path: root/help/faq.txt
author: Ulf Lamping <ulf.lamping@web.de> 2003-11-18 23:11:49 +0000
committer: Ulf Lamping <ulf.lamping@web.de> 2003-11-18 23:11:49 +0000
commit: 0c5731a50a18ffe7b68720371adbc723088c38b0 (patch)
tree: 602f21f57508a7ecc9406939848864c6a5ec3c65 /help/faq.txt
parent: 4b24ca41ff9231be570d1bb5308c51fd91c3a63f (diff)
download: wireshark-0c5731a50a18ffe7b68720371adbc723088c38b0.tar.gz
"static content" and make environment of redesigned online help
svn path=/trunk/; revision=9016
Diffstat (limited to 'help/faq.txt')
-rw-r--r-- help/faq.txt 1733
1 files changed, 1733 insertions, 0 deletions
diff --git a/help/faq.txt b/help/faq.txt
new file mode 100644
index 0000000000..5a63b00468
--- /dev/null
+++ b/help/faq.txt
@@ -0,0 +1,1733 @@
+
+ The Ethereal FAQ
+
+ Note: This is just an ASCII snapshot of the faq and may not be up to
+ date. Please go to http://www.ethereal.com/faq for the up to
+ date version. The version of this snapshot can be found at the
+ end of this document.
+
+ INDEX
+
+ General Questions:
+
+ 1.1 Where can I get help?
+
+ 1.2 What protocols are currently supported?
+
+ 1.3 Are there any plans to support {your favorite protocol}?
+
+ 1.4 Can Ethereal read capture files from {your favorite network
+ analyzer}?
+
+ 1.5 What devices can Ethereal use to capture packets?
+
+ 1.6 How do you pronounce Ethereal? Where did the name come from?
+
+ Downloading Ethereal:
+
+ 2.1 I downloaded the Win32 installer, but when I try to run it, I get
+ an error.
+
+ 2.2 When I try to download the WinPcap driver and library, I can't get
+ to the WinPcap Web site.
+
+ Installing Ethereal:
+
+ 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be
+ installed; only Tethereal is installed.
+
+ Building Ethereal:
+
+ 4.1 The configure script can't find pcap.h or bpf.h, but I have
+ libpcap installed.
+
+ 4.2 Why do I get the error
+
+ dftest_DEPENDENCIES was already defined in condition TRUE, which
+ implies condition HAVE_PLUGINS_TRUE
+
+ when I try to build Ethereal from CVS or a CVS snapshot?
+
+ 4.3 The link fails with a number of "Output line too long." messages
+ followed by linker errors.
+
+ 4.4 The link fails on Solaris because plugin_list is undefined.
+
+ 4.5 The build fails on Windows because of conflicts between winsock.h
+ and winsock2.h.
+
+ Using Ethereal:
+
+ 5.1 When I use Ethereal to capture packets, I see only packets to and
+ from my machine, or I'm not seeing all the traffic I'm expecting to
+ see from or to the machine I'm trying to monitor.
+
+ 5.2 I can't see any TCP packets other than packets to and from my
+ machine, even though another analyzer on the network sees those
+ packets.
+
+ 5.3 I'm only seeing ARP packets when I try to capture traffic.
+
+ 5.4 How do I put an interface into promiscuous mode?
+
+ 5.5 I can set a display filter just fine, but capture filters don't
+ work.
+
+ 5.6 I'm entering valid capture filters, but I still get "parse error"
+ errors.
+
+ 5.7 I saved a filter and tried to use its name to filter the display,
+ but I got an "Unexpected end of filter string" error.
+
+ 5.8 Why am I seeing lots of packets with incorrect TCP checksums?
+
+ 5.9 I've just installed Ethereal, and the traffic on my local LAN is
+ boring.
+
+ 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
+ start it.
+
+ 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson
+ error, reporting an "Integer division by zero" exception, when I start
+ it.
+
+ 5.12 When I try to run Ethereal, it complains about
+ sprint_realloc_objid being undefined.
+
+ 5.13 I'm running Ethereal on Linux; why do my time stamps have only
+ 100ms resolution, rather than 1us resolution?
+
+ 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
+ why are the time stamps on packets wrong?
+
+ 5.15 When I try to run Ethereal on Windows, it fails to run because it
+ can't find packet.dll.
+
+ 5.16 I'm running Ethereal on Windows; why does some network interface
+ on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ 5.17 I'm running on a UNIX-flavored OS; why does some network
+ interface on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ 5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
+ a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
+ "Interface" item in the "Capture Options" dialog box. Why can no
+ packets be sent on or received from that network while I'm trying to
+ capture traffic on that interface?
+
+ 5.19 I'm running Ethereal on Windows 95/98/Me, on a machine with more
+ than one network adapter of the same type; Ethereal shows all of those
+ adapters with the same name, but I can't use any of those adapters
+ other than the first one.
+
+ 5.20 I'm running Ethereal on Windows, and I'm not seeing any traffic
+ being sent by the machine running Ethereal.
+
+ 5.21 I'm trying to capture traffic but I'm not seeing any.
+
+ 5.22 I have an XXX network card on my machine; if I try to capture on
+ it, my machine crashes or resets itself.
+
+ 5.23 My machine crashes or resets itself when I select "Start" from
+ the "Capture" menu or select "Preferences" from the "Edit" menu.
+
+ 5.24 Does Ethereal work on Windows ME?
+
+ 5.25 Does Ethereal work on Windows XP?
+
+ 5.26 Why doesn't Ethereal correctly identify RTP packets? It shows
+ them only as UDP.
+
+ 5.27 Why doesn't Ethereal show Yahoo Messenger packets in captures
+ that contain Yahoo Messenger traffic?
+
+ 5.28 Why do I get the error
+
+ Gdk-ERROR **: Palettized display (256-colour) mode not supported on
+ Windows.
+ aborting....
+
+ when I try to run Ethereal on Windows?
+
+ 5.29 When I capture on Windows in promiscuous mode, I can see packets
+ other than those sent to or from my machine; however, those packets
+ show up with a "Short Frame" indication, unlike packets to or from my
+ machine. What should I do to arrange that I see those packets in their
+ entirety?
+
+ 5.30 How can I capture raw 802.11 packets, including non-data
+ (management, beacon) packets?
+
+ 5.31 How can I capture packets with CRC errors?
+
+ 5.32 How can I capture entire frames, including the FCS?
+
+ 5.33 Ethereal hangs after I stop a capture.
+
+ 5.34 How can I search for, or filter, packets that have a particular
+ string anywhere in them?
+
+ GENERAL QUESTIONS
+ Q 1.1: Where can I get help?
+
+ A: Support is available on the ethereal-users mailing list.
+ Subscription information and archives for all of Ethereal's mailing
+ lists can be found at http://www.ethereal.com/lists
+
+ Q 1.2: What protocols are currently supported?
+
+ A: There are currently 393 supported protocols and media, listed
+ below. Descriptions can be found in the ethereal(1) man page.
+
+ 802.1q Virtual LAN
+ 802.1x Authentication
+ AFS (4.0) Replication Server call declarations
+ AOL Instant Messenger
+ ARCNET
+ ATM
+ ATM AAL1
+ ATM AAL3/4
+ ATM LAN Emulation
+ ATM OAM AAL
+ AVS WLAN Capture header
+ Ad hoc On-demand Distance Vector Routing Protocol
+ Address Resolution Protocol
+ Aggregate Server Access Protocol
+ Alert Standard Forum
+ Andrew File System (AFS)
+ Apache JServ Protocol v1.3
+ AppleTalk Filing Protocol
+ AppleTalk Session Protocol
+ AppleTalk Transaction Protocol packet
+ Appletalk Address Resolution Protocol
+ Application Configuration Access Protocol
+ Async data over ISDN (V.120)
+ Authentication Header
+ BACnet Virtual Link Control
+ Banyan Vines ARP
+ Banyan Vines Echo
+ Banyan Vines Fragmentation Protocol
+ Banyan Vines ICP
+ Banyan Vines IP
+ Banyan Vines IPC
+ Banyan Vines LLC
+ Banyan Vines RTP
+ Banyan Vines SPP
+ Blocks Extensible Exchange Protocol
+ Boardwalk
+ Boot Parameters
+ Bootstrap Protocol
+ Border Gateway Protocol
+ Building Automation and Control Network APDU
+ Building Automation and Control Network NPDU
+ CDS Clerk Server Calls
+ Check Point High Availability Protocol
+ Checkpoint FW-1
+ Cisco Auto-RP
+ Cisco Discovery Protocol
+ Cisco Group Management Protocol
+ Cisco HDLC
+ Cisco Hot Standby Router Protocol
+ Cisco ISL
+ Cisco Interior Gateway Routing Protocol
+ Cisco NetFlow
+ Cisco SLARP
+ Clearcase NFS
+ CoSine IPNOS L2 debug output
+ Common Open Policy Service
+ Common Unix Printing System (CUPS) Browsing Protocol
+ DCE DFS Calls
+ DCE Distributed Time Service Local Server
+ DCE Distributed Time Service Provider
+ DCE Name Service
+ DCE RPC
+ DCE Security ID Mapper
+ DCE/RPC BOS Server
+ DCE/RPC CDS Solicitation
+ DCE/RPC Conversation Manager
+ DCE/RPC Endpoint Mapper
+ DCE/RPC FLDB
+ DCE/RPC FLDB UBIK TRANSFER
+ DCE/RPC FLDB UBIKVOTE
+ DCE/RPC Kerberos V
+ DCE/RPC RS_ACCT
+ DCE/RPC RS_MISC
+ DCE/RPC RS_UNIX
+ DCE/RPC Remote Management
+ DCE/RPC Repserver Calls
+ DCE/RPC TokenServer Calls
+ DCE/RPC UpServer
+ DCOM OXID Resolver
+ DCOM Remote Activation
+ DEC Spanning Tree Protocol
+ DHCPv6
+ DNS Control Program Server
+ Data
+ Data Link SWitching
+ Data Stream Interface
+ Datagram Delivery Protocol
+ Diameter Protocol
+ Distance Vector Multicast Routing Protocol
+ Distcc Distributed Compiler
+ Distributed Checksum Clearinghouse Prototocl
+ Domain Name Service
+ Dynamic DNS Tools Protocol
+ Echo
+ Encapsulating Security Payload
+ Enhanced Interior Gateway Routing Protocol
+ EtherNet/IP (Industrial Protocol)
+ Ethernet
+ Ethernet over IP
+ Extensible Authentication Protocol
+ FC Extended Link Svc
+ FC Fabric Configuration Server
+ FCIP
+ FTP Data
+ FTServer Operations
+ Fiber Distributed Data Interface
+ Fibre Channel
+ Fibre Channel Common Transport
+ Fibre Channel Fabric Zone Server
+ Fibre Channel Name Server
+ Fibre Channel Protocol for SCSI
+ Fibre Channel SW_ILS
+ File Transfer Protocol (FTP)
+ Financial Information eXchange Protocol
+ Frame
+ Frame Relay
+ GARP Multicast Registration Protocol
+ GARP VLAN Registration Protocol
+ GPRS Tunneling Protocol
+ GPRS Tunnelling Protocol v0
+ GPRS Tunnelling Protocol v1
+ General Inter-ORB Protocol
+ Generic Routing Encapsulation
+ Generic Security Service Application Program Interface
+ Gnutella Protocol
+ H245
+ HP Extended Local-Link Control
+ HP Remote Maintenance Protocol
+ Hummingbird NFS Daemon
+ HyperSCSI
+ Hypertext Transfer Protocol
+ ICQ Protocol
+ IEEE 802.11 wireless LAN
+ IEEE 802.11 wireless LAN management frame
+ ILMI
+ IP Over FC
+ IP Payload Compression
+ IPX Message
+ IPX Routing Information Protocol
+ IPX WAN
+ ISDN
+ ISDN Q.921-User Adaptation Layer
+ ISDN User Part
+ ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
+ ISO 8073 COTP Connection-Oriented Transport Protocol
+ ISO 8473 CLNP ConnectionLess Network Protocol
+ ISO 8602 CLTP ConnectionLess Transport Protocol
+ ISO 9542 ESIS Routeing Information Exchange Protocol
+ ITU-T Recommendation H.261
+ InMon sFlow
+ Intel ANS probe
+ Intelligent Platform Management Interface
+ Inter-Access-Point Protocol
+ Interbase
+ Internet Cache Protocol
+ Internet Content Adaptation Protocol
+ Internet Control Message Protocol
+ Internet Control Message Protocol v6
+ Internet Group Management Protocol
+ Internet Message Access Protocol
+ Internet Printing Protocol
+ Internet Protocol
+ Internet Protocol Version 6
+ Internet Relay Chat
+ Internet Security Association and Key Management Protocol
+ Internetwork Packet eXchange
+ Jabber XML Messaging
+ Java RMI
+ Java Serialization
+ Kerberos
+ Kerberos Administration
+ Kernel Lock Manager
+ Label Distribution Protocol
+ Layer 2 Tunneling Protocol
+ Lightweight Directory Access Protocol
+ Line Printer Daemon Protocol
+ Link Access Procedure Balanced (LAPB)
+ Link Access Procedure Balanced Ethernet (LAPBETHER)
+ Link Access Procedure, Channel D (LAPD)
+ Link Aggregation Control Protocol
+ Link Management Protocol (LMP)
+ Linux cooked-mode capture
+ Local Management Interface
+ LocalTalk Link Access Protocol
+ Logical-Link Control
+ Lucent/Ascend debug output
+ MDS Header
+ MMS Message Encapsulation
+ MS Proxy Protocol
+ MSN Messenger Service
+ MSNIP: Multicast Source Notification of Interest Protocol
+ MTP 2 Transparent Proxy
+ MTP 2 User Adaptation Layer
+ MTP 3 User Adaptation Layer
+ MTP2 Peer Adaptation Layer
+ Message Transfer Part Level 2
+ Message Transfer Part Level 3
+ Message Transfer Part Level 3 Management
+ Microsoft Distributed File System
+ Microsoft Exchange MAPI
+ Microsoft Local Security Architecture
+ Microsoft Local Security Architecture (Directory Services)
+ Microsoft Messenger Service
+ Microsoft Network Logon
+ Microsoft Registry
+ Microsoft Security Account Manager
+ Microsoft Server Service
+ Microsoft Service Control
+ Microsoft Spool Subsystem
+ Microsoft Task Scheduler Service
+ Microsoft Telephony API Service
+ Microsoft Windows Browser Protocol
+ Microsoft Windows Lanman Remote API Protocol
+ Microsoft Windows Logon Protocol
+ Microsoft Workstation Service
+ Mobile IP
+ Mobile IPv6
+ Modbus/TCP
+ Mount Service
+ MultiProtocol Label Switching Header
+ Multicast Router DISCovery protocol
+ Multicast Source Discovery Protocol
+ MySQL Protocol
+ NFSACL
+ NFSAUTH
+ NIS+
+ NIS+ Callback
+ NSPI
+ NTLM Secure Service Provider
+ Name Binding Protocol
+ Name Management Protocol over IPX
+ NetBIOS
+ NetBIOS Datagram Service
+ NetBIOS Name Service
+ NetBIOS Session Service
+ NetBIOS over IPX
+ NetWare Core Protocol
+ NetWare Link Services Protocol
+ Network Data Management Protocol
+ Network File System
+ Network Lock Manager Protocol
+ Network News Transfer Protocol
+ Network Status Monitor CallBack Protocol
+ Network Status Monitor Protocol
+ Network Time Protocol
+ Novell Distributed Print System
+ Null/Loopback
+ Open Shortest Path First
+ OpenBSD Encapsulating device
+ OpenBSD Packet Filter log file
+ OpenBSD Packet Filter log file, pre 3.4
+ PC NFS
+ PPP Bandwidth Allocation Control Protocol
+ PPP Bandwidth Allocation Protocol
+ PPP CDP Control Protocol
+ PPP Callback Control Protocol
+ PPP Challenge Handshake Authentication Protocol
+ PPP Compressed Datagram
+ PPP Compression Control Protocol
+ PPP IP Control Protocol
+ PPP IPv6 Control Protocol
+ PPP Link Control Protocol
+ PPP MPLS Control Protocol
+ PPP Multilink Protocol
+ PPP Multiplexing
+ PPP Password Authentication Protocol
+ PPP VJ Compression
+ PPP-over-Ethernet Discovery
+ PPP-over-Ethernet Session
+ PPPMux Control Protocol
+ Packet Encoding Rules (ASN.1 X.691)
+ Point-to-Point Protocol
+ Point-to-Point Tunnelling Protocol
+ Portmap
+ Post Office Protocol
+ Pragmatic General Multicast
+ Prism
+ Privilege Server operations
+ Protocol Independent Multicast
+ Q.2931
+ Q.931
+ Quake II Network Protocol
+ Quake III Arena Network Protocol
+ Quake Network Protocol
+ QuakeWorld Network Protocol
+ Qualified Logical Link Control
+ RFC 2250 MPEG1
+ RIPng
+ RPC Browser
+ RSTAT
+ RSYNC File Synchroniser
+ RX Protocol
+ Radio Access Network Application Part
+ Radius Protocol
+ Raw packet data
+ Real Time Streaming Protocol
+ Real-Time Transport Protocol
+ Real-time Transport Control Protocol
+ Registry Server Attributes Manipulation Interface
+ Registry server administration operations.
+ Remote Management Control Protocol
+ Remote Override interface
+ Remote Procedure Call
+ Remote Program Load
+ Remote Quota
+ Remote Shell
+ Remote Wall protocol
+ Remote sec_login preauth interface.
+ Resource ReserVation Protocol (RSVP)
+ Rlogin Protocol
+ Routing Information Protocol
+ Routing Table Maintenance Protocol
+ SADMIND
+ SCSI
+ SGI Mount Service
+ SMB (Server Message Block Protocol)
+ SMB MailSlot Protocol
+ SMB Pipe Protocol
+ SNA-over-Ethernet
+ SNMP Multiplex Protocol
+ SPNEGO-KRB5
+ SPRAY
+ SS7 SCCP-User Adaptation Layer
+ SSCOP
+ SSH Protocol
+ Secure Socket Layer
+ Sequenced Packet eXchange
+ Service Advertisement Protocol
+ Service Location Protocol
+ Session Announcement Protocol
+ Session Description Protocol
+ Session Initiation Protocol
+ Short Message Peer to Peer
+ Signalling Connection Control Part
+ Signalling Connection Control Part Management
+ Simple Mail Transfer Protocol
+ Simple Network Management Protocol
+ Sinec H1 Protocol
+ Skinny Client Control Protocol
+ SliMP3 Communication Protocol
+ Socks Protocol
+ Spanning Tree Protocol
+ Spnego
+ Stream Control Transmission Protocol
+ Synchronous Data Link Control (SDLC)
+ Syslog message
+ Systems Network Architecture
+ Systems Network Architecture XID
+ TACACS
+ TACACS+
+ TPKT
+ Tabular Data Stream
+ Tazmen Sniffer Protocol
+ Telnet
+ Time Protocol
+ Time Synchronization Protocol
+ Token-Ring
+ Token-Ring Media Access Control
+ Transmission Control Protocol
+ Transparent Network Substrate Protocol
+ Trivial File Transfer Protocol
+ UDP Encapsulation of IPsec Packets
+ Universal Computer Protocol
+ User Datagram Protocol
+ Virtual Router Redundancy Protocol
+ Virtual Trunking Protocol
+ WAP Binary XML
+ Web Cache Coordination Protocol
+ Wellfleet Breath of Life
+ Wellfleet Compression
+ Wellfleet HDLC
+ Who
+ Windows 2000 DNS
+ Wireless Session Protocol
+ Wireless Transaction Protocol
+ Wireless Transport Layer Security
+ X Display Manager Control Protocol
+ X.25
+ X.25 over TCP
+ X.29
+ X11
+ Xyplex
+ Yahoo Messenger Protocol
+ Yahoo YMSG Messenger Protocol
+ Yellow Pages Bind
+ Yellow Pages Passwd
+ Yellow Pages Service
+ Yellow Pages Transfer
+ Zebra Protocol
+ Zone Information Protocol
+ eDonkey Protocol
+ iSCSI
+ iSNS
+
+ Q 1.3: Are there any plans to support {your favorite protocol}?
+
+ A: Support for particular protocols is added to Ethereal as a result
+ of people contributing that support; no formal plans for adding
+ support for particular protocols in particular future releases exist.
+
+ Q 1.4: Can Ethereal read capture files from {your favorite network
+ analyzer}?
+
+ A: Support for particular protocols is added to Ethereal as a result
+ of people contributing that support; no formal plans for adding
+ support for particular protocols in particular future releases exist.
+
+ If a network analyzer writes out files in a format already supported
+ by Ethereal (e.g., in libpcap format), Ethereal may already be able to
+ read them, unless the analyzer has added its own proprietary
+ extensions to that format.
+
+ If a network analyzer writes out files in its own format, or has added
+ proprietary extensions to another format, in order to make Ethereal
+ read captures from that network analyzer, we would either have to have
+ a specification for the file format, or the extensions, sufficient to
+ give us enough information to read the parts of the file relevant to
+ Ethereal, or would need at least one capture file in that format AND a
+ detailed textual analysis of the packets in that capture file (showing
+ packet time stamps, packet lengths, and the top-level packet header)
+ in order to reverse-engineer the file format.
+
+ Note that there is no guarantee that we will be able to
+ reverse-engineer a capture file format.
+
+ Q 1.5: What devices can Ethereal use to capture packets?
+
+ A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial
+ (PPP and SLIP) (if the OS on which it's running allows Ethereal to do
+ so), 802.11 wireless LAN (if the OS on which it's running allows
+ Ethereal to do so), ATM connections (if the OS on which it's running
+ allows Ethereal to do so), and the "any" device supported on Linux by
+ recent versions of libpcap. See the list of supported capture media on
+ various OSes for details (several items in there say "Unknown", which
+ doesn't mean "Ethereal can't capture on them", it means "we don't know
+ whether it can capture on them"; we expect that it will be able to
+ capture on many of them, but we haven't tried it ourselves - if you
+ try one of those types and it works, please send an update to
+ ethereal-web[AT]ethereal.com).
+
+ It can also read a variety of capture file formats, including:
+ * libpcap/tcpdump
+ * Sun snoop/atmsnoop
+ * Shomiti/Finisar Surveyor
+ * LanAlyzer
+ * DOS-based Sniffer (compressed and uncompressed)
+ * MS Network Monitor
+ * AIX iptrace
+ * NetXray and Windows-based Sniffer
+ * EtherPeek/TokenPeek/AiroPeek
+ * RADCOM WAN/LAN analyzer
+ * Lucent/Ascend debug output
+ * Toshiba ISDN router "snoop" output
+ * HPUX nettl
+ * ISDN4BSD "i4btrace" utility.
+ * Cisco Secure IDS
+ * pppd log files (pppdump format)
+ * VMS TCPIPtrace
+ * DBS Etherwatch
+ * Visual Networks' Visual UpTime
+ * CoSine L2 debug
+
+ so that it can read traces from various network types, as captured by
+ other applications or equipment, even if it cannot itself capture on
+ those network types.
+
+ Q 1.6: How do you pronounce Ethereal? Where did the name come from?
+
+ A: The English pronunciation can be found in Merriam-Webster's online
+ dictionary at
+ http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.
+
+ According to the book "Computer Networks" by Andrew Tannenbaum,
+ Ethernet was named after the "luminiferous ether" which was once
+ thought to carry electromagnetic radiation. Taking that into
+ consideration, Ethereal seemed like an appropriate name for an
+ Ethernet analyzer.
+
+ DOWNLOADING ETHEREAL
+ Q 2.1: I downloaded the Win32 installer, but when I try to run it, I
+ get an error.
+
+ A: The program you used to download it may have downloaded it
+ incorrectly. Web browsers sometimes may do this.
+
+ Try downloading it with, for example:
+ * Wget, for which Windows binaries are available on the SunSITE FTP
+ server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
+ offers a GUI interface that uses wget;
+ * WS_FTP from Ipswitch,
+ * the ftp command that comes with Windows.
+
+ If you use the ftp command, make sure you do the transfer in binary
+ mode rather than ASCII mode, by using the binary command before
+ transferring the file.
+
+ Q 2.2: When I try to download the WinPcap driver and library, I can't
+ get to the WinPcap Web site.
+
+ A: As is the case with all Web sites, that site won't necessarily
+ always be accessible; the server may be down due to a problem or down
+ for maintenance, or there may be a networking problem between you and
+ the server. You should try again later, or try the local mirror or the
+ Wiretapped.net mirror.
+
+ INSTALLING ETHEREAL
+ Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
+ installed; only Tethereal is installed.
+
+ A: Red Hat RPMs for Ethereal put only the non-GUI components into the
+ ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding;
+ there's a separate ethereal-gnome RPM that includes GUI components
+ such as Ethereal itself, the fact that Ethereal doesn't use GNOME
+ nonwithstanding. Find the ethereal-gnome RPM, and install that also.
+
+ BUILDING ETHEREAL
+ Q 4.1: The configure script can't find pcap.h or bpf.h, but I have
+ libpcap installed.
+
+ A: Are you sure pcap.h and bpf.h are installed? The official
+ distribution of libpcap only installs the libpcap.a library file when
+ "make install" is run. To install pcap.h and bpf.h, you must run "make
+ install-incl". If you're running Debian or Redhat, make sure you have
+ the "libpcap-dev" or "libpcap-devel" packages installed.
+
+ It's also possible that pcap.h and bpf.h have been installed in a
+ strange location. If this is the case, you may have to tweak
+ aclocal.m4.
+
+ Q 4.2: Why do I get the error
+
+ dftest_DEPENDENCIES was already defined in condition TRUE, which
+ implies condition HAVE_PLUGINS_TRUE
+
+ when I try to build Ethereal from CVS or a CVS snapshot?
+
+ A: You probably have automake 1.5 installed on your machine (the
+ command automake --version will report the version of automake on your
+ machine). There is a bug in that version of automake that causes this
+ problem; upgrade to a later version of automake (1.6 or later).
+
+ Q 4.3: The link fails with a number of "Output line too long."
+ messages followed by linker errors.
+
+ A: The version of the sed command on your system is incapable of
+ handling very long lines. On Solaris, for example, /usr/bin/sed has a
+ line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
+ can handle it, as can GNU sed if you have it installed.
+
+ On Solaris, changing your command search path to search /usr/xpg4/bin
+ before /usr/bin should make the problem go away; on any platform on
+ which you have this problem, installing GNU sed and changing your
+ command path to search the directory in which it is installed before
+ searching the directory with the version of sed that came with the OS
+ should make the problem go away.
+
+ Q 4.4: The link fails on Solaris because plugin_list is undefined.
+
+ A: This appears to be due to a problem with some versions of the GTK+
+ and GLib packages from www.sunfreeware.org; un-install those packages,
+ and try getting the 1.2.10 versions from that site, or the versions
+ from The Written Word, or the versions from Sun's GNOME distribution,
+ or the versions from the supplemental software CD that comes with the
+ Solaris media kit, or build them from source from the GTK Web site.
+ Then re-run the configuration script, and try rebuilding Ethereal. (If
+ you get the 1.2.10 versions from www.sunfreeware.org, and the problem
+ persists, un-install them and try installing one of the other versions
+ mentioned.)
+
+ Q 4.5: The build fails on Windows because of conflicts between
+ winsock.h and winsock2.h.
+
+ A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and
+ the corresponding version of the developer's pack, in order to be able
+ to compile Ethereal; it will not compile with older versions of the
+ developer's pack. The symptoms of this failure are conflicts between
+ definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h,
+ but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
+ (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would
+ not be able to build with current versions of the WinPcap developer's
+ pack.)
+
+ Note that the installed version of the developer's pack should be the
+ same version as the version of WinPcap you have installed.
+
+ USING ETHEREAL
+ Q 5.1: When I use Ethereal to capture packets, I see only packets to
+ and from my machine, or I'm not seeing all the traffic I'm expecting
+ to see from or to the machine I'm trying to monitor.
+
+ A: This might be because the interface on which you're capturing is
+ plugged into a switch; on a switched network, unicast traffic between
+ two ports will not necessarily appear on other ports - only broadcast
+ and multicast traffic will be sent to all ports.
+
+ Note that even if your machine is plugged into a hub, the "hub" may be
+ a switched hub, in which case you're still on a switched network.
+
+ Note also that on the Linksys Web site, they say that their
+ auto-sensing hubs "broadcast the 10Mb packets to the port that operate
+ at 10Mb only and broadcast the 100Mb packets to the ports that operate
+ at 100Mb only", which would indicate that if you sniff on a 10Mb port,
+ you will not see traffic coming sent to a 100Mb port, and vice versa.
+ This problem has also been reported for Netgear dual-speed hubs, and
+ may exist for other "auto-sensing" or "dual-speed" hubs.
+
+ Some switches have the ability to replicate all traffic on all ports
+ to a single port so that you can plug your analyzer into that single
+ port to sniff all traffic. You would have to check the documentation
+ for the switch to see if this is possible and, if so, to see how to do
+ this. See, for example:
+ * this documentation from Cisco on the Switched Port Analyzer (SPAN)
+ feature on Catalyst switches;
+ * documentation from HP on how to set "monitoring"/"mirroring" on
+ ports on the console for HP Advancestack Switch 208 and 224;
+ * the "Network Monitoring Port Features" section of chapter 6 of
+ documentation from HP for HP ProCurve Switches 1600M, 2424M,
+ 4000M, and 8000M.
+
+ Note also that many firewall/NAT boxes have a switch built into them;
+ this includes many of the "cable/DSL router" boxes. If you have a box
+ of that sort, that has a switch with some number of Ethernet ports
+ into which you plug machines on your network, and another Ethernet
+ port used to connect to a cable or DSL modem, you can, at least, sniff
+ traffic between the machines on your network and the Internet by
+ plugging the Ethernet port on the router going to the modem, the
+ Ethernet port on the modem, and the machine on which you're running
+ Ethereal into a hub (make sure it's not a switching hub, and that, if
+ it's a dual-speed hub, all three of those ports are running at the
+ same speed.
+
+ If your machine is not plugged into a switched network or a dual-speed
+ hub, or it is plugged into a switched network but the port is set up
+ to have all traffic replicated to it, the problem might be that the
+ network interface on which you're capturing doesn't support
+ "promiscuous" mode, or because your OS can't put the interface into
+ promiscuous mode. Normally, network interfaces supply to the host
+ only:
+ * packets sent to one of that host's link-layer addresses;
+ * broadcast packets;
+ * multicast packets sent to a multicast address that the host has
+ configured the interface to accept.
+
+ Most network interfaces can also be put in "promiscuous" mode, in
+ which they supply to the host all network packets they see. Ethereal
+ will try to put the interface on which it's capturing into promiscuous
+ mode unless the "Capture packets in promiscuous mode" option is turned
+ off in the "Capture Options" dialog box, and Tethereal will try to put
+ the interface on which it's capturing into promiscuous mode unless the
+ -p option was specified. However, some network interfaces don't
+ support promiscuous mode, and some OSes might not allow interfaces to
+ be put into promiscuous mode.
+
+ If the interface is not running in promiscuous mode, it won't see any
+ traffic that isn't intended to be seen by your machine. It will see
+ broadcast packets, and multicast packets sent to a multicast MAC
+ address the interface is set up to receive.
+
+ You should ask the vendor of your network interface whether it
+ supports promiscuous mode. If it does, you should ask whoever supplied
+ the driver for the interface (the vendor, or the supplier of the OS
+ you're running on your machine) whether it supports promiscuous mode
+ with that network interface.
+
+ In the case of token ring interfaces, the drivers for some of them, on
+ Windows, may require you to enable promiscuous mode in order to
+ capture in promiscuous mode. Ask the vendor of the card how to do
+ this, or see, for example, this information on promiscuous mode on
+ some Madge token ring adapters (note that those cards can have
+ promiscuous mode disabled permanently, in which case you can't enable
+ it).
+
+ In the case of wireless LAN interfaces, it appears that, when those
+ interfaces are promiscuously sniffing, they're running in a
+ significantly different mode from the mode that they run in when
+ they're just acting as network interfaces (to the extent that it would
+ be a significant effor for those drivers to support for promiscuously
+ sniffing and acting as regular network interfaces at the same time),
+ so it may be that Windows drivers for those interfaces don't support
+ promiscuous mode.
+
+ Q 5.2: I can't see any TCP packets other than packets to and from my
+ machine, even though another analyzer on the network sees those
+ packets.
+
+ A: You're probably not seeing any packets other than unicast packets
+ to or from your machine, and broadcast and multicast packets; a switch
+ will normally send to a port only unicast traffic sent to the MAC
+ address for the interface on that port, and broadcast and multicast
+ traffic - it won't send to that port unicast traffic sent to a MAC
+ address for some other interface - and a network interface not in
+ promiscuous mode will receive only unicast traffic sent to the MAC
+ address for that interface, broadcast traffic, and multicast traffic
+ sent to a multicast MAC address the interface is set up to receive.
+
+ TCP doesn't use broadcast or multicast, so you will only see your own
+ TCP traffic, but UDP services may use broadcast or multicast so you'll
+ see some UDP traffic - however, this is not a problem with TCP
+ traffic, it's a problem with unicast traffic, as you also won't see
+ all UDP traffic between other machines.
+
+ I.e., this is probably the same question as this earlier one; see the
+ response to that question.
+
+ Q 5.3: I'm only seeing ARP packets when I try to capture traffic.
+
+ A: You're probably on a switched network, and running Ethereal on a
+ machine that's not sending traffic to the switch and not being sent
+ any traffic from other machines on the switch. ARP packets are often
+ broadcast packets, which are sent to all switch ports.
+
+ I.e., this is probably the same question as this earlier one; see the
+ response to that question.
+
+ Q 5.4: How do I put an interface into promiscuous mode?
+
+ A: By not disabling promiscuous mode when running Ethereal or
+ Tethereal.
+
+ Note, however, that:
+ * the form of promiscuous mode that libpcap (the library that
+ programs such as tcpdump, Ethereal, etc. use to do packet capture)
+ turns on will not necessarily be shown if you run ifconfig on the
+ interface on a UNIX system;
+ * some network interfaces might not support promiscuous mode, and
+ some drivers might not allow promiscuous mode to be turned on -
+ see this earlier question for more information on that;
+ * the fact that you're not seeing any traffic, or are only seeing
+ broadcast traffic, or aren't seeing any non-broadcast traffic
+ other than traffic to or from the machine running Ethereal, does
+ not mean that promiscuous mode isn't on - see this earlier
+ question for more information on that.
+
+ I.e., this is probably the same question as this earlier one; see the
+ response to that question.
+
+ Q 5.5: I can set a display filter just fine, but capture filters don't
+ work.
+
+ A: Capture filters currently use a different syntax than display
+ filters. Here's the corresponding section from the ethereal(1) man
+ page:
+
+ "Display filters in Ethereal are very powerful; more fields are
+ filterable in Ethereal than in other protocol analyzers, and the
+ syntax you can use to create your filters is richer. As Ethereal
+ progresses, expect more and more protocol fields to be allowed in
+ display filters.
+
+ Packet capturing is performed with the pcap library. The capture
+ filter syntax follows the rules of the pcap library. This syntax is
+ different from the display filter syntax."
+
+ The capture filter syntax used by libpcap can be found in the
+ tcpdump(8) man page.
+
+ Q 5.6: I'm entering valid capture filters, but I still get "parse
+ error" errors.
+
+ A: There is a bug in some versions of libpcap/WinPcap that cause it to
+ report parse errors even for valid expressions if a previous filter
+ expression was invalid and got a parse error.
+
+ Try exiting and restarting Ethereal; if you are using a version of
+ libpcap/WinPcap with this bug, this will "erase" its memory of the
+ previous parse error. If the capture filter that got the "parse error"
+ now works, the earlier error with that filter was probably due to this
+ bug.
+
+ The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
+ libpcap have this bug, but 0.6[.x] and later versions don't.
+
+ Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
+ libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
+ doesn't have this bug.
+
+ If you are running Ethereal on a UNIX-flavored platform, run "ethereal
+ -v", or select "About Ethereal..." from the "Help" menu in Ethereal,
+ to see what version of libpcap it's using. If it's not 0.6 or later,
+ you will need either to upgrade your OS to get a later version of
+ libpcap, or will need to build and install a later version of libpcap
+ from the tcpdump.org Web site and then recompile Ethereal from source
+ with that later version of libpcap.
+
+ If you are running Ethereal on Windows with a pre-2.3 version of
+ WinPcap, you will need to un-install WinPcap and then download and
+ install WinPcap 2.3.
+
+ Q 5.7: I saved a filter and tried to use its name to filter the
+ display, but I got an "Unexpected end of filter string" error.
+
+ A: You cannot use the name of a saved display filter as a filter. To
+ filter the display, you can enter a display filter expression - not
+ the name of a saved display filter - in the "Filter:" box at the
+ bottom of the display, and type the key or press the "Apply" button
+ (that does not require you to have a saved filter), or, if you want to
+ use a saved filter, you can press the "Filter:" button, select the
+ filter in the dialog box that pops up, and press the "OK" button.
+
+ Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums?
+
+ A: If the packets that have incorrect TCP checksums are all being sent
+ by the machine on which Ethereal is running, this is probably because
+ the network interface on which you're capturing does TCP checksum
+ offloading. That means that the TCP checksum is added to the packet by
+ the network interface, not by the OS's TCP/IP stack; when capturing on
+ an interface, packets being sent by the host on which you're capturing
+ are directly handed to the capture interface by the OS, which means
+ that they are handed to the capture interface without a TCP checksum
+ being added to them.
+
+ The only way to prevent this from happening would be to disable TCP
+ checksum offloading, but
+ 1. that might not even be possible on some OSes;
+ 2. that could reduce networking performance significantly.
+
+ However, you can disable the check that Ethereal does of the TCP
+ checksum, so that it won't report any packets as having TCP checksum
+ errors, and so that it won't refuse to do TCP reassembly due to a
+ packet having an incorrect TCP checksum. That can be set as an
+ Ethereal preference by selecting "Preferences" from the "Edit" menu,
+ opening up the "Protocols" list in the left-hand pane of the
+ "Preferences" dialog box, selecting "TCP", from that list, turning off
+ the "Check the validity of the TCP checksum when possible" option,
+ clicking "Save" if you want to save that setting in your preference
+ file, and clicking "OK".
+
+ It can also be set on the Ethereal or Tethereal command line with a -o
+ tcp.check_checksum:false command-line flag, or manually set in your
+ preferences file by adding a tcp.check_checksum:false line.
+
+ Q 5.9: I've just installed Ethereal, and the traffic on my local LAN
+ is boring.
+
+ A: We have a collection of strange and exotic sample capture files at
+ http://www.ethereal.com/sample/
+
+ Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error
+ when I start it.
+
+ A: Some versions of the GTK+ library from www.sunfreeware.org appear
+ to be buggy, causing Ethereal to drop core with a Bus Error.
+ Un-install those packages, and try getting the 1.2.10 version from
+ that site, or the version from The Written Word, or the version from
+ Sun's GNOME distribution, or the version from the supplemental
+ software CD that comes with the Solaris media kit, or build it from
+ source from the GTK Web site. Update the GLib library to the 1.2.10
+ version, from the same source, as well. (If you get the 1.2.10
+ versions from www.sunfreeware.org, and the problem persists,
+ un-install them and try installing one of the other versions
+ mentioned.)
+
+ Similar problems may exist with older versions of GTK+ for earlier
+ versions of Solaris.
+
+ Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson
+ error, reporting an "Integer division by zero" exception, when I start
+ it.
+
+ A: In at least some case, this appears to be due to using the default
+ VGA driver; if that's not the correct driver for your video card, try
+ running the correct driver for your video card.
+
+ Q 5.12: When I try to run Ethereal, it complains about
+ sprint_realloc_objid being undefined.
+
+ A: Ethereal can only be linked with version 4.2.2 or later of UCD
+ SNMP. Your version of Ethereal was dynamically linked with such a
+ version of UCD SNMP; however, you have an older version of UCD SNMP
+ installed, which means that when Ethereal is run, it tries to link to
+ the older version, and fails. You will have to replace that version of
+ UCD SNMP with version 4.2.2 or a later version.
+
+ Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only
+ 100ms resolution, rather than 1us resolution?
+
+ A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
+ get them from the OS kernel, so Ethereal - and any other program using
+ libpcap, such as tcpdump - is at the mercy of the time stamping code
+ in the OS for time stamps.
+
+ At least on x86-based machines, Linux can get high-resolution time
+ stamps on newer processors with the Time Stamp Counter (TSC) register;
+ for example, Intel x86 processors, starting with the Pentium Pro, and
+ including all x86 processors since then, have had a TSC, and other
+ vendors probably added the TSC at some point to their families of x86
+ processors.
+
+ The Linux kernel must be configured with the CONFIG_X86_TSC option
+ enabled in order to use the TSC. Make sure this option is enabled in
+ your kernel.
+
+ In addition, some Linux distributions may have bugs in their versions
+ of the kernel that cause packets not to be given high-resolution time
+ stamps even if the TSC is enabled. See, for example, bug 61111 for Red
+ Hat Linux 7.2. If your distribution has a bug such as this, you may
+ have to run a standard kernel from kernel.org in order to get
+ high-resolution time stamps.
+
+ Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
+ why are the time stamps on packets wrong?
+
+ A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap
+ 3.0.
+
+ Q 5.15: When I try to run Ethereal on Windows, it fails to run because
+ it can't find packet.dll.
+
+ A: In older versions of Ethereal, there were two binary distributions
+ available for Windows, one that supported capturing packets, and one
+ that didn't. The version that supported capturing packets required
+ that you install the WinPcap driver; if you didn't install it, it
+ would fail to run because it couldn't find packet.dll.
+
+ The current version of Ethereal has only one binary distribution for
+ Windows; that version will check whether WinPcap is installed and, if
+ it's not, will disable support for packet capture.
+
+ The WinPcap driver and libraries can be downloaded from the WinPcap
+ Web site, the local mirror of the WinPcap Web site, or the
+ Wiretapped.net mirror of the WinPcap site.
+
+ Q 5.16: I'm running Ethereal on Windows; why does some network
+ interface on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
+ Windows XP, or Windows Server, and this is the first time you have run
+ a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,
+ or Analyzer, or...) since the machine was rebooted, you need to run
+ that program from an account with administrator privileges; once you
+ have run such a program, you will not need administrator privileges to
+ run any such programs until you reboot.
+
+ If you are running on Windows 95/98/Me, or if you are running on
+ Windows NT 4.0/2000/XP/Server and have administrator privileges or a
+ WinPcap-based program has been run with those privileges since the
+ machine rebooted, then note that Ethereal relies on the WinPcap
+ library, on the WinPcap device driver, and on the facilities that come
+ with the OS on which it's running in order to do captures.
+
+ Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
+ support capturing on a particular network interface device, Ethereal
+ won't be able to capture on that device.
+
+ Note that:
+ * 2.02 and earlier versions of the WinPcap driver and library that
+ Ethereal uses for packet capture didn't support Token Ring
+ interfaces; the current version, 2.3, does support Token Ring, and
+ the current version of Ethereal works with (and, in fact,
+ requires) WinPcap 2.1 or later.
+ If you are having problems capturing on Token Ring interfaces, and
+ you have WinPcap 2.02 or an earlier version of WinPcap installed,
+ you should uninstall WinPcap, download and install the current
+ version of WinPcap, and then install the latest version of
+ Ethereal.
+ * On Windows 95, 98, or Me, sometimes more than one interface will
+ be given the same name; if that is the case, you will only be able
+ to capture on one of those interfaces - it's not clear to which
+ one the name, when used in a WinPcap-based application, will
+ refer. For example, if you have a PPP serial interface and a VPN
+ interface, they might show up with the same name, for example
+ "ppp-mac", and if you try to capture on "ppp-mac", it might not
+ capture on the interface you're currently using. In that case, you
+ might, for example, have to remove the VPN interface from the
+ system in order to capture on the PPP serial interface.
+ * WinPcap doesn't support PPP WAN interfaces on Windows
+ NT/2000/XP/Server, so Ethereal cannot capture packets on those
+ devices when running on Windows NT/2000/XP/Server. Regular dial-up
+ lines, ISDN lines, and various other lines such as T1/E1 lines are
+ all PPP interfaces. This may cause the interface not to show up on
+ the list of interfaces in the "Capture Options" dialog.
+ * WinPcap prior to 3.0 does not support multiprocessor machines
+ (note that machines with a single multi-threaded processor, such
+ as Intel's new multi-threaded x86 processors, are multiprocessor
+ machines as far as the OS and WinPcap are concerned), and recent
+ 2.x versions of WinPcap refuse to operate if they detect that
+ they're running on a multiprocessor machine, which means that they
+ may not show any network interfaces. You will need to use WinPcap
+ 3.0 to capture on a multiprocessor machine.
+
+ If an interface doesn't show up in the list of interfaces in the
+ "Interface:" field, and you know the name of the interface, try
+ entering that name in the "Interface:" field and capturing on that
+ device.
+
+ If the attempt to capture on it succeeds, the interface is somehow not
+ being reported by the mechanism Ethereal uses to get a list of
+ interfaces; please report this to ethereal-dev@ethereal.com giving
+ full details of the problem, including
+ * the operating system you're using, and the version of that
+ operating system;
+ * the type of network device you're using.
+
+ If you are having trouble capturing on a particular network interface,
+ and you've made sure that (on platforms that require it) you've
+ arranged that packet capture support is present, as per the above,
+ first try capturing on that device with WinDump; see the WinDump Web
+ site or the local mirror of the WinDump Web site for information on
+ using WinDump.
+
+ If you can capture on the interface with WinDump, send mail to
+ ethereal-users@ethereal.com giving full details of the problem,
+ including
+ * the operating system you're using, and the version of that
+ operating system;
+ * the type of network device you're using;
+ * the error message you get from Ethereal.
+
+ If you cannot capture on the interface with WinDump, this is almost
+ certainly a problem with one or more of:
+ * the operating system you're using;
+ * the device driver for the interface you're using;
+ * the WinPcap library and/or the WinPcap device driver;
+
+ so first check the WinPcap FAQ, the local mirror of that FAQ, or the
+ Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
+ there. If not, then see the WinPcap support page (or the local mirror
+ of that page) - check the "Submitting bugs" section.
+
+ You may also want to ask the ethereal-users@ethereal.com and the
+ winpcap-users@winpcap.polito.it mailing lists to see if anybody
+ happens to know about the problem and know a workaround or fix for the
+ problem. (Note that you will have to subscribe to that list in order
+ to be allowed to mail to it; see the WinPcap support page, or the
+ local mirror of that page, for information on the mailing list.) In
+ your mail, please give full details of the problem, as described
+ above, and also indicate that the problem occurs with WinDump, not
+ just with Ethereal.
+
+ Q 5.17: I'm running on a UNIX-flavored OS; why does some network
+ interface on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ A: You may need to run Ethereal from an account with sufficient
+ privileges to capture packets, such as the super-user account. Only
+ those interfaces that Ethereal can open for capturing show up in that
+ list; if you don't have sufficient privileges to capture on any
+ interfaces, no interfaces will show up in the list.
+
+ If you are running Ethereal from an account with sufficient
+ privileges, then note that Ethereal relies on the libpcap library, and
+ on the facilities that come with the OS on which it's running in order
+ to do captures.
+
+ Therefore, if the OS or the libpcap library don't support capturing on
+ a particular network interface device, Ethereal won't be able to
+ capture on that device.
+
+ On Linux, note that you need to have "packet socket" support enabled
+ in your kernel; see the "Packet socket" item in the Linux
+ "Configure.help" file.
+
+ On BSD, note that you need to have BPF support enabled in your kernel;
+ see the documentation for your system for information on how to enable
+ BPF support (if it's not enabled by default on your system).
+
+ On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
+ packet filtering support in your kernel; the doconfig command will
+ allow you to configure and build a new kernel with that option.
+
+ On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
+ Ring interfaces; the current version, 0.7.2, does support Token Ring,
+ and the current version of Ethereal works with libcap 0.7.2 and later.
+
+ If an interface doesn't show up in the list of interfaces in the
+ "Interface:" field, and you know the name of the interface, try
+ entering that name in the "Interface:" field and capturing on that
+ device.
+
+ If the attempt to capture on it succeeds, the interface is somehow not
+ being reported by the mechanism Ethereal uses to get a list of
+ interfaces; please report this to ethereal-dev@ethereal.com giving
+ full details of the problem, including
+ * the operating system you're using, and the version of that
+ operating system (for Linux, give both the version number of the
+ kernel and the name and version number of the distribution you're
+ using);
+ * the type of network device you're using.
+
+ If you are having trouble capturing on a particular network interface,
+ and you've made sure that (on platforms that require it) you've
+ arranged that packet capture support is present, as per the above,
+ first try capturing on that device with tcpdump.
+
+ If you can capture on the interface with tcpdump, send mail to
+ ethereal-users@ethereal.com giving full details of the problem,
+ including
+ * the operating system you're using, and the version of that
+ operating system (for Linux, give both the version number of the
+ kernel and the name and version number of the distribution you're
+ using);
+ * the type of network device you're using;
+ * the error message you get from Ethereal.
+
+ If you cannot capture on the interface with tcpdump, this is almost
+ certainly a problem with one or more of:
+ * the operating system you're using;
+ * the device driver for the interface you're using;
+ * the libpcap library;
+
+ so you should report the problem to the company or organization that
+ produces the OS (in the case of a Linux distribution, report the
+ problem to whoever produces the distribution).
+
+ You may also want to ask the ethereal-users@ethereal.com and the
+ tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
+ know about the problem and know a workaround or fix for the problem.
+ In your mail, please give full details of the problem, as described
+ above, and also indicate that the problem occurs with tcpdump not just
+ with Ethereal.
+
+ Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
+ has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
+ "Interface" item in the "Capture Options" dialog box. Why can no
+ packets be sent on or received from that network while I'm trying to
+ capture traffic on that interface?
+
+ A: WinPcap doesn't support PPP WAN interfaces on Windows
+ NT/2000/XP/Server; one symptom that may be seen is that attempts to
+ capture in promiscuous mode on the interface cause the interface to be
+ incapable of sending or receiving packets. You can disable promiscuous
+ mode using the -p command-line flag or the item in the "Capture
+ Preferences" dialog box, but this may mean that outgoing packets, or
+ incoming packets, won't be seen in the capture.
+
+ Q 5.19: I'm running Ethereal on Windows 95/98/Me, on a machine with
+ more than one network adapter of the same type; Ethereal shows all of
+ those adapters with the same name, but I can't use any of those
+ adapters other than the first one.
+
+ A: Unfortunately, Windows 95/98/Me gives the same name to multiple
+ instances of the type of same network adapter. Therefore, WinPcap
+ cannot distinguish between them, so a WinPcap-based application can
+ capture only on the first such interface; Ethereal is a
+ libpcap/WinPcap-based application.
+
+ Q 5.20: I'm running Ethereal on Windows, and I'm not seeing any
+ traffic being sent by the machine running Ethereal.
+
+ A: If you are running some form of VPN client software, it might be
+ causing this problem; people have seen this problem when they have
+ Check Point's VPN software installed on their machine. If that's the
+ cause of the problem, you will have to remove the VPN software in
+ order to have Ethereal (or any other application using WinPcap) see
+ outgoing packets; unfortunately, neither we nor the WinPcap developers
+ know any way to make WinPcap and the VPN software work well together.
+
+ Also, some drivers for Windows (especially some wireless network
+ interface drivers) apparently do not, when running in promiscuous
+ mode, arrange that outgoing packets are delivered to the software that
+ requested that the interface run promiscuously; try turning
+ promiscuous mode off.
+
+ Q 5.21: I'm trying to capture traffic but I'm not seeing any.
+
+ A: Is the machine running Ethereal sending out any traffic on the
+ network interface on which you're capturing, or receiving any traffic
+ on that network, or is there any broadcast traffic on the network or
+ multicast traffic to a multicast group to which the machine running
+ Ethereal belongs?
+
+ If not, this may just be a problem with promiscuous sniffing, either
+ due to running on a switched network or a dual-speed hub, or due to
+ problems with the interface not supporting promiscuous mode; see the
+ response to this earlier question.
+
+ Otherwise, on Windows, see the response to this question and, on a
+ UNIX-flavored OS, see the response to this question.
+
+ Q 5.22: I have an XXX network card on my machine; if I try to capture
+ on it, my machine crashes or resets itself.
+
+ A: This is almost certainly a problem with one or more of:
+ * the operating system you're using;
+ * the device driver for the interface you're using;
+ * the libpcap/WinPcap library and, if this is Windows, the WinPcap
+ device driver;
+
+ so:
+ * if you are using Windows, see the WinPcap support page (or the
+ local mirror of that page) - check the "Submitting bugs" section;
+ * if you are using some Linux distribution, some version of BSD, or
+ some other UNIX-flavored OS, you should report the problem to the
+ company or organization that produces the OS (in the case of a
+ Linux distribution, report the problem to whoever produces the
+ distribution).
+
+ Q 5.23: My machine crashes or resets itself when I select "Start" from
+ the "Capture" menu or select "Preferences" from the "Edit" menu.
+
+ A: Both of those operations cause Ethereal to try to build a list of
+ the interfaces that it can open; it does so by getting a list of
+ interfaces and trying to open them. There is probably an OS, driver,
+ or, for Windows, WinPcap bug that causes the system to crash when this
+ happens; see the previous question.
+
+ Q 5.24: Does Ethereal work on Windows ME?
+
+ A: Yes, but if you want to capture packets, you will need to install
+ the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
+ didn't support Windows ME. You should also install the latest version
+ of Ethereal as well.
+
+ Q 5.25: Does Ethereal work on Windows XP?
+
+ A: Yes, but if you want to capture packets, you will need to install
+ the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
+ didn't support Windows XP.
+
+ Q 5.26: Why doesn't Ethereal correctly identify RTP packets? It shows
+ them only as UDP.
+
+ A: Ethereal can identify a UDP datagram as containing a packet of a
+ particular protocol running atop UDP only if
+ 1. The protocol in question has a particular standard port number,
+ and the UDP source or destination port number is that port
+ 2. Packets of that protocol can be identified by looking for a
+ "signature" of some type in the packet - i.e., some data that, if
+ Ethereal finds it in some particular part of a packet, means that
+ the packet is almost certainly a packet of that type.
+ 3. Some other traffic earlier in the capture indicated that, for
+ example, UDP traffic between two particular addresses and ports
+ will be RTP traffic.
+
+ RTP doesn't have a standard port number, so 1) doesn't work; it
+ doesn't, as far as I know, have any "signature", so 2) doesn't work.
+
+ That leaves 3). If there's RTSP traffic that sets up an RTP session,
+ then, at least in some cases, the RTSP dissector will set things up so
+ that subsequent RTP traffic will be identified. Currently, that's the
+ only place we do that; there may be other places.
+
+ However, there will always be places where Ethereal is simply
+ incapable of deducing that a given UDP flow is RTP; a mechanism would
+ be needed to allow the user to specify that a given conversation
+ should be treated as RTP. As of Ethereal 0.8.16, such a mechanism
+ exists; if you select a UDP or TCP packet, the right mouse button menu
+ will have a "Decode As..." menu item, which will pop up a dialog box
+ letting you specify that the source port, the destination port, or
+ both the source and destination ports of the packet should be
+ dissected as some particular protocol.
+
+ Q 5.27: Why doesn't Ethereal show Yahoo Messenger packets in captures
+ that contain Yahoo Messenger traffic?
+
+ A: Ethereal only recognizes as Yahoo Messenger traffic packets to or
+ from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
+ segments that start with the middle of a Yahoo Messenger packet that
+ takes more than one TCP segment will not be recognized as Yahoo
+ Messenger packets (even if the TCP segment also contains the beginning
+ of another Yahoo Messenger packet).
+
+ Q 5.28: Why do I get the error
+
+ Gdk-ERROR **: Palettized display (256-colour) mode not supported on
+ Windows.
+ aborting....
+
+ when I try to run Ethereal on Windows?
+
+ A: Ethereal is built using the GTK+ toolkit, which supports most
+ UNIX-flavored OSes, and also supports Windows.
+
+ Windows versions of Ethereal before 0.9.14 were built with an older
+ version of that toolkit, which didn't support 256-color mode on
+ Windows - it required HiColor (16-bit colors) or more.
+
+ Windows versions of Ethereal 0.9.14 and later are built with a version
+ of that toolkit that supports 256-color mode; upgrade to the current
+ version of Ethereal if you want to run on a display in 256-color mode.
+
+ Q 5.29: When I capture on Windows in promiscuous mode, I can see
+ packets other than those sent to or from my machine; however, those
+ packets show up with a "Short Frame" indication, unlike packets to or
+ from my machine. What should I do to arrange that I see those packets
+ in their entirety?
+
+ A: In at least some cases, this appears to be the result of PGPnet
+ running on the network interface on which you're capturing; turn it
+ off on that interface.
+
+ Q 5.30: How can I capture raw 802.11 packets, including non-data
+ (management, beacon) packets?
+
+ A: That would require that your 802.11 interface run in the mode
+ called "monitor mode" or "RFMON mode". Not all operating systems
+ support that and, even on operating systems that do support it, not
+ all drivers, and thus not all cards, support it.
+
+ Cisco Aironet cards:
+
+ The only platforms that allow Ethereal to capture raw 802.11 packets
+ on Cisco Aironet cards are:
+ * Linux, with a 2.4.6 or later kernel;
+ * FreeBSD 4.6 or later, as the driver in FreeBSD 4.5 has bugs that
+ cause packets not to be captured correctly, and the driver in
+ releases prior to 4.5 didn't support capturing raw packets.
+
+ On FreeBSD, the ancontrol utility must be used; do not enable the full
+ Aironet header via BPF, as Ethereal doesn't currently support that.
+
+ On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will
+ need to do
+
+echo "Mode: rfmon" >/proc/driver/aironet/ethN/Config
+
+ if your Aironet card is ethN. To capture traffic from any BSS, do
+
+echo "Mode: y" >/proc/driver/aironet/ethN/Config
+
+ and to return to the normal mode, do
+
+echo "Mode: ess" >/proc/driver/aironet/ethN/Config
+
+ On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers
+ from the airo-linux SourceForge site, you will have to capture on the
+ wifiN interface if your Aironet card is ethN, after running the
+ commands listed above.
+
+ In all of those cases, Ethereal would have to be linked with libpcap
+ 0.7.1 or later; this means that most Ethereal binary packages won't
+ work unless they're statically linked with libpcap 0.7.1 or later, or
+ they're dynamically linked with libpcap and your system has a libpcap
+ 0.7.1 or later shared library installed (note that libpcap source
+ package from tcpdump.org does not build shared libraries). Some binary
+ packaging mechanisms might make it difficult to install Ethereal
+ binary packages built to depend on older libpcap binary packages if
+ you have a newer libpcap binary package installed; the installer
+ programs for those packaging mechanisms might support disabling
+ dependency checking so that they will install Ethereal even though a
+ newer version of libpcap is installed.
+
+ Cards using the Prism II chip set (see this page of Linux 802.11
+ information for details on wireless cards, including information on
+ the chips they use):
+
+ You can capture raw 802.11 packets with Prism II cards on Linux
+ systems with the 0.1.14-pre6 or later version of the linux-wlan-ng
+ drivers (see the linux-wlan page, and the linux-wlan-ng tarball
+ directory).
+
+ Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his
+ libpcap-0.7.1-prism.diff file, or his RPMs of that version of
+ libpcap), or the current CVS version of libpcap, which includes his
+ patch (download it from the "Current Tar files" section of the
+ tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and
+ rebuild and install libpcap, or if you build and install the current
+ CVS version of libpcap, you would have to rebuild Ethereal from
+ source, linking it with that new version of libpcap; an Ethereal
+ binary package would not work. Ethereal binary packages might work if
+ you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
+ a libpcap shared library in place of the one on your system.
+
+ You may have to run a command to put the interface into monitor mode,
+ or to change other interface settings, and you might have to capture
+ on a wlanN interface rather than a ethN interface, in order to capture
+ raw 802.11 packets. The interface settings are available in your
+ wlan-ng.conf file. See the wlan-ng FAQ for additional information.
+
+ On other platforms, capturing raw 802.11 packets on Prism II cards is
+ not currently supported.
+
+ Orinoco Silver and Gold cards:
+
+ On Linux systems, there are patches on the Orinoco Monitor Mode Patch
+ Page that should allow you to do capture raw 802.11 packets. You will
+ have to determine which version of the driver you have, and select the
+ appropriate patch.
+
+ Note that the page indicates that not all versions of the Orinoco
+ firmware support this patch. It says, for some versions of the patch,
+ "This patch should allow monitor mode with v8.10 firmware (untested w/
+ 8.42);" if you have version 8.10 or later firmware on your Orinoco
+ cards, you might have to use those patches, with the corresponding
+ versions of the Orinoco driver, in order to run in monitor mode.
+
+ That patch is written for the drivers included with the pcmcia-cs
+ drivers, but works equally well for the Orinoco drivers provided with
+ Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,
+ simply copy the orinoco-09b-patch.diff file to the
+ /usr/src/linux/drivers/net directory and patch according to the
+ directions on the Orinoco Monitor Mode Patch Page. You can double-
+ check the version of the Orinoco drivers that shipped with your kernel
+ by examining the first few lines of the orinoco.c file.
+
+ Te Orinoco patches require either Solomon Peachy's patch to libpcap
+ 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that
+ version of libpcap), or the current CVS version of libpcap, which
+ includes his patch (download it from the "Current Tar files" section
+ of the tcpdump.org Web site). If you apply his patches to libpcap
+ 0.7.1 and rebuild and install libpcap, or if you build and install the
+ current CVS version of libpcap, you would have to rebuild Ethereal
+ from source, linking it with that new version of libpcap; an Ethereal
+ binary package would not work. Ethereal binary packages might work if
+ you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
+ a libpcap shared library in place of the one on your system.
+
+ On other platforms, capturing raw 802.11 packets on Orinoco cards is
+ not currently supported.
+
+ Other 802.11 interfaces:
+
+ With other 802.11 interfaces, no platform allows Ethereal to capture
+ raw 802.11 packets, as far as we know. If you know of other 802.11
+ interfaces that are supported (note that there are many "Prism II
+ cards", so your card might be a Prism II card), please let us know,
+ and include URLs for sites containing any necessary patches to add
+ this support.
+
+ On platforms that don't allow Ethereal to capture raw 802.11 packets,
+ the 802.11 network will appear like an Ethernet to Ethereal.
+
+ Q 5.31: How can I capture packets with CRC errors?
+
+ A: Ethereal can capture only the packets that the packet capture
+ library - libpcap on UNIX-flavored OSes, and the WinPcap port to
+ Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
+ capture only the packets that the OS's raw packet capture mechanism
+ (or the WinPcap driver, and the underlying OS networking code and
+ network interface drivers, on Windows) will allow it to capture.
+
+ Unless the OS can be configured to supply packets with errors such as
+ invalid CRCs to the raw packet capture mechanism, Ethereal - and other
+ programs that capture raw packets, such as tcpdump - cannot capture
+ those packets. You will have to determine whether your OS can be so
+ configured, configure it if possible, and make whatever changes to
+ libpcap and the packet capture program you're using are necessary to
+ support capturing those packets.
+
+ Q 5.32: How can I capture entire frames, including the FCS?
+
+ A: Ethereal can't capture any data that the packet capture library -
+ libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
+ libpcap on Windows - can capture, and libpcap/WinPcap can capture only
+ the data that the OS's raw packet capture mechanism (or the WinPcap
+ driver, and the underlying OS networking code and network interface
+ drivers, on Windows) will allow it to capture.
+
+ For any particular link-layer network type, unless the OS supplies the
+ FCS of a frame as part of the frame, or can be configured to supply
+ the FCS of a frame as part of the frame, Ethereal - and other programs
+ that capture raw packets, such as tcpdump - cannot capture the FCS of
+ a frame. You will have to determine whether your OS can be so
+ configured, configure it if possible, and make whatever changes to
+ libpcap and the packet capture program you're using are necessary to
+ support capturing the FCS of a frame. Most if not all OSes probably do
+ not support capturing the FCS of a frame on Ethernet, and probably do
+ not support it on most other link-layer types.
+
+ Q 5.33: Ethereal hangs after I stop a capture.
+
+ A: The most likely reason for this is that Ethereal is trying to look
+ up an IP address in the capture to convert it to a name (so that, for
+ example, it can display the name in the source address or destination
+ address columns), and that lookup process is taking a very long time.
+
+ Ethereal calls a routine in the OS of the machine on which it's
+ running to convert of IP addresses to the corresponding names. That
+ routine probably does one or more of:
+ * a search of a system file listing IP addresses and names;
+ * a lookup using DNS;
+ * on UNIX systems, a lookup using NIS;
+ * on Windows systems, a NetBIOS-over-TCP query.
+
+ If a DNS server that's used in an address lookup is not responding,
+ the lookup will fail, but will only fail after a timeout while the
+ system routine waits for a reply.
+
+ In addition, on Windows systems, if the DNS lookup of the address
+ fails, either because the server isn't responding or because there are
+ no records in the DNS that could be used to map the address to a name,
+ a NetBIOS-over-TCP query will be made. That query involves sending a
+ message to the NetBIOS-over-TCP name service on that machine, asking
+ for the name and other information about the machine. If the machine
+ isn't running software that responds to those queries - for example,
+ many non-Windows machines wouldn't be running that software - the
+ lookup will only fail after a timeout. Those timeouts can cause the
+ lookup to take a long time.
+
+ If you disable network address-to-name translation - for example, by
+ turning off the "Enable network name resolution" option in the "Name
+ resolution" options in the dialog box you get by selecting
+ "Preferences" from the "Edit" menu - the lookups of the address won't
+ be done, which may speed up the process of reading the capture file
+ after the capture is stopped. You can make that setting the default by
+ using the "Save" button in that dialog box; note that this will save
+ all your current preference settings.
+
+ If Ethereal hangs when reading a capture even with network name
+ resolution turned off, there might, for example, be a bug in one of
+ Ethereal's dissectors for a protocol causing it to loop infinitely.
+ The bug should be reported to the Ethereal developers' mailing list at
+ ethereal-dev@ethereal.com.
+
+ On UNIX-flavored OSes, please try to force Ethereal to dump core, by
+ sending it a SIGABRT signal (usually signal 6) with the kill command,
+ and then get a stack trace if you have a debugger installed. A stack
+ trace can be obtained by using your debugger (gdb in this example),
+ the Ethereal binary, and the resulting core file. Here's an example of
+ how to use the gdb command backtrace to do so.
+ $ gdb ethereal core
+ (gdb) backtrace
+ ..... prints the stack trace
+ (gdb) quit
+ $
+
+ The core dump file may be named "ethereal.core" rather than "core" on
+ some platforms (e.g., BSD systems)
+
+ Also, if at all possible, please send a copy of the capture file that
+ caused the problem; when capturing packets, Ethereal normally writes
+ captured packets to a temporary file, which will probably be in /tmp
+ or /var/tmp on UNIX-flavored OSes and \TEMP on Windows, so the capture
+ file will probably be there. It will have a name beginning with ether,
+ with some mixture of letters and numbers after that. Please don't send
+ a trace file greater than 1 MB when compressed. If the trace file
+ contains sensitive information (e.g., passwords), then please do not
+ send it.
+
+ Q 5.34: How can I search for, or filter, packets that have a
+ particular string anywhere in them?
+
+ A: If you want to do this when capturing, you can't. That's a feature
+ that would be hard to implement in capture filters without changes to
+ the capture filter code, which, on many platforms, is in the OS kernel
+ and, on other platforms, is in the libpcap library.
+
+ In releases prior to 0.9.14, you also can't search for, or filter,
+ packets containing a particular string even after you've captured
+ them.
+
+ In 0.9.14, you can search for, but not filter, packets that have a
+ particular string; this has been added to the "Find Frame" dialog
+ ("Find Frame" under the "Edit" menu, or control-F).
+
+
+ Support can be found on the ethereal-users[AT]ethereal.com mailing
+ list.
+ For corrections/additions/suggestions for this page, please send email
+ to: ethereal-web[AT]ethereal.com
+ Last modified: Tue, August 19 2003.
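Review bot: The first sentence of the answer to Q 5.32 contradicts itself: "Ethereal can't capture any data that the packet capture library ... can capture" says the opposite of what is meant, and it does not match the parallel sentence in Q 5.31. Suggest "Ethereal can capture only the data that the packet capture library - libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on Windows - can capture", so the two answers read the same way. Two smaller points in the same region: the Orinoco section opens with "Te Orinoco patches" (should be "The"), and the paragraph about Solomon Peachy's libpcap 0.7.1 patch and the libpcap-0.7.1-1prism.i386.rpm RPM is repeated verbatim under both the Prism II and the Orinoco headings; stating it once and referring back from the Orinoco section would keep the two copies from drifting apart when the libpcap details change.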