              Note that taking larger snapshots both increases the amount of
              time it takes to process packets and, effectively, decreases the
              amount of packet buffering.  This may cause packets to be lost.

       -t     Sets the format of the packet timestamp displayed.

              INSERT HERE THE RUNDOWN OF THE VARIOUS PRESENTATION FORMATS

       -v     Print the program version and exit.

       -w     Write the raw Z39.50 APDUs to file rather than printing them
              out.  They can later be printed with the -r option.  Standard
              output is used if file is ``-''.

       -1     Set verbose output at level 1.

       -2     Set verbose output at level 2.

       -T     With this option you can filter out certain APDU types from
              being shown. For example, if you wanted to see all APDUs
              except "init" and "sort" you could use:
                     % ziffy -T init -T sort
              Currently known APDU types are: init search present scan sort

              A display filter can be entered into the strip at the bottom.
              It must have the same format as tcpdump filter strings, since
              both programs use the same underlying library.
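
       The -s trade-off can be checked on a saved capture. The following is an
       added example, not part of ziffy or of the original page: it reads the
       classic pcap format that -r accepts and counts the packets that snaplen
       cut short. The sample capture is constructed, and 10K is assumed to
       mean 10240 bytes.

```python
import io
import struct

# Classic pcap magic number as it appears on disk -> struct byte-order prefix
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def snaplen_report(stream):
    """Scan a classic pcap file and report how its snaplen affected the capture."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian = PCAP_MAGICS[header[:4]]
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, _ = struct.unpack(endian + "IHHiIII", header)
    total = truncated = longest = 0
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            break  # end of file, or a partial trailing record
        # Record header: ts_sec, ts_usec, bytes saved (caplen), bytes on the wire
        _, _, caplen, wirelen = struct.unpack(endian + "IIII", rec)
        data = stream.read(caplen)
        if len(data) < caplen:
            break  # record body cut off mid-write
        total += 1
        longest = max(longest, wirelen)
        if caplen < wirelen:
            truncated += 1  # bytes past snaplen were never saved
    return {"snaplen": snaplen, "packets": total,
            "truncated": truncated, "longest_on_wire": longest}

def build_sample(snaplen, wire_lengths):
    """Constructed sample: a little-endian pcap whose packets are cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, wirelen in enumerate(wire_lengths):
        caplen = min(wirelen, snaplen)
        out += struct.pack("<IIII", 915000000 + i, 0, caplen, wirelen)
        out += b"\x00" * caplen
    return out

if __name__ == "__main__":
    # Same constructed traffic captured with 68 bytes and with 10K (assumed 10240)
    for snap in (68, 10240):
        print(snaplen_report(io.BytesIO(build_sample(snap, [60, 400, 1514]))))
```

       A non-zero truncated count means the chosen snaplen dropped payload
       bytes; longest_on_wire gives the smallest snaplen that would have kept
       every packet in that capture whole.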

EXAMPLES

       To print all APDUs arriving at or departing from zeta.tlcpi.finsiel.it:
              ziffy host zeta.tlcpi.finsiel.it

OUTPUT FORMAT

       The output of ziffy is Z39.50 APDU dependent.  The following gives a
       brief description and examples of most of the formats.

WARNING

       To run ziffy you must be root or it must be installed setuid to root.

SEE ALSO

       tcpdump(1), pcap(3), xasn1(3), yaz(7), snacc(3)

NOTES

       The latest version of ziffy can be found at
       http://zeta.tlcpi.finsiel.it/ziffy

AUTHOR

       Rocco Carbone <rocco@ntop.org>

BUGS

       Please send bug reports to the author <rocco@ntop.org>

28 December 1998                     0.0.2                            ZIFFY(1)