man: reformat all man pages

- use .TP for option and example labels
- use .BR for references to other manpages, also in description texts
- highlight options using .B in description texts
- misc. cleanups

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

7 files changed, 669 insertions, 581 deletions

diff --git a/astraceroute.8 b/astraceroute.8
index aedf730..fc999aa 100644
--- a/astraceroute.8
+++ b/astraceroute.8
@@ -7,7 +7,7 @@ astraceroute \- autonomous system trace route utility
 .PP
 .SH SYNOPSIS
 .PP
-\fBastraceroute\fR [\fIoptions\fR]
+\fBastraceroute\fP [\fIoptions\fP]
 .PP
 .SH DESCRIPTION
 astraceroute is a small utility to retrieve path information in a traceroute
@@ -29,133 +29,133 @@ keywords. This tool might be a good start for further in-depth analysis of such
 systems.
 .PP
 .SH OPTIONS
-.PP
-.SS -H <host>, --host <host>
+.TP
+.B -H <host>, --host <host>
 Hostname or IPv4 or IPv6 address of the remote host where the AS route should
-be traced to. In the case of an IPv6 address or host, option ''\-6'' must be
+be traced to. In the case of an IPv6 address or host, option \fB-6\fP must be
 used. IPv4 is the default.
-.PP
-.SS -p <port>, --port <port>
+.TP
+.B -p <port>, --port <port>
 TCP port for the remote host to use. If not specified, the default
 port used is 80.
-.PP
-.SS -i <device>, -d <device>, --dev <device>
+.TP
+.B -i <device>, -d <device>, --dev <device>
 Networking device to start the trace route from, e.g. eth0, wlan0.
-.PP
-.SS -b <IP>, --bind <IP>
+.TP
+.B -b <IP>, --bind <IP>
 IP address to bind to other than the network device's address. You must specify
-\-6 for an IPv6 address.
-.PP
-.SS -f <ttl>, --init-ttl <ttl>
+\fB-6\fP for an IPv6 address.
+.TP
+.B -f <ttl>, --init-ttl <ttl>
 Initial TTL value to be used. This option might be useful if you are not
 interested in the first n hops, but only the following ones. The default
 initial TTL value is 1.
-.PP
-.SS -m <ttl>, --max-ttl <ttl>
+.TP
+.B -m <ttl>, --max-ttl <ttl>
 Maximum TTL value to be used. If not otherwise specified, the maximum
 TTL value is 30. Thus, after this has been reached astraceroute exits.
-.PP
-.SS -q <num>, --num-probes <num>
+.TP
+.B -q <num>, --num-probes <num>
 Specifies the number of queries to be done on a particular hop. The
 default is 2 query requests.
-.PP
-.SS -x <sec>, --timeout <sec>
+.TP
+.B -x <sec>, --timeout <sec>
 Tells astraceroute the probe response timeout in seconds, in other words
 the maximum time astraceroute must wait for an ICMP response from the current
 hop. The default is 3 seconds.
-.PP
-.SS -X <string>, --payload <string>
+.TP
+.B -X <string>, --payload <string>
 Places an ASCII cleartext string into the packet payload. Cleartext that
 contains whitespace must be put into quotes (e.g.: "censor me").
-.PP
-.SS -l <len>, --totlen <len>
+.TP
+.B -l <len>, --totlen <len>
 Specifies the total length of the packet. Payload that does not have a
 cleartext string in it is padded with random garbage.
-.PP
-.SS -4, --ipv4
+.TP
+.B -4, --ipv4
 Use IPv4 only requests. This is the default.
-.PP
-.SS -6, --ipv6
+.TP
+.B -6, --ipv6
 Use IPv6 only requests. This must be used when passing an IPv6 host as an
 argument.
-.PP
-.SS -n, --numeric
+.TP
+.B -n, --numeric
 Tells astraceroute to not perform reverse DNS lookup for hop replies. The
-reverse option is ''\-N''.
-.PP
-.SS -u, --update
+reverse option is \fB-N\fP.
+.TP
+.B -u, --update
 The built-in geo-database update mechanism will be invoked to get Maxmind's
 latest version. To configure search locations for databases, the file
 /etc/netsniff-ng/geoip.conf contains possible addresses. Thus, to save bandwidth
 or for mirroring Maxmind's databases (to bypass their traffic limit policy),
 different hosts or IP addresses can be placed into geoip.conf, separated by
 a newline.
-.PP
-.SS -L, --latitude
+.TP
+.B -L, --latitude
 Also show latitude and longitude of hops.
-.PP
-.SS -N, --dns
+.TP
+.B -N, --dns
 Tells astraceroute to perform reverse DNS lookup for hop replies. The
-reverse option is ''\-n''.
-.PP
-.SS -S, --syn
+reverse option is \fB-n\fP.
+.TP
+.B -S, --syn
 Use TCP's SYN flag for the request.
-.PP
-.SS -A, --ack
+.TP
+.B -A, --ack
 Use TCP's ACK flag for the request.
-.PP
-.SS -F, --fin
+.TP
+.B -F, --fin
 Use TCP's FIN flag for the request.
-.PP
-.SS -P, --psh
+.TP
+.B -P, --psh
 Use TCP's PSH flag for the request.
-.PP
-.SS -U, --urg
+.TP
+.B -U, --urg
 Use TCP's URG flag for the request.
-.PP
-.SS -R, --rst
+.TP
+.B -R, --rst
 Use TCP's RST flag for the request.
-.PP
-.SS -E, --ecn-syn
+.TP
+.B -E, --ecn-syn
 Use TCP's ECN flag for the request.
-.PP
-.SS -t <tos>, --tos <tos>
+.TP
+.B -t <tos>, --tos <tos>
 Explicitly specify IP's TOS.
-.PP
-.SS -G, --nofrag
+.TP
+.B -G, --nofrag
 Set IP's no fragmentation flag.
-.PP
-.SS -Z, --show-packet
+.TP
+.B -Z, --show-packet
 Show and dissect the returned packet.
-.PP
-.SS -v, --version
+.TP
+.B -v, --version
 Show version information and exit.
-.PP
-.SS -h, --help
+.TP
+.B -h, --help
 Show user help and exit.
 .PP
 .SH USAGE EXAMPLE
-.PP
-.SS astraceroute -i eth0 -N -S -H netsniff-ng.org
+.TP
+.B astraceroute -i eth0 -N -S -H netsniff-ng.org
 This sends out a TCP SYN probe via the ''eth0'' networking device to the
 remote IPv4 host netsniff-ng.org. This request is most likely to pass. Also,
 tell astraceroute to perform reverse DNS lookups for each hop.
-.PP
-.SS astraceroute -6 -i eth0 -S -E -N -H www.6bone.net
+.TP
+.B astraceroute -6 -i eth0 -S -E -N -H www.6bone.net
 In this example, a TCP SYN/ECN probe for the IPv6 host www.6bone.net is being
 performed. Also in this case, the ''eth0'' device is being used as well as a
 reverse DNS lookup for each hop.
-.PP
-.SS astraceroute -i eth0 -N -F -H netsniff-ng.org
+.TP
+.B astraceroute -i eth0 -N -F -H netsniff-ng.org
 Here, we send out a TCP FIN probe to the remote host netsniff-ng.org. Again,
 on each hop a reverse DNS lookup is being done and the queries are transmitted
 from ''eth0''. IPv4 is used.
-.PP
-.SS astraceroute -i eth0 -N -FPU -H netsniff-ng.org
+.TP
+.B astraceroute -i eth0 -N -FPU -H netsniff-ng.org
 As in most other examples, we perform a trace route to IPv4 host netsniff-ng.org
 and do a TCP Xmas probe this time.
-.PP
-.SS astraceroute -i eth0 -N -H netsniff-ng.org -X "censor-me" -Z
+.TP
+.B astraceroute -i eth0 -N -H netsniff-ng.org -X "censor-me" -Z
 In this example, we have a Null probe to the remote host netsniff-ng.org, port
 80 (default) and this time, we append the cleartext string "censor-me" into the
 packet payload to test if a firewall or DPI will let this string pass. Such a trace
@@ -173,8 +173,8 @@ http://bgp.he.net/AS<number>.
 .SH BUGS
 The geographical locations are estimated with the help of Maxmind's GeoIP
 database and can differ from the real physical location. To decrease the
-possible errors, update the database regularly using astraceroute's \-\-update
-option.
+possible errors, update the database regularly using astraceroute's
+\fB--update\fP option.
 .PP
 At some point in time, we need a similar approach to gather more reliable path
 information such as in the paris-traceroute tool.
diff --git a/bpfc.8 b/bpfc.8
index 3456e1e..d14d977 100644
--- a/bpfc.8
+++ b/bpfc.8
@@ -7,7 +7,7 @@ bpfc \- a Berkeley Packet Filter assembler and compiler
 .PP
 .SH SYNOPSIS
 .PP
-\fBbpfc\fR { [\fIoptions\fR] | [\fIsource-file\fR] }
+\fBbpfc\fP { [\fIoptions\fP] | [\fIsource-file\fP] }
 .PP
 .SH DESCRIPTION
 .PP
@@ -15,8 +15,9 @@ bpfc is a small Berkeley Packet Filter assembler and compiler which is able to
 translate BPF assembler-like mnemonics into a numerical or C-like format,
 that can be read by tools such as netsniff-ng, iptables (xt_bpf) and many
 others. BPF is the one and only upstream filtering construct that is used
-in combination with packet(7) sockets, but also seccomp-BPF for system call
-sandboxing.
+in combination with
+.BR packet (7)
+sockets, but also seccomp-BPF for system call sandboxing.
 .PP
 The Linux kernel and also BSD kernels implement "virtual machine" like
 constructs and JIT compilers that mimic a small register-based machine in
@@ -29,22 +30,27 @@ application in other areas such as in the communication between user and
 kernel space like system call sand-boxing.
 .PP
 At the time of writing this man page, the only other available BPF compiler
-is part of the pcap(3) library and accessible through a high-level filter
-language that might be familiar to many people as tcpdump-like filters.
+is part of the
+.BR pcap (3)
+library and accessible through a high-level filter language that might be
+familiar to many people as tcpdump-like filters.
 .PP
 However, it is quite often useful to bypass that compiler and write
-optimized code that cannot be produced by the pcap(3) compiler, or is
-wrongly optimized, or is defective on purpose in order to debug test kernel
-code. Also, a reason to use bpfc could be to try out some new BPF extensions
-that are not supported by other compilers. Furthermore, bpfc can be useful
-to verify JIT compiler behavior or to find possible bugs that need
-to be fixed.
-.PP
-bpfc is implemented with the help of flex(1) and bison(1), tokenizes the
-source file in the first stage and parses its content into an AST. In two
-code generation stages it emits target opcodes. bpfc furthermore supports
-Linux kernel BPF extensions. More about that can be found in the syntax
-section.
+optimized code that cannot be produced by the
+.BR pcap (3)
+compiler, or is wrongly optimized, or is defective on purpose in order to debug
+test kernel code. Also, a reason to use bpfc could be to try out some new BPF
+extensions that are not supported by other compilers. Furthermore, bpfc can be
+useful to verify JIT compiler behavior or to find possible bugs that need to be
+fixed.
+.PP
+bpfc is implemented with the help of
+.BR flex (1)
+and
+.BR bison (1),
+tokenizes the source file in the first stage and parses its content into an AST.
+In two code generation stages it emits target opcodes. bpfc furthermore supports
+Linux kernel BPF extensions. More about that can be found in the syntax section.
 .PP
 The Linux kernel BPF JIT compiler is automatically turned on if detected
 by netsniff-ng. However, it can also be manually turned on through the
@@ -56,38 +62,38 @@ source tree under ''tools/net/bpf_jit_disasm.c'' or within the netsniff-ng
 Git repository.
 .PP
 .SH OPTIONS
-.PP
-.SS -i <source-file/->, --input <source-file/->
+.TP
+.B -i <source-file/->, --input <source-file/->
 Read BPF assembly instruction from an input file or from stdin.
-.PP
-.SS -p, --cpp
+.TP
+.B -p, --cpp
 Pass the bpf program through the C preprocessor before reading it in
 bpfc. This allows #define and #include directives (e.g. to include
 definitions from system headers) to be used in the bpf program.
-.PP
-.SS -D <name>=<definition>, --define <name>=<definition>
+.TP
+.B -D <name>=<definition>, --define <name>=<definition>
 Add macro definition for the C preprocessor to use it within bpf file. This
-option is used in combination with the -p,--cpp option.
-.PP
-.SS -f <format>, --format <format>
+option is used in combination with the \fB-p\fP/\fB--cpp\fP option.
+.TP
+.B -f <format>, --format <format>
 Specify a different output format than the default that is netsniff-ng
 compatible. The <format> specifier can be: C, netsniff-ng, xt_bpf, tcpdump.
-.PP
-.SS -b, --bypass
+.TP
+.B -b, --bypass
 Bypass basic filter validation when emitting opcodes. This can be useful
 for explicitly creating malformed BPF expressions for injecting
 into the kernel, for example, for bug testing.
-.PP
-.SS -V, --verbose
+.TP
+.B -V, --verbose
 Be more verbose and display some bpfc debugging information.
-.PP
-.SS -d, --dump
+.TP
+.B -d, --dump
 Dump all supported instructions to stdout.
-.PP
-.SS -v, --version
+.TP
+.B -v, --version
 Show version information and exit.
-.PP
-.SS -h, --help
+.TP
+.B -h, --help
 Show user help and exit.
 .PP
 .SH SYNTAX
@@ -230,20 +236,20 @@ Used Abbreviations:
 .PP
 In this section, we give a couple of examples of bpfc source files, in other
 words, some small example filter programs:
-.PP
-.SS Only return packet headers (truncate packets):
+.TP
+.B Only return packet headers (truncate packets):
 .PP
   ld poff
   ret a
-.PP
-.SS Only allow ARP packets:
+.TP
+.B Only allow ARP packets:
 .PP
   ldh [12]
   jne #0x806, drop
   ret #-1
   drop: ret #0
-.PP
-.SS Only allow IPv4 TCP packets:
+.TP
+.B Only allow IPv4 TCP packets:
 .PP
   ldh [12]
   jne #0x800, drop
@@ -251,8 +257,8 @@ words, some small example filter programs:
   jneq #6, drop
   ret #-1
   drop: ret #0
-.PP
-.SS Only allow IPv4 TCP SSH traffic:
+.TP
+.B Only allow IPv4 TCP SSH traffic:
 .PP
   ldh [12]
   jne #0x800, drop
@@ -267,8 +273,8 @@ words, some small example filter programs:
   jne #0x16, drop
   pass: ret #-1
   drop: ret #0
-.PP
-.SS A loadable x86_64 seccomp-BPF filter to allow a given set of syscalls:
+.TP
+.B A loadable x86_64 seccomp-BPF filter to allow a given set of syscalls:
 .PP
   ld [4]                  /* offsetof(struct seccomp_data, arch) */
   jne #0xc000003e, bad    /* AUDIT_ARCH_X86_64 */
@@ -285,22 +291,22 @@ words, some small example filter programs:
   jeq #35, good           /* __NR_nanosleep */
   bad: ret #0             /* SECCOMP_RET_KILL */
   good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */
-.PP
-.SS Allow any (hardware accelerated) VLAN:
+.TP
+.B Allow any (hardware accelerated) VLAN:
 .PP
   ld vlanp
   jeq #0, drop
   ret #-1
   drop: ret #0
-.PP
-.SS Only allow traffic for (hardware accelerated) VLAN 10:
+.TP
+.B Only allow traffic for (hardware accelerated) VLAN 10:
 .PP
   ld vlant
   jneq #10, drop
   ret #-1
   drop: ret #0
-.PP
-.SS More pedantic check for the above VLAN example:
+.TP
+.B More pedantic check for the above VLAN example:
 .PP
   ld vlanp
   jeq #0, drop
@@ -308,8 +314,8 @@ words, some small example filter programs:
   jneq #10, drop
   ret #-1
   drop: ret #0
-.PP
-.SS Filter rtnetlink messages
+.TP
+.B Filter rtnetlink messages:
 .PP
   ldh #proto       /* A = skb->protocol */
 
@@ -334,25 +340,27 @@ words, some small example filter programs:
   skip: ret #0
 .PP
 .SH USAGE EXAMPLE
-.PP
-.SS bpfc fubar
+.TP
+.B bpfc fubar
 Compile the source file ''fubar'' into BPF opcodes. Opcodes will be
 directed to stdout.
-.PP
-.SS bpfc -f xt_bpf -b -p -i fubar, resp. iptables -A INPUT -m bpf --bytecode "`bpfc -f xt_bpf -i fubar`" -j LOG
+.TP
+.B bpfc -f xt_bpf -b -p -i fubar, resp. iptables -A INPUT -m bpf --bytecode "`bpfc -f xt_bpf -i fubar`" -j LOG
 Compile the source file ''fubar'' into BPF opcodes, bypass basic filter
 validation and emit opcodes in netfilter's xt_bpf readable format. Note
 that the source file ''fubar'' is first passed to the C preprocessor for
 textual replacements before handing over to the bpfc compiler.
-.PP
-.SS bpfc -
+.TP
+.B cat fubar | bpfc -
 Read bpfc instruction from stdin and emit opcodes to stdout.
-.PP
-.SS bpfc foo > bar, resp. netsniff-ng -f bar ...
+.TP
+.B bpfc foo > bar && netsniff-ng -f bar ...
 Compile filter instructions from file foo and redirect bpfc's output into
-the file bar, that can then be read by netsniff-ng(8) through option \-f.
-.PP
-.SS bpfc -f tcpdump -i fubar
+the file bar, that can then be read by
+.BR netsniff-ng (8)
+through option \fB-f\fP.
+.TP
+.B bpfc -f tcpdump -i fubar
 Output opcodes from source file fubar in the same behavior as ''tcpdump \-ddd''.
 .PP
 .SH LEGAL
diff --git a/curvetun.8 b/curvetun.8
index e90ea53..2b2cb25 100644
--- a/curvetun.8
+++ b/curvetun.8
@@ -7,12 +7,14 @@ curvetun \- a lightweight curve25519 ip4/6 tunnel
 .PP
 .SH SYNOPSIS
 .PP
-\fBcurvetun\fR [\fIoptions\fR]
+\fBcurvetun\fP [\fIoptions\fP]
 .PP
 .SH DESCRIPTION
 curvetun is a lightweight, high-speed ECDH multiuser IP tunnel for Linux
-that is based on epoll(2). curvetun uses the Linux TUN/TAP interface and
-supports {IPv4, IPv6} over {IPv4, IPv6} with UDP or TCP as carrier protocols.
+that is based on
+.BR epoll (2).
+curvetun uses the Linux TUN/TAP interface and supports {IPv4, IPv6} over {IPv4,
+IPv6} with UDP or TCP as carrier protocols.
 .PP
 It has an integrated packet forwarding tree, thus multiple users with
 different IPs can be handled via a single tunnel device on the server side,
@@ -48,83 +50,83 @@ Telex, anti-censorship in the network infrastructure
 .RE
 .PP
 .SH OPTIONS
-.PP
-.SS -d <tundev>, --dev <tundev>
+.TP
+.B -d <tundev>, --dev <tundev>
 Defines the name of the tunnel device that is being created. If this option
 is not set, then the default names, curves{0,1,2,..} for a curvetun server,
 and curvec{0,1,2,...} for a curvetun client are used.
-.PP
-.SS -p <num>, --port <num>
+.TP
+.B -p <num>, --port <num>
 Defines the port the curvetun server should listen on. There is no default port
 for curvetun, so setting this option for server bootstrap is mandatory. This
 option is for servers only.
-.PP
-.SS -t <server>, --stun <server>
+.TP
+.B -t <server>, --stun <server>
 If needed, this options enables an STUN lookup in order to show public IP to port
 mapping and to punch a hole into the firewall. In case you are unsure what STUN
 server to use, simply use ''\-\-stun stunserver.org''.
-.PP
-.SS -c[=alias], --client[=alias]
+.TP
+.B -c[=alias], --client[=alias]
 Starts curvetun in client mode and connects to the given connection alias that is
 defined in the configuration file.
-.PP
-.SS -k, --keygen
+.TP
+.B -k, --keygen
 Generate private and public keypair. This must be done initially.
-.PP
-.SS -x, --export
+.TP
+.B -x, --export
 Export user and key combination to stdout as a one-liner.
-.PP
-.SS -C, --dumpc
+.TP
+.B -C, --dumpc
 Dump all known clients that may connect to the local curvetun server and exit.
-.PP
-.SS -S, --dumps
+.TP
+.B -S, --dumps
 Dump all known servers curvetun as a client can connect to, and exit.
-.PP
-.SS -D, --nofork
+.TP
+.B -D, --nofork
 Do not fork off as a client or server on startup.
-.PP
-.SS -s, --server
+.TP
+.B -s, --server
 Start curvetun in server mode. Additional parameters are needed, at least
 the definition of the port that clients can connect to is required.
-.PP
-.SS -N, --no-logging
+.TP
+.B -N, --no-logging
 Disable all curvetun logging of user information. This option can be used to
 enable curvetun users to connect more anonymously. This option is for servers
 only.
-.PP
-.SS -u, --udp
+.TP
+.B -u, --udp
 Use UDP as a carrier protocol instead of TCP. By default, TCP is the
 carrier protocol. This option is for servers only.
-.PP
-.SS -4, --ipv4
+.TP
+.B -4, --ipv4
 Defines IPv4 as the underlying network protocol to be used on the tunnel
 device. IPv4 is the default. This option is for servers only.
-.PP
-.SS -6, --ipv6
+.TP
+.B -6, --ipv6
 Defines IPv6 as the underlying network protocol to be used on the tunnel
 device. This option is for servers only.
-.PP
-.SS -v, --version
+.TP
+.B -v, --version
 Show version information and exit.
-.PP
-.SS -h, --help
+.TP
+.B -h, --help
 Show user help and exit.
 .PP
 .SH USAGE EXAMPLE
-.PP
-.SS curvetun --server -4 -u -N --port 6666 --stun stunserver.org
+.TP
+.B curvetun --server -4 -u -N --port 6666 --stun stunserver.org
 Starts curvetun in server mode with IPv4 as network protocol and UDP as a transport
 carrier protocol. The curvetun server listens for incoming connections on port 6666
 and performs an STUN lookup on startup to stunserver.org.
-.PP
-.SS curvetun --client=ethz
+.TP
+.B curvetun --client=ethz
 Starts curvetun in client mode and connects to the defined connection alias ''ethz''
 that is defined in the curvetun ~/.curvetun/servers configuration file.
-.PP
-.SS curvetun --keygen
+.TP
+.B curvetun --keygen
 Generates initial keypairs and stores them in the ~/.curvetun/ directory.
-.PP
-.SS curvetun --export
+.TP
+.B curvetun --export
 Export user data to stdout for configuration of a curvetun server.
 .PP
 .SH CRYPTOGRAPHY
diff --git a/flowtop.8 b/flowtop.8
index 27ba22c..5ffeed7 100644
--- a/flowtop.8
+++ b/flowtop.8
@@ -7,7 +7,7 @@ flowtop \- top-like netfilter TCP/UDP/SCTP/DCCP/ICMP(v6) flow tracking
 .PP
 .SH SYNOPSIS
 .PP
-\fBflowtop\fR { [\fIoptions\fR] }
+\fBflowtop\fP { [\fIoptions\fP] }
 .PP
 .SH DESCRIPTION
 .PP
@@ -43,7 +43,8 @@ The following information will be presented in flowtop's output:
 .PP
 In order for flowtop to work, netfilter must be active and running
 on your machine, thus kernel-side connection tracking is active. If netfilter
-is not running, you can activate it with iptables(8):
+is not running, you can activate it with
+.BR iptables (8):
 .in +4
 .sp
 iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
@@ -59,8 +60,9 @@ modprobe nf_conntrack_ipv4
 modprobe nf_conntrack_ipv6
 .in -4
 .PP
-To dump byte/packet counters flowtop enables the sysctl(8) parameter
-\[lq]net.netfilter.nf_conntrack_acct\[rq] via:
+To dump byte/packet counters flowtop enables the
+.BR sysctl (8)
+parameter \fBnet.netfilter.nf_conntrack_acct\fP via:
 .in +4
 .sp
 echo 1 > /proc/sys/net/netfilter/nf_conntrack_acct
@@ -69,11 +71,15 @@ echo 1 > /proc/sys/net/netfilter/nf_conntrack_acct
 and resets it to the previously set value on exit. These counters will only be
 active on connections which were created after accounting was enabled. Thus, to
 have these counters be active all the time the parameter should be enabled after
-the system is up. To automatically enable it, sysctl.conf(8) or sysctl.d(8)
+the system is up. To automatically enable it,
+.BR sysctl.conf (8)
+or
+.BR sysctl.d (8)
 might be used.
 .PP
-To calculate the connection duration flowtop enables the sysctl(8) parameter
-\[lq]net.netfilter.nf_conntrack_timestamp\[rq] via:
+To calculate the connection duration flowtop enables the
+.BR sysctl (8)
+parameter \fBnet.netfilter.nf_conntrack_timestamp\fP via:
 .in +4
 .sp
 echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
@@ -82,72 +88,73 @@ echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp
 and resets it to the previously set value on exit.
 .PP
 flowtop's intention is just to get a quick look over your active connections.
-If you want logging support, have a look at netfilter's conntrack(8) tools
-instead.
+If you want logging support, have a look at netfilter's
+.BR conntrack (8)
+tools instead.
 .PP
 .SH OPTIONS
-.PP
-.SS -4, --ipv4
+.TP
+.B -4, --ipv4
 Display IPv4 flows. That is the default when flowtop is started without
 any arguments.
-.PP
-.SS -6, --ipv6
+.TP
+.B -6, --ipv6
 Display IPv6 flows. That is the default when flowtop is started without
 any arguments.
-.PP
-.SS -T, --tcp
+.TP
+.B -T, --tcp
 Display TCP flows. That is the default when flowtop is started without
 any arguments.
-.PP
-.SS -U, --udp
+.TP
+.B -U, --udp
 Display UDP and UDP-lite flows.
-.PP
-.SS -D, --dccp
+.TP
+.B -D, --dccp
 Display DCCP flows.
-.PP
-.SS -I, --icmp
+.TP
+.B -I, --icmp
 Display ICMP version 4 and version 6 flows.
-.PP
-.SS -S, --sctp
+.TP
+.B -S, --sctp
 Display SCTP flows.
-.PP
-.SS -n, --no-dns
+.TP
+.B -n, --no-dns
 Don't perform hostname lookup. Only numeric addresses will be shown for flow
 endpoints.
-.PP
-.SS -G, --no-geoip
+.TP
+.B -G, --no-geoip
 Don't perform GeoIP lookup. No geographical information will be shown for flow
 endpoints.
-.PP
-.SS -s, --show-src
+.TP
+.B -s, --show-src
 Also show source information of the flow, not only destination information.
-.PP
-.SS -b, --bits
+.TP
+.B -b, --bits
 Show flow rates in bits per second instead of bytes per second.
-.PP
-.SS -u, --update
+.TP
+.B -u, --update
 The built-in database update mechanism will be invoked to get Maxmind's
 latest database. To configure search locations for databases, the file
 /etc/netsniff-ng/geoip.conf contains possible addresses. Thus, to save
 bandwidth or for mirroring Maxmind's databases (to bypass their traffic
 limit policy), different hosts or IP addresses can be placed into geoip.conf,
 separated by a newline.
-.PP
-.SS -t <time>, --interval <time>
+.TP
+.B -t <time>, --interval <time>
 Flow info refresh interval in seconds, default is 1s.
-.PP
-.SS -v, --version
+.TP
+.B -v, --version
 Show version information and exit.
-.PP
-.SS -h, --help
+.TP
+.B -h, --help
 Show user help and exit.
 .PP
 .SH USAGE EXAMPLE
-.PP
-.SS flowtop
+.TP
+.B flowtop
 Default ncurses output for flowtop that tracks IPv4, IPv6 flows for TCP.
-.PP
-.SS flowtop -46UTDISs
+.TP
+.B flowtop -46UTDISs
 This example enables the maximum display options for flowtop.
 .PP
 .SH CONFIG FILES
diff --git a/ifpps.8 b/ifpps.8
index b60e7b8..f344cec 100644
--- a/ifpps.8
+++ b/ifpps.8
@@ -22,83 +22,90 @@ an Intel 82566DC-2 Gigabit Ethernet NIC are used for performance evaluation.
 One machine generates 64 byte network packets by using the kernel space
 packet generator pktgen with a maximum possible packet rate. The other
 machine displays statistics about incoming network packets by using i)
-iptraf(8) and ii) ifpps.
-.PP
-iptraf which incorporates pcap(3) shows an average packet rate of
-246,000 pps while on the other hand ifpps shows an average packet rate
-of 1,378,000 pps. Hence, due to packet copies and deferring statistics
-creation into user space, a measurement error of approximately 460 percent
-occurs. Tools like iptraf might display much more information such as
-TCP per flow statistics (hence the use of the pcap library). This is not
-possible with ifpps, because overall networking statistics are its focus;
-statistics, which are also fairly reliable under high packet load.
+.BR iptraf (8)
+and ii) ifpps.
+.PP
+iptraf which incorporates
+.BR pcap (3)
+shows an average packet rate of 246,000 pps while on the other hand ifpps shows
+an average packet rate of 1,378,000 pps. Hence, due to packet copies and
+deferring statistics creation into user space, a measurement error of
+approximately 460 percent occurs. Tools like iptraf might display much more
+information such as TCP per flow statistics (hence the use of the pcap library).
+This is not possible with ifpps, because overall networking statistics are its
+focus; statistics, which are also fairly reliable under high packet load.
 .PP
 ifpps also periodically displays CPU load, interrupt, software interrupt
 data per sample interval as well as total interrupts, all per CPU. In case
 the number of CPUs exceeds 5 or the number specified by the user with the
-\[lq]\-n\[rq] command line option, ifpps will only display this number top
+\fB-n\fP command line option, ifpps will only display this number top
 heavy hitters. The topmost heavy hitter CPU will be marked with \[lq]+\[rq].
 The least heavy hitter will always be displayed and is marked with
 \[lq]-\[rq]. In addition, the average for all the above per-CPU data is
-shown. Optionally the median values can be displayed using the \[lq]\-m\[rq]
+shown. Optionally the median values can be displayed using the \fB-m\fP
 command line option.
 .PP
-ifpps also supports directly the gnuplot(1) data sample format. This
-facilitates creation of gnuplot figures from ifpps time series.
+ifpps also supports directly the
+.BR gnuplot (1)
+data sample format. This facilitates creation of gnuplot figures from ifpps time
+series.
 .PP
 .SH OPTIONS
-.PP
-.SS -d <netdev>, --dev <netdev>
+.TP
+.B -d <netdev>, --dev <netdev>
 Networking device to fetch statistics from, for example eth0, wlan0.
-.PP
-.SS -n, --num-cpus
+.TP
+.B -n, --num-cpus
 Set maximum number of top hitter CPUs (in terms of time spent in system/user
 mode) to display in ncurses mode, default is 10.
-.PP
-.SS -t <time>, --interval <time>
+.TP
+.B -t <time>, --interval <time>
 Statistics refresh interval in milliseconds, default is 1000ms.
-.PP
-.SS -c, --csv
-Output (once) the ncurses data to the terminal as gnuplot(1)-ready data.
-.PP
-.SS -l, --loop
+.TP
+.B -c, --csv
+Output (once) the ncurses data to the terminal as
+.BR gnuplot (1)-ready
+data.
+.TP
+.B -l, --loop
 Continuously output the terminal data after a refresh interval. This option
-is only available if option \[lq]\-c\[rq] is given. For \[lq]\-l\[rq] it is
+is only available if option \fB-c\fP is given. For \fB-l\fP it is
 usually recommended to redirect the output into a file that is to be processed
-later with gnuplot(1).
-.PP
-.SS -m, --median
+later with
+.BR gnuplot (1).
+.TP
+.B -m, --median
 Show median values across all CPUs for CPU load, interrupts (per interval and
 absolute) and software interrupts.
-.PP
-.SS -o, --omit-header
-Omit printing the CSV header. This option is only available if \[lq]\-c\[rq] is given.
-.PP
-.SS -p, --promisc
+.TP
+.B -o, --omit-header
+Omit printing the CSV header. This option is only available if \fB-c\fP is given.
+.TP
+.B -p, --promisc
 Turn on promiscuous mode for the given networking device.
-.PP
-.SS -P, --percentage
+.TP
+.B -P, --percentage
 Show percentage of current throughput in relation to theoretical line rate.
-.PP
-.SS -W, --no-warn
+.TP
+.B -W, --no-warn
 Suppress possible warnings in the ncurses output, e.g. about a too low sampling
 interval that could cause performance regression.
-.PP
-.SS -v, --version
+.TP
+.B -v, --version
 Show version information.
-.PP
-.SS -h, --help
+.TP
+.B -h, --help
 Show user help.
 .PP
 .SH USAGE EXAMPLE
-.PP
-.SS ifpps eth0
+.TP
+.B ifpps eth0
 Default ncurses output for the eth0 device.
-.PP
-.SS ifpps -pd eth0
+.TP
+.B ifpps -pd eth0
 Ncurses output for the eth0 device in promiscuous mode.
-.PP
-.SS ifpps -lpcd wlan0 > plot.dat
+.TP
+.B ifpps -lpcd wlan0 > plot.dat
 Continuous terminal output for the wlan0 device in promiscuous mode.
 .PP
 .SH NOTE
diff --git a/netsniff-ng.8 b/netsniff-ng.8
index d714853..c937978 100644
--- a/netsniff-ng.8
+++ b/netsniff-ng.8
@@ -7,7 +7,7 @@ netsniff-ng \- the packet sniffing beast
 .PP
 .SH SYNOPSIS
 .PP
-\fBnetsniff-ng\fR { [\fIoptions\fR] [\fIfilter-expression\fR] }
+\fBnetsniff-ng\fP { [\fIoptions\fP] [\fIfilter-expression\fP] }
 .PP
 .SH DESCRIPTION
 .PP
@@ -37,8 +37,12 @@ for low-level and high-level packet filters that are translated into Berkeley
 Packet Filter instructions.
 .PP
 netsniff-ng can capture pcap files in several different pcap formats that
-are interoperable with other tools. It has different pcap I/O methods supported
-(scatter-gather, mmap(2), read(2), and write(2)) for efficient to-disc capturing.
+are interoperable with other tools. The following pcap I/O methods are supported
+for efficient to-disc capturing: scatter-gather,
+.BR mmap (2),
+.BR read (2),
+and
+.BR write (2).
 netsniff-ng is also able to rotate pcap files based on data size or time
 intervals, thus, making it a useful backend tool for subsequent traffic
 analysis.
@@ -57,27 +61,30 @@ prevent you from starting multiple netsniff-ng instances that are pinned to
 different, non-overlapping CPUs and f.e. have different BPF filters attached.
 Likely that at some point in time your harddisc might become a bottleneck
 assuming you do not rotate such pcaps in ram (and from there periodically
-scheduled move to slower medias). You can then use mergecap(1) to transform
-all pcaps into a single large pcap. Thus, netsniff-ng then works multithreaded
-eventually.
+scheduled move to slower medias). You can then use
+.BR mergecap (1)
+to transform all pcap files into a single large pcap file. Thus, netsniff-ng
+then works multithreaded eventually.
 .PP
 netsniff-ng can also be used to debug netlink traffic.
 .PP
 .SH OPTIONS
-.PP
-.SS -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|->
+.TP
+.B -i <dev|pcap|->, -d <dev|pcap|->, --in <dev|pcap|->, --dev <dev|pcap|->
 Defines an input device. This can either be a networking device, a pcap file
 or stdin (\[lq]\-\[rq]). In case of a pcap file, the pcap type (\fB\-D\fP
 option) is determined automatically by the pcap file magic. In case of stdin,
 it is assumed that the input stream is a pcap file. If the pcap link type is
 Netlink and pcap type is default format (usec or nsec), then each packet will
 be wrapped with pcap cooked header [2].
-.PP
-.SS -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|->
+.TP
+.B -o <dev|pcap|dir|cfg|->, --out <dev|pcap|dir|cfg|->
 Defines the output device. This can either be a networking device, a pcap file,
-a folder, a trafgen(8) configuration file or stdout (\[lq]-\[rq]). If the output
-device is a pcap or trafgen(8) configuration file, it may include a time format
-as defined by
+a folder, a
+.BR trafgen (8)
+configuration file or stdout (\[lq]-\[rq]). If the output device is a pcap or
+.BR trafgen (8)
+configuration file, it may include a time format as defined by
 .BR strfime (3).
 If used in conjunction with the \fB-F\fP option, each rotated file will have a
 unique time stamp. In the case of a pcap file that should not have the default
@@ -94,8 +101,8 @@ input device is a networking device. If the input device is a Netlink monitor
 device and pcap type is default (usec or nsec) then each packet will be wrapped
 with pcap cooked header [2] to keep Netlink family number (Kuznetzov's and
 netsniff-ng pcap types already contain family number in protocol number field).
-.PP
-.SS -C <id>, --fanout-group <id>
+.TP
+.B -C <id>, --fanout-group <id>
 If multiple netsniff-ng instances are being started that all have the same packet
 fanout group id, then the ingress network traffic being captured is being
 distributed/load-balanced among these group participants. This gives a much better
@@ -103,45 +110,52 @@ scaling than running multiple netsniff-ng processes without a fanout group param
 in parallel, but only with a BPF filter attached as a packet would otherwise need
 to be delivered to all such capturing processes, instead of only once to such a
 fanout member. Naturally, each fanout member can have its own BPF filters attached.
-.PP
-.SS -K <hash|lb|cpu|rnd|roll|qm>, --fanout-type <hash|lb|cpu|rnd|roll|qm>
+.TP
+.B -K <hash|lb|cpu|rnd|roll|qm>, --fanout-type <hash|lb|cpu|rnd|roll|qm>
 This parameter specifies the fanout discipline, in other words, how the captured
 network traffic is dispatched to the fanout group members. Options are to distribute
 traffic by the packet hash (\[lq]hash\[rq]), in a round-robin manner (\[lq]lb\[rq]),
 by CPU the packet arrived on (\[lq]cpu\[rq]), by random (\[lq]rnd\[rq]), by rolling
 over sockets (\[lq]roll\[rq]) which means if one socket's queue is full, we move on
 to the next one, or by NIC hardware queue mapping (\[lq]qm\[rq]).
-.PP
-.SS -L <defrag|roll>, --fanout-opts <defrag|roll>
+.TP
+.B -L <defrag|roll>, --fanout-opts <defrag|roll>
 Defines some auxiliary fanout options to be used in addition to a given fanout type.
 These options apply to any fanout type. In case of \[lq]defrag\[rq], the kernel is
 being told to defragment packets before delivering to user space, and \[lq]roll\[rq]
 provides the same roll-over option as the \[lq]roll\[rq] fanout type, so that on any
 different fanout type being used (e.g. \[lq]qm\[rq]) the socket may temporarily roll
 over to the next fanout group member in case the original one's queue is full.
-.PP
-.SS -f, --filter <bpf-file|-|expr>
+.TP
+.B -f, --filter <bpf-file|-|expr>
 Specifies to not dump all traffic, but to filter the network packet haystack.
-As a filter, either a bpfc(8) compiled file/stdin can be passed as a parameter or
-a tcpdump(1)-like filter expression in quotes. For details regarding the
-bpf-file have a look at bpfc(8), for details regarding a tcpdump(1)-like filter
-have a look at section \[lq]filter example\[rq] or at pcap-filter(7). A filter
-expression may also be passed to netsniff-ng without option \[lq]\-f\[rq] in case
-there is no subsequent option following after the command-line filter expression.
-.PP
-.SS -t, --type <type>
+As a filter, either a
+.BR bpfc (8)
+compiled file/stdin can be passed as a parameter or a
+.BR tcpdump (1)-like
+filter expression in quotes. For details regarding the bpf-file have a look at
+.BR bpfc (8),
+for details regarding a
+.BR tcpdump (1)-like
+filter have a look at section \[lq]filter example\[rq] or at
+.BR pcap-filter (7).
+A filter expression may also be passed to netsniff-ng without option \fB-f\fP in
+case there is no subsequent option following after the command-line filter
+expression.
+.TP
+.B -t, --type <type>
 This defines some sort of filtering mechanisms in terms of addressing. Possible
 values for type are \[lq]host\[rq] (to us), \[lq]broadcast\[rq] (to all), \[lq]multicast\[rq] (to
 group), \[lq]others\[rq] (promiscuous mode) or \[lq]outgoing\[rq] (from us).
-.PP
-.SS -F, --interval <size|time>
+.TP
+.B -F, --interval <size|time>
 If the output device is a folder, with \[lq]\-F\[rq], it is possible to define the pcap
 file rotation interval either in terms of size or time. Thus, when the interval
 limit has been reached, a new pcap file will be started. As size parameter, the
 following values are accepted \[lq]<num>KiB/MiB/GiB\[rq]; As time parameter,
 it can be \[lq]<num>s/sec/min/hrs\[rq].
-.PP
-.SS -J, --jumbo-support
+.TP
+.B -J, --jumbo-support
 By default, in pcap replay or redirect mode, netsniff-ng's ring buffer frames
 are a fixed size of 2048 bytes. This means that if you are expecting jumbo
 frames or even super jumbo frames to pass through your network, then you need
@@ -149,223 +163,241 @@ to enable support for that by using this option. However, this has the
 disadvantage of performance degradation and a bigger memory footprint for the
 ring buffer. Note that this doesn't affect (pcap) capturing mode, since tpacket
 in version 3 is used!
-.PP
-.SS -R, --rfraw
+.TP
+.B -R, --rfraw
 In case the input or output networking device is a wireless device, it is
 possible with netsniff-ng to turn this into monitor mode and create a mon<X>
 device that netsniff-ng will be listening on instead of wlan<X>, for instance.
 This enables netsniff-ng to analyze, dump, or even replay raw 802.11 frames.
-.PP
-.SS -n <0|uint>, --num <0|uint>
+.TP
+.B -n <0|uint>, --num <0|uint>
 Process a number of packets and then exit. If the number of packets is 0, then
 this is equivalent to infinite packets resp. processing until interrupted.
 Otherwise, a number given as an unsigned integer will limit processing.
-.PP
-.SS -P <name>, --prefix <name>
+.TP
+.B -P <name>, --prefix <name>
 When dumping pcap files into a folder, a file name prefix can be defined with
 this option. If not otherwise specified, the default prefix is \[lq]dump\-\[rq]
 followed by a Unix timestamp. Use \[lq]\-\-prefex ""\[rq] to set filename as
 seconds since the Unix Epoch e.g. 1369179203.pcap
-.PP
-.SS -T <pcap-magic>, --magic <pcap-magic>
+.TP
+.B -T <pcap-magic>, --magic <pcap-magic>
 Specify a pcap type for storage. Different pcap types with their various meta
-data capabilities are shown with option \[lq]\-D\[rq]. If not otherwise
+data capabilities are shown with option \fB\-D\fP. If not otherwise
 specified, the pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable
 pcap format, is used. Pcap files with swapped endianness are also supported.
-.PP
-.SS -D, --dump-pcap-types
+.TP
+.B -D, --dump-pcap-types
 Dump all available pcap types with their capabilities and magic numbers that
 can be used with option \[lq]\-T\[rq] to stdout and exit.
-.PP
-.SS -B, --dump-bpf
+.TP
+.B -B, --dump-bpf
 If a Berkeley Packet Filter is given, for example via option \[lq]\-f\[rq], then
 dump the BPF disassembly to stdout during ring setup. This only serves for informative
 or verification purposes.
-.PP
-.SS -r, --rand
+.TP
+.B -r, --rand
 If the input and output device are both networking devices, then this option will
 randomize packet order in the output ring buffer.
-.PP
-.SS -M, --no-promisc
+.TP
+.B -M, --no-promisc
 The networking interface will not be put into promiscuous mode. By default,
 promiscuous mode is turned on.
-.PP
-.SS -N, --no-hwtimestamp
+.TP
+.B -N, --no-hwtimestamp
 Disable taking hardware time stamps for RX packets. By default, if the network
 device supports hardware time stamping, the hardware time stamps will be used
 when writing packets to pcap files. This option disables this behavior and
 forces (kernel based) software time stamps to be used, even if hardware time
 stamps are available.
-.PP
-.SS -A, --no-sock-mem
+.TP
+.B -A, --no-sock-mem
 On startup and shutdown, netsniff-ng tries to increase socket read and
 write buffers if appropriate. This option will prevent netsniff-ng from doing
 so.
-.PP
-.SS -m, --mmap
-Use mmap(2) as pcap file I/O. This is the default when replaying pcap files.
-.PP
-.SS -G, --sg
+.TP
+.B -m, --mmap
+Use
+.BR mmap (2)
+as pcap file I/O. This is the default when replaying pcap files.
+.TP
+.B -G, --sg
 Use scatter-gather as pcap file I/O. This is the default when capturing
 pcap files.
-.PP
-.SS -c, --clrw
-Use slower read(2) and write(2) I/O. This is not the default case anywhere, but in
+.TP
+.B -c, --clrw
+Use slower
+.BR read (2)
+and
+.BR write (2)
+I/O. This is not the default case anywhere, but in
 some situations it could be preferred as it has a lower latency on write-back
 to disc.
-.PP
-.SS -S <size>, --ring-size <size>
+.TP
+.B -S <size>, --ring-size <size>
 Manually define the RX_RING resp. TX_RING size in \[lq]<num>KiB/MiB/GiB\[rq]. By
 default, the size is determined based on the network connectivity rate.
-.PP
-.SS -k <uint>, --kernel-pull <uint>
+.TP
+.B -k <uint>, --kernel-pull <uint>
 Manually define the interval in micro-seconds where the kernel should be triggered
 to batch process the ring buffer frames. By default, it is every 10us, but it can
 manually be prolonged, for instance.
-.PP
-.SS -b <cpu>, --bind-cpu <cpu>
+.TP
+.B -b <cpu>, --bind-cpu <cpu>
 Pin netsniff-ng to a specific CPU and also pin resp. migrate the NIC's IRQ
 CPU affinity to this CPU. This option should be preferred in combination with
-\[lq]\-s\[rq] in case a middle to high packet rate is expected.
-.PP
-.SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
+\fB\-s\fP in case a middle to high packet rate is expected.
+.TP
+.B -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
 After ring setup drop privileges to a non-root user/group combination.
-.PP
-.SS -H, --prio-high
+.TP
+.B -H, --prio-high
 Set this process as a high priority process in order to achieve a higher
 scheduling rate resp. CPU time. This is however not the default setting, since
 it could lead to starvation of other processes, for example low priority kernel
 threads.
-.PP
-.SS -Q, --notouch-irq
+.TP
+.B -Q, --notouch-irq
 Do not reassign the NIC's IRQ CPU affinity settings.
-.PP
-.SS -s, --silent
+.TP
+.B -s, --silent
 Do not enter the packet dissector at all and do not print any packet information
 to the terminal. Just shut up and be silent. This option should be preferred in
 combination with pcap recording or replay, since it will not flood your terminal
 which causes a significant performance degradation.
-.PP
-.SS -q, --less
+.TP
+.B -q, --less
 Print a less verbose one-line information for each packet to the terminal.
-.PP
-.SS -X, --hex
+.TP
+.B -X, --hex
 Only dump packets in hex format to the terminal.
-.PP
-.SS -l, --ascii
+.TP
+.B -l, --ascii
 Only display ASCII printable characters.
-.PP
-.SS -U, --update
+.TP
+.B -U, --update
 If geographical IP location is used, the built-in database update
 mechanism will be invoked to get Maxmind's latest database. To configure
 search locations for databases, the file /etc/netsniff-ng/geoip.conf contains
 possible addresses. Thus, to save bandwidth or for mirroring of Maxmind's
 databases (to bypass their traffic limit policy), different hosts or IP
 addresses can be placed into geoip.conf, separated by a newline.
-.PP
-.SS -w, --cooked
+.TP
+.B -w, --cooked
 Replace each frame link header with Linux "cooked" header [3] which keeps info
 about link type and protocol. It allows to dump and dissect frames captured
 from different link types when -i "any" was specified, for example.
-.PP
-.SS -V, --verbose
+.TP
+.B -V, --verbose
 Be more verbose during startup i.e. show detailed ring setup information.
-.PP
-.SS -v, --version
+.TP
+.B -v, --version
 Show version information and exit.
-.PP
-.SS -h, --help
+.TP
+.B -h, --help
 Show user help and exit.
 .PP
 .SH USAGE EXAMPLE
-.PP
-.SS netsniff-ng
+.TP
+.B netsniff-ng
 The most simple command is to just run \[lq]netsniff-ng\[rq]. This will start
 listening on all available networking devices in promiscuous mode and dump
 the packet dissector output to the terminal. No files will be recorded.
-.PP
-.SS  netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp
+.TP
+.B netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp
 Capture TCP or UDP traffic from the networking device eth0 into the pcap file
 named dump.pcap, which has netsniff-ng specific pcap extensions (see
 \[lq]netsniff-ng \-D\[rq] for capabilities). Also, do not print the content to
 the terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write
 method is scatter-gather I/O.
-.PP
-.SS  netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0
+.TP
+.B netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0
 Put the wlan0 device into monitoring mode and capture all raw 802.11 frames
 into the file dump.pcap. Do not dissect and print the content to the terminal
 and pin the process and NIC IRQ affinity to CPU 0. The pcap write method is
 scatter-gather I/O.
-.PP
-.SS  netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0
-Replay the pcap file dump.pcap which is read through mmap(2) I/O and send
-the packets out via the eth0 networking device. Do not dissect and print the
-content to the terminal and pin the process and NIC IRQ affinity to CPU 0.
-Also, trigger the kernel every 1000us to traverse the TX_RING instead of every
-10us. Note that the pcap magic type is detected automatically from the pcap
-file header.
-.PP
-.SS  netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r
+.TP
+.B netsniff-ng --in dump.pcap --mmap --out eth0 -k1000 --silent --bind-cpu 0
+Replay the pcap file dump.pcap which is read through
+.BR mmap (2)
+I/O and send the packets out via the eth0 networking device. Do not dissect and
+print the content to the terminal and pin the process and NIC IRQ affinity to
+CPU 0.  Also, trigger the kernel every 1000us to traverse the TX_RING instead of
+every 10us. Note that the pcap magic type is detected automatically from the
+pcap file header.
+.TP
+.B netsniff-ng --in eth0 --out eth1 --silent --bind-cpu 0 --type host -r
 Redirect network traffic from the networking device eth0 to eth1 for traffic
 that is destined for our host, thus ignore broadcast, multicast and promiscuous
 traffic. Randomize the order of packets for the outgoing device and do not
 print any packet contents to the terminal. Also, pin the process and NIC IRQ
 affinity to CPU 0.
-.PP
-.SS  netsniff-ng --in team0 --out /opt/probe/ -s -m --interval 100MiB -b 0
+.TP
+.B netsniff-ng --in team0 --out /opt/probe/ -s -m --interval 100MiB -b 0
 Capture on an aggregated team0 networking device and dump packets into multiple
-pcap files that are split into 100MiB each. Use mmap(2) I/O as a pcap write
-method, support for super jumbo frames is built-in (does not need to be
-configured here), and do not print the captured data to the terminal. Pin
-netsniff-ng and NIC IRQ affinity to CPU 0. The default pcap magic type is
+pcap files that are split into 100MiB each. Use
+.BR mmap (2)
+I/O as a pcap write method, support for super jumbo frames is built-in (does not
+need to be configured here), and do not print the captured data to the terminal.
+Pin netsniff-ng and NIC IRQ affinity to CPU 0. The default pcap magic type is
 0xa1b2c3d4 (tcpdump-capable pcap).
-.PP
-.SS  netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`
+.TP
+.B netsniff-ng --in vlan0 --out dump.pcap -c -u `id -u bob` -g `id -g bob`
 Capture network traffic on device vlan0 into a pcap file called dump.pcap
-by using normal read(2), write(2) I/O for the pcap file (slower but less
-latency). Also, after setting up the RX_RING for capture, drop privileges
-from root to the user and group \[lq]bob\[rq]. Invoke the packet dissector and print
-packet contents to the terminal for further analysis.
-.PP
-.SS  netsniff-ng --in any --filter http.bpf -B --ascii -V
+by using normal
+.BR read (2),
+.BR write (2)
+I/O for the pcap file (slower but less latency). Also, after setting up the
+RX_RING for capture, drop privileges from root to the user and group
+\[lq]bob\[rq]. Invoke the packet dissector and print packet contents to the
+terminal for further analysis.
+.TP
+.B netsniff-ng --in any --filter http.bpf -B --ascii -V
 Capture from all available networking interfaces and install a low-level
-filter that was previously compiled by bpfc(8) into http.bpf in order to
-filter HTTP traffic. Super jumbo frame support is automatically enabled and
-only print human readable packet data to the terminal, and also be more
-verbose during setup phase. Moreover, dump a BPF disassembly of http.bpf.
-.PP
-.SS netsniff-ng --in dump.pcap --out dump.cfg --silent
-Convert the pcap file dump.pcap into a trafgen(8) configuration file dump.cfg.
-Do not print pcap contents to the terminal.
-.PP
-.SS netsniff-ng -i dump.pcap -f beacon.bpf -o -
-Convert the pcap file dump.pcap into a trafgen(8) configuration file and write
-it to stdout. However, do not dump all of its content, but only the one that
-passes the low-level filter for raw 802.11 from beacon.bpf. The BPF engine
-here is invoked in user space inside of netsniff-ng, so Linux extensions
-are not available.
-.PP
-.SS cat foo.pcap | netsniff-ng -i - -o -
-Read a pcap file from stdin and convert it into a trafgen(8) configuration
+filter that was previously compiled by
+.BR bpfc (8)
+into http.bpf in order to filter HTTP traffic. Super jumbo frame support is
+automatically enabled and only print human readable packet data to the terminal,
+and also be more verbose during setup phase. Moreover, dump a BPF disassembly of
+http.bpf.
+.TP
+.B netsniff-ng --in dump.pcap --out dump.cfg --silent
+Convert the pcap file dump.pcap into a
+.BR trafgen (8)
+configuration file dump.cfg. Do not print pcap contents to the terminal.
+.TP
+.B netsniff-ng -i dump.pcap -f beacon.bpf -o -
+Convert the pcap file dump.pcap into a
+.BR trafgen (8)
+configuration file and write it to stdout. However, do not dump all of its
+content, but only the one that passes the low-level filter for raw 802.11 from
+beacon.bpf. The BPF engine here is invoked in user space inside of netsniff-ng,
+so Linux extensions are not available.
+.TP
+.B cat foo.pcap | netsniff-ng -i - -o -
+Read a pcap file from stdin and convert it into a
+.BR trafgen (8)
+configuration
 file to stdout.
-.PP
-.SS modprobe nlmon
-.SS ip link add type nlmon
-.SS ip link set nlmon0 up
-.SS netsniff-ng -i nlmon0 -o dump.pcap -s
-.SS ip link set nlmon0 down
-.SS ip link del dev nlmon0
-.SS rmmod nlmon
-In this example, netlink traffic is being captured. If not already done, a
-netlink monitoring device needs to be set up before it can be used to capture
-netlink socket buffers (iproute2's ip(1) commands are given for nlmon device
-setup and teardown). netsniff-ng can then make use of the nlmon device as
-an input device. In this example a pcap file with netlink traffic is being
-recorded.
-.PP
-.SS netsniff-ng --fanout-group 1 --fanout-type cpu --fanout-opts defrag --bind-cpu 0 --notouch-irq --silent --in em1 --out /var/cap/cpu0/ --interval 120sec
-.SS netsniff-ng --fanout-group 1 --fanout-type cpu --fanout-opts defrag --bind-cpu 1 --notouch-irq --silent --in em1 --out /var/cap/cpu1/ --interval 120sec
-Starts two netsniff-ng fanout instances. Both are assigned into the same fanout
+.TP
+.B netsniff-ng -i nlmon0 -o dump.pcap -s
+Capture netlink traffic to a pcap file. This command needs a netlink monitoring
+device to be set up beforehand using the follwing commands using
+.BR ip (1)
+from the iproute2 utility collection:
+
+  modprobe nlmon
+  ip link add type nlmon
+  ip link set nlmon0 up
+
+To tear down the \fBnlmon0\fP device, use the following commands:
+
+  ip link set nlmon0 down
+  ip link del dev nlmon0
+  rmmod nlmon
+.TP
+.B netsniff-ng --fanout-group 1 --fanout-type cpu --fanout-opts defrag --bind-cpu 0 --notouch-irq --silent --in em1 --out /var/cap/cpu0/ --interval 120sec
+Start two netsniff-ng fanout instances. Both are assigned into the same fanout
 group membership and traffic is splitted among them by incoming cpu. Furthermore,
 the kernel is supposed to defragment possible incoming fragments. First instance
 is assigned to CPU 0 and the second one to CPU 1, IRQ bindings are not altered as
@@ -388,8 +420,11 @@ functionality:
 .SH FILTER EXAMPLE
 .PP
 netsniff-ng supports both, low-level and high-level filters that are
-attached to its packet(7) socket. Low-level filters are described in
-the bpfc(8) man page.
+attached to its
+.BR packet (7)
+socket. Low-level filters are described in the
+.BR bpfc (8)
+man page.
 .PP
 Low-level filters can be used with netsniff-ng in the following way:
 .PP
@@ -401,73 +436,76 @@ Here, foo is the bpfc program that will be translated into a netsniff-ng
 readable \[lq]opcodes\[rq] file and passed to netsniff-ng through the \-f
 option.
 .PP
-Similarly, high-level filter can be either passed through the \-f option,
+Similarly, high-level filter can be either passed through the \fB\-f\fP option,
 e.g. \-f "tcp or udp" or at the end of all options without the \[lq]\-f\[rq].
 .PP
-The filter syntax is the same as in tcpdump(8), which is described in
-the man page pcap-filter(7). Just to quote some examples from pcap-filter(7):
-.PP
-.SS host sundown
+The filter syntax is the same as in
+.BR tcpdump (8),
+which is described in the man page
+.BR pcap-filter (7).
+Just to quote some examples:
+.TP
+.B host sundown
 To select all packets arriving at or departing from sundown.
-.PP
-.SS host helios and \(hot or ace\)
+.TP
+.B host helios and (hot or ace)
 To select traffic between helios and either hot or ace.
-.PP
-.SS ip host ace and not helios
+.TP
+.B ip host ace and not helios
 To select all IP packets between ace and any host except helios.
-.PP
-.SS net ucb-ether
+.TP
+.B net ucb-ether
 To select all traffic between local hosts and hosts at Berkeley.
-.PP
-.SS gateway snup and (port ftp or ftp-data)
+.TP
+.B gateway snup and (port ftp or ftp-data)
 To select all FTP traffic through Internet gateway snup.
-.PP
-.SS ip and not net localnet
+.TP
+.B ip and not net localnet
 To select traffic neither sourced from, nor destined for, local hosts. If you
 have a gateway to another network, this traffic should never make it onto
 your local network.
-.PP
-.SS tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
+.TP
+.B tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet
 To select the start and end packets (the SYN and FIN packets) of each TCP
 conversation that involve a non-local host.
-.PP
-.SS tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
+.TP
+.B tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
 To select all IPv4 HTTP packets to and from port 80, that is to say, print only packets
 that contain data, not, for example, SYN and FIN packets and ACK-only packets.
 (IPv6 is left as an exercise for the reader.)
-.PP
-.SS gateway snup and ip[2:2] > 576
+.TP
+.B gateway snup and ip[2:2] > 576
 To select IP packets longer than 576 bytes sent through gateway snup.
-.PP
-.SS ether[0] & 1 = 0 and ip[16] >= 224
+.TP
+.B ether[0] & 1 = 0 and ip[16] >= 224
 To select IP broadcast or multicast packets that were not sent via Ethernet
 broadcast or multicast.
-.PP
-.SS icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
+.TP
+.B icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
 To select all ICMP packets that are not echo requests or replies
 (that is to say, not "ping" packets).
 .PP
 .SH PCAP FORMATS:
 .PP
 netsniff-ng supports a couple of pcap formats, visible through ``netsniff-ng \-D'':
-.PP
-.SS tcpdump-capable pcap (default)
+.TP
+.B tcpdump-capable pcap (default)
 Pcap magic number is encoded as 0xa1b2c3d4 resp. 0xd4c3b2a1. As packet meta data
 this format contains the timeval in microseconds, the original packet length and
 the captured packet length.
-.PP
-.SS tcpdump-capable pcap with ns resolution
+.TP
+.B tcpdump-capable pcap with ns resolution
 Pcap magic number is encoded as 0xa1b23c4d resp. 0x4d3cb2a1. As packet meta data
 this format contains the timeval in nanoseconds, the original packet length and
 the captured packet length.
-.PP
-.SS Alexey Kuznetzov's pcap
+.TP
+.B Alexey Kuznetzov's pcap
 Pcap magic number is encoded as 0xa1b2cd34 resp. 0x34cdb2a1. As packet meta data
 this format contains the timeval in microseconds, the original packet length,
 the captured packet length, the interface index (sll_ifindex), the packet's
 protocol (sll_protocol), and the packet type (sll_pkttype).
-.PP
-.SS netsniff-ng pcap
+.TP
+.B netsniff-ng pcap
 Pcap magic number is encoded as 0xa1e2cb12 resp. 0x12cbe2a1. As packet meta data
 this format contains the timeval in nanoseconds, the original packet length,
 the captured packet length, the timestamp hw/sw source, the interface index
@@ -475,7 +513,7 @@ the captured packet length, the timestamp hw/sw source, the interface index
 and the hardware type (sll_hatype).
 .PP
 For further implementation details or format support in your application,
-have a look at pcap_io.h.
+have a look at pcap_io.h in the netsniff-ng sources.
 .PP
 .SH NOTE
 To avoid confusion, it should be noted that there is another network
@@ -483,8 +521,9 @@ analyzer with a similar name, called NetSniff, that is unrelated to
 the netsniff-ng project.
 .PP
 For introducing bit errors, delays with random variation and more
-while replaying pcaps, make use of tc(8) with its disciplines such
-as netem.
+while replaying pcaps, make use of
+.BR tc (8)
+with its disciplines such as netem.
 .PP
 netsniff-ng does only some basic, architecture generic tuning on
 startup. If you are considering to do high performance capturing,
@@ -495,8 +534,9 @@ that tuning your system is always a tradeoff and fine-grained
 balancing act (throughput versus latency). You should know what
 you are doing!
 .PP
-One recommendation for software-based tuning is tuned(8). Besides
-that, there are many other things to consider. Just to throw you
+One recommendation for software-based tuning is
+.BR tuned (8).
+Besides that, there are many other things to consider. Just to throw you
 a few things that you might want to look at: NAPI networking drivers,
 tickless kernel, I/OAT DMA engine, Direct Cache Access, RAM-based
 file systems, multi-queues, and many more things. Also, you might
@@ -528,11 +568,13 @@ if your switch hardware supports it and if you have access to the switch.
 .PP
 If you do not need to dump all possible traffic, you have to consider
 running netsniff-ng with a BPF filter for the ingress path. For that
-purpose, read the bpfc(8) man page.
+purpose, read the
+.BR bpfc (8)
+man page.
 .PP
 Also, to aggregate multiple NICs that you want to capture on, you
 should consider using team devices, further explained in libteam resp.
-teamd(8).
+.BR teamd (8).
 .PP
 The following netsniff-ng pcap magic numbers are compatible with other
 tools, at least tcpdump or Wireshark:
@@ -597,10 +639,13 @@ is stored in the kernel helper data structure. We think that there should be
 a good consensus on the kernel space side about what gets transferred to
 userland first.
 .PP
-Update (28.11.2012): the Linux kernel and also bpfc(8) has built-in support
-for hardware accelerated VLAN filtering, even though tags might not be visible
-in the payload itself as reported here. However, the filtering for VLANs works
-reliable if your NIC supports it. See bpfc(8) for an example.
+Update (28.11.2012): the Linux kernel and also
+.BR bpfc (8)
+has built-in support for hardware accelerated VLAN filtering, even though tags
+might not be visible in the payload itself as reported here. However, the
+filtering for VLANs works reliable if your NIC supports it. See
+.BR bpfc (8)
+for an example.
 .PP
    [1] http://lkml.indiana.edu/hypermail/linux/kernel/0710.3/3816.html
    [2] http://www.tcpdump.org/linktypes/LINKTYPE_NETLINK.html
diff --git a/trafgen.8 b/trafgen.8
index f720043..ead5dd0 100644
--- a/trafgen.8
+++ b/trafgen.8
@@ -7,12 +7,13 @@ trafgen \- a fast, multithreaded network packet generator
 .PP
 .SH SYNOPSIS
 .PP
-\fBtrafgen\fR [\fIoptions\fR] [\fIpacket\fR]
+\fBtrafgen\fP [\fIoptions\fP] [\fIpacket\fP]
 .PP
 .SH DESCRIPTION
 .PP
 trafgen is a fast, zero-copy network traffic generator for debugging,
-performance evaluation, and fuzz-testing. trafgen utilizes the packet(7)
+performance evaluation, and fuzz-testing. trafgen utilizes the
+.BR packet (7)
 socket interface of Linux which postpones complete control over packet data
 and packet headers into the user space. It has a powerful packet configuration
 language, which is rather low-level and not limited to particular protocols.
@@ -22,10 +23,14 @@ various kinds of load testing in order to analyze and subsequently improve
 systems behaviour under DoS attack scenarios, for instance.
 .PP
 trafgen is Linux specific, meaning there is no support for other operating
-systems, same as netsniff-ng(8), thus we can keep the code footprint quite
-minimal and to the point. trafgen makes use of packet(7) socket's TX_RING
-interface of the Linux kernel, which is a mmap(2)'ed ring buffer shared between
-user and kernel space.
+systems, same as
+.BR netsniff-ng (8),
+thus we can keep the code footprint quite minimal and to the point. trafgen
+makes use of
+.BR packet (7)
+socket's TX_RING interface of the Linux kernel, which is a
+.BR mmap (2)'ed
+ring buffer shared between user and kernel space.
 .PP
 By default, trafgen starts as many processes as available CPUs, pins each
 of them to their respective CPU and sets up the ring buffer each in their own
@@ -60,48 +65,49 @@ where arithmetic (basic operations, bit operations, bit shifting, ...) on consta
 expressions is being reduced to a single constant on compile time. Other features
 are ''fill'' macros, where a packet can be filled with n bytes by a constant, a
 compile-time random number or run-time random number (as mentioned with fuzz
-testing). Also, netsniff-ng(8) is able to convert a pcap file into a trafgen
-configuration file, thus such a configuration can then be further tweaked for a
-given scenario.
+testing). Also,
+.BR netsniff-ng (8)
+is able to convert a pcap file into a trafgen configuration file, thus such a
+configuration can be further tweaked for a given scenario.
 .PP
 .SH OPTIONS
-.PP
-.SS -i <cfg|pcap|->, -c <cfg|->, --in <cfg|pcap|->, --conf <cfg|->
+.TP
+.B -i <cfg|pcap|->, -c <cfg|->, --in <cfg|pcap|->, --conf <cfg|->
 Defines the input configuration file that can either be passed as a normal plain
 text file or via stdin (''-''). Note that currently, if a configuration is
 passed through stdin, only 1 CPU will be used.
-It is also possible to specify PCAP file with .pcap extension via -i,--in option,
-by default packets will be sent at rate considering timestamp from PCAP file which
-might be reset via -b/-t options.
-.PP
-.SS -o <dev|.pcap|.cfg>, -d <dev|.pcap|.cfg>, --out <dev|.pcap|.cfg>, --dev <dev|.pcap|.cfg>
+It is also possible to specify PCAP file with .pcap extension via
+\fB-i\fP/\fB--in\fP option, by default packets will be sent at rate considering
+timestamp from PCAP file which might be reset via the \fB-b\fP or \fB-t\fP option.
+.TP
+.B -o <dev|.pcap|.cfg>, -d <dev|.pcap|.cfg>, --out <dev|.pcap|.cfg>, --dev <dev|.pcap|.cfg>
 Defines the outgoing networking device such as eth0, wlan0 and others or
 a *.pcap or *.cfg file. Pcap and configuration files are identified by extension.
-.PP
-.SS -p, --cpp
+.TP
+.B -p, --cpp
 Pass the packet configuration to the C preprocessor before reading it into
 trafgen. This allows #define and #include directives (e.g. to include
 definitions from system headers) to be used in the trafgen configuration file.
-.PP
-.SS -D <name>=<definition>, --define <name>=<definition>
+.TP
+.B -D <name>=<definition>, --define <name>=<definition>
 Add macro definition for the C preprocessor to use it within trafgen file. This
-option is used in combination with the -p,--cpp option.
-.PP
-.SS -J, --jumbo-support
+option is used in combination with the \fB-p\fP/\fB--cpp\fP option.
+.TP
+.B -J, --jumbo-support
 By default trafgen's ring buffer frames are of a fixed size of 2048 bytes.
 This means that if you're expecting jumbo frames or even super jumbo frames to
 pass your line, then you will need to enable support for that with the help of
 this option. However, this has the disadvantage of a performance regression and
 a bigger memory footprint for the ring buffer.
-.PP
-.SS -R, --rfraw
+.TP
+.B -R, --rfraw
 In case the output networking device is a wireless device, it is possible with
 trafgen to turn this into monitor mode and create a mon<X> device that trafgen
 will be transmitting on instead of wlan<X>, for instance. This enables trafgen
 to inject raw 802.11 frames. In case if the output is a pcap file the link type
 is set to 127 (ieee80211 radio tap).
-.PP
-.SS -s <ipv4>, --smoke-test <ipv4>
+.TP
+.B -s <ipv4>, --smoke-test <ipv4>
 In case this option is enabled, trafgen will perform a smoke test. In other
 words, it will probe the remote end, specified by an <ipv4> address, that is
 being ''attacked'' with trafgen network traffic, if it is still alive and
@@ -113,91 +119,99 @@ packet configuration and the random seed that has been used in order to
 reproduce a possible bug. This might be useful when testing proprietary embedded
 devices. It is recommended to have a direct link between the host running
 trafgen and the host being attacked by trafgen.
-.PP
-.SS -n <0|uint>, --num <0|uint>
+.TP
+.B -n <0|uint>, --num <0|uint>
 Process a number of packets and then exit. If the number of packets is 0, then
 this is equivalent to infinite packets resp. processing until interrupted.
 Otherwise, a number given as an unsigned integer will limit processing.
-.PP
-.SS -r, --rand
+.TP
+.B -r, --rand
 Randomize the packet selection of the configuration file. By default, if more
 than one packet is defined in a packet configuration, packets are scheduled for
 transmission in a round robin fashion. With this option, they are selected
 randomly instread.
-.PP
-.SS -P <uint>, --cpus <uint>
-Specify the number of processes trafgen shall fork(2) off. By default trafgen
-will start as many processes as CPUs that are online and pin them to each,
-respectively. Allowed value must be within interval [1,CPUs].
-.PP
-.SS -t <time>, --gap <time>
+.TP
+.B -P <uint>, --cpus <uint>
+Specify the number of processes trafgen shall
+.Br fork (2)
+off. By default trafgen will start as many processes as CPUs that are online and
+pin them to each, respectively. Allowed value must be within interval [1,CPUs].
+.TP
+.B -t <time>, --gap <time>
 Specify a static inter-packet timegap in seconds, milliseconds, microseconds,
 or nanoseconds: ''<num>s/ms/us/ns''. If no postfix is given default to
-microseconds. If this option is given, then instead of packet(7)'s TX_RING
-interface, trafgen will use sendto(2) I/O for network packets, even if the
-<time> argument is 0. This option is useful for a couple of reasons: i)
-comparison between sendto(2) and TX_RING performance, ii) low-traffic packet
-probing for a given interval, iii) ping-like debugging with specific payload
-patterns. Furthermore, the TX_RING interface does not cope with interpacket
-gaps.
-.PP
-.SS -b <rate>, --rate <rate>
+microseconds. If this option is given, then instead of
+.BR packet (7)'s
+TX_RING interface, trafgen will use
+.BR sendto (2)
+I/O for network packets, even if the <time> argument is 0. This option is useful
+for a couple of reasons:
+
+  1) comparison between
+.BR sendto (2)
+and TX_RING performance,
+  2) low-traffic packet probing for a given interval,
+  3) ping-like debugging with specific payload patterns.
+
+Furthermore, the TX_RING interface does not cope with interpacket gaps.
+.TP
+.B -b <rate>, --rate <rate>
 Specify the packet send rate <num>pps/B/kB/MB/GB/kbit/Mbit/Gbit/KiB/MiB/GiB units.
-Like with the -t,--gap option, the packets are sent in slow mode.
-.PP
-.SS -S <size>, --ring-size <size>
-Manually define the TX_RING resp. TX_RING size in ''<num>KiB/MiB/GiB''. On
+Like with the \fB-t\fP/\fB--gap\fP option, the packets are sent in slow mode.
+.TP
+.B -S <size>, --ring-size <size>
+Manually define the TX_RING resp. TX_RING size in ''<num>KiB/MiB/GiB''. By
 default the size is being determined based on the network connectivity rate.
-.PP
-.SS -E <uint>, --seed <uint>
+.TP
+.B -E <uint>, --seed <uint>
 Manually set the seed for pseudo random number generator (PRNG) in trafgen. By
 default, a random seed from /dev/urandom is used to feed glibc's PRNG. If that
 fails, it falls back to the unix timestamp. It can be useful to set the seed
 manually in order to be able to reproduce a trafgen session, e.g. after fuzz
 testing.
-.PP
-.SS -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
+.TP
+.B -u <uid>, --user <uid> resp. -g <gid>, --group <gid>
 After ring setup, drop privileges to a non-root user/group combination.
-.PP
-.SS -H, --prio-high
+.TP
+.B -H, --prio-high
 Set this process as a high priority process in order to achieve a higher
 scheduling rate resp. CPU time. This is however not the default setting, since
 it could lead to starvation of other processes, for example low priority kernel
 threads.
-.PP
-.SS -A, --no-sock-mem
+.TP
+.B -A, --no-sock-mem
 Do not change systems default socket memory setting during testrun.
 Default is to boost socket buffer memory during the test to:
-.PP
-   /proc/sys/net/core/rmem_default:4194304
-   /proc/sys/net/core/wmem_default:4194304
-   /proc/sys/net/core/rmem_max:104857600
-   /proc/sys/net/core/wmem_max:104857600
-.PP
-.SS -Q, --notouch-irq
+
+  /proc/sys/net/core/rmem_default:4194304
+  /proc/sys/net/core/wmem_default:4194304
+  /proc/sys/net/core/rmem_max:104857600
+  /proc/sys/net/core/wmem_max:104857600
+.TP
+.B -Q, --notouch-irq
 Do not reassign the NIC's IRQ CPU affinity settings.
-.PP
-.SS -q, --qdisc-path
+.TP
+.B -q, --qdisc-path
 Since Linux 3.14, the kernel supports a socket option PACKET_QDISC_BYPASS,
-which trafgen enables by default.  This options disables the qdisc bypass,
+which trafgen enables by default. This options disables the qdisc bypass,
 and uses the normal send path through the kernel's qdisc (traffic control)
 layer, which can be usefully for testing the qdisc path.
-.PP
-.SS -V, --verbose
+.TP
+.B -V, --verbose
 Let trafgen be more talkative and let it print the parsed configuration and
 some ring buffer statistics.
-.PP
-.SS -e, --example
+.TP
+.B -e, --example
 Show a built-in packet configuration example. This might be a good starting
 point for an initial packet configuration scenario.
-.PP
-.SS -C, --no-cpu-stats
+.TP
+.B -C, --no-cpu-stats
 Do not print CPU time statistics on exit.
-.PP
-.SS -v, --version
+.TP
+.B -v, --version
 Show version information and exit.
-.PP
-.SS -h, --help
+.TP
+.B -h, --help
 Show user help and exit.
 .PP
 .SH SYNTAX
@@ -803,7 +817,7 @@ Furthermore, there are two types of comments in trafgen configuration files:
   2. Single-line Shell-style comments:   #  put comment here
 .PP
 Next to all of this, a configuration can be passed through the C preprocessor
-before the trafgen compiler gets to see it with option \-\-cpp. To give you a
+before the trafgen compiler gets to see it with option \fB--cpp\fP. To give you a
 taste of a more advanced example, run ''trafgen \-e'', fields are commented:
 .PP
    /* Note: dynamic elements make trafgen slower! */
@@ -906,48 +920,48 @@ The above example rewritten using the header generation functions:
    }
 .PP
 .SH USAGE EXAMPLE
-.PP
-.SS trafgen --dev eth0 --conf trafgen.cfg
+.TP
+.B trafgen --dev eth0 --conf trafgen.cfg
 This is the most simple and, probably, the most common use of trafgen. It
 will generate traffic defined in the configuration file ''trafgen.cfg'' and
 transmit this via the ''eth0'' networking device. All online CPUs are used.
-.PP
-.SS trafgen -e | trafgen -i - -o lo --cpp -n 1
+.TP
+.B trafgen -e | trafgen -i - -o lo --cpp -n 1
 This is an example where we send one packet of the built-in example through
 the loopback device. The example configuration is passed via stdin and also
 through the C preprocessor before trafgen's packet compiler will see it.
-.PP
-.SS trafgen --dev eth0 --conf fuzzing.cfg --smoke-test 10.0.0.1
+.TP
+.B trafgen --dev eth0 --conf fuzzing.cfg --smoke-test 10.0.0.1
 Read the ''fuzzing.cfg'' packet configuration file (which contains drnd()
 calls) and send out the generated packets to the ''eth0'' device. After each
 sent packet, ping probe the attacked host with address 10.0.0.1 to check if
 it's still alive. This also means, that we utilize 1 CPU only, and do not
 use the TX_RING, but sendto(2) packet I/O due to ''slow mode''.
-.PP
-.SS trafgen --dev wlan0 --rfraw --conf beacon-test.txf -V --cpus 2
+.TP
+.B trafgen --dev wlan0 --rfraw --conf beacon-test.txf -V --cpus 2
 As an output device ''wlan0'' is used and put into monitoring mode, thus we
 are going to transmit raw 802.11 frames through the air. Use the
- ''beacon-test.txf'' configuration file, set trafgen into verbose mode and
+''beacon-test.txf'' configuration file, set trafgen into verbose mode and
 use only 2 CPUs.
-.PP
-.SS trafgen --dev em1 --conf frag_dos.cfg --rand --gap 1000us
+.TP
+.B trafgen --dev em1 --conf frag_dos.cfg --rand --gap 1000us
 Use trafgen in sendto(2) mode instead of TX_RING mode and sleep after each
 sent packet a static timegap for 1000us. Generate packets from ''frag_dos.cfg''
 and select next packets to send randomly instead of a round-robin fashion.
 The output device for packets is ''em1''.
-.PP
-.SS trafgen --dev eth0 --conf icmp.cfg --rand --num 1400000 -k1000
+.TP
+.B trafgen --dev eth0 --conf icmp.cfg --rand --num 1400000 -k1000
 Send only 1400000 packets using the ''icmp.cfg'' configuration file and then
 exit trafgen. Select packets randomly from that file for transmission and
 send them out via ''eth0''. Also, trigger the kernel every 1000us for batching
 the ring frames from user space (default is 10us).
-.PP
-.SS trafgen --dev eth0 --conf tcp_syn.cfg -u `id -u bob` -g `id -g bob`
+.TP
+.B trafgen --dev eth0 --conf tcp_syn.cfg -u `id -u bob` -g `id -g bob`
 Send out packets generated from the configuration file ''tcp_syn.cfg'' via
 the ''eth0'' networking device. After setting up the ring for transmission,
 drop credentials to the non-root user/group bob/bob.
-.PP
-.SS trafgen --dev eth0 '{ fill(0xff, 6), 0x00, 0x02, 0xb3, rnd(3), c16(0x0800), fill(0xca, 64) }' -n 1
+.TP
+.B trafgen --dev eth0 '{ fill(0xff, 6), 0x00, 0x02, 0xb3, rnd(3), c16(0x0800), fill(0xca, 64) }' -n 1
 Send out 1 invaid IPv4 packet built from command line to all hosts.
 .PP
 .SH NOTE
@@ -955,18 +969,23 @@ Send out 1 invaid IPv4 packet built from command line to all hosts.
 trafgen can saturate a Gigabit Ethernet link without problems. As always,
 of course, this depends on your hardware as well. Not everywhere where it
 says Gigabit Ethernet on the box, will you reach almost physical line rate!
-Please also read the netsniff-ng(8) man page, section NOTE for further
-details about tuning your system e.g. with tuned(8).
+Please also read the
+.BR netsniff-ng (8)
+man page, section NOTE for further details about tuning your system e.g. with
+.BR tuned (8).
 .PP
 If you intend to use trafgen on a 10-Gbit/s Ethernet NIC, make sure you
-are using a multiqueue tc(8) discipline, and make sure that the packets
-you generate with trafgen will have a good distribution among tx_hashes
-so that you'll actually make use of multiqueues.
+are using a multiqueue
+.BR tc(8)
+discipline, and make sure that the packets you generate with trafgen will have a
+good distribution among tx_hashes so that you'll actually make use of
+multiqueues.
 .PP
 For introducing bit errors, delays with random variation and more, there
 is no built-in option in trafgen. Rather, one should reuse existing methods
-for that which integrate nicely with trafgen, such as tc(8) with its
-different disciplines, i.e. netem.
+for that which integrate nicely with trafgen, such as
+.BR tc (8)
+with its different disciplines, i.e. \fBnetem\fP.
 .PP
 For more complex packet configurations, it is recommended to use high-level
 scripting for generating trafgen packet configurations in a more automated