forked from osmocom/wireshark
parent cec5c81ac3
commit a0b0489617
338 FAQ
@ -48,15 +48,12 @@
|
|||
|
||||
when I try to build Ethereal from CVS or a CVS snapshot?
|
||||
|
||||
4.3 The link failed because of an undefined reference to
|
||||
snmp_set_full_objid.
|
||||
|
||||
4.4 The link fails with a number of "Output line too long." messages
|
||||
4.3 The link fails with a number of "Output line too long." messages
|
||||
followed by linker errors.
|
||||
|
||||
4.5 The link fails on Solaris because plugin_list is undefined.
|
||||
4.4 The link fails on Solaris because plugin_list is undefined.
|
||||
|
||||
4.6 The build fails on Windows because of conflicts between winsock.h
|
||||
4.5 The build fails on Windows because of conflicts between winsock.h
|
||||
and winsock2.h.
|
||||
|
||||
Using Ethereal:
|
||||
|
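Review bot: Dropping the snmp_set_full_objid entry from the table of contents and renumbering 4.4 to 4.6 as 4.3 to 4.5 must move in lockstep with the body headings; the later hunks at -668, -704 and -717 do renumber Q 4.3, Q 4.4 and Q 4.5 to match, so nothing dangles. Because every later entry shifts, any text that named a section by number would now be stale; the answers in this file refer to "the previous question" or "this earlier question" rather than to numbers, which survives the shift but is ambiguous in the plain-text rendering.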
@ -69,65 +66,69 @@
|
|||
machine, even though another sniffer on the network sees those
|
||||
packets.
|
||||
|
||||
5.3 I can set a display filter just fine, but capture filters don't
|
||||
5.3 I'm only seeing ARP packets when I try to capture traffic.
|
||||
|
||||
5.4 How do I put an interface into promiscuous mode?
|
||||
|
||||
5.5 I can set a display filter just fine, but capture filters don't
|
||||
work.
|
||||
|
||||
5.4 I'm entering valid capture filters, but I still get "parse error"
|
||||
5.6 I'm entering valid capture filters, but I still get "parse error"
|
||||
errors.
|
||||
|
||||
5.5 I saved a filter and tried to use its name to filter the display,
|
||||
5.7 I saved a filter and tried to use its name to filter the display,
|
||||
but I got an "Unexpected end of filter string" error.
|
||||
|
||||
5.6 Why am I seeing lots of packets with incorrect TCP checksums?
|
||||
5.8 Why am I seeing lots of packets with incorrect TCP checksums?
|
||||
|
||||
5.7 I've just installed Ethereal, and the traffic on my local LAN is
|
||||
5.9 I've just installed Ethereal, and the traffic on my local LAN is
|
||||
boring.
|
||||
|
||||
5.8 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
|
||||
5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
|
||||
start it.
|
||||
|
||||
5.9 I'm running Ethereal on Linux; why do my time stamps have only
|
||||
5.11 I'm running Ethereal on Linux; why do my time stamps have only
|
||||
100ms resolution, rather than 1us resolution?
|
||||
|
||||
5.10 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
|
||||
5.12 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
|
||||
why are the time stamps on packets wrong?
|
||||
|
||||
5.11 When I try to run Ethereal on Windows, it fails to run because it
|
||||
5.13 When I try to run Ethereal on Windows, it fails to run because it
|
||||
can't find packet.dll.
|
||||
|
||||
5.12 Why does some network interface on my machine not show up in the
|
||||
5.14 Why does some network interface on my machine not show up in the
|
||||
list of interfaces in the "Interface:" field in the dialog box popped
|
||||
up by "Capture->Start", and/or why does Ethereal give me an error if I
|
||||
try to capture on that interface?
|
||||
|
||||
5.13 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
|
||||
5.15 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
|
||||
a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
|
||||
"Interface" item in the "Capture Options" dialog box. Why can no
|
||||
packets be sent on or received from that network while I'm trying to
|
||||
capture traffic on that interface?
|
||||
|
||||
5.14 I'm running Ethereal on Windows 95/98/Me, on a machine with more
|
||||
5.16 I'm running Ethereal on Windows 95/98/Me, on a machine with more
|
||||
than one network adapter of the same type; Ethereal shows all of those
|
||||
adapters with the same name, but I can't use any of those adapters
|
||||
other than the first one.
|
||||
|
||||
5.15 I have an XXX network card on my machine; if I try to capture on
|
||||
5.17 I have an XXX network card on my machine; if I try to capture on
|
||||
it, my machine crashes or resets itself.
|
||||
|
||||
5.16 My machine crashes or resets itself when I select "Start" from
|
||||
5.18 My machine crashes or resets itself when I select "Start" from
|
||||
the "Capture" menu or select "Preferences" from the "Edit" menu.
|
||||
|
||||
5.17 Does Ethereal work on Windows ME?
|
||||
5.19 Does Ethereal work on Windows ME?
|
||||
|
||||
5.18 Does Ethereal work on Windows XP?
|
||||
5.20 Does Ethereal work on Windows XP?
|
||||
|
||||
5.19 Why doesn't Ethereal correctly identify RTP packets? It shows
|
||||
5.21 Why doesn't Ethereal correctly identify RTP packets? It shows
|
||||
them only as UDP.
|
||||
|
||||
5.20 Why doesn't Ethereal show Yahoo Messenger packets in captures
|
||||
5.22 Why doesn't Ethereal show Yahoo Messenger packets in captures
|
||||
that contain Yahoo Messenger traffic?
|
||||
|
||||
5.21 Why do I get the error
|
||||
5.23 Why do I get the error
|
||||
|
||||
Gdk-ERROR **: Palettized display (256-colour) mode not supported on
|
||||
Windows.
|
||||
|
@ -135,22 +136,22 @@
|
|||
|
||||
when I try to run Ethereal on Windows?
|
||||
|
||||
5.22 When I capture on Windows in promiscuous mode, I can see packets
|
||||
5.24 When I capture on Windows in promiscuous mode, I can see packets
|
||||
other than those sent to or from my machine; however, those packets
|
||||
show up with a "Short Frame" indication, unlike packets to or from my
|
||||
machine. What should I do to arrange that I see those packets in their
|
||||
entirety?
|
||||
|
||||
5.23 How can I capture raw 802.11 packets, including non-data
|
||||
5.25 How can I capture raw 802.11 packets, including non-data
|
||||
(management, beacon) packets?
|
||||
|
||||
5.24 How can I capture packets with CRC errors?
|
||||
5.26 How can I capture packets with CRC errors?
|
||||
|
||||
5.25 How can I capture entire frames, including the FCS?
|
||||
5.27 How can I capture entire frames, including the FCS?
|
||||
|
||||
5.26 Ethereal hangs after I stop a capture.
|
||||
5.28 Ethereal hangs after I stop a capture.
|
||||
|
||||
5.27 How can I search for, or filter, packets that have a particular
|
||||
5.29 How can I search for, or filter, packets that have a particular
|
||||
string anywhere in them?
|
||||
|
||||
GENERAL QUESTIONS
|
||||
|
@ -162,7 +163,7 @@
|
|||
|
||||
Q 1.2: What protocols are currently supported?
|
||||
|
||||
A: There are currently 355 supported protocols and media, listed
|
||||
A: There are currently 366 supported protocols and media, listed
|
||||
below. Descriptions can be found in the ethereal(1) man page.
|
||||
|
||||
802.1q Virtual LAN
|
||||
|
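Review bot: The count change from 355 to 366 is consistent with the protocol-list hunks that follow: their headers show net additions of +2 (-280,6 +281,8), +1, +1, +1, +1, +1, +1, +2 (-498,7 +507,9) and +1, i.e. 11 new entries, with the -249,11 +250,11 hunk being a one-for-one replacement. Since this number is maintained by hand, it would be less fragile to derive it from the list when the FAQ is regenerated rather than editing it alongside each dissector addition.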
@ -249,11 +250,11 @@
|
|||
Distance Vector Multicast Routing Protocol
|
||||
Distributed Checksum Clearinghouse Prototocl
|
||||
Domain Name Service
|
||||
Dummy Protocol
|
||||
Dynamic DNS Tools Protocol
|
||||
Encapsulating Security Payload
|
||||
Enhanced Interior Gateway Routing Protocol
|
||||
Ethernet
|
||||
Ethernet over IP
|
||||
Extensible Authentication Protocol
|
||||
FC Extended Link Svc
|
||||
FC Fabric Configuration Server
|
||||
|
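Review bot: "Distributed Checksum Clearinghouse Prototocl" misspells "Protocol"; suggest "Distributed Checksum Clearinghouse Protocol". This hunk swaps one entry for another at the same line count, so also confirm the new line lands in sorted position; the visible order (Distance Vector, Distributed, Domain Name Service, Dummy Protocol, Dynamic DNS) is alphabetical.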
@ -280,6 +281,8 @@
|
|||
Generic Routing Encapsulation
|
||||
Generic Security Service Application Program Interface
|
||||
Gnutella Protocol
|
||||
HP Extended Local-Link Control
|
||||
HP Remote Maintenance Protocol
|
||||
Hummingbird NFS Daemon
|
||||
HyperSCSI
|
||||
Hypertext Transfer Protocol
|
||||
|
@ -335,6 +338,7 @@
|
|||
MDS Header
|
||||
MMS Message Encapsulation
|
||||
MS Proxy Protocol
|
||||
MSN Messenger Service
|
||||
MSNIP: Multicast Source Notification of Interest Protocol
|
||||
MTP 2 Transparent Proxy
|
||||
MTP 2 User Adaptation Layer
|
||||
|
@ -358,6 +362,7 @@
|
|||
Microsoft Windows Logon Protocol
|
||||
Microsoft Workstation Service
|
||||
Mobile IP
|
||||
Mobile IPv6
|
||||
Modbus/TCP
|
||||
Mount Service
|
||||
MultiProtocol Label Switching Header
|
||||
|
@ -388,6 +393,7 @@
|
|||
Novell Distributed Print System
|
||||
Null/Loopback
|
||||
Open Shortest Path First
|
||||
OpenBSD Encapsulating device
|
||||
OpenBSD Packet Filter log file
|
||||
PC NFS
|
||||
PPP Bandwidth Allocation Control Protocol
|
||||
|
@ -427,6 +433,7 @@
|
|||
RIPng
|
||||
RPC Browser
|
||||
RSTAT
|
||||
RSYNC File Synchroniser
|
||||
RX Protocol
|
||||
Radio Access Network Application Part
|
||||
Radius Protocol
|
||||
|
@ -459,6 +466,7 @@
|
|||
SPRAY
|
||||
SS7 SCCP-User Adaptation Layer
|
||||
SSCOP
|
||||
SSH Protocol
|
||||
Secure Socket Layer
|
||||
Sequenced Packet eXchange
|
||||
Service Advertisement Protocol
|
||||
|
@ -481,6 +489,7 @@
|
|||
Synchronous Data Link Control (SDLC)
|
||||
Syslog message
|
||||
Systems Network Architecture
|
||||
Systems Network Architecture XID
|
||||
TACACS
|
||||
TACACS+
|
||||
TPKT
|
||||
|
@ -498,7 +507,9 @@
|
|||
User Datagram Protocol
|
||||
Virtual Router Redundancy Protocol
|
||||
Virtual Trunking Protocol
|
||||
WAP Binary XML
|
||||
Web Cache Coordination Protocol
|
||||
Wellfleet Breath of Life
|
||||
Wellfleet Compression
|
||||
Wellfleet HDLC
|
||||
Who
|
||||
|
@ -513,6 +524,7 @@
|
|||
X11
|
||||
Xyplex
|
||||
Yahoo Messenger Protocol
|
||||
Yahoo YMSG Messenger Protocol
|
||||
Yellow Pages Bind
|
||||
Yellow Pages Passwd
|
||||
Yellow Pages Service
|
||||
|
@ -668,28 +680,7 @@
|
|||
machine). There is a bug in that version of automake that causes this
|
||||
problem; upgrade to a later version of automake (1.6 or later).
|
||||
|
||||
Q 4.3: The link failed because of an undefined reference to
|
||||
snmp_set_full_objid.
|
||||
|
||||
A: You probably have the shared library for UCD SNMP 4.1.1 installed
|
||||
(so that snmp_set_full_objid is a macro, rather than a routine in the
|
||||
SNMP shared library), but the `development' package for an earlier or
|
||||
later UCD SNMP library (so that snmp_set_full_objid is not defined as
|
||||
a macro, causing Ethereal to attempt to call it as a routine).
|
||||
|
||||
If you are on a Linux system that uses RPMs, and the UCD SNMP packages
|
||||
are installed as RPMs, the command rpm -qa | grep snmp will report the
|
||||
versions of the SNMP packages you have installed; they should all have
|
||||
the same version number, such as 4.0.1 or 4.1.1 or 4.1.2. If they
|
||||
don't, remove the RPM for the development package (which will probably
|
||||
have a name beginning with ucd-snmp-devel) and install the version of
|
||||
the development package with the same version number as the other
|
||||
ucd-snmp packages have.
|
||||
|
||||
After installing the 4.1.1 version of the UCD SNMP header files, do a
|
||||
make clean and then rebuild Ethereal.
|
||||
|
||||
Q 4.4: The link fails with a number of "Output line too long."
|
||||
Q 4.3: The link fails with a number of "Output line too long."
|
||||
messages followed by linker errors.
|
||||
|
||||
A: The version of the sed command on your system is incapable of
|
||||
|
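Review bot: Removing the Q 4.3 answer about mismatched UCD SNMP packages is consistent with the table-of-contents change in the first hunk, and the following heading is renumbered from Q 4.4 to Q 4.3, so nothing dangles. Note that this drops the only place the FAQ told users to compare `rpm -qa | grep snmp` output across the ucd-snmp and ucd-snmp-devel packages; if an undefined reference to snmp_set_full_objid can still occur with mismatched SNMP packages, consider keeping a shortened form of that advice under a build-troubleshooting entry.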
@ -704,7 +695,7 @@
|
|||
searching the directory with the version of sed that came with the OS
|
||||
should make the problem go away.
|
||||
|
||||
Q 4.5: The link fails on Solaris because plugin_list is undefined.
|
||||
Q 4.4: The link fails on Solaris because plugin_list is undefined.
|
||||
|
||||
A: This appears to be due to a problem with some versions of the GTK+
|
||||
and GLib packages from www.sunfreeware.org; un-install those packages,
|
||||
|
@ -717,7 +708,7 @@
|
|||
persists, un-install them and try installing one of the other versions
|
||||
mentioned.)
|
||||
|
||||
Q 4.6: The build fails on Windows because of conflicts between
|
||||
Q 4.5: The build fails on Windows because of conflicts between
|
||||
winsock.h and winsock2.h.
|
||||
|
||||
A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and
|
||||
|
@ -761,9 +752,9 @@
|
|||
this. See, for example:
|
||||
* this documentation from Cisco on the Switched Port Analyzer (SPAN)
|
||||
feature on Catalyst switches;
|
||||
* documentation from HP on how to set `monitoring'/`mirroring' on
|
||||
* documentation from HP on how to set "monitoring"/"mirroring" on
|
||||
ports on the console for HP Advancestack Switch 208 and 224;
|
||||
* the `Network Monitoring Port Features' section of chapter 6 of
|
||||
* the "Network Monitoring Port Features" section of chapter 6 of
|
||||
documentation from HP for HP ProCurve Switches 1600M, 2424M,
|
||||
4000M, and 8000M.
|
||||
|
||||
|
@ -815,7 +806,10 @@
|
|||
In the case of token ring interfaces, the drivers for some of them, on
|
||||
Windows, may require you to enable promiscuous mode in order to
|
||||
capture in promiscuous mode. Ask the vendor of the card how to do
|
||||
this.
|
||||
this, or see, for example, this information on promiscuous mode on
|
||||
some Madge token ring adapters (note that those cards can have
|
||||
promiscuous mode disabled permanently, in which case you can't enable
|
||||
it).
|
||||
|
||||
In the case of wireless LAN interfaces, it appears that, when those
|
||||
interfaces are promiscuously sniffing, they're running in a
|
||||
|
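Review bot: The added sentence "see, for example, this information on promiscuous mode on some Madge token ring adapters" reads like an HTML hyperlink whose target does not survive in the plain-text FAQ; there is no URL in these lines for a reader to follow. If this text file is generated from the HTML source, emit the link target in parentheses after the anchor text; otherwise spell out the URL here. The same applies to the "this earlier question" references added elsewhere in this patch.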
@ -846,10 +840,42 @@
|
|||
traffic, it's a problem with unicast traffic, as you also won't see
|
||||
all UDP traffic between other machines.
|
||||
|
||||
I.e., this is probably the same problem discussed in the previous
|
||||
question; see the response to that question.
|
||||
I.e., this is probably the same question as this earlier one; see the
|
||||
response to that question.
|
||||
|
||||
Q 5.3: I can set a display filter just fine, but capture filters don't
|
||||
Q 5.3: I'm only seeing ARP packets when I try to capture traffic.
|
||||
|
||||
A: You're probably on a switched network, and running Ethereal on a
|
||||
machine that's not sending traffic to the switch and not being sent
|
||||
any traffic from other machines on the switch. ARP packets are often
|
||||
broadcast packets, which are sent to all switch ports.
|
||||
|
||||
I.e., this is probably the same question as this earlier one; see the
|
||||
response to that question.
|
||||
|
||||
Q 5.4: How do I put an interface into promiscuous mode?
|
||||
|
||||
A: By not disabling promiscuous mode when running Ethereal or
|
||||
Tethereal.
|
||||
|
||||
Note, however, that:
|
||||
* the form of promiscuous mode that libpcap (the library that
|
||||
programs such as tcpdump, Ethereal, etc. use to do packet capture)
|
||||
turns on will not necessarily be shown if you run ifconfig on the
|
||||
interface on a UNIX system;
|
||||
* some network interfaces might not support promiscuous mode, and
|
||||
some drivers might not allow promiscuous mode to be turned on -
|
||||
see this earlier question for more information on that;
|
||||
* the fact that you're not seeing any traffic, or are only seeing
|
||||
broadcast traffic, or aren't seeing any non-broadcast traffic
|
||||
other than traffic to or from the machine running Ethereal, does
|
||||
not mean that promiscuous mode isn't on - see this earlier
|
||||
question for more information on that.
|
||||
|
||||
I.e., this is probably the same question as this earlier one; see the
|
||||
response to that question.
|
||||
|
||||
Q 5.5: I can set a display filter just fine, but capture filters don't
|
||||
work.
|
||||
|
||||
A: Capture filters currently use a different syntax than display
|
||||
|
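Review bot: The closing paragraph of the new Q 5.4 answer ("I.e., this is probably the same question as this earlier one; see the response to that question.") looks like an accidental copy of the last paragraph of Q 5.3: Q 5.4 asks how to enable promiscuous mode, which is not a restatement of an earlier question, and the sentence contradicts the bullet list that precedes it. Suggest deleting it. The rest of the answer is worth keeping as written, in particular the point that the promiscuous mode libpcap turns on is not necessarily shown by ifconfig on a UNIX system, which matters to anyone checking whether a host is sniffing; consider replacing the bare "this earlier question" references in the bullets with the question numbers they mean, so the text rendering is unambiguous.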
@ -869,7 +895,7 @@
|
|||
The capture filter syntax used by libpcap can be found in the
|
||||
tcpdump(8) man page.
|
||||
|
||||
Q 5.4: I'm entering valid capture filters, but I still get "parse
|
||||
Q 5.6: I'm entering valid capture filters, but I still get "parse
|
||||
error" errors.
|
||||
|
||||
A: There is a bug in some versions of libpcap/WinPcap that cause it to
|
||||
|
@ -901,7 +927,7 @@
|
|||
WinPcap, you will need to un-install WinPcap and then download and
|
||||
install WinPcap 2.3.
|
||||
|
||||
Q 5.5: I saved a filter and tried to use its name to filter the
|
||||
Q 5.7: I saved a filter and tried to use its name to filter the
|
||||
display, but I got an "Unexpected end of filter string" error.
|
||||
|
||||
A: You cannot use the name of a saved display filter as a filter. To
|
||||
|
@ -912,7 +938,7 @@
|
|||
use a saved filter, you can press the "Filter:" button, select the
|
||||
filter in the dialog box that pops up, and press the "OK" button.
|
||||
|
||||
Q 5.6: Why am I seeing lots of packets with incorrect TCP checksums?
|
||||
Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums?
|
||||
|
||||
A: If the packets that have incorrect TCP checksums are all being sent
|
||||
by the machine on which Ethereal is running, this is probably because
|
||||
|
@ -944,14 +970,14 @@
|
|||
tcp.check_checksum:false command-line flag, or manually set in your
|
||||
preferences file by adding a tcp.check_checksum:false line.
|
||||
|
||||
Q 5.7: I've just installed Ethereal, and the traffic on my local LAN
|
||||
Q 5.9: I've just installed Ethereal, and the traffic on my local LAN
|
||||
is boring.
|
||||
|
||||
A: We have a collection of strange and exotic sample capture files at
|
||||
http://www.ethereal.com/sample/
|
||||
|
||||
Q 5.8: When I run Ethereal on Solaris 8, it dies with a Bus Error when
|
||||
I start it.
|
||||
Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error
|
||||
when I start it.
|
||||
|
||||
A: Some versions of the GTK+ library from www.sunfreeware.org appear
|
||||
to be buggy, causing Ethereal to drop core with a Bus Error.
|
||||
|
@ -968,7 +994,7 @@
|
|||
Similar problems may exist with older versions of GTK+ for earlier
|
||||
versions of Solaris.
|
||||
|
||||
Q 5.9: I'm running Ethereal on Linux; why do my time stamps have only
|
||||
Q 5.11: I'm running Ethereal on Linux; why do my time stamps have only
|
||||
100ms resolution, rather than 1us resolution?
|
||||
|
||||
A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
|
||||
|
@ -994,16 +1020,16 @@
|
|||
have to run a standard kernel from kernel.org in order to get
|
||||
high-resolution time stamps.
|
||||
|
||||
Q 5.10: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
|
||||
Q 5.12: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
|
||||
why are the time stamps on packets wrong?
|
||||
|
||||
A: This is due to a bug in WinPcap. The bug should be fixed in the
|
||||
WinPcap 3.0 alpha release - note that it's an alpha release, so it may
|
||||
WinPcap 3.0 beta release - note that it's an beta release, so it may
|
||||
be buggier than the current production release of WinPcap; please
|
||||
report those bugs to the WinPcap developers, and help them try to
|
||||
track down the problem, so that they can fix it for the final release.
|
||||
|
||||
Q 5.11: When I try to run Ethereal on Windows, it fails to run because
|
||||
Q 5.13: When I try to run Ethereal on Windows, it fails to run because
|
||||
it can't find packet.dll.
|
||||
|
||||
A: In older versions of Ethereal, there were two binary distributions
|
||||
|
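Review bot: "it's an beta release" in the rewritten Q 5.12 answer should read "it's a beta release"; the article was not updated when "alpha" was replaced by "beta". Suggest:
WinPcap 3.0 beta release - note that it's a beta release, so it may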
@ -1020,7 +1046,7 @@
|
|||
Web site, the local mirror of the WinPcap Web site, or the
|
||||
Wiretapped.net mirror of the WinPcap site.
|
||||
|
||||
Q 5.12: Why does some network interface on my machine not show up in
|
||||
Q 5.14: Why does some network interface on my machine not show up in
|
||||
the list of interfaces in the "Interface:" field in the dialog box
|
||||
popped up by "Capture->Start", and/or why does Ethereal give me an
|
||||
error if I try to capture on that interface?
|
||||
|
@ -1145,7 +1171,7 @@
|
|||
details of the problem, as described above, and also indicate that the
|
||||
problem occurs with tcpdump/WinDump, not just with Ethereal.
|
||||
|
||||
Q 5.13: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
|
||||
Q 5.15: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
|
||||
has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
|
||||
"Interface" item in the "Capture Options" dialog box. Why can no
|
||||
packets be sent on or received from that network while I'm trying to
|
||||
|
@ -1159,7 +1185,7 @@
|
|||
Preferences" dialog box, but this may mean that outgoing packets, or
|
||||
incoming packets, won't be seen in the capture.
|
||||
|
||||
Q 5.14: I'm running Ethereal on Windows 95/98/Me, on a machine with
|
||||
Q 5.16: I'm running Ethereal on Windows 95/98/Me, on a machine with
|
||||
more than one network adapter of the same type; Ethereal shows all of
|
||||
those adapters with the same name, but I can't use any of those
|
||||
adapters other than the first one.
|
||||
|
@ -1170,7 +1196,7 @@
|
|||
capture only on the first such interface; Ethereal is a
|
||||
libpcap/WinPcap-based application.
|
||||
|
||||
Q 5.15: I have an XXX network card on my machine; if I try to capture
|
||||
Q 5.17: I have an XXX network card on my machine; if I try to capture
|
||||
on it, my machine crashes or resets itself.
|
||||
|
||||
A: This is almost certainly a problem with one or more of:
|
||||
|
@ -1188,7 +1214,7 @@
|
|||
Linux distribution, report the problem to whoever produces the
|
||||
distribution).
|
||||
|
||||
Q 5.16: My machine crashes or resets itself when I select "Start" from
|
||||
Q 5.18: My machine crashes or resets itself when I select "Start" from
|
||||
the "Capture" menu or select "Preferences" from the "Edit" menu.
|
||||
|
||||
A: Both of those operations cause Ethereal to try to build a list of
|
||||
|
@ -1197,20 +1223,20 @@
|
|||
or, for Windows, WinPcap bug that causes the system to crash when this
|
||||
happens; see the previous question.
|
||||
|
||||
Q 5.17: Does Ethereal work on Windows ME?
|
||||
Q 5.19: Does Ethereal work on Windows ME?
|
||||
|
||||
A: Yes, but if you want to capture packets, you will need to install
|
||||
the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
|
||||
didn't support Windows ME. You should also install the latest version
|
||||
of Ethereal as well.
|
||||
|
||||
Q 5.18: Does Ethereal work on Windows XP?
|
||||
Q 5.20: Does Ethereal work on Windows XP?
|
||||
|
||||
A: Yes, but if you want to capture packets, you will need to install
|
||||
the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
|
||||
didn't support Windows XP.
|
||||
|
||||
Q 5.19: Why doesn't Ethereal correctly identify RTP packets? It shows
|
||||
Q 5.21: Why doesn't Ethereal correctly identify RTP packets? It shows
|
||||
them only as UDP.
|
||||
|
||||
A: Ethereal can identify a UDP datagram as containing a packet of a
|
||||
|
@ -1243,20 +1269,17 @@
|
|||
both the source and destination ports of the packet should be
|
||||
dissected as some particular protocol.
|
||||
|
||||
Q 5.20: Why doesn't Ethereal show Yahoo Messenger packets in captures
|
||||
Q 5.22: Why doesn't Ethereal show Yahoo Messenger packets in captures
|
||||
that contain Yahoo Messenger traffic?
|
||||
|
||||
A: Ethereal only recognizes as Yahoo Messenger traffic packets to or
|
||||
from TCP port 3050 that begin with "YPNS" or "YHOO". This means that
|
||||
1. TCP segments that start with the middle of a Yahoo Messenger
|
||||
packet that takes more than one TCP segment will not be recognized
|
||||
as Yahoo Messenger packets (even if the TCP segment also contains
|
||||
the beginning of another Yahoo Messenger packet);
|
||||
2. Yahoo Messenger packets that begin with "YMSG", as packets for
|
||||
some versions of the protocol apparently do, will not be
|
||||
recognized as Yahoo Messenger packets.
|
||||
from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
|
||||
segments that start with the middle of a Yahoo Messenger packet that
|
||||
takes more than one TCP segment will not be recognized as Yahoo
|
||||
Messenger packets (even if the TCP segment also contains the beginning
|
||||
of another Yahoo Messenger packet).
|
||||
|
||||
Q 5.21: Why do I get the error
|
||||
Q 5.23: Why do I get the error
|
||||
|
||||
Gdk-ERROR **: Palettized display (256-colour) mode not supported on
|
||||
Windows.
|
||||
|
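Review bot: The rewritten Q 5.22 answer now says packets beginning with "YMSG" are recognized, which matches the "Yahoo YMSG Messenger Protocol" entry this patch adds to the supported-protocols list, so the two are consistent. The remaining caveat about TCP segments that start in the middle of a Yahoo Messenger packet describes a missing-reassembly limitation; stating plainly that Yahoo Messenger packets are not reassembled across TCP segments would be more precise than "will not be recognized".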
@ -1271,7 +1294,7 @@
|
|||
to a display mode with more colors; if it doesn't support more than
|
||||
256 colors, you will be unable to run Ethereal.
|
||||
|
||||
Q 5.22: When I capture on Windows in promiscuous mode, I can see
|
||||
Q 5.24: When I capture on Windows in promiscuous mode, I can see
|
||||
packets other than those sent to or from my machine; however, those
|
||||
packets show up with a "Short Frame" indication, unlike packets to or
|
||||
from my machine. What should I do to arrange that I see those packets
|
||||
|
@ -1281,11 +1304,13 @@
|
|||
running on the network interface on which you're capturing; turn it
|
||||
off on that interface.
|
||||
|
||||
Q 5.23: How can I capture raw 802.11 packets, including non-data
|
||||
Q 5.25: How can I capture raw 802.11 packets, including non-data
|
||||
(management, beacon) packets?
|
||||
|
||||
A: The answer to this depends on the operating system on which you're
|
||||
running and the 802.11 interface you're using.
|
||||
A: That would require that your 802.11 interface run in the mode
|
||||
called "monitor mode" or "RFMON mode". Not all operating systems
|
||||
support that and, even on operating systems that do support it, not
|
||||
all drivers, and thus not all cards, support it.
|
||||
|
||||
Cisco Aironet cards:
|
||||
|
||||
|
@ -1299,7 +1324,8 @@
|
|||
On FreeBSD, the ancontrol utility must be used; do not enable the full
|
||||
Aironet header via BPF, as Ethereal doesn't currently support that.
|
||||
|
||||
On Linux, you will need to do
|
||||
On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will
|
||||
need to do
|
||||
|
||||
echo "Mode: rfmon" >/proc/driver/aironet/ethN/Config
|
||||
|
||||
|
@ -1311,60 +1337,88 @@ echo "Mode: y" >/proc/driver/aironet/ethN/Config
|
|||
|
||||
echo "Mode: ess" >/proc/driver/aironet/ethN/Config
|
||||
|
||||
In either case, Ethereal would have to be linked with libpcap 0.7.1 or
|
||||
later; this means that most Ethereal binary packages won't work unless
|
||||
they're statically linked with libpcap 0.7.1 or later, or they're
|
||||
dynamically linked with libpcap and your system has a libpcap 0.7.1 or
|
||||
later shared library installed (note that libpcap source package from
|
||||
tcpdump.org does not build shared libraries).
|
||||
On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers
|
||||
from the airo-linux SourceForge site, you will have to capture on the
|
||||
wifiN interface if your Aironet card is ethN, after running the
|
||||
commands listed above.
|
||||
|
||||
In all of those cases, Ethereal would have to be linked with libpcap
|
||||
0.7.1 or later; this means that most Ethereal binary packages won't
|
||||
work unless they're statically linked with libpcap 0.7.1 or later, or
|
||||
they're dynamically linked with libpcap and your system has a libpcap
|
||||
0.7.1 or later shared library installed (note that libpcap source
|
||||
package from tcpdump.org does not build shared libraries). Some binary
|
||||
packaging mechanisms might make it difficult to install Ethereal
|
||||
binary packages built to depend on older libpcap binary packages if
|
||||
you have a newer libpcap binary package installed; the installer
|
||||
programs for those packaging mechanisms might support disabling
|
||||
dependency checking so that they will install Ethereal even though a
|
||||
newer version of libpcap is installed.
|
||||
|
||||
Cards using the Prism II chip set (see this page of Linux 802.11
|
||||
information for details on wireless cards, including information on
|
||||
the chips they use):
|
||||
|
||||
You can capture raw 802.11 packets with Prism II cards on Linux
|
||||
systems with the 0.1.14-pre1 or later version of the linux-wlan-ng
|
||||
systems with the 0.1.14-pre6 or later version of the linux-wlan-ng
|
||||
drivers (see the linux-wlan page, and the linux-wlan-ng tarball
|
||||
directory), or with Solomon Peachy's patches to the linux-wlan-ng
|
||||
0.1.13 drivers (see the `0132-packet-v71.diff' link on his software
|
||||
page; the patch speaks of 0.1.13-pre2, but appears to apply to 0.1.13
|
||||
as well). If you are using the 0.1.13 drivers, you might also want his
|
||||
`0132-promisc-v23.diff' patch as well; if you are using the
|
||||
0.1.14-pre1 drivers, you might also want his
|
||||
`014p1-promiscfixes-v1.diff' patches - both of those are already in
|
||||
0.1.14-pre2.
|
||||
directory).
|
||||
|
||||
Those require either Solomon's patch to libpcap 0.7.1 (see his
|
||||
`libpcap-0.7.1-prism.diff' file, or his RPMs of that version of
|
||||
Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his
|
||||
libpcap-0.7.1-prism.diff file, or his RPMs of that version of
|
||||
libpcap), or the current CVS version of libpcap, which includes his
|
||||
patch (download it from the `Current Tar files' section of the
|
||||
tcpdump.org Web site).
|
||||
patch (download it from the "Current Tar files" section of the
|
||||
tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and
|
||||
rebuild and install libpcap, or if you build and install the current
|
||||
CVS version of libpcap, you would have to rebuild Ethereal from
|
||||
source, linking it with that new version of libpcap; an Ethereal
|
||||
binary package would not work. Ethereal binary packages might work if
|
||||
you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
|
||||
a libpcap shared library in place of the one on your system.
|
||||
|
||||
You may have to run a command to put the interface into monitor mode,
|
||||
or to change other interface settings.
|
||||
Earlier versions of the linux-wlan-ng drivers don't allow Ethereal to
|
||||
directly capture raw 802.11 packets on Prism II cards; however, on
|
||||
Linux systems with the linux-wlan-ng drivers version 0.1.6, the
|
||||
Prismdump utility can be used to capture packets; it saves packets in
|
||||
a form that Ethereal can read. Prismdump can be downloaded from this
|
||||
page on the developer.axis.com Web site.
|
||||
or to change other interface settings, and you might have to capture
on a wlanN interface rather than a ethN interface, in order to capture
raw 802.11 packets. The interface settings are available in your
wlan-ng.conf file. See the wlan-ng FAQ for additional information.

On other platforms, capturing raw 802.11 packets on Prism II cards is
not currently supported.

Orinoco Silver and Gold cards:

On Linux systems, when using either the orinoco_cs-0.09b driver or the
driver in at least some versions of the Linux kernel, the
`orinoco-09b-packet-1.diff' patch on the Orinoco Monitor Mode Patch
Page should allow you to do capture raw 802.11 packets.
On Linux systems, there are patches on the Orinoco Monitor Mode Patch
Page that should allow you to do capture raw 802.11 packets. You will
have to determine which version of the driver you have, and select the
appropriate patch.

The patch appears to apply to the driver in the 2.4.18 kernel, but we
don't know whether it works; the directions on that page are for the
pcmcia-cs drivers, not for the driver in the kernel itself.
Note that the page indicates that not all versions of the Orinoco
firmware support this patch. The Orinoco patches require Solomon
Peachy's libpcap patches.
firmware support this patch. It says, for some versions of the patch,
"This patch should allow monitor mode with v8.10 firmware (untested w/
8.42);" if you have version 8.10 or later firmware on your Orinoco
cards, you might have to use those patches, with the corresponding
versions of the Orinoco driver, in order to run in monitor mode.

That patch is written for the drivers included with the pcmcia-cs
drivers, but works equally well for the Orinoco drivers provided with
Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,
simply copy the orinoco-09b-patch.diff file to the
/usr/src/linux/drivers/net directory and patch according to the
directions on the Orinoco Monitor Mode Patch Page. You can double-
check the version of the Orinoco drivers that shipped with your kernel
by examining the first few lines of the orinoco.c file.

Te Orinoco patches require either Solomon Peachy's patch to libpcap
0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that
version of libpcap), or the current CVS version of libpcap, which
includes his patch (download it from the "Current Tar files" section
of the tcpdump.org Web site). If you apply his patches to libpcap
0.7.1 and rebuild and install libpcap, or if you build and install the
current CVS version of libpcap, you would have to rebuild Ethereal
from source, linking it with that new version of libpcap; an Ethereal
binary package would not work. Ethereal binary packages might work if
you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
a libpcap shared library in place of the one on your system.

On other platforms, capturing raw 802.11 packets on Orinoco cards is
not currently supported.
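Review bot: "Te Orinoco patches require either Solomon Peachy's patch" in the new paragraph should read "The Orinoco patches require ..."; and "should allow you to do capture raw 802.11 packets", kept from the old text and repeated in the new sentence, should be "should allow you to capture raw 802.11 packets". The new text also refers to "the orinoco-09b-patch.diff file" where the removed text named "orinoco-09b-packet-1.diff"; worth confirming against the Orinoco Monitor Mode Patch Page that the new file name is the one currently published there, since a reader will copy it literally.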
@ -1373,15 +1427,15 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config

With other 802.11 interfaces, no platform allows Ethereal to capture
raw 802.11 packets, as far as we know. If you know of other 802.11
interfaces that are supported (note that there are many `Prism II
cards', so your card might be a Prism II card), please let us know,
interfaces that are supported (note that there are many "Prism II
cards", so your card might be a Prism II card), please let us know,
and include URLs for sites containing any necessary patches to add
this support.

On platforms that don't allow Ethereal to capture raw 802.11 packets,
the 802.11 network will appear like an Ethernet to Ethereal.

Q 5.24: How can I capture packets with CRC errors?
Q 5.26: How can I capture packets with CRC errors?

A: Ethereal can capture only the packets that the packet capture
library - libpcap on UNIX-flavored OSes, and the WinPcap port to
@ -1398,7 +1452,7 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
libpcap and the packet capture program you're using are necessary to
support capturing those packets.

Q 5.25: How can I capture entire frames, including the FCS?
Q 5.27: How can I capture entire frames, including the FCS?

A: Ethereal can't capture any data that the packet capture library -
libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
@ -1418,7 +1472,7 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
not support capturing the FCS of a frame on Ethernet, and probably do
not support it on most other link-layer types.

Q 5.26: Ethereal hangs after I stop a capture.
Q 5.28: Ethereal hangs after I stop a capture.

A: The most likely reason for this is that Ethereal is trying to look
up an IP address in the capture to convert it to a name (so that, for
@ -1449,12 +1503,12 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
lookup to take a long time.

If you disable network address-to-name translation - for example, by
turning off the `Enable network name resolution' option in the `Name
resolution' options in the dialog box you get by selecting
`Preferences' from the `Edit' menu - the lookups of the address won't
turning off the "Enable network name resolution" option in the "Name
resolution" options in the dialog box you get by selecting
"Preferences" from the "Edit" menu - the lookups of the address won't
be done, which may speed up the process of reading the capture file
after the capture is stopped. You can make that setting the default by
using the `Save' button in that dialog box; note that this will save
using the "Save" button in that dialog box; note that this will save
all your current preference settings.

If Ethereal hangs when reading a capture even with network name
@ -1488,7 +1542,7 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
contains sensitive information (e.g., passwords), then please do not
send it.

Q 5.27: How can I search for, or filter, packets that have a
Q 5.29: How can I search for, or filter, packets that have a
particular string anywhere in them?

A: Currently, you can't.
@ -1510,4 +1564,4 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
list.
For corrections/additions/suggestions for this page, please send email
to: ethereal-web[AT]ethereal.com
Last modified: Wed, March 05 2003.
Last modified: Thu, March 20 2003.
352
FAQ.include
@ -49,15 +49,12 @@ const char *faq_part[] = {
"\n"
" when I try to build Ethereal from CVS or a CVS snapshot?\n"
"\n"
" 4.3 The link failed because of an undefined reference to\n"
" snmp_set_full_objid.\n"
"\n"
" 4.4 The link fails with a number of \"Output line too long.\" messages\n"
" 4.3 The link fails with a number of \"Output line too long.\" messages\n"
" followed by linker errors. \n"
"\n"
" 4.5 The link fails on Solaris because plugin_list is undefined. \n"
" 4.4 The link fails on Solaris because plugin_list is undefined. \n"
"\n"
" 4.6 The build fails on Windows because of conflicts between winsock.h\n"
" 4.5 The build fails on Windows because of conflicts between winsock.h\n"
" and winsock2.h. \n"
"\n"
" Using Ethereal:\n"
@ -70,65 +67,69 @@ const char *faq_part[] = {
" machine, even though another sniffer on the network sees those\n"
" packets.\n"
"\n"
" 5.3 I can set a display filter just fine, but capture filters don't\n"
" 5.3 I'm only seeing ARP packets when I try to capture traffic.\n"
"\n"
" 5.4 How do I put an interface into promiscuous mode?\n"
"\n"
" 5.5 I can set a display filter just fine, but capture filters don't\n"
" work.\n"
"\n"
" 5.4 I'm entering valid capture filters, but I still get \"parse error\"\n"
" 5.6 I'm entering valid capture filters, but I still get \"parse error\"\n"
" errors.\n"
"\n"
" 5.5 I saved a filter and tried to use its name to filter the display,\n"
" 5.7 I saved a filter and tried to use its name to filter the display,\n"
" but I got an \"Unexpected end of filter string\" error.\n"
"\n"
" 5.6 Why am I seeing lots of packets with incorrect TCP checksums?\n"
" 5.8 Why am I seeing lots of packets with incorrect TCP checksums?\n"
"\n"
" 5.7 I've just installed Ethereal, and the traffic on my local LAN is\n"
" 5.9 I've just installed Ethereal, and the traffic on my local LAN is\n"
" boring.\n"
"\n"
" 5.8 When I run Ethereal on Solaris 8, it dies with a Bus Error when I\n"
" 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I\n"
" start it.\n"
"\n"
" 5.9 I'm running Ethereal on Linux; why do my time stamps have only\n"
" 5.11 I'm running Ethereal on Linux; why do my time stamps have only\n"
" 100ms resolution, rather than 1us resolution?\n"
"\n"
" 5.10 I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
" 5.12 I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
" why are the time stamps on packets wrong? \n"
"\n"
" 5.11 When I try to run Ethereal on Windows, it fails to run because it\n"
" 5.13 When I try to run Ethereal on Windows, it fails to run because it\n"
" can't find packet.dll.\n"
"\n"
" 5.12 Why does some network interface on my machine not show up in the\n"
" 5.14 Why does some network interface on my machine not show up in the\n"
" list of interfaces in the \"Interface:\" field in the dialog box popped\n"
" up by \"Capture->Start\", and/or why does Ethereal give me an error if I\n"
" try to capture on that interface? \n"
"\n"
" 5.13 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has\n"
" 5.15 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has\n"
" a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the\n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no\n"
" packets be sent on or received from that network while I'm trying to\n"
" capture traffic on that interface?\n"
"\n"
" 5.14 I'm running Ethereal on Windows 95/98/Me, on a machine with more\n"
" 5.16 I'm running Ethereal on Windows 95/98/Me, on a machine with more\n"
" than one network adapter of the same type; Ethereal shows all of those\n"
" adapters with the same name, but I can't use any of those adapters\n"
" other than the first one.\n"
"\n"
" 5.15 I have an XXX network card on my machine; if I try to capture on\n"
" 5.17 I have an XXX network card on my machine; if I try to capture on\n"
" it, my machine crashes or resets itself. \n"
"\n"
" 5.16 My machine crashes or resets itself when I select \"Start\" from\n"
" 5.18 My machine crashes or resets itself when I select \"Start\" from\n"
" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n"
"\n"
" 5.17 Does Ethereal work on Windows ME? \n"
" 5.19 Does Ethereal work on Windows ME? \n"
"\n"
" 5.18 Does Ethereal work on Windows XP? \n"
" 5.20 Does Ethereal work on Windows XP? \n"
"\n"
" 5.19 Why doesn't Ethereal correctly identify RTP packets? It shows\n"
" 5.21 Why doesn't Ethereal correctly identify RTP packets? It shows\n"
" them only as UDP.\n"
"\n"
" 5.20 Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
" 5.22 Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
" that contain Yahoo Messenger traffic?\n"
"\n"
" 5.21 Why do I get the error \n"
" 5.23 Why do I get the error \n"
"\n"
" Gdk-ERROR **: Palettized display (256-colour) mode not supported on\n"
" Windows.\n"
@ -136,22 +137,22 @@ const char *faq_part[] = {
"\n"
" when I try to run Ethereal on Windows?\n"
"\n"
" 5.22 When I capture on Windows in promiscuous mode, I can see packets\n"
" 5.24 When I capture on Windows in promiscuous mode, I can see packets\n"
" other than those sent to or from my machine; however, those packets\n"
" show up with a \"Short Frame\" indication, unlike packets to or from my\n"
" machine. What should I do to arrange that I see those packets in their\n"
" entirety? \n"
"\n"
" 5.23 How can I capture raw 802.11 packets, including non-data\n"
" 5.25 How can I capture raw 802.11 packets, including non-data\n"
" (management, beacon) packets? \n"
"\n"
" 5.24 How can I capture packets with CRC errors? \n"
" 5.26 How can I capture packets with CRC errors? \n"
"\n"
" 5.25 How can I capture entire frames, including the FCS? \n"
" 5.27 How can I capture entire frames, including the FCS? \n"
"\n"
" 5.26 Ethereal hangs after I stop a capture. \n"
" 5.28 Ethereal hangs after I stop a capture. \n"
"\n"
" 5.27 How can I search for, or filter, packets that have a particular\n"
" 5.29 How can I search for, or filter, packets that have a particular\n"
" string anywhere in them? \n"
"\n"
" GENERAL QUESTIONS \n"
@ -163,7 +164,7 @@ const char *faq_part[] = {
"\n"
" Q 1.2: What protocols are currently supported?\n"
"\n"
" A: There are currently 355 supported protocols and media, listed\n"
" A: There are currently 366 supported protocols and media, listed\n"
" below. Descriptions can be found in the ethereal(1) man page.\n"
"\n"
" 802.1q Virtual LAN\n"
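Review bot: The count change from 355 to 366 checks out against the protocol-list hunks that follow: their headers add a net 11 lines (+2, +1, +1, +1, +1, +1, +1, +2, +1 from @ -281 through @ -516, with the @ -250 hunk a one-for-one replacement and the extra lines in @ -389 being the moved string-array separator), so the new total is consistent with the entries actually added rather than a hand-typed guess.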
@ -250,11 +251,11 @@ const char *faq_part[] = {
" Distance Vector Multicast Routing Protocol\n"
" Distributed Checksum Clearinghouse Prototocl\n"
" Domain Name Service\n"
" Dummy Protocol\n"
" Dynamic DNS Tools Protocol\n"
" Encapsulating Security Payload\n"
" Enhanced Interior Gateway Routing Protocol\n"
" Ethernet\n"
" Ethernet over IP\n"
" Extensible Authentication Protocol\n"
" FC Extended Link Svc\n"
" FC Fabric Configuration Server\n"
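Review bot: "Distributed Checksum Clearinghouse Prototocl" in the context at the top of this hunk misspells "Protocol". It is not part of this change, but since this list is a copy of the protocol names as registered, the fix belongs at the source of that name so it does not come back the next time FAQ.include is regenerated, rather than being patched only here.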
@ -281,6 +282,8 @@ const char *faq_part[] = {
" Generic Routing Encapsulation\n"
" Generic Security Service Application Program Interface\n"
" Gnutella Protocol\n"
" HP Extended Local-Link Control\n"
" HP Remote Maintenance Protocol\n"
" Hummingbird NFS Daemon\n"
" HyperSCSI\n"
" Hypertext Transfer Protocol\n"
@ -336,6 +339,7 @@ const char *faq_part[] = {
" MDS Header\n"
" MMS Message Encapsulation\n"
" MS Proxy Protocol\n"
" MSN Messenger Service\n"
" MSNIP: Multicast Source Notification of Interest Protocol\n"
" MTP 2 Transparent Proxy\n"
" MTP 2 User Adaptation Layer\n"
@ -359,6 +363,7 @@ const char *faq_part[] = {
" Microsoft Windows Logon Protocol\n"
" Microsoft Workstation Service\n"
" Mobile IP\n"
" Mobile IPv6\n"
" Modbus/TCP\n"
" Mount Service\n"
" MultiProtocol Label Switching Header\n"
@ -389,18 +394,19 @@ const char *faq_part[] = {
" Novell Distributed Print System\n"
" Null/Loopback\n"
" Open Shortest Path First\n"
" OpenBSD Encapsulating device\n"
" OpenBSD Packet Filter log file\n"
" PC NFS\n"
" PPP Bandwidth Allocation Control Protocol\n"
" PPP Bandwidth Allocation Protocol\n"
,

" PPP CDP Control Protocol\n"
" PPP Callback Control Protocol\n"
" PPP Challenge Handshake Authentication Protocol\n"
" PPP Compressed Datagram\n"
" PPP Compression Control Protocol\n"
" PPP IP Control Protocol\n"
,

" PPP IPv6 Control Protocol\n"
" PPP Link Control Protocol\n"
" PPP MPLS Control Protocol\n"
@ -430,6 +436,7 @@ const char *faq_part[] = {
" RIPng\n"
" RPC Browser\n"
" RSTAT\n"
" RSYNC File Synchroniser\n"
" RX Protocol\n"
" Radio Access Network Application Part\n"
" Radius Protocol\n"
@ -462,6 +469,7 @@ const char *faq_part[] = {
" SPRAY\n"
" SS7 SCCP-User Adaptation Layer\n"
" SSCOP\n"
" SSH Protocol\n"
" Secure Socket Layer\n"
" Sequenced Packet eXchange\n"
" Service Advertisement Protocol\n"
@ -484,6 +492,7 @@ const char *faq_part[] = {
" Synchronous Data Link Control (SDLC)\n"
" Syslog message\n"
" Systems Network Architecture\n"
" Systems Network Architecture XID\n"
" TACACS\n"
" TACACS+\n"
" TPKT\n"
@ -501,7 +510,9 @@ const char *faq_part[] = {
" User Datagram Protocol\n"
" Virtual Router Redundancy Protocol\n"
" Virtual Trunking Protocol\n"
" WAP Binary XML\n"
" Web Cache Coordination Protocol\n"
" Wellfleet Breath of Life\n"
" Wellfleet Compression\n"
" Wellfleet HDLC\n"
" Who\n"
@ -516,6 +527,7 @@ const char *faq_part[] = {
" X11\n"
" Xyplex\n"
" Yahoo Messenger Protocol\n"
" Yahoo YMSG Messenger Protocol\n"
" Yellow Pages Bind\n"
" Yellow Pages Passwd\n"
" Yellow Pages Service\n"
@ -671,28 +683,7 @@ const char *faq_part[] = {
" machine). There is a bug in that version of automake that causes this\n"
" problem; upgrade to a later version of automake (1.6 or later).\n"
"\n"
" Q 4.3: The link failed because of an undefined reference to\n"
" snmp_set_full_objid.\n"
"\n"
" A: You probably have the shared library for UCD SNMP 4.1.1 installed\n"
" (so that snmp_set_full_objid is a macro, rather than a routine in the\n"
" SNMP shared library), but the `development' package for an earlier or\n"
" later UCD SNMP library (so that snmp_set_full_objid is not defined as\n"
" a macro, causing Ethereal to attempt to call it as a routine).\n"
"\n"
" If you are on a Linux system that uses RPMs, and the UCD SNMP packages\n"
" are installed as RPMs, the command rpm -qa | grep snmp will report the\n"
" versions of the SNMP packages you have installed; they should all have\n"
" the same version number, such as 4.0.1 or 4.1.1 or 4.1.2. If they\n"
" don't, remove the RPM for the development package (which will probably\n"
" have a name beginning with ucd-snmp-devel) and install the version of\n"
" the development package with the same version number as the other\n"
" ucd-snmp packages have.\n"
"\n"
" After installing the 4.1.1 version of the UCD SNMP header files, do a\n"
" make clean and then rebuild Ethereal.\n"
"\n"
" Q 4.4: The link fails with a number of \"Output line too long.\"\n"
" Q 4.3: The link fails with a number of \"Output line too long.\"\n"
" messages followed by linker errors. \n"
"\n"
" A: The version of the sed command on your system is incapable of\n"
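Review bot: Dropping the snmp_set_full_objid entry removes the only guidance in the FAQ on a mismatched ucd-snmp / ucd-snmp-devel RPM pair (the "rpm -qa | grep snmp" check and the advice to install the devel package with the same version number). If the question is gone because the header/library mismatch can no longer occur with the UCD SNMP versions Ethereal now builds against, a one-line note to that effect in the change would help; otherwise it may be worth keeping the RPM version check under the Solaris/Windows build questions.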
@ -707,7 +698,7 @@ const char *faq_part[] = {
" searching the directory with the version of sed that came with the OS\n"
" should make the problem go away.\n"
"\n"
" Q 4.5: The link fails on Solaris because plugin_list is undefined. \n"
" Q 4.4: The link fails on Solaris because plugin_list is undefined. \n"
"\n"
" A: This appears to be due to a problem with some versions of the GTK+\n"
" and GLib packages from www.sunfreeware.org; un-install those packages,\n"
@ -720,7 +711,7 @@ const char *faq_part[] = {
" persists, un-install them and try installing one of the other versions\n"
" mentioned.)\n"
"\n"
" Q 4.6: The build fails on Windows because of conflicts between\n"
" Q 4.5: The build fails on Windows because of conflicts between\n"
" winsock.h and winsock2.h. \n"
"\n"
" A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and\n"
@ -764,9 +755,9 @@ const char *faq_part[] = {
" this. See, for example:\n"
" * this documentation from Cisco on the Switched Port Analyzer (SPAN)\n"
" feature on Catalyst switches;\n"
" * documentation from HP on how to set `monitoring'/`mirroring' on\n"
" * documentation from HP on how to set \"monitoring\"/\"mirroring\" on\n"
" ports on the console for HP Advancestack Switch 208 and 224;\n"
" * the `Network Monitoring Port Features' section of chapter 6 of\n"
" * the \"Network Monitoring Port Features\" section of chapter 6 of\n"
" documentation from HP for HP ProCurve Switches 1600M, 2424M,\n"
" 4000M, and 8000M.\n"
"\n"
@ -801,8 +792,6 @@ const char *faq_part[] = {
" off in the \"Capture Options\" dialog box, and Tethereal will try to put\n"
" the interface on which it's capturing into promiscuous mode unless the\n"
" -p option was specified. However, some network interfaces don't\n"
,

" support promiscuous mode, and some OSes might not allow interfaces to\n"
" be put into promiscuous mode.\n"
"\n"
@ -812,6 +801,8 @@ const char *faq_part[] = {
" address the interface is set up to receive.\n"
"\n"
" You should ask the vendor of your network interface whether it\n"
,

" supports promiscuous mode. If it does, you should ask whoever supplied\n"
" the driver for the interface (the vendor, or the supplier of the OS\n"
" you're running on your machine) whether it supports promiscuous mode\n"
@ -820,7 +811,10 @@ const char *faq_part[] = {
" In the case of token ring interfaces, the drivers for some of them, on\n"
" Windows, may require you to enable promiscuous mode in order to\n"
" capture in promiscuous mode. Ask the vendor of the card how to do\n"
" this.\n"
" this, or see, for example, this information on promiscuous mode on\n"
" some Madge token ring adapters (note that those cards can have\n"
" promiscuous mode disabled permanently, in which case you can't enable\n"
" it).\n"
"\n"
" In the case of wireless LAN interfaces, it appears that, when those\n"
" interfaces are promiscuously sniffing, they're running in a\n"
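Review bot: "this information on promiscuous mode on some Madge token ring adapters" is a link anchor whose target does not survive in this plain-text rendering, so a reader of FAQ.include has no way to find the document being pointed at. The earlier "see, for example" references in this file have the same problem, but this hunk adds a new one; consider putting the URL in parentheses after the phrase in the text version.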
@ -851,10 +845,42 @@ const char *faq_part[] = {
" traffic, it's a problem with unicast traffic, as you also won't see\n"
" all UDP traffic between other machines.\n"
"\n"
" I.e., this is probably the same problem discussed in the previous\n"
" question; see the response to that question.\n"
" I.e., this is probably the same question as this earlier one; see the\n"
" response to that question.\n"
"\n"
" Q 5.3: I can set a display filter just fine, but capture filters don't\n"
" Q 5.3: I'm only seeing ARP packets when I try to capture traffic.\n"
"\n"
" A: You're probably on a switched network, and running Ethereal on a\n"
" machine that's not sending traffic to the switch and not being sent\n"
" any traffic from other machines on the switch. ARP packets are often\n"
" broadcast packets, which are sent to all switch ports.\n"
"\n"
" I.e., this is probably the same question as this earlier one; see the\n"
" response to that question.\n"
"\n"
" Q 5.4: How do I put an interface into promiscuous mode?\n"
"\n"
" A: By not disabling promiscuous mode when running Ethereal or\n"
" Tethereal.\n"
"\n"
" Note, however, that:\n"
" * the form of promiscuous mode that libpcap (the library that\n"
" programs such as tcpdump, Ethereal, etc. use to do packet capture)\n"
" turns on will not necessarily be shown if you run ifconfig on the\n"
" interface on a UNIX system;\n"
" * some network interfaces might not support promiscuous mode, and\n"
" some drivers might not allow promiscuous mode to be turned on -\n"
" see this earlier question for more information on that;\n"
" * the fact that you're not seeing any traffic, or are only seeing\n"
" broadcast traffic, or aren't seeing any non-broadcast traffic\n"
" other than traffic to or from the machine running Ethereal, does\n"
" not mean that promiscuous mode isn't on - see this earlier\n"
" question for more information on that.\n"
"\n"
" I.e., this is probably the same question as this earlier one; see the\n"
" response to that question.\n"
"\n"
" Q 5.5: I can set a display filter just fine, but capture filters don't\n"
" work.\n"
"\n"
" A: Capture filters currently use a different syntax than display\n"
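Review bot: The paragraph "I.e., this is probably the same question as this earlier one; see the response to that question." that closes the new Q 5.4 answer looks like a copy-paste leftover from Q 5.3: Q 5.4 ("How do I put an interface into promiscuous mode?") is not a restatement of an earlier question, and the bullet list already carries its own "see this earlier question" pointers, so that closing paragraph should be dropped. While here, the one-sentence answer "By not disabling promiscuous mode when running Ethereal or Tethereal" would be more useful if it named the controls the way the earlier answer does: the promiscuous-mode setting in the "Capture Options" dialog box, and not passing the -p option to Tethereal.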
@ -874,7 +900,7 @@ const char *faq_part[] = {
" The capture filter syntax used by libpcap can be found in the\n"
" tcpdump(8) man page.\n"
"\n"
" Q 5.4: I'm entering valid capture filters, but I still get \"parse\n"
" Q 5.6: I'm entering valid capture filters, but I still get \"parse\n"
" error\" errors.\n"
"\n"
" A: There is a bug in some versions of libpcap/WinPcap that cause it to\n"
@ -906,7 +932,7 @@ const char *faq_part[] = {
" WinPcap, you will need to un-install WinPcap and then download and\n"
" install WinPcap 2.3.\n"
"\n"
" Q 5.5: I saved a filter and tried to use its name to filter the\n"
" Q 5.7: I saved a filter and tried to use its name to filter the\n"
" display, but I got an \"Unexpected end of filter string\" error.\n"
"\n"
" A: You cannot use the name of a saved display filter as a filter. To\n"
@ -917,7 +943,7 @@ const char *faq_part[] = {
" use a saved filter, you can press the \"Filter:\" button, select the\n"
" filter in the dialog box that pops up, and press the \"OK\" button.\n"
"\n"
" Q 5.6: Why am I seeing lots of packets with incorrect TCP checksums?\n"
" Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums?\n"
"\n"
" A: If the packets that have incorrect TCP checksums are all being sent\n"
" by the machine on which Ethereal is running, this is probably because\n"
@ -949,14 +975,14 @@ const char *faq_part[] = {
" tcp.check_checksum:false command-line flag, or manually set in your\n"
" preferences file by adding a tcp.check_checksum:false line.\n"
"\n"
" Q 5.7: I've just installed Ethereal, and the traffic on my local LAN\n"
" Q 5.9: I've just installed Ethereal, and the traffic on my local LAN\n"
" is boring.\n"
"\n"
" A: We have a collection of strange and exotic sample capture files at\n"
" http://www.ethereal.com/sample/\n"
"\n"
" Q 5.8: When I run Ethereal on Solaris 8, it dies with a Bus Error when\n"
" I start it.\n"
" Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error\n"
" when I start it.\n"
"\n"
" A: Some versions of the GTK+ library from www.sunfreeware.org appear\n"
" to be buggy, causing Ethereal to drop core with a Bus Error.\n"
@ -973,7 +999,7 @@ const char *faq_part[] = {
" Similar problems may exist with older versions of GTK+ for earlier\n"
" versions of Solaris.\n"
"\n"
" Q 5.9: I'm running Ethereal on Linux; why do my time stamps have only\n"
" Q 5.11: I'm running Ethereal on Linux; why do my time stamps have only\n"
" 100ms resolution, rather than 1us resolution?\n"
"\n"
" A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap\n"
@ -999,16 +1025,16 @@ const char *faq_part[] = {
" have to run a standard kernel from kernel.org in order to get\n"
" high-resolution time stamps.\n"
"\n"
" Q 5.10: I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
" Q 5.12: I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
" why are the time stamps on packets wrong? \n"
"\n"
" A: This is due to a bug in WinPcap. The bug should be fixed in the\n"
" WinPcap 3.0 alpha release - note that it's an alpha release, so it may\n"
" WinPcap 3.0 beta release - note that it's an beta release, so it may\n"
" be buggier than the current production release of WinPcap; please\n"
" report those bugs to the WinPcap developers, and help them try to\n"
" track down the problem, so that they can fix it for the final release.\n"
"\n"
" Q 5.11: When I try to run Ethereal on Windows, it fails to run because\n"
" Q 5.13: When I try to run Ethereal on Windows, it fails to run because\n"
" it can't find packet.dll.\n"
"\n"
" A: In older versions of Ethereal, there were two binary distributions\n"
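Review bot: "note that it's an beta release" in the rewritten WinPcap sentence should be "note that it's a beta release"; the article was correct for "alpha" and was not adjusted when the word changed.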
@ -1025,7 +1051,7 @@ const char *faq_part[] = {
" Web site, the local mirror of the WinPcap Web site, or the\n"
" Wiretapped.net mirror of the WinPcap site.\n"
"\n"
" Q 5.12: Why does some network interface on my machine not show up in\n"
" Q 5.14: Why does some network interface on my machine not show up in\n"
" the list of interfaces in the \"Interface:\" field in the dialog box\n"
" popped up by \"Capture->Start\", and/or why does Ethereal give me an\n"
" error if I try to capture on that interface? \n"
@ -1150,7 +1176,7 @@ const char *faq_part[] = {
" details of the problem, as described above, and also indicate that the\n"
" problem occurs with tcpdump/WinDump, not just with Ethereal.\n"
"\n"
" Q 5.13: I'm running Ethereal on Windows NT/2000/XP/Server; my machine\n"
" Q 5.15: I'm running Ethereal on Windows NT/2000/XP/Server; my machine\n"
" has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the\n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no\n"
" packets be sent on or received from that network while I'm trying to\n"
@ -1164,7 +1190,7 @@ const char *faq_part[] = {
" Preferences\" dialog box, but this may mean that outgoing packets, or\n"
" incoming packets, won't be seen in the capture.\n"
"\n"
" Q 5.14: I'm running Ethereal on Windows 95/98/Me, on a machine with\n"
" Q 5.16: I'm running Ethereal on Windows 95/98/Me, on a machine with\n"
" more than one network adapter of the same type; Ethereal shows all of\n"
" those adapters with the same name, but I can't use any of those\n"
" adapters other than the first one.\n"
@ -1175,8 +1201,10 @@ const char *faq_part[] = {
" capture only on the first such interface; Ethereal is a\n"
" libpcap/WinPcap-based application.\n"
"\n"
" Q 5.15: I have an XXX network card on my machine; if I try to capture\n"
" Q 5.17: I have an XXX network card on my machine; if I try to capture\n"
" on it, my machine crashes or resets itself. \n"
,

"\n"
" A: This is almost certainly a problem with one or more of:\n"
" * the operating system you're using;\n"
@ -1193,7 +1221,7 @@ const char *faq_part[] = {
" Linux distribution, report the problem to whoever produces the\n"
" distribution).\n"
"\n"
" Q 5.16: My machine crashes or resets itself when I select \"Start\" from\n"
" Q 5.18: My machine crashes or resets itself when I select \"Start\" from\n"
" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n"
"\n"
" A: Both of those operations cause Ethereal to try to build a list of\n"
@ -1202,22 +1230,20 @@ const char *faq_part[] = {
|
|||
" or, for Windows, WinPcap bug that causes the system to crash when this\n"
|
||||
" happens; see the previous question.\n"
|
||||
"\n"
|
||||
" Q 5.17: Does Ethereal work on Windows ME? \n"
|
||||
,
|
||||
|
||||
" Q 5.19: Does Ethereal work on Windows ME? \n"
|
||||
"\n"
|
||||
" A: Yes, but if you want to capture packets, you will need to install\n"
|
||||
" the latest version of WinPcap, as 2.02 and earlier versions of WinPcap\n"
|
||||
" didn't support Windows ME. You should also install the latest version\n"
|
||||
" of Ethereal as well.\n"
|
||||
"\n"
|
||||
" Q 5.18: Does Ethereal work on Windows XP? \n"
|
||||
" Q 5.20: Does Ethereal work on Windows XP? \n"
|
||||
"\n"
|
||||
" A: Yes, but if you want to capture packets, you will need to install\n"
|
||||
" the latest version of WinPcap, as 2.2 and earlier versions of WinPcap\n"
|
||||
" didn't support Windows XP.\n"
|
||||
"\n"
|
||||
" Q 5.19: Why doesn't Ethereal correctly identify RTP packets? It shows\n"
" Q 5.21: Why doesn't Ethereal correctly identify RTP packets? It shows\n"
" them only as UDP.\n"
"\n"
" A: Ethereal can identify a UDP datagram as containing a packet of a\n"
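Review bot: the new part separator `,` lands directly after "Q 5.19: Does Ethereal work on Windows ME? \n", which splits that entry between its question line and its answer. If the parts are ever rendered with anything between them, or one at a time, the question is orphaned from its answer; breaking at the preceding "\n" blank line instead keeps each part self-contained at no cost.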
@ -1250,20 +1276,17 @@ const char *faq_part[] = {
" both the source and destination ports of the packet should be\n"
" dissected as some particular protocol.\n"
"\n"
" Q 5.20: Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
" Q 5.22: Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
" that contain Yahoo Messenger traffic?\n"
"\n"
" A: Ethereal only recognizes as Yahoo Messenger traffic packets to or\n"
" from TCP port 3050 that begin with \"YPNS\" or \"YHOO\". This means that\n"
" 1. TCP segments that start with the middle of a Yahoo Messenger\n"
" packet that takes more than one TCP segment will not be recognized\n"
" as Yahoo Messenger packets (even if the TCP segment also contains\n"
" the beginning of another Yahoo Messenger packet);\n"
" 2. Yahoo Messenger packets that begin with \"YMSG\", as packets for\n"
" some versions of the protocol apparently do, will not be\n"
" recognized as Yahoo Messenger packets.\n"
" from TCP port 3050 that begin with \"YPNS\", \"YHOO\", or \"YMSG\". TCP\n"
" segments that start with the middle of a Yahoo Messenger packet that\n"
" takes more than one TCP segment will not be recognized as Yahoo\n"
" Messenger packets (even if the TCP segment also contains the beginning\n"
" of another Yahoo Messenger packet).\n"
"\n"
" Q 5.21: Why do I get the error \n"
" Q 5.23: Why do I get the error \n"
"\n"
" Gdk-ERROR **: Palettized display (256-colour) mode not supported on\n"
" Windows.\n"
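Review bot: the Yahoo Messenger answer now states that packets beginning with "YMSG" are recognized and drops the old item 2 that said they were not; that is only accurate if the dissector actually accepts "YMSG" on TCP port 3050, so confirm this text change is paired with (or follows) the dissector change, otherwise the FAQ and the code disagree. The remaining caveat about TCP segments that start in the middle of a Yahoo Messenger packet is kept, which is right, since the FAQ makes no claim of reassembly.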
@ -1278,7 +1301,7 @@ const char *faq_part[] = {
" to a display mode with more colors; if it doesn't support more than\n"
" 256 colors, you will be unable to run Ethereal.\n"
"\n"
" Q 5.22: When I capture on Windows in promiscuous mode, I can see\n"
" Q 5.24: When I capture on Windows in promiscuous mode, I can see\n"
" packets other than those sent to or from my machine; however, those\n"
" packets show up with a \"Short Frame\" indication, unlike packets to or\n"
" from my machine. What should I do to arrange that I see those packets\n"
@ -1288,11 +1311,13 @@ const char *faq_part[] = {
" running on the network interface on which you're capturing; turn it\n"
" off on that interface.\n"
"\n"
" Q 5.23: How can I capture raw 802.11 packets, including non-data\n"
" Q 5.25: How can I capture raw 802.11 packets, including non-data\n"
" (management, beacon) packets? \n"
"\n"
" A: The answer to this depends on the operating system on which you're\n"
" running and the 802.11 interface you're using.\n"
" A: That would require that your 802.11 interface run in the mode\n"
" called \"monitor mode\" or \"RFMON mode\". Not all operating systems\n"
" support that and, even on operating systems that do support it, not\n"
" all drivers, and thus not all cards, support it.\n"
"\n"
" Cisco Aironet cards:\n"
"\n"
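Review bot: the rewritten opening introduces the terms "monitor mode" and "RFMON mode", but the Aironet instructions that follow use the driver's own spelling, `Mode: rfmon`, without saying that it is the same mode; one clause tying the two together saves the reader a guess. It would also help to state that a card in monitor mode stops acting as a normal station on its network, which is the reason the later `echo "Mode: ess"` command is needed to return it to normal operation.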
@ -1306,7 +1331,8 @@ const char *faq_part[] = {
" On FreeBSD, the ancontrol utility must be used; do not enable the full\n"
" Aironet header via BPF, as Ethereal doesn't currently support that.\n"
"\n"
" On Linux, you will need to do\n"
" On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will\n"
" need to do\n"
"\n"
"echo \"Mode: rfmon\" >/proc/driver/aironet/ethN/Config\n"
"\n"
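Review bot: the new qualifier "with the driver in the 2.4.6 through 2.4.19 kernel" narrows the /proc/driver/aironet/ethN/Config procedure, but the text says nothing about kernels older than 2.4.6; a short "not supported on earlier drivers" sentence would close that gap, since the 2.4.20 case is covered separately in the next hunk. Writing to /proc/driver/aironet/ethN/Config also requires root, and the answer should say so: a reader who runs the echo as an unprivileged user gets a permission error and no explanation.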
@ -1318,60 +1344,88 @@ const char *faq_part[] = {
"\n"
"echo \"Mode: ess\" >/proc/driver/aironet/ethN/Config\n"
"\n"
" In either case, Ethereal would have to be linked with libpcap 0.7.1 or\n"
" later; this means that most Ethereal binary packages won't work unless\n"
" they're statically linked with libpcap 0.7.1 or later, or they're\n"
" dynamically linked with libpcap and your system has a libpcap 0.7.1 or\n"
" later shared library installed (note that libpcap source package from\n"
" tcpdump.org does not build shared libraries).\n"
" On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers\n"
" from the airo-linux SourceForge site, you will have to capture on the\n"
" wifiN interface if your Aironet card is ethN, after running the\n"
" commands listed above.\n"
"\n"
" In all of those cases, Ethereal would have to be linked with libpcap\n"
" 0.7.1 or later; this means that most Ethereal binary packages won't\n"
" work unless they're statically linked with libpcap 0.7.1 or later, or\n"
" they're dynamically linked with libpcap and your system has a libpcap\n"
" 0.7.1 or later shared library installed (note that libpcap source\n"
" package from tcpdump.org does not build shared libraries). Some binary\n"
" packaging mechanisms might make it difficult to install Ethereal\n"
" binary packages built to depend on older libpcap binary packages if\n"
" you have a newer libpcap binary package installed; the installer\n"
" programs for those packaging mechanisms might support disabling\n"
" dependency checking so that they will install Ethereal even though a\n"
" newer version of libpcap is installed.\n"
"\n"
" Cards using the Prism II chip set (see this page of Linux 802.11\n"
" information for details on wireless cards, including information on\n"
" the chips they use):\n"
"\n"
" You can capture raw 802.11 packets with Prism II cards on Linux\n"
" systems with the 0.1.14-pre1 or later version of the linux-wlan-ng\n"
" systems with the 0.1.14-pre6 or later version of the linux-wlan-ng\n"
" drivers (see the linux-wlan page, and the linux-wlan-ng tarball\n"
" directory), or with Solomon Peachy's patches to the linux-wlan-ng\n"
" 0.1.13 drivers (see the `0132-packet-v71.diff' link on his software\n"
" page; the patch speaks of 0.1.13-pre2, but appears to apply to 0.1.13\n"
" as well). If you are using the 0.1.13 drivers, you might also want his\n"
" `0132-promisc-v23.diff' patch as well; if you are using the\n"
" 0.1.14-pre1 drivers, you might also want his\n"
" `014p1-promiscfixes-v1.diff' patches - both of those are already in\n"
" 0.1.14-pre2.\n"
" directory).\n"
"\n"
" Those require either Solomon's patch to libpcap 0.7.1 (see his\n"
" `libpcap-0.7.1-prism.diff' file, or his RPMs of that version of\n"
" Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his\n"
" libpcap-0.7.1-prism.diff file, or his RPMs of that version of\n"
" libpcap), or the current CVS version of libpcap, which includes his\n"
" patch (download it from the `Current Tar files' section of the\n"
" tcpdump.org Web site).\n"
" patch (download it from the \"Current Tar files\" section of the\n"
" tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and\n"
" rebuild and install libpcap, or if you build and install the current\n"
" CVS version of libpcap, you would have to rebuild Ethereal from\n"
" source, linking it with that new version of libpcap; an Ethereal\n"
" binary package would not work. Ethereal binary packages might work if\n"
" you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install\n"
" a libpcap shared library in place of the one on your system.\n"
"\n"
" You may have to run a command to put the interface into monitor mode,\n"
" or to change other interface settings.\n"
" Earlier versions of the linux-wlan-ng drivers don't allow Ethereal to\n"
" directly capture raw 802.11 packets on Prism II cards; however, on\n"
" Linux systems with the linux-wlan-ng drivers version 0.1.6, the\n"
" Prismdump utility can be used to capture packets; it saves packets in\n"
" a form that Ethereal can read. Prismdump can be downloaded from this\n"
" page on the developer.axis.com Web site.\n"
" or to change other interface settings, and you might have to capture\n"
" on a wlanN interface rather than a ethN interface, in order to capture\n"
" raw 802.11 packets. The interface settings are available in your\n"
" wlan-ng.conf file. See the wlan-ng FAQ for additional information.\n"
"\n"
" On other platforms, capturing raw 802.11 packets on Prism II cards is\n"
" not currently supported.\n"
"\n"
" Orinoco Silver and Gold cards:\n"
"\n"
" On Linux systems, when using either the orinoco_cs-0.09b driver or the\n"
" driver in at least some versions of the Linux kernel, the\n"
" `orinoco-09b-packet-1.diff' patch on the Orinoco Monitor Mode Patch\n"
" Page should allow you to do capture raw 802.11 packets.\n"
" On Linux systems, there are patches on the Orinoco Monitor Mode Patch\n"
" Page that should allow you to do capture raw 802.11 packets. You will\n"
" have to determine which version of the driver you have, and select the\n"
" appropriate patch.\n"
"\n"
" The patch appears to apply to the driver in the 2.4.18 kernel, but we\n"
" don't know whether it works; the directions on that page are for the\n"
" pcmcia-cs drivers, not for the driver in the kernel itself.\n"
" Note that the page indicates that not all versions of the Orinoco\n"
" firmware support this patch. The Orinoco patches require Solomon\n"
" Peachy's libpcap patches.\n"
" firmware support this patch. It says, for some versions of the patch,\n"
" \"This patch should allow monitor mode with v8.10 firmware (untested w/\n"
" 8.42);\" if you have version 8.10 or later firmware on your Orinoco\n"
" cards, you might have to use those patches, with the corresponding\n"
" versions of the Orinoco driver, in order to run in monitor mode.\n"
"\n"
" That patch is written for the drivers included with the pcmcia-cs\n"
" drivers, but works equally well for the Orinoco drivers provided with\n"
" Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,\n"
" simply copy the orinoco-09b-patch.diff file to the\n"
" /usr/src/linux/drivers/net directory and patch according to the\n"
" directions on the Orinoco Monitor Mode Patch Page. You can double-\n"
" check the version of the Orinoco drivers that shipped with your kernel\n"
" by examining the first few lines of the orinoco.c file.\n"
"\n"
" Te Orinoco patches require either Solomon Peachy's patch to libpcap\n"
" 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that\n"
" version of libpcap), or the current CVS version of libpcap, which\n"
" includes his patch (download it from the \"Current Tar files\" section\n"
" of the tcpdump.org Web site). If you apply his patches to libpcap\n"
" 0.7.1 and rebuild and install libpcap, or if you build and install the\n"
" current CVS version of libpcap, you would have to rebuild Ethereal\n"
" from source, linking it with that new version of libpcap; an Ethereal\n"
" binary package would not work. Ethereal binary packages might work if\n"
" you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install\n"
" a libpcap shared library in place of the one on your system.\n"
"\n"
" On other platforms, capturing raw 802.11 packets on Orinoco cards is\n"
" not currently supported.\n"
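Review bot: three wording slips in the new 802.11 text: "Te Orinoco patches require" should read "The Orinoco patches require"; "should allow you to do capture raw 802.11 packets" should drop "do"; and "a ethN interface" in the Prism II paragraph should be "an ethN interface". Separately, the paragraph about Solomon Peachy's libpcap-0.7.1-prism.diff patch, the CVS version of libpcap, rebuilding Ethereal from source and the libpcap-0.7.1-1prism.i386.rpm RPM now appears twice, word for word, once under Prism II and once under Orinoco; keeping it once (the "In all of those cases" paragraph is a natural home) and pointing the Orinoco section at it halves the maintenance the next time the libpcap advice changes.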
@ -1380,15 +1434,15 @@ const char *faq_part[] = {
"\n"
" With other 802.11 interfaces, no platform allows Ethereal to capture\n"
" raw 802.11 packets, as far as we know. If you know of other 802.11\n"
" interfaces that are supported (note that there are many `Prism II\n"
" cards', so your card might be a Prism II card), please let us know,\n"
" interfaces that are supported (note that there are many \"Prism II\n"
" cards\", so your card might be a Prism II card), please let us know,\n"
" and include URLs for sites containing any necessary patches to add\n"
" this support.\n"
"\n"
" On platforms that don't allow Ethereal to capture raw 802.11 packets,\n"
" the 802.11 network will appear like an Ethernet to Ethereal.\n"
"\n"
" Q 5.24: How can I capture packets with CRC errors? \n"
" Q 5.26: How can I capture packets with CRC errors? \n"
"\n"
" A: Ethereal can capture only the packets that the packet capture\n"
" library - libpcap on UNIX-flavored OSes, and the WinPcap port to\n"
@ -1405,7 +1459,7 @@ const char *faq_part[] = {
" libpcap and the packet capture program you're using are necessary to\n"
" support capturing those packets.\n"
"\n"
" Q 5.25: How can I capture entire frames, including the FCS? \n"
" Q 5.27: How can I capture entire frames, including the FCS? \n"
"\n"
" A: Ethereal can't capture any data that the packet capture library -\n"
" libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of\n"
@ -1425,7 +1479,7 @@ const char *faq_part[] = {
" not support capturing the FCS of a frame on Ethernet, and probably do\n"
" not support it on most other link-layer types.\n"
"\n"
" Q 5.26: Ethereal hangs after I stop a capture. \n"
" Q 5.28: Ethereal hangs after I stop a capture. \n"
"\n"
" A: The most likely reason for this is that Ethereal is trying to look\n"
" up an IP address in the capture to convert it to a name (so that, for\n"
@ -1456,12 +1510,12 @@ const char *faq_part[] = {
" lookup to take a long time.\n"
"\n"
" If you disable network address-to-name translation - for example, by\n"
" turning off the `Enable network name resolution' option in the `Name\n"
" resolution' options in the dialog box you get by selecting\n"
" `Preferences' from the `Edit' menu - the lookups of the address won't\n"
" turning off the \"Enable network name resolution\" option in the \"Name\n"
" resolution\" options in the dialog box you get by selecting\n"
" \"Preferences\" from the \"Edit\" menu - the lookups of the address won't\n"
" be done, which may speed up the process of reading the capture file\n"
" after the capture is stopped. You can make that setting the default by\n"
" using the `Save' button in that dialog box; note that this will save\n"
" using the \"Save\" button in that dialog box; note that this will save\n"
" all your current preference settings.\n"
"\n"
" If Ethereal hangs when reading a capture even with network name\n"
@ -1495,7 +1549,7 @@ const char *faq_part[] = {
" contains sensitive information (e.g., passwords), then please do not\n"
" send it.\n"
"\n"
" Q 5.27: How can I search for, or filter, packets that have a\n"
" Q 5.29: How can I search for, or filter, packets that have a\n"
" particular string anywhere in them? \n"
"\n"
" A: Currently, you can't.\n"
@ -1517,7 +1571,7 @@ const char *faq_part[] = {
" list. \n"
" For corrections/additions/suggestions for this page, please send email\n"
" to: ethereal-web[AT]ethereal.com\n"
" Last modified: Wed, March 05 2003.\n"
" Last modified: Thu, March 20 2003.\n"
};
#define FAQ_PARTS 4
#define FAQ_SIZE 68530
#define FAQ_SIZE 71384
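Review bot: FAQ_SIZE is bumped by hand from 68530 to 71384 together with the text, and nothing in the diff shows the new value being checked against the real total length of the faq_part strings. If that constant sizes the buffer the parts are concatenated into, a stale value after some future text edit is a buffer overflow waiting to happen; computing the size at runtime with strlen() over faq_part, or at least asserting that the sum equals FAQ_SIZE in a debug build, removes the hazard. The "Last modified" footer and the ethereal-web[AT]ethereal.com address suggest this file is produced from the web page, so the generator is the right place to emit the size rather than a maintainer's editor.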