General Information
-------------------

Ethereal is a network traffic analyzer for Unix and Unix-like operating
systems. It is based on GTK+, a graphical user interface library,
and libpcap, a packet capture and filtering library.

The official home of Ethereal is

    http://ethereal.zing.org

The latest distribution can be found in the subdirectory

    http://ethereal.zing.org/distribution

Interesting and exotic packet traces can be found at

    http://ethereal.zing.org/~gram/sample.html


Installation
------------

Ethereal is known to compile and run on the following systems:

  - Linux (2.0.x, 2.1.x, 2.2.x)
  - Solaris (2.5.1, 2.6)
  - FreeBSD (2.2.5, 2.2.6)
  - Sequent PTX v4.4.5 (Nick Williams <njw@sequent.com>)
  - Tru64 UNIX (formerly Digital UNIX) (3.2, 4.0)

It should run on other systems without too much trouble.

NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to
work with the "make" that comes with Solaris 7 or the BSD "make".

In addition, wiretap (see below) requires "flex" - it cannot be built
with vanilla "lex" - and either "bison" or the Berkeley "yacc"; whilst
the "yacc" that comes with Solaris 7 has a "-p" flag to replace "yy" in
various variable names with a specified prefix, to allow multiple
yacc-built parsers in the same program, it doesn't replace "yy" in the
"y.tab.h" file, so the lexical analyzer has no clue that "yylval" has
been renamed to "wtap_lval". (What *were* they thinking?)

You must therefore install GNU "make", "flex", and either "bison" or
Berkeley "yacc" on systems that lack them.
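
The following pre-build check is an added example, not a script shipped with Ethereal: it tests for the three tools the paragraph above requires (GNU "make", "flex" rather than vanilla "lex", and "bison" or a Berkeley "yacc") before you run "./configure". The version-banner strings it matches ("GNU Make", "flex", "GNU Bison") are what those tools print for "--version"; treating any "yacc" found on PATH as a usable Berkeley yacc is an assumption, since byacc's banner format is not something this README documents.

```sh
#!/bin/sh
# Added example (not part of the Ethereal distribution): check for the build
# tools the README says are required before running ./configure.
# Each predicate takes the tool's version banner as text, so the matching
# logic can be exercised even on a machine where the tool is absent.

# GNU make answers --version with a line containing "GNU Make"; BSD and
# Solaris make print a usage message (to stderr) or nothing at all.
is_gnu_make() {
    case "$1" in
        *"GNU Make"*) return 0 ;;
        *) return 1 ;;
    esac
}

# flex prints "flex <version>"; vanilla lex does not understand --version.
is_flex() {
    case "$1" in
        flex*) return 0 ;;
        *) return 1 ;;
    esac
}

# bison prints "bison (GNU Bison) <version>".
is_bison() {
    case "$1" in
        *"GNU Bison"*) return 0 ;;
        *) return 1 ;;
    esac
}

# First line of a tool's --version banner, or empty if the tool is missing
# or does not understand the flag.
banner_of() {
    "$1" --version 2>/dev/null | head -n 1
}

# Print one line per requirement; return the number of requirements unmet.
check_build_tools() {
    missing=0

    if is_gnu_make "$(banner_of make)" || is_gnu_make "$(banner_of gmake)"; then
        echo "ok:      GNU make"
    else
        echo "MISSING: GNU make (the Makefile does not build with BSD or Solaris make)"
        missing=$((missing + 1))
    fi

    if is_flex "$(banner_of flex)"; then
        echo "ok:      flex"
    else
        echo "MISSING: flex (wiretap cannot be built with vanilla lex)"
        missing=$((missing + 1))
    fi

    # Assumption: any yacc on PATH is accepted as a Berkeley yacc; the README
    # warns that the Solaris 7 yacc mishandles -p, so bison is the safer pick.
    if is_bison "$(banner_of bison)"; then
        echo "ok:      bison"
    elif command -v yacc >/dev/null 2>&1; then
        echo "ok:      yacc found (make sure it is Berkeley yacc, not the Solaris 7 one)"
    else
        echo "MISSING: bison or Berkeley yacc"
        missing=$((missing + 1))
    fi

    return "$missing"
}

# Usage: sh check-build-tools.sh check   (exit status = number of missing tools)
case "${1:-}" in
    check) check_build_tools ;;
esac
```

Run it as "sh check-build-tools.sh check" from the source directory; a non-zero exit status tells a build script to stop before "./configure" produces a half-working tree.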

Full installation instructions can be found in the INSTALL file.

See also the appropriate README.<OS> files for OS-specific installation
instructions.


Usage
-----

In order to capture packets from the network, you need to be running
as root, or have access to the appropriate entry under /dev if your
system is so inclined (BSD-derived systems and Solaris typically fall
into this category). Although it might be tempting to make the
Ethereal executable setuid root, please don't - alpha code is by nature
not very robust, and liable to contain security holes.
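
The audit below is an added example, not part of Ethereal: it checks whether an installed ethereal binary has been given the setuid-root bit that the paragraph above advises against, using only the mode and owner columns of POSIX "ls -l" output. The paths passed on the command line are up to you; the script assumes nothing about where ethereal is installed.

```sh
#!/bin/sh
# Added example (not part of the Ethereal distribution): flag setuid-root
# copies of the ethereal executable. A setuid-root ethereal would hand every
# local user root-privileged packet capture through alpha code, which is
# exactly the exposure the README's Usage section warns about.
# Only POSIX "ls -l" output is relied on: field 1 is the mode string
# (e.g. "-rwsr-xr-x") and field 3 is the owner.

mode_of()  { ls -ld "$1" | awk '{print $1}'; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# True if the owner-execute slot (4th character of the mode) is 's' or 'S';
# 'S' means the setuid bit is set without owner execute permission.
has_setuid_bit() {
    case "$(mode_of "$1")" in
        ???[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True only for the dangerous combination: setuid AND owned by root.
is_setuid_root() {
    has_setuid_bit "$1" && [ "$(owner_of "$1")" = "root" ]
}

# Report on each path given; return the number of setuid-root copies found.
audit_ethereal() {
    found=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if is_setuid_root "$f"; then
            echo "WARNING: $f is setuid root; clear it with: chmod u-s $f"
            found=$((found + 1))
        else
            echo "ok: $f (mode $(mode_of "$f"), owner $(owner_of "$f"))"
        fi
    done
    return "$found"
}

# Usage: sh audit-ethereal.sh /usr/local/bin/ethereal /usr/bin/ethereal
if [ $# -gt 0 ]; then
    audit_ethereal "$@"
fi
```

The supported alternative on BSD-derived systems and Solaris is the one the README names: leave the binary unprivileged and grant the capturing user read access to the relevant /dev entry instead.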

Please consult the man page for a description of each command-line
option and interface feature.


Multiple File Types
-------------------

The wiretap library is a packet-capture library currently under
development parallel to ethereal. In the future it is hoped that
wiretap will have more features than libpcap, but wiretap is still in
its infancy. You can compile ethereal with the wiretap library by using
'./configure --with-wiretap'. Using wiretap will allow you to read
libpcap, Sniffer, NetXray (and Sniffer Pro), Sun "snoop", LANalyzer,
Microsoft Network Monitor, and AIX "iptrace" 2.0 trace files. Some minimal
display filters now work. But because "Follow TCP Stream" relies on IP and TCP
display filtering, and those aren't yet available in wiretap's display filter
system, "Follow TCP Stream" is turned off when you compile --with-wiretap.
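
A multi-format reader such as wiretap has to decide which parser to hand a file to before it reads any packets, and it does that from the file's leading bytes. The script below is an added example, not wiretap's code: it identifies two of the formats listed above, libpcap (magic number 0xa1b2c3d4, stored in the writer's byte order, so a file from the other endianness begins d4 c3 b2 a1) and Sun "snoop" (the 8-byte signature "snoop" followed by three NUL bytes). The sample headers it writes are constructed here for offline use; the other formats in the list are reported as "unknown" because their signatures are not given on this page.

```sh
#!/bin/sh
# Added example (not wiretap's code): classify a capture file by its magic
# number, as a multi-format reader must before choosing a parser.
# Recognised here:
#   libpcap   - 32-bit magic 0xa1b2c3d4 in the writer's byte order
#   Sun snoop - 8-byte signature "snoop" followed by three NUL bytes
# Anything else is "unknown".

# Hex of the first 8 bytes of a file, no spaces (empty for an empty file).
leading_hex() {
    dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print the format name for the file given as $1.
capture_file_type() {
    case "$(leading_hex "$1")" in
        a1b2c3d4*)        echo "pcap (big-endian)" ;;
        d4c3b2a1*)        echo "pcap (little-endian)" ;;
        736e6f6f70000000) echo "snoop" ;;
        *)                echo "unknown" ;;
    esac
}

# Constructed sample headers (no packets) so the script runs offline.
# Little-endian pcap global header: magic, version 2.4, thiszone 0,
# sigfigs 0, snaplen 65535, link type 1 (Ethernet).
write_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}
# snoop header: signature, version 2, datalink type 4 (Ethernet), big-endian.
write_sample_snoop() {
    printf 'snoop\000\000\000\000\000\000\002\000\000\000\004' > "$1"
}

# Usage: sh capture-type.sh FILE...   (or "demo" to classify the samples)
case "${1:-}" in
    demo)
        p=$(mktemp); s=$(mktemp)
        write_sample_pcap "$p";  echo "$p: $(capture_file_type "$p")"
        write_sample_snoop "$s"; echo "$s: $(capture_file_type "$s")"
        rm -f "$p" "$s"
        ;;
    "") ;;
    *)
        for f in "$@"; do
            echo "$f: $(capture_file_type "$f")"
        done
        ;;
esac
```

Classifying by signature rather than by file extension is the point: a trace renamed to .cap is still a snoop file, and a reader that trusts the name will misparse it.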

You can still capture packets from within ethereal using libpcap, and therefore
use libpcap-style capture filters, however.

If you want to add support for other packet-capture file formats, please
look at the wiretap source code in the wiretap directory.

Please report any problems that are wiretap related to
Gilbert Ramirez <gram@verdict.uthscsa.edu>.


IPv6
----
If your operating system includes IPv6 support, ethereal will attempt to
use reverse name resolution capabilities when decoding IPv6 packets. If
you want to turn off name resolution while using ethereal, start ethereal
with the "-n" option. If you would like to compile ethereal without
support for IPv6 name resolution, use the "--disable-ipv6" option with
"./configure". If you compile ethereal without IPv6 name resolution,
you will still be able to decode IPv6 packets, but you'll only see IPv6
addresses, not host names.

The "Follow TCP Stream" feature only supports TCP over IPv4. Support for TCP
over IPv6 is planned.


SNMP
----
Ethereal can do some basic decoding of SNMP packets, but it relies on an
external SNMP library to do this. You can use either the UCD or the CMU
SNMP libraries. The configure script will automatically determine which
library you have on your system and will use it. If you have an SNMP
library but _do not_ want to have ethereal use it, you can run configure
with the "--disable-snmp" option. No SNMP support will be compiled into
ethereal with this option.


Disclaimer
----------

There is no warranty, expressed or implied, associated with this product.
Use at your own risk.


Gerald Combs <gerald@zing.org>
Gilbert Ramirez <gram@verdict.uthscsa.edu>