svn path=/trunk/; revision=14681
The Ethereal FAQ

Note: This is just an ASCII snapshot of the FAQ and may not be up to
date. Please go to http://www.ethereal.com/faq.html for the up-to-date
version. The version of this snapshot can be found at the end of this
document.

|
INDEX

1. General Questions:

1.1 Where can I get help?
1.2 How much does Ethereal cost?
1.3 Can I use Ethereal commercially?
1.4 Can I use Ethereal as part of my commercial product?
1.5 What protocols are currently supported?
1.6 Are there any plans to support {your favorite protocol}?
1.7 Can Ethereal read capture files from {your favorite network analyzer}?
1.8 What devices can Ethereal use to capture packets?
1.9 How do you pronounce Ethereal? Where did the name come from?

2. Downloading Ethereal:

2.1 I downloaded the Win32 installer, but when I try to run it, I get an
    error.
2.2 When I try to download the WinPcap driver and library, I can't get to
    the WinPcap Web site.

3. Installing Ethereal:

3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be installed;
    only Tethereal is installed.

4. Building Ethereal:

4.1 The configure script can't find pcap.h or bpf.h, but I have libpcap
    installed.
4.2 Why do I get the error

        dftest_DEPENDENCIES was already defined in condition TRUE, which
        implies condition HAVE_PLUGINS_TRUE

    when I try to build Ethereal from SVN or a SVN snapshot?
4.3 The link fails with a number of "Output line too long." messages
    followed by linker errors.
4.4 The link fails on Solaris because plugin_list is undefined.
4.5 The build fails on Windows because of conflicts between winsock.h and
    winsock2.h.

5. Using Ethereal:

5.1 When I use Ethereal to capture packets, I see only packets to and from
    my machine, or I'm not seeing all the traffic I'm expecting to see from
    or to the machine I'm trying to monitor.
5.2 I can't see any TCP packets other than packets to and from my machine,
    even though another analyzer on the network sees those packets.
5.3 I'm only seeing ARP packets when I try to capture traffic.
5.4 I'm running Ethereal on Windows; why does some network interface on my
    machine not show up in the list of interfaces in the "Interface:" field
    in the dialog box popped up by "Capture->Start", and/or why does
    Ethereal give me an error if I try to capture on that interface?
5.5 I'm running Ethereal on Windows; why do no network interfaces show up
    in the list of interfaces in the "Interface:" field in the dialog box
    popped up by "Capture->Start"?
5.6 I'm running Ethereal on Windows; why doesn't my serial port/ADSL
    modem/ISDN modem show up in the list of interfaces in the "Interface:"
    field in the dialog box popped up by "Capture->Start"?
5.7 I'm running Ethereal on a UNIX-flavored OS; why does some network
    interface on my machine not show up in the list of interfaces in the
    "Interface:" field in the dialog box popped up by "Capture->Start",
    and/or why does Ethereal give me an error if I try to capture on that
    interface?
5.8 I'm running Ethereal on a UNIX-flavored OS; why do no network
    interfaces show up in the list of interfaces in the "Interface:" field
    in the dialog box popped up by "Capture->Start"?
5.9 Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
5.10 How do I put an interface into promiscuous mode?
5.11 I can set a display filter just fine, but capture filters don't work.
5.12 I'm entering valid capture filters, but I still get "parse error"
     errors.
5.13 I saved a filter and tried to use its name to filter the display, but
     I got an "Unexpected end of filter string" error.
5.14 Why am I seeing lots of packets with incorrect TCP checksums?
5.15 I've just installed Ethereal, and the traffic on my local LAN is
     boring.
5.16 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
     start it.
5.17 When I run Ethereal, I get an error

        Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
        assertion `height > 0' failed.

5.18 When I run Tethereal with the "-x" option, it crashes with an error

        "** ERROR **: file print.c: line 691 (print_line): should not be
        reached.

5.19 When I run Ethereal on Windows NT, it dies with a Dr. Watson error,
     reporting an "Integer division by zero" exception, when I start it.
5.20 When I try to run Ethereal, it complains about sprint_realloc_objid
     being undefined.
5.21 I'm running Ethereal on Linux; why do my time stamps have only 100ms
     resolution, rather than 1us resolution?
5.22 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why are
     the time stamps on packets wrong?
5.23 When I try to run Ethereal on Windows, it fails to run because it
     can't find packet.dll.
5.24 I'm running Ethereal on Windows NT 4.0/Windows 2000/Windows XP/Windows
     Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.) interface,
     and it shows up in the "Interface" item in the "Capture Options" dialog
     box. Why can no packets be sent on or received from that network while
     I'm trying to capture traffic on that interface?
5.25 I'm running Ethereal on Windows 95/98/Me, on a machine with more than
     one network adapter of the same type; Ethereal shows all of those
     adapters with the same name, but I can't use any of those adapters
     other than the first one.
5.26 I'm running Ethereal on Windows, and I'm not seeing any traffic being
     sent by the machine running Ethereal.
5.27 I'm trying to capture traffic but I'm not seeing any.
5.28 I have an XXX network card on my machine; if I try to capture on it,
     my machine crashes or resets itself.
5.29 My machine crashes or resets itself when I select "Start" from the
     "Capture" menu or select "Preferences" from the "Edit" menu.
5.30 Does Ethereal work on Windows Me?
5.31 Does Ethereal work on Windows XP?
5.32 Why doesn't Ethereal correctly identify RTP packets? It shows them
     only as UDP.
5.33 Why doesn't Ethereal show Yahoo Messenger packets in captures that
     contain Yahoo Messenger traffic?
5.34 Why do I get the error

        Gdk-ERROR **: Palettized display (256-colour) mode not supported on
        Windows.
        aborting....

     when I try to run Ethereal on Windows?
5.35 When I capture on Windows in promiscuous mode, I can see packets other
     than those sent to or from my machine; however, those packets show up
     with a "Short Frame" indication, unlike packets to or from my machine.
     What should I do to arrange that I see those packets in their
     entirety?
5.36 I'm capturing packets on a machine on a VLAN; why don't the packets
     I'm capturing have VLAN tags?
5.37 How can I capture raw 802.11 frames, including non-data (management,
     beacon) frames?
5.38 How do I capture on an 802.11 device in monitor mode?
5.39 I'm trying to capture 802.11 traffic on Windows; why am I not seeing
     any packets?
5.40 I'm trying to capture 802.11 traffic on Windows; why am I seeing
     packets received by the machine on which I'm capturing traffic, but
     not packets sent by that machine?
5.41 How can I capture packets with CRC errors?
5.42 How can I capture entire frames, including the FCS?
5.43 Why does Ethereal hang after I stop a capture?
5.44 How can I search for, or filter, packets that have a particular string
     anywhere in them?
5.45 How do I filter a capture to see traffic for virus XXX?

|
1. General Questions

Q 1.1: Where can I get help?

A: Support is available on the ethereal-users mailing list. Subscription
information and archives for all of Ethereal's mailing lists can be found at
http://www.ethereal.com/lists

Q 1.2: How much does Ethereal cost?

A: Ethereal is "free software"; you can download it without paying any
license fee. The version of Ethereal you download isn't a "demo" version,
with limitations not present in a "full" version; it is the full version.

The license under which Ethereal is issued is the GNU General Public
License. See the GNU GPL FAQ for some more information.

Q 1.3: Can I use Ethereal commercially?

A: Yes, if, for example, you mean "I work for a commercial organization; can
I use Ethereal to capture and analyze network traffic in our company's
networks or in our customer's networks?"

If you mean "Can I use Ethereal as part of my commercial product?", see the
next entry in the FAQ.

Q 1.4: Can I use Ethereal as part of my commercial product?

A: As noted, Ethereal is licensed under the GNU General Public License. The
GPL imposes conditions on your use of GPL'ed code in your own products; you
cannot, for example, make a "derived work" from Ethereal, by making
modifications to it, and then sell the resulting derived work and not allow
recipients to give away the resulting work. You must also make the changes
you've made to the Ethereal source available to all recipients of your
modified version; those changes must also be licensed under the terms of the
GPL. See the GPL FAQ for more details; in particular, note the answer to the
question about modifying a GPLed program and selling it commercially, and
the question about linking GPLed code with other code to make a proprietary
program.

You can combine a GPLed program such as Ethereal and a commercial program as
long as they communicate "at arm's length", as per this item in the GPL FAQ.

Q 1.5: What protocols are currently supported?

A: There are currently 683 supported protocols and media, listed below.
Descriptions can be found in the ethereal(1) man page.

|
3Com XNS Encapsulation
3GPP2 A11
802.1q Virtual LAN
802.1x Authentication
AAL type 2 signalling protocol - Capability set 1 (Q.2630.1)
ACN
AFS (4.0) Replication Server call declarations
AIM Administrative
AIM Advertisements
AIM Buddylist Service
AIM Chat Navigation
AIM Chat Service
AIM Directory Search
AIM E-mail
AIM Generic Service
AIM ICQ
AIM Invitation Service
AIM Location
AIM Messaging
AIM OFT
AIM Popup
AIM Privacy Management Service
AIM Server Side Info
AIM Server Side Themes
AIM Signon
AIM Statistics
AIM Translate
AIM User Lookup
ANSI A-I/F BSMAP
ANSI A-I/F DTAP
ANSI IS-637-A (SMS) Teleservice Layer
ANSI IS-637-A (SMS) Transport Layer
ANSI IS-683-A (OTA (Mobile))
ANSI IS-801 (Location Services (PLD))
ANSI Mobile Application Part
AOL Instant Messenger
ARCNET
ASN.1 decoding
ATAoverEthernet
ATM
ATM AAL1
ATM AAL3/4
ATM LAN Emulation
ATM OAM AAL
AVS WLAN Capture header
AX/4000 Test Block
Active Directory Setup
Ad hoc On-demand Distance Vector Routing Protocol
Adaptive Multi-Rate
Address Resolution Protocol
AgentX
Aggregate Server Access Protocol
Alert Standard Forum
Alteon - Transparent Proxy Cache Protocol
Andrew File System (AFS)
Apache JServ Protocol v1.3
Apple IP-over-IEEE 1394
AppleTalk Filing Protocol
AppleTalk Session Protocol
AppleTalk Transaction Protocol packet
Appletalk Address Resolution Protocol
Application Configuration Access Protocol
Art-Net
Aruba - Aruba Discovery Protocol
Async data over ISDN (V.120)
Asynchronous Layered Coding
Authentication Header
BACnet Virtual Link Control
BEA Tuxedo
BSSAP/BSAP
Banyan Vines ARP
Banyan Vines Echo
Banyan Vines Fragmentation Protocol
Banyan Vines ICP
Banyan Vines IP
Banyan Vines IPC
Banyan Vines LLC
Banyan Vines RTP
Banyan Vines SPP
Base Station Subsystem GPRS Protocol
Basic Encoding Rules (ASN.1 X.690)
Bearer Independent Call Control
Bi-directional Fault Detection Control Message
BitTorrent
Blocks Extensible Exchange Protocol
Blubster/Piolet MANOLITO Protocol
Boardwalk
Boot Parameters
Bootstrap Protocol
Border Gateway Protocol
Building Automation and Control Network APDU
Building Automation and Control Network NPDU
CBAPhysicalDevice
CCSDS
CDS Clerk Server Calls
Camel
Cast Client Control Protocol
Certificate Management Protocol
Certificate Request Message Format
Check Point High Availability Protocol
Checkpoint FW-1
Cisco Auto-RP
Cisco Discovery Protocol
Cisco Group Management Protocol
Cisco HDLC
Cisco Hot Standby Router Protocol
Cisco ISL
Cisco Interior Gateway Routing Protocol
Cisco NetFlow
Cisco SLARP
Cisco Session Management
Clearcase NFS
CoSine IPNOS L2 debug output
Common Industrial Protocol
Common Open Policy Service
Common Unix Printing System (CUPS) Browsing Protocol
Compuserve GIF
Configuration Test Protocol (loopback)
Connectionless Lightweight Directory Access Protocol
Coseventcomm Dissector Using GIOP API
Cosnaming Dissector Using GIOP API
Cross Point Frame Injector
Cryptographic Message Syntax
DCE Distributed Time Service Local Server
DCE Distributed Time Service Provider
DCE Name Service
DCE RPC
DCE Security ID Mapper
DCE/DFS BUDB
DCE/RPC BOS Server
DCE/RPC BUTC
DCE/RPC CDS Solicitation
DCE/RPC Conversation Manager
DCE/RPC Directory Acl Interface
DCE/RPC Endpoint Mapper
DCE/RPC Endpoint Mapper v4
DCE/RPC FLDB
DCE/RPC FLDB UBIK TRANSFER
DCE/RPC FLDB UBIKVOTE
DCE/RPC ICL RPC
DCE/RPC Kerberos V
DCE/RPC NCS 1.5.1 Local Location Broker
DCE/RPC Operations between registry server replicas
DCE/RPC Prop Attr
DCE/RPC RS_ACCT
DCE/RPC RS_BIND
DCE/RPC RS_MISC
DCE/RPC RS_PROP_ACCT
DCE/RPC RS_UNIX
DCE/RPC Registry Password Management
DCE/RPC Registry Server Attributes Schema
DCE/RPC Registry server propagation interface - ACLs.
DCE/RPC Registry server propagation interface - PGO items
DCE/RPC Registry server propagation interface - properties and policies
DCE/RPC Remote Management
DCE/RPC Repserver Calls
DCE/RPC TokenServer Calls
DCE/RPC UpServer
DCOM
DCOM IDispatch
DCOM IRemoteActivation
DCOM OXID Resolver
DEC Spanning Tree Protocol
DFS Calls
DG Gryphon Protocol
DHCP Failover
DHCPv6
DICOM
DNS Control Program Server
DOCSIS 1.1
DOCSIS Appendix C TLV's
DOCSIS Baseline Privacy Key Management Attributes
DOCSIS Baseline Privacy Key Management Request
DOCSIS Baseline Privacy Key Management Response
DOCSIS Dynamic Service Addition Acknowledge
DOCSIS Dynamic Service Addition Request
DOCSIS Dynamic Service Addition Response
DOCSIS Dynamic Service Change Acknowledgement
DOCSIS Dynamic Service Change Request
DOCSIS Dynamic Service Change Response
DOCSIS Dynamic Service Delete Request
DOCSIS Dynamic Service Delete Response
DOCSIS Initial Ranging Message
DOCSIS Mac Management
DOCSIS Range Request Message
DOCSIS Ranging Response
DOCSIS Registration Acknowledge
DOCSIS Registration Requests
DOCSIS Registration Responses
DOCSIS Upstream Bandwidth Allocation
DOCSIS Upstream Channel Change Request
DOCSIS Upstream Channel Change Response
DOCSIS Upstream Channel Descriptor
DOCSIS Upstream Channel Descriptor Type 29
DOCSIS Vendor Specific Endodings
DPNSS/DASS2-User Adaptation Layer
DRSUAPI
Data
Data Link SWitching
Data Stream Interface
Datagram Delivery Protocol
Decompressed SigComp message as raw text
Diameter Protocol
Digital Audio Access Protocol
Distance Vector Multicast Routing Protocol
Distcc Distributed Compiler
Distributed Checksum Clearinghouse Protocol
Distributed Network Protocol 3.0
Domain Name Service
Dynamic DNS Tools Protocol
Dynamic Trunking Protocol
ENTTEC
Echo
Encapsulating Security Payload
Endpoint Name Resolution Protocol
Enhanced Interior Gateway Routing Protocol
EtherNet/IP (Industrial Protocol)
Etheric
Ethernet
Ethernet over IP
Extended Security Services
Extensible Authentication Protocol
FC Extended Link Svc
FC Fabric Configuration Server
FCIP
FTP Data
FTServer Operations
Fiber Distributed Data Interface
Fibre Channel
Fibre Channel Common Transport
Fibre Channel Fabric Zone Server
Fibre Channel Name Server
Fibre Channel Protocol for SCSI
Fibre Channel SW_ILS
Fibre Channel Security Protocol
Fibre Channel Single Byte Command
File Transfer Protocol (FTP)
Financial Information eXchange Protocol
Frame
Frame Relay
G.723
GARP Multicast Registration Protocol
GARP VLAN Registration Protocol
GPRS Network service
GPRS Tunneling Protocol
GSM A-I/F BSSMAP
GSM A-I/F DTAP
GSM A-I/F RP
GSM SMS TPDU (GSM 03.40)
GSM Short Message Service User Data
GSM_MobileAPplication
General Inter-ORB Protocol
Generic Routing Encapsulation
Generic Security Service Application Program Interface
Gnutella Protocol
H.248 MEGACO
H235-SECURITY-MESSAGES
HP Extended Local-Link Control
HP Remote Maintenance Protocol
HP Switch Protocol
HP-UX Network Tracing and Logging
Hummingbird NFS Daemon
HyperSCSI
Hypertext Transfer Protocol
ICBAAccoCallback
ICBAAccoCallback2
ICBAAccoMgt
ICBAAccoMgt2
ICBAAccoServer
ICBAAccoServer2
ICBAAccoServerSRT
ICBAAccoSync
ICBABrowse
ICBABrowse2
ICBAGroupError
ICBAGroupErrorEvent
ICBALogicalDevice
ICBALogicalDevice2
ICBAPersist
ICBAPersist2
ICBAPhysicalDevice
ICBAPhysicalDevice2
ICBAPhysicalDevicePC
ICBAPhysicalDevicePCEvent
ICBARTAuto
ICBARTAuto2
ICBAState
ICBAStateEvent
ICBASystemProperties
ICBATime
ICQ Protocol
IEEE 802.11 Radiotap Capture header
IEEE 802.11 wireless LAN
IEEE 802.11 wireless LAN management frame
IEEE802a OUI Extended Ethertype
ILMI
INAP
IP Device Control (SS7 over IP)
IP Over FC
IP Payload Compression
IP Virtual Services Sync Daemon
IPX Message
IPX Routing Information Protocol
IPX WAN
IRemUnknown
IRemUnknown2
ISDN
ISDN Q.921-User Adaptation Layer
ISDN User Part
ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
ISO 8073 COTP Connection-Oriented Transport Protocol
ISO 8327-1 OSI Session Protocol
ISO 8473 CLNP ConnectionLess Network Protocol
ISO 8602 CLTP ConnectionLess Transport Protocol
ISO 8823 OSI Presentation Protocol
ISO 9542 ESIS Routeing Information Exchange Protocol
ISystemActivator ISystemActivator Resolver
ITU-T E.164 number
ITU-T Recommendation H.261
ITU-T Recommendation H.263 RTP Payload header (RFC2190)
InMon sFlow
Information Access Protocol
Intel ANS probe
Intelligent Platform Management Interface
Inter-Access-Point Protocol
Inter-Asterisk eXchange v2
InterSwitch Message Protocol
Interbase
Internet Cache Protocol
Internet Communications Engine Protocol
Internet Content Adaptation Protocol
Internet Control Message Protocol
Internet Control Message Protocol v6
Internet Group Management Protocol
Internet Group membership Authentication Protocol
Internet Message Access Protocol
Internet Printing Protocol
Internet Protocol
Internet Protocol Version 6
Internet Relay Chat
Internet Security Association and Key Management Protocol
Internetwork Datagram Protocol
Internetwork Packet eXchange
IrCOMM Protocol
IrDA Link Access Protocol
IrDA Link Management Protocol
JPEG File Interchange Format
JXTA P2P
Jabber XML Messaging
Java RMI
Java Serialization
Juniper
Kerberized Internet Negotiation of Key
Kerberos
Kerberos Administration
Kerberos v4
Kernel Lock Manager
LWAP Control Message
LWAPP Encapsulated Packet
LWAPP Layer 3 Packet
Label Distribution Protocol
Laplink
Layer 2 Tunneling Protocol
Light Weight DNS RESolver (BIND9)
Lightweight Directory Access Protocol
Line Printer Daemon Protocol
Line-based text data
Link Access Procedure Balanced (LAPB)
Link Access Procedure Balanced Ethernet (LAPBETHER)
Link Access Procedure, Channel D (LAPD)
Link Management Protocol (LMP)
Linux cooked-mode capture
Local Management Interface
LocalTalk Link Access Protocol
Log Message
Logical Link Control GPRS
Logical-Link Control
Logotype Certificate Extensions
Lucent/Ascend debug output
MAC Control
MAP_DialoguePDU
MDS Header
MEGACO
MIME Multipart Media Encapsulation
MMS Message Encapsulation
MS Kpasswd
MS Proxy Protocol
MSN Messenger Service
MSNIP: Multicast Source Notification of Interest Protocol
MTP 2 Transparent Proxy
MTP 2 User Adaptation Layer
MTP 3 User Adaptation Layer
MTP2 Peer Adaptation Layer
Media Gateway Control Protocol
Media Type
Media Type: application/x-jxta-msg
Media Type: message/http
Message Transfer Part Level 2
Message Transfer Part Level 3
Message Transfer Part Level 3 Management
Meta Analysis Tracing Engine
Microsoft Distributed File System
Microsoft Distributed Link Tracking Server Service
Microsoft Encrypted File System Service
Microsoft Eventlog Service
Microsoft Exchange MAPI
Microsoft File Replication Service
Microsoft File Replication Service API
Microsoft Local Security Architecture
Microsoft Messenger Service
Microsoft Network Logon
Microsoft Plug and Play service
Microsoft Registry
Microsoft Routing and Remote Access Service
Microsoft Security Account Manager
Microsoft Server Service
Microsoft Service Control
Microsoft Spool Subsystem
Microsoft Task Scheduler Service
Microsoft Telephony API Service
Microsoft Windows Browser Protocol
Microsoft Windows Lanman Remote API Protocol
Microsoft Windows Logon Protocol (Old)
Microsoft Workstation Service
Mobile IP
Mobile IPv6
Modbus/TCP
Monotone Netsync
Mount Service
MultiProtocol Label Switching Header
Multicast Router DISCovery protocol
Multicast Source Discovery Protocol
Multiprotocol Label Switching Echo
MySQL Protocol
NFSACL
NFSAUTH
NIS+
NIS+ Callback
NSPI
NTLM Secure Service Provider
Name Binding Protocol
Name Management Protocol over IPX
Negative-acknowledgment Oriented Reliable Multicast
NetBIOS
NetBIOS Datagram Service
NetBIOS Name Service
NetBIOS Session Service
NetBIOS over IPX
NetScape Certificate Extensions
NetWare Core Protocol
NetWare Link Services Protocol
NetWare Serialization Protocol
Network Data Management Protocol
Network File System
Network Lock Manager Protocol
Network News Transfer Protocol
Network Service Over IP
Network Status Monitor CallBack Protocol
Network Status Monitor Protocol
Network Time Protocol
Nortel SONMP
Novell Distributed Print System
Novell Modular Authentication Service
Null/Loopback
OSI ISO 8571 FTAM Protocol
OSI ISO/IEC 10035-1 ACSE Protocol
Online Certificate Status Protocol
Open Policy Service Interface
Open Shortest Path First
OpenBSD Encapsulating device
OpenBSD Packet Filter log file
OpenBSD Packet Filter log file, pre 3.4
Optimized Link State Routing Protocol
PC NFS
PKCS#1
PKINIT
PKIX CERT File Format
PKIX Qualified
PKIX Time Stamp Protocol
PKIX1Explitit
PKIX1Implitit
PKIXProxy (RFC3820)
PPP Bandwidth Allocation Control Protocol
PPP Bandwidth Allocation Protocol
PPP CDP Control Protocol
PPP Callback Control Protocol
PPP Challenge Handshake Authentication Protocol
PPP Compressed Datagram
PPP Compression Control Protocol
PPP IP Control Protocol
PPP IPv6 Control Protocol
PPP In HDLC-Like Framing
PPP Link Control Protocol
PPP MPLS Control Protocol
PPP Multilink Protocol
PPP Multiplexing
PPP OSI Control Protocol
PPP Password Authentication Protocol
PPP VJ Compression
PPP-over-Ethernet Discovery
PPP-over-Ethernet Session
PPPMux Control Protocol
PROFINET DCP
PROFINET IO
PROFINET Real-Time Protocol
Packed Encoding Rules (ASN.1 X.691)
Packet Cable Lawful Intercept
PacketCable
Plan 9 9P
Point-to-Point Protocol
Point-to-Point Tunnelling Protocol
Port Aggregation Protocol
Portmap
Post Office Protocol
PostgreSQL
Pragmatic General Multicast
Precision Time Protocol (IEEE1588)
Prism
Privilege Server operations
Protocol Independent Multicast
Q.2931
Q.931
Q.933
Quake II Network Protocol
Quake III Arena Network Protocol
Quake Network Protocol
QuakeWorld Network Protocol
Qualified Logical Link Control
RDM
RFC 2250 MPEG1
RFC 2833 RTP Event
RIPng
RPC Browser
RS Interface properties
RSTAT
RSYNC File Synchroniser
RTcfg
RX Protocol
Radio Access Network Application Part
Radius Protocol
Raw packet data
Real Data Transport
Real Time Streaming Protocol
Real-Time Media Access Control
Real-Time Publish-Subscribe Wire Protocol
Real-Time Transport Protocol
Real-time Transport Control Protocol
Redback
Redundant Link Management Protocol
Registry Server Attributes Manipulation Interface
Registry server administration operations.
Reliable UDP
Remote Management Control Protocol
Remote Override interface
Remote Procedure Call
Remote Program Load
Remote Quota
Remote Shell
Remote Shutdown
Remote Wall protocol
Remote sec_login preauth interface.
Resource ReserVation Protocol (RSVP)
Retix Spanning Tree Protocol
Rlogin Protocol
Routing Information Protocol
Routing Table Maintenance Protocol
SADMIND
SCSI
SEBEK - Kernel Data Capture
SGI Mount Service
SMB (Server Message Block Protocol)
SMB MailSlot Protocol
SMB Pipe Protocol
SNA-over-Ethernet
SNMP Multiplex Protocol
SPNEGO-KRB5
SPRAY
SS7 SCCP-User Adaptation Layer
SSCF-NNI
SSCOP
SSH Protocol
Secure Socket Layer
Sequenced Packet Protocol
Sequenced Packet eXchange
Serial Infrared
Service Advertisement Protocol
Service Location Protocol
Session Announcement Protocol
Session Description Protocol
Session Initiation Protocol
Session Initiation Protocol (SIP as raw text)
Short Message Peer to Peer
Short Message Relaying Service
Signaling Compression
Signalling Connection Control Part
Signalling Connection Control Part Management
Simple Mail Transfer Protocol
Simple Network Management Protocol
Simple Traversal of UDP Through NAT
Sinec H1 Protocol
Sipfrag
Skinny Client Control Protocol
SliMP3 Communication Protocol
Slow Protocols
Socks Protocol
SoulSeek Protocol
Spanning Tree Protocol
Spnego
Stream Control Transmission Protocol
Subnetwork Dependent Convergence Protocol
Symantec Enterprise Firewall
Synchronous Data Link Control (SDLC)
Syslog message
Systems Network Architecture
Systems Network Architecture XID
T.38
TACACS
TACACS+
TDMA RTmac Discipline
TEI Management Procedure, Channel D (LAPD)
TPKT
Tabular Data Stream
Tazmen Sniffer Protocol
Telnet
Teredo IPv6 over UDP tunneling
Time Protocol
Time Synchronization Protocol
Tiny Transport Protocol
Token-Ring
Token-Ring Media Access Control
Transaction Capabilities Application Part
Transmission Control Protocol
Transparent Network Substrate Protocol
Transport Adapter Layer Interface v1.0, RFC 3094
Trivial File Transfer Protocol
UDP Encapsulation of IPsec Packets
Universal Computer Protocol
Unlicensed Mobile Access
User Datagram Protocol
V5.2-User Adaptation Layer
Virtual Network Computing
Virtual Router Redundancy Protocol
Virtual Trunking Protocol
WAP Binary XML
WAP Session Initiation Request
Web Cache Coordination Protocol
WebSphere MQ
WebSphere MQ Programmable Command Formats
Wellfleet Breath of Life
Wellfleet Compression
Wellfleet HDLC
Who
Windows 2000 DNS
Wireless Session Protocol
Wireless Transaction Protocol
Wireless Transport Layer Security
X Display Manager Control Protocol
X.25
X.25 over TCP
X.29
X.509 Authentication Framework
X.509 Certificate Extensions
X.509 Information Framework
X.509 Selected Attribute Types
X11
X711 CMIP
Xyplex
Yahoo Messenger Protocol
Yahoo YMSG Messenger Protocol
Yellow Pages Bind
Yellow Pages Passwd
Yellow Pages Service
Yellow Pages Transfer
Zebra Protocol
Zone Information Protocol
eDonkey Protocol
eXtensible Markup Language
giFT Internet File Transfer
h225
h245
h450
iSCSI
iSNS

|
Q 1.6: Are there any plans to support {your favorite protocol}?

A: Support for particular protocols is added to Ethereal as a result of
people contributing that support; no formal plans for adding support for
particular protocols in particular future releases exist.

|
Q 1.7: Can Ethereal read capture files from {your favorite network
analyzer}?

A: Support for particular capture file formats is added to Ethereal as a
result of people contributing that support; no formal plans for adding
support for particular capture file formats in particular future releases
exist.

If a network analyzer writes out files in a format already supported by
Ethereal (e.g., in libpcap format), Ethereal may already be able to read
them, unless the analyzer has added its own proprietary extensions to that
format.

If a network analyzer writes out files in its own format, or has added
proprietary extensions to another format, in order to make Ethereal read
captures from that network analyzer, we would either have to have a
specification for the file format, or the extensions, sufficient to give us
enough information to read the parts of the file relevant to Ethereal, or
would need at least one capture file in that format AND a detailed textual
analysis of the packets in that capture file (showing packet time stamps,
packet lengths, and the top-level packet header) in order to
reverse-engineer the file format.

Note that there is no guarantee that we will be able to reverse-engineer a
capture file format.

|
Q 1.8: What devices can Ethereal use to capture packets?

A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial (PPP
and SLIP) (if the OS on which it's running allows Ethereal to do so), 802.11
wireless LAN (if the OS on which it's running allows Ethereal to do so), ATM
connections (if the OS on which it's running allows Ethereal to do so), and
the "any" device supported on Linux by recent versions of libpcap. See the
list of supported capture media on various OSes for details (several items
in there say "Unknown", which doesn't mean "Ethereal can't capture on them",
it means "we don't know whether it can capture on them"; we expect that it
will be able to capture on many of them, but we haven't tried it ourselves -
if you try one of those types and it works, please send an update to
ethereal-web[AT]ethereal.com ).

It can also read a variety of capture file formats, including:

* AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
  Grabber captures
* AIX's iptrace captures
* Accellent's 5Views LAN agent output
* Cinco Networks NetXRay captures
* Cisco Secure Intrusion Detection System IPLog output
* CoSine L2 debug output
* DBS Etherwatch VMS text output
* Endace Measurement Systems' ERF format captures
* EyeSDN USB S0 traces
* HP-UX nettl captures
* ISDN4BSD project i4btrace captures
* Linux Bluez Bluetooth stack hcidump -w traces
* Lucent/Ascend router debug output
* Microsoft Network Monitor captures
* Network Associates Windows-based Sniffer captures
* Network General/Network Associates DOS-based Sniffer (compressed or
  uncompressed) captures
* Network Instruments Observer version 9 captures
* Novell LANalyzer captures
* RADCOM's WAN/LAN analyzer captures
* Shomiti/Finisar Surveyor captures
* Toshiba's ISDN routers dump output
* VMS TCPIPtrace/TCPtrace/UCX$TRACE output
* Visual Networks' Visual UpTime traffic capture
* libpcap, tcpdump and various other tools using tcpdump's capture format
* snoop and atmsnoop output

so that it can read traces from various network types, as captured by other
applications or equipment, even if it cannot itself capture on those network
types.
|
|
|
|
Q 1.9: How do you pronounce Ethereal? Where did the name come from?

A: The English pronunciation can be found in Merriam-Webster's online
dictionary at
http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.

According to the book "Computer Networks" by Andrew Tanenbaum, Ethernet was
named after the "luminiferous ether" which was once thought to carry
electromagnetic radiation. Taking that into consideration, Ethereal seemed
like an appropriate name for something that started out as an Ethernet
analyzer.

2. Downloading Ethereal

Q 2.1: I downloaded the Win32 installer, but when I try to run it, I get an
error.

A: The program you used to download it may have downloaded it incorrectly.
Web browsers sometimes may do this.

Try downloading it with, for example:

  * Wget, for which Windows binaries are available on the SunSITE FTP server
    at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI offers a GUI
    interface that uses wget;
  * WS_FTP from Ipswitch,
  * the ftp command that comes with Windows.

If you use the ftp command, make sure you do the transfer in binary mode
rather than ASCII mode, by using the binary command before transferring the
file.

Q 2.2: When I try to download the WinPcap driver and library, I can't get to
the WinPcap Web site.

A: As is the case with all Web sites, that site won't necessarily always be
accessible; the server may be down due to a problem or down for maintenance,
or there may be a networking problem between you and the server. You should
try again later, or try the local mirror or the Wiretapped.net mirror.

3. Installing Ethereal

Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
installed; only Tethereal is installed.

A: Older versions of the Red Hat RPMs for Ethereal put only the non-GUI
components into the ethereal RPM, the fact that Ethereal is a GUI program
notwithstanding; newer versions make it a bit clearer by giving that RPM a
name starting with ethereal-base.

In those older versions, there's a separate ethereal-gnome RPM that includes
GUI components such as Ethereal itself, the fact that Ethereal doesn't use
GNOME notwithstanding; newer versions make it a bit clearer by giving that
RPM a name starting with ethereal-gtk+.

Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.

4. Building Ethereal

Q 4.1: The configure script can't find pcap.h or bpf.h, but I have libpcap
installed.

A: Are you sure pcap.h and bpf.h are installed? The official distribution of
libpcap only installs the libpcap.a library file when "make install" is run.
To install pcap.h and bpf.h, you must run "make install-incl". If you're
running Debian or Red Hat, make sure you have the "libpcap-dev" or
"libpcap-devel" packages installed.

It's also possible that pcap.h and bpf.h have been installed in a strange
location. If this is the case, you may have to tweak aclocal.m4.

Q 4.2: Why do I get the error

    dftest_DEPENDENCIES was already defined in condition TRUE, which implies
    condition HAVE_PLUGINS_TRUE

when I try to build Ethereal from SVN or a SVN snapshot?

A: You probably have automake 1.5 installed on your machine (the command
automake --version will report the version of automake on your machine).
There is a bug in that version of automake that causes this problem; upgrade
to a later version of automake (1.6 or later).

Q 4.3: The link fails with a number of "Output line too long." messages
followed by linker errors.

A: The version of the sed command on your system is incapable of handling
very long lines. On Solaris, for example, /usr/bin/sed has a line length
limit too low to allow libtool to work; /usr/xpg4/bin/sed can handle it, as
can GNU sed if you have it installed.

On Solaris, changing your command search path to search /usr/xpg4/bin before
/usr/bin should make the problem go away; on any platform on which you have
this problem, installing GNU sed and changing your command path to search
the directory in which it is installed before searching the directory with
the version of sed that came with the OS should make the problem go away.

Q 4.4: The link fails on Solaris because plugin_list is undefined.

A: This appears to be due to a problem with some versions of the GTK+ and
GLib packages from www.sunfreeware.org; un-install those packages, and try
getting the 1.2.10 versions from that site, or the versions from The Written
Word, or the versions from Sun's GNOME distribution, or the versions from
the supplemental software CD that comes with the Solaris media kit, or build
them from source from the GTK Web site. Then re-run the configuration
script, and try rebuilding Ethereal. (If you get the 1.2.10 versions from
www.sunfreeware.org, and the problem persists, un-install them and try
installing one of the other versions mentioned.)

Q 4.5: The build fails on Windows because of conflicts between winsock.h and
winsock2.h.

A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and the
corresponding version of the developer's pack, in order to be able to
compile Ethereal; it will not compile with older versions of the developer's
pack. The symptoms of this failure are conflicts between definitions in
winsock.h and in winsock2.h; Ethereal uses winsock2.h, but pre-2.3 versions
of the WinPcap developer's pack use winsock.h. (2.3 uses winsock2.h, so if
Ethereal were to use winsock.h, it would not be able to build with current
versions of the WinPcap developer's pack.)

Note that the installed version of the developer's pack should be the same
version as the version of WinPcap you have installed.

5. Using Ethereal

Q 5.1: When I use Ethereal to capture packets, I see only packets to and
from my machine, or I'm not seeing all the traffic I'm expecting to see from
or to the machine I'm trying to monitor.

A: This might be because the interface on which you're capturing is plugged
into an Ethernet or Token Ring switch; on a switched network, unicast
traffic between two ports will not necessarily appear on other ports - only
broadcast and multicast traffic will be sent to all ports.

Note that even if your machine is plugged into a hub, the "hub" may be a
switched hub, in which case you're still on a switched network.

Note also that on the Linksys Web site, they say that their auto-sensing
hubs "broadcast the 10Mb packets to the port that operate at 10Mb only and
broadcast the 100Mb packets to the ports that operate at 100Mb only", which
would indicate that if you sniff on a 10Mb port, you will not see traffic
sent to a 100Mb port, and vice versa. This problem has also been reported
for Netgear dual-speed hubs, and may exist for other "auto-sensing" or
"dual-speed" hubs.

Some switches have the ability to replicate all traffic on all ports to a
single port so that you can plug your analyzer into that single port to
sniff all traffic. You would have to check the documentation for the switch
to see if this is possible and, if so, to see how to do this. See the switch
reference page on the Ethereal Wiki for information on some switches. (Note
that it's a Wiki, so you can update or fix that information, or add
additional information on those switches or information on new switches,
yourself.)

Note also that many firewall/NAT boxes have a switch built into them; this
includes many of the "cable/DSL router" boxes. If you have a box of that
sort, that has a switch with some number of Ethernet ports into which you
plug machines on your network, and another Ethernet port used to connect to
a cable or DSL modem, you can, at least, sniff traffic between the machines
on your network and the Internet by plugging the Ethernet port on the router
going to the modem, the Ethernet port on the modem, and the machine on which
you're running Ethereal into a hub (make sure it's not a switching hub, and
that, if it's a dual-speed hub, all three of those ports are running at the
same speed).

If your machine is not plugged into a switched network or a dual-speed hub,
or it is plugged into a switched network but the port is set up to have all
traffic replicated to it, the problem might be that the network interface on
which you're capturing doesn't support "promiscuous" mode, or because your
OS can't put the interface into promiscuous mode. Normally, network
interfaces supply to the host only:

  * packets sent to one of that host's link-layer addresses;
  * broadcast packets;
  * multicast packets sent to a multicast address that the host has
    configured the interface to accept.

Most network interfaces can also be put in "promiscuous" mode, in which they
supply to the host all network packets they see. Ethereal will try to put
the interface on which it's capturing into promiscuous mode unless the
"Capture packets in promiscuous mode" option is turned off in the "Capture
Options" dialog box, and Tethereal will try to put the interface on which
it's capturing into promiscuous mode unless the -p option was specified.
However, some network interfaces don't support promiscuous mode, and some
OSes might not allow interfaces to be put into promiscuous mode.

If the interface is not running in promiscuous mode, it won't see any
traffic that isn't intended to be seen by your machine. It will see
broadcast packets, and multicast packets sent to a multicast MAC address the
interface is set up to receive.

You should ask the vendor of your network interface whether it supports
promiscuous mode. If it does, you should ask whoever supplied the driver for
the interface (the vendor, or the supplier of the OS you're running on your
machine) whether it supports promiscuous mode with that network interface.

In the case of token ring interfaces, the drivers for some of them, on
Windows, may require promiscuous mode to be explicitly enabled for the
driver before Ethereal can capture in promiscuous mode. See the Ethereal
Wiki item on Token Ring capturing for details.

In the case of wireless LAN interfaces, it appears that, when those
interfaces are promiscuously sniffing, they're running in a significantly
different mode from the mode that they run in when they're just acting as
network interfaces (to the extent that it would be a significant effort for
those drivers to support promiscuous sniffing and acting as regular network
interfaces at the same time), so it may be that Windows drivers for those
interfaces don't support promiscuous mode.

Q 5.2: I can't see any TCP packets other than packets to and from my
machine, even though another analyzer on the network sees those packets.

A: You're probably not seeing any packets other than unicast packets to or
from your machine, and broadcast and multicast packets; a switch will
normally send to a port only unicast traffic sent to the MAC address for the
interface on that port, and broadcast and multicast traffic - it won't send
to that port unicast traffic sent to a MAC address for some other interface
- and a network interface not in promiscuous mode will receive only unicast
traffic sent to the MAC address for that interface, broadcast traffic, and
multicast traffic sent to a multicast MAC address the interface is set up to
receive.

TCP doesn't use broadcast or multicast, so you will only see your own TCP
traffic, but UDP services may use broadcast or multicast so you'll see some
UDP traffic - however, this is not a problem with TCP traffic, it's a
problem with unicast traffic, as you also won't see all UDP traffic between
other machines.

I.e., this is probably the same question as this earlier one; see the
response to that question.

Q 5.3: I'm only seeing ARP packets when I try to capture traffic.

A: You're probably on a switched network, and running Ethereal on a machine
that's not sending traffic to the switch and not being sent any traffic from
other machines on the switch. ARP packets are often broadcast packets, which
are sent to all switch ports.

I.e., this is probably the same question as this earlier one; see the
response to that question.

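Questions 5.1 through 5.3 all come down to two independent filters sitting between the wire and Ethereal: the switch, which delivers known-unicast frames to one port only, and the capturing interface's own receive filter, which without promiscuous mode passes up only its own unicast, broadcast, and subscribed multicast. The following added example (not Ethereal code) models both as small simulations and runs the same constructed traffic through the configurations the FAQ discusses: a plain switch, a switch with a port set up to replicate all traffic, and a non-switching hub, each with and without promiscuous mode. The topology, MAC addresses and frame labels are made up for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MAC addresses have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1

class Hub:
    """A (non-switching) hub repeats every frame to every other port."""
    def __init__(self, ports):
        self.ports = list(ports)
    def forward(self, in_port, src, dst):
        return {p for p in self.ports if p != in_port}

class LearningSwitch:
    """A switch learns which port each source MAC lives on and sends known unicast
    frames only there; unknown-destination, broadcast and group traffic is flooded.
    mirror_port models the "replicate all traffic to a single port" feature."""
    def __init__(self, ports, mirror_port=None):
        self.ports = list(ports)
        self.table = {}             # source MAC -> port it was last seen on
        self.mirror_port = mirror_port
    def forward(self, in_port, src, dst):
        self.table[src] = in_port
        if dst == BROADCAST or is_group_address(dst) or dst not in self.table:
            out = {p for p in self.ports if p != in_port}
        else:
            out = {self.table[dst]} - {in_port}
        if self.mirror_port is not None and self.mirror_port != in_port:
            out.add(self.mirror_port)
        return out

class Nic:
    """Receive filter of a network interface: outside promiscuous mode it passes up
    only frames to its own MAC, broadcast, and the multicast groups it has joined."""
    def __init__(self, mac, multicast_groups=(), promiscuous=False):
        self.mac, self.groups, self.promiscuous = mac, set(multicast_groups), promiscuous
    def accepts(self, dst):
        return self.promiscuous or dst == self.mac or dst == BROADCAST or dst in self.groups

def run_capture(fabric, sniffer_port, nic, traffic):
    """Return the labels of the frames that both reach the sniffer's port and pass
    its NIC filter, i.e. what Ethereal would actually be handed."""
    seen = []
    for in_port, src, dst, label in traffic:
        if sniffer_port in fabric.forward(in_port, src, dst) and nic.accepts(dst):
            seen.append(label)
    return seen

# Constructed topology: hosts A (port 1) and B (port 2), the sniffer on port 3.
MAC_A, MAC_B, MAC_SNIFF = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
MDNS = "01:00:5e:00:00:fb"          # an IPv4 multicast MAC the sniffer has not joined
TRAFFIC = [
    (1, MAC_A, BROADCAST, "arp-request A->broadcast"),
    (2, MAC_B, MAC_A,     "arp-reply B->A"),
    (1, MAC_A, MAC_B,     "tcp-syn A->B"),
    (2, MAC_B, MAC_A,     "tcp-syn/ack B->A"),
    (1, MAC_A, MDNS,      "mdns A->multicast"),
    (2, MAC_B, MAC_SNIFF, "icmp-echo B->sniffer"),
]

def scenarios():
    """Each scenario gets a fresh fabric so the switch's address table starts empty."""
    ports = (1, 2, 3)
    plain, promisc = Nic(MAC_SNIFF), Nic(MAC_SNIFF, promiscuous=True)
    return {
        "switch, no promiscuous":      run_capture(LearningSwitch(ports), 3, plain, TRAFFIC),
        "switch, promiscuous":         run_capture(LearningSwitch(ports), 3, promisc, TRAFFIC),
        "mirror port, no promiscuous": run_capture(LearningSwitch(ports, mirror_port=3), 3, plain, TRAFFIC),
        "mirror port, promiscuous":    run_capture(LearningSwitch(ports, mirror_port=3), 3, promisc, TRAFFIC),
        "hub, promiscuous":            run_capture(Hub(ports), 3, promisc, TRAFFIC),
    }

if __name__ == "__main__":
    for name, seen in scenarios().items():
        print("%-28s %d of %d frames: %s" % (name, len(seen), len(TRAFFIC), ", ".join(seen)))
```

The runs show why the FAQ keeps pointing the three questions at the same answer: on the plain switch the sniffer gets only the ARP broadcast and the one frame addressed to it, turning promiscuous mode on adds nothing but the multicast frame, and a mirrored port alone adds nothing at all; both the switch and the NIC filter have to be dealt with before the A/B TCP exchange becomes visible.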
Q 5.4: I'm running Ethereal on Windows; why does some network interface on
my machine not show up in the list of interfaces in the "Interface:" field
in the dialog box popped up by "Capture->Start", and/or why does Ethereal
give me an error if I try to capture on that interface?

A: If you are running Ethereal on Windows NT 4.0, Windows 2000, Windows XP,
or Windows Server 2003, and this is the first time you have run a
WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, or
Analyzer, or...) since the machine was rebooted, you need to run that
program from an account with administrator privileges; once you have run
such a program, you will not need administrator privileges to run any such
programs until you reboot.

If you are running on Windows 95/98/Me, or if you are running on Windows NT
4.0/Windows 2000/Windows XP/Windows Server 2003 and have administrator
privileges or a WinPcap-based program has been run with those privileges
since the machine rebooted, this problem might clear up if you completely
un-install WinPcap and then re-install it.

If that doesn't work, then note that Ethereal relies on the WinPcap library,
on the WinPcap device driver, and on the facilities that come with the OS on
which it's running in order to do captures.

Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
support capturing on a particular network interface device, Ethereal won't
be able to capture on that device.

Note that:

  1. 2.02 and earlier versions of the WinPcap driver and library that
     Ethereal uses for packet capture didn't support Token Ring interfaces;
     versions 2.1 and later support Token Ring, and the current version of
     Ethereal works with (and, in fact, requires) WinPcap 2.1 or later.

     If you are having problems capturing on Token Ring interfaces, and you
     have WinPcap 2.02 or an earlier version of WinPcap installed, you should
     uninstall WinPcap, download and install the current version of WinPcap,
     and then install the latest version of Ethereal.

  2. On Windows 95, 98, or Me, sometimes more than one interface will be
     given the same name; if that is the case, you will only be able to
     capture on one of those interfaces - it's not clear to which one the
     name, when used in a WinPcap-based application, will refer. For example,
     if you have a PPP serial interface and a VPN interface, they might show
     up with the same name, for example "ppp-mac", and if you try to capture
     on "ppp-mac", it might not capture on the interface you're currently
     using. In that case, you might, for example, have to remove the VPN
     interface from the system in order to capture on the PPP serial
     interface.

  3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows NT
     4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to avoid
     those problems, support for PPP WAN interfaces on those versions of
     Windows has been disabled in WinPcap 3.0. Regular dial-up lines, ISDN
     lines, ADSL connections using PPPoE or PPPoA, and various other lines
     such as T1/E1 lines are all PPP interfaces, so those interfaces might
     not show up on the list of interfaces in the "Capture Options" dialog on
     those OSes.

     On Windows 2000 and later, installing the beta version of WinPcap 3.1
     might help, although, as it's a beta version, that might cause some
     other problems that don't occur with older versions of WinPcap; you
     should report those problems to the WinPcap developers, so that they can
     try to fix those problems before the final version of WinPcap 3.1 is
     released. WinPcap 3.1 will not support PPP captures on Windows NT 4.0.
     See the Ethereal Wiki item on PPP capturing for details.

  4. WinPcap prior to 3.0 does not support multiprocessor machines (note that
     machines with a single multi-threaded processor, such as Intel's new
     multi-threaded x86 processors, are multiprocessor machines as far as the
     OS and WinPcap are concerned), and recent 2.x versions of WinPcap refuse
     to operate if they detect that they're running on a multiprocessor
     machine, which means that they may not show any network interfaces. You
     will need to use WinPcap 3.0 to capture on a multiprocessor machine.

If an interface doesn't show up in the list of interfaces in the
"Interface:" field, and you know the name of the interface, try entering
that name in the "Interface:" field and capturing on that device.

If the attempt to capture on it succeeds, the interface is somehow not being
reported by the mechanism Ethereal uses to get a list of interfaces. Try
listing the interfaces with WinDump; see the WinDump Web site or the local
mirror of the WinDump Web site for information on using WinDump.

You would run WinDump with the -D flag; if it lists the interface, please
report this to ethereal-dev@ethereal.com giving full details of the problem,
including

  * the operating system you're using, and the version of that operating
    system;
  * the type of network device you're using;
  * the output of WinDump.

If WinDump does not list the interface, this is almost certainly a problem
with one or more of:

  * the operating system you're using;
  * the device driver for the interface you're using;
  * the WinPcap library and/or the WinPcap device driver;

so first check the WinPcap FAQ, the local mirror of that FAQ, or the
Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
there. If not, then see the WinPcap support page (or the local mirror of
that page) - check the "Submitting bugs" section.

If you are having trouble capturing on a particular network interface, first
try capturing on that device with WinDump; see the WinDump Web site or the
local mirror of the WinDump Web site for information on using WinDump.

If you can capture on the interface with WinDump, send mail to
ethereal-users@ethereal.com giving full details of the problem, including

  * the operating system you're using, and the version of that operating
    system;
  * the type of network device you're using;
  * the error message you get from Ethereal.

If you cannot capture on the interface with WinDump, this is almost
certainly a problem with one or more of:

  * the operating system you're using;
  * the device driver for the interface you're using;
  * the WinPcap library and/or the WinPcap device driver;

so first check the WinPcap FAQ, the local mirror of that FAQ, or the
Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
there. If not, then see the WinPcap support page (or the local mirror of
that page) - check the "Submitting bugs" section.

You may also want to ask the ethereal-users@ethereal.com and the
winpcap-users@winpcap.org mailing lists to see if anybody happens to know
about the problem and know a workaround or fix for the problem. (Note that
you will have to subscribe to that list in order to be allowed to mail to
it; see the WinPcap support page, or the local mirror of that page, for
information on the mailing list.) In your mail, please give full details of
the problem, as described above, and also indicate that the problem occurs
with WinDump, not just with Ethereal.

Q 5.5: I'm running Ethereal on Windows; why do no network interfaces show up
in the list of interfaces in the "Interface:" field in the dialog box popped
up by "Capture->Start"?

A: This is really the same question as the previous one; see the response to
that question.

Q 5.6: I'm running Ethereal on Windows; why doesn't my serial port/ADSL
modem/ISDN modem show up in the list of interfaces in the "Interface:" field
in the dialog box popped up by "Capture->Start"?

A: Internet access on those devices is often done with the Point-to-Point
(PPP) protocol; WinPcap 2.3 has problems supporting PPP WAN interfaces on
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
avoid those problems, support for PPP WAN interfaces on those versions of
Windows has been disabled in WinPcap 3.0.

On Windows 2000 and later, installing the beta version of WinPcap 3.1 might
help, although, as it's a beta version, that might cause some other problems
that don't occur with older versions of WinPcap; you should report those
problems to the WinPcap developers, so that they can try to fix those
problems before the final version of WinPcap 3.1 is released. WinPcap 3.1
will not support PPP captures on Windows NT 4.0. See the Ethereal Wiki item
on PPP capturing for details.

Q 5.7: I'm running Ethereal on a UNIX-flavored OS; why does some network
interface on my machine not show up in the list of interfaces in the
"Interface:" field in the dialog box popped up by "Capture->Start", and/or
why does Ethereal give me an error if I try to capture on that interface?

A: You may need to run Ethereal from an account with sufficient privileges
to capture packets, such as the super-user account, or may need to give your
account sufficient privileges to capture packets. Only those interfaces that
Ethereal can open for capturing show up in that list; if you don't have
sufficient privileges to capture on any interfaces, no interfaces will show
up in the list. See the Ethereal Wiki item on capture privileges for details
on how to give a particular account or account group capture privileges on
platforms where that can be done.

If you are running Ethereal from an account with sufficient privileges, then
note that Ethereal relies on the libpcap library, and on the facilities that
come with the OS on which it's running in order to do captures. On some
OSes, those facilities aren't present by default; see the Ethereal Wiki item
on adding capture support for details.

And, even if you're running with an account that has sufficient privileges
to capture, and capture support is present in your OS, if the OS or the
libpcap library don't support capturing on a particular network interface
device or particular types of devices, Ethereal won't be able to capture on
that device.

On Solaris, note that libpcap 0.6.2 and earlier didn't support Token Ring
interfaces; the current version, 0.7.2, does support Token Ring, and the
current version of Ethereal works with libpcap 0.7.2 and later.

If an interface doesn't show up in the list of interfaces in the
"Interface:" field, and you know the name of the interface, try entering
that name in the "Interface:" field and capturing on that device.

If the attempt to capture on it succeeds, the interface is somehow not being
reported by the mechanism Ethereal uses to get a list of interfaces; please
report this to ethereal-dev@ethereal.com giving full details of the problem,
including

  * the operating system you're using, and the version of that operating
    system (for Linux, give both the version number of the kernel and the
    name and version number of the distribution you're using);
  * the type of network device you're using.

If you are having trouble capturing on a particular network interface, and
you've made sure that (on platforms that require it) you've arranged that
packet capture support is present, as per the above, first try capturing on
that device with tcpdump.

If you can capture on the interface with tcpdump, send mail to
ethereal-users@ethereal.com giving full details of the problem, including

  * the operating system you're using, and the version of that operating
    system (for Linux, give both the version number of the kernel and the
    name and version number of the distribution you're using);
  * the type of network device you're using;
  * the error message you get from Ethereal.

If you cannot capture on the interface with tcpdump, this is almost
certainly a problem with one or more of:

  * the operating system you're using;
  * the device driver for the interface you're using;
  * the libpcap library;

so you should report the problem to the company or organization that
produces the OS (in the case of a Linux distribution, report the problem to
whoever produces the distribution).

You may also want to ask the ethereal-users@ethereal.com and the
tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to know
about the problem and know a workaround or fix for the problem. In your
mail, please give full details of the problem, as described above, and also
indicate that the problem occurs with tcpdump, not just with Ethereal.

Q 5.8: I'm running Ethereal on a UNIX-flavored OS; why do no network
interfaces show up in the list of interfaces in the "Interface:" field in
the dialog box popped up by "Capture->Start"?

A: This is really the same question as the previous one; see the response to
that question.

Q 5.9: Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?

A: Ethereal can only capture on devices supported by libpcap/WinPcap. On
most OSes, only devices that can act as network interfaces of the type that
support IP are supported as capture devices for libpcap/WinPcap, although
the device doesn't necessarily have to be running as an IP interface in
order to support traffic capture.

On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
Measurement Systems' DAG cards, so that a system with one of those cards,
and its driver and libraries, installed can capture traffic with those cards
with libpcap-based applications. You would either have to have a version of
Ethereal built with that version of libpcap, or a dynamically-linked version
of Ethereal and a shared libpcap library with DAG support, in order to do so
with Ethereal. You should ask Endace whether that could be used to capture
traffic on, for example, your T1/E1 link.

There is currently no hardware to support capturing on SS7 links with
libpcap. (Note that the fact that Ethereal includes dissectors for many SS7
protocols doesn't imply that it can capture traffic from SS7 links; those
protocols can be run over Internet protocols.)

Q 5.10: How do I put an interface into promiscuous mode?

A: By not disabling promiscuous mode when running Ethereal or Tethereal.

Note, however, that:

  * the form of promiscuous mode that libpcap (the library that programs
    such as tcpdump, Ethereal, etc. use to do packet capture) turns on will
    not necessarily be shown if you run ifconfig on the interface on a UNIX
    system;
  * some network interfaces might not support promiscuous mode, and some
    drivers might not allow promiscuous mode to be turned on - see this
    earlier question for more information on that;
  * the fact that you're not seeing any traffic, or are only seeing
    broadcast traffic, or aren't seeing any non-broadcast traffic other than
    traffic to or from the machine running Ethereal, does not mean that
    promiscuous mode isn't on - see this earlier question for more
    information on that.

I.e., this is probably the same question as this earlier one; see the
response to that question.

Q 5.11: I can set a display filter just fine, but capture filters don't
work.

A: Capture filters currently use a different syntax than display filters.
Here's the corresponding section from the ethereal(1) man page:

"Display filters in Ethereal are very powerful; more fields are filterable
in Ethereal than in other protocol analyzers, and the syntax you can use to
create your filters is richer. As Ethereal progresses, expect more and more
protocol fields to be allowed in display filters.

Packet capturing is performed with the pcap library. The capture filter
syntax follows the rules of the pcap library. This syntax is different from
the display filter syntax."

The capture filter syntax used by libpcap can be found in the tcpdump(8) man
page.

Q 5.12: I'm entering valid capture filters, but I still get "parse error"
errors.

A: There is a bug in some versions of libpcap/WinPcap that causes them to
report parse errors even for valid expressions if a previous filter
expression was invalid and got a parse error.

Try exiting and restarting Ethereal; if you are using a version of
libpcap/WinPcap with this bug, this will "erase" its memory of the previous
parse error. If the capture filter that got the "parse error" now works, the
earlier error with that filter was probably due to this bug.

The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of libpcap
have this bug, but 0.6[.x] and later versions don't.

Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of libpcap,
and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and doesn't have
this bug.

If you are running Ethereal on a UNIX-flavored platform, run "ethereal -v",
or select "About Ethereal..." from the "Help" menu in Ethereal, to see what
version of libpcap it's using. If it's not 0.6 or later, you will need
either to upgrade your OS to get a later version of libpcap, or will need to
build and install a later version of libpcap from the tcpdump.org Web site
and then recompile Ethereal from source with that later version of libpcap.

If you are running Ethereal on Windows with a pre-2.3 version of WinPcap,
you will need to un-install WinPcap and then download and install WinPcap
2.3.

Q 5.13: I saved a filter and tried to use its name to filter the display,
|
|
but I got an "Unexpected end of filter string" error.
|
|
|
|
A: You cannot use the name of a saved display filter as a filter. To filter
|
|
the display, you can enter a display filter expression - not the name of a
|
|
saved display filter - in the "Filter:" box at the bottom of the display,
|
|
and type the key or press the "Apply" button (that does not require you to
|
|
have a saved filter), or, if you want to use a saved filter, you can press
|
|
the "Filter:" button, select the filter in the dialog box that pops up, and
|
|
press the "OK" button.
|
|
|
|
Q 5.14: Why am I seeing lots of packets with incorrect TCP checksums?
|
|
|
|
A: If the packets that have incorrect TCP checksums are all being sent by
|
|
the machine on which Ethereal is running, this is probably because the
|
|
network interface on which you're capturing does TCP checksum offloading.
|
|
That means that the TCP checksum is added to the packet by the network
|
|
interface, not by the OS's TCP/IP stack; when capturing on an interface,
|
|
packets being sent by the host on which you're capturing are directly handed
|
|
to the capture interface by the OS, which means that they are handed to the
|
|
capture interface without a TCP checksum being added to them.
|
|
|
|
The only way to prevent this from happening would be to disable TCP checksum
|
|
offloading, but
|
|
1. that might not even be possible on some OSes;
|
|
2. that could reduce networking performance significantly.
|
|
|
|
However, you can disable the check that Ethereal does of the TCP checksum,
|
|
so that it won't report any packets as having TCP checksum errors, and so
|
|
that it won't refuse to do TCP reassembly due to a packet having an
|
|
incorrect TCP checksum. That can be set as an Ethereal preference by
|
|
selecting "Preferences" from the "Edit" menu, opening up the "Protocols"
|
|
list in the left-hand pane of the "Preferences" dialog box, selecting "TCP",
|
|
from that list, turning off the "Check the validity of the TCP checksum when
|
|
possible" option, clicking "Save" if you want to save that setting in your
|
|
preference file, and clicking "OK".
|
|
|
|
It can also be set on the Ethereal or Tethereal command line with a -o
|
|
tcp.check_checksum:false command-line flag, or manually set in your
|
|
preferences file by adding a tcp.check_checksum:false line.
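
As an added illustration (not code from this FAQ or from Ethereal), the
following Python computes the TCP checksum that Ethereal verifies and shows
why a segment captured on a host that offloads checksumming fails that
check. The addresses, ports and payload are constructed, and the
tcp.check_checksum preference is modelled as the check_checksum argument.

```python
"""Added example: TCP checksum verification and the checksum-offloading
false positive. Packet contents are constructed for this example; the
`check_checksum` argument models Ethereal's tcp.check_checksum preference.
"""
import struct

SRC_IP = bytes([10, 0, 0, 1])      # constructed addresses
DST_IP = bytes([10, 0, 0, 2])
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6,
    TCP length) and the TCP header plus payload, with the checksum field
    itself (header bytes 16-17) taken as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_tcp_segment(src_port: int, dst_port: int, payload: bytes,
                      checksum: int = 0) -> bytes:
    """A minimal 20-byte TCP header (no options) followed by the payload."""
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,
                         1000, 0,            # sequence and ack numbers
                         5 << 4,             # data offset: 5 32-bit words
                         0x18,               # flags: PSH + ACK
                         8192,               # window
                         checksum,
                         0)                  # urgent pointer
    return header + payload


def segment_as_captured(offloading: bool) -> bytes:
    """What the capture mechanism is handed for an outgoing segment.
    Without offloading the TCP/IP stack fills in the final checksum. With
    offloading the NIC fills it in later, so the captured copy still carries
    the stack's placeholder (modelled here as zero; some stacks store a
    partial sum instead, which is equally wrong as a final checksum)."""
    seg = build_tcp_segment(40000, 80, PAYLOAD)
    if offloading:
        return seg
    return build_tcp_segment(40000, 80, PAYLOAD,
                             checksum=tcp_checksum(SRC_IP, DST_IP, seg))


def verify_tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes,
                        check_checksum: bool = True):
    """Ethereal's check. Returns True (correct), False (incorrect) or None
    when the check is disabled (tcp.check_checksum:false)."""
    if not check_checksum:
        return None
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored


if __name__ == "__main__":
    for offloading in (False, True):
        seg = segment_as_captured(offloading)
        print("offloading=%-5s checksum ok=%s" %
              (offloading, verify_tcp_checksum(SRC_IP, DST_IP, seg)))
```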

Q 5.15: I've just installed Ethereal, and the traffic on my local LAN is
boring.

A: We have a collection of strange and exotic sample capture files at
http://wiki.ethereal.com/SampleCaptures

Q 5.16: When I run Ethereal on Solaris 8, it dies with a Bus Error when I
start it.

A: Some versions of the GTK+ library from www.sunfreeware.org appear to be
buggy, causing Ethereal to drop core with a Bus Error. Un-install those
packages, and try getting the 1.2.10 version from that site, or the version
from The Written Word, or the version from Sun's GNOME distribution, or the
version from the supplemental software CD that comes with the Solaris media
kit, or build it from source from the GTK Web site. Update the GLib library
to the 1.2.10 version, from the same source, as well. (If you get the 1.2.10
versions from www.sunfreeware.org, and the problem persists, un-install them
and try installing one of the other versions mentioned.)

Similar problems may exist with older versions of GTK+ for earlier versions
of Solaris.

Q 5.17: When I run Ethereal, I get an error

Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
assertion `height > 0' failed.

A: This is a bug in Ethereal 0.10.5 and 0.10.5a, which is fixed in Ethereal
0.10.6 and later releases.

Q 5.18: When I run Tethereal with the "-x" option, it crashes with an error

"** ERROR **: file print.c: line 691 (print_line): should not be reached."

A: This is a bug in Ethereal 0.10.0a, which is fixed in 0.10.1 and later
releases. To work around the bug, don't use "-x" unless you're also using
"-V"; note that "-V" produces a full dissection of each packet, so you might
not want to use it.

Q 5.19: When I run Ethereal on Windows NT, it dies with a Dr. Watson error,
reporting an "Integer division by zero" exception, when I start it.

A: In at least some cases, this appears to be due to using the default VGA
driver; if that's not the correct driver for your video card, try running
the correct driver for your video card.

Q 5.20: When I try to run Ethereal, it complains about sprint_realloc_objid
being undefined.

A: Ethereal can only be linked with version 4.2.2 or later of UCD SNMP. Your
version of Ethereal was dynamically linked with such a version of UCD SNMP;
however, you have an older version of UCD SNMP installed, which means that
when Ethereal is run, it tries to link to the older version, and fails. You
will have to replace that version of UCD SNMP with version 4.2.2 or a later
version.

Q 5.21: I'm running Ethereal on Linux; why do my time stamps have only 100ms
resolution, rather than 1us resolution?

A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap get
them from the OS kernel, so Ethereal - and any other program using libpcap,
such as tcpdump - is at the mercy of the time stamping code in the OS for
time stamps.

At least on x86-based machines, Linux can get high-resolution time stamps on
newer processors with the Time Stamp Counter (TSC) register; for example,
Intel x86 processors, starting with the Pentium Pro, and including all x86
processors since then, have had a TSC, and other vendors probably added the
TSC at some point to their families of x86 processors.

The Linux kernel must be configured with the CONFIG_X86_TSC option enabled
in order to use the TSC. Make sure this option is enabled in your kernel.

In addition, some Linux distributions may have bugs in their versions of the
kernel that cause packets not to be given high-resolution time stamps even
if the TSC is enabled. See, for example, bug 61111 for Red Hat Linux 7.2. If
your distribution has a bug such as this, you may have to run a standard
kernel from kernel.org in order to get high-resolution time stamps.

Q 5.22: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why
are the time stamps on packets wrong?

A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap 3.0.

Q 5.23: When I try to run Ethereal on Windows, it fails to run because it
can't find packet.dll.

A: In older versions of Ethereal, there were two binary distributions
available for Windows, one that supported capturing packets, and one that
didn't. The version that supported capturing packets required that you
install the WinPcap driver; if you didn't install it, it would fail to run
because it couldn't find packet.dll.

The current version of Ethereal has only one binary distribution for
Windows; that version will check whether WinPcap is installed and, if it's
not, will disable support for packet capture.

The WinPcap driver and libraries can be downloaded from the WinPcap Web
site, the local mirror of the WinPcap Web site, or the Wiretapped.net mirror
of the WinPcap site.

Q 5.24: I'm running Ethereal on Windows NT 4.0/Windows 2000/Windows
XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
interface, and it shows up in the "Interface" item in the "Capture Options"
dialog box. Why can no packets be sent on or received from that network
while I'm trying to capture traffic on that interface?

A: Some versions of WinPcap have problems with PPP WAN interfaces on Windows
NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one symptom that
may be seen is that attempts to capture in promiscuous mode on the interface
cause the interface to be incapable of sending or receiving packets. You can
disable promiscuous mode using the -p command-line flag or the item in the
"Capture Preferences" dialog box, but this may mean that outgoing packets,
or incoming packets, won't be seen in the capture.

On Windows 2000 and later, installing the beta version of WinPcap 3.1 might
help, although, as it's a beta version, that might cause some other problems
that don't occur with older versions of WinPcap; you should report those
problems to the WinPcap developers, so that they can try to fix those
problems before the final version of WinPcap 3.1 is released. WinPcap 3.1
will not support PPP captures on Windows NT 4.0. See the Ethereal Wiki item
on PPP capturing for details.

Q 5.25: I'm running Ethereal on Windows 95/98/Me, on a machine with more
than one network adapter of the same type; Ethereal shows all of those
adapters with the same name, but I can't use any of those adapters other
than the first one.

A: Unfortunately, Windows 95/98/Me gives the same name to multiple instances
of the same type of network adapter. Therefore, WinPcap cannot distinguish
between them, so a WinPcap-based application can capture only on the first
such interface; Ethereal is a libpcap/WinPcap-based application.

Q 5.26: I'm running Ethereal on Windows, and I'm not seeing any traffic
being sent by the machine running Ethereal.

A: If you are running some form of VPN client software, it might be causing
this problem; people have seen this problem when they have Check Point's VPN
software installed on their machine. If that's the cause of the problem, you
will have to remove the VPN software in order to have Ethereal (or any other
application using WinPcap) see outgoing packets; unfortunately, neither we
nor the WinPcap developers know any way to make WinPcap and the VPN software
work well together.

Also, some drivers for Windows (especially some wireless network interface
drivers) apparently do not, when running in promiscuous mode, arrange that
outgoing packets are delivered to the software that requested that the
interface run promiscuously; try turning promiscuous mode off.

Q 5.27: I'm trying to capture traffic but I'm not seeing any.

A: Is the machine running Ethereal sending out any traffic on the network
interface on which you're capturing, or receiving any traffic on that
network, or is there any broadcast traffic on the network or multicast
traffic to a multicast group to which the machine running Ethereal belongs?

If not, this may just be a problem with promiscuous sniffing, either due to
running on a switched network or a dual-speed hub, or due to problems with
the interface not supporting promiscuous mode; see the response to this
earlier question.

Otherwise, on Windows, see the response to this question and, on a
UNIX-flavored OS, see the response to this question.

Q 5.28: I have an XXX network card on my machine; if I try to capture on it,
my machine crashes or resets itself.

A: This is almost certainly a problem with one or more of:

* the operating system you're using;
* the device driver for the interface you're using;
* the libpcap/WinPcap library and, if this is Windows, the WinPcap device
  driver;

so:

* if you are using Windows, see the WinPcap support page (or the local
  mirror of that page) - check the "Submitting bugs" section;
* if you are using some Linux distribution, some version of BSD, or some
  other UNIX-flavored OS, you should report the problem to the company or
  organization that produces the OS (in the case of a Linux distribution,
  report the problem to whoever produces the distribution).

Q 5.29: My machine crashes or resets itself when I select "Start" from the
"Capture" menu or select "Preferences" from the "Edit" menu.

A: Both of those operations cause Ethereal to try to build a list of the
interfaces that it can open; it does so by getting a list of interfaces and
trying to open them. There is probably an OS, driver, or, for Windows,
WinPcap bug that causes the system to crash when this happens; see the
previous question.

Q 5.30: Does Ethereal work on Windows Me?

A: Yes, but if you want to capture packets, you will need to install the
latest version of WinPcap, as 2.02 and earlier versions of WinPcap didn't
support Windows Me. You should also install the latest version of Ethereal
as well.

Q 5.31: Does Ethereal work on Windows XP?

A: Yes, but if you want to capture packets, you will need to install the
latest version of WinPcap, as 2.2 and earlier versions of WinPcap didn't
support Windows XP.

Q 5.32: Why doesn't Ethereal correctly identify RTP packets? It shows them
only as UDP.

A: Ethereal can identify a UDP datagram as containing a packet of a
particular protocol running atop UDP only if

1. The protocol in question has a particular standard port number, and the
   UDP source or destination port number is that port
2. Packets of that protocol can be identified by looking for a "signature"
   of some type in the packet - i.e., some data that, if Ethereal finds it
   in some particular part of a packet, means that the packet is almost
   certainly a packet of that type.
3. Some other traffic earlier in the capture indicated that, for example,
   UDP traffic between two particular addresses and ports will be RTP
   traffic.

RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, as
far as I know, have any "signature", so 2) doesn't work.

That leaves 3). If there's RTSP traffic that sets up an RTP session, then,
at least in some cases, the RTSP dissector will set things up so that
subsequent RTP traffic will be identified. Currently, that's the only place
we do that; there may be other places.

However, there will always be places where Ethereal is simply incapable of
deducing that a given UDP flow is RTP; a mechanism would be needed to allow
the user to specify that a given conversation should be treated as RTP. As
of Ethereal 0.8.16, such a mechanism exists; if you select a UDP or TCP
packet, the right mouse button menu will have a "Decode As..." menu item,
which will pop up a dialog box letting you specify that the source port, the
destination port, or both the source and destination ports of the packet
should be dissected as some particular protocol.
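
The three identification rules above, plus the "Decode As..." override, as
an added Python model (not Ethereal's dissector code). Addresses, ports and
payloads are constructed; the RTSP set-up that registers a conversation is
modelled by a single call rather than by parsing RTSP, and the lookup order
is an assumption of this model.

```python
"""Added example (not Ethereal's code): how a UDP payload gets attributed
to a protocol: 1) a well-known port, 2) a payload signature, 3) a
conversation registered by earlier traffic (here an RTSP set-up), plus the
"Decode As..." override. Addresses, ports and payloads are constructed.
"""
import struct

# 1. Well-known UDP ports (a constructed subset of a port table).
STATIC_UDP_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}


# 2. Payload signatures. BOOTP/DHCP carries the magic cookie 63 82 53 63 at
#    offset 236; RTP, as the FAQ notes, has no such signature.
def looks_like_bootp(payload: bytes) -> bool:
    return len(payload) >= 240 and payload[236:240] == b"\x63\x82\x53\x63"


HEURISTICS = [("BOOTP", looks_like_bootp)]


class UdpIdentifier:
    def __init__(self):
        # 3. Conversations: (addr, port, addr, port) -> protocol, filled in
        #    by dissectors that see a session being set up.
        self.conversations = {}
        # "Decode As...": user-specified port -> protocol overrides.
        self.decode_as = {}

    @staticmethod
    def _key(a1, p1, a2, p2):
        # Direction-independent key so both halves of a flow match.
        return tuple(sorted([(a1, p1), (a2, p2)]))

    def rtsp_setup_seen(self, client, client_port, server, server_port):
        """Model of what the RTSP dissector does after a SETUP exchange:
        mark the negotiated UDP flow as RTP."""
        self.conversations[self._key(client, client_port,
                                     server, server_port)] = "RTP"

    def decode_port_as(self, port: int, protocol: str):
        """'Decode As...' for a single port (source or destination)."""
        self.decode_as[port] = protocol

    def identify(self, src, sport, dst, dport, payload: bytes) -> str:
        # User overrides win over everything else (model assumption).
        for port in (sport, dport):
            if port in self.decode_as:
                return self.decode_as[port]
        conv = self.conversations.get(self._key(src, sport, dst, dport))
        if conv:
            return conv
        for port in (sport, dport):
            if port in STATIC_UDP_PORTS:
                return STATIC_UDP_PORTS[port]
        for name, test in HEURISTICS:
            if test(payload):
                return name
        return "UDP"          # nothing matched: shown as plain UDP


def rtp_packet(seq: int, payload: bytes = b"\x00" * 160) -> bytes:
    """A constructed RTP header: V=2, PT=0 (PCMU), then seq/timestamp/SSRC."""
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, 0x12345678) + payload


if __name__ == "__main__":
    ident = UdpIdentifier()
    pkt = rtp_packet(1)
    print(ident.identify("10.0.0.1", 5004, "10.0.0.2", 6000, pkt))   # UDP
    ident.rtsp_setup_seen("10.0.0.1", 5004, "10.0.0.2", 6000)
    print(ident.identify("10.0.0.2", 6000, "10.0.0.1", 5004, pkt))   # RTP
    ident.decode_port_as(7000, "RTP")
    print(ident.identify("10.0.0.1", 7000, "10.0.0.9", 9000, pkt))   # RTP
```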

Q 5.33: Why doesn't Ethereal show Yahoo Messenger packets in captures that
contain Yahoo Messenger traffic?

A: Ethereal only recognizes as Yahoo Messenger traffic packets to or from
TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP segments that
start with the middle of a Yahoo Messenger packet that takes more than one
TCP segment will not be recognized as Yahoo Messenger packets (even if the
TCP segment also contains the beginning of another Yahoo Messenger packet).

Q 5.34: Why do I get the error

Gdk-ERROR **: Palettized display (256-colour) mode not supported on
Windows.
aborting....

when I try to run Ethereal on Windows?

A: Ethereal is built using the GTK+ toolkit, which supports most
UNIX-flavored OSes, and also supports Windows.

Windows versions of Ethereal before 0.9.14 were built with an older version
of that toolkit, which didn't support 256-color mode on Windows - it
required HiColor (16-bit colors) or more.

Windows versions of Ethereal 0.9.14 and later are built with a version of
that toolkit that supports 256-color mode; upgrade to the current version of
Ethereal if you want to run on a display in 256-color mode.

Q 5.35: When I capture on Windows in promiscuous mode, I can see packets
other than those sent to or from my machine; however, those packets show up
with a "Short Frame" indication, unlike packets to or from my machine. What
should I do to arrange that I see those packets in their entirety?

A: In at least some cases, this appears to be the result of PGPnet running
on the network interface on which you're capturing; turn it off on that
interface.

Q 5.36: I'm capturing packets on a machine on a VLAN; why don't the packets
I'm capturing have VLAN tags?

A: You might be capturing on what might be called a "VLAN interface" - the
way a particular OS makes VLANs plug into the networking stack might, for
example, be to have a network device object for the physical interface,
which takes VLAN packets, strips off the VLAN header and constructs an
Ethernet header, and passes that packet to an internal network device object
for the VLAN, which then passes the packets onto various higher-level
protocol implementations.

In order to see the raw Ethernet packets, rather than "de-VLANized" packets,
you would have to capture not on the virtual interface for the VLAN, but on
the interface corresponding to the physical network device, if possible. See
the Ethereal Wiki item on VLAN capturing for details.
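
The "de-VLANizing" step described above, as an added Python example (not
Ethereal's code or any OS's driver code): it parses an 802.1Q tag, strips it
the way the VLAN device object does, and shows what a capture on the
physical interface sees versus a capture on the VLAN interface. The frame
bytes and the interface names "physical" and "vlan" are constructed.

```python
"""Added example (not Ethereal's code): what a "VLAN interface" does to a
tagged frame before a capture on that interface sees it. The addresses and
payload are constructed.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype) if the frame carries an
    802.1Q tag after the two MAC addresses, otherwise None."""
    if len(frame) < 18:
        return None
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETHERTYPE_VLAN:
        return None
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner


def de_vlanize(frame: bytes) -> bytes:
    """Model of the OS's VLAN device object: drop the 4-byte tag so the
    frame becomes a plain Ethernet frame with the inner EtherType. This is
    the form a capture on the VLAN interface sees."""
    if vlan_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def build_tagged_frame(dst: bytes, src: bytes, vlan_id: int,
                       ethertype: int, payload: bytes, prio: int = 0) -> bytes:
    """dst/src MAC, 802.1Q tag (TPID, TCI), inner EtherType, payload."""
    tci = (prio << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def captured_on(interface: str, frame: bytes) -> bytes:
    """'physical': raw frame as it arrived on the wire (tag intact);
    'vlan': the frame after the VLAN device object has processed it."""
    if interface == "physical":
        return frame
    if interface == "vlan":
        return de_vlanize(frame)
    raise ValueError("unknown interface kind: %r" % interface)


# Constructed sample: broadcast frame on VLAN 100 carrying an IPv4 payload.
SAMPLE = build_tagged_frame(bytes.fromhex("ffffffffffff"),
                            bytes.fromhex("001122334455"),
                            100, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 45)

if __name__ == "__main__":
    for kind in ("physical", "vlan"):
        f = captured_on(kind, SAMPLE)
        print(kind, len(f), "bytes, tag:", vlan_tag(f))
```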

Q 5.37: How can I capture raw 802.11 frames, including non-data (management,
beacon) frames?

A: That depends on the operating system on which you're running, and on the
802.11 interface on which you're capturing.

This would probably require that you capture in promiscuous mode or in the
mode called "monitor mode" or "RFMON mode". On some platforms, or with some
cards, this might require that you capture in monitor mode - promiscuous
mode might not be sufficient. If you want to capture traffic on networks
other than the one with which you're associated, you will have to capture in
monitor mode.

Not all operating systems support capturing non-data packets and, even on
operating systems that do support it, not all drivers, and thus not all
interfaces, support it. Even on those that do, monitor mode might not be
supported by the operating system or by the drivers for all interfaces.

NOTE: an interface running in monitor mode will, on most if not all
platforms, not be able to act as a regular network interface; putting it
into monitor mode will, in effect, take your machine off of whatever network
it's on as long as the interface is in monitor mode, allowing it only to
passively capture packets.

This means that you should disable name resolution when capturing in monitor
mode; otherwise, when Ethereal (or Tethereal, or tcpdump) tries to display
IP addresses as host names, it will probably block for a long time trying to
resolve the name because it will not be able to communicate with any DNS or
NIS servers.

See the Ethereal Wiki item on 802.11 capturing for details.

Q 5.38: How do I capture on an 802.11 device in monitor mode?

A: Whether you will be able to capture in monitor mode depends on the
operating system, adapter, and driver you're using. See the previous
question for information on monitor mode, including a link to the Ethereal
Wiki page that gives details on 802.11 capturing.

Q 5.39: I'm trying to capture 802.11 traffic on Windows; why am I not seeing
any packets?

A: At least some 802.11 card drivers on Windows appear not to see any
packets if they're running in promiscuous mode. Try turning promiscuous mode
off; you'll only be able to see packets sent by and received by your
machine, not third-party traffic, and it'll look like Ethernet traffic and
won't include any management or control frames, but that's a limitation of
the card drivers.

See MicroLogix's list of cards supported with WinPcap for information on
support of various adapters and drivers with WinPcap.

Q 5.40: I'm trying to capture 802.11 traffic on Windows; why am I seeing
packets received by the machine on which I'm capturing traffic, but not
packets sent by that machine?

A: This appears to be another problem with promiscuous mode; try turning it
off.

Q 5.41: How can I capture packets with CRC errors?

A: Ethereal can capture only the packets that the packet capture library -
libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on
Windows - can capture, and libpcap/WinPcap can capture only the packets that
the OS's raw packet capture mechanism (or the WinPcap driver, and the
underlying OS networking code and network interface drivers, on Windows)
will allow it to capture.

Unless the OS always supplies packets with errors such as invalid CRCs to
the raw packet capture mechanism, or can be configured to do so, Ethereal -
and other programs that capture raw packets, such as tcpdump - cannot
capture those packets. You will have to determine whether your OS needs to
be so configured and, if so, can be so configured, configure it if necessary
and possible, and make whatever changes to libpcap and the packet capture
program you're using are necessary, if any, to support capturing those
packets.

Most OSes probably do not support capturing packets with invalid CRCs on
Ethernet, and probably do not support it on most other link-layer types.
Some drivers on some OSes do support it, such as some Ethernet drivers on
FreeBSD; in those OSes, you might always get those packets, or you might
only get them if you capture in promiscuous mode (you'd have to determine
which is the case).

Note that libpcap does not currently supply to programs that use it an
indication of whether the packet's CRC was invalid (because the drivers
themselves do not supply that information to the raw packet capture
mechanism); therefore, Ethereal will not indicate which packets had CRC
errors unless the FCS was captured (see the next question) and you're using
Ethereal 0.9.15 or later, in which case Ethereal will check the CRC and
indicate whether it's correct or not.

Q 5.42: How can I capture entire frames, including the FCS?

A: Ethereal can only capture data that the packet capture library - libpcap
on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on Windows
- can capture, and libpcap/WinPcap can capture only the data that the OS's
raw packet capture mechanism (or the WinPcap driver, and the underlying OS
networking code and network interface drivers, on Windows) will allow it to
capture.

For any particular link-layer network type, unless the OS supplies the FCS
of a frame as part of the frame, or can be configured to do so, Ethereal -
and other programs that capture raw packets, such as tcpdump - cannot
capture the FCS of a frame. You will have to determine whether your OS needs
to be so configured and, if so, can be so configured, configure it if
necessary and possible, and make whatever changes to libpcap and the packet
capture program you're using are necessary, if any, to support capturing the
FCS of a frame.

Most OSes do not support capturing the FCS of a frame on Ethernet, and
probably do not support it on most other link-layer types. Some drivers on
some OSes do support it, such as some (all?) Ethernet drivers on NetBSD and
possibly the driver for Apple's gigabit Ethernet interface in Mac OS X; in
those OSes, you might always get the FCS, or you might only get the FCS if
you capture in promiscuous mode (you'd have to determine which is the case).

Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in a
captured packet as an FCS. 0.9.15 and later will attempt to determine
whether there's an FCS at the end of the frame and, if it thinks there is,
will display it as such, and will check whether it's the correct CRC-32
value or not.
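
The FCS check that a captured FCS makes possible (Q 5.41) and that Ethereal
0.9.15 and later apply to a frame they decide carries one (Q 5.42), as an
added Python example that is not Ethereal's own code. The frames are
constructed; the "trailing bytes match the CRC-32 of the rest" heuristic is
this example's illustration, not Ethereal's exact detection logic.

```python
"""Added example (not Ethereal's code): verifying the Ethernet FCS at the
end of a captured frame. zlib.crc32 implements the same CRC-32 (polynomial
0x04C11DB7, reflected, initial and final value all-ones) that Ethernet
uses; the FCS appears in the frame least-significant byte first.
"""
import struct
import zlib


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """The 4-byte FCS for a frame: CRC-32 of everything from the
    destination address through the last payload/padding byte."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def check_fcs(frame_with_fcs: bytes) -> str:
    """For a capture known to include the FCS: 'good' or 'bad'."""
    body, fcs = frame_with_fcs[:-4], frame_with_fcs[-4:]
    return "good" if ethernet_fcs(body) == fcs else "bad"


def trailing_bytes_look_like_fcs(frame: bytes) -> bool:
    """Heuristic: does the frame end with the CRC-32 of the rest? A frame
    without an FCS matches only by chance (about 1 in 2**32), so a match is
    strong evidence that the OS handed the FCS to the capture mechanism.
    A frame shorter than the 64-byte Ethernet minimum cannot carry one."""
    return len(frame) >= 64 and ethernet_fcs(frame[:-4]) == frame[-4:]


def corrupt(frame: bytes, byte_index: int) -> bytes:
    """Flip one bit of the frame, as line noise would, leaving the FCS alone."""
    b = bytearray(frame)
    b[byte_index] ^= 0x01
    return bytes(b)


# Constructed sample: 60-byte minimum frame (padding included) plus FCS.
FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
         + b"\x08\x00" + b"\x45" + b"\x00" * 45)
FRAME_WITH_FCS = FRAME + ethernet_fcs(FRAME)

if __name__ == "__main__":
    print("as captured with FCS:", check_fcs(FRAME_WITH_FCS))
    print("after a bit flip:    ", check_fcs(corrupt(FRAME_WITH_FCS, 20)))
    print("FCS-less capture looks like it has one?",
          trailing_bytes_look_like_fcs(FRAME + b"\x00" * 4))
```

A capture that lacks the FCS (the common case described above) gives
check_fcs nothing to verify, which is why the frame must be captured whole
before CRC errors can be reported.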

Q 5.43: Why does Ethereal hang after I stop a capture?

A: The most likely reason for this is that Ethereal is trying to look up an
IP address in the capture to convert it to a name (so that, for example, it
can display the name in the source address or destination address columns),
and that lookup process is taking a very long time.

Ethereal calls a routine in the OS of the machine on which it's running to
convert IP addresses to the corresponding names. That routine probably
does one or more of:

* a search of a system file listing IP addresses and names;
* a lookup using DNS;
* on UNIX systems, a lookup using NIS;
* on Windows systems, a NetBIOS-over-TCP query.

If a DNS server that's used in an address lookup is not responding, the
lookup will fail, but will only fail after a timeout while the system
routine waits for a reply.

In addition, on Windows systems, if the DNS lookup of the address fails,
either because the server isn't responding or because there are no records
in the DNS that could be used to map the address to a name, a
NetBIOS-over-TCP query will be made. That query involves sending a message
to the NetBIOS-over-TCP name service on that machine, asking for the name
and other information about the machine. If the machine isn't running
software that responds to those queries - for example, many non-Windows
machines wouldn't be running that software - the lookup will only fail after
a timeout. Those timeouts can cause the lookup to take a long time.

If you disable network address-to-name translation - for example, by turning
off the "Enable network name resolution" option in the "Capture Options"
dialog box for starting a network capture - the lookups of the address won't
be done, which may speed up the process of reading the capture file after
the capture is stopped. You can make that setting the default by selecting
"Preferences" from the "Edit" menu, turning off the "Enable network name
resolution" option in the "Name resolution" options in the preferences
dialog box, and using the "Save" button in that dialog box; note that this
will save all your current preference settings.

If Ethereal hangs when reading a capture even with network name resolution
turned off, there might, for example, be a bug in one of Ethereal's
dissectors for a protocol causing it to loop infinitely. If you're not
running the most recent release of Ethereal, you should first upgrade to
that release, as, if there's a bug of that sort, it might've been fixed in a
release after the one you're running. If the hang occurs in the most recent
release of Ethereal, the bug should be reported to the Ethereal developers'
mailing list at ethereal-dev@ethereal.com.

On UNIX-flavored OSes, please try to force Ethereal to dump core, by sending
it a SIGABRT signal (usually signal 6) with the kill command, and then get a
stack trace if you have a debugger installed. A stack trace can be obtained
by using your debugger (gdb in this example), the Ethereal binary, and the
resulting core file. Here's an example of how to use the gdb command
backtrace to do so.

$ gdb ethereal core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$

The core dump file may be named "ethereal.core" rather than "core" on some
platforms (e.g., BSD systems).

Also, if at all possible, please send a copy of the capture file that caused
the problem; when capturing packets, Ethereal normally writes captured
packets to a temporary file, which will probably be in /tmp or /var/tmp on
UNIX-flavored OSes, \TEMP on the main system disk (normally C:) on Windows
9x/Me/NT 4.0, and \Documents and Settings\your login name\Local
Settings\Temp on the main system disk on Windows 2000/Windows XP/Windows
Server 2003, so the capture file will probably be there. It will have a name
beginning with ether, with some mixture of letters and numbers after that.
Please don't send a trace file greater than 1 MB when compressed; instead,
make it available via FTP or HTTP, or say it's available but leave it up to
a developer to ask for it. If the trace file contains sensitive information
(e.g., passwords), then please do not send it.

Q 5.44: How can I search for, or filter, packets that have a particular
string anywhere in them?

A: If you want to do this when capturing, you can't. That's a feature that
would be hard to implement in capture filters without changes to the capture
filter code, which, on many platforms, is in the OS kernel and, on other
platforms, is in the libpcap library.

In releases prior to 0.9.14, you also can't search for, or filter, packets
containing a particular string even after you've captured them.

In 0.9.14, you can search for, but not filter, packets that have a
particular string; this has been added to the "Find Frame" dialog ("Find
Frame" under the "Edit" menu, or control-F).

In 0.9.15 and later, you can search for those packets using either the
mechanism introduced in 0.9.14 or the new "contains" operator in filter
expressions, which lets you search the entire packet or text string or byte
string fields in the packet; the "contains" operator can also be used in
expressions used to filter the display.

Q 5.45: How do I filter a capture to see traffic for virus XXX?

A: For some viruses/worms there might be a capture filter to recognize the
virus traffic. Check the CaptureFilters page on the Ethereal Wiki to see if
anybody's added such a filter.

Note that Ethereal was not designed to be an intrusion detection system; you
might be able to use it as an IDS, but in most cases software designed to be
an IDS, such as Snort or Prelude, will probably work better.

The Bleeding Edge of Snort has a collection of signatures for Snort to
detect various viruses, worms, and the like.

Please send support questions about Ethereal to the
ethereal-users[AT]ethereal.com mailing list.

For corrections/additions/suggestions for this web page (and not Ethereal
support questions), please send email to ethereal-web[AT]ethereal.com .

Last modified: Wed, May 25 2005.