Inter-Office MemorandumToDistributionDateJuly 12, 1982FromAndrew BirrellLocationPalo AltoSubjectPupwatchOrganizationPARC/CSLXEROX       Filed on:[Indigo]<Grapevine>Pupwatch>Pupwatch.bravo and Pupwatch.press1.IntroductionPupwatch is a program for observing PUP packets on your local Ethernet network.  It will runon any computer that can run Alto/Mesa 6.0 or Cedar.  Pupwatch operates by making the computerpromiscuous, so that it will accept every well-formed Ethernet packet on the attached network.  Itthen filters these packets to select only the packets which are from or to the particular PUP hostcurrently being watched.Pupwatch has a reasonable understanding of the common PUP packet types, the PUP ByteStream Protocol and the Leaf "Sequin" protocol.  On the display, Pupwatch shows you a summaryof packets interactively as they arrive.  By explicit command, you can cause Pupwatch to write adisk file containing details of the packets received.2.User InterfaceThere are two entirely different user interfaces for Pupwatch:  one on Altos (or machinesemulating Altos) and one when running under Cedar.2.1.Alto-MesaWhen it starts up, Pupwatch initialises its display, then prompts you with the message "Host(NLS-name or Net-address):".  You should then type the PUP address of the host you want towatch.  This may be a PUP address constant such as "3#17#" (note the second "#"), or it may bea Name Lookup Server text name such as "Ivy";  any socket number is ignored.  Pupwatch willthen display PUP packets it receives whose source or destination address matches the networknumber and host number you have given.  Note that a network number is needed:  Pupwatch isconcerned with packets on the PUP Internet, not just Ethernet packets.  The address you give neednot be on your local network:  if it is on another network, Pupwatch will perform the samefiltering, to show you any packets addressed to or from that host which happen to pass throughyour local network.  Unless you intervene, Pupwatch will now sit there forever showing you packetsas it receives them.  There are several commands you may type.If you type a "?", Pupwatch will tell you the available commands.  Typing a space causesPupwatch to stop displaying packets; typing another space will cause it to continue.  WhilePupwatch is waiting for you to tell it to continue, it is still receiving packets and buffering them(subject to not getting more than 150 packets ahead of the last packet displayed); it will displayÿ                                                                        î]ïg¡pô iî¶ïc8qî]rî-¤qî7Brô Xî¶ï]ûqî]rî-¤qî7Brî¶ïYqî]rî-¤qî7BrîüïSìsrî¶ïN°qô Fî]rð*ô Xî·ïF²tî2î2ïCÍurô œô qrð5î·ïBô €ð>ô î·ï@7u
rô ¢ô £ðSî·ï>mô ¯ð5ô °ð%qrî·ï<¢ô î2ï:Øô Øð6qrqrô Ùî·ï9ô ‘ð/ô ’ð.î·ï7Bô ªô «ðHî·ï5xô ð5î·ï0_tî2î2ï-zrô ÐðYî·ï+¯ô ð2î·ï&–uî2î2ï#±rô ®ô ¯ðUî·ï!æô ¾ð7qrô ¿î·ï ô ‡qrð>ô ˆî·ïQô ¨ð9ô ©ð"î·ï‡ô Ûqrð$ô Üð(î·ï¼ô £ô ¤ðDî·ïñô •qrô –ð$î·ï'ô Òð!ô Óð9î·ï\ô ±ð^î·ï‘ô ‡ð@ô ˆð"î·ïÇô ð>î2ïüô ÅðIô Æî·ï2ô ìðTô íî·ïgô «ðUô ¬î·ï
œô ±ð!ô ²ðAÿ       	¸    ü
U=ç^­%                                                                                                                                                                                                                                                                                                                                                                                                                                                      PUPWATCH2these packets when you let it continue.  If you type an "h", Pupwatch will prompt you for a newhost name;  if you successfully give it a new host name, Pupwatch will re-initialise itself and watchfor packets to or from that host.  If you type "q" Pupwatch will terminate (returning to the disk ornet executive as appropriate).If you type an "s", Pupwatch will enter "slow" mode.  In this mode it will wait for you to typea space after every 40 packets (so that packets don't go by faster than you can read them).  If youtype an "f", Pupwatch will leave "slow" mode and return to the default "fast" mode.  If you typean "r", Pupwatch will replay buffered packets.  Pupwatch retains at least the previous 150 packets,and up to 300.  While replaying, Pupwatch is still receiving and buffering incoming packets (subjectto not getting more than 150 packets ahead of the one being displayed).  Using the "r" commandcauses Pupwatch to enter "slow" mode as if you had also given the "s" command.If you type a "w" (and you are not running Pupwatch.boot), it will write a log of the bufferedpackets to the disk file "Pupwatch.log".  The first use of this command commences writing at thestart of Pupwatch.log; subsequent uses of this command during a single run of Pupwatch append tothe file.  Multiple uses of the "w" command will not cause a packet to be written to the file morethan once.  The details of the text written to the file for each packet are described below.Pupwatch.log is formatted with the assumption that you will look at it with a fixed pitch font.Printing it with Empress.run and the default font (Gacha 8) works well.2.2.CedarThe operations available when running under Cedar are basically the same as under Alto-Mesa.Instead of being invoked by keyboard commands, they are invoked by buttons.  When it starts upunder Cedar. Pupwatch initializes itself to watch the host that it is running on.  You can change thehost being watched by typing a host name or address constant in the text area following the "Host:"label then clicking "New Host".  Click the "Pause" button to cause Pupwatch to stop displayingpackets;  this also causes the "Pause" button to change into a "Continue" button.  The "Fast" and"Slow" buttons allow you to flip between "fast" and "slow" mode;  the current mode is indicatedby its button being gray.  When Pupwatch pauses in "slow" mode, the "Pause" button changes intoa "Continue" button.  The "Write Log" button writes (or appends to) the disk log file;  a viewerfor the log file is created if necessary.Two extra switches are available under Cedar.  The "Yes" and "No" buttons following the"Broadcasts:" label control whether or not to display broadcast packets that would be received bythe host being watched.  The "Normal" and "Background" buttons following the "Priority:" labelcontrol the priority of the process that displays packets;  using background causes less perturbationto processes on the machine where Pupwatch is running, but may cause the display process to getfar enough behind that it misses packets.  The current state of the "Broadcasts" and "Priority"decisions is indicated by the appropriate button being gray.Closing the Pupwatch viewer has no effect on Pupwatch's state;  it continues as if it was open.Destroying the Pupwatch viewer takes your machine out of promiscuous mode.  It isn't sensible torun two instances of Pupwatch at one time.3.Displayed PacketsEach packet displayed occupies a single line.  Typical lines might look like:1234: from 60#354#234 [aData,to:37064,L:52]   as??ghjkÿ                    î&Ñïfñr qîG?r î·ïbô ›ð4ô œð+î·ï`Sô 	ô ð[î·ï^‰ô Œð2ô ð2î·ï\¾ô î2ïZóô ‰ð=ô Šð"î·ïY)ô ”ðOô •î·ïW^ô ˜ð7ô ™ð)î·ïU”ô —ð8ô ˜ð+î·ïSÉô ‡ð<ô ˆð(î·ïQþô ›ð^î·ïP4ô ðNî2ïNiô ’ð"ô “ð<î·ïLžô ŸðGô  î·ïJÔô ˆð]ô ‰î·ïI	ô ”ðIô •î·ïG?ô æðKô çî·ïEtô ÂðFô Ãî·ïC©ô ðGî·ï>uî2î2ï;«rô Šð+ô ‹ð1î·ï9áô —ð.ô ˜ð0î·ï8ô …ð5ô †ð0î·ï6Kô ð#ô ‚ð@î·ï4ô ®ð&ô ¯ð8î·ï2¶ô ’ð-ô “ð4î·ï0ìô ›ð_î·ï/!ô ˆð/ô ‰ð0î·ï-Vô ŸðPô  î·ï+Œô ð)î2ï)Áô ÀðSô Áî·ï'÷ô ¡ð?ô ¢ð"î·ï&,ô ¡ô ¢ðGî·ï$aô “ðAô ”ð$î·ï"—ô œð>ô ð!î·ï Ìô Àð*ô Áð5î·ïô ð<î2ï7ô ’ô “ð@î·ïlô •ô –ðRî·ï¢ô ð*î·ïˆtî2î2ï¤rðMî(ïâvô ¬ð6       ì    ·¿>çYL@                                                                                                                                                                                                                                                                                                                                                                                                PUPWATCH340:     to 60#354#234 [ack,to:37014,pups:5]123s: from 3#14#532   [mailCheckL,Birrell.PA]The first number is the number of milliseconds that elapsed between receiving the previouspacket and receiving this one.  If this number would be greater than 9999, it is displayed as thenumber of seconds (for example "123s").  Intervals greater than 999 seconds are given as "long".The time interval is in decimal;  all other numbers in Pupwatch are in octal.  The clock used forthis interval timing has a period of about 42 minutes; wrap-around of this clock is not detected.The time is followed by either "from" or "to" then an address of the form "a#b#c", where"a#b#" is the source or destination host of the packet (the destination or source is the host thatyou are watching), and "c" is the bottom 8 bits of the corresponding socket number.  Then insquare brackets is a summary of the packet.  The summary always starts with the packet type, thenhas various details depending on the type.  For many packets, the number of data bytes in thepacket is given in the form "L:123".  For packets involved in the PUP Byte Stream Protocol, thesedetails include the bottom 16 bits of the sequence number at which this packet ends.  For packets oftype "data" or "aData", the packet summary is followed by the first few characters from the datapart of the packet (with non-printing characters replaced by "?").4.Logged PacketsWhen you use the "w" command, Pupwatch writes three lines to the log for each presentlybuffered packet that hasn't so far been logged.  Typical lines might look like:1234: from 60#354#234 [aData,to:37064,L:52] ID=432,37012 from=554,16234 to=6642,123                                            as<0><1>ghjkeirukhfiekrhfg<15>pierutyzx                                            141 163 0 1 145 150 152 153 145 151 162The first line contains the time interval, the source or destination, and the packet summary asgiven for displayed packets.  The remainder of the first line contains the PUP packet ID, sourcesocket number and destination socket number, each written as a pair of 16 bit octal numbers.  Thesecond line contains up to the first 50 characters of the data part of the packet, with non-printingcharacters replaced by "<octal-number>".  The third line contains up to the first 25 data bytes ofthe packet as octal numbers.5.LimitationsPupwatch can buffer up to 300 packets, although it will only buffer up to 150 packets ahead ofthe one currently being displayed (to ensure that the "replay" facility works).  If it runs out ofbuffering space and this might cause it to ignore a packet to or from the host being watched, thenthe message "Packet(s) lost" is displayed (or logged) when that point in the packet sequence isreached.  On an Alto (or Alto emulator), although Pupwatch's Ethernet driver tries hard to avoidmissing packets it will occasionally miss packets that are successfully received by other hosts(because Pupwatch must inspect every packet on the local Ethernet).  Pupwatch does not detect thishappening.  Running under Cedar, the Ethernet driver should see all packets, unless insufficientprocessor time is available to it.  When Pupwatch is running under Cedar to watch the host it isrunning on, Pupwatch guarantees to see all packets received by the Pup socket level or Cedar's RPCruntime.  Pupwatch will not receive PUP packets having more than 532 data bytes.6.Released Versions                                                                                                                                                                  î&Ñïfñr qîG?r î(ïbAvô ¬ð+î(ï`½ð-î2ï]ûrô »ô ¼ð<î·ï\1ô «ð7ô ¬ð*î·ïZfô ¦ðOô §î·ïXœô Ÿð3ô  ð.î·ïVÑô ¯ðaî·ïUô Êð2ô Ëð&î·ïS<ô ð/ô žð3î·ïQqô ¼ð\î·ïO§ô ð?ô ð"î·ïMÜô ¶ô ·ð@î·ïLô —ð$ô ˜qrî·ïJGô €ð9ô urî·ïH|ô ¡ðWô ¢î·ïF²ô ðBî·ïA˜tî2î2ï>³rô ·ô ¸ðKî·ï<éô ðOî­ï:'vô ¬ðSî­ï8£ðSî­ï7ðSî2ï4^rô žðMô Ÿî·ï2“ô ºðFô »qrqrî·ï0Èô ðaî·ï.þô žðJô Ÿî·ï-3ô ¥ðGô ¦î·ï+iô î·ï&Otî2
î2ï#jrô ŒðIô î·ï! ô ¸ð!ô ¹ðAî·ïÕô ”ô •ðDî·ïô ¿ô Àð@î·ï@ô ¤ô ¥ðHî·ïuô èðPô éî·ï«ô ‹urô Œð>î·ïàô ´ô µð@î·ïô ¦ð1ô §ð/î·ïKô ð2ô ‚ð0î·ï€ô ð$qrð)î·ïgtî2ÿ       ^    · >ç[ë9                                                                                                                                                                                                                                                                                                                                                                                                              PUPWATCH4Pupwatch is available in four versions:  Pupwatch.boot, Pupwatch.run, Pupwatch.bcd andPupwatch.df.  Each version has its advantages.  Pupwatch.boot is network bootable on Altos (orAlto emulators), but it does not have the disk logging facility.  Pupwatch.run needs to be invokedfrom the Alto disk executive.  Pupwatch.bcd runs on Altos and is much smaller than Pupwatch.run,but you need to have Runmesa.run and Mesa.image on your disk.  Use Pupwatch.df to runPupwatch under Cedar.Pupwatch.boot is installed on the Ivy boot server;  on network 3, it may be booted by namefrom the network executive, or by booting an Alto while holding down the "backspace" and "L"keys.  The availability of Pupwatch.boot on other networks depends on it being installed there bygateway or IFS administrators.  Pupwatch is boot file number 40;  it may be copied from[Ivy]<System>Boot>40-Pupwatch.boot.  The other Alto versions may be copied from[Indigo]<Grapevine>Pupwatch>Pupwatch.run and Pupwatch.bcd.  The Cedar version can beobtained by using Bringover to fetch the public file from [Indigo]<Cedar>Top>Pupwatch.df.7.MaintenancePupwatch will be maintained at a leisurely pace for as long as it is useful to CSL.  If you havecomments, suggestions (including requests for interpretation of extra protocols) or bug reports, senda message to LaurelSupport.pa.Last edit:  July 12, 1982  3:22 PMÿ                                                                                                                                                          î&Ñïfñr qîG?r î2ïbô òðVî·ï`Sô ¶ô ·ðQî·ï^‰ô œð.ô ð4î·ï\¾ô ‰ô ŠðBî·ïZóô ÞðQô ßî·ïY)ô î2ïW^ô ¦ðKô §î·ïU”ô ¦ðXô §î·ïSÉô  ðEô ¡î·ïQþô ò
qrð'ô óð"î·ïP4ô¢ð(ô£ð'î·ïNiô2ðMô3î·ïLžô ðYî·ïG…tî2
î2ïD rô •ðOqrô –î·ïBÖô Œð-ô ð8î·ïAô î·ï;òt	r       f    ·;«=ç,` ”                                                                                                                                                                                                                           
TIMESROMAN               
TIMESROMAN                
TIMESROMAN            
    LOGO                      
TIMESROMAN           
    
TIMESROMAN           
    GACHA                                                                                                                                                                                                                                                                                                                         Û    	 À    	 Ç     l   ÿÿ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        j/       ™Zi  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿPupwatch.bravo                                     
Birrell.pa                     July 12, 1982  3:32 PM                                                                                                                                                     