General Information
------- -----------
Ethereal is a network traffic analyzer for Unix and Unix-like operating
systems. It uses GTK+, a graphical user interface library,
and libpcap, a packet capture and filtering library.
The official home of Ethereal is
http://ethereal.zing.org
The latest distribution can be found in the subdirectory
http://ethereal.zing.org/distribution
Interesting and exotic packet traces can be found at
http://ethereal.zing.org/~gram/sample.html
Installation
------------
Ethereal is known to compile and run on the following systems:
- Linux (2.0.x, 2.1.x, 2.2.x)
- Solaris (2.5.1, 2.6)
- FreeBSD (2.2.5, 2.2.6)
- Sequent PTX v4.4.5 (Nick Williams <njw@sequent.com>)
- Tru64 UNIX (formerly Digital UNIX) (3.2, 4.0)
It should run on other systems without too much trouble.
NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to
work with the "make" that comes with Solaris 7 nor the BSD "make".
In addition, ethereal requires "flex" - it cannot be built
with vanilla "lex" - and either "bison" or the Berkeley "yacc". Your flex
version must be 2.5.1 or greater. Check this with 'flex -V'.
You must therefore install GNU "make", "flex", and either "bison" or
Berkeley "yacc" on systems that lack them.
Full installation instructions can be found in the INSTALL file.
See also the appropriate README.<OS> files for OS-specific installation
instructions.
Usage
-----
In order to capture packets from the network, you need to be running
as root, or have access to the appropriate entry under /dev if your
system is so inclined (BSD-derived systems and Solaris typically fall
into this category. Although it might be tempting to make the
Ethereal executable setuid root, please don't - alpha code is by nature
not very robust, and liable to contain security holes.
Please consult the man page for a description of each command-line
option and interface feature.
Multiple File Types
-------------------
The wiretap library is a packet-capture library currently under
development parallel to ethereal. In the future it is hoped that
wiretap will have more features than libpcap, but wiretap is still in
its infancy. However, wiretap is used in ethereal for its ability
to read multiple file types. You can read the following file
formats, and create display filters for them as well:
libpcap, Sniffer (uncompresed), NetXray, Sniffer Pro, snoop,
Shomiti, LANalyzer, Network Monitor, iptrace 2.0 (AIX), and
RADCOM's WAN/LAN Analyzer
IPv6
----
If your operating system includes IPv6 support, ethereal will attempt to
use reverse name resolution capabilities when decoding IPv6 packets. If
you want to turn off name resolution while using ethereal, start ethereal
with the "-n" option. If you would like to compile ethereal without
support for IPv6 name resolution, use the "--disable-ipv6" option with
"./configure". If you compile ethereal without IPv6 name resolution,
you will still be able to decode IPv6 packets, but you'll only see IPv6
addresses, not host names.
The "Follow TCP Stream" feature only supports TCP over IPv4. Support for TCP
over IPv6 is planned.
SNMP
----
Ethereal can do some basic decoding of SNMP packets, but it relies on an
external SNMP library to do this. You can use either the UCD or the CMU
SNMP libraries. The configure script will automatically determine which
library you have on your system and will use it. If you have an SNMP
library but _do not_ want to have ethereal use it, you can run configure
with the "--disable-snmp" option. No SNMP support will be compiled into
ethereal with this option.
Disclaimer
----------
There is no warranty, expressed or implied, associated with this product.
Use at your own risk.
Gerald Combs <gerald@zing.org>
Gilbert Ramirez <gram@verdict.uthscsa.edu>
9e58014e7f