Better update for the FAQ. We can now use the URL

http://www.wireshark.org/faq_plain.html, which doesn't have any images
or menus.

svn path=/trunk/; revision=18382
Gerald Combs 2006-06-07 12:54:00 +00:00
parent ab40a87c67
commit a8f1f4b330
3 changed files with 2304 additions and 3068 deletions

FAQ


@ -8,6 +8,7 @@
INDEX
1. General Questions:
1.1 What is Wireshark?
@ -140,11 +141,12 @@ dialog box popped up by "Capture->Start"?
modem/ISDN modem show up in the list of interfaces in the "Interface:"
field in the dialog box popped up by "Capture->Start"?
8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP/
Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
interface, and it shows up in the "Interface" item in the "Capture
Options" dialog box. Why can no packets be sent on or received from
that network while I'm trying to capture traffic on that interface?
8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
etc.) interface, and it shows up in the "Interface" item in the
"Capture Options" dialog box. Why can no packets be sent on or
received from that network while I'm trying to capture traffic on that
interface?
8.5 I'm running Wireshark on Windows 95/98/Me, on a machine with more
than one network adapter of the same type; why does Wireshark show all
@ -225,9 +227,9 @@ string anywhere in them?
Q 1.1: What is Wireshark?
A: Gerald Combs, the creator of Ethereal®, has initiated the Wireshark
network protocol analyzer project, a successor to Ethereal®. The
Ethereal® core developer team has moved with Gerald to the Wireshark
A: Gerald Combs, the creator of Ethereal®, has initiated the Wireshark
network protocol analyzer project, a successor to Ethereal®. The
Ethereal® core developer team has moved with Gerald to the Wireshark
project. Consequently, Wireshark is positioned to be the world's most
popular network protocol analyzer. It has a rich and powerful feature
set, and runs on most computing platforms including Windows, OS X, and
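Review bot: the three removed lines of the Q 1.1 answer read identically to the three added ones, so whatever changed is invisible in this rendering (trailing whitespace, or the bytes used for the ® sign). Check with a byte-level comparison (cat -A on both versions) that help/faq.txt ends up with the intended encoding for ® rather than a stray Latin-1/UTF-8 mix, since the plain-text file is what ships in the help menu.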
@ -238,7 +240,7 @@ For more information, please see the About Wireshark page.
Q 1.2: What's up with the name change? Is Wireshark a fork?
A: In May of 2006, the original author of Ethereal® went to work for
A: In May of 2006, the original author of Ethereal® went to work for
CACE Technologies (best known for WinPcap). At that time he started
the Wireshark open-source project.
@ -253,8 +255,8 @@ Q 1.3: Where can I get help?
A: Community support is available on the wireshark-users mailing list.
Subscription information and archives for all of Wireshark's mailing
lists can be found at http://www.wireshark.org/lists. An IRC channel
dedicated to Wireshark can be found at irc://irc.freenode.net/ethereal
.
dedicated to Wireshark can be found at
irc://irc.freenode.net/ethereal.
Commercial support, training, and development services are available
from CACE Technologies.
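Review bot: the orphaned "." on its own line after the irc:// URL is gone, which is the right fix and the kind of artifact faq_plain.html avoids. The channel is still given as irc://irc.freenode.net/ethereal; if that is meant to follow the rename, it has to be changed on the web page, since this file is generated from it.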
@ -349,35 +351,34 @@ tried it ourselves - if you try one of those types and it works,
please send an update to ).
It can also read a variety of capture file formats, including:
• AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
* AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
Grabber captures
AIX's iptrace captures
Accellent's 5Views LAN agent output
Cinco Networks NetXRay captures
Cisco Secure Intrusion Detection System IPLog output
CoSine L2 debug output
DBS Etherwatch VMS text output
Endace Measurement Systems' ERF format captures
EyeSDN USB S0 traces
HP-UX nettl captures
ISDN4BSD project i4btrace captures
Linux Bluez Bluetooth stack hcidump -w traces
Lucent/Ascend router debug output
Microsoft Network Monitor captures
Network Associates Windows-based Sniffer captures
Network General/Network Associates DOS-based Sniffer (compressed
* AIX's iptrace captures
* Accellent's 5Views LAN agent output
* Cinco Networks NetXRay captures
* Cisco Secure Intrusion Detection System IPLog output
* CoSine L2 debug output
* DBS Etherwatch VMS text output
* Endace Measurement Systems' ERF format captures
* EyeSDN USB S0 traces
* HP-UX nettl captures
* ISDN4BSD project i4btrace captures
* Linux Bluez Bluetooth stack hcidump -w traces
* Lucent/Ascend router debug output
* Microsoft Network Monitor captures
* Network Associates Windows-based Sniffer captures
* Network General/Network Associates DOS-based Sniffer (compressed
or uncompressed) captures
Network Instruments Observer version 9 captures
Novell LANalyzer captures
RADCOM's WAN/LAN analyzer captures
Shomiti/Finisar Surveyor captures
Toshiba's ISDN routers dump output
VMS TCPIPtrace/TCPtrace/UCX$TRACE output
Visual Networks' Visual UpTime traffic capture
libpcap, tcpdump and various other tools using tcpdump's capture
* Network Instruments Observer version 9 captures
* Novell LANalyzer captures
* RADCOM's WAN/LAN analyzer captures
* Shomiti/Finisar Surveyor captures
* Toshiba's ISDN routers dump output
* VMS TCPIPtrace/TCPtrace/UCX$TRACE output
* Visual Networks' Visual UpTime traffic capture
* libpcap, tcpdump and various other tools using tcpdump's capture
format
snoop and atmsnoop output
* snoop and atmsnoop output
so that it can read traces from various network types, as captured by
other applications or equipment, even if it cannot itself capture on
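Review bot: the first context line of this hunk still reads "please send an update to )." with no address, so the mailto link text does not survive the lynx -dump -nolist rendering; this commit does not fix it, and the address needs to appear as plain text on faq_plain.html or help/faq.txt ships with an empty recipient. The switch from "•" to ASCII "*" bullets in the format list is otherwise an improvement for a plain-text file.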
@ -404,12 +405,11 @@ A: The program you used to download it may have downloaded it
incorrectly. Web browsers sometimes may do this.
Try downloading it with, for example:
• Wget, for which Windows binaries are available on the SunSITE FTP
* Wget, for which Windows binaries are available on the SunSITE FTP
server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
offers a GUI interface that uses wget;
WS_FTP from Ipswitch,
the ftp command that comes with Windows.
* WS_FTP from Ipswitch,
* the ftp command that comes with Windows.
If you use the ftp command, make sure you do the transfer in binary
mode rather than ASCII mode, by using the binary command before
@ -565,7 +565,6 @@ then not only does prebinding fail, but startup actually becomes much
slower, because the system tries in vain to perform prebinding "on the
fly" as you launch the application. This fails, causing sometimes huge
delays. To fix the prebinding caches, run the command
sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
6. Crashes and other fatal errors
@ -574,17 +573,15 @@ Q 6.1: I have an XXX network card on my machine; if I try to capture
on it, why does my machine crash or reset itself?
A: This is almost certainly a problem with one or more of:
• the operating system you're using;
• the device driver for the interface you're using;
• the libpcap/WinPcap library and, if this is Windows, the WinPcap
* the operating system you're using;
* the device driver for the interface you're using;
* the libpcap/WinPcap library and, if this is Windows, the WinPcap
device driver;
so:
• if you are using Windows, see the WinPcap support page - check the
* if you are using Windows, see the WinPcap support page - check the
"Submitting bugs" section;
if you are using some Linux distribution, some version of BSD, or
* if you are using some Linux distribution, some version of BSD, or
some other UNIX-flavored OS, you should report the problem to the
company or organization that produces the OS (in the case of a
Linux distribution, report the problem to whoever produces the
@ -650,10 +647,9 @@ network interface on which you're capturing doesn't support
"promiscuous" mode, or because your OS can't put the interface into
promiscuous mode. Normally, network interfaces supply to the host
only:
• packets sent to one of that host's link-layer addresses;
• broadcast packets;
• multicast packets sent to a multicast address that the host has
* packets sent to one of that host's link-layer addresses;
* broadcast packets;
* multicast packets sent to a multicast address that the host has
configured the interface to accept.
Most network interfaces can also be put in "promiscuous" mode, in
@ -744,9 +740,9 @@ Q 7.5: Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
A: Wireshark can only capture on devices supported by libpcap/WinPcap.
On most OSes, only devices that can act as network interfaces of the
type that support IP are supported as capture devices for libpcap/
WinPcap, although the device doesn't necessarily have to be running as
an IP interface in order to support traffic capture.
type that support IP are supported as capture devices for
libpcap/WinPcap, although the device doesn't necessarily have to be
running as an IP interface in order to support traffic capture.
On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
Measurement Systems' DAG cards, so that a system with one of those
@ -765,15 +761,14 @@ Q 7.6: How do I put an interface into promiscuous mode?
A: By not disabling promiscuous mode when running Wireshark or TShark.
Note, however, that:
• the form of promiscuous mode that libpcap (the library that
* the form of promiscuous mode that libpcap (the library that
programs such as tcpdump, Wireshark, etc. use to do packet
capture) turns on will not necessarily be shown if you run
ifconfig on the interface on a UNIX system;
some network interfaces might not support promiscuous mode, and
* some network interfaces might not support promiscuous mode, and
some drivers might not allow promiscuous mode to be turned on -
see this earlier question for more information on that;
the fact that you're not seeing any traffic, or are only seeing
* the fact that you're not seeing any traffic, or are only seeing
broadcast traffic, or aren't seeing any non-broadcast traffic
other than traffic to or from the machine running Wireshark, does
not mean that promiscuous mode isn't on - see this earlier
@ -799,8 +794,8 @@ Packet capturing is performed with the pcap library. The capture
filter syntax follows the rules of the pcap library. This syntax is
different from the display filter syntax."
The capture filter syntax used by libpcap can be found in the tcpdump
(8) man page.
The capture filter syntax used by libpcap can be found in the
tcpdump(8) man page.
Q 7.8: I'm entering valid capture filters; why do I still get "parse
error" errors?
@ -927,11 +922,10 @@ address columns), and that lookup process is taking a very long time.
Wireshark calls a routine in the OS of the machine on which it's
running to convert of IP addresses to the corresponding names. That
routine probably does one or more of:
• a search of a system file listing IP addresses and names;
• a lookup using DNS;
• on UNIX systems, a lookup using NIS;
• on Windows systems, a NetBIOS-over-TCP query.
* a search of a system file listing IP addresses and names;
* a lookup using DNS;
* on UNIX systems, a lookup using NIS;
* on Windows systems, a NetBIOS-over-TCP query.
If a DNS server that's used in an address lookup is not responding,
the lookup will fail, but will only fail after a timeout while the
@ -975,7 +969,6 @@ and then get a stack trace if you have a debugger installed. A stack
trace can be obtained by using your debugger (gdb in this example),
the Wireshark binary, and the resulting core file. Here's an example
of how to use the gdb command backtrace to do so.
$ gdb wireshark core
(gdb) backtrace
..... prints the stack trace
@ -989,15 +982,15 @@ Also, if at all possible, please send a copy of the capture file that
caused the problem; when capturing packets, Wireshark normally writes
captured packets to a temporary file, which will probably be in /tmp
or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
(normally C:) on Windows 9x/Me/NT 4.0, and \Documents and Settings\
your login name\Local Settings\Temp on the main system disk on Windows
2000/Windows XP/Windows Server 2003, so the capture file will probably
be there. It will have a name beginning with ether, with some mixture
of letters and numbers after that. Please don't send a trace file
greater than 1 MB when compressed; instead, make it available via FTP
or HTTP, or say it's available but leave it up to a developer to ask
for it. If the trace file contains sensitive information (e.g.,
passwords), then please do not send it.
(normally C:) on Windows 9x/Me/NT 4.0, and \Documents and
Settings\your login name\Local Settings\Temp on the main system disk
on Windows 2000/Windows XP/Windows Server 2003, so the capture file
will probably be there. It will have a name beginning with ether, with
some mixture of letters and numbers after that. Please don't send a
trace file greater than 1 MB when compressed; instead, make it
available via FTP or HTTP, or say it's available but leave it up to a
developer to ask for it. If the trace file contains sensitive
information (e.g., passwords), then please do not send it.
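Review bot: the temporary capture file is still documented as having "a name beginning with ether"; if the capture code's temporary-file prefix changed with the rename, this sentence must be corrected on the web page (this file is generated), otherwise users looking in /tmp or \TEMP will search for the wrong name. The reflow itself is fine, and the closing caveat about not sending traces that contain passwords is the line to keep intact.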
8. Capturing packets on Windows
@ -1030,19 +1023,16 @@ support capturing on a particular network interface device, Wireshark
won't be able to capture on that device.
Note that:
1. 2.02 and earlier versions of the WinPcap driver and library that
Wireshark uses for packet capture didn't support Token Ring
interfaces; versions 2.1 and later support Token Ring, and the
current version of Wireshark works with (and, in fact, requires)
WinPcap 2.1 or later.
If you are having problems capturing on Token Ring interfaces, and
you have WinPcap 2.02 or an earlier version of WinPcap installed,
you should uninstall WinPcap, download and install the current
version of WinPcap, and then install the latest version of
Wireshark.
2. On Windows 95, 98, or Me, sometimes more than one interface will
be given the same name; if that is the case, you will only be able
to capture on one of those interfaces - it's not clear to which
@ -1053,7 +1043,6 @@ Note that:
capture on the interface you're currently using. In that case, you
might, for example, have to remove the VPN interface from the
system in order to capture on the PPP serial interface.
3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows
NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
avoid those problems, support for PPP WAN interfaces on those
@ -1062,7 +1051,6 @@ Note that:
and various other lines such as T1/E1 lines are all PPP
interfaces, so those interfaces might not show up on the list of
interfaces in the "Capture Options" dialog on those OSes.
On Windows 2000, Windows XP, and Windows Server 2003, but not
Windows NT 4.0 or Windows Vista Beta 1, you should be able to
capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta
@ -1070,7 +1058,6 @@ Note that:
beta release, you should un-install it and install the final 3.1
release.) See the Wireshark Wiki item on PPP capturing for
details.
4. WinPcap prior to 3.0 does not support multiprocessor machines
(note that machines with a single multi-threaded processor, such
as Intel's new multi-threaded x86 processors, are multiprocessor
@ -1093,18 +1080,16 @@ Web site for information on using WinDump.
You would run WinDump with the -D flag; if it lists the interface,
please report this to wireshark-dev@wireshark.org giving full details
of the problem, including
• the operating system you're using, and the version of that
* the operating system you're using, and the version of that
operating system;
the type of network device you're using;
the output of WinDump.
* the type of network device you're using;
* the output of WinDump.
If WinDump does not list the interface, this is almost certainly a
problem with one or more of:
• the operating system you're using;
• the device driver for the interface you're using;
• the WinPcap library and/or the WinPcap device driver;
* the operating system you're using;
* the device driver for the interface you're using;
* the WinPcap library and/or the WinPcap device driver;
so first check the WinPcap FAQ or the Wiretapped.net mirror of that
FAQ, to see if your problem is mentioned there. If not, then see the
@ -1117,18 +1102,16 @@ site for information on using WinDump.
If you can capture on the interface with WinDump, send mail to
wireshark-users@wireshark.org giving full details of the problem,
including
• the operating system you're using, and the version of that
* the operating system you're using, and the version of that
operating system;
the type of network device you're using;
the error message you get from Wireshark.
* the type of network device you're using;
* the error message you get from Wireshark.
If you cannot capture on the interface with WinDump, this is almost
certainly a problem with one or more of:
• the operating system you're using;
• the device driver for the interface you're using;
• the WinPcap library and/or the WinPcap device driver;
* the operating system you're using;
* the device driver for the interface you're using;
* the WinPcap library and/or the WinPcap device driver;
so first check the WinPcap FAQ or the Wiretapped.net mirror of that
FAQ, to see if your problem is mentioned there. If not, then see the
@ -1150,8 +1133,8 @@ dialog box popped up by "Capture->Start"?
A: This is really the same question as the previous one; see the
response to that question.
Q 8.3: I'm running Wireshark on Windows; why doesn't my serial port/
ADSL modem/ISDN modem show up in the list of interfaces in the
Q 8.3: I'm running Wireshark on Windows; why doesn't my serial
port/ADSL modem/ISDN modem show up in the list of interfaces in the
"Interface:" field in the dialog box popped up by "Capture->Start"?
A: Internet access on those devices is often done with the
@ -1168,11 +1151,12 @@ the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
un-install it and install the final 3.1 release.) See the Wireshark
Wiki item on PPP capturing for details.
Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP
/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
interface, and it shows up in the "Interface" item in the "Capture
Options" dialog box. Why can no packets be sent on or received from
that network while I'm trying to capture traffic on that interface?
Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
etc.) interface, and it shows up in the "Interface" item in the
"Capture Options" dialog box. Why can no packets be sent on or
received from that network while I'm trying to capture traffic on that
interface?
A: Some versions of WinPcap have problems with PPP WAN interfaces on
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
@ -1198,8 +1182,8 @@ of those adapters other than the first one?
A: Unfortunately, Windows 95/98/Me gives the same name to multiple
instances of the type of same network adapter. Therefore, WinPcap
cannot distinguish between them, so a WinPcap-based application can
capture only on the first such interface; Wireshark is a libpcap/
WinPcap-based application.
capture only on the first such interface; Wireshark is a
libpcap/WinPcap-based application.
Q 8.6: I'm running Wireshark on Windows; why am I not seeing any
traffic being sent by the machine running Wireshark?
@ -1271,9 +1255,9 @@ choice between seeing VLAN headers and seeing outgoing packets.
Q 9.1: I'm running Wireshark on a UNIX-flavored OS; why does some
network interface on my machine not show up in the list of interfaces
in the "Interface:" field in the dialog box popped up by "Capture->
Start", and/or why does Wireshark give me an error if I try to capture
on that interface?
in the "Interface:" field in the dialog box popped up by
"Capture->Start", and/or why does Wireshark give me an error if I try
to capture on that interface?
A: You may need to run Wireshark from an account with sufficient
privileges to capture packets, such as the super-user account, or may
@ -1312,12 +1296,11 @@ If the attempt to capture on it succeeds, the interface is somehow not
being reported by the mechanism Wireshark uses to get a list of
interfaces; please report this to wireshark-dev@wireshark.org giving
full details of the problem, including
• the operating system you're using, and the version of that
* the operating system you're using, and the version of that
operating system (for Linux, give both the version number of the
kernel and the name and version number of the distribution you're
using);
the type of network device you're using.
* the type of network device you're using.
If you are having trouble capturing on a particular network interface,
and you've made sure that (on platforms that require it) you've
@ -1327,20 +1310,18 @@ first try capturing on that device with tcpdump.
If you can capture on the interface with tcpdump, send mail to
wireshark-users@wireshark.org giving full details of the problem,
including
• the operating system you're using, and the version of that
* the operating system you're using, and the version of that
operating system (for Linux, give both the version number of the
kernel and the name and version number of the distribution you're
using);
the type of network device you're using;
the error message you get from Wireshark.
* the type of network device you're using;
* the error message you get from Wireshark.
If you cannot capture on the interface with tcpdump, this is almost
certainly a problem with one or more of:
• the operating system you're using;
• the device driver for the interface you're using;
• the libpcap library;
* the operating system you're using;
* the device driver for the interface you're using;
* the libpcap library;
so you should report the problem to the company or organization that
produces the OS (in the case of a Linux distribution, report the
@ -1363,10 +1344,10 @@ response to that question.
Q 9.3: I'm capturing packets on Linux; why do the time stamps have
only 100ms resolution, rather than 1us resolution?
A: Wireshark gets time stamps from libpcap/WinPcap, and libpcap/
WinPcap get them from the OS kernel, so Wireshark - and any other
program using libpcap, such as tcpdump - is at the mercy of the time
stamping code in the OS for time stamps.
A: Wireshark gets time stamps from libpcap/WinPcap, and
libpcap/WinPcap get them from the OS kernel, so Wireshark - and any
other program using libpcap, such as tcpdump - is at the mercy of the
time stamping code in the OS for time stamps.
At least on x86-based machines, Linux can get high-resolution time
stamps on newer processors with the Time Stamp Counter (TSC) register;
@ -1444,7 +1425,6 @@ being added to them.
The only way to prevent this from happening would be to disable TCP
checksum offloading, but
1. that might not even be possible on some OSes;
2. that could reduce networking performance significantly.
@ -1474,7 +1454,6 @@ them only as UDP.
A: Wireshark can identify a UDP datagram as containing a packet of a
particular protocol running atop UDP only if
1. The protocol in question has a particular standard port number,
and the UDP source or destination port number is that port
2. Packets of that protocol can be identified by looking for a
@ -1561,4 +1540,3 @@ probably work better.
The Bleeding Edge of Snort has a collection of signatures for Snort to
detect various viruses, worms, and the like.


@ -19,7 +19,8 @@ cat >FAQ <<EOF
EOF
lynx -dump -nolist "http://www.wireshark.org/faq.html" | sed -e '1,/^Index/d' >>FAQ
lynx -dump -nolist "http://www.wireshark.org/faq_plain.html" | \
sed -e '1,/^Index/d' >>FAQ
echo
echo "Now verfiy everything is OK and copy FAQ to help/faq.txt"
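Review bot: the sed range `1,/^Index/d` silently deletes the entire dump when no line starts with "Index" (a `1,/re/` range runs to end of file if the end pattern never matches), and a lynx failure or a changed heading on faq_plain.html would therefore produce an empty or truncated FAQ with no error; add a check after the pipeline, for example `test -s FAQ || { echo "FAQ is empty" >&2; exit 1; }` and `grep -q '^Q 1.1' FAQ`, since the script's own next line asks the user to verify by eye. Also, "verfiy" in the echo on the last context line should be "verify".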