Better update for the FAQ. We can now use the URL
http://www.wireshark.org/faq_plain.html, which doesn't have any images or menus.

svn path=/trunk/; revision=18382
This commit is contained in:
parent
ab40a87c67
commit
a8f1f4b330
236
help/faq.txt
|
@ -8,6 +8,7 @@
|
|||
|
||||
INDEX
|
||||
|
||||
|
||||
1. General Questions:
|
||||
|
||||
1.1 What is Wireshark?
|
||||
|
@ -140,11 +141,12 @@ dialog box popped up by "Capture->Start"?
|
|||
modem/ISDN modem show up in the list of interfaces in the "Interface:"
|
||||
field in the dialog box popped up by "Capture->Start"?
|
||||
|
||||
8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP/
|
||||
Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
|
||||
interface, and it shows up in the "Interface" item in the "Capture
|
||||
Options" dialog box. Why can no packets be sent on or received from
|
||||
that network while I'm trying to capture traffic on that interface?
|
||||
8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
|
||||
XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
|
||||
etc.) interface, and it shows up in the "Interface" item in the
|
||||
"Capture Options" dialog box. Why can no packets be sent on or
|
||||
received from that network while I'm trying to capture traffic on that
|
||||
interface?
|
||||
|
||||
8.5 I'm running Wireshark on Windows 95/98/Me, on a machine with more
|
||||
than one network adapter of the same type; why does Wireshark show all
|
||||
|
@ -225,9 +227,9 @@ string anywhere in them?
|
|||
|
||||
Q 1.1: What is Wireshark?
|
||||
|
||||
A: Gerald Combs, the creator of Ethereal®, has initiated the Wireshark
|
||||
network protocol analyzer project, a successor to Ethereal®. The
|
||||
Ethereal® core developer team has moved with Gerald to the Wireshark
|
||||
A: Gerald Combs, the creator of Ethereal®, has initiated the Wireshark
|
||||
network protocol analyzer project, a successor to Ethereal®. The
|
||||
Ethereal® core developer team has moved with Gerald to the Wireshark
|
||||
project. Consequently, Wireshark is positioned to be the world's most
|
||||
popular network protocol analyzer. It has a rich and powerful feature
|
||||
set, and runs on most computing platforms including Windows, OS X, and
|
||||
|
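Review bot: the three removed lines and the three added lines of the Q 1.1 answer read identically in this view (the same holds for the Q 1.2 line in the next hunk), so whatever changed is invisible here, most likely trailing whitespace or the byte encoding of the ® glyph. It is worth confirming which before committing, because later hunks of this same change replace the multibyte • bullets with ASCII *, and a help/faq.txt that keeps a multibyte ® while shedding the multibyte bullets ends up with mixed encodings. Either have the page emit a 7-bit form such as (R) so the dump is pure ASCII, or declare the file UTF-8 wherever it is loaded.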
@ -238,7 +240,7 @@ For more information, please see the About Wireshark page.
|
|||
|
||||
Q 1.2: What's up with the name change? Is Wireshark a fork?
|
||||
|
||||
A: In May of 2006, the original author of Ethereal® went to work for
|
||||
A: In May of 2006, the original author of Ethereal® went to work for
|
||||
CACE Technologies (best known for WinPcap). At that time he started
|
||||
the Wireshark open-source project.
|
||||
|
||||
|
@ -253,8 +255,8 @@ Q 1.3: Where can I get help?
|
|||
A: Community support is available on the wireshark-users mailing list.
|
||||
Subscription information and archives for all of Wireshark's mailing
|
||||
lists can be found at http://www.wireshark.org/lists. An IRC channel
|
||||
dedicated to Wireshark can be found at irc://irc.freenode.net/ethereal
|
||||
.
|
||||
dedicated to Wireshark can be found at
|
||||
irc://irc.freenode.net/ethereal.
|
||||
|
||||
Commercial support, training, and development services are available
|
||||
from CACE Technologies.
|
||||
|
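Review bot: the rewrap fixes the orphaned period that the old dump left on its own line after irc://irc.freenode.net/ethereal, but the new line "irc://irc.freenode.net/ethereal." ends with the period glued to the URL, which anyone copying the channel address has to strip by hand. In the source page, wrap the URL in angle brackets or end the sentence before it so that lynx's dump keeps the punctuation apart from the address.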
@ -349,35 +351,34 @@ tried it ourselves - if you try one of those types and it works,
|
|||
please send an update to ).
|
||||
|
||||
It can also read a variety of capture file formats, including:
|
||||
|
||||
• AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
|
||||
* AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
|
||||
Grabber captures
|
||||
• AIX's iptrace captures
|
||||
• Accellent's 5Views LAN agent output
|
||||
• Cinco Networks NetXRay captures
|
||||
• Cisco Secure Intrusion Detection System IPLog output
|
||||
• CoSine L2 debug output
|
||||
• DBS Etherwatch VMS text output
|
||||
• Endace Measurement Systems' ERF format captures
|
||||
• EyeSDN USB S0 traces
|
||||
• HP-UX nettl captures
|
||||
• ISDN4BSD project i4btrace captures
|
||||
• Linux Bluez Bluetooth stack hcidump -w traces
|
||||
• Lucent/Ascend router debug output
|
||||
• Microsoft Network Monitor captures
|
||||
• Network Associates Windows-based Sniffer captures
|
||||
• Network General/Network Associates DOS-based Sniffer (compressed
|
||||
* AIX's iptrace captures
|
||||
* Accellent's 5Views LAN agent output
|
||||
* Cinco Networks NetXRay captures
|
||||
* Cisco Secure Intrusion Detection System IPLog output
|
||||
* CoSine L2 debug output
|
||||
* DBS Etherwatch VMS text output
|
||||
* Endace Measurement Systems' ERF format captures
|
||||
* EyeSDN USB S0 traces
|
||||
* HP-UX nettl captures
|
||||
* ISDN4BSD project i4btrace captures
|
||||
* Linux Bluez Bluetooth stack hcidump -w traces
|
||||
* Lucent/Ascend router debug output
|
||||
* Microsoft Network Monitor captures
|
||||
* Network Associates Windows-based Sniffer captures
|
||||
* Network General/Network Associates DOS-based Sniffer (compressed
|
||||
or uncompressed) captures
|
||||
• Network Instruments Observer version 9 captures
|
||||
• Novell LANalyzer captures
|
||||
• RADCOM's WAN/LAN analyzer captures
|
||||
• Shomiti/Finisar Surveyor captures
|
||||
• Toshiba's ISDN routers dump output
|
||||
• VMS TCPIPtrace/TCPtrace/UCX$TRACE output
|
||||
• Visual Networks' Visual UpTime traffic capture
|
||||
• libpcap, tcpdump and various other tools using tcpdump's capture
|
||||
* Network Instruments Observer version 9 captures
|
||||
* Novell LANalyzer captures
|
||||
* RADCOM's WAN/LAN analyzer captures
|
||||
* Shomiti/Finisar Surveyor captures
|
||||
* Toshiba's ISDN routers dump output
|
||||
* VMS TCPIPtrace/TCPtrace/UCX$TRACE output
|
||||
* Visual Networks' Visual UpTime traffic capture
|
||||
* libpcap, tcpdump and various other tools using tcpdump's capture
|
||||
format
|
||||
• snoop and atmsnoop output
|
||||
* snoop and atmsnoop output
|
||||
|
||||
so that it can read traces from various network types, as captured by
|
||||
other applications or equipment, even if it cannot itself capture on
|
||||
|
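Review bot: the bullet change from the multibyte • to ASCII * throughout the capture-format list is the main benefit of switching to faq_plain.html for a plain-text help file, but the unchanged context line at the top of this hunk, "please send an update to ).", shows a second problem the dump still has: the mailing-list address inside the parentheses has been dropped entirely, so the instruction points at nothing. That text comes from the page rather than from this script, so fix it there (write the address out as plain text instead of relying on markup that leaves no visible text in a lynx dump) and regenerate help/faq.txt.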
@ -404,12 +405,11 @@ A: The program you used to download it may have downloaded it
|
|||
incorrectly. Web browsers sometimes may do this.
|
||||
|
||||
Try downloading it with, for example:
|
||||
|
||||
• Wget, for which Windows binaries are available on the SunSITE FTP
|
||||
* Wget, for which Windows binaries are available on the SunSITE FTP
|
||||
server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
|
||||
offers a GUI interface that uses wget;
|
||||
• WS_FTP from Ipswitch,
|
||||
• the ftp command that comes with Windows.
|
||||
* WS_FTP from Ipswitch,
|
||||
* the ftp command that comes with Windows.
|
||||
|
||||
If you use the ftp command, make sure you do the transfer in binary
|
||||
mode rather than ASCII mode, by using the binary command before
|
||||
|
@ -565,7 +565,6 @@ then not only does prebinding fail, but startup actually becomes much
|
|||
slower, because the system tries in vain to perform prebinding "on the
|
||||
fly" as you launch the application. This fails, causing sometimes huge
|
||||
delays. To fix the prebinding caches, run the command
|
||||
|
||||
sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
|
||||
|
||||
6. Crashes and other fatal errors
|
||||
|
@ -574,17 +573,15 @@ Q 6.1: I have an XXX network card on my machine; if I try to capture
|
|||
on it, why does my machine crash or reset itself?
|
||||
|
||||
A: This is almost certainly a problem with one or more of:
|
||||
|
||||
• the operating system you're using;
|
||||
• the device driver for the interface you're using;
|
||||
• the libpcap/WinPcap library and, if this is Windows, the WinPcap
|
||||
* the operating system you're using;
|
||||
* the device driver for the interface you're using;
|
||||
* the libpcap/WinPcap library and, if this is Windows, the WinPcap
|
||||
device driver;
|
||||
|
||||
so:
|
||||
|
||||
• if you are using Windows, see the WinPcap support page - check the
|
||||
* if you are using Windows, see the WinPcap support page - check the
|
||||
"Submitting bugs" section;
|
||||
• if you are using some Linux distribution, some version of BSD, or
|
||||
* if you are using some Linux distribution, some version of BSD, or
|
||||
some other UNIX-flavored OS, you should report the problem to the
|
||||
company or organization that produces the OS (in the case of a
|
||||
Linux distribution, report the problem to whoever produces the
|
||||
|
@ -650,10 +647,9 @@ network interface on which you're capturing doesn't support
|
|||
"promiscuous" mode, or because your OS can't put the interface into
|
||||
promiscuous mode. Normally, network interfaces supply to the host
|
||||
only:
|
||||
|
||||
• packets sent to one of that host's link-layer addresses;
|
||||
• broadcast packets;
|
||||
• multicast packets sent to a multicast address that the host has
|
||||
* packets sent to one of that host's link-layer addresses;
|
||||
* broadcast packets;
|
||||
* multicast packets sent to a multicast address that the host has
|
||||
configured the interface to accept.
|
||||
|
||||
Most network interfaces can also be put in "promiscuous" mode, in
|
||||
|
@ -744,9 +740,9 @@ Q 7.5: Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
|
|||
|
||||
A: Wireshark can only capture on devices supported by libpcap/WinPcap.
|
||||
On most OSes, only devices that can act as network interfaces of the
|
||||
type that support IP are supported as capture devices for libpcap/
|
||||
WinPcap, although the device doesn't necessarily have to be running as
|
||||
an IP interface in order to support traffic capture.
|
||||
type that support IP are supported as capture devices for
|
||||
libpcap/WinPcap, although the device doesn't necessarily have to be
|
||||
running as an IP interface in order to support traffic capture.
|
||||
|
||||
On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
|
||||
Measurement Systems' DAG cards, so that a system with one of those
|
||||
|
@ -765,15 +761,14 @@ Q 7.6: How do I put an interface into promiscuous mode?
|
|||
A: By not disabling promiscuous mode when running Wireshark or TShark.
|
||||
|
||||
Note, however, that:
|
||||
|
||||
• the form of promiscuous mode that libpcap (the library that
|
||||
* the form of promiscuous mode that libpcap (the library that
|
||||
programs such as tcpdump, Wireshark, etc. use to do packet
|
||||
capture) turns on will not necessarily be shown if you run
|
||||
ifconfig on the interface on a UNIX system;
|
||||
• some network interfaces might not support promiscuous mode, and
|
||||
* some network interfaces might not support promiscuous mode, and
|
||||
some drivers might not allow promiscuous mode to be turned on -
|
||||
see this earlier question for more information on that;
|
||||
• the fact that you're not seeing any traffic, or are only seeing
|
||||
* the fact that you're not seeing any traffic, or are only seeing
|
||||
broadcast traffic, or aren't seeing any non-broadcast traffic
|
||||
other than traffic to or from the machine running Wireshark, does
|
||||
not mean that promiscuous mode isn't on - see this earlier
|
||||
|
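Review bot: several bullets in this hunk, e.g. "see this earlier question for more information on that", are cross-references that were hyperlinks on the web page; because make-faq runs lynx with -nolist, the link targets are not emitted, so a reader of help/faq.txt cannot tell which earlier question is meant. The same applies to "see the WinPcap support page" and "see the Wireshark Wiki item on PPP capturing" in later hunks. Consider either dropping -nolist so lynx appends its numbered reference list, or putting the question number and the URL into the page text itself so they survive the plain-text dump.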
@ -799,8 +794,8 @@ Packet capturing is performed with the pcap library. The capture
|
|||
filter syntax follows the rules of the pcap library. This syntax is
|
||||
different from the display filter syntax."
|
||||
|
||||
The capture filter syntax used by libpcap can be found in the tcpdump
|
||||
(8) man page.
|
||||
The capture filter syntax used by libpcap can be found in the
|
||||
tcpdump(8) man page.
|
||||
|
||||
Q 7.8: I'm entering valid capture filters; why do I still get "parse
|
||||
error" errors?
|
||||
|
@ -927,11 +922,10 @@ address columns), and that lookup process is taking a very long time.
|
|||
Wireshark calls a routine in the OS of the machine on which it's
|
||||
running to convert of IP addresses to the corresponding names. That
|
||||
routine probably does one or more of:
|
||||
|
||||
• a search of a system file listing IP addresses and names;
|
||||
• a lookup using DNS;
|
||||
• on UNIX systems, a lookup using NIS;
|
||||
• on Windows systems, a NetBIOS-over-TCP query.
|
||||
* a search of a system file listing IP addresses and names;
|
||||
* a lookup using DNS;
|
||||
* on UNIX systems, a lookup using NIS;
|
||||
* on Windows systems, a NetBIOS-over-TCP query.
|
||||
|
||||
If a DNS server that's used in an address lookup is not responding,
|
||||
the lookup will fail, but will only fail after a timeout while the
|
||||
|
@ -975,7 +969,6 @@ and then get a stack trace if you have a debugger installed. A stack
|
|||
trace can be obtained by using your debugger (gdb in this example),
|
||||
the Wireshark binary, and the resulting core file. Here's an example
|
||||
of how to use the gdb command backtrace to do so.
|
||||
|
||||
$ gdb wireshark core
|
||||
(gdb) backtrace
|
||||
..... prints the stack trace
|
||||
|
@ -989,15 +982,15 @@ Also, if at all possible, please send a copy of the capture file that
|
|||
caused the problem; when capturing packets, Wireshark normally writes
|
||||
captured packets to a temporary file, which will probably be in /tmp
|
||||
or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
|
||||
(normally C:) on Windows 9x/Me/NT 4.0, and \Documents and Settings\
|
||||
your login name\Local Settings\Temp on the main system disk on Windows
|
||||
2000/Windows XP/Windows Server 2003, so the capture file will probably
|
||||
be there. It will have a name beginning with ether, with some mixture
|
||||
of letters and numbers after that. Please don't send a trace file
|
||||
greater than 1 MB when compressed; instead, make it available via FTP
|
||||
or HTTP, or say it's available but leave it up to a developer to ask
|
||||
for it. If the trace file contains sensitive information (e.g.,
|
||||
passwords), then please do not send it.
|
||||
(normally C:) on Windows 9x/Me/NT 4.0, and \Documents and
|
||||
Settings\your login name\Local Settings\Temp on the main system disk
|
||||
on Windows 2000/Windows XP/Windows Server 2003, so the capture file
|
||||
will probably be there. It will have a name beginning with ether, with
|
||||
some mixture of letters and numbers after that. Please don't send a
|
||||
trace file greater than 1 MB when compressed; instead, make it
|
||||
available via FTP or HTTP, or say it's available but leave it up to a
|
||||
developer to ask for it. If the trace file contains sensitive
|
||||
information (e.g., passwords), then please do not send it.
|
||||
|
||||
8. Capturing packets on Windows
|
||||
|
||||
|
@ -1030,19 +1023,16 @@ support capturing on a particular network interface device, Wireshark
|
|||
won't be able to capture on that device.
|
||||
|
||||
Note that:
|
||||
|
||||
1. 2.02 and earlier versions of the WinPcap driver and library that
|
||||
Wireshark uses for packet capture didn't support Token Ring
|
||||
interfaces; versions 2.1 and later support Token Ring, and the
|
||||
current version of Wireshark works with (and, in fact, requires)
|
||||
WinPcap 2.1 or later.
|
||||
|
||||
If you are having problems capturing on Token Ring interfaces, and
|
||||
you have WinPcap 2.02 or an earlier version of WinPcap installed,
|
||||
you should uninstall WinPcap, download and install the current
|
||||
version of WinPcap, and then install the latest version of
|
||||
Wireshark.
|
||||
|
||||
2. On Windows 95, 98, or Me, sometimes more than one interface will
|
||||
be given the same name; if that is the case, you will only be able
|
||||
to capture on one of those interfaces - it's not clear to which
|
||||
|
@ -1053,7 +1043,6 @@ Note that:
|
|||
capture on the interface you're currently using. In that case, you
|
||||
might, for example, have to remove the VPN interface from the
|
||||
system in order to capture on the PPP serial interface.
|
||||
|
||||
3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows
|
||||
NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
|
||||
avoid those problems, support for PPP WAN interfaces on those
|
||||
|
@ -1062,7 +1051,6 @@ Note that:
|
|||
and various other lines such as T1/E1 lines are all PPP
|
||||
interfaces, so those interfaces might not show up on the list of
|
||||
interfaces in the "Capture Options" dialog on those OSes.
|
||||
|
||||
On Windows 2000, Windows XP, and Windows Server 2003, but not
|
||||
Windows NT 4.0 or Windows Vista Beta 1, you should be able to
|
||||
capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta
|
||||
|
@ -1070,7 +1058,6 @@ Note that:
|
|||
beta release, you should un-install it and install the final 3.1
|
||||
release.) See the Wireshark Wiki item on PPP capturing for
|
||||
details.
|
||||
|
||||
4. WinPcap prior to 3.0 does not support multiprocessor machines
|
||||
(note that machines with a single multi-threaded processor, such
|
||||
as Intel's new multi-threaded x86 processors, are multiprocessor
|
||||
|
@ -1093,18 +1080,16 @@ Web site for information on using WinDump.
|
|||
You would run WinDump with the -D flag; if it lists the interface,
|
||||
please report this to wireshark-dev@wireshark.org giving full details
|
||||
of the problem, including
|
||||
|
||||
• the operating system you're using, and the version of that
|
||||
* the operating system you're using, and the version of that
|
||||
operating system;
|
||||
• the type of network device you're using;
|
||||
• the output of WinDump.
|
||||
* the type of network device you're using;
|
||||
* the output of WinDump.
|
||||
|
||||
If WinDump does not list the interface, this is almost certainly a
|
||||
problem with one or more of:
|
||||
|
||||
• the operating system you're using;
|
||||
• the device driver for the interface you're using;
|
||||
• the WinPcap library and/or the WinPcap device driver;
|
||||
* the operating system you're using;
|
||||
* the device driver for the interface you're using;
|
||||
* the WinPcap library and/or the WinPcap device driver;
|
||||
|
||||
so first check the WinPcap FAQ or the Wiretapped.net mirror of that
|
||||
FAQ, to see if your problem is mentioned there. If not, then see the
|
||||
|
@ -1117,18 +1102,16 @@ site for information on using WinDump.
|
|||
If you can capture on the interface with WinDump, send mail to
|
||||
wireshark-users@wireshark.org giving full details of the problem,
|
||||
including
|
||||
|
||||
• the operating system you're using, and the version of that
|
||||
* the operating system you're using, and the version of that
|
||||
operating system;
|
||||
• the type of network device you're using;
|
||||
• the error message you get from Wireshark.
|
||||
* the type of network device you're using;
|
||||
* the error message you get from Wireshark.
|
||||
|
||||
If you cannot capture on the interface with WinDump, this is almost
|
||||
certainly a problem with one or more of:
|
||||
|
||||
• the operating system you're using;
|
||||
• the device driver for the interface you're using;
|
||||
• the WinPcap library and/or the WinPcap device driver;
|
||||
* the operating system you're using;
|
||||
* the device driver for the interface you're using;
|
||||
* the WinPcap library and/or the WinPcap device driver;
|
||||
|
||||
so first check the WinPcap FAQ or the Wiretapped.net mirror of that
|
||||
FAQ, to see if your problem is mentioned there. If not, then see the
|
||||
|
@ -1150,8 +1133,8 @@ dialog box popped up by "Capture->Start"?
|
|||
A: This is really the same question as the previous one; see the
|
||||
response to that question.
|
||||
|
||||
Q 8.3: I'm running Wireshark on Windows; why doesn't my serial port/
|
||||
ADSL modem/ISDN modem show up in the list of interfaces in the
|
||||
Q 8.3: I'm running Wireshark on Windows; why doesn't my serial
|
||||
port/ADSL modem/ISDN modem show up in the list of interfaces in the
|
||||
"Interface:" field in the dialog box popped up by "Capture->Start"?
|
||||
|
||||
A: Internet access on those devices is often done with the
|
||||
|
@ -1168,11 +1151,12 @@ the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
|
|||
un-install it and install the final 3.1 release.) See the Wireshark
|
||||
Wiki item on PPP capturing for details.
|
||||
|
||||
Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP
|
||||
/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
|
||||
interface, and it shows up in the "Interface" item in the "Capture
|
||||
Options" dialog box. Why can no packets be sent on or received from
|
||||
that network while I'm trying to capture traffic on that interface?
|
||||
Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
|
||||
XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
|
||||
etc.) interface, and it shows up in the "Interface" item in the
|
||||
"Capture Options" dialog box. Why can no packets be sent on or
|
||||
received from that network while I'm trying to capture traffic on that
|
||||
interface?
|
||||
|
||||
A: Some versions of WinPcap have problems with PPP WAN interfaces on
|
||||
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
|
||||
|
@ -1198,8 +1182,8 @@ of those adapters other than the first one?
|
|||
A: Unfortunately, Windows 95/98/Me gives the same name to multiple
|
||||
instances of the type of same network adapter. Therefore, WinPcap
|
||||
cannot distinguish between them, so a WinPcap-based application can
|
||||
capture only on the first such interface; Wireshark is a libpcap/
|
||||
WinPcap-based application.
|
||||
capture only on the first such interface; Wireshark is a
|
||||
libpcap/WinPcap-based application.
|
||||
|
||||
Q 8.6: I'm running Wireshark on Windows; why am I not seeing any
|
||||
traffic being sent by the machine running Wireshark?
|
||||
|
@ -1271,9 +1255,9 @@ choice between seeing VLAN headers and seeing outgoing packets.
|
|||
|
||||
Q 9.1: I'm running Wireshark on a UNIX-flavored OS; why does some
|
||||
network interface on my machine not show up in the list of interfaces
|
||||
in the "Interface:" field in the dialog box popped up by "Capture->
|
||||
Start", and/or why does Wireshark give me an error if I try to capture
|
||||
on that interface?
|
||||
in the "Interface:" field in the dialog box popped up by
|
||||
"Capture->Start", and/or why does Wireshark give me an error if I try
|
||||
to capture on that interface?
|
||||
|
||||
A: You may need to run Wireshark from an account with sufficient
|
||||
privileges to capture packets, such as the super-user account, or may
|
||||
|
@ -1312,12 +1296,11 @@ If the attempt to capture on it succeeds, the interface is somehow not
|
|||
being reported by the mechanism Wireshark uses to get a list of
|
||||
interfaces; please report this to wireshark-dev@wireshark.org giving
|
||||
full details of the problem, including
|
||||
|
||||
• the operating system you're using, and the version of that
|
||||
* the operating system you're using, and the version of that
|
||||
operating system (for Linux, give both the version number of the
|
||||
kernel and the name and version number of the distribution you're
|
||||
using);
|
||||
• the type of network device you're using.
|
||||
* the type of network device you're using.
|
||||
|
||||
If you are having trouble capturing on a particular network interface,
|
||||
and you've made sure that (on platforms that require it) you've
|
||||
|
@ -1327,20 +1310,18 @@ first try capturing on that device with tcpdump.
|
|||
If you can capture on the interface with tcpdump, send mail to
|
||||
wireshark-users@wireshark.org giving full details of the problem,
|
||||
including
|
||||
|
||||
• the operating system you're using, and the version of that
|
||||
* the operating system you're using, and the version of that
|
||||
operating system (for Linux, give both the version number of the
|
||||
kernel and the name and version number of the distribution you're
|
||||
using);
|
||||
• the type of network device you're using;
|
||||
• the error message you get from Wireshark.
|
||||
* the type of network device you're using;
|
||||
* the error message you get from Wireshark.
|
||||
|
||||
If you cannot capture on the interface with tcpdump, this is almost
|
||||
certainly a problem with one or more of:
|
||||
|
||||
• the operating system you're using;
|
||||
• the device driver for the interface you're using;
|
||||
• the libpcap library;
|
||||
* the operating system you're using;
|
||||
* the device driver for the interface you're using;
|
||||
* the libpcap library;
|
||||
|
||||
so you should report the problem to the company or organization that
|
||||
produces the OS (in the case of a Linux distribution, report the
|
||||
|
@ -1363,10 +1344,10 @@ response to that question.
|
|||
Q 9.3: I'm capturing packets on Linux; why do the time stamps have
|
||||
only 100ms resolution, rather than 1us resolution?
|
||||
|
||||
A: Wireshark gets time stamps from libpcap/WinPcap, and libpcap/
|
||||
WinPcap get them from the OS kernel, so Wireshark - and any other
|
||||
program using libpcap, such as tcpdump - is at the mercy of the time
|
||||
stamping code in the OS for time stamps.
|
||||
A: Wireshark gets time stamps from libpcap/WinPcap, and
|
||||
libpcap/WinPcap get them from the OS kernel, so Wireshark - and any
|
||||
other program using libpcap, such as tcpdump - is at the mercy of the
|
||||
time stamping code in the OS for time stamps.
|
||||
|
||||
At least on x86-based machines, Linux can get high-resolution time
|
||||
stamps on newer processors with the Time Stamp Counter (TSC) register;
|
||||
|
@ -1444,7 +1425,6 @@ being added to them.
|
|||
|
||||
The only way to prevent this from happening would be to disable TCP
|
||||
checksum offloading, but
|
||||
|
||||
1. that might not even be possible on some OSes;
|
||||
2. that could reduce networking performance significantly.
|
||||
|
||||
|
@ -1474,7 +1454,6 @@ them only as UDP.
|
|||
|
||||
A: Wireshark can identify a UDP datagram as containing a packet of a
|
||||
particular protocol running atop UDP only if
|
||||
|
||||
1. The protocol in question has a particular standard port number,
|
||||
and the UDP source or destination port number is that port
|
||||
2. Packets of that protocol can be identified by looking for a
|
||||
|
@ -1561,4 +1540,3 @@ probably work better.
|
|||
|
||||
The Bleeding Edge of Snort has a collection of signatures for Snort to
|
||||
detect various viruses, worms, and the like.
|
||||
|
||||
|
|
3
make-faq
|
@ -19,7 +19,8 @@ cat >FAQ <<EOF
|
|||
|
||||
EOF
|
||||
|
||||
lynx -dump -nolist "http://www.wireshark.org/faq.html" | sed -e '1,/^Index/d' >>FAQ
|
||||
lynx -dump -nolist "http://www.wireshark.org/faq_plain.html" | \
|
||||
sed -e '1,/^Index/d' >>FAQ
|
||||
|
||||
echo
|
||||
echo "Now verfiy everything is OK and copy FAQ to help/faq.txt"
|
||||
|
|
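Review bot: the continuation "| \" is correct and the URL change is the point of the commit, but the unchanged sed -e '1,/^Index/d' now runs against a different page, and it only works if the plain page's dump still contains a line beginning with "Index" where the preamble ends. If no such line exists, the address range never closes and sed deletes to end of input, so FAQ would contain nothing but the heredoc header; a cheap guard is to check that the appended output is non-empty (or that it still contains "Q 1.1") before telling the user to copy it over help/faq.txt. Also, the context line echo "Now verfiy everything is OK ..." carries a typo (verfiy should be verify) that could be fixed while this script is being touched.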