Packet event
The packet event section holds raw networking packets and is used to display
their fields.
Ethernet
{src mac} > {dst mac} ethertype {etype name} ({etype hex})
VLAN
vlan {id} p {prio} [DEI] ethertype {etype name} ({etype hex})
ARP
request who-has {ip} tell {ip}
or,
reply {ip} is at {mac}
IP
For IPv4:
{src ip}.{src port} > {dst ip}.{dst port} tos {tos} {ECN info} ttl {ttl} id {id}
off {frag offset} [{flags}] len {packet len} opts [{IPv4 options}]
proto {protocol name} ({protocol hex})
ECN infocan be one ofCE,ECT(0)orECT(1).flagsare constructed with a combination of+,DFandrsvd.
For IPv6:
{src ip}.{src port} > {dst ip}.{dst port} {ECN info} ttl {ttl} label {flow label}
len {packet len} exts [{IPv6 extensions}] proto {protocol name} ({protocol hex})
TCP
flags [{flags}] seq {sequence} ack {acked sequence} win {window} [{options}]
flagsare constructed using a combination ofF(fin),S(syn),R(reset),P(push),.(ack),U(urgent),E(ece),W(cwr) ande(RFC7560).sequencecan be a range ({start}:{end}) or a single number ({sequence}).- {options} are constructed by listing all options and for some extra information (mss, wscale, sack, echo, echoreply, cc, ccnew, ccecho, timestamp, tfo).
UDP
len {UDP data len}
ICMP & ICMPv6
type {type number} code {code number}
Geneve
geneve [{flags}] vni {vni} proto {etype name} ({etype hex}) opts_len {opts_len}
flagsare constructed using a combination ofO(control) andC(critical).
VXLAN
vxlan [{flags}] vni {vni}
flagscan beI(set for a valid VNI).