4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.ethereal.com/faq.html for the up
6 to date version. The version of this snapshot can be found at
7 the end of this document.
14 1.1 Where can I get help?
16 1.2 How much does Ethereal cost?
18 1.3 Can I use Ethereal commercially?
20 1.4 Can I use Ethereal as part of my commercial product?
22 1.5 What protocols are currently supported?
24 1.6 Are there any plans to support {your favorite protocol}?
26 1.7 Can Ethereal read capture files from {your favorite network
29 1.8 What devices can Ethereal use to capture packets?
31 1.9 How do you pronounce Ethereal? Where did the name come from?
35 2.1 I downloaded the Win32 installer, but when I try to run it, I get
38 2.2 When I try to download the WinPcap driver and library, I can't get
39 to the WinPcap Web site.
43 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be
44 installed; only Tethereal is installed.
48 4.1 The configure script can't find pcap.h or bpf.h, but I have
51 4.2 Why do I get the error
53 dftest_DEPENDENCIES was already defined in condition TRUE, which
54 implies condition HAVE_PLUGINS_TRUE
56 when I try to build Ethereal from SVN or a SVN snapshot?
58 4.3 The link fails with a number of "Output line too long." messages
59 followed by linker errors.
61 4.4 The link fails on Solaris because plugin_list is undefined.
63 4.5 The build fails on Windows because of conflicts between winsock.h
68 5.1 When I use Ethereal to capture packets, I see only packets to and
69 from my machine, or I'm not seeing all the traffic I'm expecting to
70 see from or to the machine I'm trying to monitor.
72 5.2 I can't see any TCP packets other than packets to and from my
73 machine, even though another analyzer on the network sees those
76 5.3 I'm only seeing ARP packets when I try to capture traffic.
78 5.4 I'm running Ethereal on Windows; why does some network interface
79 on my machine not show up in the list of interfaces in the
80 "Interface:" field in the dialog box popped up by "Capture->Start",
81 and/or why does Ethereal give me an error if I try to capture on that
84 5.5 I'm running Ethereal on Windows; why do no network interfaces show
85 up in the list of interfaces in the "Interface:" field in the dialog
86 box popped up by "Capture->Start"?
88 5.6 I'm running Ethereal on Windows; why doesn't my serial port/ADSL
89 modem/ISDN modem show up in the list of interfaces in the "Interface:"
90 field in the dialog box popped up by "Capture->Start"?
92 5.7 I'm running Ethereal on a UNIX-flavored OS; why does some network
93 interface on my machine not show up in the list of interfaces in the
94 "Interface:" field in the dialog box popped up by "Capture->Start",
95 and/or why does Ethereal give me an error if I try to capture on that
98 5.8 I'm running Ethereal on a UNIX-flavored OS; why do no network
99 interfaces show up in the list of interfaces in the "Interface:" field
100 in the dialog box popped up by "Capture->Start"?
102 5.9 Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
104 5.10 How do I put an interface into promiscuous mode?
106 5.11 I can set a display filter just fine, but capture filters don't
109 5.12 I'm entering valid capture filters, but I still get "parse error"
112 5.13 I saved a filter and tried to use its name to filter the display,
113 but I got an "Unexpected end of filter string" error.
115 5.14 Why am I seeing lots of packets with incorrect TCP checksums?
117 5.15 I've just installed Ethereal, and the traffic on my local LAN is
120 5.16 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
123 5.17 When I run Ethereal, I get an error
125 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
126 assertion `height > 0' failed.
128 5.18 When I run Tethereal with the "-x" option, it crashes with an
131 "** ERROR **: file print.c: line 691 (print_line): should not be
134 5.19 When I run Ethereal on Windows NT, it dies with a Dr. Watson
135 error, reporting an "Integer division by zero" exception, when I start
138 5.20 When I try to run Ethereal, it complains about
139 sprint_realloc_objid being undefined.
141 5.21 I'm running Ethereal on Linux; why do my time stamps have only
142 100ms resolution, rather than 1us resolution?
144 5.22 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
145 why are the time stamps on packets wrong?
147 5.23 When I try to run Ethereal on Windows, it fails to run because it
148 can't find packet.dll.
150 5.24 I'm running Ethereal on Windows NT 4.0/Windows 2000/Windows
151 XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
152 etc.) interface, and it shows up in the "Interface" item in the
153 "Capture Options" dialog box. Why can no packets be sent on or
154 received from that network while I'm trying to capture traffic on that
157 5.25 I'm running Ethereal on Windows 95/98/Me, on a machine with more
158 than one network adapter of the same type; Ethereal shows all of those
159 adapters with the same name, but I can't use any of those adapters
160 other than the first one.
162 5.26 I'm running Ethereal on Windows, and I'm not seeing any traffic
163 being sent by the machine running Ethereal.
165 5.27 I'm trying to capture traffic but I'm not seeing any.
167 5.28 I have an XXX network card on my machine; if I try to capture on
168 it, my machine crashes or resets itself.
170 5.29 My machine crashes or resets itself when I select "Start" from
171 the "Capture" menu or select "Preferences" from the "Edit" menu.
173 5.30 Does Ethereal work on Windows Me?
175 5.31 Does Ethereal work on Windows XP?
177 5.32 Why doesn't Ethereal correctly identify RTP packets? It shows
180 5.33 Why doesn't Ethereal show Yahoo Messenger packets in captures
181 that contain Yahoo Messenger traffic?
183 5.34 Why do I get the error
185 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
189 when I try to run Ethereal on Windows?
191 5.35 When I capture on Windows in promiscuous mode, I can see packets
192 other than those sent to or from my machine; however, those packets
193 show up with a "Short Frame" indication, unlike packets to or from my
194 machine. What should I do to arrange that I see those packets in their
197 5.36 I'm capturing packets on a machine on a VLAN; why don't the
198 packets I'm capturing have VLAN tags?
200 5.37 How can I capture raw 802.11 packets, including non-data
201 (management, beacon) packets?
203 5.38 How do I capture on an 802.11 device in monitor mode on Linux?
205 5.39 How do I capture on an 802.11 device in monitor mode on FreeBSD?
207 5.40 How do I capture on an 802.11 device in monitor mode on NetBSD?
209 5.41 I'm trying to capture 802.11 traffic on Windows; why am I not
212 5.42 I'm trying to capture 802.11 traffic on Windows; why am I seeing
213 packets received by the machine on which I'm capturing traffic, but
214 not packets sent by that machine?
216 5.43 How can I capture packets with CRC errors?
218 5.44 How can I capture entire frames, including the FCS?
220 5.45 Why does Ethereal hang after I stop a capture?
222 5.46 How can I search for, or filter, packets that have a particular
223 string anywhere in them?
225 5.47 How do I filter a capture to see traffic for virus XXX?
229 Q 1.1: Where can I get help?
231 A: Support is available on the ethereal-users mailing list.
232 Subscription information and archives for all of Ethereal's mailing
233 lists can be found at http://www.ethereal.com/lists
235 Q 1.2: How much does Ethereal cost?
237 A: Ethereal is "free software"; you can download it without paying any
238 license fee. The version of Ethereal you download isn't a "demo"
239 version, with limitations not present in a "full" version; it is the
242 The license under which Ethereal is issued is the GNU General Public
243 License. See the GNU GPL FAQ for some more information.
245 Q 1.3: Can I use Ethereal commercially?
247 A: Yes, if, for example, you mean "I work for a commercial
248 organization; can I use Ethereal to capture and analyze network
249 traffic in our company's networks or in our customer's networks?"
251 If you mean "Can I use Ethereal as part of my commercial product?",
252 see the next entry in the FAQ.
254 Q 1.4: Can I use Ethereal as part of my commercial product?
256 A: As noted, Ethereal is licensed under the GNU General Public
257 License. The GPL imposes conditions on your use of GPL'ed code in your
258 own products; you cannot, for example, make a "derived work" from
259 Ethereal, by making modifications to it, and then sell the resulting
260 derived work and not allow recipients to give away the resulting work.
261 You must also make the changes you've made to the Ethereal source
262 available to all recipients of your modified version; those changes
263 must also be licensed under the terms of the GPL. See the GPL FAQ for
264 more details; in particular, note the answer to the question about
265 modifying a GPLed program and selling it commercially, and the
266 question about linking GPLed code with other code to make a
269 You can combine a GPLed program such as Ethereal and a commercial
270 program as long as they communicate "at arm's length", as per this
273 Q 1.5: What protocols are currently supported?
275 A: There are currently 658 supported protocols and media, listed
276 below. Descriptions can be found in the ethereal(1) man page.
280 802.1x Authentication
281 AAL type 2 signalling protocol - Capability set 1 (Q.2630.1)
283 AFS (4.0) Replication Server call declarations
286 AIM Buddylist Service
293 AIM Invitation Service
298 AIM Privacy Management Service
300 AIM Server Side Themes
307 ANSI IS-637-A (SMS) Teleservice Layer
308 ANSI IS-637-A (SMS) Transport Layer
309 ANSI IS-683-A (OTA (Mobile))
310 ANSI IS-801 (Location Services (PLD))
311 ANSI Mobile Application Part
312 AOL Instant Messenger
321 AVS WLAN Capture header
323 Ad hoc On-demand Distance Vector Routing Protocol
325 Address Resolution Protocol
326 Aggregate Server Access Protocol
328 Alteon - Transparent Proxy Cache Protocol
329 Andrew File System (AFS)
330 Apache JServ Protocol v1.3
331 Apple IP-over-IEEE 1394
332 AppleTalk Filing Protocol
333 AppleTalk Session Protocol
334 AppleTalk Transaction Protocol packet
335 Appletalk Address Resolution Protocol
336 Application Configuration Access Protocol
338 Async data over ISDN (V.120)
339 Asynchronous Layered Coding
340 Authentication Header
341 BACnet Virtual Link Control
346 Banyan Vines Fragmentation Protocol
353 Base Station Subsystem GPRS Protocol
354 Basic Encoding Rules (ASN.1 X.690)
355 Bearer Independent Call Control
356 Bi-directional Fault Detection Control Message
358 Blocks Extensible Exchange Protocol
359 Blubster/Piolet MANOLITO Protocol
363 Border Gateway Protocol
364 Building Automation and Control Network APDU
365 Building Automation and Control Network NPDU
368 CDS Clerk Server Calls
369 Cast Client Control Protocol
370 Certificate Management Protocol
371 Certificate Request Message Format
372 Check Point High Availability Protocol
375 Cisco Discovery Protocol
376 Cisco Group Management Protocol
378 Cisco Hot Standby Router Protocol
380 Cisco Interior Gateway Routing Protocol
383 Cisco Session Management
385 CoSine IPNOS L2 debug output
386 Common Industrial Protocol
387 Common Open Policy Service
388 Common Unix Printing System (CUPS) Browsing Protocol
390 Configuration Test Protocol (loopback)
391 Connectionless Lightweight Directory Access Protocol
392 Coseventcomm Dissector Using GIOP API
393 Cosnaming Dissector Using GIOP API
394 Cross Point Frame Injector
395 Cryptographic Message Syntax
396 DCE Distributed Time Service Local Server
397 DCE Distributed Time Service Provider
400 DCE Security ID Mapper
404 DCE/RPC CDS Solicitation
405 DCE/RPC Conversation Manager
406 DCE/RPC Directory Acl Interface
407 DCE/RPC Endpoint Mapper
408 DCE/RPC Endpoint Mapper v4
410 DCE/RPC FLDB UBIK TRANSFER
411 DCE/RPC FLDB UBIKVOTE
414 DCE/RPC NCS 1.5.1 Local Location Broker
415 DCE/RPC Operations between registry server replicas
422 DCE/RPC Registry Password Management
423 DCE/RPC Registry Server Attributes Schema
424 DCE/RPC Registry server propagation interface - ACLs.
425 DCE/RPC Registry server propagation interface - PGO items
426 DCE/RPC Registry server propagation interface - properties and poli
428 DCE/RPC Remote Management
429 DCE/RPC Repserver Calls
430 DCE/RPC TokenServer Calls
434 DCOM IRemoteActivation
436 DEC Spanning Tree Protocol
442 DNS Control Program Server
444 DOCSIS Appendix C TLV's
445 DOCSIS Baseline Privacy Key Management Attributes
446 DOCSIS Baseline Privacy Key Management Request
447 DOCSIS Baseline Privacy Key Management Response
448 DOCSIS Dynamic Service Addition Acknowledge
449 DOCSIS Dynamic Service Addition Request
450 DOCSIS Dynamic Service Addition Response
451 DOCSIS Dynamic Service Change Acknowledgement
452 DOCSIS Dynamic Service Change Request
453 DOCSIS Dynamic Service Change Response
454 DOCSIS Dynamic Service Delete Request
455 DOCSIS Dynamic Service Delete Response
456 DOCSIS Initial Ranging Message
457 DOCSIS Mac Management
458 DOCSIS Range Request Message
459 DOCSIS Ranging Response
460 DOCSIS Registration Acknowledge
461 DOCSIS Registration Requests
462 DOCSIS Registration Responses
463 DOCSIS Upstream Bandwidth Allocation
464 DOCSIS Upstream Channel Change Request
465 DOCSIS Upstream Channel Change Response
466 DOCSIS Upstream Channel Descriptor
467 DOCSIS Upstream Channel Descriptor Type 29
468 DOCSIS Vendor Specific Endodings
471 Data Stream Interface
472 Datagram Delivery Protocol
473 Decompressed SigComp message as raw text
475 Digital Audio Access Protocol
476 Distance Vector Multicast Routing Protocol
477 Distcc Distributed Compiler
478 Distributed Checksum Clearinghouse Protocol
479 Distributed Network Protocol 3.0
481 Dynamic DNS Tools Protocol
484 Encapsulating Security Payload
485 Endpoint Name Resolution Protocol
486 Enhanced Interior Gateway Routing Protocol
487 EtherNet/IP (Industrial Protocol)
491 Extended Security Services
492 Extensible Authentication Protocol
494 FC Fabric Configuration Server
498 Fiber Distributed Data Interface
500 Fibre Channel Common Transport
501 Fibre Channel Fabric Zone Server
502 Fibre Channel Name Server
503 Fibre Channel Protocol for SCSI
505 Fibre Channel Security Protocol
506 Fibre Channel Single Byte Command
507 File Transfer Protocol (FTP)
508 Financial Information eXchange Protocol
511 GARP Multicast Registration Protocol
512 GARP VLAN Registration Protocol
514 GPRS Tunneling Protocol
518 GSM Mobile Application Part
519 GSM SMS TPDU (GSM 03.40)
520 GSM Short Message Service User Data
521 General Inter-ORB Protocol
522 Generic Routing Encapsulation
523 Generic Security Service Application Program Interface
526 H235-SECURITY-MESSAGES
527 HP Extended Local-Link Control
528 HP Remote Maintenance Protocol
529 Hummingbird NFS Daemon
531 Hypertext Transfer Protocol
551 ICBAPhysicalDevicePCEvent
559 IEEE 802.11 Radiotap Capture header
560 IEEE 802.11 wireless LAN
561 IEEE 802.11 wireless LAN management frame
562 IEEE802a OUI Extended Ethertype
564 IP Device Control (SS7 over IP)
566 IP Payload Compression
567 IP Virtual Services Sync Daemon
569 IPX Routing Information Protocol
574 ISDN Q.921-User Adaptation Layer
576 ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
577 ISO 8073 COTP Connection-Oriented Transport Protocol
578 ISO 8327-1 OSI Session Protocol
579 ISO 8473 CLNP ConnectionLess Network Protocol
580 ISO 8602 CLTP ConnectionLess Transport Protocol
581 ISO 8823 OSI Presentation Protocol
582 ISO 9542 ESIS Routeing Information Exchange Protocol
583 ISystemActivator ISystemActivator Resolver
585 ITU-T Recommendation H.261
586 ITU-T Recommendation H.263 RTP Payload header (RFC2190)
588 Information Access Protocol
590 Intelligent Platform Management Interface
591 Inter-Access-Point Protocol
592 Inter-Asterisk eXchange v2
593 InterSwitch Message Protocol
595 Internet Cache Protocol
596 Internet Communications Engine Protocol
597 Internet Content Adaptation Protocol
598 Internet Control Message Protocol
599 Internet Control Message Protocol v6
600 Internet Group Management Protocol
601 Internet Group membership Authentication Protocol
602 Internet Message Access Protocol
603 Internet Printing Protocol
605 Internet Protocol Version 6
607 Internet Security Association and Key Management Protocol
608 Internetwork Packet eXchange
610 IrDA Link Access Protocol
611 IrDA Link Management Protocol
612 JPEG File Interchange Format
618 Kerberos Administration
622 LWAPP Encapsulated Packet
624 Label Distribution Protocol
626 Layer 2 Tunneling Protocol
627 Light Weight DNS RESolver (BIND9)
628 Lightweight Directory Access Protocol
629 Line Printer Daemon Protocol
631 Link Access Procedure Balanced (LAPB)
632 Link Access Procedure Balanced Ethernet (LAPBETHER)
633 Link Access Procedure, Channel D (LAPD)
634 Link Aggregation Control Protocol
635 Link Management Protocol (LMP)
636 Linux cooked-mode capture
637 Local Management Interface
638 LocalTalk Link Access Protocol
640 Logical Link Control GPRS
642 Logotype Certificate Extensions
643 Lucent/Ascend debug output
648 MIME Multipart Media Encapsulation
649 MMS Message Encapsulation
652 MSN Messenger Service
653 MSNIP: Multicast Source Notification of Interest Protocol
654 MTP 2 Transparent Proxy
655 MTP 2 User Adaptation Layer
656 MTP 3 User Adaptation Layer
657 MTP2 Peer Adaptation Layer
658 Media Gateway Control Protocol
660 Media Type: message/http
661 Message Transfer Part Level 2
662 Message Transfer Part Level 3
663 Message Transfer Part Level 3 Management
664 Meta Analysis Tracing Engine
665 Microsoft Directory Replication Service
666 Microsoft Distributed File System
667 Microsoft Distributed Link Tracking Server Service
668 Microsoft Encrypted File System Service
669 Microsoft Eventlog Service
670 Microsoft Exchange MAPI
671 Microsoft File Replication Service
672 Microsoft File Replication Service API
673 Microsoft Local Security Architecture
674 Microsoft Local Security Architecture (Directory Services)
675 Microsoft Messenger Service
676 Microsoft Network Logon
678 Microsoft Security Account Manager
679 Microsoft Server Service
680 Microsoft Service Control
681 Microsoft Spool Subsystem
682 Microsoft Task Scheduler Service
683 Microsoft Telephony API Service
684 Microsoft Windows Browser Protocol
685 Microsoft Windows Lanman Remote API Protocol
686 Microsoft Windows Logon Protocol
687 Microsoft Workstation Service
692 MultiProtocol Label Switching Header
693 Multicast Router DISCovery protocol
694 Multicast Source Discovery Protocol
695 Multiprotocol Label Switching Echo
702 NTLM Secure Service Provider
703 Name Binding Protocol
704 Name Management Protocol over IPX
705 Negative-acknowledgment Oriented Reliable Multicast
707 NetBIOS Datagram Service
709 NetBIOS Session Service
711 NetScape Certificate Extensions
712 NetWare Core Protocol
713 NetWare Link Services Protocol
714 NetWare Serialization Protocol
715 Network Data Management Protocol
717 Network Lock Manager Protocol
718 Network News Transfer Protocol
719 Network Service Over IP
720 Network Status Monitor CallBack Protocol
721 Network Status Monitor Protocol
722 Network Time Protocol
724 Novell Distributed Print System
725 Novell Modular Authentication Service
727 OSI ISO 8571 FTAM Protocol
728 OSI ISO/IEC 10035-1 ACSE Protocol
729 Online Certificate Status Protocol
730 Open Policy Service Interface
731 Open Shortest Path First
732 OpenBSD Encapsulating device
733 OpenBSD Packet Filter log file
734 OpenBSD Packet Filter log file, pre 3.4
735 Optimized Link State Routing Protocol
739 PKIX CERT File Format
741 PKIX Time Stamp Protocol
745 PPP Bandwidth Allocation Control Protocol
746 PPP Bandwidth Allocation Protocol
747 PPP CDP Control Protocol
748 PPP Callback Control Protocol
749 PPP Challenge Handshake Authentication Protocol
750 PPP Compressed Datagram
751 PPP Compression Control Protocol
752 PPP IP Control Protocol
753 PPP IPv6 Control Protocol
754 PPP In HDLC-Like Framing
755 PPP Link Control Protocol
756 PPP MPLS Control Protocol
757 PPP Multilink Protocol
759 PPP OSI Control Protocol
760 PPP Password Authentication Protocol
762 PPP-over-Ethernet Discovery
763 PPP-over-Ethernet Session
764 PPPMux Control Protocol
767 PROFINET Real-Time Protocol
768 Packed Encoding Rules (ASN.1 X.691)
769 Packet Cable Lawful Intercept
771 Point-to-Point Protocol
772 Point-to-Point Tunnelling Protocol
773 Port Aggregation Protocol
777 Pragmatic General Multicast
778 Precision Time Protocol (IEEE1588)
780 Privilege Server operations
781 Protocol Independent Multicast
785 Quake II Network Protocol
786 Quake III Arena Network Protocol
787 Quake Network Protocol
788 QuakeWorld Network Protocol
789 Qualified Logical Link Control
795 RS Interface properties
797 RSYNC File Synchroniser
800 Radio Access Network Application Part
803 Real Time Streaming Protocol
804 Real-Time Media Access Control
805 Real-Time Publish-Subscribe Wire Protocol
806 Real-Time Transport Protocol
807 Real-time Transport Control Protocol
808 Redundant Link Management Protocol
809 Registry Server Attributes Manipulation Interface
810 Registry server administration operations.
812 Remote Management Control Protocol
813 Remote Override interface
814 Remote Procedure Call
820 Remote sec_login preauth interface.
821 Resource ReserVation Protocol (RSVP)
823 Routing Information Protocol
824 Routing Table Maintenance Protocol
827 SEBEK - Kernel Data Capture
829 SMB (Server Message Block Protocol)
830 SMB MailSlot Protocol
833 SNMP Multiplex Protocol
836 SS7 SCCP-User Adaptation Layer
841 Sequenced Packet eXchange
843 Service Advertisement Protocol
844 Service Location Protocol
845 Session Announcement Protocol
846 Session Description Protocol
847 Session Initiation Protocol
848 Session Initiation Protocol (SIP as raw text)
849 Short Message Peer to Peer
850 Short Message Relaying Service
851 Signaling Compression
852 Signalling Connection Control Part
853 Signalling Connection Control Part Management
854 Simple Mail Transfer Protocol
855 Simple Network Management Protocol
856 Simple Traversal of UDP Through NAT
859 Skinny Client Control Protocol
860 SliMP3 Communication Protocol
863 Spanning Tree Protocol
865 Stream Control Transmission Protocol
866 Subnetwork Dependent Convergence Protocol
867 Symantec Enterprise Firewall
868 Synchronous Data Link Control (SDLC)
870 Systems Network Architecture
871 Systems Network Architecture XID
875 TDMA RTmac Discipline
876 TEI Management Procedure, Channel D (LAPD)
879 Tazmen Sniffer Protocol
881 Teredo IPv6 over UDP tunneling
883 Time Synchronization Protocol
884 Tiny Transport Protocol
886 Token-Ring Media Access Control
887 Transaction Capabilities Application Part
888 Transmission Control Protocol
889 Transparent Network Substrate Protocol
890 Transport Adapter Layer Interface v1.0, RFC 3094
891 Trivial File Transfer Protocol
892 UDP Encapsulation of IPsec Packets
893 Universal Computer Protocol
894 User Datagram Protocol
895 V5.2-User Adaptation Layer
896 Virtual Router Redundancy Protocol
897 Virtual Trunking Protocol
899 WAP Session Initiation Request
900 Web Cache Coordination Protocol
902 WebSphere MQ Programmable Command Formats
903 Wellfleet Breath of Life
904 Wellfleet Compression
908 Wireless Session Protocol
909 Wireless Transaction Protocol
910 Wireless Transport Layer Security
911 X Display Manager Control Protocol
915 X.509 Authentication Framework
916 X.509 Certificate Extensions
917 X.509 Information Framework
918 X.509 Selected Attribute Types
922 Yahoo Messenger Protocol
923 Yahoo YMSG Messenger Protocol
927 Yellow Pages Transfer
929 Zone Information Protocol
931 giFT Internet File Transfer
938 Q 1.6: Are there any plans to support {your favorite protocol}?
940 A: Support for particular protocols is added to Ethereal as a result
941 of people contributing that support; no formal plans for adding
942 support for particular protocols in particular future releases exist.
944 Q 1.7: Can Ethereal read capture files from {your favorite network
947 A: Support for particular protocols is added to Ethereal as a result
948 of people contributing that support; no formal plans for adding
949 support for particular protocols in particular future releases exist.
951 If a network analyzer writes out files in a format already supported
952 by Ethereal (e.g., in libpcap format), Ethereal may already be able to
953 read them, unless the analyzer has added its own proprietary
954 extensions to that format.
956 If a network analyzer writes out files in its own format, or has added
957 proprietary extensions to another format, in order to make Ethereal
958 read captures from that network analyzer, we would either have to have
959 a specification for the file format, or the extensions, sufficient to
960 give us enough information to read the parts of the file relevant to
961 Ethereal, or would need at least one capture file in that format AND a
962 detailed textual analysis of the packets in that capture file (showing
963 packet time stamps, packet lengths, and the top-level packet header)
964 in order to reverse-engineer the file format.
966 Note that there is no guarantee that we will be able to
967 reverse-engineer a capture file format.
969 Q 1.8: What devices can Ethereal use to capture packets?
971 A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial
972 (PPP and SLIP) (if the OS on which it's running allows Ethereal to do
973 so), 802.11 wireless LAN (if the OS on which it's running allows
974 Ethereal to do so), ATM connections (if the OS on which it's running
975 allows Ethereal to do so), and the "any" device supported on Linux by
976 recent versions of libpcap. See the list of supported capture media on
977 various OSes for details (several items in there say "Unknown", which
978 doesn't mean "Ethereal can't capture on them", it means "we don't know
979 whether it can capture on them"; we expect that it will be able to
980 capture on many of them, but we haven't tried it ourselves - if you
981 try one of those types and it works, please send an update to
982 ethereal-web[AT]ethereal.com ).
984 It can also read a variety of capture file formats, including:
985 * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
987 * AIX's iptrace captures
988 * Accellent's 5Views LAN agent output
989 * Cinco Networks NetXRay captures
990 * Cisco Secure Intrusion Detection System IPLog output
991 * CoSine L2 debug output
992 * DBS Etherwatch VMS text output
993 * Endace Measurement Systems' ERF format captures
994 * EyeSDN USB S0 traces
995 * HP-UX nettl captures
996 * ISDN4BSD project i4btrace captures
997 * Linux Bluez Bluetooth stack hcidump -w traces
998 * Lucent/Ascend router debug output
999 * Microsoft Network Monitor captures
1000 * Network Associates Windows-based Sniffer captures
1001 * Network General/Network Associates DOS-based Sniffer (compressed
1002 or uncompressed) captures
1003 * Network Instruments Observer version 9 captures
1004 * Novell LANalyzer captures
1005 * RADCOM's WAN/LAN analyzer captures
1006 * Shomiti/Finisar Surveyor captures
1007 * Toshiba's ISDN routers dump output
1008 * VMS TCPIPtrace/TCPtrace/UCX$TRACE output
1009 * Visual Networks' Visual UpTime traffic capture
1010 * libpcap, tcpdump and various other tools using tcpdump's capture
1012 * snoop and atmsnoop output
1014 so that it can read traces from various network types, as captured by
1015 other applications or equipment, even if it cannot itself capture on
1016 those network types.
1018 Q 1.9: How do you pronounce Ethereal? Where did the name come from?
1020 A: The English pronunciation can be found in Merriam-Webster's online
1022 http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.
1024 According to the book "Computer Networks" by Andrew Tannenbaum,
1025 Ethernet was named after the "luminiferous ether" which was once
1026 thought to carry electromagnetic radiation. Taking that into
1027 consideration, Ethereal seemed like an appropriate name for something
1028 that started out as an Ethernet analyzer.
1030 Downloading Ethereal
1032 Q 2.1: I downloaded the Win32 installer, but when I try to run it, I
1035 A: The program you used to download it may have downloaded it
1036 incorrectly. Web browsers sometimes may do this.
1038 Try downloading it with, for example:
1039 * Wget, for which Windows binaries are available on the SunSITE FTP
1040 server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
1041 offers a GUI interface that uses wget;
1042 * WS_FTP from Ipswitch,
1043 * the ftp command that comes with Windows.
1045 If you use the ftp command, make sure you do the transfer in binary
1046 mode rather than ASCII mode, by using the binary command before
1047 transferring the file.
1049 Q 2.2: When I try to download the WinPcap driver and library, I can't
1050 get to the WinPcap Web site.
1052 A: As is the case with all Web sites, that site won't necessarily
1053 always be accessible; the server may be down due to a problem or down
1054 for maintenance, or there may be a networking problem between you and
1055 the server. You should try again later, or try the local mirror or the
1056 Wiretapped.net mirror.
1060 Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
1061 installed; only Tethereal is installed.
1063 A: Older versions of the Red Hat RPMs for Ethereal put only the
1064 non-GUI components into the ethereal RPM, the fact that Ethereal is a
1065 GUI program nonwithstanding; newer versions make it a bit clearer by
1066 giving that RPM a name starting with ethereal-base.
1068 In those older versions, there's a separate ethereal-gnome RPM that
1069 includes GUI components such as Ethereal itself, the fact that
1070 Ethereal doesn't use GNOME nonwithstanding; newer versions make it a
1071 bit clearer by giving that RPM a name starting with ethereal-gtk+.
1073 Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.
1077 Q 4.1: The configure script can't find pcap.h or bpf.h, but I have
1080 A: Are you sure pcap.h and bpf.h are installed? The official
1081 distribution of libpcap only installs the libpcap.a library file when
1082 "make install" is run. To install pcap.h and bpf.h, you must run "make
1083 install-incl". If you're running Debian or Redhat, make sure you have
1084 the "libpcap-dev" or "libpcap-devel" packages installed.
1086 It's also possible that pcap.h and bpf.h have been installed in a
1087 strange location. If this is the case, you may have to tweak
1090 Q 4.2: Why do I get the error
1092 dftest_DEPENDENCIES was already defined in condition TRUE, which
1093 implies condition HAVE_PLUGINS_TRUE
1095 when I try to build Ethereal from SVN or a SVN snapshot?
1097 A: You probably have automake 1.5 installed on your machine (the
1098 command automake --version will report the version of automake on your
1099 machine). There is a bug in that version of automake that causes this
1100 problem; upgrade to a later version of automake (1.6 or later).
1102 Q 4.3: The link fails with a number of "Output line too long."
1103 messages followed by linker errors.
1105 A: The version of the sed command on your system is incapable of
1106 handling very long lines. On Solaris, for example, /usr/bin/sed has a
1107 line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
1108 can handle it, as can GNU sed if you have it installed.
1110 On Solaris, changing your command search path to search /usr/xpg4/bin
1111 before /usr/bin should make the problem go away; on any platform on
1112 which you have this problem, installing GNU sed and changing your
1113 command path to search the directory in which it is installed before
1114 searching the directory with the version of sed that came with the OS
1115 should make the problem go away.
1117 Q 4.4: The link fails on Solaris because plugin_list is undefined.
1119 A: This appears to be due to a problem with some versions of the GTK+
1120 and GLib packages from www.sunfreeware.org; un-install those packages,
1121 and try getting the 1.2.10 versions from that site, or the versions
1122 from The Written Word, or the versions from Sun's GNOME distribution,
1123 or the versions from the supplemental software CD that comes with the
1124 Solaris media kit, or build them from source from the GTK Web site.
1125 Then re-run the configuration script, and try rebuilding Ethereal. (If
1126 you get the 1.2.10 versions from www.sunfreeware.org, and the problem
1127 persists, un-install them and try installing one of the other versions
1130 Q 4.5: The build fails on Windows because of conflicts between
1131 winsock.h and winsock2.h.
1133 A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and
1134 the corresponding version of the developer's pack, in order to be able
1135 to compile Ethereal; it will not compile with older versions of the
1136 developer's pack. The symptoms of this failure are conflicts between
1137 definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h,
1138 but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
1139 (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would
1140 not be able to build with current versions of the WinPcap developer's
1143 Note that the installed version of the developer's pack should be the
1144 same version as the version of WinPcap you have installed.
1148 Q 5.1: When I use Ethereal to capture packets, I see only packets to
1149 and from my machine, or I'm not seeing all the traffic I'm expecting
1150 to see from or to the machine I'm trying to monitor.
1152 A: This might be because the interface on which you're capturing is
1153 plugged into an Ethernet or Token Ring switch; on a switched network,
1154 unicast traffic between two ports will not necessarily appear on other
1155 ports - only broadcast and multicast traffic will be sent to all
1158 Note that even if your machine is plugged into a hub, the "hub" may be
1159 a switched hub, in which case you're still on a switched network.
1161 Note also that on the Linksys Web site, they say that their
1162 auto-sensing hubs "broadcast the 10Mb packets to the port that operate
1163 at 10Mb only and broadcast the 100Mb packets to the ports that operate
1164 at 100Mb only", which would indicate that if you sniff on a 10Mb port,
1165 you will not see traffic coming sent to a 100Mb port, and vice versa.
1166 This problem has also been reported for Netgear dual-speed hubs, and
1167 may exist for other "auto-sensing" or "dual-speed" hubs.
1169 Some switches have the ability to replicate all traffic on all ports
1170 to a single port so that you can plug your analyzer into that single
1171 port to sniff all traffic. You would have to check the documentation
1172 for the switch to see if this is possible and, if so, to see how to do
1173 this. See the switch reference page on the Ethereal Wiki for
1174 information on some switches. (Note that it's a Wiki, so you can
1175 update or fix that information, or add additional information on those
1176 switches or information on new switches, yourself.)
1178 Note also that many firewall/NAT boxes have a switch built into them;
1179 this includes many of the "cable/DSL router" boxes. If you have a box
1180 of that sort, that has a switch with some number of Ethernet ports
1181 into which you plug machines on your network, and another Ethernet
1182 port used to connect to a cable or DSL modem, you can, at least, sniff
1183 traffic between the machines on your network and the Internet by
1184 plugging the Ethernet port on the router going to the modem, the
1185 Ethernet port on the modem, and the machine on which you're running
1186 Ethereal into a hub (make sure it's not a switching hub, and that, if
1187 it's a dual-speed hub, all three of those ports are running at the
1190 If your machine is not plugged into a switched network or a dual-speed
1191 hub, or it is plugged into a switched network but the port is set up
1192 to have all traffic replicated to it, the problem might be that the
1193 network interface on which you're capturing doesn't support
1194 "promiscuous" mode, or because your OS can't put the interface into
1195 promiscuous mode. Normally, network interfaces supply to the host
1197 * packets sent to one of that host's link-layer addresses;
1198 * broadcast packets;
1199 * multicast packets sent to a multicast address that the host has
1200 configured the interface to accept.
1202 Most network interfaces can also be put in "promiscuous" mode, in
1203 which they supply to the host all network packets they see. Ethereal
1204 will try to put the interface on which it's capturing into promiscuous
1205 mode unless the "Capture packets in promiscuous mode" option is turned
1206 off in the "Capture Options" dialog box, and Tethereal will try to put
1207 the interface on which it's capturing into promiscuous mode unless the
1208 -p option was specified. However, some network interfaces don't
1209 support promiscuous mode, and some OSes might not allow interfaces to
1210 be put into promiscuous mode.
1212 If the interface is not running in promiscuous mode, it won't see any
1213 traffic that isn't intended to be seen by your machine. It will see
1214 broadcast packets, and multicast packets sent to a multicast MAC
1215 address the interface is set up to receive.
1217 You should ask the vendor of your network interface whether it
1218 supports promiscuous mode. If it does, you should ask whoever supplied
1219 the driver for the interface (the vendor, or the supplier of the OS
1220 you're running on your machine) whether it supports promiscuous mode
1221 with that network interface.
1223 In the case of token ring interfaces, the drivers for some of them, on
1224 Windows, may require you to enable promiscuous mode in order to
1225 capture in promiscuous mode. See the Ethereal Wiki item on Token Ring
1226 capturing for details.
1228 In the case of wireless LAN interfaces, it appears that, when those
1229 interfaces are promiscuously sniffing, they're running in a
1230 significantly different mode from the mode that they run in when
1231 they're just acting as network interfaces (to the extent that it would
1232 be a significant effor for those drivers to support for promiscuously
1233 sniffing and acting as regular network interfaces at the same time),
1234 so it may be that Windows drivers for those interfaces don't support
1237 Q 5.2: I can't see any TCP packets other than packets to and from my
1238 machine, even though another analyzer on the network sees those
1241 A: You're probably not seeing any packets other than unicast packets
1242 to or from your machine, and broadcast and multicast packets; a switch
1243 will normally send to a port only unicast traffic sent to the MAC
1244 address for the interface on that port, and broadcast and multicast
1245 traffic - it won't send to that port unicast traffic sent to a MAC
1246 address for some other interface - and a network interface not in
1247 promiscuous mode will receive only unicast traffic sent to the MAC
1248 address for that interface, broadcast traffic, and multicast traffic
1249 sent to a multicast MAC address the interface is set up to receive.
1251 TCP doesn't use broadcast or multicast, so you will only see your own
1252 TCP traffic, but UDP services may use broadcast or multicast so you'll
1253 see some UDP traffic - however, this is not a problem with TCP
1254 traffic, it's a problem with unicast traffic, as you also won't see
1255 all UDP traffic between other machines.
1257 I.e., this is probably the same question as this earlier one; see the
1258 response to that question.
1260 Q 5.3: I'm only seeing ARP packets when I try to capture traffic.
1262 A: You're probably on a switched network, and running Ethereal on a
1263 machine that's not sending traffic to the switch and not being sent
1264 any traffic from other machines on the switch. ARP packets are often
1265 broadcast packets, which are sent to all switch ports.
1267 I.e., this is probably the same question as this earlier one; see the
1268 response to that question.
1270 Q 5.4: I'm running Ethereal on Windows; why does some network
1271 interface on my machine not show up in the list of interfaces in the
1272 "Interface:" field in the dialog box popped up by "Capture->Start",
1273 and/or why does Ethereal give me an error if I try to capture on that
1276 A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
1277 Windows XP, or Windows Server 2003, and this is the first time you
1278 have run a WinPcap-based program (such as Ethereal, or Tethereal, or
1279 WinDump, or Analyzer, or...) since the machine was rebooted, you need
1280 to run that program from an account with administrator privileges;
1281 once you have run such a program, you will not need administrator
1282 privileges to run any such programs until you reboot.
1284 If you are running on Windows 95/98/Me, or if you are running on
1285 Windows NT 4.0/Windows 2000/Windows XP/Windows Server 2003 and have
1286 administrator privileges or a WinPcap-based program has been run with
1287 those privileges since the machine rebooted, then note that Ethereal
1288 relies on the WinPcap library, on the WinPcap device driver, and on
1289 the facilities that come with the OS on which it's running in order to
1292 Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
1293 support capturing on a particular network interface device, Ethereal
1294 won't be able to capture on that device.
1297 1. 2.02 and earlier versions of the WinPcap driver and library that
1298 Ethereal uses for packet capture didn't support Token Ring
1299 interfaces; versions 2.1 and later support Token Ring, and the
1300 current version of Ethereal works with (and, in fact, requires)
1301 WinPcap 2.1 or later.
1302 If you are having problems capturing on Token Ring interfaces, and
1303 you have WinPcap 2.02 or an earlier version of WinPcap installed,
1304 you should uninstall WinPcap, download and install the current
1305 version of WinPcap, and then install the latest version of
1307 2. On Windows 95, 98, or Me, sometimes more than one interface will
1308 be given the same name; if that is the case, you will only be able
1309 to capture on one of those interfaces - it's not clear to which
1310 one the name, when used in a WinPcap-based application, will
1311 refer. For example, if you have a PPP serial interface and a VPN
1312 interface, they might show up with the same name, for example
1313 "ppp-mac", and if you try to capture on "ppp-mac", it might not
1314 capture on the interface you're currently using. In that case, you
1315 might, for example, have to remove the VPN interface from the
1316 system in order to capture on the PPP serial interface.
1317 3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows
1318 NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
1319 avoid those problems, support for PPP WAN interfaces on those
1320 versions of Windows has been disabled in WinPcap 3.0. Regular
1321 dial-up lines, ISDN lines, ADSL connections using PPPoE or PPPoA,
1322 and various other lines such as T1/E1 lines are all PPP
1323 interfaces, so those interfaces might not show up on the list of
1324 interfaces in the "Capture Options" dialog on those OSes.
1325 On Windows 2000 and later, installing the beta version of WinPcap
1326 3.1 might help, although, as it's a beta version, that might cause
1327 some other problems that don't occur with older versions of
1328 WinPcap; you should report those problems to the WinPcap
1329 developers, so that they can try to fix those problems before the
1330 final version of WinPcap 3.1 is released. WinPcap 3.1 will not
1331 support PPP captures on Windows NT 4.0. See the Ethereal Wiki item
1332 on PPP capturing for details.
1333 4. WinPcap prior to 3.0 does not support multiprocessor machines
1334 (note that machines with a single multi-threaded processor, such
1335 as Intel's new multi-threaded x86 processors, are multiprocessor
1336 machines as far as the OS and WinPcap are concerned), and recent
1337 2.x versions of WinPcap refuse to operate if they detect that
1338 they're running on a multiprocessor machine, which means that they
1339 may not show any network interfaces. You will need to use WinPcap
1340 3.0 to capture on a multiprocessor machine.
1342 If an interface doesn't show up in the list of interfaces in the
1343 "Interface:" field, and you know the name of the interface, try
1344 entering that name in the "Interface:" field and capturing on that
1347 If the attempt to capture on it succeeds, the interface is somehow not
1348 being reported by the mechanism Ethereal uses to get a list of
1349 interfaces. Try listing the interfaces with WinDump; see the WinDump
1350 Web site or the local mirror of the WinDump Web site for information
1353 You would run WinDump with the -D flag; if it lists the interface,
1354 please report this to ethereal-dev@ethereal.com giving full details of
1355 the problem, including
1356 * the operating system you're using, and the version of that
1358 * the type of network device you're using;
1359 * the output of WinDump.
1361 If WinDump does not list the interface, this is almost certainly a
1362 problem with one or more of:
1363 * the operating system you're using;
1364 * the device driver for the interface you're using;
1365 * the WinPcap library and/or the WinPcap device driver;
1367 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1368 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1369 there. If not, then see the WinPcap support page (or the local mirror
1370 of that page) - check the "Submitting bugs" section.
1372 If you are having trouble capturing on a particular network interface,
1373 first try capturing on that device with WinDump; see the WinDump Web
1374 site or the local mirror of the WinDump Web site for information on
1377 If you can capture on the interface with WinDump, send mail to
1378 ethereal-users@ethereal.com giving full details of the problem,
1380 * the operating system you're using, and the version of that
1382 * the type of network device you're using;
1383 * the error message you get from Ethereal.
1385 If you cannot capture on the interface with WinDump, this is almost
1386 certainly a problem with one or more of:
1387 * the operating system you're using;
1388 * the device driver for the interface you're using;
1389 * the WinPcap library and/or the WinPcap device driver;
1391 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1392 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1393 there. If not, then see the WinPcap support page (or the local mirror
1394 of that page) - check the "Submitting bugs" section.
1396 You may also want to ask the ethereal-users@ethereal.com and the
1397 winpcap-users@winpcap.polito.it mailing lists to see if anybody
1398 happens to know about the problem and know a workaround or fix for the
1399 problem. (Note that you will have to subscribe to that list in order
1400 to be allowed to mail to it; see the WinPcap support page, or the
1401 local mirror of that page, for information on the mailing list.) In
1402 your mail, please give full details of the problem, as described
1403 above, and also indicate that the problem occurs with WinDump, not
1406 Q 5.5: I'm running Ethereal on Windows; why do no network interfaces
1407 show up in the list of interfaces in the "Interface:" field in the
1408 dialog box popped up by "Capture->Start"?
1410 A: This is really the same question as the previous one; see the
1411 response to that question.
1413 Q 5.6: I'm running Ethereal on Windows; why doesn't my serial
1414 port/ADSL modem/ISDN modem show up in the list of interfaces in the
1415 "Interface:" field in the dialog box popped up by "Capture->Start"?
1417 A: Internet access on those devices is often done with the
1418 Point-to-Point (PPP) protocol; WinPcap 2.3 has problems supporting PPP
1419 WAN interfaces on Windows NT 4.0, Windows 2000, Windows XP, and
1420 Windows Server 2003, and, to avoid those problems, support for PPP WAN
1421 interfaces on those versions of Windows has been disabled in WinPcap
1424 On Windows 2000 and later, installing the beta version of WinPcap 3.1
1425 might help, although, as it's a beta version, that might cause some
1426 other problems that don't occur with older versions of WinPcap; you
1427 should report those problems to the WinPcap developers, so that they
1428 can try to fix those problems before the final version of WinPcap 3.1
1429 is released. WinPcap 3.1 will not support PPP captures on Windows NT
1430 4.0. See the Ethereal Wiki item on PPP capturing for details.
1432 Q 5.7: I'm running Ethereal on a UNIX-flavored OS; why does some
1433 network interface on my machine not show up in the list of interfaces
1434 in the "Interface:" field in the dialog box popped up by
1435 "Capture->Start", and/or why does Ethereal give me an error if I try
1436 to capture on that interface?
1438 A: You may need to run Ethereal from an account with sufficient
1439 privileges to capture packets, such as the super-user account, or may
1440 need to give your account sufficient privileges to capture packets.
1441 Only those interfaces that Ethereal can open for capturing show up in
1442 that list; if you don't have sufficient privileges to capture on any
1443 interfaces, no interfaces will show up in the list. See the Ethereal
1444 Wiki item on capture privileges for details on how to give a
1445 particular account or account group capture privileges on platforms
1446 where that can be done.
1448 If you are running Ethereal from an account with sufficient
1449 privileges, then note that Ethereal relies on the libpcap library, and
1450 on the facilities that come with the OS on which it's running in order
1451 to do captures. On some OSes, those facilities aren't present by
1452 default; see the Ethereal Wiki item on adding capture support for
1455 And, even if you're running with an account that has sufficient
1456 privileges to capture, and capture support is present in your OS, if
1457 the OS or the libpcap library don't support capturing on a particular
1458 network interface device or particular types of devices, Ethereal
1459 won't be able to capture on that device.
1461 On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
1462 Ring interfaces; the current version, 0.7.2, does support Token Ring,
1463 and the current version of Ethereal works with libcap 0.7.2 and later.
1465 If an interface doesn't show up in the list of interfaces in the
1466 "Interface:" field, and you know the name of the interface, try
1467 entering that name in the "Interface:" field and capturing on that
1470 If the attempt to capture on it succeeds, the interface is somehow not
1471 being reported by the mechanism Ethereal uses to get a list of
1472 interfaces; please report this to ethereal-dev@ethereal.com giving
1473 full details of the problem, including
1474 * the operating system you're using, and the version of that
1475 operating system (for Linux, give both the version number of the
1476 kernel and the name and version number of the distribution you're
1478 * the type of network device you're using.
1480 If you are having trouble capturing on a particular network interface,
1481 and you've made sure that (on platforms that require it) you've
1482 arranged that packet capture support is present, as per the above,
1483 first try capturing on that device with tcpdump.
1485 If you can capture on the interface with tcpdump, send mail to
1486 ethereal-users@ethereal.com giving full details of the problem,
1488 * the operating system you're using, and the version of that
1489 operating system (for Linux, give both the version number of the
1490 kernel and the name and version number of the distribution you're
1492 * the type of network device you're using;
1493 * the error message you get from Ethereal.
1495 If you cannot capture on the interface with tcpdump, this is almost
1496 certainly a problem with one or more of:
1497 * the operating system you're using;
1498 * the device driver for the interface you're using;
1499 * the libpcap library;
1501 so you should report the problem to the company or organization that
1502 produces the OS (in the case of a Linux distribution, report the
1503 problem to whoever produces the distribution).
1505 You may also want to ask the ethereal-users@ethereal.com and the
1506 tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
1507 know about the problem and know a workaround or fix for the problem.
1508 In your mail, please give full details of the problem, as described
1509 above, and also indicate that the problem occurs with tcpdump not just
1512 Q 5.8: I'm running Ethereal on a UNIX-flavored OS; why do no network
1513 interfaces show up in the list of interfaces in the "Interface:" field
1514 in the dialog box popped up by "Capture->Start"?
1516 A: This is really the same question as the previous one; see the
1517 response to that question.
1519 Q 5.9: Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
1521 A: Ethereal can only capture on devices supported by libpcap/WinPcap.
1522 On most OSes, only devices that can act as network interfaces of the
1523 type that support IP are supported as capture devices for
1524 libpcap/WinPcap, although the device doesn't necessarily have to be
1525 running as an IP interface in order to support traffic capture.
1527 On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
1528 Measurement Systems' DAG cards, so that a system with one of those
1529 cards, and its driver and libraries, installed can capture traffic
1530 with those cards with libpcap-based applications. You would either
1531 have to have a version of Ethereal built with that version of libpcap,
1532 or a dynamically-linked version of Ethereal and a shared libpcap
1533 library with DAG support, in order to do so with Ethereal. You should
1534 ask Endace whether that could be used to capture traffic on, for
1535 example, your T1/E1 link.
1536 There is currently no hardware to support capturing on SS7 links with
1537 libpcap. (Note that the fact that Ethereal includes dissectors for
1538 many SS7 protocols doesn't imply that it can capture traffic from SS7
1539 links; those protocols can be run over Internet protocols.)
1541 Q 5.10: How do I put an interface into promiscuous mode?
1543 A: By not disabling promiscuous mode when running Ethereal or
1546 Note, however, that:
1547 * the form of promiscuous mode that libpcap (the library that
1548 programs such as tcpdump, Ethereal, etc. use to do packet capture)
1549 turns on will not necessarily be shown if you run ifconfig on the
1550 interface on a UNIX system;
1551 * some network interfaces might not support promiscuous mode, and
1552 some drivers might not allow promiscuous mode to be turned on -
1553 see this earlier question for more information on that;
1554 * the fact that you're not seeing any traffic, or are only seeing
1555 broadcast traffic, or aren't seeing any non-broadcast traffic
1556 other than traffic to or from the machine running Ethereal, does
1557 not mean that promiscuous mode isn't on - see this earlier
1558 question for more information on that.
1560 I.e., this is probably the same question as this earlier one; see the
1561 response to that question.
1563 Q 5.11: I can set a display filter just fine, but capture filters
1566 A: Capture filters currently use a different syntax than display
1567 filters. Here's the corresponding section from the ethereal(1) man
1570 "Display filters in Ethereal are very powerful; more fields are
1571 filterable in Ethereal than in other protocol analyzers, and the
1572 syntax you can use to create your filters is richer. As Ethereal
1573 progresses, expect more and more protocol fields to be allowed in
1576 Packet capturing is performed with the pcap library. The capture
1577 filter syntax follows the rules of the pcap library. This syntax is
1578 different from the display filter syntax."
1580 The capture filter syntax used by libpcap can be found in the
1581 tcpdump(8) man page.
1583 Q 5.12: I'm entering valid capture filters, but I still get "parse
1586 A: There is a bug in some versions of libpcap/WinPcap that cause it to
1587 report parse errors even for valid expressions if a previous filter
1588 expression was invalid and got a parse error.
1590 Try exiting and restarting Ethereal; if you are using a version of
1591 libpcap/WinPcap with this bug, this will "erase" its memory of the
1592 previous parse error. If the capture filter that got the "parse error"
1593 now works, the earlier error with that filter was probably due to this
1596 The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
1597 libpcap have this bug, but 0.6[.x] and later versions don't.
1599 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
1600 libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
1601 doesn't have this bug.
1603 If you are running Ethereal on a UNIX-flavored platform, run "ethereal
1604 -v", or select "About Ethereal..." from the "Help" menu in Ethereal,
1605 to see what version of libpcap it's using. If it's not 0.6 or later,
1606 you will need either to upgrade your OS to get a later version of
1607 libpcap, or will need to build and install a later version of libpcap
1608 from the tcpdump.org Web site and then recompile Ethereal from source
1609 with that later version of libpcap.
1611 If you are running Ethereal on Windows with a pre-2.3 version of
1612 WinPcap, you will need to un-install WinPcap and then download and
1613 install WinPcap 2.3.
1615 Q 5.13: I saved a filter and tried to use its name to filter the
1616 display, but I got an "Unexpected end of filter string" error.
1618 A: You cannot use the name of a saved display filter as a filter. To
1619 filter the display, you can enter a display filter expression - not
1620 the name of a saved display filter - in the "Filter:" box at the
1621 bottom of the display, and type the key or press the "Apply" button
1622 (that does not require you to have a saved filter), or, if you want to
1623 use a saved filter, you can press the "Filter:" button, select the
1624 filter in the dialog box that pops up, and press the "OK" button.
1626 Q 5.14: Why am I seeing lots of packets with incorrect TCP checksums?
1628 A: If the packets that have incorrect TCP checksums are all being sent
1629 by the machine on which Ethereal is running, this is probably because
1630 the network interface on which you're capturing does TCP checksum
1631 offloading. That means that the TCP checksum is added to the packet by
1632 the network interface, not by the OS's TCP/IP stack; when capturing on
1633 an interface, packets being sent by the host on which you're capturing
1634 are directly handed to the capture interface by the OS, which means
1635 that they are handed to the capture interface without a TCP checksum
1636 being added to them.
1638 The only way to prevent this from happening would be to disable TCP
1639 checksum offloading, but
1640 1. that might not even be possible on some OSes;
1641 2. that could reduce networking performance significantly.
1643 However, you can disable the check that Ethereal does of the TCP
1644 checksum, so that it won't report any packets as having TCP checksum
1645 errors, and so that it won't refuse to do TCP reassembly due to a
1646 packet having an incorrect TCP checksum. That can be set as an
1647 Ethereal preference by selecting "Preferences" from the "Edit" menu,
1648 opening up the "Protocols" list in the left-hand pane of the
1649 "Preferences" dialog box, selecting "TCP", from that list, turning off
1650 the "Check the validity of the TCP checksum when possible" option,
1651 clicking "Save" if you want to save that setting in your preference
1652 file, and clicking "OK".
1654 It can also be set on the Ethereal or Tethereal command line with a -o
1655 tcp.check_checksum:false command-line flag, or manually set in your
1656 preferences file by adding a tcp.check_checksum:false line.
1658 Q 5.15: I've just installed Ethereal, and the traffic on my local LAN
1661 A: We have a collection of strange and exotic sample capture files at
1662 http://wiki.ethereal.com/SampleCaptures
1664 Q 5.16: When I run Ethereal on Solaris 8, it dies with a Bus Error
1667 A: Some versions of the GTK+ library from www.sunfreeware.org appear
1668 to be buggy, causing Ethereal to drop core with a Bus Error.
1669 Un-install those packages, and try getting the 1.2.10 version from
1670 that site, or the version from The Written Word, or the version from
1671 Sun's GNOME distribution, or the version from the supplemental
1672 software CD that comes with the Solaris media kit, or build it from
1673 source from the GTK Web site. Update the GLib library to the 1.2.10
1674 version, from the same source, as well. (If you get the 1.2.10
1675 versions from www.sunfreeware.org, and the problem persists,
1676 un-install them and try installing one of the other versions
1679 Similar problems may exist with older versions of GTK+ for earlier
1680 versions of Solaris.
1682 Q 5.17: When I run Ethereal, I get an error
1684 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
1685 assertion `height > 0' failed.
1687 A: This is a bug in Ethereal 0.10.5 and 0.10.5a, which is fixed in
1688 Ethereal 0.10.6 and later releases.
1690 Q 5.18: When I run Tethereal with the "-x" option, it crashes with an
1693 "** ERROR **: file print.c: line 691 (print_line): should not be
1696 A: This is a bug in Ethereal 0.10.0a, which is fixed in 0.10.1 and
1697 later releases. To work around the bug, don't use "-x" unless you're
1698 also using "-V"; note that "-V" produces a full dissection of each
1699 packet, so you might not want to use it.
1701 Q 5.19: When I run Ethereal on Windows NT, it dies with a Dr. Watson
1702 error, reporting an "Integer division by zero" exception, when I start
1705 A: In at least some case, this appears to be due to using the default
1706 VGA driver; if that's not the correct driver for your video card, try
1707 running the correct driver for your video card.
1709 Q 5.20: When I try to run Ethereal, it complains about
1710 sprint_realloc_objid being undefined.
1712 A: Ethereal can only be linked with version 4.2.2 or later of UCD
1713 SNMP. Your version of Ethereal was dynamically linked with such a
1714 version of UCD SNMP; however, you have an older version of UCD SNMP
1715 installed, which means that when Ethereal is run, it tries to link to
1716 the older version, and fails. You will have to replace that version of
1717 UCD SNMP with version 4.2.2 or a later version.
1719 Q 5.21: I'm running Ethereal on Linux; why do my time stamps have only
1720 100ms resolution, rather than 1us resolution?
1722 A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
1723 get them from the OS kernel, so Ethereal - and any other program using
1724 libpcap, such as tcpdump - is at the mercy of the time stamping code
1725 in the OS for time stamps.
1727 At least on x86-based machines, Linux can get high-resolution time
1728 stamps on newer processors with the Time Stamp Counter (TSC) register;
1729 for example, Intel x86 processors, starting with the Pentium Pro, and
1730 including all x86 processors since then, have had a TSC, and other
1731 vendors probably added the TSC at some point to their families of x86
1734 The Linux kernel must be configured with the CONFIG_X86_TSC option
1735 enabled in order to use the TSC. Make sure this option is enabled in
1738 In addition, some Linux distributions may have bugs in their versions
1739 of the kernel that cause packets not to be given high-resolution time
1740 stamps even if the TSC is enabled. See, for example, bug 61111 for Red
1741 Hat Linux 7.2. If your distribution has a bug such as this, you may
1742 have to run a standard kernel from kernel.org in order to get
1743 high-resolution time stamps.
1745 Q 5.22: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
1746 why are the time stamps on packets wrong?
1748 A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap
1751 Q 5.23: When I try to run Ethereal on Windows, it fails to run because
1752 it can't find packet.dll.
1754 A: In older versions of Ethereal, there were two binary distributions
1755 available for Windows, one that supported capturing packets, and one
1756 that didn't. The version that supported capturing packets required
1757 that you install the WinPcap driver; if you didn't install it, it
1758 would fail to run because it couldn't find packet.dll.
1760 The current version of Ethereal has only one binary distribution for
1761 Windows; that version will check whether WinPcap is installed and, if
1762 it's not, will disable support for packet capture.
1764 The WinPcap driver and libraries can be downloaded from the WinPcap
1765 Web site, the local mirror of the WinPcap Web site, or the
1766 Wiretapped.net mirror of the WinPcap site.
1768 Q 5.24: I'm running Ethereal on Windows NT 4.0/Windows 2000/Windows
1769 XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
1770 etc.) interface, and it shows up in the "Interface" item in the
1771 "Capture Options" dialog box. Why can no packets be sent on or
1772 received from that network while I'm trying to capture traffic on that
1775 A: Some versions of WinPcap have problems with PPP WAN interfaces on
1776 Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
1777 symptom that may be seen is that attempts to capture in promiscuous
1778 mode on the interface cause the interface to be incapable of sending
1779 or receiving packets. You can disable promiscuous mode using the -p
1780 command-line flag or the item in the "Capture Preferences" dialog box,
1781 but this may mean that outgoing packets, or incoming packets, won't be
1782 seen in the capture.
1784 On Windows 2000 and later, installing the beta version of WinPcap 3.1
1785 might help, although, as it's a beta version, that might cause some
1786 other problems that don't occur with older versions of WinPcap; you
1787 should report those problems to the WinPcap developers, so that they
1788 can try to fix those problems before the final version of WinPcap 3.1
1789 is released. WinPcap 3.1 will not support PPP captures on Windows NT
1790 4.0. See the Ethereal Wiki item on PPP capturing for details.
1792 Q 5.25: I'm running Ethereal on Windows 95/98/Me, on a machine with
1793 more than one network adapter of the same type; Ethereal shows all of
1794 those adapters with the same name, but I can't use any of those
1795 adapters other than the first one.
1797 A: Unfortunately, Windows 95/98/Me gives the same name to multiple
1798 instances of the type of same network adapter. Therefore, WinPcap
1799 cannot distinguish between them, so a WinPcap-based application can
1800 capture only on the first such interface; Ethereal is a
1801 libpcap/WinPcap-based application.
1803 Q 5.26: I'm running Ethereal on Windows, and I'm not seeing any
1804 traffic being sent by the machine running Ethereal.
1806 A: If you are running some form of VPN client software, it might be
1807 causing this problem; people have seen this problem when they have
1808 Check Point's VPN software installed on their machine. If that's the
1809 cause of the problem, you will have to remove the VPN software in
1810 order to have Ethereal (or any other application using WinPcap) see
1811 outgoing packets; unfortunately, neither we nor the WinPcap developers
1812 know any way to make WinPcap and the VPN software work well together.
1814 Also, some drivers for Windows (especially some wireless network
1815 interface drivers) apparently do not, when running in promiscuous
1816 mode, arrange that outgoing packets are delivered to the software that
1817 requested that the interface run promiscuously; try turning
1818 promiscuous mode off.
1820 Q 5.27: I'm trying to capture traffic but I'm not seeing any.
1822 A: Is the machine running Ethereal sending out any traffic on the
1823 network interface on which you're capturing, or receiving any traffic
1824 on that network, or is there any broadcast traffic on the network or
1825 multicast traffic to a multicast group to which the machine running
1828 If not, this may just be a problem with promiscuous sniffing, either
1829 due to running on a switched network or a dual-speed hub, or due to
1830 problems with the interface not supporting promiscuous mode; see the
1831 response to this earlier question.
1833 Otherwise, on Windows, see the response to this question and, on a
1834 UNIX-flavored OS, see the response to this question.
1836 Q 5.28: I have an XXX network card on my machine; if I try to capture
1837 on it, my machine crashes or resets itself.
1839 A: This is almost certainly a problem with one or more of:
1840 * the operating system you're using;
1841 * the device driver for the interface you're using;
1842 * the libpcap/WinPcap library and, if this is Windows, the WinPcap
1846 * if you are using Windows, see the WinPcap support page (or the
1847 local mirror of that page) - check the "Submitting bugs" section;
1848 * if you are using some Linux distribution, some version of BSD, or
1849 some other UNIX-flavored OS, you should report the problem to the
1850 company or organization that produces the OS (in the case of a
1851 Linux distribution, report the problem to whoever produces the
1854 Q 5.29: My machine crashes or resets itself when I select "Start" from
1855 the "Capture" menu or select "Preferences" from the "Edit" menu.
1857 A: Both of those operations cause Ethereal to try to build a list of
1858 the interfaces that it can open; it does so by getting a list of
1859 interfaces and trying to open them. There is probably an OS, driver,
1860 or, for Windows, WinPcap bug that causes the system to crash when this
1861 happens; see the previous question.
1863 Q 5.30: Does Ethereal work on Windows Me?
1865 A: Yes, but if you want to capture packets, you will need to install
1866 the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
1867 didn't support Windows Me. You should also install the latest version
1868 of Ethereal as well.
1870 Q 5.31: Does Ethereal work on Windows XP?
1872 A: Yes, but if you want to capture packets, you will need to install
1873 the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
1874 didn't support Windows XP.
1876 Q 5.32: Why doesn't Ethereal correctly identify RTP packets? It shows
1879 A: Ethereal can identify a UDP datagram as containing a packet of a
1880 particular protocol running atop UDP only if
1881 1. The protocol in question has a particular standard port number,
1882 and the UDP source or destination port number is that port
1883 2. Packets of that protocol can be identified by looking for a
1884 "signature" of some type in the packet - i.e., some data that, if
1885 Ethereal finds it in some particular part of a packet, means that
1886 the packet is almost certainly a packet of that type.
1887 3. Some other traffic earlier in the capture indicated that, for
1888 example, UDP traffic between two particular addresses and ports
1889 will be RTP traffic.
1891 RTP doesn't have a standard port number, so 1) doesn't work; it
1892 doesn't, as far as I know, have any "signature", so 2) doesn't work.
1894 That leaves 3). If there's RTSP traffic that sets up an RTP session,
1895 then, at least in some cases, the RTSP dissector will set things up so
1896 that subsequent RTP traffic will be identified. Currently, that's the
1897 only place we do that; there may be other places.
1899 However, there will always be places where Ethereal is simply
1900 incapable of deducing that a given UDP flow is RTP; a mechanism would
1901 be needed to allow the user to specify that a given conversation
1902 should be treated as RTP. As of Ethereal 0.8.16, such a mechanism
1903 exists; if you select a UDP or TCP packet, the right mouse button menu
1904 will have a "Decode As..." menu item, which will pop up a dialog box
1905 letting you specify that the source port, the destination port, or
1906 both the source and destination ports of the packet should be
1907 dissected as some particular protocol.
1909 Q 5.33: Why doesn't Ethereal show Yahoo Messenger packets in captures
1910 that contain Yahoo Messenger traffic?
1912 A: Ethereal only recognizes as Yahoo Messenger traffic packets to or
1913 from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
1914 segments that start with the middle of a Yahoo Messenger packet that
1915 takes more than one TCP segment will not be recognized as Yahoo
1916 Messenger packets (even if the TCP segment also contains the beginning
1917 of another Yahoo Messenger packet).
1919 Q 5.34: Why do I get the error
1921 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
1925 when I try to run Ethereal on Windows?
1927 A: Ethereal is built using the GTK+ toolkit, which supports most
1928 UNIX-flavored OSes, and also supports Windows.
1930 Windows versions of Ethereal before 0.9.14 were built with an older
1931 version of that toolkit, which didn't support 256-color mode on
1932 Windows - it required HiColor (16-bit colors) or more.
1934 Windows versions of Ethereal 0.9.14 and later are built with a version
1935 of that toolkit that supports 256-color mode; upgrade to the current
1936 version of Ethereal if you want to run on a display in 256-color mode.
1938 Q 5.35: When I capture on Windows in promiscuous mode, I can see
1939 packets other than those sent to or from my machine; however, those
1940 packets show up with a "Short Frame" indication, unlike packets to or
1941 from my machine. What should I do to arrange that I see those packets
1944 A: In at least some cases, this appears to be the result of PGPnet
1945 running on the network interface on which you're capturing; turn it
1946 off on that interface.
1948 Q 5.36: I'm capturing packets on a machine on a VLAN; why don't the
1949 packets I'm capturing have VLAN tags?
1951 A: You might be capturing on what might be called a "VLAN interface" -
1952 the way a particular OS makes VLANs plug into the networking stack
1953 might, for example, be to have a network device object for the
1954 physical interface, which takes VLAN packets, strips off the VLAN
1955 header and constructs an Ethernet header, and passes that packet to an
1956 internal network device object for the VLAN, which then passes the
1957 packets onto various higher-level protocol implementations.
1959 In order to see the raw Ethernet packets, rather than "de-VLANized"
1960 packets, you would have to capture not on the virtual interface for
1961 the VLAN, but on the interface corresponding to the physical network
1962 device, if possible. See the Ethereal Wiki item on VLAN capturing for
1965 Q 5.37: How can I capture raw 802.11 packets, including non-data
1966 (management, beacon) packets?
1968 A: That depends on the operating system on which you're running, and
1969 on the 802.11 interface on which you're capturing.
1971 This would probably require that you capture in promiscuous mode or in
1972 the mode called "monitor mode" or "RFMON mode". On some platforms, or
1973 with some cards, this might require that you capture in monitor mode -
1974 promiscuous mode might not be sufficient. If you want to capture
1975 traffic on networks other than the one with which you're associated,
1976 you will have to capture in monitor mode.
1978 Not all operating systems support capturing non-data packets and, even
1979 on operating systems that do support it, not all drivers, and thus not
1980 all interfaces, support it. Even on those that do, monitor mode might
1981 not be supported by the operating system or by the drivers for all
1984 NOTE: an interface running in monitor mode will, on most if not all
1985 platforms, not be able to act as a regular network interface; putting
1986 it into monitor mode will, in effect, take your machine off of
1987 whatever network it's on as long as the interface is in monitor mode,
1988 allowing it only to passively capture packets.
1990 This means that you should disable name resolution when capturing in
1991 monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump)
1992 tries to display IP addresses as host names, it will probably block
1993 for a long time trying to resolve the name because it will not be able
1994 to communicate with any DNS or NIS servers.
1996 There are FAQ items below with information on capturing in monitor
1997 mode on Linux, FreeBSD, and NetBSD.
1999 On Windows, you will not be able to capture in monitor mode on any
2000 interfaces, and you might not be able to capture in promiscuous mode,
2001 either. You might have some success in promiscuous mode with Centrino
2002 interfaces, although you will need Ethereal 0.10.6 or later in order
2003 to have the non-data packets recognized and properly dissected.
2005 You will not be able to capture in monitor mode on any other platforms
2006 (including Mac OS X). You might be able to capture in promiscuous
2007 mode, but this won't capture non-data packets.
2009 Q 5.38: How do I capture on an 802.11 device in monitor mode on Linux?
2011 A: Whether you will be able to capture in monitor mode depends on the
2012 card and driver you're using. See this page of Linux 802.11b
2013 information for details on 802.11b wireless cards, including
2014 information on the chips they use, and see this page of Linux
2015 802.11b+/a/g information for details on 802.11b+, 802.11a, and 802.11g
2016 wireless cards, including information on the chips they use.
2018 Cisco Aironet cards:
2020 On Linux with the driver in the 2.4.6 through 2.4.19 kernel:
2021 1. Put the card into monitor mode with the command echo "Mode: rfmon"
2022 >/proc/driver/aironet/interface/Config. If you want to capture
2023 traffic for any BSS rather than just the BSS with which the card
2024 is associated, use "Mode: y" rather than "Mode: rfmon".
2025 2. When the capture completes, turn off monitor mode with the command
2026 echo "Mode: ess" >/proc/driver/aironet/interface/Config.
2028 On Linux with the driver in the 2.4.20 or later kernel, or with the
2029 CVS drivers from the airo-linux SourceForge site, you will have to
2030 capture on the wifiN interface if your Aironet card is ethN, after
2031 running the commands listed above.
2033 In all of those cases, Ethereal would have to be linked with libpcap
2034 0.7.1 or later; this means that most Ethereal binary packages won't
2035 work unless they're statically linked with libpcap 0.7.1 or later, or
2036 they're dynamically linked with libpcap and your system has a libpcap
2037 0.7.1 or later shared library installed (note that libpcap source
2038 package from tcpdump.org does not build shared libraries). Some binary
2039 packaging mechanisms might make it difficult to install Ethereal
2040 binary packages built to depend on older libpcap binary packages if
2041 you have a newer libpcap binary package installed; the installer
2042 programs for those packaging mechanisms might support disabling
2043 dependency checking so that they will install Ethereal even though a
2044 newer version of libpcap is installed.
2046 Cards using the Prism II chip set:
2048 You can capture raw 802.11 packets with Prism II cards on Linux
2049 systems with the 0.1.14-pre6 or later version of the linux-wlan-ng
2050 drivers (see the linux-wlan page, and the linux-wlan-ng tarball
2051 directory), or with the hostap driver for Prism II/2.5/3.
2053 Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his
2054 libpcap-0.7.1-prism.diff file, or his RPMs of that version of
2055 libpcap), or the current CVS version of libpcap, which includes his
2056 patch (download it from the "Current Tar files" section of the
2057 tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and
2058 rebuild and install libpcap, or if you build and install the current
2059 CVS version of libpcap, you would have to rebuild Ethereal from
2060 source, linking it with that new version of libpcap; an Ethereal
2061 binary package would not work. Ethereal binary packages might work if
2062 you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
2063 a libpcap shared library in place of the one on your system.
2065 With the linux-wlan-ng driver, you should:
2066 1. Put the card into monitor mode with the command wlanctl-ng
2067 interface lnxreq_wlansniffer enable=true. You should request
2068 802.11 headers by adding to that command the option
2069 prismheader=true or, if supported, wlanheader=true; the latter
2070 might require libpcap 0.8.1 or later. You can also set the channel
2071 to monitor by adding the argument channel=channel_number to that
2073 2. When the capture completes, turn off monitor mode with the command
2074 wlanctl-ng interface enable=false. You might also have to turn
2075 802.11 headers off with prismheader=false or wlanheader=false.
2077 See the wlan-ng FAQ for additional information, although note that it
2078 does not appear to be up-to-date.
2080 With the hostap driver, you should:
2081 1. Put the card into monitor mode with the command iwpriv interface
2082 monitor mode, where mode is 2 or 3 (mode 3 would require libpcap
2084 2. When the capture completes, turn off monitor mode with the command
2085 iwpriv interface monitor 0.
2087 Orinoco Silver and Gold cards:
2089 On Linux systems, the current version of the SourceForge orinoco_cs
2090 driver should support monitor mode. There also exist patches to
2091 earlier versions of the Orinoco driver, on the Orinoco Monitor Mode
2092 Patch Page, to add support for monitor mode. You will have to
2093 determine which version of the driver you have, and select the
2094 appropriate patch, if one is necessary.
2096 Note that the page indicates that not all versions of the Orinoco
2097 firmware support this patch. It says, for some versions of the patch,
2098 "This patch should allow monitor mode with v8.10 firmware (untested w/
2099 8.42);" if you have version 8.10 or later firmware on your Orinoco
2100 cards, you might have to use those patches, with the corresponding
2101 versions of the Orinoco driver, in order to run in monitor mode.
2103 That patch is written for the drivers included with the pcmcia-cs
2104 drivers, but works equally well for the Orinoco drivers provided with
2105 Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,
2106 simply copy the orinoco-09b-patch.diff file to the
2107 /usr/src/linux/drivers/net directory and patch according to the
2108 directions on the Orinoco Monitor Mode Patch Page. You can double-
2109 check the version of the Orinoco drivers that shipped with your kernel
2110 by examining the first few lines of the orinoco.c file.
2112 The Orinoco patches and SourceForge driver require either Solomon
2113 Peachy's patch to libpcap 0.7.1 (see his libpcap-0.7.1-prism.diff
2114 file, or his RPMs of that version of libpcap), or the current CVS
2115 version of libpcap, which includes his patch (download it from the
2116 "Current Tar files" section of the tcpdump.org Web site). If you apply
2117 his patches to libpcap 0.7.1 and rebuild and install libpcap, or if
2118 you build and install the current CVS version of libpcap, you would
2119 have to rebuild Ethereal from source, linking it with that new version
2120 of libpcap; an Ethereal binary package would not work. Ethereal binary
2121 packages might work if you install the libpcap-0.7.1-1prism.i386.rpm
2122 RPM, as it might install a libpcap shared library in place of the one
2125 With a driver that supports monitor mode, you should:
2126 1. Put the card into monitor mode with the command iwpriv interface
2127 monitor mode channel_number, where mode is 1 or 2, and
2128 channel_number is the number of the channel to monitor.
2129 2. When the capture completes, turn off monitor mode with the command
2130 iwpriv interface monitor 0.
2132 Cards with the Texas Instruments ACX100 chipset:
2134 You can capture raw 802.11 packets with ACX100 cards on Linux systems
2135 with the ACX100 OSS drivers available from the ACX100 wireless network
2136 driver project SourceForge site.
2140 1. Put the card into monitor mode with the command iwpriv interface
2141 monitor 2 channel_number, where channel_number is the number of
2142 the channel to monitor.
2143 2. When the capture completes, turn off monitor mode with the command
2144 iwpriv interface monitor 0.
2146 Cards with Atheros Communications chipsets:
2148 You can capture raw 802.11 packets with AR5K cards on Linux systems
2149 with the v5_ar5k or madwifi drivers. For the v5ar5k driver you will
2150 need the Linux wireless-tools version 25 or higher to put the card
2151 into monitor mode. If you're using the madwifi driver, you can put the
2152 card into monitor mode using iwconfig interface mode monitor, followed
2153 by iwconfig interface channel channel to select a channel (if needed).
2157 It might be possible to capture in monitor mode on other cards. If so,
2158 please supply us with information on how to do so, so that we can
2159 incorporate that information into this FAQ in the future.
2161 Q 5.39: How do I capture on an 802.11 device in monitor mode on
2164 A: On FreeBSD 5.2 and later, you should be able to capture in monitor
2165 mode on 802.11 interfaces supported by the wi and acx drivers, if
2166 Ethereal is linked with libpcap 0.8.1 or later, and on 802.11
2167 interfaces supported by the an driver, if Ethereal is linked with
2168 libpcap 0.7.1 or later.
2170 For cards supported by the wi and acx drivers, you should:
2171 1. Put the card into monitor mode with the command ifconfig interface
2172 monitor. You can also set the channel to monitor by adding the
2173 argument channel channel_number to that command.
2174 2. When you start the capture, in Ethereal select "802.11" as the
2175 "Link-layer header type", and in Tethereal add the command-line
2177 3. When the capture completes, turn off monitor mode with the command
2178 ifconfig interface -monitor.
2180 For cards supported by the an driver, you should:
2181 1. Put the card into monitor mode with the command ancontrol -i
2182 interface -M flag, where flag should be the sum of:
2183 + 1, to turn monitor mode on;
2184 + 2, if you want to capture traffic from any BSS rather than
2185 just the BSS with which the card is associated;
2186 + 4, if you want to see beacon packets (capturing beacon
2187 packets increases the CPU requirements of capturing).
2188 2. When the capture completes, turn off monitor mode with the command
2189 ancontrol -i interface -M 0.
2191 Don't add 8 in to flag; Ethereal currently doesn't support the full
2194 On FreeBSD 4.6 through 5.1, you should be able to capture in monitor
2195 mode on 802.11 interfaces supported by the an driver, but not on any
2196 other interfaces; see the instructions for FreeBSD 5.2 or later for
2199 In FreeBSD 4.5 and earlier, you will not be able to capture in monitor
2200 mode on 802.11 interfaces (no drivers supported it prior to 4.5, and
2201 in 4.5 the an driver had bugs that caused packets not to be captured
2204 Q 5.40: How do I capture on an 802.11 device in monitor mode on
2207 A: On NetBSD 2.0-beta and later, you should be able to capture in
2208 monitor mode on 802.11 interfaces supported by the wi and acx drivers,
2209 if Ethereal is linked with libpcap 0.8.1 or later. The instructions
2210 are the same as for FreeBSD 5.2 and later.
2212 Q 5.41: I'm trying to capture 802.11 traffic on Windows; why am I not
2215 A: At least some 802.11 card drivers on Windows appear not to see any
2216 packets if they're running in promiscuous mode. Try turning
2217 promiscuous mode off; you'll only be able to see packets sent by and
2218 received by your machine, not third-party traffic, and it'll look like
2219 Ethernet traffic and won't include any management or control frames,
2220 but that's a limitation of the card drivers.
2222 Q 5.42: I'm trying to capture 802.11 traffic on Windows; why am I
2223 seeing packets received by the machine on which I'm capturing traffic,
2224 but not packets sent by that machine?
2226 A: This appears to be another problem with promiscuous mode; try
2229 Q 5.43: How can I capture packets with CRC errors?
2231 A: Ethereal can capture only the packets that the packet capture
2232 library - libpcap on UNIX-flavored OSes, and the WinPcap port to
2233 Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
2234 capture only the packets that the OS's raw packet capture mechanism
2235 (or the WinPcap driver, and the underlying OS networking code and
2236 network interface drivers, on Windows) will allow it to capture.
2238 Unless the OS always supplies packets with errors such as invalid CRCs
2239 to the raw packet capture mechanism, or can be configured to do so,
2240 invalid CRCs to the raw packet capture mechanism, Ethereal - and other
2241 programs that capture raw packets, such as tcpdump - cannot capture
2242 those packets. You will have to determine whether your OS needs to be
2243 so configured and, if so, can be so configured, configure it if
2244 necessary and possible, and make whatever changes to libpcap and the
2245 packet capture program you're using are necessary, if any, to support
2246 capturing those packets.
2248 Most OSes probably do not support capturing packets with invalid CRCs
2249 on Ethernet, and probably do not support it on most other link-layer
2250 types. Some drivers on some OSes do support it, such as some Ethernet
2251 drivers on FreeBSD; in those OSes, you might always get those packets,
2252 or you might only get them if you capture in promiscuous mode (you'd
2253 have to determine which is the case).
2255 Note that libpcap does not currently supply to programs that use it an
2256 indication of whether the packet's CRC was invalid (because the
2257 drivers themselves do not supply that information to the raw packet
2258 capture mechanism); therefore, Ethereal will not indicate which
2259 packets had CRC errors unless the FCS was captured (see the next
2260 question) and you're using Ethereal 0.9.15 and later, in which case
2261 Ethereal will check the CRC and indicate whether it's correct or not.
2263 Q 5.44: How can I capture entire frames, including the FCS?
2265 A: Ethereal can only capture data that the packet capture library -
2266 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
2267 libpcap on Windows - can capture, and libpcap/WinPcap can capture only
2268 the data that the OS's raw packet capture mechanism (or the WinPcap
2269 driver, and the underlying OS networking code and network interface
2270 drivers, on Windows) will allow it to capture.
2272 For any particular link-layer network type, unless the OS supplies the
2273 FCS of a frame as part of the frame, or can be configured to do so,
2274 Ethereal - and other programs that capture raw packets, such as
2275 tcpdump - cannot capture the FCS of a frame. You will have to
2276 determine whether your OS needs to be so configured and, if so, can be
2277 so configured, configure it if necessary and possible, and make
2278 whatever changes to libpcap and the packet capture program you're
2279 using are necessary, if any, to support capturing the FCS of a frame.
2281 Most OSes do not support capturing the FCS of a frame on Ethernet, and
2282 probably do not support it on most other link-layer types. Some
2283 drivres on some OSes do support it, such as some (all?) Ethernet
2284 drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet
2285 interface in Mac OS X; in those OSes, you might always get the FCS, or
2286 you might only get the FCS if you capture in promiscuous mode (you'd
2287 have to determine which is the case).
2289 Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in
2290 a captured packet as an FCS. 0.9.15 and later will attempt to
2291 determine whether there's an FCS at the end of the frame and, if it
2292 thinks there is, will display it as such, and will check whether it's
2293 the correct CRC-32 value or not.
2295 Q 5.45: Why does Ethereal hang after I stop a capture?
2297 A: The most likely reason for this is that Ethereal is trying to look
2298 up an IP address in the capture to convert it to a name (so that, for
2299 example, it can display the name in the source address or destination
2300 address columns), and that lookup process is taking a very long time.
2302 Ethereal calls a routine in the OS of the machine on which it's
2303 running to convert of IP addresses to the corresponding names. That
2304 routine probably does one or more of:
2305 * a search of a system file listing IP addresses and names;
2306 * a lookup using DNS;
2307 * on UNIX systems, a lookup using NIS;
2308 * on Windows systems, a NetBIOS-over-TCP query.
2310 If a DNS server that's used in an address lookup is not responding,
2311 the lookup will fail, but will only fail after a timeout while the
2312 system routine waits for a reply.
2314 In addition, on Windows systems, if the DNS lookup of the address
2315 fails, either because the server isn't responding or because there are
2316 no records in the DNS that could be used to map the address to a name,
2317 a NetBIOS-over-TCP query will be made. That query involves sending a
2318 message to the NetBIOS-over-TCP name service on that machine, asking
2319 for the name and other information about the machine. If the machine
2320 isn't running software that responds to those queries - for example,
2321 many non-Windows machines wouldn't be running that software - the
2322 lookup will only fail after a timeout. Those timeouts can cause the
2323 lookup to take a long time.
2325 If you disable network address-to-name translation - for example, by
2326 turning off the "Enable network name resolution" option in the
2327 "Capture Options" dialog box for starting a network capture - the
2328 lookups of the address won't be done, which may speed up the process
2329 of reading the capture file after the capture is stopped. You can make
2330 that setting the default by selecting "Preferences" from the "Edit"
2331 menu, turning off the "Enable network name resolution" option in the
2332 "Name resolution" options in the preferences disalog box, and using
2333 the "Save" button in that dialog box; note that this will save all
2334 your current preference settings.
2336 If Ethereal hangs when reading a capture even with network name
2337 resolution turned off, there might, for example, be a bug in one of
2338 Ethereal's dissectors for a protocol causing it to loop infinitely. If
2339 you're not running the most recent release of Ethereal, you should
2340 first upgrade to that release, as, if there's a bug of that sort, it
2341 might've been fixed in a release after the one you're running. If the
2342 hang occurs in the most recent release of Ethereal, the bug should be
2343 reported to the Ethereal developers' mailing list at
2344 ethereal-dev@ethereal.com.
2346 On UNIX-flavored OSes, please try to force Ethereal to dump core, by
2347 sending it a SIGABRT signal (usually signal 6) with the kill command,
2348 and then get a stack trace if you have a debugger installed. A stack
2349 trace can be obtained by using your debugger (gdb in this example),
2350 the Ethereal binary, and the resulting core file. Here's an example of
2351 how to use the gdb command backtrace to do so.
2354 ..... prints the stack trace
2358 The core dump file may be named "ethereal.core" rather than "core" on
2359 some platforms (e.g., BSD systems).
2361 Also, if at all possible, please send a copy of the capture file that
2362 caused the problem; when capturing packets, Ethereal normally writes
2363 captured packets to a temporary file, which will probably be in /tmp
2364 or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
2365 (normally C:) on Windows 9x/Me/NT 4.0, and \Documents and
2366 Settings\your login name\Local Settings\Temp on the main system disk
2367 on Windows 2000/Windows XP/Windows Server 2003, so the capture file
2368 will probably be there. It will have a name beginning with ether, with
2369 some mixture of letters and numbers after that. Please don't send a
2370 trace file greater than 1 MB when compressed; instead, make it
2371 available via FTP or HTTP, or say it's available but leave it up to a
2372 developer to ask for it. If the trace file contains sensitive
2373 information (e.g., passwords), then please do not send it.
2375 Q 5.46: How can I search for, or filter, packets that have a
2376 particular string anywhere in them?
2378 A: If you want to do this when capturing, you can't. That's a feature
2379 that would be hard to implement in capture filters without changes to
2380 the capture filter code, which, on many platforms, is in the OS kernel
2381 and, on other platforms, is in the libpcap library.
2383 In releases prior to 0.9.14, you also can't search for, or filter,
2384 packets containing a particular string even after you've captured
2387 In 0.9.14, you can search for, but not filter, packets that have a
2388 particular string; this has been added to the "Find Frame" dialog
2389 ("Find Frame" under the "Edit" menu, or control-F).
2391 In 0.9.15 and later, you can search for those packets using either the
2392 mechanism introduced in 0.9.14 or using the new "contains" operator in
2393 filter expressions, which lets you search the entire packet or text
2394 string or byte string fields in the packet; the "contains" operator
2395 can also be used in expressions used to filter the display.
2397 Q 5.47: How do I filter a capture to see traffic for virus XXX?
2399 A: For some viruses/worms there might be a capture filter to recognize
2400 the virus traffic. Check the CaptureFilters page on the Ethereal Wiki
2401 to see if anybody's added such a filter.
2403 Note that Ethereal was not designed to be an intrusion detection
2404 system; you might be able to use it as an IDS, but in most cases
2405 software designed to be an IDS, such as Snort or Prelude, will
2406 probably work better.
2408 The Bleeding Edge of Snort has a collection of signatures for Snort to
2409 detect various viruses, worms, and the like.
2411 Please send support questions about Ethereal to the
2412 ethereal-users[AT]ethereal.com mailing list.
2413 For corrections/additions/suggestions for this web page (and not
2414 Ethereal support questions), please send email to
2415 ethereal-web[AT]ethereal.com .
2416 Last modified: Sun, February 27 2005.