osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
wireshark/docbook/faq.adoc

1088 lines
53 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

include::attributes.adoc[]
:stylesheet: ws.css
:linkcss:
:copycss: {stylesheet}
:toc:
= Wireshark Frequently Asked Questions
== General Questions
=== What is Wireshark?
Wireshark® is a network protocol analyzer. It lets you capture and
interactively browse the traffic running on a computer network. It has a
rich and powerful feature set and is world's most popular tool of its
kind. It runs on most computing platforms including Windows, macOS,
Linux, and UNIX. Network professionals, security experts, developers,
and educators around the world use it regularly. It is freely available
as open source, and is released under the GNU General Public License
version 2.
It is developed and maintained by a global team of protocol experts,
and it is an example of a
https://en.wikipedia.org/wiki/Disruptive_technology[disruptive
technology].
Wireshark used to be known as Ethereal®. See the next question for
details about the name change. If you're still using Ethereal, it is
strongly recommended that you upgrade to Wireshark as Ethereal is
unsupported and has known security vulnerabilities.
For more information, please see the
https://www.wireshark.org/about.html[About Wireshark] page.
[#wheretogethelp]
=== Where can I get help?
Community support is available on the
https://ask.wireshark.org/[Q&A site]
and on the wireshark-users mailing list.
Subscription information and archives for all of Wireshark's mailing lists can be found at
https://www.wireshark.org/mailman/listinfo[https://www.wireshark.org/mailman/listinfo].
// An IRC channel dedicated to Wireshark can be found at
// irc://irc.freenode.net/wireshark[irc://irc.freenode.net/wireshark].
=== What kind of shark is Wireshark?
_carcharodon photoshopia_.
=== How is Wireshark pronounced, spelled and capitalized?
Wireshark is pronounced as the word _wire_ followed immediately by
the word _shark_. Exact pronunciation and emphasis may vary depending on
your locale (e.g. Arkansas).
It's spelled with a capital _W_, followed by a lower-case _ireshark_.
It is not a CamelCase word, i.e., _WireShark_ is incorrect.
=== How much does Wireshark cost?
Wireshark is "free software"; you can download it without paying any
license fee. The version of Wireshark you download isn't a "demo"
version, with limitations not present in a "full" version; it _is_ the
full version.
The license under which Wireshark is issued is
https://www.gnu.org/licenses/gpl-2.0.html[the GNU General Public License
version 2]. See
https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html[the GNU GPL
FAQ] for some more information.
=== But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off?
That depends. Did they provide any sort of value-added product or
service, such as installation support, installation media, training,
trace file analysis, or funky-colored shark-themed socks? Probably not.
Wireshark is https://www.wireshark.org/download.html[available for
anyone to download, absolutely free, at any time]. Paying for a copy
implies that you should get something for your money.
=== Can I use Wireshark commercially?
Yes, if, for example, you mean "I work for a commercial organization;
can I use Wireshark to capture and analyze network traffic in our
company's networks or in our customer's networks?"
If you mean "Can I use Wireshark as part of my commercial product?",
see link:#derived_work_gpl[the next entry in the FAQ].
=== Can I use Wireshark as part of my commercial product?
As noted, Wireshark is licensed under
https://www.gnu.org/licenses/gpl-2.0.html[the GNU General Public
License, version 2]. The GPL imposes conditions on your use of GPL'ed
code in your own products; you cannot, for example, make a "derived
work" from Wireshark, by making modifications to it, and then sell the
resulting derived work and not allow recipients to give away the
resulting work. You must also make the changes you've made to the
Wireshark source available to all recipients of your modified version;
those changes must also be licensed under the terms of the GPL. See the
https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html[GPL FAQ] for
more details; in particular, note the answer to
https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLCommercially[the
question about modifying a GPLed program and selling it commercially],
and
https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#LinkingWithGPL[the
question about linking GPLed code with other code to make a proprietary
program].
You can combine a GPLed program such as Wireshark and a commercial
program as long as they communicate "at arm's length", as per
https://www.gnu.org/licenses/old-licenses/gpl-2.0-faq.html#GPLInProprietarySystem[this
item in the GPL FAQ].
We recommend keeping Wireshark and your product completely separate,
communicating over sockets or pipes. If you're loading any part of
Wireshark as a DLL, you're probably doing it wrong.
=== Can you help me fill out this compliance form so that I can use Wireshark?
If you need help filling out individual items in the form, youre certainly free to <<wheretogethelp,ask the community>> for help.
If you want someone within the project to fill out the form for you, we simply cant help you.
Wireshark is developed by a team of volunteers, and while we try to make sure that its as easy as possible to obtain and use, filling out a form would mean taking precious time away from other aspects of the project.
=== Can you sign this legal agreement so that I can use Wireshark?
Probably not.
As with the previous question, we really do want you to be able to use Wireshark.
However, while we've been fortunate enough to have developers, educators, and networking experts volunteer their time, so far we haven't had any attorneys volunteer to review contracts for us pro bono.
Asking us to sign a contract is asking us to spend time reviewing that contract and/or paying for an attorney to do so that you can use Wireshark for free.
=== What protocols are currently supported?
There are currently hundreds of supported protocols and media.
Details can be found in the
https://www.wireshark.org/docs/man-pages/wireshark.html[wireshark(1)]
man page.
=== Are there any plans to support {your favorite protocol}?
Support for particular protocols is added to Wireshark as a result of
people contributing that support; no formal plans for adding support for
particular protocols in particular future releases exist.
=== Can Wireshark read capture files from {your favorite network analyzer}?
Support for particular capture file formats is added to Wireshark as
a result of people contributing that support; no formal plans for adding
support for particular capture file formats in particular future
releases exist.
If a network analyzer writes out files in a format already supported by
Wireshark (e.g., in libpcap format), Wireshark may already be able to
read them, unless the analyzer has added its own proprietary extensions
to that format.
If a network analyzer writes out files in its own format, or has added
proprietary extensions to another format, in order to make Wireshark
read captures from that network analyzer, we would either have to have a
specification for the file format, or the extensions, sufficient to give
us enough information to read the parts of the file relevant to
Wireshark, or would need at least one capture file in that format *AND*
a detailed textual analysis of the packets in that capture file (showing
packet time stamps, packet lengths, and the top-level packet header) in
order to reverse-engineer the file format.
Note that there is no guarantee that we will be able to
reverse-engineer a capture file format.
=== What devices can Wireshark use to capture packets?
Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial
(PPP and SLIP) (if the OS on which it's running allows Wireshark to do
so), 802.11 wireless LAN (if the OS on which it's running allows
Wireshark to do so), ATM connections (if the OS on which it's running
allows Wireshark to do so), and the "any" device supported on Linux by
recent versions of libpcap.
See https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/NetworkMedia[the list of
supported capture media on various OSes] for details (several items in
there say "Unknown", which doesn't mean "Wireshark can't capture on
them", it means "we don't know whether it can capture on them"; we
expect that it will be able to capture on many of them, but we haven't
tried it ourselves - if you try one of those types and it works, please
update the wiki page accordingly.
It can also read a variety of capture file formats, including:
* pcap, used by libpcap, tcpdump and various other tools
* Oracle (previously Sun) snoop and atmsnoop captures
* Finisar (previously Shomiti) Surveyor captures
* Microsoft Network Monitor captures
* Novell LANalyzer captures
* AIX's iptrace captures
* Cinco Networks NetXRay captures
* NETSCOUT (previously Network Associates/Network General) Windows-based
Sniffer captures
* Network General/Network Associates DOS-based Sniffer captures
(compressed or uncompressed)
* LiveAction (previously WildPackets/Savvius) *Peek/EtherHelp/Packet Grabber
captures
* RADCOM's WAN/LAN analyzer captures
* Viavi (previously Network Instruments) Observer captures
* Lucent/Ascend router debug output
* Toshiba's ISDN routers dump output
* captures from HP-UX nettl
* the output from i4btrace from the ISDN4BSD project
* traces from the EyeSDN USB S0
* the IPLog format output from the Cisco Secure Intrusion Detection System
* pppd logs (pppdump format)
* the text output from VMS's TCPIPtrace/TCPtrace/UCX$TRACE utilities
* the text output from the DBS Etherwatch VMS utility
* Visual Networks' Visual UpTime traffic capture
* the output from CoSine L2 debug
* the output from InfoVista (formerly Accellent) 5Views LAN agents
* Endace Measurement Systems' ERF format captures
* Linux Bluez Bluetooth stack hcidump -w traces
* Catapult DCT2000 .out files
* Gammu generated text output from Nokia DCT3 phones in Netmonitor mode
* IBM Series (OS/400) Comm traces (ASCII & UNICODE)
* Juniper Netscreen snoop files
* Symbian OS btsnoop files
* TamoSoft CommView files
* Tektronix K12xx 32bit .rf5 format files
* Tektronix K12 text file format captures
* Apple PacketLogger files
* Files from Aethra Telecommunications' PC108 software for their test
instruments
* Citrix NetScaler Trace files
* Android Logcat binary and text format logs
* Colasoft Capsa and Packet Builder captures
* Micropross mplog files
* Unigraf DPA-400 DisplayPort AUX channel monitor traces
* 802.15.4 traces from Daintree's Sensor Network Analyzer
* MPEG-2 Transport Streams as defined in ISO/IEC 13818-1
* Log files from the _candump_ utility
* Logs from the BUSMASTER tool
* Ixia IxVeriWave raw captures
* Rabbit Labs CAM Inspector files
* systemd journal files
* 3GPP TS 32.423 trace files
so that it can read traces from various network types, as captured by
other applications or equipment, even if it cannot itself capture on
those network types.
=== Does Wireshark work on older versions of Windows such as Windows 7?
Each major release branch of Wireshark supports the versions of Windows that are within their product lifecycle at the time of the “.0” release for that branch.
For example, Wireshark 3.2.0 was released in December 2019, shortly before Windows 7 reached the end of its extended support in January 2020. As a result, each of the Wireshark 3.2._x_ releases supports Windows 7, even after January 2020.
See the
link:https://www.wireshark.org/docs/wsug_html_chunked/ChIntroPlatforms.html[Microsoft Windows section of the Users Guide]
and the
link:https://gitlab.com/wireshark/wireshark/-/wikis/Development/LifeCycle[End Of Life Planning section of the Release Life Cycle wiki page]
for more details.
Npcap might not work well on Windows 8 and earlier, so you might want to install WinPcap instead.
== Installing Wireshark
=== I installed the Wireshark RPM (or other package); why did it install TShark but not Wireshark?
Many distributions have separate Wireshark packages, one for non-GUI
components such as TShark, editcap, dumpcap, etc. and one for the GUI.
If this is the case on your system, there's probably a separate package
named “wireshark-qt”. Find it and install it.
== Building Wireshark
=== Why does building Wireshark fail due to missing headers (.h files)?
If this is happening on Linux, it's likely due to missing development library packages.
For example, Debian and Ubuntu ship the GLib library in the libglib2.0-0 package, but ship its header files and other development assets in the libglib2.0-dev package.
We maintain setup scripts (_*-setup.sh_) for many major distributions in the _tools_ directory of the Wireshark sources that can install the required development packages for you.
== Crashes and other fatal errors
=== I have an _XXX_ network card on my machine; if I try to capture on it, why does my machine crash or reset itself?
This is almost certainly a problem with one or more of:
* the operating system you're using;
* the device driver for the interface you're using;
* the libpcap/Npcap library and, if this is Windows, the Npcap device
driver;
so:
* if you are using Windows, see {npcap-main-url}[the Npcap support page] - check the "Patches, Bug Reports, Questions, Suggestions,
etc" section;
* if you are using some Linux distribution, some version of BSD, or some
other UNIX-flavored OS, you should report the problem to the company or
organization that produces the OS (in the case of a Linux distribution,
report the problem to whoever produces the distribution).
=== Why does my machine crash or reset itself when I select "Start" from the "Capture" menu or select "Preferences" from the "Edit" menu?
Both of those operations cause Wireshark to try to build a list of
the interfaces that it can open; it does so by getting a list of
interfaces and trying to open them. There is probably an OS, driver, or,
for Windows, Npcap bug that causes the system to crash when this
happens; see the previous question.
== Capturing packets
[#promiscsniff]
=== When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?
This might be because the interface on which you're capturing is
plugged into an Ethernet or Token Ring switch; on a switched network,
unicast traffic between two ports will not necessarily appear on other
ports - only broadcast and multicast traffic will be sent to all ports.
Note that even if your machine is plugged into a hub, the "hub" may be
a switched hub, in which case you're still on a switched network.
Note also that on the Linksys Web site, they say that their
auto-sensing hubs "broadcast the 10Mb packets to the port that operate
at 10Mb only and broadcast the 100Mb packets to the ports that operate
at 100Mb only", which would indicate that if you sniff on a 10Mb port,
you will not see traffic coming sent to a 100Mb port, and _vice versa_.
This problem has also been reported for Netgear dual-speed hubs, and may
exist for other "auto-sensing" or "dual-speed" hubs.
Some switches have the ability to replicate all traffic on all ports to
a single port so that you can plug your analyzer into that single port
to sniff all traffic. You would have to check the documentation for the
switch to see if this is possible and, if so, to see how to do this. See
https://gitlab.com/wireshark/wireshark/-/wikis/SwitchReference[the switch reference page] on
https://gitlab.com/wireshark/wireshark/-/wikis[the Wireshark Wiki] for information on some
switches. (Note that it's a Wiki, so you can update or fix that
information, or add additional information on those switches or
information on new switches, yourself.)
Note also that many firewall/NAT boxes have a switch built into them;
this includes many of the "cable/DSL router" boxes. If you have a box of
that sort, that has a switch with some number of Ethernet ports into
which you plug machines on your network, and another Ethernet port used
to connect to a cable or DSL modem, you can, at least, sniff traffic
between the machines on your network and the Internet by plugging the
Ethernet port on the router going to the modem, the Ethernet port on the
modem, and the machine on which you're running Wireshark into a hub
(make sure it's not a switching hub, and that, if it's a dual-speed hub,
all three of those ports are running at the same speed.
If your machine is _not_ plugged into a switched network or a
dual-speed hub, or it is plugged into a switched network but the port is
set up to have all traffic replicated to it, the problem might be that
the network interface on which you're capturing doesn't support
"promiscuous" mode, or because your OS can't put the interface into
promiscuous mode. Normally, network interfaces supply to the host only:
* packets sent to one of that host's link-layer addresses;
* broadcast packets;
* multicast packets sent to a multicast address that the host has
configured the interface to accept.
Most network interfaces can also be put in "promiscuous" mode, in which
they supply to the host all network packets they see. Wireshark will try
to put the interface on which it's capturing into promiscuous mode
unless the "Capture packets in promiscuous mode" option is turned off in
the "Capture Options" dialog box, and TShark will try to put the
interface on which it's capturing into promiscuous mode unless the `-p`
option was specified. However, some network interfaces don't support
promiscuous mode, and some OSes might not allow interfaces to be put
into promiscuous mode.
If the interface is not running in promiscuous mode, it won't see any
traffic that isn't intended to be seen by your machine. It *will* see
broadcast packets, and multicast packets sent to a multicast MAC address
the interface is set up to receive.
You should ask the vendor of your network interface whether it supports
promiscuous mode. If it does, you should ask whoever supplied the driver
for the interface (the vendor, or the supplier of the OS you're running
on your machine) whether it supports promiscuous mode with that network
interface.
In the case of wireless LAN interfaces, it appears that, when those
interfaces are promiscuously sniffing, they're running in a
significantly different mode from the mode that they run in when they're
just acting as network interfaces (to the extent that it would be a
significant effort for those drivers to support for promiscuously
sniffing _and_ acting as regular network interfaces at the same time),
so it may be that Windows drivers for those interfaces don't support
promiscuous mode.
=== When I capture with Wireshark, why can't I see any TCP packets other than packets to and from my machine, even though another analyzer on the network sees those packets?
You're probably not seeing _any_ packets other than unicast packets
to or from your machine, and broadcast and multicast packets; a switch
will normally send to a port only unicast traffic sent to the MAC
address for the interface on that port, and broadcast and multicast
traffic - it won't send to that port unicast traffic sent to a MAC
address for some other interface - and a network interface not in
promiscuous mode will receive only unicast traffic sent to the MAC
address for that interface, broadcast traffic, and multicast traffic
sent to a multicast MAC address the interface is set up to receive.
TCP doesn't use broadcast or multicast, so you will only see your own
TCP traffic, but UDP services may use broadcast or multicast so you'll
see some UDP traffic - however, this is not a problem with TCP traffic,
it's a problem with unicast traffic, as you also won't see all UDP
traffic between other machines.
I.e., this is probably link:#promiscsniff[the same question as this
earlier one]; see the response to that question.
=== Why am I only seeing ARP packets when I try to capture traffic?
You're probably on a switched network, and running Wireshark on a
machine that's not sending traffic to the switch and not being sent any
traffic from other machines on the switch. ARP packets are often
broadcast packets, which are sent to all switch ports.
I.e., this is probably link:#promiscsniff[the same question as this
earlier one]; see the response to that question.
=== Why am I not seeing any traffic when I try to capture traffic?
Is the machine running Wireshark sending out any traffic on the
network interface on which you're capturing, or receiving any traffic on
that network, or is there any broadcast traffic on the network or
multicast traffic to a multicast group to which the machine running
Wireshark belongs?
If not, this may just be a problem with promiscuous sniffing, either
due to running on a switched network or a dual-speed hub, or due to
problems with the interface not supporting promiscuous mode; see the
response to link:#promiscsniff[this earlier question].
Otherwise, on Windows, see the response to link:#capprobwin[this
question] and, on a UNIX-flavored OS, see the response to
link:#capprobunix[this question].
=== How do I put an interface into promiscuous mode?
By not disabling promiscuous mode when running Wireshark or TShark.
Note, however, that:
* the form of promiscuous mode that libpcap (the library that programs
such as tcpdump, Wireshark, etc. use to do packet capture) turns on will
*not* necessarily be shown if you run `ifconfig` on the interface on a
UNIX system;
* some network interfaces might not support promiscuous mode, and some
drivers might not allow promiscuous mode to be turned on - see
link:#promiscsniff[this earlier question] for more information on that;
* the fact that you're not seeing any traffic, or are only seeing
broadcast traffic, or aren't seeing any non-broadcast traffic other than
traffic to or from the machine running Wireshark, does not mean that
promiscuous mode isn't on - see link:#promiscsniff[this earlier
question] for more information on that.
I.e., this is probably link:#promiscsniff[the same question as this
earlier one]; see the response to that question.
=== I can set a display filter just fine; why don't capture filters work?
Capture filters currently use a different syntax than display
filters. Here's the corresponding section from the
https://www.wireshark.org/docs/man-pages/wireshark.html[wireshark(1)]
man page:
"Display filters in Wireshark are very powerful; more fields are
filterable in Wireshark than in other protocol analyzers, and the syntax
you can use to create your filters is richer. As Wireshark progresses,
expect more and more protocol fields to be allowed in display filters.
Packet capturing is performed with the pcap library. The capture filter
syntax follows the rules of the pcap library. This syntax is different
from the display filter syntax."
The capture filter syntax used by libpcap can be found in the
http://www.tcpdump.org/tcpdump_man.html[tcpdump(8)] man page.
=== How can I capture packets with CRC errors?
Wireshark can capture only the packets that the packet capture
library - libpcap on UNIX-flavored OSes, and the Npcap port to Windows
of libpcap on Windows - can capture, and libpcap/Npcap can capture only
the packets that the OS's raw packet capture mechanism (or the Npcap
driver, and the underlying OS networking code and network interface
drivers, on Windows) will allow it to capture.
Unless the OS always supplies packets with errors such as invalid CRCs
to the raw packet capture mechanism, or can be configured to do so,
invalid CRCs to the raw packet capture mechanism, Wireshark - and other
programs that capture raw packets, such as tcpdump - cannot capture
those packets. You will have to determine whether your OS needs to be so
configured and, if so, can be so configured, configure it if necessary
and possible, and make whatever changes to libpcap and the packet
capture program you're using are necessary, if any, to support capturing
those packets.
Most OSes probably do *not* support capturing packets with invalid CRCs
on Ethernet, and probably do not support it on most other link-layer
types. Some drivers on some OSes do support it, such as some Ethernet
drivers on FreeBSD; in those OSes, you might always get those packets,
or you might only get them if you capture in promiscuous mode (you'd
have to determine which is the case).
Note that libpcap does not currently supply to programs that use it an
indication of whether the packet's CRC was invalid (because the drivers
themselves do not supply that information to the raw packet capture
mechanism); therefore, Wireshark will not indicate which packets had CRC
errors unless the FCS was captured (see the next question) and you're
using Wireshark 0.9.15 and later, in which case Wireshark will check the
CRC and indicate whether it's correct or not.
=== How can I capture entire frames, including the FCS?
Wireshark can only capture data that the packet capture library -
libpcap on UNIX-flavored OSes, and the Npcap port to Windows of libpcap
on Windows - can capture, and libpcap/Npcap can capture only the data
that the OS's raw packet capture mechanism (or the Npcap driver, and the
underlying OS networking code and network interface drivers, on Windows)
will allow it to capture.
For any particular link-layer network type, unless the OS supplies the
FCS of a frame as part of the frame, or can be configured to do so,
Wireshark - and other programs that capture raw packets, such as tcpdump
- cannot capture the FCS of a frame. You will have to determine whether
your OS needs to be so configured and, if so, can be so configured,
configure it if necessary and possible, and make whatever changes to
libpcap and the packet capture program you're using are necessary, if
any, to support capturing the FCS of a frame.
Most OSes do *not* support capturing the FCS of a frame on Ethernet,
and probably do not support it on most other link-layer types. Some
drivers on some OSes do support it, such as some (all?) Ethernet drivers
on NetBSD and possibly the driver for Apple's gigabit Ethernet interface
in macOS; in those OSes, you might always get the FCS, or you might only
get the FCS if you capture in promiscuous mode (you'd have to determine
which is the case).
Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in
a captured packet as an FCS. 0.9.15 and later will attempt to determine
whether there's an FCS at the end of the frame and, if it thinks there
is, will display it as such, and will check whether it's the correct
CRC-32 value or not.
=== I'm capturing packets on a machine on a VLAN; why don't the packets I'm capturing have VLAN tags?
You might be capturing on what might be called a "VLAN interface" -
the way a particular OS makes VLANs plug into the networking stack
might, for example, be to have a network device object for the physical
interface, which takes VLAN packets, strips off the VLAN header and
constructs an Ethernet header, and passes that packet to an internal
network device object for the VLAN, which then passes the packets onto
various higher-level protocol implementations.
In order to see the raw Ethernet packets, rather than "de-VLANized"
packets, you would have to capture not on the virtual interface for the
VLAN, but on the interface corresponding to the physical network device,
if possible. See https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/VLAN[the
Wireshark Wiki item on VLAN capturing] for details.
=== Why does Wireshark hang after I stop a capture?
The most likely reason for this is that Wireshark is trying to look
up an IP address in the capture to convert it to a name (so that, for
example, it can display the name in the source address or destination
address columns), and that lookup process is taking a very long time.
Wireshark calls a routine in the OS of the machine on which it's
running to convert of IP addresses to the corresponding names. That
routine probably does one or more of:
* a search of a system file listing IP addresses and names;
* a lookup using DNS;
* on UNIX systems, a lookup using NIS;
* on Windows systems, a NetBIOS-over-TCP query.
If a DNS server that's used in an address lookup is not responding, the
lookup will fail, but will only fail after a timeout while the system
routine waits for a reply.
In addition, on Windows systems, if the DNS lookup of the address
fails, either because the server isn't responding or because there are
no records in the DNS that could be used to map the address to a name, a
NetBIOS-over-TCP query will be made. That query involves sending a
message to the NetBIOS-over-TCP name service on that machine, asking for
the name and other information about the machine. If the machine isn't
running software that responds to those queries - for example, many
non-Windows machines wouldn't be running that software - the lookup will
only fail after a timeout. Those timeouts can cause the lookup to take a
long time.
If you disable network address-to-name translation - for example, by
turning off the "Enable network name resolution" option in the "Capture
Options" dialog box for starting a network capture - the lookups of the
address won't be done, which may speed up the process of reading the
capture file after the capture is stopped. You can make that setting the
default by selecting "Preferences" from the "Edit" menu, turning off the
"Enable network name resolution" option in the "Name resolution" options
in the preferences dialog box, and using the "Save" button in that
dialog box; note that this will save _all_ your current preference
settings.
If Wireshark hangs when reading a capture even with network name
resolution turned off, there might, for example, be a bug in one of
Wireshark's dissectors for a protocol causing it to loop infinitely. If
you're not running the most recent release of Wireshark, you should
first upgrade to that release, as, if there's a bug of that sort, it
might've been fixed in a release after the one you're running. If the
hang occurs in the most recent release of Wireshark, the bug should be
reported to mailto:wireshark-dev@wireshark.org[the Wireshark developers'
mailing list] at `wireshark-dev@wireshark.org`.
On UNIX-flavored OSes, please try to force Wireshark to dump core, by
sending it a `SIGABRT` signal (usually signal 6) with the `kill`
command, and then get a stack trace if you have a debugger installed. A
stack trace can be obtained by using your debugger (`gdb` in this
example), the Wireshark binary, and the resulting core file. Here's an
example of how to use the gdb command `backtrace` to do so.
----
$ gdb wireshark core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$
----
The core dump file may be named "wireshark.core" rather than "core" on
some platforms (e.g., BSD systems).
Also, if at all possible, please send a copy of the capture file that
caused the problem. When capturing packets, Wireshark normally writes
captured packets to a temporary file, which will probably be in `/tmp`
or `/var/tmp` on UNIX-flavored OSes, `\TEMP` on the main system disk
(normally `\Documents and Settings\<your login name>\Local Settings\Temp` on the main system disk on Windows XP and
Server 2003, and `\Users\<your login name>\AppData\Local\Temp` on the main
system disk on Windows Vista and later, so the capture file will
probably be there. If you are capturing on a single interface, it will
have a name of the form,
`wireshark_<iface>_YYYYmmddHHMMSS_XXXXXX.<fmt>`, where <fmt> is the
capture file format (pcap or pcapng), and <iface> is the actual name of
the interface you are capturing on; otherwise, if you are capturing on
multiple interfaces, it will have a name of the form,
`wireshark_<N>_interfaces_YYYYmmddHHMMSS_XXXXXX.<fmt>`, where <N> is the
number of simultaneous interfaces you are capturing on. Please don't
send a trace file greater than 1 MB when compressed; instead, make it
available via FTP or HTTP, or say it's available but leave it up to a
developer to ask for it. If the trace file contains sensitive
information (e.g., passwords), then please do not send it.
== Capturing packets on Windows
[#capprobwin]
=== I'm running Wireshark on Windows; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface?
Wireshark relies on the Npcap library, the Npcap device driver,
and the facilities that come with the OS on which it's running in
order to do captures.
Therefore, if the OS, the Npcap library, or the Npcap driver don't
support capturing on a particular network interface device, Wireshark
won't be able to capture on that device.
If an interface doesn't show up in the list of interfaces in the
"Interface:" field, and you know the name of the interface, try entering
that name in the "Interface:" field and capturing on that device.
If the attempt to capture on it succeeds, the interface is somehow not
being reported by the mechanism Wireshark uses to get a list of
interfaces. Try listing the interfaces with WinDump; see
https://www.windump.org/[the WinDump Web site] for information on using
WinDump.
You would run WinDump with the `-D` flag; if it lists the interface,
please report this to
mailto:wireshark-dev@wireshark.org[wireshark-dev@wireshark.org] giving
full details of the problem, including
* the operating system you're using, and the version of that operating
system;
* the type of network device you're using;
* the output of WinDump.
If WinDump does _not_ list the interface, this is almost certainly a
problem with one or more of:
* the operating system you're using;
* the device driver for the interface you're using;
* the Npcap library and/or the Npcap device driver;
so first check {npcap-main-url}guide/npcap-users-guide.html[the Npcap User's Guide] to see if your problem is mentioned there.
If not, then see {npcap-main-url}[the main Npcap page] - check the "Patches, Bug Reports, Questions, Suggestions, etc" section.
If you are having trouble capturing on a particular network interface,
first try capturing on that device with WinDump; see
https://www.windump.org/[the WinDump Web site] for information on using
WinDump.
If you can capture on the interface with WinDump, send mail to
mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org]
giving full details of the problem, including
* the operating system you're using, and the version of that operating
system;
* the type of network device you're using;
* the error message you get from Wireshark.
If you _cannot_ capture on the interface with WinDump, this is almost
certainly a problem with one or more of:
* the operating system you're using;
* the device driver for the interface you're using;
* the Npcap library and/or the Npcap device driver;
so first check {npcap-main-url}guide/npcap-users-guide.html[the Npcap User's Guide] to see if your problem is mentioned there.
If not, then see {npcap-main-url}[the main Npcap page] - check the "Patches, Bug Reports, Questions, Suggestions, etc" section.
You may also want to ask the
mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] and
the mailto:dev@nmap.org[dev@nmap.org] mailing
lists to see if anybody happens to know about the problem and know a
workaround or fix for the problem. (Note that you will have to subscribe
to that list in order to be allowed to mail to it; see
{npcap-main-url}[the Npcap support page] for information on the
mailing list.) In your mail, please give full details of the problem, as
described above, and also indicate that the problem occurs with WinDump,
not just with Wireshark.
=== I'm running Wireshark on Windows; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"?
This is really link:#capprobwin[the same question as a previous one];
see the response to that question.
=== I'm running Wireshark on Windows; why am I not seeing any traffic being sent by the machine running Wireshark?
If you are running some form of VPN client software, it might be
causing this problem; people have seen this problem when they have Check
Point's VPN software installed on their machine. If that's the cause of
the problem, you will have to remove the VPN software in order to have
Wireshark (or any other application using Npcap) see outgoing packets;
unfortunately, neither we nor the Npcap developers know any way to make
Npcap and the VPN software work well together.
Also, some drivers for Windows (especially some wireless network
interface drivers) apparently do not, when running in promiscuous mode,
arrange that outgoing packets are delivered to the software that
requested that the interface run promiscuously; try turning promiscuous
mode off.
=== When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety?
In at least some cases, this appears to be the result of PGPnet
running on the network interface on which you're capturing; turn it off
on that interface.
=== I'm trying to capture 802.11 traffic on Windows; why am I not seeing any packets?
You should first ensure that Npcap was installed with {npcap-main-url}/guide/npcap-devguide.html#npcap-feature-dot11[raw 802.11 support] and that monitor mode is enabled.
At least some 802.11 card drivers on Windows appear not to see any
packets if they're running in promiscuous mode. Try turning promiscuous
mode off; you'll only be able to see packets sent by and received by
your machine, not third-party traffic, and it'll look like Ethernet
traffic and won't include any management or control frames, but that's a
limitation of the card drivers.
// XXX Is this still relevant?
// See the archived
// https://web.archive.org/web/20090226193157/http://www.micro-logix.com/winpcap/Supported.asp[MicroLogix's
// list of cards supported with WinPcap] for information on support of
// various adapters and drivers with WinPcap.
=== I'm trying to capture 802.11 traffic on Windows; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine?
This appears to be another problem with promiscuous mode; try turning
it off.
=== I'm trying to capture Ethernet VLAN traffic on Windows, and I'm capturing on a "raw" Ethernet device rather than a "VLAN interface", so that I can see the VLAN headers; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine?
The way the Windows networking code works probably means that packets
are sent on a "VLAN interface" rather than the "raw" device, so packets
sent by the machine will only be seen when you capture on the "VLAN
interface". If so, you will be unable to see outgoing packets when
capturing on the "raw" device, so you are stuck with a choice between
seeing VLAN headers and seeing outgoing packets.
== Capturing packets on UN*Xes
[#capprobunix]
=== I'm running Wireshark on a UNIX-flavored OS; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface?
You may need to run Wireshark from an account with sufficient
privileges to capture packets, such as the super-user account, or may
need to give your account sufficient privileges to capture packets. Only
those interfaces that Wireshark can open for capturing show up in that
list; if you don't have sufficient privileges to capture on any
interfaces, no interfaces will show up in the list. See
https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CapturePrivileges[the Wireshark
Wiki item on capture privileges] for details on how to give a particular
account or account group capture privileges on platforms where that can
be done.
If you are running Wireshark from an account with sufficient
privileges, then note that Wireshark relies on the libpcap library, and
on the facilities that come with the OS on which it's running in order
to do captures. On some OSes, those facilities aren't present by
default; see https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CaptureSupport[the
Wireshark Wiki item on adding capture support] for details.
And, even if you're running with an account that has sufficient
privileges to capture, and capture support is present in your OS, if the
OS or the libpcap library don't support capturing on a particular
network interface device or particular types of devices, Wireshark won't
be able to capture on that device.
On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
Ring interfaces; the current version, 0.7.2, does support Token Ring,
and the current version of Wireshark works with libpcap 0.7.2 and later.
If an interface doesn't show up in the list of interfaces in the
"Interface:" field, and you know the name of the interface, try entering
that name in the "Interface:" field and capturing on that device.
If the attempt to capture on it succeeds, the interface is somehow not
being reported by the mechanism Wireshark uses to get a list of
interfaces; please report this to
mailto:wireshark-dev@wireshark.org[wireshark-dev@wireshark.org] giving
full details of the problem, including
* the operating system you're using, and the version of that operating
system (for Linux, give both the version number of the kernel and the
name and version number of the distribution you're using);
* the type of network device you're using.
If you are having trouble capturing on a particular network interface,
and you've made sure that (on platforms that require it) you've arranged
that packet capture support is present, as per the above, first try
capturing on that device with `tcpdump`.
If you can capture on the interface with `tcpdump`, send mail to
mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org]
giving full details of the problem, including
* the operating system you're using, and the version of that operating
system (for Linux, give both the version number of the kernel and the
name and version number of the distribution you're using);
* the type of network device you're using;
* the error message you get from Wireshark.
If you _cannot_ capture on the interface with `tcpdump`, this is almost
certainly a problem with one or more of:
* the operating system you're using;
* the device driver for the interface you're using;
* the libpcap library;
so you should report the problem to the company or organization that
produces the OS (in the case of a Linux distribution, report the problem
to whoever produces the distribution).
You may also want to ask the
mailto:wireshark-users@wireshark.org[wireshark-users@wireshark.org] and
the
mailto:tcpdump-workers@lists.tcpdump.org[tcpdump-workers@lists.tcpdump.org]
mailing lists to see if anybody happens to know about the problem and
know a workaround or fix for the problem. In your mail, please give full
details of the problem, as described above, and also indicate that the
problem occurs with `tcpdump` not just with Wireshark.
=== I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"?
This is really link:#capprobunix[the same question as the previous
one]; see the response to that question.
=== I'm capturing packets on Linux; why do the time stamps have only 100ms resolution, rather than 1us resolution?
Wireshark gets time stamps from libpcap/Npcap, and libpcap/Npcap get
them from the OS kernel, so Wireshark - and any other program using
libpcap, such as tcpdump - is at the mercy of the time stamping code in
the OS for time stamps.
At least on x86-based machines, Linux can get high-resolution time
stamps on newer processors with the Time Stamp Counter (TSC) register;
for example, Intel x86 processors, starting with the Pentium Pro, and
including all x86 processors since then, have had a TSC, and other
vendors probably added the TSC at some point to their families of x86
processors. The Linux kernel must be configured with the CONFIG_X86_TSC
option enabled in order to use the TSC. Make sure this option is enabled
in your kernel.
In addition, some Linux distributions may have bugs in their versions
of the kernel that cause packets not to be given high-resolution time
stamps even if the TSC is enabled. See, for example, bug 61111 for Red
Hat Linux 7.2. If your distribution has a bug such as this, you may have
to run a standard kernel from kernel.org in order to get high-resolution
time stamps.
== Capturing packets on wireless LANs
=== How can I capture raw 802.11 frames, including non-data (management, beacon) frames?
That depends on the operating system on which you're running, and on
the 802.11 interface on which you're capturing.
This would probably require that you capture in promiscuous mode or in
the mode called "monitor mode" or "RFMON mode". On some platforms, or
with some cards, this might require that you capture in monitor mode -
promiscuous mode might not be sufficient. If you want to capture traffic
on networks other than the one with which you're associated, you will
have to capture in monitor mode.
Not all operating systems support capturing non-data packets and, even
on operating systems that do support it, not all drivers, and thus not
all interfaces, support it. Even on those that do, monitor mode might
not be supported by the operating system or by the drivers for all
interfaces.
*NOTE:* an interface running in monitor mode will, on most if not all
platforms, not be able to act as a regular network interface; putting it
into monitor mode will, in effect, take your machine off of whatever
network it's on as long as the interface is in monitor mode, allowing it
only to passively capture packets.
This means that you should disable name resolution when capturing in
monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries to
display IP addresses as host names, it will probably block for a long
time trying to resolve the name because it will not be able to
communicate with any DNS or NIS servers.
See https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/WLAN[the Wireshark Wiki
item on 802.11 capturing] for details.
=== How do I capture on an 802.11 device in monitor mode?
Whether you will be able to capture in monitor mode depends on the
operating system, adapter, and driver you're using. See
link:#raw_80211_sniff[the previous question] for information on monitor
mode, including a link to the Wireshark Wiki page that gives details on
802.11 capturing.
== Viewing traffic
=== Why am I seeing lots of packets with incorrect TCP checksums?
If the packets that have incorrect TCP checksums are all being sent
by the machine on which Wireshark is running, this is probably because
the network interface on which you're capturing does TCP checksum
offloading. That means that the TCP checksum is added to the packet by
the network interface, not by the OS's TCP/IP stack; when capturing on
an interface, packets being sent by the host on which you're capturing
are directly handed to the capture interface by the OS, which means that
they are handed to the capture interface without a TCP checksum being
added to them.
The only way to prevent this from happening would be to disable TCP
checksum offloading, but
1. that might not even be possible on some OSes;
2. that could reduce networking performance significantly.
However, you can disable the check that Wireshark does of the TCP
checksum, so that it won't report any packets as having TCP checksum
errors, and so that it won't refuse to do TCP reassembly due to a packet
having an incorrect TCP checksum. That can be set as an Wireshark
preference by selecting "Preferences" from the "Edit" menu, opening up
the "Protocols" list in the left-hand pane of the "Preferences" dialog
box, selecting "TCP", from that list, turning off the "Check the
validity of the TCP checksum when possible" option, clicking "Save" if
you want to save that setting in your preference file, and clicking
"OK".
It can also be set on the Wireshark or TShark command line with a
`-o tcp.check_checksum:false` command-line flag, or manually set in your
preferences file by adding a `tcp.check_checksum:false` line.
=== I've just installed Wireshark, and the traffic on my local LAN is boring. Where can I find more interesting captures?
We have a collection of strange and exotic sample capture files at
https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures[https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures]
=== Why doesn't Wireshark correctly identify RTP packets? It shows them only as UDP.
Wireshark can identify a UDP datagram as containing a packet of a
particular protocol running atop UDP only if
1. The protocol in question has a particular standard port number, and
the UDP source or destination port number is that port
2. Packets of that protocol can be identified by looking for a
"signature" of some type in the packet - i.e., some data that, if
Wireshark finds it in some particular part of a packet, means that the
packet is almost certainly a packet of that type.
3. Some _other_ traffic earlier in the capture indicated that, for
example, UDP traffic between two particular addresses and ports will be
RTP traffic.
RTP doesn't have a standard port number, so 1) doesn't work; it doesn't,
as far as I know, have any "signature", so 2) doesn't work.
That leaves 3). If there's RTSP traffic that sets up an RTP session,
then, at least in some cases, the RTSP dissector will set things up so
that subsequent RTP traffic will be identified. Currently, that's the
only place we do that; there may be other places.
However, there will always be places where Wireshark is simply
*incapable* of deducing that a given UDP flow is RTP; a mechanism would
be needed to allow the user to specify that a given conversation should
be treated as RTP. As of Wireshark 0.8.16, such a mechanism exists; if
you select a UDP or TCP packet, the right mouse button menu will have a
"Decode As..." menu item, which will pop up a dialog box letting you
specify that the source port, the destination port, or both the source
and destination ports of the packet should be dissected as some
particular protocol.
=== Why doesn't Wireshark show Yahoo Messenger packets in captures that contain Yahoo Messenger traffic?
Wireshark only recognizes as Yahoo Messenger traffic packets to or
from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
segments that start with the middle of a Yahoo Messenger packet that
takes more than one TCP segment will not be recognized as Yahoo
Messenger packets (even if the TCP segment also contains the beginning
of another Yahoo Messenger packet).
== Filtering traffic
=== I saved a filter and tried to use its name to filter the display; why do I get an "Unexpected end of filter string" error?
You cannot use the name of a saved display filter as a filter. To
filter the display, you can enter a display filter expression - *not*
the name of a saved display filter - in the "Filter:" box at the bottom
of the display, and type the <Enter> key or press the "Apply" button
(that does not require you to have a saved filter), or, if you want to
use a saved filter, you can press the "Filter:" button, select the
filter in the dialog box that pops up, and press the "OK" button.
=== How can I search for, or filter, packets that have a particular string anywhere in them?
If you want to do this when capturing, you can't. That's a feature
that would be hard to implement in capture filters without changes to
the capture filter code, which, on many platforms, is in the OS kernel
and, on other platforms, is in the libpcap library.
After capture, you can search for text by selecting _Edit→Find
Packet..._ and making sure _String_ is selected. Alternately, you can
use the "contains" display filter operator or "matches" operator if it's
supported on your system.
=== How do I filter a capture to see traffic for virus XXX?
For some viruses/worms there might be a capture filter to recognize
the virus traffic. Check the
https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters[CaptureFilters] page on the
https://gitlab.com/wireshark/wireshark/-/wikis[Wireshark Wiki] to see if anybody's added
such a filter.
Note that Wireshark was not designed to be an intrusion detection
system; you might be able to use it as an IDS, but in most cases
software designed to be an IDS, such as https://www.snort.org/[Snort] or
https://www.prelude-siem.org/[Prelude], will probably work better.
== Questions Which Are Still Notable Even Though They Arent Asked Much Any More
=== What's up with the name change? Is Wireshark a fork?
In May of 2006, Gerald Combs (the original author of Ethereal) went
to work for CACE Technologies (best known for WinPcap). Unfortunately,
he had to leave the Ethereal trademarks behind.
This left the project in an awkward position. The only reasonable way
to ensure the continued success of the project was to change the name.
This is how Wireshark was born.
Wireshark is almost (but not quite) a fork. Normally a "fork" of an
open source project results in two names, web sites, development teams,
support infrastructures, etc. This is the case with Wireshark except for
one notable exception -- every member of the core development team is
now working on Wireshark. There has been no active development on
Ethereal since the name change. Several parts of the Ethereal web site`
(such as the mailing lists, source code repository, and build farm) have
gone offline.
More information on the name change can be found here:
* https://www.prweb.com/releases/2006/6/prweb396098.htm[Original press
release]
* https://www.linux.com/news/ethereal-changes-name-wireshark[NewsForge article]
* Many other articles in https://www.wireshark.org/bibliography.html[our
bibliography]
View Git Blame Copy Permalink