parent 3ef942a0f7
commit fdb2849d44
78
README
@ -3,31 +3,31 @@ $Id$
|
|||
General Information
|
||||
------- -----------
|
||||
|
||||
Ethereal is a network traffic analyzer, or "sniffer", for Unix and
|
||||
Wireshark is a network traffic analyzer, or "sniffer", for Unix and
|
||||
Unix-like operating systems. It uses GTK+, a graphical user interface
|
||||
library, and libpcap, a packet capture and filtering library.
|
||||
|
||||
The Ethereal distribution also comes with Tethereal, which is a
|
||||
The Wireshark distribution also comes with Tshark, which is a
|
||||
line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the
|
||||
same dissection, capture-file reading and writing, and packet filtering
|
||||
code as Ethereal, and with editcap, which is a program to read capture
|
||||
code as Wireshark, and with editcap, which is a program to read capture
|
||||
files and write the packets from that capture file, possibly in a
|
||||
different capture file format, and with some packets possibly removed
|
||||
from the capture.
|
||||
|
||||
The official home of Ethereal is
|
||||
The official home of Wireshark is
|
||||
|
||||
http://www.ethereal.com
|
||||
http://www.wireshark.org
|
||||
|
||||
The latest distribution can be found in the subdirectory
|
||||
|
||||
http://www.ethereal.com/distribution
|
||||
http://www.wireshark.org/distribution
|
||||
|
||||
|
||||
Installation
|
||||
------------
|
||||
|
||||
Ethereal is known to compile and run on the following systems:
|
||||
Wireshark is known to compile and run on the following systems:
|
||||
|
||||
- Linux (2.0 and later kernels, various distributions)
|
||||
- Solaris (2.5.1 and later)
|
||||
|
@ -73,7 +73,7 @@ In order to capture packets from the network, you need to be running as
|
|||
root, or have access to the appropriate entry under /dev if your system
|
||||
is so inclined (BSD-derived systems, and systems such as Solaris and
|
||||
HP-UX that support DLPI, typically fall into this category). Although
|
||||
it might be tempting to make the Ethereal executable setuid root, please
|
||||
it might be tempting to make the Wireshark executable setuid root, please
|
||||
don't - alpha code is by nature not very robust, and liable to contain
|
||||
security holes.
|
||||
|
||||
|
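Review bot: The setuid-root warning on the rewritten line "it might be tempting to make the Wireshark executable setuid root, please don't" is updated only for the product name, but the same caveat applies to the Tshark binary introduced in the first hunk, which the README says shares the same dissection, capture and filtering code; widen it to "the Wireshark or Tshark executables". The stated rationale, "alpha code is by nature not very robust, and liable to contain security holes", also reads as stale after the rename; the durable point is that the dissection code parses untrusted network input and should not run with root privileges beyond what packet capture needs.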
@ -85,13 +85,13 @@ Multiple File Types
|
|||
-------------------
|
||||
|
||||
The wiretap library is a packet-capture library currently under
|
||||
development parallel to ethereal. In the future it is hoped that
|
||||
development parallel to wireshark. In the future it is hoped that
|
||||
wiretap will have more features than libpcap, but wiretap is still in
|
||||
its infancy. However, wiretap is used in ethereal for its ability
|
||||
its infancy. However, wiretap is used in wireshark for its ability
|
||||
to read multiple file types. You can read the following file
|
||||
formats:
|
||||
|
||||
libpcap (tcpdump -w, etc.) - this is Ethereal's native format
|
||||
libpcap (tcpdump -w, etc.) - this is Wireshark's native format
|
||||
snoop and atmsnoop
|
||||
Shomiti/Finisar Surveyor
|
||||
Novell LANalyzer
|
||||
|
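Review bot: Lowercase "wireshark" in "development parallel to wireshark" and "wiretap is used in wireshark" is inconsistent with the capitalized product name on the "this is Wireshark's native format" line in the same hunk; the lowercase form was carried over mechanically from "ethereal", so capitalize both while these lines are being touched.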
@ -121,26 +121,26 @@ Trace files for the EyeSDN USB S0
|
|||
|
||||
In addition, it can read gzipped versions of any of these files
|
||||
automatically, if you have the zlib library available when compiling
|
||||
Ethereal. Ethereal needs a modern version of zlib to be able to use
|
||||
Wireshark. Wireshark needs a modern version of zlib to be able to use
|
||||
zlib to read gzipped files; version 1.1.3 is known to work. Versions
|
||||
prior to 1.0.9 are missing some functions that Ethereal needs and won't
|
||||
prior to 1.0.9 are missing some functions that Wireshark needs and won't
|
||||
work. "./configure" should detect if you have the proper zlib version
|
||||
available and, if you don't, should disable zlib support. You can always
|
||||
use "./configure --disable-zlib" to explicitly disable zlib support.
|
||||
|
||||
Although Ethereal can read AIX iptrace files, the documentation on
|
||||
Although Wireshark can read AIX iptrace files, the documentation on
|
||||
AIX's iptrace packet-trace command is sparse. The 'iptrace' command
|
||||
starts a daemon which you must kill in order to stop the trace. Through
|
||||
experimentation it appears that sending a HUP signal to that iptrace
|
||||
daemon causes a graceful shutdown and a complete packet is written
|
||||
to the trace file. If a partial packet is saved at the end, Ethereal
|
||||
to the trace file. If a partial packet is saved at the end, Wireshark
|
||||
will complain when reading that file, but you will be able to read all
|
||||
other packets. If this occurs, please let the Ethereal developers know
|
||||
at ethereal-dev@ethereal.com, and be sure to send us a copy of that trace
|
||||
other packets. If this occurs, please let the Wireshark developers know
|
||||
at wireshark-dev@wireshark.org, and be sure to send us a copy of that trace
|
||||
file if it's small and contains non-sensitive data.
|
||||
|
||||
Support for Lucent/Ascend products is limited to the debug trace output
|
||||
generated by the MAX and Pipline series of products. Ethereal can read
|
||||
generated by the MAX and Pipline series of products. Wireshark can read
|
||||
the output of the "wandsession" "wandisplay", "wannext", and "wdd"
|
||||
commands. For detailed information on use of these commands, please refer
|
||||
the following pages:
|
||||
|
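Review bot: "generated by the MAX and Pipline series of products" keeps the old typo on a line that is being rewritten anyway; the next hunk's context spells it "Pipeline series", so fix it to "Pipeline" here. Two lines further down, "please refer the following pages" is missing "to".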
@ -154,17 +154,17 @@ the following pages:
|
|||
"wdd" on the Pipeline series:
|
||||
http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006877
|
||||
|
||||
Ethereal can also read dump trace output from the Toshiba "Compact Router"
|
||||
Wireshark can also read dump trace output from the Toshiba "Compact Router"
|
||||
line of ISDN routers (TR-600 and TR-650). You can telnet to the router
|
||||
and start a dump session with "snoop dump".
|
||||
|
||||
CoSine L2 debug output can also be read by Ethereal. To get the L2
|
||||
CoSine L2 debug output can also be read by Wireshark. To get the L2
|
||||
debug output, get in the diags mode first and then use
|
||||
"create-pkt-log-profile" and "apply-pkt-log-profile" commands under
|
||||
layer-2 category. For more detail how to use these commands, you
|
||||
should examine the help command by "layer-2 create ?" or "layer-2 apply ?".
|
||||
|
||||
To use the Lucent/Ascend, Toshiba and CoSine traces with Ethereal, you must
|
||||
To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must
|
||||
capture the trace output to a file on disk. The trace is happening inside
|
||||
the router and the router has no way of saving the trace to a file for you.
|
||||
An easy way of doing this under Unix is to run "telnet <ascend> | tee <outfile>".
|
||||
|
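Review bot: Style, in the unchanged context of this hunk: "For more detail how to use these commands" should read "For more detail on how to use these commands".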
@ -183,11 +183,11 @@ Script done on <date/time>
|
|||
|
||||
IPv6
|
||||
----
|
||||
If your operating system includes IPv6 support, ethereal will attempt to
|
||||
If your operating system includes IPv6 support, wireshark will attempt to
|
||||
use reverse name resolution capabilities when decoding IPv6 packets.
|
||||
|
||||
If you want to turn off name resolution while using ethereal, start
|
||||
ethereal with the "-n" option to turn off all name resolution (including
|
||||
If you want to turn off name resolution while using wireshark, start
|
||||
wireshark with the "-n" option to turn off all name resolution (including
|
||||
resolution of MAC addresses and TCP/UDP/SMTP port numbers to names), or
|
||||
with the "-N mt" option to turn off name resolution for all
|
||||
network-layer addresses (IPv4, IPv6, IPX).
|
||||
|
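Review bot: "If your operating system includes IPv6 support, wireshark will attempt to" refers to the product and should be capitalized "Wireshark", whereas "start wireshark with the "-n" option" refers to the command and is correctly lowercase; keep that distinction consistent across the hunk. In the unchanged context, "TCP/UDP/SMTP port numbers" looks like a typo for a transport protocol, since SMTP is an application protocol; check the intended name against the option's documentation before leaving it.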
@ -197,22 +197,22 @@ box using the Preferences item in the Edit menu, selecting "Name
|
|||
resolution", turning off the appropriate name resolution options,
|
||||
clicking "Save", and clicking "OK".
|
||||
|
||||
If you would like to compile ethereal without support for IPv6 name
|
||||
If you would like to compile wireshark without support for IPv6 name
|
||||
resolution, use the "--disable-ipv6" option with "./configure". If you
|
||||
compile ethereal without IPv6 name resolution, you will still be able to
|
||||
compile wireshark without IPv6 name resolution, you will still be able to
|
||||
decode IPv6 packets, but you'll only see IPv6 addresses, not host names.
|
||||
|
||||
|
||||
SNMP
|
||||
----
|
||||
Ethereal can do some basic decoding of SNMP packets; it can also use the
|
||||
Wireshark can do some basic decoding of SNMP packets; it can also use the
|
||||
UCD SNMP library, version 4.2.2 or later, to do more sophisticated
|
||||
decoding, by reading MIB files and using the information in those files
|
||||
to display OIDs and variable binding values in a friendlier fashion.
|
||||
The configure script will automatically determine whether you have the
|
||||
UCD SNMP library on your system, and will use it if it's version 4.2.2
|
||||
or later. If you have an SNMP library but _do not_ want to have
|
||||
ethereal use it, you can run configure with the "--without-ucd-snmp"
|
||||
wireshark use it, you can run configure with the "--without-ucd-snmp"
|
||||
option.
|
||||
|
||||
If you have an earlier version of the UCD SNMP library on your system,
|
||||
|
@ -224,8 +224,8 @@ problems, or should configure with "--without-ucd-snmp".
|
|||
|
||||
How to Report a Bug
|
||||
-------------------
|
||||
Ethereal is still under constant development, so it is possible that you will
|
||||
encounter a bug while using it. Please report bugs to ethereal-dev@ethereal.com.
|
||||
Wireshark is still under constant development, so it is possible that you will
|
||||
encounter a bug while using it. Please report bugs to wireshark-dev@wireshark.org.
|
||||
Be sure you tell us:
|
||||
|
||||
1) Operating System and version (the command 'uname -sr' may
|
||||
|
@ -235,11 +235,11 @@ Be sure you tell us:
|
|||
both the version number of the kernel, and which version of
|
||||
which distribution you're running)
|
||||
2) Version of GTK+ (the command 'gtk-config --version' will tell you)
|
||||
3) Version of Ethereal (the command 'ethereal -v' will tell you,
|
||||
3) Version of Wireshark (the command 'wireshark -v' will tell you,
|
||||
unless the bug is so severe as to prevent that from working,
|
||||
and should also tell you the versions of libraries with which
|
||||
it was built)
|
||||
4) The command you used to invoke Ethereal, and the sequence of
|
||||
4) The command you used to invoke Wireshark, and the sequence of
|
||||
operations you performed that caused the bug to appear
|
||||
|
||||
If the bug is produced by a particular trace file, please be sure to send
|
||||
|
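Review bot: Item 3 now reads "the command 'wireshark -v' will tell you", but the core-dump section later in this patch covers Tshark crashes too; say "'wireshark -v' or 'tshark -v'" so that Tshark bug reports also include the version and the library versions it was built with.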
@ -247,23 +247,23 @@ a trace file along with your bug description. Please don't send a trace file
|
|||
greater than 1 MB when compressed. If the trace file contains sensitive
|
||||
information (e.g., passwords), then please do not send it.
|
||||
|
||||
If Ethereal died on you with a 'segmentation violation', 'bus error',
|
||||
If Wireshark died on you with a 'segmentation violation', 'bus error',
|
||||
'abort', or other error that produces a UNIX core dump file, you can
|
||||
help the developers a lot if you have a debugger installed. A stack
|
||||
trace can be obtained by using your debugger ('gdb' in this example),
|
||||
the ethereal binary, and the resulting core file. Here's an example of
|
||||
the wireshark binary, and the resulting core file. Here's an example of
|
||||
how to use the gdb command 'backtrace' to do so.
|
||||
|
||||
$ gdb ethereal core
|
||||
$ gdb wireshark core
|
||||
(gdb) backtrace
|
||||
..... prints the stack trace
|
||||
(gdb) quit
|
||||
$
|
||||
|
||||
The core dump file may be named "ethereal.core" rather than "core" on
|
||||
The core dump file may be named "wireshark.core" rather than "core" on
|
||||
some platforms (e.g., BSD systems). If you got a core dump with
|
||||
Tethereal rather than Ethereal, use "tethereal" as the first argument to
|
||||
the debugger; the core dump may be named "tethereal.core".
|
||||
Tshark rather than Wireshark, use "tshark" as the first argument to
|
||||
the debugger; the core dump may be named "tshark.core".
|
||||
|
||||
Disclaimer
|
||||
----------
|
||||
|
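Review bot: The gdb example shows how to obtain a backtrace but never says what the reporter should send; state explicitly that the text output of "(gdb) backtrace" is what to attach, not the core file itself, in the same spirit as the "If the trace file contains sensitive information (e.g., passwords), then please do not send it" guidance earlier in the hunk. The "Tshark"/"tshark.core" replacement for "Tethereal"/"tethereal.core" matches the binary naming used in the first hunk.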
@ -272,6 +272,6 @@ There is no warranty, expressed or implied, associated with this product.
|
|||
Use at your own risk.
|
||||
|
||||
|
||||
Gerald Combs <gerald@ethereal.com>
|
||||
Gerald Combs <gerald@wireshark.org>
|
||||
Gilbert Ramirez <gram@alumni.rice.edu>
|
||||
Guy Harris <guy@alum.mit.edu>
|
||||
|