From 23c9a1e036445c17ec4bbc5d0fcbea4f588253c1 Mon Sep 17 00:00:00 2001 From: Gerald Combs Date: Mon, 11 Feb 2019 14:24:18 -0800 Subject: [PATCH] Convert the FAQ to Asciidoctor and remove old help files. Convert our self-generating FAQ to Asciidoctor via the following steps: - `help/faq.py > /tmp/faq.html`. - `pandoc -t asciidoc -o docbook/faq.adoc /tmp/faq.html`. - Manually clean up the markup using a text editor. Question and answer content was left intact. Removing or updating obsolete content will have to be done in a separate change. The Asciidoctor project uses the .adoc extension, so start using it here as well. The contents of the "help" directory appear to have been used for offline support in help_url.c, but that functionality was removed in 2008 in 242e3b78bc. Its content is covered in the User's Guide and man pages so remove it. Change-Id: I9060eefe97cfc137f8b414077c30f814379b576a Reviewed-on: https://code.wireshark.org/review/32014 Petri-Dish: Gerald Combs Tested-by: Petri Dish Buildbot Reviewed-by: Gerald Combs --- CMakeLists.txt | 58 +- docbook/CMakeLists.txt | 13 + docbook/faq.adoc | 1108 ++++++++++++++++++ help/capture_filters.txt | 78 -- help/capturing.txt | 82 -- help/display_filters.txt | 41 - help/faq.py | 1822 ----------------------------- help/getting_started.txt | 91 -- help/overview.txt | 36 - help/toc | 6 - packaging/nsis/CMakeLists.txt | 3 +- packaging/nsis/config.nsh.in | 2 +- packaging/nsis/wireshark.nsi | 11 +- packaging/wix/CMakeLists.txt | 3 +- packaging/wix/ComponentGroups.wxi | 53 +- packaging/wix/Features.wxi | 7 +- ui/help_url.c | 2 +- 17 files changed, 1151 insertions(+), 2265 deletions(-) create mode 100755 docbook/faq.adoc delete mode 100644 help/capture_filters.txt delete mode 100644 help/capturing.txt delete mode 100644 help/display_filters.txt delete mode 100755 help/faq.py delete mode 100644 help/getting_started.txt delete mode 100644 help/overview.txt delete mode 100644 help/toc diff --git a/CMakeLists.txt b/CMakeLists.txt index 8a2d37e820..6bfd0dcb47 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1638,15 +1638,6 @@ set(INSTALL_DIRS wimaxasncp ) -# FIXME: The help files are textfified on Windows into the staging dir. -# The DATAFILE_DIR depends on CMAKE_CFG_INTDIR therefore it cannot be -# added to an install() command with build systems supporting multiple -# configurations in the build tree (e.g.: Visual Studio). -if(NOT WIN32) - list(APPEND INSTALL_DIRS help) -endif() - - set(INSTALL_FILES cfilters colorfilters @@ -1883,12 +1874,6 @@ endif(WIN32) # List of extra dependencies for the "copy_data_files" target set(copy_data_files_depends) -# glob patterns relative to the source directory that should be copied to -# ${DATAFILE_DIR} (including directory prefixes) -set(DATA_FILES_SRC - "help/toc" -) - if(WIN32) foreach(_text_file ${TEXTIFY_FILES}) add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/${_text_file}.txt @@ -1929,45 +1914,6 @@ foreach(_install_file ${INSTALL_FILES}) list(APPEND copy_data_files_depends "${_output_file}") endforeach() -# faq.txt is handled separately below. -set(_help_source_files - help/capture_filters.txt - help/capturing.txt - help/display_filters.txt - help/getting_started.txt - help/overview.txt -) - -if(WIN32) - file(TO_NATIVE_PATH "${DATAFILE_DIR}/help" _help_dest_dir) - foreach(_help_file IN LISTS _help_source_files) - add_custom_command(OUTPUT "${DATAFILE_DIR}/${_help_file}" - COMMAND ${CMAKE_COMMAND} -E make_directory "${DATAFILE_DIR}/help" - COMMAND ${POWERSHELL_COMMAND} "${CMAKE_SOURCE_DIR}/tools/textify.ps1" - -Destination "${_help_dest_dir}" - "${CMAKE_SOURCE_DIR}/${_help_file}" - DEPENDS - "${CMAKE_SOURCE_DIR}/${_help_file}" - ) - list(APPEND copy_data_files_depends "${DATAFILE_DIR}/${_help_file}") - endforeach() -else() - list(APPEND DATA_FILES_SRC ${_help_source_files}) -endif(WIN32) - -# Create help/faq.txt when missing -add_custom_command(OUTPUT "${DATAFILE_DIR}/help/faq.txt" - COMMAND ${CMAKE_COMMAND} -E make_directory "${DATAFILE_DIR}/help" - COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_SOURCE_DIR}/help/faq.py -b > faq.tmp.html - COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_SOURCE_DIR}/tools/html2text.py - faq.tmp.html > "${DATAFILE_DIR}/help/faq.txt" - COMMAND ${CMAKE_COMMAND} -E remove faq.tmp.html - DEPENDS - "${CMAKE_SOURCE_DIR}/help/faq.py" - "${CMAKE_SOURCE_DIR}/tools/html2text.py" -) -list(APPEND copy_data_files_depends "${DATAFILE_DIR}/help/faq.txt") - # Install LUA files in staging directory such that LUA can used when Wireshark # is ran from the build directory. For install targets, see # epan/wslua/CMakeLists.txt @@ -1993,8 +1939,10 @@ if(LUA_FOUND AND ENABLE_LUA) endif(LUA_FOUND AND ENABLE_LUA) # doc/*.html handled elsewhere. +# Glob patterns relative to the source directory that should be copied to +# ${DATAFILE_DIR} (including directory prefixes) # TODO shouldn't this use full (relative) paths instead of glob patterns? -list(APPEND DATA_FILES_SRC +set(DATA_FILES_SRC "tpncp/tpncp.dat" "wimaxasncp/*.dtd" "wimaxasncp/*.xml" diff --git a/docbook/CMakeLists.txt b/docbook/CMakeLists.txt index df1d861e12..e1296b991f 100644 --- a/docbook/CMakeLists.txt +++ b/docbook/CMakeLists.txt @@ -535,6 +535,19 @@ if( ASCIIDOCTOR_FOUND ) ASCIIDOCTOR2TXT( release-notes.asciidoc ) endif() +# FAQ + +add_custom_target( faq_html DEPENDS faq.html ) +set_docbook_target_properties(faq_html) + +add_custom_target( faq ) +set_docbook_target_properties(faq) +add_dependencies ( faq faq_html ) + +if( ASCIIDOCTOR_FOUND ) + ASCIIDOCTOR2HTML( faq.adoc copy_ws.css ) +endif() + # # Editor modelines - http://www.wireshark.org/tools/modelines.html # diff --git a/docbook/faq.adoc b/docbook/faq.adoc new file mode 100755 index 0000000000..66c31e4f28 --- /dev/null +++ b/docbook/faq.adoc @@ -0,0 +1,1108 @@ += Wireshark Frequently Asked Questions +:stylesheet: ws.css +:toc: + +== General Questions + +=== What is Wireshark? + +Wireshark® is a network protocol analyzer. It lets you capture and +interactively browse the traffic running on a computer network. It has a +rich and powerful feature set and is world's most popular tool of its +kind. It runs on most computing platforms including Windows, macOS, +Linux, and UNIX. Network professionals, security experts, developers, +and educators around the world use it regularly. It is freely available +as open source, and is released under the GNU General Public License +version 2. + +It is developed and maintained by a global team of protocol experts, +and it is an example of a +https://en.wikipedia.org/wiki/Disruptive_technology[disruptive +technology]. + +Wireshark used to be known as Ethereal®. See the next question for +details about the name change. If you're still using Ethereal, it is +strongly recommended that you upgrade to Wireshark as Ethereal is +unsupported and has known security vulnerabilities. + +For more information, please see the +https://www.wireshark.org/about.html[About Wireshark] page. + +=== What's up with the name change? Is Wireshark a fork? + +In May of 2006, Gerald Combs (the original author of Ethereal) went +to work for CACE Technologies (best known for WinPcap). Unfortunately, +he had to leave the Ethereal trademarks behind. + +This left the project in an awkward position. The only reasonable way +to ensure the continued success of the project was to change the name. +This is how Wireshark was born. + +Wireshark is almost (but not quite) a fork. Normally a "fork" of an +open source project results in two names, web sites, development teams, +support infrastructures, etc. This is the case with Wireshark except for +one notable exception -- every member of the core development team is +now working on Wireshark. There has been no active development on +Ethereal since the name change. Several parts of the Ethereal web site` +(such as the mailing lists, source code repository, and build farm) have +gone offline. + +More information on the name change can be found here: + +* http://www.prweb.com/releases/2006/6/prweb396098.htm[Original press +release] +* http://archive09.linux.com/articles/54968[NewsForge article] +* Many other articles in https://www.wireshark.org/bibliography.html[our +bibliography] + +=== Where can I get help? + +Community support is available on the https://ask.wireshark.org/[Q&A +site] and on the wireshark-users mailing list. Subscription information +and archives for all of Wireshark's mailing lists can be found at +https://www.wireshark.org/mailman/listinfo[https://www.wireshark.org/mailman/listinfo]. +An IRC channel dedicated to Wireshark can be found at +irc://irc.freenode.net/wireshark[irc://irc.freenode.net/wireshark]. + +Self-paced and instructor-led training is available at +http://www.wiresharktraining.com[Wireshark University]. Wireshark +University also offers certification via the Wireshark Certified Network +Analyst program. + +=== What kind of shark is Wireshark? + +_carcharodon photoshopia_. + +=== How is Wireshark pronounced, spelled and capitalized? + +Wireshark is pronounced as the word _wire_ followed immediately by +the word _shark_. Exact pronunciation and emphasis may vary depending on +your locale (e.g. Arkansas). + +It's spelled with a capital _W_, followed by a lower-case _ireshark_. +It is not a CamelCase word, i.e., _WireShark_ is incorrect. + +=== How much does Wireshark cost? + +Wireshark is "free software"; you can download it without paying any +license fee. The version of Wireshark you download isn't a "demo" +version, with limitations not present in a "full" version; it _is_ the +full version. + +The license under which Wireshark is issued is +https://www.gnu.org/licenses/gpl-2.0.html[the GNU General Public License +version 2]. See +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html[the GNU GPL +FAQ] for some more information. + +=== But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off? + +That depends. Did they provide any sort of value-added product or +service, such as installation support, installation media, training, +trace file analysis, or funky-colored shark-themed socks? Probably not. + +Wireshark is https://www.wireshark.org/download.html[available for +anyone to download, absolutely free, at any time]. Paying for a copy +implies that you should get something for your money. + +=== Can I use Wireshark commercially? + +Yes, if, for example, you mean "I work for a commercial organization; +can I use Wireshark to capture and analyze network traffic in our +company's networks or in our customer's networks?" + +If you mean "Can I use Wireshark as part of my commercial product?", +see link:#derived_work_gpl[the next entry in the FAQ]. + +=== Can I use Wireshark as part of my commercial product? + +As noted, Wireshark is licensed under +https://www.gnu.org/licenses/gpl-2.0.html[the GNU General Public +License, version 2]. The GPL imposes conditions on your use of GPL'ed +code in your own products; you cannot, for example, make a "derived +work" from Wireshark, by making modifications to it, and then sell the +resulting derived work and not allow recipients to give away the +resulting work. You must also make the changes you've made to the +Wireshark source available to all recipients of your modified version; +those changes must also be licensed under the terms of the GPL. See the +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html[GPL FAQ] for +more details; in particular, note the answer to +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLCommercially[the +question about modifying a GPLed program and selling it commercially], +and +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#LinkingWithGPL[the +question about linking GPLed code with other code to make a proprietary +program]. + +You can combine a GPLed program such as Wireshark and a commercial +program as long as they communicate "at arm's length", as per +https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLInProprietarySystem[this +item in the GPL FAQ]. + +We recommend keeping Wireshark and your product completely separate, +communicating over sockets or pipes. If you're loading any part of +Wireshark as a DLL, you're probably doing it wrong. + +=== What protocols are currently supported? + +There are currently hundreds of supported protocols and media. +Details can be found in the +https://www.wireshark.org/docs/man-pages/wireshark.html[wireshark(1)] +man page. + +=== Are there any plans to support {your favorite protocol}? + +Support for particular protocols is added to Wireshark as a result of +people contributing that support; no formal plans for adding support for +particular protocols in particular future releases exist. + +=== Can Wireshark read capture files from {your favorite network analyzer}? + +Support for particular capture file formats is added to Wireshark as +a result of people contributing that support; no formal plans for adding +support for particular capture file formats in particular future +releases exist. + +If a network analyzer writes out files in a format already supported by +Wireshark (e.g., in libpcap format), Wireshark may already be able to +read them, unless the analyzer has added its own proprietary extensions +to that format. + +If a network analyzer writes out files in its own format, or has added +proprietary extensions to another format, in order to make Wireshark +read captures from that network analyzer, we would either have to have a +specification for the file format, or the extensions, sufficient to give +us enough information to read the parts of the file relevant to +Wireshark, or would need at least one capture file in that format *AND* +a detailed textual analysis of the packets in that capture file (showing +packet time stamps, packet lengths, and the top-level packet header) in +order to reverse-engineer the file format. + +Note that there is no guarantee that we will be able to +reverse-engineer a capture file format. + +=== What devices can Wireshark use to capture packets? + +Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial +(PPP and SLIP) (if the OS on which it's running allows Wireshark to do +so), 802.11 wireless LAN (if the OS on which it's running allows +Wireshark to do so), ATM connections (if the OS on which it's running +allows Wireshark to do so), and the "any" device supported on Linux by +recent versions of libpcap. + +See https://wiki.wireshark.org/CaptureSetup/NetworkMedia[the list of +supported capture media on various OSes] for details (several items in +there say "Unknown", which doesn't mean "Wireshark can't capture on +them", it means "we don't know whether it can capture on them"; we +expect that it will be able to capture on many of them, but we haven't +tried it ourselves - if you try one of those types and it works, please +update the wiki page accordingly. + +It can also read a variety of capture file formats, including: + +* AG Group/WildPackets/Savvius +EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet Grabber captures +* AIX's iptrace captures +* Accellent's 5Views LAN agent output +* Cinco Networks NetXRay captures +* Cisco Secure Intrusion Detection System IPLog output +* CoSine L2 debug output +* DBS Etherwatch VMS text output +* Endace Measurement Systems' ERF format captures +* EyeSDN USB S0 traces +* HP-UX nettl captures +* ISDN4BSD project i4btrace captures +* Linux Bluez Bluetooth stack hcidump -w traces +* Lucent/Ascend router debug output +* Microsoft Network Monitor captures +* Network Associates Windows-based Sniffer captures +* Network General/Network Associates DOS-based Sniffer (compressed or +uncompressed) captures +* Network Instruments Observer version 9 captures +* Novell LANalyzer captures +* RADCOM's WAN/LAN analyzer captures +* Shomiti/Finisar Surveyor captures +* Toshiba's ISDN routers dump output +* VMS TCPIPtrace/TCPtrace/UCX$TRACE output +* Visual Networks' Visual UpTime traffic capture +* libpcap, tcpdump and various other tools using tcpdump's capture +format +* snoop and atmsnoop output + +so that it can read traces from various network types, as captured by +other applications or equipment, even if it cannot itself capture on +those network types. + +=== Does Wireshark work on Windows Vista or Windows Server 2008? + +Yes, but if you want to capture packets as a normal user, you must +make sure npf.sys is loaded. Wireshark's installer enables this by +default. This is not a concern if you run Wireshark as Administrator, +but this is discouraged. See the +https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#windows[CapturePrivileges] +page on the wiki for more details. + +== Installing Wireshark + +=== I installed the Wireshark RPM (or other package); why did it install TShark but not Wireshark? + +Many distributions have separate Wireshark packages, one for non-GUI +components such as TShark, editcap, dumpcap, etc. and one for the GUI. +If this is the case on your system, there's probably a separate package +named “wireshark-qt”. Find it and install it. + +== Building Wireshark + +=== I have libpcap installed; why did the configure script not find pcap.h or bpf.h? + +Are you sure pcap.h and bpf.h are installed? The official +distribution of libpcap only installs the libpcap.a library file when +"make install" is run. To install pcap.h and bpf.h, you must run "make +install-incl". If you're running Debian or Redhat, make sure you have +the "libpcap-dev" or "libpcap-devel" packages installed. + +It's also possible that pcap.h and bpf.h have been installed in a +strange location. If this is the case, you may have to tweak aclocal.m4. + +== Starting Wireshark + +=== When I try to run Wireshark, why does it complain about `sprint_realloc_objid` being undefined? + +Wireshark can only be linked with version 4.2.2 or later of UCD SNMP. +Your version of Wireshark was dynamically linked with such a version of +UCD SNMP; however, you have an older version of UCD SNMP installed, +which means that when Wireshark is run, it tries to link to the older +version, and fails. You will have to replace that version of UCD SNMP +with version 4.2.2 or a later version. + +=== I've installed Wireshark from Fink on macOS; why is it very slow to start up? + +When an application is installed on macOS, prior to 10.4, it is +usually "prebound" to speed up launching the application. (That's what +the "Optimizing" phase of installation is.) + +Fink normally performs prebinding automatically when you install a +package. However, in some rare cases, for whatever reason the prebinding +caches get corrupt, and then not only does prebinding fail, but startup +actually becomes much slower, because the system tries in vain to +perform prebinding "on the fly" as you launch the application. This +fails, causing sometimes huge delays. + +To fix the prebinding caches, run the command + +---- +$ sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f +---- + +== Crashes and other fatal errors + +=== I have an XXX network card on my machine; if I try to capture on it, why does my machine crash or reset itself? + +This is almost certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the libpcap/Npcap library and, if this is Windows, the Npcap device +driver; + +so: + +* if you are using Windows, see https://nmap.org/npcap/[the Npcap +support page] - check the "Patches, Bug Reports, Questions, Suggestions, +etc" section; +* if you are using some Linux distribution, some version of BSD, or some +other UNIX-flavored OS, you should report the problem to the company or +organization that produces the OS (in the case of a Linux distribution, +report the problem to whoever produces the distribution). + +=== Why does my machine crash or reset itself when I select "Start" from the "Capture" menu or select "Preferences" from the "Edit" menu? + +Both of those operations cause Wireshark to try to build a list of +the interfaces that it can open; it does so by getting a list of +interfaces and trying to open them. There is probably an OS, driver, or, +for Windows, Npcap bug that causes the system to crash when this +happens; see the previous question. + +== Capturing packets + +[[promiscsniff]] +=== When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor? + +This might be because the interface on which you're capturing is +plugged into an Ethernet or Token Ring switch; on a switched network, +unicast traffic between two ports will not necessarily appear on other +ports - only broadcast and multicast traffic will be sent to all ports. + +Note that even if your machine is plugged into a hub, the "hub" may be +a switched hub, in which case you're still on a switched network. + +Note also that on the Linksys Web site, they say that their +auto-sensing hubs "broadcast the 10Mb packets to the port that operate +at 10Mb only and broadcast the 100Mb packets to the ports that operate +at 100Mb only", which would indicate that if you sniff on a 10Mb port, +you will not see traffic coming sent to a 100Mb port, and _vice versa_. +This problem has also been reported for Netgear dual-speed hubs, and may +exist for other "auto-sensing" or "dual-speed" hubs. + +Some switches have the ability to replicate all traffic on all ports to +a single port so that you can plug your analyzer into that single port +to sniff all traffic. You would have to check the documentation for the +switch to see if this is possible and, if so, to see how to do this. See +https://wiki.wireshark.org/SwitchReference[the switch reference page] on +https://wiki.wireshark.org/[the Wireshark Wiki] for information on some +switches. (Note that it's a Wiki, so you can update or fix that +information, or add additional information on those switches or +information on new switches, yourself.) + +Note also that many firewall/NAT boxes have a switch built into them; +this includes many of the "cable/DSL router" boxes. If you have a box of +that sort, that has a switch with some number of Ethernet ports into +which you plug machines on your network, and another Ethernet port used +to connect to a cable or DSL modem, you can, at least, sniff traffic +between the machines on your network and the Internet by plugging the +Ethernet port on the router going to the modem, the Ethernet port on the +modem, and the machine on which you're running Wireshark into a hub +(make sure it's not a switching hub, and that, if it's a dual-speed hub, +all three of those ports are running at the same speed. + +If your machine is _not_ plugged into a switched network or a +dual-speed hub, or it is plugged into a switched network but the port is +set up to have all traffic replicated to it, the problem might be that +the network interface on which you're capturing doesn't support +"promiscuous" mode, or because your OS can't put the interface into +promiscuous mode. Normally, network interfaces supply to the host only: + +* packets sent to one of that host's link-layer addresses; +* broadcast packets; +* multicast packets sent to a multicast address that the host has +configured the interface to accept. + +Most network interfaces can also be put in "promiscuous" mode, in which +they supply to the host all network packets they see. Wireshark will try +to put the interface on which it's capturing into promiscuous mode +unless the "Capture packets in promiscuous mode" option is turned off in +the "Capture Options" dialog box, and TShark will try to put the +interface on which it's capturing into promiscuous mode unless the `-p` +option was specified. However, some network interfaces don't support +promiscuous mode, and some OSes might not allow interfaces to be put +into promiscuous mode. + +If the interface is not running in promiscuous mode, it won't see any +traffic that isn't intended to be seen by your machine. It *will* see +broadcast packets, and multicast packets sent to a multicast MAC address +the interface is set up to receive. + +You should ask the vendor of your network interface whether it supports +promiscuous mode. If it does, you should ask whoever supplied the driver +for the interface (the vendor, or the supplier of the OS you're running +on your machine) whether it supports promiscuous mode with that network +interface. + +In the case of token ring interfaces, the drivers for some of them, on +Windows, may require you to enable promiscuous mode in order to capture +in promiscuous mode. See +https://wiki.wireshark.org/CaptureSetup/TokenRing[the Wireshark Wiki +item on Token Ring capturing] for details. + +In the case of wireless LAN interfaces, it appears that, when those +interfaces are promiscuously sniffing, they're running in a +significantly different mode from the mode that they run in when they're +just acting as network interfaces (to the extent that it would be a +significant effort for those drivers to support for promiscuously +sniffing _and_ acting as regular network interfaces at the same time), +so it may be that Windows drivers for those interfaces don't support +promiscuous mode. + +=== When I capture with Wireshark, why can't I see any TCP packets other than packets to and from my machine, even though another analyzer on the network sees those packets? + +You're probably not seeing _any_ packets other than unicast packets +to or from your machine, and broadcast and multicast packets; a switch +will normally send to a port only unicast traffic sent to the MAC +address for the interface on that port, and broadcast and multicast +traffic - it won't send to that port unicast traffic sent to a MAC +address for some other interface - and a network interface not in +promiscuous mode will receive only unicast traffic sent to the MAC +address for that interface, broadcast traffic, and multicast traffic +sent to a multicast MAC address the interface is set up to receive. + +TCP doesn't use broadcast or multicast, so you will only see your own +TCP traffic, but UDP services may use broadcast or multicast so you'll +see some UDP traffic - however, this is not a problem with TCP traffic, +it's a problem with unicast traffic, as you also won't see all UDP +traffic between other machines. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== Why am I only seeing ARP packets when I try to capture traffic? + +You're probably on a switched network, and running Wireshark on a +machine that's not sending traffic to the switch and not being sent any +traffic from other machines on the switch. ARP packets are often +broadcast packets, which are sent to all switch ports. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== Why am I not seeing any traffic when I try to capture traffic? + +Is the machine running Wireshark sending out any traffic on the +network interface on which you're capturing, or receiving any traffic on +that network, or is there any broadcast traffic on the network or +multicast traffic to a multicast group to which the machine running +Wireshark belongs? + +If not, this may just be a problem with promiscuous sniffing, either +due to running on a switched network or a dual-speed hub, or due to +problems with the interface not supporting promiscuous mode; see the +response to link:#promiscsniff[this earlier question]. + +Otherwise, on Windows, see the response to link:#capprobwin[this +question] and, on a UNIX-flavored OS, see the response to +link:#capprobunix[this question]. + +=== Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)? + +Wireshark can only capture on devices supported by libpcap/Npcap. On +most OSes, only devices that can act as network interfaces of the type +that support IP are supported as capture devices for libpcap/Npcap, +although the device doesn't necessarily have to be running as an IP +interface in order to support traffic capture. + +On Linux and FreeBSD, libpcap 0.8 and later support the API for +http://www.endace.com/products.htm[Endace Measurement Systems' DAG +cards], so that a system with one of those cards, and its driver and +libraries, installed can capture traffic with those cards with +libpcap-based applications. You would either have to have a version of +Wireshark built with that version of libpcap, or a dynamically-linked +version of Wireshark and a shared libpcap library with DAG support, in +order to do so with Wireshark. You should ask Endace whether that could +be used to capture traffic on, for example, your T1/E1 link. + +See https://wiki.wireshark.org/CaptureSetup/SS7[the SS7 capture setup +page] on https://wiki.wireshark.org/[the Wireshark Wiki] for current +information on capturing SS7 traffic on TDM links. + +=== How do I put an interface into promiscuous mode? + +By not disabling promiscuous mode when running Wireshark or TShark. + +Note, however, that: + +* the form of promiscuous mode that libpcap (the library that programs +such as tcpdump, Wireshark, etc. use to do packet capture) turns on will +*not* necessarily be shown if you run `ifconfig` on the interface on a +UNIX system; +* some network interfaces might not support promiscuous mode, and some +drivers might not allow promiscuous mode to be turned on - see +link:#promiscsniff[this earlier question] for more information on that; +* the fact that you're not seeing any traffic, or are only seeing +broadcast traffic, or aren't seeing any non-broadcast traffic other than +traffic to or from the machine running Wireshark, does not mean that +promiscuous mode isn't on - see link:#promiscsniff[this earlier +question] for more information on that. + +I.e., this is probably link:#promiscsniff[the same question as this +earlier one]; see the response to that question. + +=== I can set a display filter just fine; why don't capture filters work? + +Capture filters currently use a different syntax than display +filters. Here's the corresponding section from the +https://www.wireshark.org/docs/man-pages/wireshark.html[wireshark(1)] +man page: + +"Display filters in Wireshark are very powerful; more fields are +filterable in Wireshark than in other protocol analyzers, and the syntax +you can use to create your filters is richer. As Wireshark progresses, +expect more and more protocol fields to be allowed in display filters. + +Packet capturing is performed with the pcap library. The capture filter +syntax follows the rules of the pcap library. This syntax is different +from the display filter syntax." + +The capture filter syntax used by libpcap can be found in the +http://www.tcpdump.org/tcpdump_man.html[tcpdump(8)] man page. + +=== How can I capture packets with CRC errors? + +Wireshark can capture only the packets that the packet capture +library - libpcap on UNIX-flavored OSes, and the Npcap port to Windows +of libpcap on Windows - can capture, and libpcap/Npcap can capture only +the packets that the OS's raw packet capture mechanism (or the Npcap +driver, and the underlying OS networking code and network interface +drivers, on Windows) will allow it to capture. + +Unless the OS always supplies packets with errors such as invalid CRCs +to the raw packet capture mechanism, or can be configured to do so, +invalid CRCs to the raw packet capture mechanism, Wireshark - and other +programs that capture raw packets, such as tcpdump - cannot capture +those packets. You will have to determine whether your OS needs to be so +configured and, if so, can be so configured, configure it if necessary +and possible, and make whatever changes to libpcap and the packet +capture program you're using are necessary, if any, to support capturing +those packets. + +Most OSes probably do *not* support capturing packets with invalid CRCs +on Ethernet, and probably do not support it on most other link-layer +types. Some drivers on some OSes do support it, such as some Ethernet +drivers on FreeBSD; in those OSes, you might always get those packets, +or you might only get them if you capture in promiscuous mode (you'd +have to determine which is the case). + +Note that libpcap does not currently supply to programs that use it an +indication of whether the packet's CRC was invalid (because the drivers +themselves do not supply that information to the raw packet capture +mechanism); therefore, Wireshark will not indicate which packets had CRC +errors unless the FCS was captured (see the next question) and you're +using Wireshark 0.9.15 and later, in which case Wireshark will check the +CRC and indicate whether it's correct or not. + +=== How can I capture entire frames, including the FCS? + +Wireshark can only capture data that the packet capture library - +libpcap on UNIX-flavored OSes, and the Npcap port to Windows of libpcap +on Windows - can capture, and libpcap/Npcap can capture only the data +that the OS's raw packet capture mechanism (or the Npcap driver, and the +underlying OS networking code and network interface drivers, on Windows) +will allow it to capture. + +For any particular link-layer network type, unless the OS supplies the +FCS of a frame as part of the frame, or can be configured to do so, +Wireshark - and other programs that capture raw packets, such as tcpdump +- cannot capture the FCS of a frame. You will have to determine whether +your OS needs to be so configured and, if so, can be so configured, +configure it if necessary and possible, and make whatever changes to +libpcap and the packet capture program you're using are necessary, if +any, to support capturing the FCS of a frame. + +Most OSes do *not* support capturing the FCS of a frame on Ethernet, +and probably do not support it on most other link-layer types. Some +drivres on some OSes do support it, such as some (all?) Ethernet drivers +on NetBSD and possibly the driver for Apple's gigabit Ethernet interface +in macOS; in those OSes, you might always get the FCS, or you might only +get the FCS if you capture in promiscuous mode (you'd have to determine +which is the case). + +Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in +a captured packet as an FCS. 0.9.15 and later will attempt to determine +whether there's an FCS at the end of the frame and, if it thinks there +is, will display it as such, and will check whether it's the correct +CRC-32 value or not. + +=== I'm capturing packets on a machine on a VLAN; why don't the packets I'm capturing have VLAN tags? + +You might be capturing on what might be called a "VLAN interface" - +the way a particular OS makes VLANs plug into the networking stack +might, for example, be to have a network device object for the physical +interface, which takes VLAN packets, strips off the VLAN header and +constructs an Ethernet header, and passes that packet to an internal +network device object for the VLAN, which then passes the packets onto +various higher-level protocol implementations. + +In order to see the raw Ethernet packets, rather than "de-VLANized" +packets, you would have to capture not on the virtual interface for the +VLAN, but on the interface corresponding to the physical network device, +if possible. See https://wiki.wireshark.org/CaptureSetup/VLAN[the +Wireshark Wiki item on VLAN capturing] for details. + +=== Why does Wireshark hang after I stop a capture? + +The most likely reason for this is that Wireshark is trying to look +up an IP address in the capture to convert it to a name (so that, for +example, it can display the name in the source address or destination +address columns), and that lookup process is taking a very long time. + +Wireshark calls a routine in the OS of the machine on which it's +running to convert of IP addresses to the corresponding names. That +routine probably does one or more of: + +* a search of a system file listing IP addresses and names; +* a lookup using DNS; +* on UNIX systems, a lookup using NIS; +* on Windows systems, a NetBIOS-over-TCP query. + +If a DNS server that's used in an address lookup is not responding, the +lookup will fail, but will only fail after a timeout while the system +routine waits for a reply. + +In addition, on Windows systems, if the DNS lookup of the address +fails, either because the server isn't responding or because there are +no records in the DNS that could be used to map the address to a name, a +NetBIOS-over-TCP query will be made. That query involves sending a +message to the NetBIOS-over-TCP name service on that machine, asking for +the name and other information about the machine. If the machine isn't +running software that responds to those queries - for example, many +non-Windows machines wouldn't be running that software - the lookup will +only fail after a timeout. Those timeouts can cause the lookup to take a +long time. + +If you disable network address-to-name translation - for example, by +turning off the "Enable network name resolution" option in the "Capture +Options" dialog box for starting a network capture - the lookups of the +address won't be done, which may speed up the process of reading the +capture file after the capture is stopped. You can make that setting the +default by selecting "Preferences" from the "Edit" menu, turning off the +"Enable network name resolution" option in the "Name resolution" options +in the preferences disalog box, and using the "Save" button in that +dialog box; note that this will save _all_ your current preference +settings. + +If Wireshark hangs when reading a capture even with network name +resolution turned off, there might, for example, be a bug in one of +Wireshark's dissectors for a protocol causing it to loop infinitely. If +you're not running the most recent release of Wireshark, you should +first upgrade to that release, as, if there's a bug of that sort, it +might've been fixed in a release after the one you're running. If the +hang occurs in the most recent release of Wireshark, the bug should be +reported to mailto:wireshark-dev@wireshark.org[the Wireshark developers' +mailing list] at `wireshark-dev@wireshark.org`. + +On UNIX-flavored OSes, please try to force Wireshark to dump core, by +sending it a `SIGABRT` signal (usually signal 6) with the `kill` +command, and then get a stack trace if you have a debugger installed. A +stack trace can be obtained by using your debugger (`gdb` in this +example), the Wireshark binary, and the resulting core file. Here's an +example of how to use the gdb command `backtrace` to do so. + +---- +$ gdb wireshark core +(gdb) backtrace +..... prints the stack trace +(gdb) quit +$ +---- + +The core dump file may be named "wireshark.core" rather than "core" on +some platforms (e.g., BSD systems). + +Also, if at all possible, please send a copy of the capture file that +caused the problem. When capturing packets, Wireshark normally writes +captured packets to a temporary file, which will probably be in `/tmp` +or `/var/tmp` on UNIX-flavored OSes, `\TEMP` on the main system disk +(normally `\Documents and Settings\`your login name +`\Local Settings\Temp` on the main system disk on Windows Windows XP and +Server 2003, and `\Users\your login name\AppData\Local\Temp` on the main +system disk on Windows Vista and later, so the capture file will +probably be there. If you are capturing on a single interface, it will +have a name of the form, +`wireshark__YYYYmmddHHMMSS_XXXXXX.`, where is the +capture file format (pcap or pcapng), and is the actual name of +the interface you are capturing on; otherwise, if you are capturing on +multiple interfaces, it will have a name of the form, +`wireshark__interfaces_YYYYmmddHHMMSS_XXXXXX.`, where is the +number of simultaneous interfaces you are capturing on. Please don't +send a trace file greater than 1 MB when compressed; instead, make it +available via FTP or HTTP, or say it's available but leave it up to a +developer to ask for it. If the trace file contains sensitive +information (e.g., passwords), then please do not send it. + +== Capturing packets on Windows + +[[capprobwin]] +=== I'm running Wireshark on Windows; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface? + +Wireshark relies on the Npcap library, on the Npcap device driver, +and and on the facilities that come with the OS on which it's running in +order to do captures. + +Therefore, if the OS, the Npcap library, or the Npcap driver don't +support capturing on a particular network interface device, Wireshark +won't be able to capture on that device. + +If an interface doesn't show up in the list of interfaces in the +"Interface:" field, and you know the name of the interface, try entering +that name in the "Interface:" field and capturing on that device. + +If the attempt to capture on it succeeds, the interface is somehow not +being reported by the mechanism Wireshark uses to get a list of +interfaces. Try listing the interfaces with WinDump; see +https://www.windump.org/[the WinDump Web site] for information on using +WinDump. + +You would run WinDump with the `-D` flag; if it lists the interface, +please report this to +mailto:wireshark-dev@wireshark.org[wireshark-dev@wireshark.org] giving +full details of the problem, including + +* the operating system you're using, and the version of that operating +system; +* the type of network device you're using; +* the output of WinDump. + +If WinDump does _not_ list the interface, this is almost certainly a +problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the WinPcap library and/or the WinPcap device driver; + +so first check https://nmap.org/npcap/guide/[the Npcap User's Guide] to +see if your problem is mentioned there. If not, then see +https://nmap.org/npcap/[the main Npcap page] - check the "Patches, Bug +Reports, Questions, Suggestions, etc" section. + +If you are having trouble capturing on a particular network interface, +first try capturing on that device with WinDump; see +https://www.windump.org/[the WinDump Web site] for information on using +WinDump. + +If you can capture on the interface with WinDump, send mail to +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] +giving full details of the problem, including + +* the operating system you're using, and the version of that operating +system; +* the type of network device you're using; +* the error message you get from Wireshark. + +If you _cannot_ capture on the interface with WinDump, this is almost +certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the Npcap library and/or the Npcap device driver; + +so first check https://nmap.org/npcap/guide/[the Npcap User's Guide] to +see if your problem is mentioned there. If not, then see +https://nmap.org/npcap/[the main Npcap page] - check the "Patches, Bug +Reports, Questions, Suggestions, etc" section. + +You may also want to ask the +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] and +the mailto:winpcap-users@winpcap.org[winpcap-users@winpcap.org] mailing +lists to see if anybody happens to know about the problem and know a +workaround or fix for the problem. (Note that you will have to subscribe +to that list in order to be allowed to mail to it; see +https://nmap.org/npcap/[the Npcap support page] for information on the +mailing list.) In your mail, please give full details of the problem, as +described above, and also indicate that the problem occurs with WinDump, +not just with Wireshark. + +=== I'm running Wireshark on Windows; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? + +This is really link:#capprobwin[the same question as a previous one]; +see the response to that question. + +=== I'm running Wireshark on Windows; why am I not seeing any traffic being sent by the machine running Wireshark? + +If you are running some form of VPN client software, it might be +causing this problem; people have seen this problem when they have Check +Point's VPN software installed on their machine. If that's the cause of +the problem, you will have to remove the VPN software in order to have +Wireshark (or any other application using Npcap) see outgoing packets; +unfortunately, neither we nor the Npcap developers know any way to make +Npcap and the VPN software work well together. + +Also, some drivers for Windows (especially some wireless network +interface drivers) apparently do not, when running in promiscuous mode, +arrange that outgoing packets are delivered to the software that +requested that the interface run promiscuously; try turning promiscuous +mode off. + +=== When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety? + +In at least some cases, this appears to be the result of PGPnet +running on the network interface on which you're capturing; turn it off +on that interface. + +=== I'm trying to capture 802.11 traffic on Windows; why am I not seeing any packets? + +At least some 802.11 card drivers on Windows appear not to see any +packets if they're running in promiscuous mode. Try turning promiscuous +mode off; you'll only be able to see packets sent by and received by +your machine, not third-party traffic, and it'll look like Ethernet +traffic and won't include any management or control frames, but that's a +limitation of the card drivers. + +See the archived +https://web.archive.org/web/20090226193157/http://www.micro-logix.com/winpcap/Supported.asp[MicroLogix's +list of cards supported with WinPcap] for information on support of +various adapters and drivers with WinPcap. + +=== I'm trying to capture 802.11 traffic on Windows; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine? + +This appears to be another problem with promiscuous mode; try turning +it off. + +=== I'm trying to capture Ethernet VLAN traffic on Windows, and I'm capturing on a "raw" Ethernet device rather than a "VLAN interface", so that I can see the VLAN headers; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine? + +The way the Windows networking code works probably means that packets +are sent on a "VLAN interface" rather than the "raw" device, so packets +sent by the machine will only be seen when you capture on the "VLAN +interface". If so, you will be unable to see outgoing packets when +capturing on the "raw" device, so you are stuck with a choice between +seeing VLAN headers and seeing outgoing packets. + +== Capturing packets on UN*Xes + +[[capprobunix]] +=== I'm running Wireshark on a UNIX-flavored OS; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface? + +You may need to run Wireshark from an account with sufficient +privileges to capture packets, such as the super-user account, or may +need to give your account sufficient privileges to capture packets. Only +those interfaces that Wireshark can open for capturing show up in that +list; if you don't have sufficient privileges to capture on any +interfaces, no interfaces will show up in the list. See +https://wiki.wireshark.org/CaptureSetup/CapturePrivileges[the Wireshark +Wiki item on capture privileges] for details on how to give a particular +account or account group capture privileges on platforms where that can +be done. + +If you are running Wireshark from an account with sufficient +privileges, then note that Wireshark relies on the libpcap library, and +on the facilities that come with the OS on which it's running in order +to do captures. On some OSes, those facilities aren't present by +default; see https://wiki.wireshark.org/CaptureSetup/CaptureSupport[the +Wireshark Wiki item on adding capture support] for details. + +And, even if you're running with an account that has sufficient +privileges to capture, and capture support is present in your OS, if the +OS or the libpcap library don't support capturing on a particular +network interface device or particular types of devices, Wireshark won't +be able to capture on that device. + +On Solaris, note that libpcap 0.6.2 and earlier didn't support Token +Ring interfaces; the current version, 0.7.2, does support Token Ring, +and the current version of Wireshark works with libpcap 0.7.2 and later. + +If an interface doesn't show up in the list of interfaces in the +"Interface:" field, and you know the name of the interface, try entering +that name in the "Interface:" field and capturing on that device. + +If the attempt to capture on it succeeds, the interface is somehow not +being reported by the mechanism Wireshark uses to get a list of +interfaces; please report this to +mailto:wireshark-dev@wireshark.org[wireshark-dev@wireshark.org] giving +full details of the problem, including + +* the operating system you're using, and the version of that operating +system (for Linux, give both the version number of the kernel and the +name and version number of the distribution you're using); +* the type of network device you're using. + +If you are having trouble capturing on a particular network interface, +and you've made sure that (on platforms that require it) you've arranged +that packet capture support is present, as per the above, first try +capturing on that device with `tcpdump`. + +If you can capture on the interface with `tcpdump`, send mail to +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] +giving full details of the problem, including + +* the operating system you're using, and the version of that operating +system (for Linux, give both the version number of the kernel and the +name and version number of the distribution you're using); +* the type of network device you're using; +* the error message you get from Wireshark. + +If you _cannot_ capture on the interface with `tcpdump`, this is almost +certainly a problem with one or more of: + +* the operating system you're using; +* the device driver for the interface you're using; +* the libpcap library; + +so you should report the problem to the company or organization that +produces the OS (in the case of a Linux distribution, report the problem +to whoever produces the distribution). + +You may also want to ask the +mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] and +the +mailto:tcpdump-workers@lists.tcpdump.org[tcpdump-workers@lists.tcpdump.org] +mailing lists to see if anybody happens to know about the problem and +know a workaround or fix for the problem. In your mail, please give full +details of the problem, as described above, and also indicate that the +problem occurs with `tcpdump` not just with Wireshark. + +=== I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? + +This is really link:#capprobunix[the same question as the previous +one]; see the response to that question. + +=== I'm capturing packets on Linux; why do the time stamps have only 100ms resolution, rather than 1us resolution? + +Wireshark gets time stamps from libpcap/Npcap, and libpcap/Npcap get +them from the OS kernel, so Wireshark - and any other program using +libpcap, such as tcpdump - is at the mercy of the time stamping code in +the OS for time stamps. + +At least on x86-based machines, Linux can get high-resolution time +stamps on newer processors with the Time Stamp Counter (TSC) register; +for example, Intel x86 processors, starting with the Pentium Pro, and +including all x86 processors since then, have had a TSC, and other +vendors probably added the TSC at some point to their families of x86 +processors. The Linux kernel must be configured with the CONFIG_X86_TSC +option enabled in order to use the TSC. Make sure this option is enabled +in your kernel. + +In addition, some Linux distributions may have bugs in their versions +of the kernel that cause packets not to be given high-resolution time +stamps even if the TSC is enabled. See, for example, bug 61111 for Red +Hat Linux 7.2. If your distribution has a bug such as this, you may have +to run a standard kernel from kernel.org in order to get high-resolution +time stamps. + +== Capturing packets on wireless LANs + +=== How can I capture raw 802.11 frames, including non-data (management, beacon) frames? + +That depends on the operating system on which you're running, and on +the 802.11 interface on which you're capturing. + +This would probably require that you capture in promiscuous mode or in +the mode called "monitor mode" or "RFMON mode". On some platforms, or +with some cards, this might require that you capture in monitor mode - +promiscuous mode might not be sufficient. If you want to capture traffic +on networks other than the one with which you're associated, you will +have to capture in monitor mode. + +Not all operating systems support capturing non-data packets and, even +on operating systems that do support it, not all drivers, and thus not +all interfaces, support it. Even on those that do, monitor mode might +not be supported by the operating system or by the drivers for all +interfaces. + +*NOTE:* an interface running in monitor mode will, on most if not all +platforms, not be able to act as a regular network interface; putting it +into monitor mode will, in effect, take your machine off of whatever +network it's on as long as the interface is in monitor mode, allowing it +only to passively capture packets. + +This means that you should disable name resolution when capturing in +monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries to +display IP addresses as host names, it will probably block for a long +time trying to resolve the name because it will not be able to +communicate with any DNS or NIS servers. + +See https://wiki.wireshark.org/CaptureSetup/WLAN[the Wireshark Wiki +item on 802.11 capturing] for details. + +=== How do I capture on an 802.11 device in monitor mode? + +Whether you will be able to capture in monitor mode depends on the +operating system, adapter, and driver you're using. See +link:#raw_80211_sniff[the previous question] for information on monitor +mode, including a link to the Wireshark Wiki page that gives details on +802.11 capturing. + +== Viewing traffic + +=== Why am I seeing lots of packets with incorrect TCP checksums? + +If the packets that have incorrect TCP checksums are all being sent +by the machine on which Wireshark is running, this is probably because +the network interface on which you're capturing does TCP checksum +offloading. That means that the TCP checksum is added to the packet by +the network interface, not by the OS's TCP/IP stack; when capturing on +an interface, packets being sent by the host on which you're capturing +are directly handed to the capture interface by the OS, which means that +they are handed to the capture interface without a TCP checksum being +added to them. + +The only way to prevent this from happening would be to disable TCP +checksum offloading, but + +1. that might not even be possible on some OSes; +2. that could reduce networking performance significantly. + +However, you can disable the check that Wireshark does of the TCP +checksum, so that it won't report any packets as having TCP checksum +errors, and so that it won't refuse to do TCP reassembly due to a packet +having an incorrect TCP checksum. That can be set as an Wireshark +preference by selecting "Preferences" from the "Edit" menu, opening up +the "Protocols" list in the left-hand pane of the "Preferences" dialog +box, selecting "TCP", from that list, turning off the "Check the +validity of the TCP checksum when possible" option, clicking "Save" if +you want to save that setting in your preference file, and clicking +"OK". + +It can also be set on the Wireshark or TShark command line with a +`-o tcp.check_checksum:false` command-line flag, or manually set in your +preferences file by adding a `tcp.check_checksum:false` line. + +=== I've just installed Wireshark, and the traffic on my local LAN is boring. Where can I find more interesting captures? + +We have a collection of strange and exotic sample capture files at +https://wiki.wireshark.org/SampleCaptures[https://wiki.wireshark.org/SampleCaptures] + +=== Why doesn't Wireshark correctly identify RTP packets? It shows them only as UDP. + +Wireshark can identify a UDP datagram as containing a packet of a +particular protocol running atop UDP only if + +1. The protocol in question has a particular standard port number, and +the UDP source or destination port number is that port +2. Packets of that protocol can be identified by looking for a +"signature" of some type in the packet - i.e., some data that, if +Wireshark finds it in some particular part of a packet, means that the +packet is almost certainly a packet of that type. +3. Some _other_ traffic earlier in the capture indicated that, for +example, UDP traffic between two particular addresses and ports will be +RTP traffic. + +RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, +as far as I know, have any "signature", so 2) doesn't work. + +That leaves 3). If there's RTSP traffic that sets up an RTP session, +then, at least in some cases, the RTSP dissector will set things up so +that subsequent RTP traffic will be identified. Currently, that's the +only place we do that; there may be other places. + +However, there will always be places where Wireshark is simply +*incapable* of deducing that a given UDP flow is RTP; a mechanism would +be needed to allow the user to specify that a given conversation should +be treated as RTP. As of Wireshark 0.8.16, such a mechanism exists; if +you select a UDP or TCP packet, the right mouse button menu will have a +"Decode As..." menu item, which will pop up a dialog box letting you +specify that the source port, the destination port, or both the source +and destination ports of the packet should be dissected as some +particular protocol. + +=== Why doesn't Wireshark show Yahoo Messenger packets in captures that contain Yahoo Messenger traffic? + +Wireshark only recognizes as Yahoo Messenger traffic packets to or +from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP +segments that start with the middle of a Yahoo Messenger packet that +takes more than one TCP segment will not be recognized as Yahoo +Messenger packets (even if the TCP segment also contains the beginning +of another Yahoo Messenger packet). + +== Filtering traffic + +=== I saved a filter and tried to use its name to filter the display; why do I get an "Unexpected end of filter string" error? + +You cannot use the name of a saved display filter as a filter. To +filter the display, you can enter a display filter expression - *not* +the name of a saved display filter - in the "Filter:" box at the bottom +of the display, and type the key or press the "Apply" button +(that does not require you to have a saved filter), or, if you want to +use a saved filter, you can press the "Filter:" button, select the +filter in the dialog box that pops up, and press the "OK" button. + +=== How can I search for, or filter, packets that have a particular string anywhere in them? + +If you want to do this when capturing, you can't. That's a feature +that would be hard to implement in capture filters without changes to +the capture filter code, which, on many platforms, is in the OS kernel +and, on other platforms, is in the libpcap library. + +After capture, you can search for text by selecting _Edit→Find +Packet..._ and making sure _String_ is selected. Alternately, you can +use the "contains" display filter operator or "matches" operator if it's +supported on your system. + +=== How do I filter a capture to see traffic for virus XXX? + +For some viruses/worms there might be a capture filter to recognize +the virus traffic. Check the +https://wiki.wireshark.org/CaptureFilters[CaptureFilters] page on the +https://wiki.wireshark.org/[Wireshark Wiki] to see if anybody's added +such a filter. + +Note that Wireshark was not designed to be an intrusion detection +system; you might be able to use it as an IDS, but in most cases +software designed to be an IDS, such as https://www.snort.org/[Snort] or +https://www.prelude-siem.org/[Prelude], will probably work better. diff --git a/help/capture_filters.txt b/help/capture_filters.txt deleted file mode 100644 index a238f7d936..0000000000 --- a/help/capture_filters.txt +++ /dev/null @@ -1,78 +0,0 @@ -Filtering packets while capturing ---------------------------------- -Capture Filters are used to filter out uninteresting packets already at capture time. This is done to reduce the size of the resulting capture (file) and is especially useful on high traffic networks or for long term capturing. - -Wireshark uses the pcap (libpcap/WinPcap) filter language for capture filters. This language is explained in the tcpdump man page under "expression" (http://www.tcpdump.org and search for "selects which"). - -Note: This capture filter language is different from the one used for the Wireshark display filters! - -------------------------------------------------- - -Some common examples --------------------- -Example Ethernet: capture all traffic to and from the Ethernet address 08:00:08:15:ca:fe - -ether host 08:00:08:15:ca:fe - -Example IP: capture all traffic to and from the IP address 192.168.0.10 - -host 192.168.0.10 - -Example TCP: capture all traffic to and from the TCP port 80 (http) of all machines - -tcp port 80 - -Examples combined: capture all traffic to and from 192.168.0.10 except http - -host 192.168.0.10 and not tcp port 80 - -Beware: if you capture TCP/IP traffic with the primitives "host" or "port", you will not see the ARP traffic belonging to it! - -------------------------------------------------- - -Capture Filter Syntax ---------------------- -The following is a short description of the capture filter language syntax. For a further reference, have a look at: http://www.tcpdump.org/tcpdump_man.html - -A capture filter takes the form of a series of primitive expressions, connected by conjunctions (and/or) and optionally preceded by not: - -[not] primitive [and|or [not] primitive ...] - -A primitive is simply one of the following: - -[src|dst] host - -This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected. - -ether [src|dst] host - -This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected. - -gateway host - -This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host. - -[src|dst] net [{mask }|{len }] - -This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to specify that you are only interested in a source or destination network. If neither of these are present, packets will be selected that have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR (Classless Inter-Domain Routing) prefix for the network if they are different from your own. - -[tcp|udp] [src|dst] port - -This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src|dst and tcp|udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst. -If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified address appears in either the source or destination port field. - -less|greater - -This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively. - -ip|ether proto - -This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer. - -ether|ip broadcast|multicast - -This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts. - - relop - -This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the tcpdump man pages for more details. diff --git a/help/capturing.txt b/help/capturing.txt deleted file mode 100644 index 5d297536ed..0000000000 --- a/help/capturing.txt +++ /dev/null @@ -1,82 +0,0 @@ -Capturing ---------- -This section will explain the capturing options and give hints on what to do in some special cases. - - -Capture options ---------------- -The capture options can be logically divided into the following categories: - --input --filtering --stop conditions --storing --display while capturing - -Input options -------------- --Interface: You have to choose which interface (network card) will be used to capture packets from. Be sure to select the correct one, as it's a common mistake to select the wrong interface. - --Link-layer header type: unless you are in the rare case that you will need this, just keep the default. - -Filtering options ------------------ --Capture packets in promiscuous mode: Usually a network card will only capture the traffic to its own network address. If you want to capture all traffic that the network card can "see", mark this option. See the FAQ for some more details of capturing packets from a switched network. - --Limit each packet to xy bytes: Will limit the maximum size to be captured of each packet, this includes the link-layer header and all subsequent headers. This can be useful when an error is known to be in the first 20 bytes of a packet, for example, as the size of the resulting capture file will be reduced. - --Capture Filter: Use a capture filter to reduce the amount of packets to be captured. See "Capture Filters" in this help for further information how to use it. - -Storing options ---------------- --File: You can choose the file to which captured data will be written. If you don't enter something here a temporary file will be used. - --Use multiple files: Instead of using a single capture file, multiple files will be created. The generated filenames will contain an incrementing number and the start time of the capture. For example, if you choose "/foo.cap" in the "File" field, files like "/foo_00001_20040205110102.cap", "/foo_00002_20040205110102.cap", ... will be created. -This feature can be useful if you do long term capturing, as working with a single capture file of several GB usually isn't very fast. - -Stop condition options ----------------------- -These three fields should be obvious; the capture process will be automatically stopped if one of the selected conditions is exceeded. - -Display while capturing options -------------------------------- --Update list of packets in real time: Using this will show the captured packets immediately on the main screen. -Please note: this will slow down capturing, so increased packet drops might appear. - --Automatic scrolling in live capture: This will scroll the "Packet List" automatically to the latest captured packet, when the "Update List of packets in real time" option is used. - --Name resolution: perform the corresponding name resolution while capturing. - - - -High performance capturing --------------------------- -When your network traffic is high, you might need to take some steps to ensure Wireshark doesn't get behind on its capture, particularly if you're running it on a slow computer. - -When Wireshark cannot keep up, packets are dropped. To help avoid this as much as possible: - -a) Don't use the "Update list of packets in real time" option (see above). This has a significant performance penalty. - -b) Close other programs that might slow down your system, such as virus scanner software, server processes, etc. - -c) It might be a good idea not to use a capture filter. This will depend on the task you have to do. -As a rule of thumb: if you want to see most of the packets and only filter a small number out, don't use a capture filter (you can use a display filter later). If you only want to capture a small proportion of the packets, it might be better to set a capture filter, as this will reduce the number of packets that have to be saved. - -d) If you still get packet drops, it might be an idea to use a tool dedicated to packet capturing and only use Wireshark for displaying and analyzing the packets. - -Have a look at tshark, the command line variant of wireshark, which is included in this package. -XXX: add a list of possibly useful standalone capture programs. - - - -Long term capturing -------------------- -By "Long term capturing", it's meant to capture data from a network for several hours or even days. Long term capturing will usually result in huge capture files, being hundreds of MB's or even several GB's in size! - -Before doing a long term capture, get familiar with the options to use for it, as you might not get what you desire. Doing a long term capture not getting the results needed, is usually wasting a lot of time. ;-) - -Rules of thumb for this task: --Use the ring buffer feature when you expect very large capture files. --Don't use the "Update list of packets in real time" option. --Set an appropriate capture filter, when you are only interested in some special packets from the net. - diff --git a/help/display_filters.txt b/help/display_filters.txt deleted file mode 100644 index 28303ff04e..0000000000 --- a/help/display_filters.txt +++ /dev/null @@ -1,41 +0,0 @@ -Filtering packets while viewing -------------------------------- -After capturing packets or loading some network traffic from a file, Wireshark will display the packet data immediately on the screen. - -Using display filters, you can choose which packets should (not) be shown on the screen. This is useful to reduce the "noise" usually on the network, showing only the packets you want to. So you can concentrate on the things you are really interested in. - -The display filter will not affect the data captured, it will only select which packets of the captured data are displayed on the screen. - -Every time you change the filter string, all packets will be reread from the capture file (or from memory), and processed by the display filter "machine". Packet by packet, this "machine" is asked, if this particular packet should be shown or not. - -Wireshark offers a very powerful display filter language for this. It can be used for a wide range of purposes, from simply: "show only packets from a specific IP address", or on the other hand, to very complex filters like: "find all packets where a special application specific flag is set". - -Note: This display filter language is different from the one used for the Wireshark capture filters! - -------------------------------------------------- - -Some common examples --------------------- -Example Ethernet: display all traffic to and from the Ethernet address 08.00.08.15.ca.fe - -eth.addr==08.00.08.15.ca.fe - -Example IP: display all traffic to and from the IP address 192.168.0.10 - -ip.addr==192.168.0.10 - -Example TCP: display all traffic to and from the TCP port 80 (http) of all machines - -tcp.port==80 - -Examples combined: display all traffic to and from 192.168.0.10 except http - -ip.addr==192.168.0.10 && tcp.port!=80 - -Beware: The filter string builds a logical expression, which must be true to show the packet. The && is a "logical and", "A && B" means: A must be true AND B must be true to show the packet (it doesn't mean: A will be shown AND B will be shown). - -------------------------------------------------- - -Hint ----- -Filtering can lead to side effects, which are sometimes not obvious at first sight. Example: If you capture TCP/IP traffic with the primitive "ip", you will not see the ARP traffic belonging to it, as this is a lower protocol layer than IP! diff --git a/help/faq.py b/help/faq.py deleted file mode 100755 index 4d1560d492..0000000000 --- a/help/faq.py +++ /dev/null @@ -1,1822 +0,0 @@ -#!/usr/bin/env python -# -# faq.py -# -# Routines to assemble a FAQ list for the Wireshark web site. -# Questions and answer content can be found below. Section and -# question numbers will be automatically generated. -# -# Wireshark - Network traffic analyzer -# By Gerald Combs -# Copyright 1998 Gerald Combs -# -# SPDX-License-Identifier: GPL-2.0-or-later - -import sys -import string - -class faq_section: - def __init__(self, name, secnum): - self.name = name - self.secnum = secnum - self.qa = [] - self.subsecs = [] - - def add_qa(self, question, answer, tag): - q_num = len(self.qa) + 1 - q_id = "%s.%d" % (self.get_num_string(), q_num) - self.qa.append( (q_id, question, answer, tag) ) - - def get_all_qa(self): - return self.qa - - def add_subsec(self, subsec): - self.subsecs.append(subsec) - - def get_all_subsecs(self): - return self.subsecs - - def get_num_string(self): - return "%d" % (self.secnum) - - def get_name(self): - return self.name - - def get_num_name(self): - return "%s. %s" % (self.get_num_string(), self.name) - - def get_header_level(self): - return 3 - - def print_index(self): - print(("%s:\n" % (self.get_num_string(), self.get_header_level(), self.get_num_name(), self.get_header_level()))) - for qa in self.qa: - id = qa[0] - question = qa[1] - print('

') - print(('%s %s\n' % (id, id, question))) - print('

') - for subsec in self.subsecs: - subsec.print_index() - - def print_contents(self): - # Table header - print((""" - %s -""" % (self.get_header_level(), self.get_num_string(), self.get_num_name(), self.get_header_level()))) - - # Questions and Answers - for qa in self.qa: - id = qa[0] - question = qa[1] - answer = qa[2] - tag = qa[3] - - print('

') - if tag is not None: - print(('' % (tag))) - print(('Q %s: %s' % (id, id, id, question))) - print('

') - - print('

') - print('A:\n') - print(answer) - print('

') - - # Subsections - for subsec in self.subsecs: - subsec.print_contents() - - # Table footer - print("") - -class faq_subsection(faq_section): - def __init__(self, name, secnum, subsecnum): - self.name = name - self.secnum = secnum - self.subsecnum = subsecnum - self.qa = [] - self.subsecs = [] - - def get_num_string(self): - return "%d.%d" % (self.secnum, self.subsecnum) - - def get_header_level(self): - return 2 - -class faq_subsubsection(faq_section): - def __init__(self, name, secnum, subsecnum, subsubsecnum): - self.name = name - self.secnum = secnum - self.subsecnum = subsecnum - self.subsubsecnum = subsubsecnum - self.qa = [] - self.subsecs = [] - - def get_num_string(self): - return "%d.%d.%d" % (self.secnum, self.subsecnum, self.subsubsecnum) - - def get_header_level(self): - return 2 - -sec_num = 0 -subsec_num = 0 -subsubsec_num = 0 -sections = [] -current_section = None -parent_section = None -grandparent_section = None -current_question = None -current_tag = None - -# Make a URL of itself -def selflink(text): - return "%s" % (text, text) - -# Add a section -def section(name): - global sec_num - global subsec_num - global subsubsec_num - global current_section - global grandparent_section - assert not current_question - sec_num = sec_num + 1 - subsec_num = 0 - subsubsec_num = 0 - sec = faq_section(name, sec_num) - sections.append(sec) - current_section = sec - grandparent_section = sec - -# Add a subsection -def subsection(name): - global subsec_num - global subsubsec_num - global current_section - global parent_section - global grandparent_section - assert not current_question - subsec_num = subsec_num + 1 - subsubsec_num = 0 - sec = faq_subsection(name, sec_num, subsec_num) - grandparent_section.add_subsec(sec) - current_section = sec - parent_section = sec - -# Add a subsubsection -def subsubsection(name): - global subsubsec_num - global current_section - global parent_section - assert not current_question - subsubsec_num = subsubsec_num + 1 - sec = faq_subsubsection(name, sec_num, subsec_num, subsubsec_num) - parent_section.add_subsec(sec) - current_section = sec - -# Add a question -def question(text, tag=None): - global current_question - global current_tag - assert current_section - assert not current_question - assert not current_tag - current_question = text - current_tag = tag - -# Add an answer -def answer(text): - global current_question - global current_tag - assert current_section - assert current_question - current_section.add_qa(current_question, text, current_tag) - current_question = None - current_tag = None - - -# Create the index -def create_index(): - print(""" -

Index

-""") - for sec in sections: - sec.print_index() - - print(""" -""") - - -# Print result -def create_output(header='', footer=''): - - print(header) - create_index() - - for sec in sections: - sec.print_contents() - - print(footer) - -def main(): - header = '''\ - - - - -Wireshark Frequently Asked Questions - - -''' - footer = '''\ - - -''' - - if len(sys.argv) > 1 and sys.argv[1] == '-b': # Only print the document body - header = '' - footer = '' - - create_output(header, footer) - -################################################################# -section("General Questions") -################################################################# - -question("What is Wireshark?") -answer(""" -Wireshark® is a network protocol analyzer. It lets you capture and -interactively browse the traffic running on a computer network. It has -a rich and powerful feature set and is world's most popular tool of its -kind. It runs on most computing platforms including Windows, macOS, -Linux, and UNIX. Network professionals, security experts, developers, -and educators around the world use it regularly. It is freely available -as open source, and is released under the GNU General Public License -version 2. - -
- -It is developed and maintained by a global team of protocol experts, and -it is an example of a -disruptive -technology. - -
- -Wireshark used to be known as Ethereal®. See the next question -for details about the name change. If you're still using Ethereal, it -is strongly recommended that you upgrade to Wireshark as Ethereal is -unsupported and has known security vulnerabilities. - -
- -For more information, please see the -About Wireshark -page. -""") - - -question("What's up with the name change? Is Wireshark a fork?") -answer(""" -In May of 2006, Gerald Combs (the original author of Ethereal) -went to work for CACE Technologies (best known for WinPcap). -Unfortunately, he had to leave the Ethereal trademarks behind. - -
- -This left the project in an awkward position. The only reasonable way -to ensure the continued success of the project was to change the name. -This is how Wireshark was born. - -
- -Wireshark is almost (but not quite) a fork. Normally a "fork" of an open source -project results in two names, web sites, development teams, support -infrastructures, etc. This is the case with Wireshark except for one notable -exception -- every member of the core development team is now working on -Wireshark. There has been no active development on Ethereal since the name -change. Several parts of the Ethereal web site (such as the mailing lists, -source code repository, and build farm) have gone offline. - -
- -More information on the name change can be found here: -

- -

-""") - - -question("Where can I get help?") -answer(""" -Community support is available on the -Q&A site and on the -wireshark-users mailing list. Subscription information and archives for -all of Wireshark's mailing lists can be found at %s. An IRC channel -dedicated to Wireshark can be found at %s. - -
- -Self-paced and instructor-led training is available at Wireshark University. -Wireshark University also offers certification via the Wireshark -Certified Network Analyst program. - -""" % (selflink("https://www.wireshark.org/mailman/listinfo"), - selflink("irc://irc.freenode.net/wireshark") - )) - - -question("What kind of shark is Wireshark?") -answer(""" -carcharodon photoshopia. -""") - - -question("How is Wireshark pronounced, spelled and capitalized?") -answer(""" -Wireshark is pronounced as the word wire followed immediately by -the word shark. Exact pronunciation and emphasis may vary -depending on your locale (e.g. Arkansas). - -
- -It's spelled with a capital W, followed by a lower-case -ireshark. It is not a CamelCase word, i.e., WireShark -is incorrect. -""") - - -question("How much does Wireshark cost?", "but_thats_not_all") -answer(""" -Wireshark is "free software"; you can download it without paying any -license fee. The version of Wireshark you download isn't a "demo" -version, with limitations not present in a "full" version; it -is the full version. - -
- -The license under which Wireshark is issued is the GNU General Public -License version 2. See the GNU -GPL FAQ for some more information. -""") - -question("But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off?") -answer(""" -That depends. Did they provide any sort of value-added product or service, such -as installation support, installation media, training, trace file analysis, or -funky-colored shark-themed socks? Probably not. - -
- -Wireshark is available for -anyone to download, absolutely free, at any time. Paying for a copy implies -that you should get something for your money. -""") - -question("Can I use Wireshark commercially?") -answer(""" -Yes, if, for example, you mean "I work for a commercial organization; -can I use Wireshark to capture and analyze network traffic in our -company's networks or in our customer's networks?" - -
- -If you mean "Can I use Wireshark as part of my commercial product?", see -the next entry in the FAQ. -""") - - -question("Can I use Wireshark as part of my commercial product?", -"derived_work_gpl") - -answer(""" -As noted, Wireshark is licensed under the GNU General Public -License, version 2. The GPL imposes conditions on your use of GPL'ed -code in your own products; you cannot, for example, make a "derived -work" from Wireshark, by making modifications to it, and then sell the -resulting derived work and not allow recipients to give away the -resulting work. You must also make the changes you've made to the -Wireshark source available to all recipients of your modified version; -those changes must also be licensed under the terms of the GPL. See the -GPL -FAQ for more details; in particular, note the answer to the -question about modifying a GPLed program and selling it -commercially, and the -question about linking GPLed code with other code to make a proprietary -program. - -
- -You can combine a GPLed program such as Wireshark and a commercial -program as long as they communicate "at arm's length", as per this -item in the GPL FAQ. - -
- -We recommend keeping Wireshark and your product completely separate, -communicating over sockets or pipes. If you're loading any part of -Wireshark as a DLL, you're probably doing it wrong. -""") - -question("What protocols are currently supported?") -answer(""" -There are currently hundreds of supported -protocols and media. Details can be found in the -wireshark(1) -man page. -""") - - -question("Are there any plans to support {your favorite protocol}?") -answer(""" -Support for particular protocols is added to Wireshark as a result of -people contributing that support; no formal plans for adding support for -particular protocols in particular future releases exist. -""") - - -question("""Can Wireshark read capture files from {your favorite network -analyzer}?""") - -answer(""" -Support for particular capture file formats is added to Wireshark as a result -of people contributing that support; no formal plans for adding support for -particular capture file formats in particular future releases exist. - -
- -If a network analyzer writes out files in a format already supported by -Wireshark (e.g., in libpcap format), Wireshark may already be able to read -them, unless the analyzer has added its own proprietary extensions to -that format. - -
- -If a network analyzer writes out files in its own format, or has added -proprietary extensions to another format, in order to make Wireshark read -captures from that network analyzer, we would either have to have a -specification for the file format, or the extensions, sufficient to give -us enough information to read the parts of the file relevant to -Wireshark, or would need at least one capture file in that format -AND a detailed textual analysis of the packets in that -capture file (showing packet time stamps, packet lengths, and the -top-level packet header) in order to reverse-engineer the file -format. - -
- -Note that there is no guarantee that we will be able to reverse-engineer -a capture file format. -""") - - -question("What devices can Wireshark use to capture packets?") -answer(""" -Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP -and SLIP) (if the OS on which it's running allows Wireshark to do so), -802.11 wireless LAN (if the OS on which it's running allows Wireshark to -do so), ATM connections (if the OS on which it's running allows Wireshark -to do so), and the "any" device supported on Linux by recent versions of -libpcap. - -
- -See the list of -supported capture media on various OSes for details (several items -in there say "Unknown", which doesn't mean "Wireshark can't capture on -them", it means "we don't know whether it can capture on them"; we -expect that it will be able to capture on many of them, but we haven't -tried it ourselves - if you try one of those types and it works, please -update the wiki page accordingly. - -
- -It can also read a variety of capture file formats, including: - -

-
    - -
  • AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet Grabber captures -
  • AIX's iptrace captures -
  • Accellent's 5Views LAN agent output -
  • Cinco Networks NetXRay captures -
  • Cisco Secure Intrusion Detection System IPLog output -
  • CoSine L2 debug output -
  • DBS Etherwatch VMS text output -
  • Endace Measurement Systems' ERF format captures -
  • EyeSDN USB S0 traces -
  • HP-UX nettl captures -
  • ISDN4BSD project i4btrace captures -
  • Linux Bluez Bluetooth stack hcidump -w traces -
  • Lucent/Ascend router debug output -
  • Microsoft Network Monitor captures -
  • Network Associates Windows-based Sniffer captures -
  • Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures -
  • Network Instruments Observer version 9 captures -
  • Novell LANalyzer captures -
  • RADCOM's WAN/LAN analyzer captures -
  • Shomiti/Finisar Surveyor captures -
  • Toshiba's ISDN routers dump output -
  • VMS TCPIPtrace/TCPtrace/UCX$TRACE output -
  • Visual Networks' Visual UpTime traffic capture -
  • libpcap, tcpdump and various other tools using tcpdump's capture format -
  • snoop and atmsnoop output - -
- -

-so that it can read traces from various network types, as captured by -other applications or equipment, even if it cannot itself capture on -those network types. -""") - -question(""" -Does Wireshark work on Windows Vista or Windows Server 2008? -""") - -answer(""" -Yes, but if you want to capture packets as a normal user, you must make sure -npf.sys is loaded. Wireshark's installer enables this by default. This is not a -concern if you run Wireshark as Administrator, but this is discouraged. See the -CapturePrivileges -page on the wiki for more details. -""") - - -################################################################# -section("Installing Wireshark") -################################################################# - - -question("""I installed the Wireshark RPM (or other package); why did -it install TShark but not Wireshark?""") - -answer(""" -Many distributions have separate Wireshark packages, one for non-GUI -components such as TShark, editcap, dumpcap, etc. and one for the GUI. -If this is the case on your system, there's probably a separate package -named wireshark-qt. Find it and install it. -""") - - -################################################################# -section("Building Wireshark") -################################################################# - - -question("""I have libpcap installed; why did the configure script not -find pcap.h or bpf.h?""") - -answer(""" -Are you sure pcap.h and bpf.h are installed? The official distribution -of libpcap only installs the libpcap.a library file when "make install" -is run. To install pcap.h and bpf.h, you must run "make install-incl". -If you're running Debian or Redhat, make sure you have the "libpcap-dev" -or "libpcap-devel" packages installed. - -
- -It's also possible that pcap.h and bpf.h have been installed in a strange -location. If this is the case, you may have to tweak aclocal.m4. -""") - - -################################################################# -section("Starting Wireshark") -################################################################# - - -question("""When I try to run Wireshark, why does it complain about -sprint_realloc_objid being undefined?""") - -answer(""" -Wireshark can only be linked with version 4.2.2 or later of UCD SNMP. -Your version of Wireshark was dynamically linked with such a version of -UCD SNMP; however, you have an older version of UCD SNMP installed, -which means that when Wireshark is run, it tries to link to the older -version, and fails. You will have to replace that version of UCD SNMP -with version 4.2.2 or a later version. -""") - -question(""" -I've installed Wireshark from Fink on macOS; why is it very slow to -start up? -""") - -answer(""" -When an application is installed on macOS, prior to 10.4, it is usually -"prebound" to speed up launching the application. (That's what the -"Optimizing" phase of installation is.) - -
- -Fink normally performs prebinding automatically when you install a -package. However, in some rare cases, for whatever reason the prebinding -caches get corrupt, and then not only does prebinding fail, but startup -actually becomes much slower, because the system tries in vain to -perform prebinding "on the fly" as you launch the application. This -fails, causing sometimes huge delays. - -
- -To fix the prebinding caches, run the command -

- -
-	sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
-
-

-""") - -################################################################# -section("Crashes and other fatal errors") -################################################################# - - -question(""" -I have an XXX network card on my machine; if I try to capture on it, why -does my machine crash or reset itself? -""") - -answer(""" -This is almost certainly a problem with one or more of: -

- -
    -
  • the operating system you're using; -
  • the device driver for the interface you're using; -
  • the libpcap/Npcap library and, if this is Windows, the Npcap -device driver; -
- -

-so: -

- -
    -
  • if you are using Windows, see the Npcap support -page - check the "Patches, Bug Reports, Questions, Suggestions, etc" section; - -
  • if you are using some Linux distribution, some version of BSD, or -some other UNIX-flavored OS, you should report the problem to the -company or organization that produces the OS (in the case of a Linux -distribution, report the problem to whoever produces the distribution). -
-

-""") - -question(""" -Why does my machine crash or reset itself when I select "Start" from the -"Capture" menu or select "Preferences" from the "Edit" menu? -""") - -answer(""" -Both of those operations cause Wireshark to try to build a list of the -interfaces that it can open; it does so by getting a list of interfaces -and trying to open them. There is probably an OS, driver, or, for -Windows, Npcap bug that causes the system to crash when this happens; -see the previous question. -""") - -################################################################# -section("Capturing packets") -################################################################# - - -question("""When I use Wireshark to capture packets, why do I see only -packets to and from my machine, or not see all the traffic I'm expecting -to see from or to the machine I'm trying to monitor?""", "promiscsniff") - -answer(""" -This might be because the interface on which you're capturing is plugged -into an Ethernet or Token Ring switch; on a switched network, unicast -traffic between two ports will not necessarily appear on other ports - -only broadcast and multicast traffic will be sent to all ports. - -
- -Note that even if your machine is plugged into a hub, the "hub" may be -a switched hub, in which case you're still on a switched network. - -
- -Note also that on the Linksys Web site, they say that their -auto-sensing hubs "broadcast the 10Mb packets to the port that operate -at 10Mb only and broadcast the 100Mb packets to the ports that operate -at 100Mb only", which would indicate that if you sniff on a 10Mb port, -you will not see traffic coming sent to a 100Mb port, and vice -versa. This problem has also been reported for Netgear dual-speed -hubs, and may exist for other "auto-sensing" or "dual-speed" hubs. - -
- -Some switches have the ability to replicate all traffic on all ports to -a single port so that you can plug your analyzer into that single port to -sniff all traffic. You would have to check the documentation for the -switch to see if this is possible and, if so, to see how to do this. -See the switch -reference page on the Wireshark -Wiki for information on some switches. (Note that it's a Wiki, so -you can update or fix that information, or add additional information on -those switches or information on new switches, yourself.) - -
- -Note also that many firewall/NAT boxes have a switch built into them; -this includes many of the "cable/DSL router" boxes. If you have a box -of that sort, that has a switch with some number of Ethernet ports into -which you plug machines on your network, and another Ethernet port used -to connect to a cable or DSL modem, you can, at least, sniff traffic -between the machines on your network and the Internet by plugging -the Ethernet port on the router going to the modem, the Ethernet port on -the modem, and the machine on which you're running Wireshark into a hub -(make sure it's not a switching hub, and that, if it's a dual-speed hub, -all three of those ports are running at the same speed. - -
- -If your machine is not plugged into a switched network or a -dual-speed hub, or it is plugged into a switched network but the port is -set up to have all traffic replicated to it, the problem might be that -the network interface on which you're capturing doesn't support -"promiscuous" mode, or because your OS can't put the interface into -promiscuous mode. Normally, network interfaces supply to the host only: -

- -
    -
  • packets sent to one of that host's link-layer addresses; -
  • broadcast packets; -
  • multicast packets sent to a multicast address that the host has - configured the interface to accept. -
- -

-Most network interfaces can also be put in "promiscuous" mode, in which -they supply to the host all network packets they see. Wireshark will try -to put the interface on which it's capturing into promiscuous mode -unless the "Capture packets in promiscuous mode" option is turned off in -the "Capture Options" dialog box, and TShark will try to put the -interface on which it's capturing into promiscuous mode unless the --p option was specified. However, some network interfaces -don't support promiscuous mode, and some OSes might not allow interfaces -to be put into promiscuous mode. - -
- -If the interface is not running in promiscuous mode, it won't see any -traffic that isn't intended to be seen by your machine. It -will see broadcast packets, and multicast packets sent -to a multicast MAC address the interface is set up to receive. - -
- -You should ask the vendor of your network interface whether it supports -promiscuous mode. If it does, you should ask whoever supplied the -driver for the interface (the vendor, or the supplier of the OS you're -running on your machine) whether it supports promiscuous mode with that -network interface. - -
- -In the case of token ring interfaces, the drivers for some of them, on -Windows, may require you to enable promiscuous mode in order to capture -in promiscuous mode. See the Wireshark -Wiki item on Token Ring capturing for details. - -
- -In the case of wireless LAN interfaces, it appears that, when those -interfaces are promiscuously sniffing, they're running in a -significantly different mode from the mode that they run in when they're -just acting as network interfaces (to the extent that it would be a -significant effort for those drivers to support for promiscuously -sniffing and acting as regular network interfaces at the same -time), so it may be that Windows drivers for those interfaces don't -support promiscuous mode. -""") - -question("""When I capture with Wireshark, why can't I see any TCP -packets other than packets to and from my machine, even though another -analyzer on the network sees those packets?""") - -answer(""" -You're probably not seeing any packets other than unicast -packets to or from your machine, and broadcast and multicast packets; a -switch will normally send to a port only unicast traffic sent to the MAC -address for the interface on that port, and broadcast and multicast -traffic - it won't send to that port unicast traffic sent to a MAC -address for some other interface - and a network interface not in -promiscuous mode will receive only unicast traffic sent to the MAC -address for that interface, broadcast traffic, and multicast traffic -sent to a multicast MAC address the interface is set up to receive. - -
- -TCP doesn't use broadcast or multicast, so you will only see your own -TCP traffic, but UDP services may use broadcast or multicast so you'll -see some UDP traffic - however, this is not a problem with TCP traffic, -it's a problem with unicast traffic, as you also won't see all UDP -traffic between other machines. - -
- -I.e., this is probably the same question -as this earlier one; see the response to that question. -""") - -question("""Why am I only seeing ARP packets when I try to capture -traffic?""") - -answer(""" -You're probably on a switched network, and running Wireshark on a machine -that's not sending traffic to the switch and not being sent any traffic -from other machines on the switch. ARP packets are often broadcast -packets, which are sent to all switch ports. - -
- -I.e., this is probably the same question -as this earlier one; see the response to that question. -""") - -question(""" -Why am I not seeing any traffic when I try to capture traffic?""") - -answer(""" -Is the machine running Wireshark sending out any traffic on the network -interface on which you're capturing, or receiving any traffic on that -network, or is there any broadcast traffic on the network or multicast -traffic to a multicast group to which the machine running Wireshark -belongs? - -
- -If not, this may just be a problem with promiscuous sniffing, either due -to running on a switched network or a dual-speed hub, or due to problems -with the interface not supporting promiscuous mode; see the response to -this earlier question. - -
- -Otherwise, on Windows, see the response to this -question and, on a UNIX-flavored OS, see the response to this question. -""") - -question(""" -Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)? -""") - -answer(""" -Wireshark can only capture on devices supported by libpcap/Npcap. On -most OSes, only devices that can act as network interfaces of the type -that support IP are supported as capture devices for libpcap/Npcap, -although the device doesn't necessarily have to be running as an IP -interface in order to support traffic capture. - -
- -On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace Measurement Systems' -DAG cards, so that a system with one of those cards, and its driver -and libraries, installed can capture traffic with those cards with -libpcap-based applications. You would either have to have a version of -Wireshark built with that version of libpcap, or a dynamically-linked -version of Wireshark and a shared libpcap library with DAG support, in -order to do so with Wireshark. You should ask Endace whether that could -be used to capture traffic on, for example, your T1/E1 link. - -
- -See the SS7 capture -setup page on the Wireshark -Wiki for current information on capturing SS7 traffic on TDM -links. -""") - -question("""How do I put an interface into promiscuous mode?""") - -answer(""" -By not disabling promiscuous mode when running Wireshark or TShark. - -
- -Note, however, that: -

-
    -
  • the form of promiscuous mode that libpcap (the library that -programs such as tcpdump, Wireshark, etc. use to do packet capture) -turns on will not necessarily be shown if you run -ifconfig on the interface on a UNIX system; -
  • some network interfaces might not support promiscuous mode, and some -drivers might not allow promiscuous mode to be turned on - see this earlier question for more information on -that; -
  • the fact that you're not seeing any traffic, or are only seeing -broadcast traffic, or aren't seeing any non-broadcast traffic other than -traffic to or from the machine running Wireshark, does not mean that -promiscuous mode isn't on - see this earlier -question for more information on that. -
- -

-I.e., this is probably the same question -as this earlier one; see the response to that question. -""") - -question(""" -I can set a display filter just fine; why don't capture filters work? -""") - -answer(""" -Capture filters currently use a different syntax than display filters. Here's -the corresponding section from the -wireshark(1) -man page: - -
- -"Display filters in Wireshark are very powerful; more fields are filterable -in Wireshark than in other protocol analyzers, and the syntax you can -use to create your filters is richer. As Wireshark progresses, expect -more and more protocol fields to be allowed in display filters. - -
- -Packet capturing is performed with the pcap library. The capture filter -syntax follows the rules of the pcap library. This syntax is different -from the display filter syntax." - -
- -The capture filter syntax used by libpcap can be found in the -tcpdump(8) -man page. -""") - -question(""" -How can I capture packets with CRC errors? -""") - -answer(""" -Wireshark can capture only the packets that the packet capture library - -libpcap on UNIX-flavored OSes, and the Npcap port to Windows of libpcap -on Windows - can capture, and libpcap/Npcap can capture only the -packets that the OS's raw packet capture mechanism (or the Npcap -driver, and the underlying OS networking code and network interface -drivers, on Windows) will allow it to capture. - -
- -Unless the OS always supplies packets with errors such as invalid CRCs -to the raw packet capture mechanism, or can be configured to do so, -invalid CRCs to the raw packet capture mechanism, Wireshark - and other -programs that capture raw packets, such as tcpdump - cannot capture -those packets. You will have to determine whether your OS needs to be -so configured and, if so, can be so configured, configure it if -necessary and possible, and make whatever changes to libpcap and the -packet capture program you're using are necessary, if any, to support -capturing those packets. - -
- -Most OSes probably do not support capturing packets -with invalid CRCs on Ethernet, and probably do not support it on most -other link-layer types. Some drivers on some OSes do support it, such -as some Ethernet drivers on FreeBSD; in those OSes, you might always get -those packets, or you might only get them if you capture in promiscuous -mode (you'd have to determine which is the case). - -
- -Note that libpcap does not currently supply to programs that use it an -indication of whether the packet's CRC was invalid (because the drivers -themselves do not supply that information to the raw packet capture -mechanism); therefore, Wireshark will not indicate which packets had CRC -errors unless the FCS was captured (see the next question) and you're -using Wireshark 0.9.15 and later, in which case Wireshark will check the -CRC and indicate whether it's correct or not. -""") - -question(""" -How can I capture entire frames, including the FCS? -""") - -answer(""" -Wireshark can only capture data that the packet capture library - -libpcap on UNIX-flavored OSes, and the Npcap port to Windows of -libpcap on Windows - can capture, and libpcap/Npcap can capture only -the data that the OS's raw packet capture mechanism (or the Npcap -driver, and the underlying OS networking code and network interface -drivers, on Windows) will allow it to capture. - -
- -For any particular link-layer network type, unless the OS supplies the -FCS of a frame as part of the frame, or can be configured to do so, -Wireshark - and other programs that capture raw packets, such as tcpdump -- cannot capture the FCS of a frame. You will have to determine whether -your OS needs to be so configured and, if so, can be so configured, -configure it if necessary and possible, and make whatever changes to -libpcap and the packet capture program you're using are necessary, if -any, to support capturing the FCS of a frame. - -
- -Most OSes do not support capturing the FCS of a frame -on Ethernet, and probably do not support it on most other link-layer -types. Some drivres on some OSes do support it, such as some (all?) -Ethernet drivers on NetBSD and possibly the driver for Apple's gigabit -Ethernet interface in macOS; in those OSes, you might always get the -FCS, or you might only get the FCS if you capture in promiscuous mode -(you'd have to determine which is the case). - -
- -Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in a -captured packet as an FCS. 0.9.15 and later will attempt to determine -whether there's an FCS at the end of the frame and, if it thinks there -is, will display it as such, and will check whether it's the correct -CRC-32 value or not. -""") - -question(""" -I'm capturing packets on a machine on a VLAN; why don't the packets I'm -capturing have VLAN tags? -""") - -answer(""" -You might be capturing on what might be called a "VLAN interface" - the -way a particular OS makes VLANs plug into the networking stack might, -for example, be to have a network device object for the physical -interface, which takes VLAN packets, strips off the VLAN header and -constructs an Ethernet header, and passes that packet to an internal -network device object for the VLAN, which then passes the packets onto -various higher-level protocol implementations. - -
- -In order to see the raw Ethernet packets, rather than "de-VLANized" -packets, you would have to capture not on the virtual interface for the -VLAN, but on the interface corresponding to the physical network device, -if possible. See the Wireshark Wiki -item on VLAN capturing for details. -""") - -question(""" -Why does Wireshark hang after I stop a capture? -""") - -answer(""" -The most likely reason for this is that Wireshark is trying to look up an -IP address in the capture to convert it to a name (so that, for example, -it can display the name in the source address or destination address -columns), and that lookup process is taking a very long time. - -
- -Wireshark calls a routine in the OS of the machine on which it's running -to convert of IP addresses to the corresponding names. That routine -probably does one or more of: -

-
  • a search of a system file listing IP addresses and names; -
  • a lookup using DNS; -
  • on UNIX systems, a lookup using NIS; -
  • on Windows systems, a NetBIOS-over-TCP query. -
- -

-If a DNS server that's used in an address lookup is not responding, the -lookup will fail, but will only fail after a timeout while the system -routine waits for a reply. - -
- -In addition, on Windows systems, if the DNS lookup of the address fails, -either because the server isn't responding or because there are no -records in the DNS that could be used to map the address to a name, a -NetBIOS-over-TCP query will be made. That query involves sending a -message to the NetBIOS-over-TCP name service on that machine, asking for -the name and other information about the machine. If the machine isn't -running software that responds to those queries - for example, many -non-Windows machines wouldn't be running that software - the lookup will -only fail after a timeout. Those timeouts can cause the lookup to take -a long time. - -
- -If you disable network address-to-name translation - for example, by -turning off the "Enable network name resolution" option in the "Capture -Options" dialog box for starting a network capture - the lookups of the -address won't be done, which may speed up the process of reading the -capture file after the capture is stopped. You can make that setting -the default by selecting "Preferences" from the "Edit" menu, turning off -the "Enable network name resolution" option in the "Name resolution" -options in the preferences disalog box, and using the "Save" button in -that dialog box; note that this will save all your current -preference settings. - -
- -If Wireshark hangs when reading a capture even with network name -resolution turned off, there might, for example, be a bug in one of -Wireshark's dissectors for a protocol causing it to loop infinitely. If -you're not running the most recent release of Wireshark, you should first -upgrade to that release, as, if there's a bug of that sort, it might've -been fixed in a release after the one you're running. If the hang -occurs in the most recent release of Wireshark, the bug should be -reported to the Wireshark -developers' mailing list at wireshark-dev@wireshark.org. - -
- -On UNIX-flavored OSes, please try to force Wireshark to dump core, by -sending it a SIGABRT signal (usually signal 6) with the -kill command, and then get a stack trace if you have a debugger -installed. A stack trace can be obtained by using your debugger -(gdb in this example), the Wireshark binary, and the resulting -core file. Here's an example of how to use the gdb command -backtrace to do so. -

- -
-        $ gdb wireshark core
-        (gdb) backtrace
-        ..... prints the stack trace
-        (gdb) quit
-        $
-
- -

-The core dump file may be named "wireshark.core" rather than "core" on -some platforms (e.g., BSD systems). - -
- -Also, if at all possible, please send a copy of the capture file that caused -the problem. When capturing packets, Wireshark normally writes captured -packets to a temporary file, which will probably be in /tmp or -/var/tmp on UNIX-flavored OSes, \\TEMP on the main system disk -(normally \\Documents and Settings\\your login name -\\Local Settings\\Temp on the main system disk on Windows -Windows XP and Server 2003, and -\\Users\\your login name\\AppData\\Local\\Temp on the main -system disk on Windows Vista and later, so the capture file will probably be there. If you -are capturing on a single interface, it will have a name of the form, -wireshark_<iface>_YYYYmmddHHMMSS_XXXXXX.<fmt>, where -<fmt> is the capture file format (pcap or pcapng), and <iface> is -the actual name of the interface you are capturing on; otherwise, if you are -capturing on multiple interfaces, it will have a name of the form, -wireshark_<N>_interfaces_YYYYmmddHHMMSS_XXXXXX.<fmt>, where <N> -is the number of simultaneous interfaces you are capturing on. Please don't -send a trace file greater than 1 MB when compressed; instead, make it available -via FTP or HTTP, or say it's available but leave it up to a developer to ask -for it. If the trace file contains sensitive information (e.g., passwords), -then please do not send it. -""") - - -################################################################# -section("Capturing packets on Windows") -################################################################# - -question(""" -I'm running Wireshark on Windows; why does some network interface on my -machine not show up in the list of interfaces in the "Interface:" field -in the dialog box popped up by "Capture->Start", and/or why does -Wireshark give me an error if I try to capture on that interface? -""", "capprobwin") - -answer(""" - -Wireshark relies on the Npcap library, on the Npcap device driver, and -and on the facilities that come with the OS on which it's running in -order to do captures. - -
- -Therefore, if the OS, the Npcap library, or the Npcap driver don't -support capturing on a particular network interface device, Wireshark -won't be able to capture on that device. - -
- -If an interface doesn't show up in the list of interfaces in the -"Interface:" field, and you know the name of the interface, try entering -that name in the "Interface:" field and capturing on that device. - -
- -If the attempt to capture on it succeeds, the interface is somehow not -being reported by the mechanism Wireshark uses to get a list of -interfaces. Try listing the interfaces with WinDump; see the WinDump Web site -for information on using WinDump. - -
- -You would run WinDump with the -D flag; if it lists the -interface, please report this to wireshark-dev@wireshark.org -giving full details of the problem, including -

- -
    -
  • the operating system you're using, and the version of that operating -system; -
  • the type of network device you're using; -
  • the output of WinDump. -
- -

-If WinDump does not list the interface, -this is almost certainly a problem with one or more of: -

- -
    -
  • the operating system you're using; -
  • the device driver for the interface you're using; -
  • the WinPcap library and/or the WinPcap device driver; -
- -

-so first check the -Npcap User's Guide to see if your problem is mentioned there. If not, then see the main Npcap page -- check the "Patches, Bug Reports, Questions, Suggestions, etc" section. - -
- -If you are having trouble capturing on a particular network interface, -first try capturing on that device with WinDump; see the WinDump Web site -for information on using WinDump. - -
- -If you can capture on the interface with WinDump, send mail to wireshark-users@wireshark.org -giving full details of the problem, including -

- -
    -
  • the operating system you're using, and the version of that operating -system; -
  • the type of network device you're using; -
  • the error message you get from Wireshark. -
- -

-If you cannot capture on the interface with WinDump, -this is almost certainly a problem with one or more of: -

- -
    -
  • the operating system you're using; -
  • the device driver for the interface you're using; -
  • the Npcap library and/or the Npcap device driver; -
- -

-so first check the -Npcap User's Guide to see if your problem is mentioned there. If not, then see the main Npcap page -- check the "Patches, Bug Reports, Questions, Suggestions, etc" section. - -
- -You may also want to ask the wireshark-users@wireshark.org -and the winpcap-users@winpcap.org -mailing lists to see if anybody happens to know about the problem and -know a workaround or fix for the problem. (Note that you will have to -subscribe to that list in order to be allowed to mail to it; see the Npcap support -page for information on the mailing list.) In your mail, -please give full details of the problem, as described above, and also -indicate that the problem occurs with WinDump, not just with Wireshark. -""") - -question(""" -I'm running Wireshark on Windows; why do no network interfaces show up in -the list of interfaces in the "Interface:" field in the dialog box -popped up by "Capture->Start"? -""") - -answer(""" -This is really the same question as a previous -one; see the response to that question. -""") - -question(""" -I'm running Wireshark on Windows; why am I not seeing any traffic being -sent by the machine running Wireshark?""") - -answer(""" -If you are running some form of VPN client software, it might be causing -this problem; people have seen this problem when they have Check Point's -VPN software installed on their machine. If that's the cause of the -problem, you will have to remove the VPN software in order to have -Wireshark (or any other application using Npcap) see outgoing packets; -unfortunately, neither we nor the Npcap developers know any way to -make Npcap and the VPN software work well together. - -
- -Also, some drivers for Windows (especially some wireless network -interface drivers) apparently do not, when running in promiscuous mode, -arrange that outgoing packets are delivered to the software that -requested that the interface run promiscuously; try turning promiscuous -mode off. -""") - -question(""" -When I capture on Windows in promiscuous mode, I can see packets other -than those sent to or from my machine; however, those packets show up -with a "Short Frame" indication, unlike packets to or from my machine. -What should I do to arrange that I see those packets in their entirety? -""") - -answer(""" -In at least some cases, this appears to be the result of PGPnet running -on the network interface on which you're capturing; turn it off on that -interface. -""") - -question(""" -I'm trying to capture 802.11 traffic on Windows; why am I not seeing any -packets? -""", "win802_11promisc") - -answer(""" -At least some 802.11 card drivers on Windows appear not to see any -packets if they're running in promiscuous mode. Try turning promiscuous -mode off; you'll only be able to see packets sent by and received by -your machine, not third-party traffic, and it'll look like Ethernet -traffic and won't include any management or control frames, but that's a -limitation of the card drivers. - -
- -See the archived MicroLogix's -list of cards supported with WinPcap for information on -support of various adapters and drivers with WinPcap. -""") - -question(""" -I'm trying to capture 802.11 traffic on Windows; why am I seeing packets -received by the machine on which I'm capturing traffic, but not packets -sent by that machine? -""") - -answer(""" -This appears to be another problem with promiscuous mode; try turning it -off. -""") - -question(""" -I'm trying to capture Ethernet VLAN traffic on Windows, and I'm -capturing on a "raw" Ethernet device rather than a "VLAN interface", so -that I can see the VLAN headers; why am I seeing packets received by the -machine on which I'm capturing traffic, but not packets sent by that -machine? -""") - -answer(""" -The way the Windows networking code works probably means that packets -are sent on a "VLAN interface" rather than the "raw" device, so packets -sent by the machine will only be seen when you capture on the "VLAN -interface". If so, you will be unable to see outgoing packets when -capturing on the "raw" device, so you are stuck with a choice between -seeing VLAN headers and seeing outgoing packets. -""") - -################################################################# -section("Capturing packets on UN*Xes") -################################################################# - -question(""" -I'm running Wireshark on a UNIX-flavored OS; why does some network -interface on my machine not show up in the list of interfaces in the -"Interface:" field in the dialog box popped up by "Capture->Start", -and/or why does Wireshark give me an error if I try to capture on that -interface? """, "capprobunix") - -answer(""" -You may need to run Wireshark from an account with sufficient privileges -to capture packets, such as the super-user account, or may need to give -your account sufficient privileges to capture packets. Only those -interfaces that Wireshark can open for capturing show up in that list; if -you don't have sufficient privileges to capture on any interfaces, no -interfaces will show up in the list. See -the -Wireshark Wiki item on capture privileges for details on how to give -a particular account or account group capture privileges on platforms -where that can be done. - -
- -If you are running Wireshark from an account with sufficient privileges, -then note that Wireshark relies on the libpcap library, and on the -facilities that come with the OS on which it's running in order to do -captures. On some OSes, those facilities aren't present by default; see -the -Wireshark Wiki item on adding capture support for details. - -
- -And, even if you're running with an account that has sufficient -privileges to capture, and capture support is present in your OS, if the -OS or the libpcap library don't support capturing on a particular -network interface device or particular types of devices, Wireshark won't -be able to capture on that device. - -
- -On Solaris, note that libpcap 0.6.2 and earlier didn't support Token -Ring interfaces; the current version, 0.7.2, does support Token Ring, -and the current version of Wireshark works with libpcap 0.7.2 and later. - -
- -If an interface doesn't show up in the list of interfaces in the -"Interface:" field, and you know the name of the interface, try entering -that name in the "Interface:" field and capturing on that device. - -
- -If the attempt to capture on it succeeds, the interface is somehow not -being reported by the mechanism Wireshark uses to get a list of -interfaces; please report this to wireshark-dev@wireshark.org -giving full details of the problem, including -

- -
    -
  • the operating system you're using, and the version of that operating -system (for Linux, give both the version number of the kernel and the -name and version number of the distribution you're using); -
  • the type of network device you're using. -
- -

-If you are having trouble capturing on a particular network interface, -and you've made sure that (on platforms that require it) you've arranged -that packet capture support is present, as per the above, first try -capturing on that device with tcpdump. - -
- -If you can capture on the interface with tcpdump, send mail to -wireshark-users@wireshark.org -giving full details of the problem, including -

- -
    -
  • the operating system you're using, and the version of that operating -system (for Linux, give both the version number of the kernel and the -name and version number of the distribution you're using); -
  • the type of network device you're using; -
  • the error message you get from Wireshark. -
- -

-If you cannot capture on the interface with tcpdump, -this is almost certainly a problem with one or more of: -

- -
    -
  • the operating system you're using; -
  • the device driver for the interface you're using; -
  • the libpcap library; -
- -

-so you should report the problem to the company or organization that -produces the OS (in the case of a Linux distribution, report the problem -to whoever produces the distribution). - -
- -You may also want to ask the wireshark-users@wireshark.org -and the tcpdump-workers@lists.tcpdump.org -mailing lists to see if anybody happens to know about the problem and -know a workaround or fix for the problem. In your mail, please give -full details of the problem, as described above, and also indicate that -the problem occurs with tcpdump not just with Wireshark. -""") - -question(""" -I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces -show up in the list of interfaces in the "Interface:" field in the -dialog box popped up by "Capture->Start"? -""") - -answer(""" -This is really the same question as the previous -one; see the response to that question. -""") - -question("""I'm capturing packets on Linux; why do the time stamps have -only 100ms resolution, rather than 1us resolution?""") - -answer(""" -Wireshark gets time stamps from libpcap/Npcap, and -libpcap/Npcap get them from the OS kernel, so Wireshark - and any other -program using libpcap, such as tcpdump - is at the mercy of the time -stamping code in the OS for time stamps. - -
- -At least on x86-based machines, Linux can get high-resolution time -stamps on newer processors with the Time Stamp Counter (TSC) register; -for example, Intel x86 processors, starting with the Pentium Pro, and -including all x86 processors since then, have had a TSC, and other -vendors probably added the TSC at some point to their families of x86 -processors. - -The Linux kernel must be configured with the CONFIG_X86_TSC option -enabled in order to use the TSC. Make sure this option is enabled in -your kernel. - -
- -In addition, some Linux distributions may have bugs in their versions of -the kernel that cause packets not to be given high-resolution time -stamps even if the TSC is enabled. See, for example, bug 61111 for Red -Hat Linux 7.2. If your distribution has a bug such as this, you may -have to run a standard kernel from kernel.org in order to get -high-resolution time stamps. -""") - -################################################################# -section("Capturing packets on wireless LANs") -################################################################# - - -question(""" -How can I capture raw 802.11 frames, including non-data (management, -beacon) frames? -""", "raw_80211_sniff") - -answer(""" -That depends on the operating system on which you're running, and on the -802.11 interface on which you're capturing. - -
- -This would probably require that you capture in promiscuous mode or in -the mode called "monitor mode" or "RFMON mode". On some platforms, or -with some cards, this might require that you capture in monitor mode - -promiscuous mode might not be sufficient. If you want to capture -traffic on networks other than the one with which you're associated, you -will have to capture in monitor mode. - -
- -Not all operating systems support capturing non-data packets and, even -on operating systems that do support it, not all drivers, and thus not -all interfaces, support it. Even on those that do, monitor mode might -not be supported by the operating system or by the drivers for all -interfaces. - -
- -NOTE: an interface running in monitor mode will, on -most if not all platforms, not be able to act as a regular network -interface; putting it into monitor mode will, in effect, take your -machine off of whatever network it's on as long as the interface is in -monitor mode, allowing it only to passively capture packets. - -
- -This means that you should disable name resolution when capturing in -monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries -to display IP addresses as host names, it will probably block for a long -time trying to resolve the name because it will not be able to -communicate with any DNS or NIS servers. - -
- -See the Wireshark -Wiki item on 802.11 capturing for details. -""") - -question(""" -How do I capture on an 802.11 device in monitor mode?""", -"monitor") - -answer(""" -Whether you will be able to capture in monitor mode depends on the -operating system, adapter, and driver you're using. -See the previous question for information -on monitor mode, including a link to the Wireshark Wiki page that gives -details on 802.11 capturing. -""") - -################################################################# -section("Viewing traffic") -################################################################# - - -question("Why am I seeing lots of packets with incorrect TCP checksums?") - -answer(""" -If the packets that have incorrect TCP checksums are all being sent by -the machine on which Wireshark is running, this is probably because the -network interface on which you're capturing does TCP checksum -offloading. That means that the TCP checksum is added to the packet by -the network interface, not by the OS's TCP/IP stack; when capturing on -an interface, packets being sent by the host on which you're capturing -are directly handed to the capture interface by the OS, which means that -they are handed to the capture interface without a TCP checksum being -added to them. - -
- -The only way to prevent this from happening would be to disable TCP -checksum offloading, but -

- -
    -
  1. that might not even be possible on some OSes; -
  2. that could reduce networking performance significantly. -
- -

-However, you can disable the check that Wireshark does of the TCP -checksum, so that it won't report any packets as having TCP checksum -errors, and so that it won't refuse to do TCP reassembly due to a packet -having an incorrect TCP checksum. That can be set as an Wireshark -preference by selecting "Preferences" from the "Edit" menu, opening up -the "Protocols" list in the left-hand pane of the "Preferences" dialog -box, selecting "TCP", from that list, turning off the "Check the -validity of the TCP checksum when possible" option, clicking "Save" if -you want to save that setting in your preference file, and clicking -"OK". - -
- -It can also be set on the Wireshark or TShark command line with a --o tcp.check_checksum:false command-line flag, or manually set -in your preferences file by adding a tcp.check_checksum:false -line. -""") - -question(""" -I've just installed Wireshark, and the traffic on my local LAN -is boring. Where can I find more interesting captures? -""") - -answer(""" -We have a collection of strange and exotic sample capture -files at %s""" % (selflink("https://wiki.wireshark.org/SampleCaptures"))) - - -question(""" -Why doesn't Wireshark correctly identify RTP packets? It shows them -only as UDP.""") - -answer(""" -Wireshark can identify a UDP datagram as containing a packet of a -particular protocol running atop UDP only if -

- -
    -
  1. The protocol in question has a particular standard port -number, and the UDP source or destination port number is that port - -
  2. Packets of that protocol can be identified by looking for a -"signature" of some type in the packet - i.e., some data -that, if Wireshark finds it in some particular part of a -packet, means that the packet is almost certainly a packet of -that type. - -
  3. Some other traffic earlier in the capture indicated that, -for example, UDP traffic between two particular addresses and -ports will be RTP traffic. -
- -

-RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, -as far as I know, have any "signature", so 2) doesn't work. - -
- -That leaves 3). If there's RTSP traffic that sets up an RTP session, -then, at least in some cases, the RTSP dissector will set things up so -that subsequent RTP traffic will be identified. Currently, that's the -only place we do that; there may be other places. - -
- -However, there will always be places where Wireshark is simply -incapable of deducing that a given UDP flow is RTP; a mechanism -would be needed to allow the user to specify that a given conversation -should be treated as RTP. As of Wireshark 0.8.16, such a mechanism -exists; if you select a UDP or TCP packet, the right mouse button menu -will have a "Decode As..." menu item, which will pop up a dialog box -letting you specify that the source port, the destination port, or both -the source and destination ports of the packet should be dissected as -some particular protocol. -""") - -question(""" -Why doesn't Wireshark show Yahoo Messenger packets in captures that -contain Yahoo Messenger traffic?""") - -answer(""" -Wireshark only recognizes as Yahoo Messenger traffic packets to or from TCP -port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP segments that -start with the middle of a Yahoo Messenger packet that takes more than one -TCP segment will not be recognized as Yahoo Messenger packets (even if the -TCP segment also contains the beginning of another Yahoo Messenger -packet). -""") - -################################################################# -section("Filtering traffic") -################################################################# - - -question("""I saved a filter and tried to use its name to filter the -display; why do I get an "Unexpected end of filter string" error?""") - -answer(""" -You cannot use the name of a saved display filter as a filter. To -filter the display, you can enter a display filter expression - -not the name of a saved display filter - in the -"Filter:" box at the bottom of the display, and type the <Enter> key or -press the "Apply" button (that does not require you to have a saved -filter), or, if you want to use a saved filter, you can press the -"Filter:" button, select the filter in the dialog box that pops up, and -press the "OK" button.""") - -question(""" -How can I search for, or filter, packets that have a particular string -anywhere in them? -""") - -answer(""" -If you want to do this when capturing, you can't. That's a feature that -would be hard to implement in capture filters without changes to the -capture filter code, which, on many platforms, is in the OS kernel and, -on other platforms, is in the libpcap library. - -
- -After capture, you can search for text by selecting Edit→Find -Packet... and making sure String is selected. Alternately, you can -use the "contains" display filter operator or "matches" operator if it's -supported on your system. -""") - -question(""" -How do I filter a capture to see traffic for virus XXX? -""") - -answer(""" -For some viruses/worms there might be a capture filter to recognize the -virus traffic. Check the CaptureFilters page -on the Wireshark Wiki to see if -anybody's added such a filter. - -
- -Note that Wireshark was not designed to be an intrusion detection system; -you might be able to use it as an IDS, but in most cases software -designed to be an IDS, such as Snort -or Prelude, will probably work -better. -""") - -################################################################# -if __name__ == '__main__': - sys.exit(main()) -################################################################# diff --git a/help/getting_started.txt b/help/getting_started.txt deleted file mode 100644 index 8e69889e95..0000000000 --- a/help/getting_started.txt +++ /dev/null @@ -1,91 +0,0 @@ -Getting started ---------------- -This text will try to take you though the first steps of using Wireshark. - - -Display -------- -When you start Wireshark, you will see the program window vertically divided into the following parts: - --window title --menu --main toolbar --packet list (empty) --packet details (empty) --packet bytes (empty) --statusbar (with filter toolbar) - -As Wireshark has no packet data when started, most of the program's window is just empty. - -Many of the features available in the menu will also be on the main toolbar. - -First capture file ------------------- -The first thing you probably want to do is look at some captured network data/packets. -This can be achieved by two methods: - --open an already existing capture file --capture something from your own network - -It might be easier to start with an example capture file from "http://www.wireshark.org/sample" before capturing your own data. - -You can open a capture file through the menu "File->Open..." (or the toolbar). - -Please note: the common file extension for capture files is ".cap" (or ".cap.gz" for gzipped ones). - -After opening a capture file, you will hopefully see some more packet data on the screen. :-) - -Display fields --------------- -In the "packet list", you will see several columns with a packet number, timestamp(s), addresses and a protocol specific summary of that packet. Here you can select a packet to be shown in the "packet details" below. - -In the "packet details", the details of the currently selected packet are shown. You can expand the tree nodes to get even more details about that packet. - -The "packet bytes" will simply show all the packet data in a hexdump style. It will show the same packet as in the "packet details", only with a different representation. -When you select something in the "packet details", it will be highlighted in the "packet bytes" and vice-versa. - -All three display fields have their own context menu, available by clicking the right mouse button inside that part of the window. - -How to analyze protocol specific network data itself is not in the scope of this text. - -Display filters ---------------- -You can reduce the number of packets shown (to filter out the uninteresting ones) by setting a display filter. Please see "Display Filters" in this help dialog for further information how the display filters should be used. - -Coloring Rules --------------- -The packet list can be colored; this means applying different colors for different packets. For example you could choose to have all HTTP packets shown in red and all other TCP traffic shown in yellow. There are two types of color rules, temporary (only used in this session) and permanent (save between sessions). - -Temporary coloring rules can be created by either pressing and one of the number keys (0-9). This will create a conversation color rule based on the currently selected packet. Temporary color rules can also be added by choosing "color X" from different menus. - -Under "View->Coloring Rules..." you will see a list of permanentcolor rules. This list is processed for each packet from top to bottom, until one of the rules matches (in which case the color settings of that rule are used for that packet). If no rule matches, the packet will not be colored at all. - -Please note: setting lots of color rules can slow down processing time a bit when showing huge capture files. - -Other display things --------------------- -You can mark packets, so that you can easily find packets of interest again later. -You can set a time reference, if you are interested in seeing timings relative to a specific packet (e.g. get time differences relative to the start of some data transfer). -But remember: These settings will not be saved - they are forgotten when the capture file is closed. - - -Capture from the network ------------------------- -Most likely you will now want to get some "real life" packet data captured from your own network interface. - -When opening the capture dialog with "Capture->Start...", you will see lots of settings to choose from. For your first test, just keep the default settings. - -After clicking "OK", the capture starts and a dialog shows up, giving the actual count of captured packets and some very basic packet statistics. - -When you stop the capture, you will get the same screen as if you had opened a capture file from disk, using the "File->Open" command. - -See the "Capturing" section of this help for further information about capturing. - - -Conclusion ----------- -There are a lot more features than described here. Just have a look at the menus to see them all. :-) - -For more information about Wireshark, see: "http://www.wireshark.org". You can get a user's guide and other useful information there. - -We hope this helped you with the first steps of using Wireshark and that you will enjoy using this program. diff --git a/help/overview.txt b/help/overview.txt deleted file mode 100644 index 03d4ea2a27..0000000000 --- a/help/overview.txt +++ /dev/null @@ -1,36 +0,0 @@ -Wireshark is a GUI network protocol analyzer. - -It lets you interactively browse packet data from a live network or from a previously saved capture file. - -See: http://www.wireshark.org for new versions, documentation, ... - -Wireshark's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools. So Wireshark can read capture files from: - --libpcap/WinPcap, tcpdump and various other tools using tcpdump's capture format --snoop and atmsnoop --Shomiti/Finisar Surveyor captures --Novell LANalyzer captures --Microsoft Network Monitor captures --AIX's iptrace captures --Cinco Networks NetXRay captures --Network Associates Windows-based Sniffer captures --Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures --AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/PacketGrabber captures --RADCOM's WAN/LAN analyzer captures --Network Instruments Observer version 9 captures --Lucent/Ascend router debug output --files from HP-UX's nettl --Toshiba's ISDN routers dump output --the output from i4btrace from the ISDN4BSD project --traces from the EyeSDN USB S0. --the output in IPLog format from the Cisco Secure Intrusion Detection System --pppd logs (pppdump format) --the output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities --the text output from the DBS Etherwatch VMS utility --Visual Networks' Visual UpTime traffic capture --the output from CoSine L2 debug --the output from Accellent's 5Views LAN agents --Endace Measurement Systems' ERF format captures --Linux Bluez Bluetooth stack hcidump -w traces - -There is no need to tell Wireshark what type of file you are reading; it will determine the file type by itself. Wireshark is also capable of reading any of these file formats if they are compressed using gzip. Wireshark recognizes this directly from the file; the '.gz' extension is not required for this purpose. diff --git a/help/toc b/help/toc deleted file mode 100644 index da500082c7..0000000000 --- a/help/toc +++ /dev/null @@ -1,6 +0,0 @@ -Overview:overview.txt -Getting started:getting_started.txt -Capturing:capturing.txt -Capture Filters:capture_filters.txt -Display Filters:display_filters.txt -FAQ:faq.txt diff --git a/packaging/nsis/CMakeLists.txt b/packaging/nsis/CMakeLists.txt index 1a5a8aec9a..1439de94ff 100644 --- a/packaging/nsis/CMakeLists.txt +++ b/packaging/nsis/CMakeLists.txt @@ -35,7 +35,7 @@ set(PROGRAM_NAME ${CMAKE_PROJECT_NAME}) file(TO_NATIVE_PATH "${CMAKE_SOURCE_DIR}" TOP_SRC_DIR) # STAGING_DIR depends on the build configuration so we pass it # on the command line below. -file(TO_NATIVE_PATH "${CMAKE_BINARY_DIR}/docbook" USER_GUIDE_DIR) +file(TO_NATIVE_PATH "${CMAKE_BINARY_DIR}/docbook" DOCBOOK_DIR) if(WIRESHARK_TARGET_PLATFORM STREQUAL "win32") set(TARGET_MACHINE x86) elseif(WIRESHARK_TARGET_PLATFORM STREQUAL "win64") @@ -204,6 +204,7 @@ macro( ADD_NSIS_PACKAGE_TARGET ) ${NSIS_FILES} copy_data_files user_guide_chm + faq_html ${DATAFILE_DIR}/uninstall.exe ) set_target_properties(nsis_package_prep PROPERTIES FOLDER "Packaging") diff --git a/packaging/nsis/config.nsh.in b/packaging/nsis/config.nsh.in index b75be6d3b4..78ae18092e 100644 --- a/packaging/nsis/config.nsh.in +++ b/packaging/nsis/config.nsh.in @@ -23,7 +23,7 @@ #cmakedefine MMDBRESOLVE_EXE @MMDBRESOLVE_EXE@ -#cmakedefine USER_GUIDE_DIR "@USER_GUIDE_DIR@" +#cmakedefine DOCBOOK_DIR "@DOCBOOK_DIR@" #cmakedefine SMI_DIR "@SMI_DIR@" diff --git a/packaging/nsis/wireshark.nsi b/packaging/nsis/wireshark.nsi index 6cf9654dff..06625648af 100644 --- a/packaging/nsis/wireshark.nsi +++ b/packaging/nsis/wireshark.nsi @@ -1159,11 +1159,12 @@ SectionEnd SectionGroupEnd ; "Tools" -!ifdef USER_GUIDE_DIR -Section "User's Guide" SecUsersGuide +!ifdef DOCBOOK_DIR +Section "Documentation" SecDocumentation ;------------------------------------------- SetOutPath $INSTDIR -File "${USER_GUIDE_DIR}\user-guide.chm" +File "${DOCBOOK_DIR}\user-guide.chm" +File "${DOCBOOK_DIR}\faq.html" SectionEnd !endif @@ -1215,8 +1216,8 @@ SectionEnd !insertmacro MUI_DESCRIPTION_TEXT ${SecRandpkt} "Random packet generator." !insertmacro MUI_DESCRIPTION_TEXT ${SecMMDBResolve} "MaxMind Database resolution tool" -!ifdef USER_GUIDE_DIR - !insertmacro MUI_DESCRIPTION_TEXT ${SecUsersGuide} "Install an offline copy of the User's Guide." +!ifdef DOCBOOK_DIR + !insertmacro MUI_DESCRIPTION_TEXT ${SecDocumentation} "Install an offline copy of the User's Guide and FAQ." !endif !insertmacro MUI_FUNCTION_DESCRIPTION_END diff --git a/packaging/wix/CMakeLists.txt b/packaging/wix/CMakeLists.txt index abff036480..7011f0f7ef 100644 --- a/packaging/wix/CMakeLists.txt +++ b/packaging/wix/CMakeLists.txt @@ -58,7 +58,7 @@ set(PROGRAM_NAME ${CMAKE_PROJECT_NAME}) file(TO_NATIVE_PATH "${CMAKE_SOURCE_DIR}" TOP_SRC_DIR) # STAGING_DIR depends on the build configuration so we pass it # on the command line below. -file(TO_NATIVE_PATH "${CMAKE_BINARY_DIR}/docbook" USER_GUIDE_DIR) +file(TO_NATIVE_PATH "${CMAKE_BINARY_DIR}/docbook" DOCBOOK_DIR) if(WIRESHARK_TARGET_PLATFORM STREQUAL "win32") set(TARGET_MACHINE x86) elseif(WIRESHARK_TARGET_PLATFORM STREQUAL "win64") @@ -264,6 +264,7 @@ macro( ADD_WIX_PACKAGE_TARGET ) ${WIX_FILES} copy_data_files user_guide_chm + faq_html ) set_target_properties(wix_package_prep PROPERTIES FOLDER "Packaging") diff --git a/packaging/wix/ComponentGroups.wxi b/packaging/wix/ComponentGroups.wxi index ba4709fc59..03f4caf851 100644 --- a/packaging/wix/ComponentGroups.wxi +++ b/packaging/wix/ComponentGroups.wxi @@ -221,44 +221,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -569,18 +531,27 @@ - + - + + + + + + + + + - + + diff --git a/packaging/wix/Features.wxi b/packaging/wix/Features.wxi index 102de25704..8f441fda24 100644 --- a/packaging/wix/Features.wxi +++ b/packaging/wix/Features.wxi @@ -20,7 +20,6 @@ - @@ -91,9 +90,9 @@ - - - + + + diff --git a/ui/help_url.c b/ui/help_url.c index 5875754440..d8aee0ffb6 100644 --- a/ui/help_url.c +++ b/ui/help_url.c @@ -44,7 +44,7 @@ topic_online_url(topic_action_e action) return "https://www.wireshark.org/docs/wsug_html_chunked/"; break; case(ONLINEPAGE_FAQ): - return "http://www.wireshark.org/faq.html"; + return "https://www.wireshark.org/faq.html"; break; case(ONLINEPAGE_ASK): return "https://ask.wireshark.org";