doesn't work like the read timeout in BPF - the timer doesn't start
until at least one packet has arrived.
I think that's the way read timeouts should work on *all* packet capture
mechanisms, but it does mean that Solaris will, on a quiet net, exhibit
the same symptoms that Linux used to exhibit before we put in a
"select()" call to wait until either packets arrive or a timer expires -
the "pcap_dispatch()" call blocks until a packet arrives, so the display
doesn't get updated and Ethereal doesn't respond to user input until a
packet arrives.
Furthermore, Linux isn't the only OS that lacks any read timeout
on its packet capture mechanism; the others will also have that problem.
We therefore do the "select()" on *all* platforms other than the BSDs
(where the timer starts when the read is done, and can be used for
polling); I don't know whether it's necessary on Digital UNIX, but I
suspect it's necessary on SunOS 4.x (as the 5.x "bufmod" is probably
derived from the 4.x one, and the 5.x one, as per the above, starts the
timer when a packet arrives), and it may even be necessary on 3.x, those
(BSD, SunOS including 5.x, and Digital UNIX) apparently being the only
UNIXes that appear to have such a read timeout.
svn path=/trunk/; revision=2790
$Id: README,v 1.45 2000/10/08 17:16:29 gerald Exp $
General Information
------- -----------
Ethereal is a network traffic analyzer, or "sniffer", for Unix and
Unix-like operating systems. It uses GTK+, a graphical user interface
library, and libpcap, a packet capture and filtering library.
The Ethereal distribution also comes with Tethereal, which is a
line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the
same dissection, capture-file reading and writing, and packet filtering
code as Ethereal, and with editcap, which is a program to read capture
files and write the packets from that capture file, possibly in a
different capture file format, and with some packets possibly removed
from the capture.
The official home of Ethereal is
http://www.ethereal.com
The latest distribution can be found in the subdirectory
http://www.ethereal.com/distribution
Installation
------------
Ethereal is known to compile and run on the following systems:
- Linux (2.0.x, 2.1.x, 2.2.x, 2.3.x, 2.4.x)
- Solaris (2.5.1, 2.6, 7)
- FreeBSD (2.2.5, 2.2.6, 3.1, 3.2, 3.3)
- Sequent PTX v4.4.5 (Nick Williams <njw@sequent.com>)
- Tru64 UNIX (formerly Digital UNIX) (3.2, 4.0)
- Irix (6.5)
- AIX (4.3.2, with a bit of work)
- Win32 (NT, 98)
It should run on other Unix-ish systems without too much trouble.
NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to
work with the "make" that comes with Solaris 7 nor the BSD "make".
Perl is also needed to create the man page.
If you decide to modify the yacc grammar or lex scanner, then
you need "flex" - it cannot be built with vanilla "lex" -
and either "bison" or the Berkeley "yacc". Your flex
version must be 2.5.1 or greater. Check this with 'flex -V'.
If you decide to modify the NetWare Core Protocol dissector, you
will need python, as the data for packet types is stored in a python
script, ncp2222.py.
You must therefore install Perl, GNU "make", "flex", and either "bison" or
Berkeley "yacc" on systems that lack them.
Full installation instructions can be found in the INSTALL file.
See also the appropriate README.<OS> files for OS-specific installation
instructions.
Usage
-----
In order to capture packets from the network, you need to be running as
root, or have access to the appropriate entry under /dev if your system
is so inclined (BSD-derived systems, and systems such as Solaris and
HP-UX that support DLPI, typically fall into this category). Although
it might be tempting to make the Ethereal executable setuid root, please
don't - alpha code is by nature not very robust, and liable to contain
security holes.
Please consult the man page for a description of each command-line
option and interface feature.
Multiple File Types
-------------------
The wiretap library is a packet-capture library currently under
development parallel to ethereal. In the future it is hoped that
wiretap will have more features than libpcap, but wiretap is still in
its infancy. However, wiretap is used in ethereal for its ability
to read multiple file types. You can read the following file
formats:
libpcap (tcpdump -w, Ethereal)
Sniffer (compressed and uncompressed)
NetXray
Sniffer Pro
snoop
atmsnoop
Shomiti
LANalyzer
Microsoft Network Monitor
AIX's iptrace
RADCOM's WAN/LAN Analyzer
Lucent/Ascend access products
HP-UX's nettl
Toshiba's ISDN routers
ISDN4BSD "i4btrace" utility
Cisco Secure Intrustion Detection System iplogging facility
pppd logs (pppdump-format files)
In addition, it can read gzipped versions of any of these files
automatically, if you have the zlib library available when compiling
Ethereal. Ethereal needs a modern version of zlib to be able to use
zlib to read gzipped files; version 1.1.3 is known to work. Versions
prior to 1.0.9 are missing some functions that Ethereal needs and won't
work. "./configure" should detect if you have the proper zlib version
available and, if you don't, should disable zlib support. You can always
use "./configure --disable-zlib" to explicitly disable zlib support.
Although Ethereal can read AIX iptrace files, the documentation on
AIX's iptrace packet-trace command is sparse. The 'iptrace' command
starts a daemon which you must kill in order to stop the trace. Through
experimentation it appears that sending a HUP signal to that iptrace
daemon causes a graceful shutdown and a complete packet is written
to the trace file. If a partial packet is saved at the end, Ethereal
will complain when reading that file, but you will be able to read all
other packets. If this occurs, please let the Ethereal developers know
at ethereal-dev@zing.org, and be sure to send us a copy of that trace
file if it's small and contains non-sensitive data.
Support for Lucent/Ascend products is limited to the debug trace output
generated by the MAX and Pipline series of products. Ethereal can read
the output of the "wandsession" "wandisplay", "wannext", and "wdd"
commands. For detailed information on use of these commands, please refer
the following pages:
"wandsession", "wandisplay", and "wannext" on the Pipeline series:
http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006c79
"wandsession", "wandisplay", and "wannext" on the MAX series:
http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006972
"wdd" on the Pipeline series:
http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006877
Ethereal can also read dump trace output from the Toshiba "Compact Router"
line of ISDN routers (TR-600 and TR-650). You can telnet to the router
and start a dump session with "snoop dump".
To use the Lucent/Ascend and Toshiba traces with Ethereal, you must capture
the trace output to a file on disk. The trace is happening inside the router
and the router has no way of saving the trace to a file for you.
An easy way of doing this under Unix is to run "telnet <ascend> | tee <outfile>".
Or, if your system has the "script" command installed, you can save
a shell session, including telnet to a file. For example, to a file named
tracefile.out:
$ script tracefile.out
Script started on <date/time>
$ telnet router
..... do your trace, then exit from the router's telnet session.
$ exit
Script done on <date/time>
IPv6
----
If your operating system includes IPv6 support, ethereal will attempt to
use reverse name resolution capabilities when decoding IPv6 packets. If
you want to turn off name resolution while using ethereal, start ethereal
with the "-n" option. If you would like to compile ethereal without
support for IPv6 name resolution, use the "--disable-ipv6" option with
"./configure". If you compile ethereal without IPv6 name resolution,
you will still be able to decode IPv6 packets, but you'll only see IPv6
addresses, not host names.
NetWare Core Protocol
---------------------
There are over 400 different NCP packet types. The NCP dissector does
not understand all of these; support is being added little by little. If
you have some NCP packets that are not dissected by Ethereal, send
a trace file to ethereal-dev@zing.org and if possible, we will add support
for those packets types.
SNMP
----
Ethereal can do some basic decoding of SNMP packets; it can also use an
external SNMP library to do more sophisticated decoding.. The configure
script will automatically determine which library you have on your
system and will use it. If you have an SNMP library but _do not_ want
to have ethereal use it, you can run configure with the "--disable-snmp"
option.
How to Report a Bug
-------------------
Ethereal is still under constant development, so it is possible that you will
encounter a bug while using it. Please report bugs to ethereal-dev@zing.org.
Be sure you tell us:
1) Operating System and version (the command 'uname -sr' may
tell you this, although on Linux systems it will probably
tell you only the version number of the Linux kernel, not of
the distribution as a whole; on Linux systems, please tell us
both the version number of the kernel, and which version of
which distribution you're running)
2) Version of GTK+ (the command 'gtk-config --version' will tell you)
3) Version of Ethereal (the command 'ethereal -v' will tell you,
unless the bug is so severe as to prevent that from working,
and should also tell you the versions of libraries with which
it was built)
4) The command you used to invoke Ethereal, and the sequence of
operations you performed that caused the bug to appear
If the bug is produced by a particular trace file, please be sure to send
a trace file along with your bug description. Please don't send a trace file
greater than 1 MB when compressed. If the trace file contains sensitive
information (e.g., passwords), then please do not send it.
If Ethereal died on you with a 'segmentation violation', 'bus error',
'abort', or other error that produces a UNIX core dump file, you can
help the developers a lot if you have a debugger installed. A stack
trace can be obtained by using your debugger ('gdb' in this example),
the ethereal binary, and the resulting core file. Here's an example of
how to use the gdb command 'backtrace' to do so.
$ gdb ethereal core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$
The core dump file may be named "ethereal.core" rather than "core" on
some platforms (e.g., BSD systems). If you got a core dump with
Tethereal rather than Ethereal, use "tethereal" as the first argument to
the debugger; the core dump may be named "tethereal.core".
Disclaimer
----------
There is no warranty, expressed or implied, associated with this product.
Use at your own risk.
Gerald Combs <gerald@zing.org>
Gilbert Ramirez <gram@xiexie.org>
Guy Harris <guy@alum.mit.edu>
4f5e161fe2