General Information
------- -----------
Ethereal is a network traffic analyzer, or "sniffer", for Unix and
Unix-like operating systems. It uses GTK+, a graphical user interface
library, and libpcap, a packet capture and filtering library.
The official home of Ethereal is
http://ethereal.zing.org
The latest distribution can be found in the subdirectory
http://ethereal.zing.org/distribution
Interesting and exotic packet traces can be found at
http://ethereal.zing.org/~gram/sample.html
Installation
------------
Ethereal is known to compile and run on the following systems:
- Linux (2.0.x, 2.1.x, 2.2.x)
- Solaris (2.5.1, 2.6)
- FreeBSD (2.2.5, 2.2.6)
- Sequent PTX v4.4.5 (Nick Williams <njw@sequent.com>)
- Tru64 UNIX (formerly Digital UNIX) (3.2, 4.0)
- Irix (version?)
It should run on other systems without too much trouble.
NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to
work with the "make" that comes with Solaris 7 nor the BSD "make".
Perl is also needed to create the man page.
If you decide to modify the yacc grammar or lex scanner, then
you need "flex" - it cannot be built with vanilla "lex" -
and either "bison" or the Berkeley "yacc". Your flex
version must be 2.5.1 or greater. Check this with 'flex -V'.
You must therefore install Perl, GNU "make", "flex", and either "bison" or
Berkeley "yacc" on systems that lack them.
Full installation instructions can be found in the INSTALL file.
See also the appropriate README.<OS> files for OS-specific installation
instructions.
Usage
-----
In order to capture packets from the network, you need to be running
as root, or have access to the appropriate entry under /dev if your
system is so inclined (BSD-derived systems and Solaris typically fall
into this category. Although it might be tempting to make the
Ethereal executable setuid root, please don't - alpha code is by nature
not very robust, and liable to contain security holes.
Please consult the man page for a description of each command-line
option and interface feature.
Multiple File Types
-------------------
The wiretap library is a packet-capture library currently under
development parallel to ethereal. In the future it is hoped that
wiretap will have more features than libpcap, but wiretap is still in
its infancy. However, wiretap is used in ethereal for its ability
to read multiple file types. You can read the following file
formats, and create display filters for them as well:
libpcap (tcpdump -w), Sniffer (uncompressed), NetXray, Sniffer Pro,
snoop, Shomiti, LANalyzer, Network Monitor, AIX's iptrace 2.0,
RADCOM's WAN/LAN Analyzer, Lucent/Ascend access products, HP-UX's nettl,
and Toshiba's ISDN routers.
Although Ethereal can read AIX iptrace files, the documentation on
AIX's iptrace packet-trace command is sparse. The 'iptrace' command
starts a daemon which you must kill in order to stop the trace. Through
experimentation it appears that sending a HUP signal to that iptrace
daemon causes a graceful shutdown and a complete packet is written
to the trace file. If a partial packet is saved at the end, Ethereal
will complain when reading that file, but you will be able to read all
other packets. If this occurs, please let the Ethereal developers know
at ethereal-dev@zing.org, and be sure to send us a copy of that trace
file if it's small and contains non-sensitive data.
Support for Lucent/Ascend products is limited to the debug trace output
generated by the MAX and Pipline series of products. Ethereal can read
the output of the "wandsession" "wandisplay", "wannext", and "wdd"
commands. For detailed information on use of these commands, please refer
the following pages:
"wandsession", "wandisplay", and "wannext" on the Pipeline series:
http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006c79
"wandsession", "wandisplay", and "wannext" on the MAX series:
http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006972
"wdd" on the Pipeline series:
http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006877
Ethereal can also read dump trace output from the Toshiba "Compact Router"
line of ISDN routers (TR-600 and TR-650). You can telnet to the router
and start a dump session with "snoop dump".
To use the Lucent/Ascend and Toshiba traces with Ethereal, you must capture
the trace output to a file on disk. The trace is happening inside the router
and the router has no way of saving the trace to a file for you.
An easy way of doing this under Unix is to run "telnet <ascend> | tee <outfile>".
Or, if your system has the "script" command installed, you can save
a shell session, including telnet to a file. For example, to a file named
tracefile.out:
$ script tracefile.out
Script started on <date/time>
$ telnet router
..... do your trace, then exit from the router's telnet session.
$ exit
Script done on <date/time>
IPv6
----
If your operating system includes IPv6 support, ethereal will attempt to
use reverse name resolution capabilities when decoding IPv6 packets. If
you want to turn off name resolution while using ethereal, start ethereal
with the "-n" option. If you would like to compile ethereal without
support for IPv6 name resolution, use the "--disable-ipv6" option with
"./configure". If you compile ethereal without IPv6 name resolution,
you will still be able to decode IPv6 packets, but you'll only see IPv6
addresses, not host names.
The "Follow TCP Stream" feature only supports TCP over IPv4. Support for TCP
over IPv6 is planned.
SNMP
----
Ethereal can do some basic decoding of SNMP packets, but it relies on an
external SNMP library to do this. You can use either the UCD or the CMU
SNMP libraries. The configure script will automatically determine which
library you have on your system and will use it. If you have an SNMP
library but _do not_ want to have ethereal use it, you can run configure
with the "--disable-snmp" option. No SNMP support will be compiled into
ethereal with this option.
How to Report a Bug
-------------------
Ethereal is still under constant development, so it is possible that you will
encounter a bug while using it. Please report bugs to ethereal-dev@zing.org.
Be sure you tell us:
1) Operating System and version
2) Version of GTK+ (the command 'gtk-config --version' will tell you)
3) The command you used to invoke Ethereal
If the bug is produced by a particular trace file, please be sure to send
a trace file along with your bug description. Please don't send a trace file
greather than 1 MB when compressed. If the trace file contains sensitive
information (e.g., passwords), then please do not send it.
If Ethereal died on you with a 'segmentation violation', you can help the
developers a lot if you have a debugger installed. A stack trace can be
obtained by using your debugger ('gdb' in this example), the ethereal binary,
and the resulting core file. Here's an example of how to use the gdb
command 'backtrace' to do so.
$ gdb ethereal core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$
Disclaimer
----------
There is no warranty, expressed or implied, associated with this product.
Use at your own risk.
Gerald Combs <gerald@zing.org>
Gilbert Ramirez <gram@xiexie.org>
2331fa34e1