General Information
-------------------

Wireshark is a network traffic analyzer, or "sniffer", for Linux, macOS,
\*BSD and other Unix and Unix-like operating systems and for Windows.
It uses Qt, a graphical user interface library, and libpcap and npcap as
packet capture and filtering libraries.

The Wireshark distribution also comes with TShark, which is a
line-oriented sniffer (similar to Sun's snoop or tcpdump) that uses the
same dissection, capture-file reading and writing, and packet filtering
code as Wireshark, and with editcap, which is a program to read capture
files and write the packets from that capture file, possibly in a
different capture file format, and with some packets possibly removed
from the capture.

The official home of Wireshark is https://www.wireshark.org.

The latest distribution can be found at https://www.wireshark.org/download

Installation
------------

The Wireshark project builds and tests regularly on the following platforms:

- Linux (Ubuntu)
- Microsoft Windows
- macOS / {Mac} OS X

Official installation packages are available for Microsoft Windows and
macOS.

It is available as either a standard or add-on package for many popular
operating systems and Linux distributions including Debian, Ubuntu, Fedora,
CentOS, RHEL, Arch, Gentoo, openSUSE, FreeBSD, DragonFly BSD, NetBSD, and
OpenBSD.

Additionally it is available through many third-party packaging systems
such as pkgsrc, OpenCSW, Homebrew, and MacPorts.

It should run on other Unix-ish systems without too much trouble.

In some cases the current version of Wireshark might not support your
operating system. This is the case for Windows XP, which is supported by
Wireshark 1.10 and earlier. In other cases the standard package for
Wireshark might simply be old. This is the case for Solaris and HP-UX.

Python 3 is needed to build Wireshark. AsciiDoctor is required to build
the documentation, including the man pages. Perl and flex are required
to generate some of the source code.

You must therefore install Python 3, AsciiDoctor, and GNU "flex" (vanilla
"lex" won't work) on systems that lack them. You might need to install
Perl as well.

Full installation instructions can be found in the INSTALL file and in the
Developer's Guide at https://www.wireshark.org/docs/wsdg_html_chunked/

See also the appropriate README._OS_ files for OS-specific installation
instructions.

Usage
-----

In order to capture packets from the network, you need to make the
dumpcap program set-UID to root or you need to have access to the
appropriate entry under `/dev` if your system is so inclined (BSD-derived
systems, and systems such as Solaris and HP-UX that support DLPI,
typically fall into this category). Although it might be tempting to
make the Wireshark and TShark executables setuid root, or to run them as
root, please don't. The capture process has been isolated in dumpcap;
this simple program is less likely to contain security holes and is thus
safer to run as root.
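A small audit of the privilege split described above, added here as an example and not code from the Wireshark project: it checks that `dumpcap` is the only one of the three binaries carrying the set-UID-root bit. The `is_privileged` and `exists` parameters are assumed hooks so the logic can be exercised against a constructed layout.

```python
import os
import stat
import shutil

# Per the README, the privileged capture step lives in dumpcap only; the
# wireshark and tshark executables must NOT be setuid root.
UNPRIVILEGED = ("wireshark", "tshark")
CAPTURE_HELPER = "dumpcap"


def setuid_root(path):
    """True if `path` is owned by uid 0 and carries the set-UID bit."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def audit_capture_privileges(paths, is_privileged=setuid_root, exists=os.path.exists):
    """Return (name, severity, message) findings for a name -> path mapping.

    `is_privileged` and `exists` are injectable (assumed hooks, not part of
    Wireshark) so the check can be run against a constructed layout.
    """
    findings = []
    for name, path in paths.items():
        if path is None or not exists(path):
            findings.append((name, "info", "not found"))
        elif name in UNPRIVILEGED and is_privileged(path):
            findings.append((name, "high", "setuid root; should run unprivileged"))
        elif name == CAPTURE_HELPER and not is_privileged(path):
            findings.append((name, "info", "not setuid root; capture relies on "
                                           "another mechanism (capabilities, /dev access)"))
        else:
            findings.append((name, "ok", "privilege bits as expected"))
    return findings


def locate_binaries():
    """Resolve the three binaries on PATH (None when absent)."""
    return {n: shutil.which(n) for n in UNPRIVILEGED + (CAPTURE_HELPER,)}


if __name__ == "__main__":
    for name, sev, msg in audit_capture_privileges(locate_binaries()):
        print(f"[{sev:4}] {name}: {msg}")
```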

Please consult the man page for a description of each command-line
option and interface feature.

Multiple File Types
-------------------

Wireshark can read packets from a number of different file types. See
the Wireshark man page or the Wireshark User's Guide for a list of
supported file formats.

Wireshark can transparently read compressed versions of any of those files if
the required compression library was available when Wireshark was compiled.
Currently supported compression formats are:

- GZIP
- ZSTD
- LZ4

You can disable zlib support by running `cmake -DENABLE_ZLIB=OFF`.
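To show what "transparently read compressed versions" means in practice, here is an added example (not Wireshark code) that identifies the wrapper by its magic bytes and, for gzip, peeks at the capture format underneath; the magic values are the published gzip, zstd and LZ4 frame signatures and the pcap/pcapng file signatures, and `sample_pcap` is a constructed header.

```python
import gzip
import io
import struct

# Published magic numbers: the three wrappers the README lists, and the
# capture formats we expect to find underneath them.
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\x28\xb5\x2f\xfd": "zstd",
    b"\x04\x22\x4d\x18": "lz4",
}
CAPTURE_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microseconds)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microseconds)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanoseconds)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanoseconds)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}


def compression_of(header):
    """Name of the compression wrapper whose magic starts `header`, or None."""
    for magic, name in COMPRESSION_MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def identify(data):
    """Return (compression, capture_type) for the leading bytes of a file."""
    comp = compression_of(data[:4])
    if comp is None:
        inner = data[:4]
    elif comp == "gzip":
        # Peek only 4 bytes: GzipFile inflates incrementally, so an oversized
        # or malicious stream is not expanded in full just to classify it.
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
            inner = fh.read(4)
    else:
        return comp, None  # zstd/lz4 need non-stdlib decoders; wrapper only
    return comp, CAPTURE_MAGIC.get(inner)


def gzip_bytes(data):
    """Wrap bytes in a gzip stream, as a compressed capture would be stored."""
    return gzip.compress(data)


def sample_pcap():
    """Constructed minimal pcap global header (little-endian, Ethernet)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
```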

Although Wireshark can read AIX iptrace files, the documentation on
AIX's iptrace packet-trace command is sparse. The `iptrace` command
starts a daemon which you must kill in order to stop the trace. Through
experimentation it appears that sending a HUP signal to that iptrace
daemon causes a graceful shutdown and a complete packet is written
to the trace file. If a partial packet is saved at the end, Wireshark
will complain when reading that file, but you will be able to read all
other packets. If this occurs, please let the Wireshark developers know
at wireshark-dev@wireshark.org; be sure to send us a copy of that trace
file if it's small and contains non-sensitive data.

Support for Lucent/Ascend products is limited to the debug trace output
generated by the MAX and Pipeline series of products. Wireshark can read
the output of the `wandsession`, `wandisplay`, `wannext`, and `wdd`
commands.

Wireshark can also read dump trace output from the Toshiba "Compact Router"
line of ISDN routers (TR-600 and TR-650). You can telnet to the router
and start a dump session with `snoop dump`.

CoSine L2 debug output can also be read by Wireshark. To get the L2
debug output, first enter the diags mode and then use the
`create-pkt-log-profile` and `apply-pkt-log-profile` commands under the
layer-2 category. For more detail on how to use these commands, you
should examine the help command by `layer-2 create ?` or `layer-2 apply ?`.

To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must
capture the trace output to a file on disk. The trace is happening inside
the router and the router has no way of saving the trace to a file for you.
An easy way of doing this under Unix is to run `telnet <ascend> | tee <outfile>`.
Or, if your system has the "script" command installed, you can save
a shell session, including telnet, to a file. For example, to log to a file
named tracefile.out:

~~~
$ script tracefile.out
Script started on <date/time>
$ telnet router
..... do your trace, then exit from the router's telnet session.
$ exit
Script done on <date/time>
~~~

Name Resolution
---------------

Wireshark will attempt to use reverse name resolution capabilities
when decoding IPv4 and IPv6 packets.

If you want to turn off name resolution while using Wireshark, start
Wireshark with the `-n` option to turn off all name resolution (including
resolution of MAC addresses and TCP/UDP/SCTP port numbers to names) or
with the `-N mt` option to turn off name resolution for all
network-layer addresses (IPv4, IPv6, IPX).

You can make that the default setting by opening the Preferences dialog
using the Preferences item in the Edit menu, selecting "Name resolution",
turning off the appropriate name resolution options, and clicking "OK".

SNMP
----

Wireshark can do some basic decoding of SNMP packets; it can also use
the libsmi library to do more sophisticated decoding by reading MIB
files and using the information in those files to display OIDs and
variable binding values in a friendlier fashion. CMake will automatically
determine whether you have the libsmi library on your system. If you
have the libsmi library but _do not_ want Wireshark to use it, you can run
cmake with the `-DENABLE_SMI=OFF` option.

How to Report a Bug
-------------------

Wireshark is under constant development, so it is possible that you will
encounter a bug while using it. Please report bugs at https://gitlab.com/wireshark/wireshark/-/issues.
Be sure you enter into the bug:

1. The complete build information from the "About Wireshark"
   item in the Help menu or the output of `wireshark -v` for
   Wireshark bugs and the output of `tshark -v` for TShark bugs;

2. If the bug happened on Linux, the Linux distribution you were
   using, and the version of that distribution;

3. The command you used to invoke Wireshark, if you ran
   Wireshark from the command line, or TShark, if you ran
   TShark, and the sequence of operations you performed that
   caused the bug to appear.

If the bug is produced by a particular trace file, please be sure to
attach to the bug a trace file along with your bug description. If the
trace file contains sensitive information (e.g., passwords), then please
do not send it.

If Wireshark died on you with a 'segmentation violation', 'bus error',
'abort', or other error that produces a UNIX core dump file, you can
help the developers a lot if you have a debugger installed. A stack
trace can be obtained by using your debugger ('gdb' in this example),
the wireshark binary, and the resulting core file. Here's an example of
how to use the gdb command 'backtrace' to do so.

~~~
$ gdb wireshark core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$
~~~

The core dump file may be named "wireshark.core" rather than "core" on
some platforms (e.g., BSD systems). If you got a core dump with
TShark rather than Wireshark, use "tshark" as the first argument to
the debugger; the core dump may be named "tshark.core".

License
-------

Wireshark is distributed under the GNU GPLv2. See the file COPYING for
the full text of the license. When in doubt the full text is the legally
binding part. These notes are just to make it easier for people that are not
familiar with the GPLv2.

There are no restrictions on its use. There are restrictions on its distribution
in source or binary form.

Most parts of Wireshark are covered by a "GPL version 2 or later" license.
Some files are covered by different licenses that are compatible with
the GPLv2.

As a notable exception, some utilities distributed with the Wireshark source are
covered by other licenses that are not themselves directly compatible with the
GPLv2. This is OK, as only the tools themselves are licensed this way, the
output of the tools is not considered a derived work, and so can be safely
licensed for Wireshark's use. An incomplete selection of these tools includes:

- the pidl utility (tools/pidl) is licensed under the GPLv3+.

Parts of Wireshark can be built and distributed as libraries. These
parts are still covered by the GPL, and NOT by the Lesser General Public
License or any other license.

If you integrate all or part of Wireshark into your own application, then
that application must be released under a license compatible with the GPL.

Disclaimer
----------

There is no warranty, expressed or implied, associated with this product.
Use at your own risk.

Gerald Combs <gerald@wireshark.org>
Gilbert Ramirez <gram@alumni.rice.edu>
Guy Harris <gharris@sonic.net>