Better update for the FAQ. We can now use the URL
http://www.wireshark.org/faq_plain.html, which doesn't have any images or menus.

svn path=/trunk/; revision=18382
parent ab40a87c67
commit a8f1f4b330
236 help/faq.txt
|
@ -8,6 +8,7 @@
|
||||||
|
|
||||||
INDEX
|
INDEX
|
||||||
|
|
||||||
|
|
||||||
1. General Questions:
|
1. General Questions:
|
||||||
|
|
||||||
1.1 What is Wireshark?
|
1.1 What is Wireshark?
|
||||||
|
@ -140,11 +141,12 @@ dialog box popped up by "Capture->Start"?
|
||||||
modem/ISDN modem show up in the list of interfaces in the "Interface:"
|
modem/ISDN modem show up in the list of interfaces in the "Interface:"
|
||||||
field in the dialog box popped up by "Capture->Start"?
|
field in the dialog box popped up by "Capture->Start"?
|
||||||
|
|
||||||
8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP/
|
8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
|
||||||
Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
|
XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
|
||||||
interface, and it shows up in the "Interface" item in the "Capture
|
etc.) interface, and it shows up in the "Interface" item in the
|
||||||
Options" dialog box. Why can no packets be sent on or received from
|
"Capture Options" dialog box. Why can no packets be sent on or
|
||||||
that network while I'm trying to capture traffic on that interface?
|
received from that network while I'm trying to capture traffic on that
|
||||||
|
interface?
|
||||||
|
|
||||||
8.5 I'm running Wireshark on Windows 95/98/Me, on a machine with more
|
8.5 I'm running Wireshark on Windows 95/98/Me, on a machine with more
|
||||||
than one network adapter of the same type; why does Wireshark show all
|
than one network adapter of the same type; why does Wireshark show all
|
||||||
|
@ -225,9 +227,9 @@ string anywhere in them?
|
||||||
|
|
||||||
Q 1.1: What is Wireshark?
|
Q 1.1: What is Wireshark?
|
||||||
|
|
||||||
A: Gerald Combs, the creator of Ethereal®, has initiated the Wireshark
|
A: Gerald Combs, the creator of Ethereal®, has initiated the Wireshark
|
||||||
network protocol analyzer project, a successor to Ethereal®. The
|
network protocol analyzer project, a successor to Ethereal®. The
|
||||||
Ethereal® core developer team has moved with Gerald to the Wireshark
|
Ethereal® core developer team has moved with Gerald to the Wireshark
|
||||||
project. Consequently, Wireshark is positioned to be the world's most
|
project. Consequently, Wireshark is positioned to be the world's most
|
||||||
popular network protocol analyzer. It has a rich and powerful feature
|
popular network protocol analyzer. It has a rich and powerful feature
|
||||||
set, and runs on most computing platforms including Windows, OS X, and
|
set, and runs on most computing platforms including Windows, OS X, and
|
||||||
|
@ -238,7 +240,7 @@ For more information, please see the About Wireshark page.
|
||||||
|
|
||||||
Q 1.2: What's up with the name change? Is Wireshark a fork?
|
Q 1.2: What's up with the name change? Is Wireshark a fork?
|
||||||
|
|
||||||
A: In May of 2006, the original author of Ethereal® went to work for
|
A: In May of 2006, the original author of Ethereal® went to work for
|
||||||
CACE Technologies (best known for WinPcap). At that time he started
|
CACE Technologies (best known for WinPcap). At that time he started
|
||||||
the Wireshark open-source project.
|
the Wireshark open-source project.
|
||||||
|
|
||||||
|
@ -253,8 +255,8 @@ Q 1.3: Where can I get help?
|
||||||
A: Community support is available on the wireshark-users mailing list.
|
A: Community support is available on the wireshark-users mailing list.
|
||||||
Subscription information and archives for all of Wireshark's mailing
|
Subscription information and archives for all of Wireshark's mailing
|
||||||
lists can be found at http://www.wireshark.org/lists. An IRC channel
|
lists can be found at http://www.wireshark.org/lists. An IRC channel
|
||||||
dedicated to Wireshark can be found at irc://irc.freenode.net/ethereal
|
dedicated to Wireshark can be found at
|
||||||
.
|
irc://irc.freenode.net/ethereal.
|
||||||
|
|
||||||
Commercial support, training, and development services are available
|
Commercial support, training, and development services are available
|
||||||
from CACE Technologies.
|
from CACE Technologies.
|
||||||
|
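Review bot: the new wrap of "irc://irc.freenode.net/ethereal." fixes the orphaned "." that the old text left on a line of its own after the URL, but the sentence-ending period is now glued to the URL, and in a plain-text file many mail and IRC clients will treat it as part of the link; consider putting the URL on its own line or enclosing it in angle brackets so the period is not read as part of it.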
@ -349,35 +351,34 @@ tried it ourselves - if you try one of those types and it works,
|
||||||
please send an update to ).
|
please send an update to ).
|
||||||
|
|
||||||
It can also read a variety of capture file formats, including:
|
It can also read a variety of capture file formats, including:
|
||||||
|
* AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
|
||||||
• AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
|
|
||||||
Grabber captures
|
Grabber captures
|
||||||
• AIX's iptrace captures
|
* AIX's iptrace captures
|
||||||
• Accellent's 5Views LAN agent output
|
* Accellent's 5Views LAN agent output
|
||||||
• Cinco Networks NetXRay captures
|
* Cinco Networks NetXRay captures
|
||||||
• Cisco Secure Intrusion Detection System IPLog output
|
* Cisco Secure Intrusion Detection System IPLog output
|
||||||
• CoSine L2 debug output
|
* CoSine L2 debug output
|
||||||
• DBS Etherwatch VMS text output
|
* DBS Etherwatch VMS text output
|
||||||
• Endace Measurement Systems' ERF format captures
|
* Endace Measurement Systems' ERF format captures
|
||||||
• EyeSDN USB S0 traces
|
* EyeSDN USB S0 traces
|
||||||
• HP-UX nettl captures
|
* HP-UX nettl captures
|
||||||
• ISDN4BSD project i4btrace captures
|
* ISDN4BSD project i4btrace captures
|
||||||
• Linux Bluez Bluetooth stack hcidump -w traces
|
* Linux Bluez Bluetooth stack hcidump -w traces
|
||||||
• Lucent/Ascend router debug output
|
* Lucent/Ascend router debug output
|
||||||
• Microsoft Network Monitor captures
|
* Microsoft Network Monitor captures
|
||||||
• Network Associates Windows-based Sniffer captures
|
* Network Associates Windows-based Sniffer captures
|
||||||
• Network General/Network Associates DOS-based Sniffer (compressed
|
* Network General/Network Associates DOS-based Sniffer (compressed
|
||||||
or uncompressed) captures
|
or uncompressed) captures
|
||||||
• Network Instruments Observer version 9 captures
|
* Network Instruments Observer version 9 captures
|
||||||
• Novell LANalyzer captures
|
* Novell LANalyzer captures
|
||||||
• RADCOM's WAN/LAN analyzer captures
|
* RADCOM's WAN/LAN analyzer captures
|
||||||
• Shomiti/Finisar Surveyor captures
|
* Shomiti/Finisar Surveyor captures
|
||||||
• Toshiba's ISDN routers dump output
|
* Toshiba's ISDN routers dump output
|
||||||
• VMS TCPIPtrace/TCPtrace/UCX$TRACE output
|
* VMS TCPIPtrace/TCPtrace/UCX$TRACE output
|
||||||
• Visual Networks' Visual UpTime traffic capture
|
* Visual Networks' Visual UpTime traffic capture
|
||||||
• libpcap, tcpdump and various other tools using tcpdump's capture
|
* libpcap, tcpdump and various other tools using tcpdump's capture
|
||||||
format
|
format
|
||||||
• snoop and atmsnoop output
|
* snoop and atmsnoop output
|
||||||
|
|
||||||
so that it can read traces from various network types, as captured by
|
so that it can read traces from various network types, as captured by
|
||||||
other applications or equipment, even if it cannot itself capture on
|
other applications or equipment, even if it cannot itself capture on
|
||||||
|
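Review bot: the context line "please send an update to )." at the top of this hunk has an empty recipient in both the old and the new text; the address was a mailto link in the HTML and the plain-text rendering drops link targets, so faq_plain.html (or the conversion step) needs to emit the address itself as text. The change from "•" to "*" bullets is an improvement for a file kept in the source tree, since the non-ASCII bullet depended on the reader's encoding.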
@ -404,12 +405,11 @@ A: The program you used to download it may have downloaded it
|
||||||
incorrectly. Web browsers sometimes may do this.
|
incorrectly. Web browsers sometimes may do this.
|
||||||
|
|
||||||
Try downloading it with, for example:
|
Try downloading it with, for example:
|
||||||
|
* Wget, for which Windows binaries are available on the SunSITE FTP
|
||||||
• Wget, for which Windows binaries are available on the SunSITE FTP
|
|
||||||
server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
|
server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
|
||||||
offers a GUI interface that uses wget;
|
offers a GUI interface that uses wget;
|
||||||
• WS_FTP from Ipswitch,
|
* WS_FTP from Ipswitch,
|
||||||
• the ftp command that comes with Windows.
|
* the ftp command that comes with Windows.
|
||||||
|
|
||||||
If you use the ftp command, make sure you do the transfer in binary
|
If you use the ftp command, make sure you do the transfer in binary
|
||||||
mode rather than ASCII mode, by using the binary command before
|
mode rather than ASCII mode, by using the binary command before
|
||||||
|
@ -565,7 +565,6 @@ then not only does prebinding fail, but startup actually becomes much
|
||||||
slower, because the system tries in vain to perform prebinding "on the
|
slower, because the system tries in vain to perform prebinding "on the
|
||||||
fly" as you launch the application. This fails, causing sometimes huge
|
fly" as you launch the application. This fails, causing sometimes huge
|
||||||
delays. To fix the prebinding caches, run the command
|
delays. To fix the prebinding caches, run the command
|
||||||
|
|
||||||
sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
|
sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
|
||||||
|
|
||||||
6. Crashes and other fatal errors
|
6. Crashes and other fatal errors
|
||||||
|
@ -574,17 +573,15 @@ Q 6.1: I have an XXX network card on my machine; if I try to capture
|
||||||
on it, why does my machine crash or reset itself?
|
on it, why does my machine crash or reset itself?
|
||||||
|
|
||||||
A: This is almost certainly a problem with one or more of:
|
A: This is almost certainly a problem with one or more of:
|
||||||
|
* the operating system you're using;
|
||||||
• the operating system you're using;
|
* the device driver for the interface you're using;
|
||||||
• the device driver for the interface you're using;
|
* the libpcap/WinPcap library and, if this is Windows, the WinPcap
|
||||||
• the libpcap/WinPcap library and, if this is Windows, the WinPcap
|
|
||||||
device driver;
|
device driver;
|
||||||
|
|
||||||
so:
|
so:
|
||||||
|
* if you are using Windows, see the WinPcap support page - check the
|
||||||
• if you are using Windows, see the WinPcap support page - check the
|
|
||||||
"Submitting bugs" section;
|
"Submitting bugs" section;
|
||||||
• if you are using some Linux distribution, some version of BSD, or
|
* if you are using some Linux distribution, some version of BSD, or
|
||||||
some other UNIX-flavored OS, you should report the problem to the
|
some other UNIX-flavored OS, you should report the problem to the
|
||||||
company or organization that produces the OS (in the case of a
|
company or organization that produces the OS (in the case of a
|
||||||
Linux distribution, report the problem to whoever produces the
|
Linux distribution, report the problem to whoever produces the
|
||||||
|
@ -650,10 +647,9 @@ network interface on which you're capturing doesn't support
|
||||||
"promiscuous" mode, or because your OS can't put the interface into
|
"promiscuous" mode, or because your OS can't put the interface into
|
||||||
promiscuous mode. Normally, network interfaces supply to the host
|
promiscuous mode. Normally, network interfaces supply to the host
|
||||||
only:
|
only:
|
||||||
|
* packets sent to one of that host's link-layer addresses;
|
||||||
• packets sent to one of that host's link-layer addresses;
|
* broadcast packets;
|
||||||
• broadcast packets;
|
* multicast packets sent to a multicast address that the host has
|
||||||
• multicast packets sent to a multicast address that the host has
|
|
||||||
configured the interface to accept.
|
configured the interface to accept.
|
||||||
|
|
||||||
Most network interfaces can also be put in "promiscuous" mode, in
|
Most network interfaces can also be put in "promiscuous" mode, in
|
||||||
|
@ -744,9 +740,9 @@ Q 7.5: Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
|
||||||
|
|
||||||
A: Wireshark can only capture on devices supported by libpcap/WinPcap.
|
A: Wireshark can only capture on devices supported by libpcap/WinPcap.
|
||||||
On most OSes, only devices that can act as network interfaces of the
|
On most OSes, only devices that can act as network interfaces of the
|
||||||
type that support IP are supported as capture devices for libpcap/
|
type that support IP are supported as capture devices for
|
||||||
WinPcap, although the device doesn't necessarily have to be running as
|
libpcap/WinPcap, although the device doesn't necessarily have to be
|
||||||
an IP interface in order to support traffic capture.
|
running as an IP interface in order to support traffic capture.
|
||||||
|
|
||||||
On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
|
On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
|
||||||
Measurement Systems' DAG cards, so that a system with one of those
|
Measurement Systems' DAG cards, so that a system with one of those
|
||||||
|
@ -765,15 +761,14 @@ Q 7.6: How do I put an interface into promiscuous mode?
|
||||||
A: By not disabling promiscuous mode when running Wireshark or TShark.
|
A: By not disabling promiscuous mode when running Wireshark or TShark.
|
||||||
|
|
||||||
Note, however, that:
|
Note, however, that:
|
||||||
|
* the form of promiscuous mode that libpcap (the library that
|
||||||
• the form of promiscuous mode that libpcap (the library that
|
|
||||||
programs such as tcpdump, Wireshark, etc. use to do packet
|
programs such as tcpdump, Wireshark, etc. use to do packet
|
||||||
capture) turns on will not necessarily be shown if you run
|
capture) turns on will not necessarily be shown if you run
|
||||||
ifconfig on the interface on a UNIX system;
|
ifconfig on the interface on a UNIX system;
|
||||||
• some network interfaces might not support promiscuous mode, and
|
* some network interfaces might not support promiscuous mode, and
|
||||||
some drivers might not allow promiscuous mode to be turned on -
|
some drivers might not allow promiscuous mode to be turned on -
|
||||||
see this earlier question for more information on that;
|
see this earlier question for more information on that;
|
||||||
• the fact that you're not seeing any traffic, or are only seeing
|
* the fact that you're not seeing any traffic, or are only seeing
|
||||||
broadcast traffic, or aren't seeing any non-broadcast traffic
|
broadcast traffic, or aren't seeing any non-broadcast traffic
|
||||||
other than traffic to or from the machine running Wireshark, does
|
other than traffic to or from the machine running Wireshark, does
|
||||||
not mean that promiscuous mode isn't on - see this earlier
|
not mean that promiscuous mode isn't on - see this earlier
|
||||||
|
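Review bot: the cross-references "see this earlier question for more information on that" and "see this earlier question" in the second and third bullets carry no question number, so in the plain-text file they point nowhere; the HTML presumably links to the relevant entry, and the plain rendering should substitute the number (for example "see Q 7.x above", with the real number filled in).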
@ -799,8 +794,8 @@ Packet capturing is performed with the pcap library. The capture
|
||||||
filter syntax follows the rules of the pcap library. This syntax is
|
filter syntax follows the rules of the pcap library. This syntax is
|
||||||
different from the display filter syntax."
|
different from the display filter syntax."
|
||||||
|
|
||||||
The capture filter syntax used by libpcap can be found in the tcpdump
|
The capture filter syntax used by libpcap can be found in the
|
||||||
(8) man page.
|
tcpdump(8) man page.
|
||||||
|
|
||||||
Q 7.8: I'm entering valid capture filters; why do I still get "parse
|
Q 7.8: I'm entering valid capture filters; why do I still get "parse
|
||||||
error" errors?
|
error" errors?
|
||||||
|
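Review bot: good fix in the last paragraph: the old wrap split the man-page reference into "tcpdump" and "(8)" on separate lines, and the new text keeps "tcpdump(8)" together. The same wrapping change keeps "libpcap/WinPcap" intact in the Q 7.5 hunk and "Capture->Start" intact in the Q 9.1 hunk, so the new generator evidently no longer breaks lines after "/" and ">".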
@ -927,11 +922,10 @@ address columns), and that lookup process is taking a very long time.
|
||||||
Wireshark calls a routine in the OS of the machine on which it's
|
Wireshark calls a routine in the OS of the machine on which it's
|
||||||
running to convert of IP addresses to the corresponding names. That
|
running to convert of IP addresses to the corresponding names. That
|
||||||
routine probably does one or more of:
|
routine probably does one or more of:
|
||||||
|
* a search of a system file listing IP addresses and names;
|
||||||
• a search of a system file listing IP addresses and names;
|
* a lookup using DNS;
|
||||||
• a lookup using DNS;
|
* on UNIX systems, a lookup using NIS;
|
||||||
• on UNIX systems, a lookup using NIS;
|
* on Windows systems, a NetBIOS-over-TCP query.
|
||||||
• on Windows systems, a NetBIOS-over-TCP query.
|
|
||||||
|
|
||||||
If a DNS server that's used in an address lookup is not responding,
|
If a DNS server that's used in an address lookup is not responding,
|
||||||
the lookup will fail, but will only fail after a timeout while the
|
the lookup will fail, but will only fail after a timeout while the
|
||||||
|
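Review bot: "running to convert of IP addresses to the corresponding names" in the second context line is a typo present in both versions (it should read "to convert IP addresses"); since faq.txt is generated, the fix belongs in the FAQ source rather than in this file.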
@ -975,7 +969,6 @@ and then get a stack trace if you have a debugger installed. A stack
|
||||||
trace can be obtained by using your debugger (gdb in this example),
|
trace can be obtained by using your debugger (gdb in this example),
|
||||||
the Wireshark binary, and the resulting core file. Here's an example
|
the Wireshark binary, and the resulting core file. Here's an example
|
||||||
of how to use the gdb command backtrace to do so.
|
of how to use the gdb command backtrace to do so.
|
||||||
|
|
||||||
$ gdb wireshark core
|
$ gdb wireshark core
|
||||||
(gdb) backtrace
|
(gdb) backtrace
|
||||||
..... prints the stack trace
|
..... prints the stack trace
|
||||||
|
@ -989,15 +982,15 @@ Also, if at all possible, please send a copy of the capture file that
|
||||||
caused the problem; when capturing packets, Wireshark normally writes
|
caused the problem; when capturing packets, Wireshark normally writes
|
||||||
captured packets to a temporary file, which will probably be in /tmp
|
captured packets to a temporary file, which will probably be in /tmp
|
||||||
or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
|
or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
|
||||||
(normally C:) on Windows 9x/Me/NT 4.0, and \Documents and Settings\
|
(normally C:) on Windows 9x/Me/NT 4.0, and \Documents and
|
||||||
your login name\Local Settings\Temp on the main system disk on Windows
|
Settings\your login name\Local Settings\Temp on the main system disk
|
||||||
2000/Windows XP/Windows Server 2003, so the capture file will probably
|
on Windows 2000/Windows XP/Windows Server 2003, so the capture file
|
||||||
be there. It will have a name beginning with ether, with some mixture
|
will probably be there. It will have a name beginning with ether, with
|
||||||
of letters and numbers after that. Please don't send a trace file
|
some mixture of letters and numbers after that. Please don't send a
|
||||||
greater than 1 MB when compressed; instead, make it available via FTP
|
trace file greater than 1 MB when compressed; instead, make it
|
||||||
or HTTP, or say it's available but leave it up to a developer to ask
|
available via FTP or HTTP, or say it's available but leave it up to a
|
||||||
for it. If the trace file contains sensitive information (e.g.,
|
developer to ask for it. If the trace file contains sensitive
|
||||||
passwords), then please do not send it.
|
information (e.g., passwords), then please do not send it.
|
||||||
|
|
||||||
8. Capturing packets on Windows
|
8. Capturing packets on Windows
|
||||||
|
|
||||||
|
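Review bot: the rewrapped text splits the Windows temp path as "\Documents and" / "Settings\your login name\Local Settings\Temp", so a reader copying the plain file line by line gets a broken path (the old wrap split it at "\Documents and Settings\" / "your login name", which was no better). Consider emitting such paths on their own lines, as the "sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f" command earlier in this diff is. The closing caveat about not sending a trace that contains passwords is unchanged and survives the reflow intact.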
@ -1030,19 +1023,16 @@ support capturing on a particular network interface device, Wireshark
|
||||||
won't be able to capture on that device.
|
won't be able to capture on that device.
|
||||||
|
|
||||||
Note that:
|
Note that:
|
||||||
|
|
||||||
1. 2.02 and earlier versions of the WinPcap driver and library that
|
1. 2.02 and earlier versions of the WinPcap driver and library that
|
||||||
Wireshark uses for packet capture didn't support Token Ring
|
Wireshark uses for packet capture didn't support Token Ring
|
||||||
interfaces; versions 2.1 and later support Token Ring, and the
|
interfaces; versions 2.1 and later support Token Ring, and the
|
||||||
current version of Wireshark works with (and, in fact, requires)
|
current version of Wireshark works with (and, in fact, requires)
|
||||||
WinPcap 2.1 or later.
|
WinPcap 2.1 or later.
|
||||||
|
|
||||||
If you are having problems capturing on Token Ring interfaces, and
|
If you are having problems capturing on Token Ring interfaces, and
|
||||||
you have WinPcap 2.02 or an earlier version of WinPcap installed,
|
you have WinPcap 2.02 or an earlier version of WinPcap installed,
|
||||||
you should uninstall WinPcap, download and install the current
|
you should uninstall WinPcap, download and install the current
|
||||||
version of WinPcap, and then install the latest version of
|
version of WinPcap, and then install the latest version of
|
||||||
Wireshark.
|
Wireshark.
|
||||||
|
|
||||||
2. On Windows 95, 98, or Me, sometimes more than one interface will
|
2. On Windows 95, 98, or Me, sometimes more than one interface will
|
||||||
be given the same name; if that is the case, you will only be able
|
be given the same name; if that is the case, you will only be able
|
||||||
to capture on one of those interfaces - it's not clear to which
|
to capture on one of those interfaces - it's not clear to which
|
||||||
|
@ -1053,7 +1043,6 @@ Note that:
|
||||||
capture on the interface you're currently using. In that case, you
|
capture on the interface you're currently using. In that case, you
|
||||||
might, for example, have to remove the VPN interface from the
|
might, for example, have to remove the VPN interface from the
|
||||||
system in order to capture on the PPP serial interface.
|
system in order to capture on the PPP serial interface.
|
||||||
|
|
||||||
3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows
|
3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows
|
||||||
NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
|
NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
|
||||||
avoid those problems, support for PPP WAN interfaces on those
|
avoid those problems, support for PPP WAN interfaces on those
|
||||||
|
@ -1062,7 +1051,6 @@ Note that:
|
||||||
and various other lines such as T1/E1 lines are all PPP
|
and various other lines such as T1/E1 lines are all PPP
|
||||||
interfaces, so those interfaces might not show up on the list of
|
interfaces, so those interfaces might not show up on the list of
|
||||||
interfaces in the "Capture Options" dialog on those OSes.
|
interfaces in the "Capture Options" dialog on those OSes.
|
||||||
|
|
||||||
On Windows 2000, Windows XP, and Windows Server 2003, but not
|
On Windows 2000, Windows XP, and Windows Server 2003, but not
|
||||||
Windows NT 4.0 or Windows Vista Beta 1, you should be able to
|
Windows NT 4.0 or Windows Vista Beta 1, you should be able to
|
||||||
capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta
|
capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta
|
||||||
|
@ -1070,7 +1058,6 @@ Note that:
|
||||||
beta release, you should un-install it and install the final 3.1
|
beta release, you should un-install it and install the final 3.1
|
||||||
release.) See the Wireshark Wiki item on PPP capturing for
|
release.) See the Wireshark Wiki item on PPP capturing for
|
||||||
details.
|
details.
|
||||||
|
|
||||||
4. WinPcap prior to 3.0 does not support multiprocessor machines
|
4. WinPcap prior to 3.0 does not support multiprocessor machines
|
||||||
(note that machines with a single multi-threaded processor, such
|
(note that machines with a single multi-threaded processor, such
|
||||||
as Intel's new multi-threaded x86 processors, are multiprocessor
|
as Intel's new multi-threaded x86 processors, are multiprocessor
|
||||||
|
@ -1093,18 +1080,16 @@ Web site for information on using WinDump.
|
||||||
You would run WinDump with the -D flag; if it lists the interface,
|
You would run WinDump with the -D flag; if it lists the interface,
|
||||||
please report this to wireshark-dev@wireshark.org giving full details
|
please report this to wireshark-dev@wireshark.org giving full details
|
||||||
of the problem, including
|
of the problem, including
|
||||||
|
* the operating system you're using, and the version of that
|
||||||
• the operating system you're using, and the version of that
|
|
||||||
operating system;
|
operating system;
|
||||||
• the type of network device you're using;
|
* the type of network device you're using;
|
||||||
• the output of WinDump.
|
* the output of WinDump.
|
||||||
|
|
||||||
If WinDump does not list the interface, this is almost certainly a
|
If WinDump does not list the interface, this is almost certainly a
|
||||||
problem with one or more of:
|
problem with one or more of:
|
||||||
|
* the operating system you're using;
|
||||||
• the operating system you're using;
|
* the device driver for the interface you're using;
|
||||||
• the device driver for the interface you're using;
|
* the WinPcap library and/or the WinPcap device driver;
|
||||||
• the WinPcap library and/or the WinPcap device driver;
|
|
||||||
|
|
||||||
so first check the WinPcap FAQ or the Wiretapped.net mirror of that
|
so first check the WinPcap FAQ or the Wiretapped.net mirror of that
|
||||||
FAQ, to see if your problem is mentioned there. If not, then see the
|
FAQ, to see if your problem is mentioned there. If not, then see the
|
||||||
|
@ -1117,18 +1102,16 @@ site for information on using WinDump.
|
||||||
If you can capture on the interface with WinDump, send mail to
|
If you can capture on the interface with WinDump, send mail to
|
||||||
wireshark-users@wireshark.org giving full details of the problem,
|
wireshark-users@wireshark.org giving full details of the problem,
|
||||||
including
|
including
|
||||||
|
* the operating system you're using, and the version of that
|
||||||
• the operating system you're using, and the version of that
|
|
||||||
operating system;
|
operating system;
|
||||||
• the type of network device you're using;
|
* the type of network device you're using;
|
||||||
• the error message you get from Wireshark.
|
* the error message you get from Wireshark.
|
||||||
|
|
||||||
If you cannot capture on the interface with WinDump, this is almost
|
If you cannot capture on the interface with WinDump, this is almost
|
||||||
certainly a problem with one or more of:
|
certainly a problem with one or more of:
|
||||||
|
* the operating system you're using;
|
||||||
• the operating system you're using;
|
* the device driver for the interface you're using;
|
||||||
• the device driver for the interface you're using;
|
* the WinPcap library and/or the WinPcap device driver;
|
||||||
• the WinPcap library and/or the WinPcap device driver;
|
|
||||||
|
|
||||||
so first check the WinPcap FAQ or the Wiretapped.net mirror of that
|
so first check the WinPcap FAQ or the Wiretapped.net mirror of that
|
||||||
FAQ, to see if your problem is mentioned there. If not, then see the
|
FAQ, to see if your problem is mentioned there. If not, then see the
|
||||||
|
@ -1150,8 +1133,8 @@ dialog box popped up by "Capture->Start"?
|
||||||
A: This is really the same question as the previous one; see the
|
A: This is really the same question as the previous one; see the
|
||||||
response to that question.
|
response to that question.
|
||||||
|
|
||||||
Q 8.3: I'm running Wireshark on Windows; why doesn't my serial port/
|
Q 8.3: I'm running Wireshark on Windows; why doesn't my serial
|
||||||
ADSL modem/ISDN modem show up in the list of interfaces in the
|
port/ADSL modem/ISDN modem show up in the list of interfaces in the
|
||||||
"Interface:" field in the dialog box popped up by "Capture->Start"?
|
"Interface:" field in the dialog box popped up by "Capture->Start"?
|
||||||
|
|
||||||
A: Internet access on those devices is often done with the
|
A: Internet access on those devices is often done with the
|
||||||
|
@ -1168,11 +1151,12 @@ the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
|
||||||
un-install it and install the final 3.1 release.) See the Wireshark
|
un-install it and install the final 3.1 release.) See the Wireshark
|
||||||
Wiki item on PPP capturing for details.
|
Wiki item on PPP capturing for details.
|
||||||
|
|
||||||
Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP
|
Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
|
||||||
/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
|
XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
|
||||||
interface, and it shows up in the "Interface" item in the "Capture
|
etc.) interface, and it shows up in the "Interface" item in the
|
||||||
Options" dialog box. Why can no packets be sent on or received from
|
"Capture Options" dialog box. Why can no packets be sent on or
|
||||||
that network while I'm trying to capture traffic on that interface?
|
received from that network while I'm trying to capture traffic on that
|
||||||
|
interface?
|
||||||
|
|
||||||
A: Some versions of WinPcap have problems with PPP WAN interfaces on
|
A: Some versions of WinPcap have problems with PPP WAN interfaces on
|
||||||
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
|
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
|
||||||
|
@ -1198,8 +1182,8 @@ of those adapters other than the first one?
|
||||||
A: Unfortunately, Windows 95/98/Me gives the same name to multiple
|
A: Unfortunately, Windows 95/98/Me gives the same name to multiple
|
||||||
instances of the type of same network adapter. Therefore, WinPcap
|
instances of the type of same network adapter. Therefore, WinPcap
|
||||||
cannot distinguish between them, so a WinPcap-based application can
|
cannot distinguish between them, so a WinPcap-based application can
|
||||||
capture only on the first such interface; Wireshark is a libpcap/
|
capture only on the first such interface; Wireshark is a
|
||||||
WinPcap-based application.
|
libpcap/WinPcap-based application.
|
||||||
|
|
||||||
Q 8.6: I'm running Wireshark on Windows; why am I not seeing any
|
Q 8.6: I'm running Wireshark on Windows; why am I not seeing any
|
||||||
traffic being sent by the machine running Wireshark?
|
traffic being sent by the machine running Wireshark?
|
||||||
|
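Review bot: "multiple instances of the type of same network adapter" in the first answer line is garbled in both versions and should read "multiple instances of the same type of network adapter"; as with the other typos, fix it in the FAQ source that faq.txt is generated from. The new wrap keeps "libpcap/WinPcap-based" on one line, consistent with the Q 7.5 hunk.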
@ -1271,9 +1255,9 @@ choice between seeing VLAN headers and seeing outgoing packets.
|
||||||
|
|
||||||
Q 9.1: I'm running Wireshark on a UNIX-flavored OS; why does some
|
Q 9.1: I'm running Wireshark on a UNIX-flavored OS; why does some
|
||||||
network interface on my machine not show up in the list of interfaces
|
network interface on my machine not show up in the list of interfaces
|
||||||
in the "Interface:" field in the dialog box popped up by "Capture->
|
in the "Interface:" field in the dialog box popped up by
|
||||||
Start", and/or why does Wireshark give me an error if I try to capture
|
"Capture->Start", and/or why does Wireshark give me an error if I try
|
||||||
on that interface?
|
to capture on that interface?
|
||||||
|
|
||||||
A: You may need to run Wireshark from an account with sufficient
|
A: You may need to run Wireshark from an account with sufficient
|
||||||
privileges to capture packets, such as the super-user account, or may
|
privileges to capture packets, such as the super-user account, or may
|
||||||
|
@ -1312,12 +1296,11 @@ If the attempt to capture on it succeeds, the interface is somehow not
|
||||||
being reported by the mechanism Wireshark uses to get a list of
|
being reported by the mechanism Wireshark uses to get a list of
|
||||||
interfaces; please report this to wireshark-dev@wireshark.org giving
|
interfaces; please report this to wireshark-dev@wireshark.org giving
|
||||||
full details of the problem, including
|
full details of the problem, including
|
||||||
|
* the operating system you're using, and the version of that
|
||||||
• the operating system you're using, and the version of that
|
|
||||||
operating system (for Linux, give both the version number of the
|
operating system (for Linux, give both the version number of the
|
||||||
kernel and the name and version number of the distribution you're
|
kernel and the name and version number of the distribution you're
|
||||||
using);
|
using);
|
||||||
• the type of network device you're using.
|
* the type of network device you're using.
|
||||||
|
|
||||||
If you are having trouble capturing on a particular network interface,
|
If you are having trouble capturing on a particular network interface,
|
||||||
and you've made sure that (on platforms that require it) you've
|
and you've made sure that (on platforms that require it) you've
|
||||||
|
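Review bot: the `•` bullets in this hunk become ASCII `*`, which is presumably what faq_plain.html now renders; since help/faq.txt is regenerated from the web page by make-faq rather than edited by hand, check that every other bulleted list in the file was regenerated the same way so the file does not end up mixing UTF-8 `•` and ASCII `*` bullets.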
@ -1327,20 +1310,18 @@ first try capturing on that device with tcpdump.
|
||||||
If you can capture on the interface with tcpdump, send mail to
|
If you can capture on the interface with tcpdump, send mail to
|
||||||
wireshark-users@wireshark.org giving full details of the problem,
|
wireshark-users@wireshark.org giving full details of the problem,
|
||||||
including
|
including
|
||||||
|
* the operating system you're using, and the version of that
|
||||||
• the operating system you're using, and the version of that
|
|
||||||
operating system (for Linux, give both the version number of the
|
operating system (for Linux, give both the version number of the
|
||||||
kernel and the name and version number of the distribution you're
|
kernel and the name and version number of the distribution you're
|
||||||
using);
|
using);
|
||||||
• the type of network device you're using;
|
* the type of network device you're using;
|
||||||
• the error message you get from Wireshark.
|
* the error message you get from Wireshark.
|
||||||
|
|
||||||
If you cannot capture on the interface with tcpdump, this is almost
|
If you cannot capture on the interface with tcpdump, this is almost
|
||||||
certainly a problem with one or more of:
|
certainly a problem with one or more of:
|
||||||
|
* the operating system you're using;
|
||||||
• the operating system you're using;
|
* the device driver for the interface you're using;
|
||||||
• the device driver for the interface you're using;
|
* the libpcap library;
|
||||||
• the libpcap library;
|
|
||||||
|
|
||||||
so you should report the problem to the company or organization that
|
so you should report the problem to the company or organization that
|
||||||
produces the OS (in the case of a Linux distribution, report the
|
produces the OS (in the case of a Linux distribution, report the
|
||||||
|
@ -1363,10 +1344,10 @@ response to that question.
|
||||||
Q 9.3: I'm capturing packets on Linux; why do the time stamps have
|
Q 9.3: I'm capturing packets on Linux; why do the time stamps have
|
||||||
only 100ms resolution, rather than 1us resolution?
|
only 100ms resolution, rather than 1us resolution?
|
||||||
|
|
||||||
A: Wireshark gets time stamps from libpcap/WinPcap, and libpcap/
|
A: Wireshark gets time stamps from libpcap/WinPcap, and
|
||||||
WinPcap get them from the OS kernel, so Wireshark - and any other
|
libpcap/WinPcap get them from the OS kernel, so Wireshark - and any
|
||||||
program using libpcap, such as tcpdump - is at the mercy of the time
|
other program using libpcap, such as tcpdump - is at the mercy of the
|
||||||
stamping code in the OS for time stamps.
|
time stamping code in the OS for time stamps.
|
||||||
|
|
||||||
At least on x86-based machines, Linux can get high-resolution time
|
At least on x86-based machines, Linux can get high-resolution time
|
||||||
stamps on newer processors with the Time Stamp Counter (TSC) register;
|
stamps on newer processors with the Time Stamp Counter (TSC) register;
|
||||||
|
@ -1444,7 +1425,6 @@ being added to them.
|
||||||
|
|
||||||
The only way to prevent this from happening would be to disable TCP
|
The only way to prevent this from happening would be to disable TCP
|
||||||
checksum offloading, but
|
checksum offloading, but
|
||||||
|
|
||||||
1. that might not even be possible on some OSes;
|
1. that might not even be possible on some OSes;
|
||||||
2. that could reduce networking performance significantly.
|
2. that could reduce networking performance significantly.
|
||||||
|
|
||||||
|
@ -1474,7 +1454,6 @@ them only as UDP.
|
||||||
|
|
||||||
A: Wireshark can identify a UDP datagram as containing a packet of a
|
A: Wireshark can identify a UDP datagram as containing a packet of a
|
||||||
particular protocol running atop UDP only if
|
particular protocol running atop UDP only if
|
||||||
|
|
||||||
1. The protocol in question has a particular standard port number,
|
1. The protocol in question has a particular standard port number,
|
||||||
and the UDP source or destination port number is that port
|
and the UDP source or destination port number is that port
|
||||||
2. Packets of that protocol can be identified by looking for a
|
2. Packets of that protocol can be identified by looking for a
|
||||||
|
@ -1561,4 +1540,3 @@ probably work better.
|
||||||
|
|
||||||
The Bleeding Edge of Snort has a collection of signatures for Snort to
|
The Bleeding Edge of Snort has a collection of signatures for Snort to
|
||||||
detect various viruses, worms, and the like.
|
detect various viruses, worms, and the like.
|
||||||
|
|
||||||
|
|
3
make-faq
3
make-faq
|
@ -19,7 +19,8 @@ cat >FAQ <<EOF
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
lynx -dump -nolist "http://www.wireshark.org/faq.html" | sed -e '1,/^Index/d' >>FAQ
|
lynx -dump -nolist "http://www.wireshark.org/faq_plain.html" | \
|
||||||
|
sed -e '1,/^Index/d' >>FAQ
|
||||||
|
|
||||||
echo
|
echo
|
||||||
echo "Now verfiy everything is OK and copy FAQ to help/faq.txt"
|
echo "Now verfiy everything is OK and copy FAQ to help/faq.txt"
|
||||||
|
|
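Review bot: the sed range `'1,/^Index/d'` is kept unchanged while the input page switches to faq_plain.html; if the plain page does not render a line starting with `Index`, the range never closes and sed silently deletes the entire dump, leaving FAQ with only the heredoc header. Verify the marker is still present in the new page, or fail loudly (for example, check that FAQ is non-empty after the pipeline) before telling the user to copy it to help/faq.txt. While touching this script, the unchanged `echo "Now verfiy everything is OK and copy FAQ to help/faq.txt"` line has a typo: `verfiy` should be `verify`.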