4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.ethereal.com/faq for the up to
6 date version. The version of the snapshot can be found at the
13 1.1 Where can I get help?
15 1.2 What protocols are currently supported?
17 1.3 Are there any plans to support {your favorite protocol}?
19 1.4 Can Ethereal read capture files from {your favorite network
22 1.5 What devices can Ethereal use to capture packets?
24 1.6 How do you pronounce Ethereal? Where did the name come from?
28 2.1 I downloaded the Win32 installer, but when I try to run it, I get
31 2.2 When I try to download the WinPcap driver and library, I can't get
32 to the WinPcap Web site.
36 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be
37 installed; only Tethereal is installed.
41 4.1 The configure script can't find pcap.h or bpf.h, but I have
44 4.2 Why do I get the error
46 dftest_DEPENDENCIES was already defined in condition TRUE, which
47 implies condition HAVE_PLUGINS_TRUE
49 when I try to build Ethereal from CVS or a CVS snapshot?
51 4.3 The link failed because of an undefined reference to
54 4.4 The link fails with a number of "Output line too long." messages
55 followed by linker errors.
57 4.5 The link fails on Solaris because plugin_list is undefined.
59 4.6 The build fails on Windows because of conflicts between winsock.h
64 5.1 When I use Ethereal to capture packets, I see only packets to and
65 from my machine, or I'm not seeing all the traffic I'm expecting to
66 see from or to the machine I'm trying to monitor.
68 5.2 I can't see any TCP packets other than packets to and from my
69 machine, even though another sniffer on the network sees those
72 5.3 I can set a display filter just fine, but capture filters don't
75 5.4 I'm entering valid capture filters, but I still get "parse error"
78 5.5 I saved a filter and tried to use its name to filter the display,
79 but I got an "Unexpected end of filter string" error.
81 5.6 I've just installed Ethereal, and the traffic on my local LAN is
84 5.7 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
87 5.8 I'm running Ethereal on Linux; why do my time stamps have only
88 100ms resolution, rather than 1us resolution?
90 5.9 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why
91 are the time stamps on packets wrong?
93 5.10 When I try to run Ethereal on Windows, it fails to run because it
94 can't find packet.dll.
96 5.11 Why does some network interface on my machine not show up in the
97 list of interfaces in the "Interface:" field in the dialog box popped
98 up by "Capture->Start", and/or why does Ethereal give me an error if I
99 try to capture on that interface?
101 5.12 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
102 a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
103 "Interface" item in the "Capture Options" dialog box. Why can no
104 packets be sent on or received from that network while I'm trying to
105 capture traffic on that interface?
107 5.13 I'm running Ethereal on Windows 95/98/Me, on a machine with more
108 than one network adapter of the same type; Ethereal shows all of those
109 adapters with the same name, but I can't use any of those adapters
110 other than the first one.
112 5.14 I have an XXX network card on my machine; if I try to capture on
113 it, my machine crashes or resets itself.
115 5.15 My machine crashes or resets itself when I select "Start" from
116 the "Capture" menu or select "Preferences" from the "Edit" menu.
118 5.16 Does Ethereal work on Windows ME?
120 5.17 Does Ethereal work on Windows XP?
122 5.18 Why doesn't Ethereal correctly identify RTP packets? It shows
125 5.19 Why doesn't Ethereal show Yahoo Messenger packets in captures
126 that contain Yahoo Messenger traffic?
128 5.20 Why do I get the error
130 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
134 when I try to run Ethereal on Windows?
136 5.21 When I capture on Windows in promiscuous mode, I can see packets
137 other than those sent to or from my machine; however, those packets
138 show up with a "Short Frame" indication, unlike packets to or from my
139 machine. What should I do to arrange that I see those packets in their
142 5.22 How can I capture raw 802.11 packets, including non-data
143 (management, beacon) packets?
145 5.23 How can I capture packets with CRC errors?
147 5.24 How can I capture entire frames, including the FCS?
149 5.25 Ethereal hangs after I stop a capture.
151 5.26 How can I search for, or filter, packets that have a particular
152 string anywhere in them?
155 Q 1.1: Where can I get help?
157 A: Support is available on the ethereal-users mailing list.
158 Subscription information and archives for all of Ethereal's mailing
159 lists can be found at http://www.ethereal.com/lists
161 Q 1.2: What protocols are currently supported?
163 A: There are currently 340 supported protocols and media, listed
164 below. Descriptions can be found in the ethereal(1) man page.
167 802.1x Authentication
168 AFS (4.0) Replication Server call declarations
169 AOL Instant Messenger
173 AVS WLAN Capture header
174 Ad hoc On-demand Distance Vector Routing Protocol
175 Ad hoc On-demand Distance Vector Routing Protocol v6
176 Address Resolution Protocol
177 Aggregate Server Access Protocol
178 Andrew File System (AFS)
179 Apache JServ Protocol v1.3
180 AppleTalk Filing Protocol
181 AppleTalk Session Protocol
182 AppleTalk Transaction Protocol packet
183 Appletalk Address Resolution Protocol
184 Async data over ISDN (V.120)
185 Authentication Header
186 BACnet Virtual Link Control
188 Banyan Vines Fragmentation Protocol
190 Blocks Extensible Exchange Protocol
193 Border Gateway Protocol
194 Building Automation and Control Network APDU
195 Building Automation and Control Network NPDU
196 CDS Clerk Server Calls
197 Check Point High Availability Protocol
200 Cisco Discovery Protocol
201 Cisco Group Management Protocol
203 Cisco Hot Standby Router Protocol
205 Cisco Interior Gateway Routing Protocol
209 CoSine IPNOS L2 debug output
210 Common Open Policy Service
211 Common Unix Printing System (CUPS) Browsing Protocol
213 DCE Distributed Time Service Local Server
214 DCE Distributed Time Service Provider
217 DCE Security ID Mapper
219 DCE/RPC CDS Solicitation
220 DCE/RPC Conversation Manager
221 DCE/RPC Endpoint Mapper
223 DCE/RPC FLDB UBIK TRANSFER
224 DCE/RPC FLDB UBIKVOTE
229 DCE/RPC Remote Management
230 DCE/RPC Repserver Calls
231 DCE/RPC TokenServer Calls
234 DCOM Remote Activation
235 DEC Spanning Tree Protocol
237 DNS Control Program Server
240 Data Stream Interface
241 Datagram Delivery Protocol
243 Distance Vector Multicast Routing Protocol
244 Distributed Checksum Clearinghouse Prototocl
247 Dynamic DNS Tools Protocol
248 Encapsulating Security Payload
249 Enhanced Interior Gateway Routing Protocol
251 Extensible Authentication Protocol
256 Fiber Distributed Data Interface
258 Fibre Channel Protocol for SCSI
260 File Transfer Protocol (FTP)
261 Financial Information eXchange Protocol
264 GARP Multicast Registration Protocol
265 GARP VLAN Registration Protocol
266 GPRS Tunneling Protocol
267 GPRS Tunnelling Protocol v0
268 GPRS Tunnelling Protocol v1
269 General Inter-ORB Protocol
270 Generic Routing Encapsulation
271 Generic Security Service Application Program Interface
273 Hummingbird NFS Daemon
275 Hypertext Transfer Protocol
277 IEEE 802.11 wireless LAN
278 IEEE 802.11 wireless LAN management frame
281 IP Payload Compression
283 IPX Routing Information Protocol
285 ISDN Q.921-User Adaptation Layer
287 ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
288 ISO 8073 COTP Connection-Oriented Transport Protocol
289 ISO 8473 CLNP ConnectionLess Network Protocol
290 ISO 8602 CLTP ConnectionLess Transport Protocol
291 ISO 9542 ESIS Routeing Information Exchange Protocol
292 ITU-T Recommendation H.261
293 Inter-Access-Point Protocol
295 Internet Cache Protocol
296 Internet Content Adaptation Protocol
297 Internet Control Message Protocol
298 Internet Control Message Protocol v6
299 Internet Group Management Protocol
300 Internet Message Access Protocol
301 Internet Printing Protocol
303 Internet Protocol Version 6
305 Internet Security Association and Key Management Protocol
306 Internetwork Packet eXchange
311 Label Distribution Protocol
312 Layer 2 Tunneling Protocol
313 Lightweight Directory Access Protocol
314 Line Printer Daemon Protocol
315 Link Access Procedure Balanced (LAPB)
316 Link Access Procedure Balanced Ethernet (LAPBETHER)
317 Link Access Procedure, Channel D (LAPD)
318 Link Aggregation Control Protocol
319 Link Management Protocol (LMP)
320 Linux cooked-mode capture
321 Local Management Interface
322 LocalTalk Link Access Protocol
324 Lucent/Ascend debug output
325 MMS Message Encapsulation
327 MSNIP: Multicast Source Notification of Interest Protocol
328 MTP 2 Transparent Proxy
329 MTP 2 User Adaptation Layer
330 MTP 3 User Adaptation Layer
331 MTP2 Peer Adaptation Layer
332 Message Transfer Part Level 2
333 Message Transfer Part Level 3
334 Microsoft Distributed File System
335 Microsoft Exchange MAPI
336 Microsoft Local Security Architecture
337 Microsoft Local Security Architecture (Directory Services)
338 Microsoft Network Logon
340 Microsoft Security Account Manager
341 Microsoft Server Service
342 Microsoft Spool Subsystem
343 Microsoft Telephony API Service
344 Microsoft Windows Browser Protocol
345 Microsoft Windows Lanman Remote API Protocol
346 Microsoft Windows Logon Protocol
347 Microsoft Workstation Service
351 MultiProtocol Label Switching Header
352 Multicast Router DISCovery protocol
353 Multicast Source Discovery Protocol
359 NTLM Secure Service Provider
360 Name Binding Protocol
361 Name Management Protocol over IPX
363 NetBIOS Datagram Service
365 NetBIOS Session Service
367 NetWare Core Protocol
368 Network Data Management Protocol
370 Network Lock Manager Protocol
371 Network News Transfer Protocol
372 Network Status Monitor CallBack Protocol
373 Network Status Monitor Protocol
374 Network Time Protocol
375 Novell Distributed Print System
377 Open Shortest Path First
378 OpenBSD Packet Filter log file
380 PPP Bandwidth Allocation Control Protocol
381 PPP Bandwidth Allocation Protocol
382 PPP CDP Control Protocol
383 PPP Callback Control Protocol
384 PPP Challenge Handshake Authentication Protocol
385 PPP Compressed Datagram
386 PPP Compression Control Protocol
387 PPP IP Control Protocol
388 PPP IPv6 Control Protocol
389 PPP Link Control Protocol
390 PPP MPLS Control Protocol
391 PPP Multilink Protocol
393 PPP Password Authentication Protocol
395 PPP-over-Ethernet Discovery
396 PPP-over-Ethernet Session
397 PPPMux Control Protocol
398 Point-to-Point Protocol
399 Point-to-Point Tunnelling Protocol
402 Pragmatic General Multicast
404 Privilege Server operations
405 Protocol Independent Multicast
408 Quake II Network Protocol
409 Quake III Arena Network Protocol
410 Quake Network Protocol
411 QuakeWorld Network Protocol
412 Qualified Logical Link Control
418 Radio Access Network Application Part
421 Real Time Streaming Protocol
422 Real-Time Transport Protocol
423 Real-time Transport Control Protocol
424 Registry Server Attributes Manipulation Interface
425 Registry server administration operations.
426 Remote Override interface
427 Remote Procedure Call
432 Remote sec_login preauth interface.
433 Resource ReserVation Protocol (RSVP)
435 Routing Information Protocol
436 Routing Table Maintenance Protocol
440 SMB (Server Message Block Protocol)
441 SMB MailSlot Protocol
444 SNMP Multiplex Protocol
447 SS7 SCCP-User Adaptation Layer
450 Sequenced Packet eXchange
451 Service Advertisement Protocol
452 Service Location Protocol
453 Session Announcement Protocol
454 Session Description Protocol
455 Session Initiation Protocol
456 Short Message Peer to Peer
457 Signalling Connection Control Part
458 Signalling Connection Control Part Management
459 Simple Mail Transfer Protocol
460 Simple Network Management Protocol
462 Skinny Client Control Protocol
463 SliMP3 Communication Protocol
465 Spanning Tree Protocol
467 Stream Control Transmission Protocol
469 Systems Network Architecture
476 Time Synchronization Protocol
478 Token-Ring Media Access Control
479 Transmission Control Protocol
480 Transparent Network Substrate Protocol
481 Trivial File Transfer Protocol
482 Universal Computer Protocol
483 User Datagram Protocol
484 Virtual Router Redundancy Protocol
485 Virtual Trunking Protocol
486 Web Cache Coordination Protocol
487 Wellfleet Compression
490 Wireless Session Protocol
491 Wireless Transaction Protocol
492 Wireless Transport Layer Security
493 X Display Manager Control Protocol
498 Yahoo Messenger Protocol
502 Yellow Pages Transfer
504 Zone Information Protocol
507 Q 1.3: Are there any plans to support {your favorite protocol}?
509 A: Support for particular protocols is added to Ethereal as a result
510 of people contributing that support; no formal plans for adding
511 support for particular protocols in particular future releases exist.
513 Q 1.4: Can Ethereal read capture files from {your favorite network
516 A: Support for particular protocols is added to Ethereal as a result
517 of people contributing that support; no formal plans for adding
518 support for particular protocols in particular future releases exist.
520 If a network analyzer writes out files in a format already supported
521 by Ethereal (e.g., in libpcap format), Ethereal may already be able to
522 read them, unless the analyzer has added its own proprietary
523 extensions to that format.
525 If a network analyzer writes out files in its own format, or has added
526 proprietary extensions to another format, in order to make Ethereal
527 read captures from that network analyzer, we would either have to have
528 a specification for the file format, or the extensions, sufficient to
529 give us enough information to read the parts of the file relevant to
530 Ethereal, or would need at least one capture file in that format AND a
531 detailed textual analysis of the packets in that capture file (showing
532 packet time stamps, packet lengths, and the top-level packet header)
533 in order to reverse-engineer the file format.
535 Note that there is no guarantee that we will be able to
536 reverse-engineer a capture file format.
538 Q 1.5: What devices can Ethereal use to capture packets?
540 A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial
541 (PPP and SLIP) (if the OS on which it's running allows Ethereal to do
542 so), 802.11 wireless LAN (if the OS on which it's running allows
543 Ethereal to do so), ATM connections (if the OS on which it's running
544 allows Ethereal to do so), and the "any" device supported on Linux by
545 recent versions of libpcap. See the list of supported capture media on
546 various OSes for details (several items in there say "Unknown", which
547 doesn't mean "Ethereal can't capture on them", it means "we don't know
548 whether it can capture on them"; we expect that it will be able to
549 capture on many of them, but we haven't tried it ourselves - if you
550 try one of those types and it works, please send an update to
551 ethereal-web[AT]ethereal.com).
553 It can also read a variety of capture file formats, including:
556 * Shomiti/Finisar Surveyor
558 * DOS-based Sniffer (compressed and uncompressed)
561 * NetXray and Windows-based Sniffer
562 * EtherPeek/TokenPeek/AiroPeek
563 * RADCOM WAN/LAN analyzer
564 * Lucent/Ascend debug output
565 * Toshiba ISDN router "snoop" output
567 * ISDN4BSD "i4btrace" utility.
569 * pppd log files (pppdump format)
572 * Visual Networks' Visual UpTime
575 so that it can read traces from various network types, as captured by
576 other applications or equipment, even if it cannot itself capture on
579 Q 1.6: How do you pronounce Ethereal? Where did the name come from?
581 A: The English pronunciation can be found in Merriam-Webster's online
583 http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.
585 According to the book "Computer Networks" by Andrew Tannenbaum,
586 Ethernet was named after the "luminiferous ether" which was once
587 thought to carry electromagnetic radiation. Taking that into
588 consideration, Ethereal seemed like an appropriate name for an
592 Q 2.1: I downloaded the Win32 installer, but when I try to run it, I
595 A: The program you used to download it may have downloaded it
596 incorrectly. Web browsers sometimes may do this.
598 Try downloading it with, for example:
599 * Wget, for which Windows binaries are available on the SunSITE FTP
600 server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
601 offers a GUI interface that uses wget;
602 * WS_FTP from Ipswitch,
603 * the ftp command that comes with Windows.
605 If you use the ftp command, make sure you do the transfer in binary
606 mode rather than ASCII mode, by using the binary command before
607 transferring the file.
609 Q 2.2: When I try to download the WinPcap driver and library, I can't
610 get to the WinPcap Web site.
612 A: As is the case with all Web sites, that site won't necessarily
613 always be accessible; the server may be down due to a problem or down
614 for maintenance, or there may be a networking problem between you and
615 the server. You should try again later, or try the local mirror or the
616 Wiretapped.net mirror.
619 Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
620 installed; only Tethereal is installed.
622 A: Red Hat RPMs for Ethereal put only the non-GUI components into the
623 ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding;
624 there's a separate ethereal-gnome RPM that includes GUI components
625 such as Ethereal itself, the fact that Ethereal doesn't use GNOME
626 nonwithstanding. Find the ethereal-gnome RPM, and install that also.
629 Q 4.1: The configure script can't find pcap.h or bpf.h, but I have
632 A: Are you sure pcap.h and bpf.h are installed? The official
633 distribution of libpcap only installs the libpcap.a library file when
634 "make install" is run. To install pcap.h and bpf.h, you must run "make
635 install-incl". If you're running Debian or Redhat, make sure you have
636 the "libpcap-dev" or "libpcap-devel" packages installed.
638 It's also possible that pcap.h and bpf.h have been installed in a
639 strange location. If this is the case, you may have to tweak
642 Q 4.2: Why do I get the error
644 dftest_DEPENDENCIES was already defined in condition TRUE, which
645 implies condition HAVE_PLUGINS_TRUE
647 when I try to build Ethereal from CVS or a CVS snapshot?
649 A: You probably have automake 1.5 installed on your machine (the
650 command automake --version will report the version of automake on your
651 machine). There is a bug in that version of automake that causes this
652 problem; upgrade to a later version of automake (1.6 or later).
654 Q 4.3: The link failed because of an undefined reference to
657 A: You probably have the shared library for UCD SNMP 4.1.1 installed
658 (so that snmp_set_full_objid is a macro, rather than a routine in the
659 SNMP shared library), but the `development' package for an earlier or
660 later UCD SNMP library (so that snmp_set_full_objid is not defined as
661 a macro, causing Ethereal to attempt to call it as a routine).
663 If you are on a Linux system that uses RPMs, and the UCD SNMP packages
664 are installed as RPMs, the command rpm -qa | grep snmp will report the
665 versions of the SNMP packages you have installed; they should all have
666 the same version number, such as 4.0.1 or 4.1.1 or 4.1.2. If they
667 don't, remove the RPM for the development package (which will probably
668 have a name beginning with ucd-snmp-devel) and install the version of
669 the development package with the same version number as the other
670 ucd-snmp packages have.
672 After installing the 4.1.1 version of the UCD SNMP header files, do a
673 make clean and then rebuild Ethereal.
675 Q 4.4: The link fails with a number of "Output line too long."
676 messages followed by linker errors.
678 A: The version of the sed command on your system is incapable of
679 handling very long lines. On Solaris, for example, /usr/bin/sed has a
680 line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
681 can handle it, as can GNU sed if you have it installed.
683 On Solaris, changing your command search path to search /usr/xpg4/bin
684 before /usr/bin should make the problem go away; on any platform on
685 which you have this problem, installing GNU sed and changing your
686 command path to search the directory in which it is installed before
687 searching the directory with the version of sed that came with the OS
688 should make the problem go away.
690 Q 4.5: The link fails on Solaris because plugin_list is undefined.
692 A: This appears to be due to a problem with some versions of the GTK+
693 and GLib packages from www.sunfreeware.org; un-install those packages,
694 and try getting the 1.2.10 versions from that site, or the versions
695 from The Written Word, or the versions from Sun's GNOME distribution,
696 or the versions from the supplemental software CD that comes with the
697 Solaris media kit, or build them from source from the GTK Web site.
698 Then re-run the configuration script, and try rebuilding Ethereal. (If
699 you get the 1.2.10 versions from www.sunfreeware.org, and the problem
700 persists, un-install them and try installing one of the other versions
703 Q 4.6: The build fails on Windows because of conflicts between
704 winsock.h and winsock2.h.
706 A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and
707 the corresponding version of the developer's pack, in order to be able
708 to compile Ethereal; it will not compile with older versions of the
709 developer's pack. The symptoms of this failure are conflicts between
710 definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h,
711 but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
712 (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would
713 not be able to build with current versions of the WinPcap developer's
716 Note that the installed version of the developer's pack should be the
717 same version as the version of WinPcap you have installed.
720 Q 5.1: When I use Ethereal to capture packets, I see only packets to
721 and from my machine, or I'm not seeing all the traffic I'm expecting
722 to see from or to the machine I'm trying to monitor.
724 A: This might be because the interface on which you're capturing is
725 plugged into a switch; on a switched network, unicast traffic between
726 two ports will not necessarily appear on other ports - only broadcast
727 and multicast traffic will be sent to all ports.
729 Note that even if your machine is plugged into a hub, the "hub" may be
730 a switched hub, in which case you're still on a switched network.
732 Note also that on the Linksys Web site, they say that their
733 auto-sensing hubs "broadcast the 10Mb packets to the port that operate
734 at 10Mb only and broadcast the 100Mb packets to the ports that operate
735 at 100Mb only", which would indicate that if you sniff on a 10Mb port,
736 you will not see traffic coming sent to a 100Mb port, and vice versa.
737 This problem has also been reported for Netgear dual-speed hubs, and
738 may exist for other "auto-sensing" or "dual-speed" hubs.
740 Some switches have the ability to replicate all traffic on all ports
741 to a single port so that you can plug your sniffer into that single
742 port to sniff all traffic. You would have to check the documentation
743 for the switch to see if this is possible and, if so, to see how to do
744 this. See, for example, this documentation from Cisco on the Switched
745 Port Analyzer (SPAN) feature on Catalyst switches.
747 If your machine is not plugged into a switched network or a dual-speed
748 hub, or it is plugged into a switched network but the port is set up
749 to have all traffic replicated to it, the problem might be that the
750 network interface on which you're capturing doesn't support
751 "promiscuous" mode, or because your OS can't put the interface into
752 promiscuous mode. Normally, network interfaces supply to the host
754 * packets sent to one of that host's link-layer addresses;
756 * multicast packets sent to a multicast address that the host has
757 configured the interface to accept.
759 Most network interfaces can also be put in "promiscuous" mode, in
760 which they supply to the host all network packets they see. Ethereal
761 will try to put the interface on which it's capturing into promiscuous
762 mode unless the "Capture packets in promiscuous mode" option is turned
763 off in the "Capture Options" dialog box, and Tethereal will try to put
764 the interface on which it's capturing into promiscuous mode unless the
765 -p option was specified. However, some network interfaces don't
766 support promiscuous mode, and some OSes might not allow interfaces to
767 be put into promiscuous mode.
769 If the interface is not running in promiscuous mode, it won't see any
770 traffic that isn't intended to be seen by your machine. It will see
771 broadcast packets, and multicast packets sent to a multicast MAC
772 address the interface is set up to receive.
774 You should ask the vendor of your network interface whether it
775 supports promiscuous mode. If it does, you should ask whoever supplied
776 the driver for the interface (the vendor, or the supplier of the OS
777 you're running on your machine) whether it supports promiscuous mode
778 with that network interface.
780 In the case of token ring interfaces, the drivers for some of them, on
781 Windows, may require you to enable promiscuous mode in order to
782 capture in promiscuous mode. Ask the vendor of the card how to do
785 In the case of wireless LAN interfaces, it appears that, when those
786 interfaces are promiscuously sniffing, they're running in a
787 significantly different mode from the mode that they run in when
788 they're just acting as network interfaces (to the extent that it would
789 be a significant effor for those drivers to support for promiscuously
790 sniffing and acting as regular network interfaces at the same time),
791 so it may be that Windows drivers for those interfaces don't support
794 Q 5.2: I can't see any TCP packets other than packets to and from my
795 machine, even though another sniffer on the network sees those
798 A: You're probably not seeing any packets other than unicast packets
799 to or from your machine, and broadcast and multicast packets; a switch
800 will normally send to a port only unicast traffic sent to the MAC
801 address for the interface on that port, and broadcast and multicast
802 traffic - it won't send to that port unicast traffic sent to a MAC
803 address for some other interface - and a network interface not in
804 promiscuous mode will receive only unicast traffic sent to the MAC
805 address for that interface, broadcast traffic, and multicast traffic
806 sent to a multicast MAC address the interface is set up to receive.
808 TCP doesn't use broadcast or multicast, so you will only see your own
809 TCP traffic, but UDP services may use broadcast or multicast so you'll
810 see some UDP traffic - however, this is not a problem with TCP
811 traffic, it's a problem with unicast traffic, as you also won't see
812 all UDP traffic between other machines.
814 I.e., this is probably the same problem discussed in the previous
815 question; see the response to that question.
817 Q 5.3: I can set a display filter just fine, but capture filters don't
820 A: Capture filters currently use a different syntax than display
821 filters. Here's the corresponding section from the ethereal(1) man
824 "Display filters in Ethereal are very powerful; more fields are
825 filterable in Ethereal than in other protocol analyzers, and the
826 syntax you can use to create your filters is richer. As Ethereal
827 progresses, expect more and more protocol fields to be allowed in
830 Packet capturing is performed with the pcap library. The capture
831 filter syntax follows the rules of the pcap library. This syntax is
832 different from the display filter syntax."
834 The capture filter syntax used by libpcap can be found in the
837 Q 5.4: I'm entering valid capture filters, but I still get "parse
840 A: There is a bug in some versions of libpcap/WinPcap that cause it to
841 report parse errors even for valid expressions if a previous filter
842 expression was invalid and got a parse error.
844 Try exiting and restarting Ethereal; if you are using a version of
845 libpcap/WinPcap with this bug, this will "erase" its memory of the
846 previous parse error. If the capture filter that got the "parse error"
847 now works, the earlier error with that filter was probably due to this
848 bug. The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
849 libpcap have this bug, but 0.6[.x] and later versions don't.
851 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
852 libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
853 doesn't have this bug.
855 If you are running Ethereal on a UNIX-flavored platform, run "ethereal
856 -v", or select "About Ethereal..." from the "Help" menu in Ethereal,
857 to see what version of libpcap it's using. If it's not 0.6 or later,
858 you will need either to upgrade your OS to get a later version of
859 libpcap, or will need to build and install a later version of libpcap
860 from the tcpdump.org Web site and then recompile Ethereal from source
861 with that later version of libpcap.
863 If you are running Ethereal on Windows with a pre-2.3 version of
864 WinPcap, you will need to un-install WinPcap and then download and
867 Q 5.5: I saved a filter and tried to use its name to filter the
868 display, but I got an "Unexpected end of filter string" error.
870 A: You cannot use the name of a saved display filter as a filter. To
871 filter the display, you can enter a display filter expression - not
872 the name of a saved display filter - in the "Filter:" box at the
873 bottom of the display, and type the key or press the "Apply" button
874 (that does not require you to have a saved filter), or, if you want to
875 use a saved filter, you can press the "Filter:" button, select the
876 filter in the dialog box that pops up, and press the "OK" button.
878 Q 5.6: I've just installed Ethereal, and the traffic on my local LAN
881 A: We have a collection of strange and exotic sample capture files at
882 http://www.ethereal.com/sample/
884 Q 5.7: When I run Ethereal on Solaris 8, it dies with a Bus Error when
887 A: Some versions of the GTK+ library from www.sunfreeware.org appear
888 to be buggy, causing Ethereal to drop core with a Bus Error.
889 Un-install those packages, and try getting the 1.2.10 version from
890 that site, or the version from The Written Word, or the version from
891 Sun's GNOME distribution, or the version from the supplemental
892 software CD that comes with the Solaris media kit, or build it from
893 source from the GTK Web site. Update the GLib library to the 1.2.10
894 version, from the same source, as well. (If you get the 1.2.10
895 versions from www.sunfreeware.org, and the problem persists,
896 un-install them and try installing one of the other versions
897 mentioned.) Similar problems may exist with older versions of GTK+ for
898 earlier versions of Solaris.
900 Q 5.8: I'm running Ethereal on Linux; why do my time stamps have only
901 100ms resolution, rather than 1us resolution?
903 A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
904 get them from the OS kernel, so Ethereal - and any other program using
905 libpcap, such as tcpdump - is at the mercy of the time stamping code
906 in the OS for time stamps.
908 At least on x86-based machines, Linux can get high-resolution time
909 stamps on newer processors with the Time Stamp Counter (TSC) register;
910 for example, Intel x86 processors, starting with the Pentium Pro, and
911 including all x86 processors since then, have had a TSC, and other
912 vendors probably added the TSC at some point to their families of x86
915 The Linux kernel must be configured with the CONFIG_X86_TSC option
916 enabled in order to use the TSC. Make sure this option is enabled in
919 In addition, some Linux distributions may have bugs in their versions
920 of the kernel that cause packets not to be given high-resolution time
921 stamps even if the TSC is enabled. See, for example, bug 61111 for Red
922 Hat Linux 7.2. If your distribution has a bug such as this, you may
923 have to run a standard kernel from kernel.org in order to get
924 high-resolution time stamps.
926 Q 5.9: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
927 why are the time stamps on packets wrong?
929 A: This is due to a bug in WinPcap. The bug should be fixed in the
930 WinPcap 3.0 alpha release - note that it's an alpha release, so it may
931 be buggier than the current production release of WinPcap; please
932 report those bugs to the WinPcap developers, and help them try to
933 track down the problem, so that they can fix it for the final release.
935 Q 5.10: When I try to run Ethereal on Windows, it fails to run because
936 it can't find packet.dll.
938 A: In older versions of Ethereal, there were two binary distributions
939 available for Windows, one that supported capturing packets, and one
940 that didn't. The version that supported capturing packets required
941 that you install the WinPcap driver; if you didn't install it, it
942 would fail to run because it couldn't find packet.dll.
944 The current version of Ethereal has only one binary distribution for
945 Windows; that version will check whether WinPcap is installed and, if
946 it's not, will disable support for packet capture.
948 The WinPcap driver and libraries can be downloaded from the WinPcap
949 Web site, the local mirror of the WinPcap Web site, or the
950 Wiretapped.net mirror of the WinPcap site.
952 Q 5.11: Why does some network interface on my machine not show up in
953 the list of interfaces in the "Interface:" field in the dialog box
954 popped up by "Capture->Start", and/or why does Ethereal give me an
955 error if I try to capture on that interface?
957 A: If you are running Ethereal on a UNIX-flavored platform, you may
958 need to run Ethereal from an account with sufficient privileges to
959 capture packets, such as the super-user account. Only those interfaces
960 that Ethereal can open for capturing show up in that list; if you
961 don't have sufficient privileges to capture on any interfaces, no
962 interfaces will show up in the list.
964 If you are running Ethereal on Windows NT 4.0, Windows 2000, Windows
965 XP, or Windows Server, and this is the first time you have run a
966 WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, or
967 Analyzer, or...) since the machine was rebooted, you need to run that
968 program from an account with administrator privileges; once you have
969 run such a program, you will not need administrator privileges to run
970 any such programs until you reboot.
972 If you are running on a UNIX-flavored platform and have sufficient
973 privileges, or if you are running on Windows 95/98/Me, or if you are
974 running on Windows NT 4.0/2000/XP/Server and have administrator
975 privileges or a WinPcap program has been run with those privileges
976 since the machine rebooted, then note that Ethereal relies on the
977 libpcap library, and on the facilities that come with the OS on which
978 it's running in order to do captures; on Windows, it also relies on
979 the device driver that comes with WinPcap (which is a version of
980 libpcap for Windows).
982 Therefore, if the OS, the libpcap library, or the WinPcap driver don't
983 support capturing on a particular network interface device, Ethereal
984 won't be able to capture on that device.
986 On Linux, note that you need to have "packet socket" support enabled
987 in your kernel; see the "Packet socket" item in the Linux
988 "Configure.help" file.
990 On BSD, note that you need to have BPF support enabled in your kernel;
991 see the documentation for your system for information on how to enable
992 BPF support (if it's not enabled by default on your system).
994 On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
995 packet filtering support in your kernel; the doconfig command will
996 allow you to configure and build a new kernel with that option.
998 On Windows, note that:
999 * 2.02 and earlier versions of the WinPcap driver and library that
1000 Ethereal uses for packet capture didn't support Token Ring
1001 interfaces; the current version, 2.3, does support Token Ring, and
1002 the current version of Ethereal works with (and, in fact,
1003 requires) WinPcap 2.1 or later.
1004 If you are having problems capturing on Token Ring interfaces, and
1005 you have WinPcap 2.02 or an earlier version of WinPcap installed,
1006 you should uninstall WinPcap, download and install the current
1007 version of WinPcap, and then install the latest version of
1009 * WinPcap doesn't support PPP WAN interfaces on Windows
1010 NT/2000/XP/Server, so Ethereal cannot capture packets on those
1011 devices when running on Windows NT/2000/XP/Server. Regular dial-up
1012 lines, ISDN lines, and various other lines such as T1/E1 lines are
1013 all PPP interfaces. This may cause the interface not to show up on
1014 the list of interfaces in the "Capture Options" dialog.
1015 * WinPcap currently does not support multiprocessor machines (note
1016 that machines with a single multi-threaded processor, such as
1017 Intel's new multi-threaded x86 processors, are multiprocessor
1018 machines as far as the OS and WinPcap are concerned), and recent
1019 versions refuse to operate if they detect that they're running on
1020 a multiprocessor machine, which means that they may not show any
1023 If you are having trouble capturing on a particular network interface,
1024 and you've made sure that (on platforms that require it) you've
1025 arranged that packet capture support is present, as per the above,
1026 first try capturing on that device with tcpdump - or, on Windows, the
1027 tcpdump port to Windows, named WinDump; see the WinDump Web site, the
1028 local mirror of the WinDump Web site, or the Wiretapped.net mirror of
1029 the WinDump site, for information on using WinDump.
1031 If you can capture on the interface with tcpdump/WinDump, send mail to
1032 ethereal-users@ethereal.com giving full details of the problem,
1034 * the operating system you're using, and the version of that
1035 operating system (for Linux, give both the version number of the
1036 kernel and the name and version number of the distribution you're
1038 * the type of network device you're using;
1039 * the error message you get from Ethereal.
1041 If you cannot capture on the interface with tcpdump/WinDump, this is
1042 almost certainly a problem with one or more of:
1043 * the operating system you're using;
1044 * the device driver for the interface you're using;
1045 * the libpcap/WinPcap library and, if this is Windows, the WinPcap
1049 * if you are using Windows, first check the WinPcap FAQ, the local
1050 mirror of that FAQ, or the Wiretapped.net mirror of that FAQ, to
1051 see if your problem is mentioned there. If not, then see the
1052 WinPcap support page (or the local mirror of that page) - check
1053 the "Submitting bugs" section;
1054 * if you are using some Linux distribution, some version of BSD, or
1055 some other UNIX-flavored OS, you should report the problem to the
1056 company or organization that produces the OS (in the case of a
1057 Linux distribution, report the problem to whoever produces the
1060 You may also want to ask the ethereal-users@ethereal.com and, if this
1061 is a UNIX-flavored platform, tcpdump-workers@tcpdump.org mailing lists
1062 to see if anybody happens to know about the problem and know a
1063 workaround or fix for the problem. In your mail, please give full
1064 details of the problem, as described above, and also indicate that the
1065 problem occurs with tcpdump/WinDump, not just with Ethereal.
1067 Q 5.12: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
1068 has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
1069 "Interface" item in the "Capture Options" dialog box. Why can no
1070 packets be sent on or received from that network while I'm trying to
1071 capture traffic on that interface?
1073 A: WinPcap doesn't support PPP WAN interfaces on Windows
1074 NT/2000/XP/Server; one symptom that may be seen is that attempts to
1075 capture in promiscuous mode on the interface cause the interface to be
1076 incapable of sending or receiving packets. You can disable promiscuous
1077 mode using the -p command-line flag or the item in the "Capture
1078 Preferences" dialog box, but this may mean that outgoing packets, or
1079 incoming packets, won't be seen in the capture.
1081 Q 5.13: I'm running Ethereal on Windows 95/98/Me, on a machine with
1082 more than one network adapter of the same type; Ethereal shows all of
1083 those adapters with the same name, but I can't use any of those
1084 adapters other than the first one.
1086 A: Unfortunately, Windows 95/98/Me gives the same name to multiple
1087 instances of the type of same network adapter. Therefore, WinPcap
1088 cannot distinguish between them, so a WinPcap-based application can
1089 capture only on the first such interface; Ethereal is a
1090 libpcap/WinPcap-based application.
1092 Q 5.14: I have an XXX network card on my machine; if I try to capture
1093 on it, my machine crashes or resets itself.
1095 A: This is almost certainly a problem with one or more of:
1096 * the operating system you're using;
1097 * the device driver for the interface you're using;
1098 * the libpcap/WinPcap library and, if this is Windows, the WinPcap
1102 * if you are using Windows, see the WinPcap support page (or the
1103 local mirror of that page) - check the "Submitting bugs" section;
1104 * if you are using some Linux distribution, some version of BSD, or
1105 some other UNIX-flavored OS, you should report the problem to the
1106 company or organization that produces the OS (in the case of a
1107 Linux distribution, report the problem to whoever produces the
1110 Q 5.15: My machine crashes or resets itself when I select "Start" from
1111 the "Capture" menu or select "Preferences" from the "Edit" menu.
1113 A: Both of those operations cause Ethereal to try to build a list of
1114 the interfaces that it can open; it does so by getting a list of
1115 interfaces and trying to open them. There is probably an OS, driver,
1116 or, for Windows, WinPcap bug that causes the system to crash when this
1117 happens; see the previous question.
1119 Q 5.16: Does Ethereal work on Windows ME?
1121 A: Yes, but if you want to capture packets, you will need to install
1122 the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
1123 didn't support Windows ME. You should also install the latest version
1124 of Ethereal as well.
1126 Q 5.17: Does Ethereal work on Windows XP?
1128 A: Yes, but if you want to capture packets, you will need to install
1129 the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
1130 didn't support Windows XP.
1132 Q 5.18: Why doesn't Ethereal correctly identify RTP packets? It shows
1135 A: Ethereal can identify a UDP datagram as containing a packet of a
1136 particular protocol running atop UDP only if
1137 1. The protocol in question has a particular standard port number,
1138 and the UDP source or destination port number is that port
1139 2. Packets of that protocol can be identified by looking for a
1140 "signature" of some type in the packet - i.e., some data that, if
1141 Ethereal finds it in some particular part of a packet, means that
1142 the packet is almost certainly a packet of that type.
1143 3. Some other traffic earlier in the capture indicated that, for
1144 example, UDP traffic between two particular addresses and ports
1145 will be RTP traffic.
1147 RTP doesn't have a standard port number, so 1) doesn't work; it
1148 doesn't, as far as I know, have any "signature", so 2) doesn't work.
1150 That leaves 3). If there's RTSP traffic that sets up an RTP session,
1151 then, at least in some cases, the RTSP dissector will set things up so
1152 that subsequent RTP traffic will be identified. Currently, that's the
1153 only place we do that; there may be other places.
1155 However, there will always be places where Ethereal is simply
1156 incapable of deducing that a given UDP flow is RTP; a mechanism would
1157 be needed to allow the user to specify that a given conversation
1158 should be treated as RTP. As of Ethereal 0.8.16, such a mechanism
1159 exists; if you select a UDP or TCP packet, the right mouse button menu
1160 will have a "Decode As..." menu item, which will pop up a dialog box
1161 letting you specify that the source port, the destination port, or
1162 both the source and destination ports of the packet should be
1163 dissected as some particular protocol.
1165 Q 5.19: Why doesn't Ethereal show Yahoo Messenger packets in captures
1166 that contain Yahoo Messenger traffic?
1168 A: Ethereal only recognizes as Yahoo Messenger traffic packets to or
1169 from TCP port 3050 that begin with "YPNS" or "YHOO". This means that
1170 1. TCP segments that start with the middle of a Yahoo Messenger
1171 packet that takes more than one TCP segment will not be recognized
1172 as Yahoo Messenger packets (even if the TCP segment also contains
1173 the beginning of another Yahoo Messenger packet);
1174 2. Yahoo Messenger packets that begin with "YMSG", as packets for
1175 some versions of the protocol apparently do, will not be
1176 recognized as Yahoo Messenger packets.
1178 Q 5.20: Why do I get the error
1180 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
1184 when I try to run Ethereal on Windows?
1186 A: Ethereal is built using the GTK+ toolkit, which supports most
1187 UNIX-flavored OSes, and also supports Windows; that toolkit doesn't
1188 support 256-color mode on Windows - it requires HiColor (16-bit
1189 colors) or more. If your display supports more than 256 colors, switch
1190 to a display mode with more colors; if it doesn't support more than
1191 256 colors, you will be unable to run Ethereal.
1193 Q 5.21: When I capture on Windows in promiscuous mode, I can see
1194 packets other than those sent to or from my machine; however, those
1195 packets show up with a "Short Frame" indication, unlike packets to or
1196 from my machine. What should I do to arrange that I see those packets
1199 A: In at least some cases, this appears to be the result of PGPnet
1200 running on the network interface on which you're capturing; turn it
1201 off on that interface.
1203 Q 5.22: How can I capture raw 802.11 packets, including non-data
1204 (management, beacon) packets?
1206 A: The answer to this depends on the operating system on which you're
1207 running and the 802.11 interface you're using.
1209 Cisco Aironet cards:
1211 The only platforms that allow Ethereal to capture raw 802.11 packets
1212 on Cisco Aironet cards are:
1213 * Linux, with a 2.4.6 or later kernel;
1214 * FreeBSD 4.6 or later, as the driver in FreeBSD 4.5 has bugs that
1215 cause packets not to be captured correctly, and the driver in
1216 releases prior to 4.5 didn't support capturing raw packets.
1218 On FreeBSD, the ancontrol utility must be used; do not enable the full
1219 Aironet header via BPF, as Ethereal doesn't currently support that.
1221 On Linux, you will need to do
1223 echo "Mode: rfmon" >/proc/driver/aironet/ethN/Config
1225 if your Aironet card is ethN. To capture traffic from any BSS, do
1227 echo "Mode: y" >/proc/driver/aironet/ethN/Config
1229 and to return to the normal mode, do
1231 echo "Mode: ess" >/proc/driver/aironet/ethN/Config
1233 In either case, Ethereal would have to be linked with libpcap 0.7.1 or
1234 later; this means that most Ethereal binary packages won't work unless
1235 they're statically linked with libpcap 0.7.1 or later, or they're
1236 dynamically linked with libpcap and your system has a libpcap 0.7.1 or
1237 later shared library installed (note that libpcap source package from
1238 tcpdump.org does not build shared libraries).
1240 Cards using the Prism II chip set (see this page of Linux 802.11
1241 information for details on wireless cards, including information on
1242 the chips they use):
1244 You can capture raw 802.11 packets with Prism II cards on Linux
1245 systems with the 0.1.14-pre1 or later version of the linux-wlan-ng
1246 drivers (see the linux-wlan page, and the linux-wlan-ng tarball
1247 directory), or with Solomon Peachy's patches to the linux-wlan-ng
1248 0.1.13 drivers (see the `0132-packet-v71.diff' link on his software
1249 page; the patch speaks of 0.1.13-pre2, but appears to apply to 0.1.13
1250 as well). If you are using the 0.1.13 drivers, you might also want his
1251 `0132-promisc-v23.diff' patch as well; if you are using the
1252 0.1.14-pre1 drivers, you might also want his
1253 `014p1-promiscfixes-v1.diff' patches - both of those are already in
1256 Those require either Solomon's patch to libpcap 0.7.1 (see his
1257 `libpcap-0.7.1-prism.diff' file, or his RPMs of that version of
1258 libpcap), or the current CVS version of libpcap, which includes his
1259 patch (download it from the `Current Tar files' section of the
1260 tcpdump.org Web site).
1262 You may have to run a command to put the interface into monitor mode,
1263 or to change other interface settings.
1264 Earlier versions of the linux-wlan-ng drivers don't allow Ethereal to
1265 directly capture raw 802.11 packets on Prism II cards; however, on
1266 Linux systems with the linux-wlan-ng drivers version 0.1.6, the
1267 Prismdump utility can be used to capture packets; it saves packets in
1268 a form that Ethereal can read. Prismdump can be downloaded from this
1269 page on the developer.axis.com Web site.
1271 On other platforms, capturing raw 802.11 packets on Prism II cards is
1272 not currently supported.
1274 Orinoco Silver and Gold cards:
1276 On Linux systems, when using either the orinoco_cs-0.09b driver or the
1277 driver in at least some versions of the Linux kernel, the
1278 `orinoco-09b-packet-1.diff' patch on the Orinoco Monitor Mode Patch
1279 Page should allow you to do capture raw 802.11 packets.
1281 The patch appears to apply to the driver in the 2.4.18 kernel, but we
1282 don't know whether it works; the directions on that page are for the
1283 pcmcia-cs drivers, not for the driver in the kernel itself.
1284 Note that the page indicates that not all versions of the Orinoco
1285 firmware support this patch. The Orinoco patches require Solomon
1286 Peachy's libpcap patches.
1288 On other platforms, capturing raw 802.11 packets on Orinoco cards is
1289 not currently supported.
1291 Other 802.11 interfaces:
1293 With other 802.11 interfaces, no platform allows Ethereal to capture
1294 raw 802.11 packets, as far as we know. If you know of other 802.11
1295 interfaces that are supported (note that there are many `Prism II
1296 cards', so your card might be a Prism II card), please let us know,
1297 and include URLs for sites containing any necessary patches to add
1300 On platforms that don't allow Ethereal to capture raw 802.11 packets,
1301 the 802.11 network will appear like an Ethernet to Ethereal.
1303 Q 5.23: How can I capture packets with CRC errors?
1305 A: Ethereal can capture only the packets that the packet capture
1306 library - libpcap on UNIX-flavored OSes, and the WinPcap port to
1307 Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
1308 capture only the packets that the OS's raw packet capture mechanism
1309 (or the WinPcap driver, and the underlying OS networking code and
1310 network interface drivers, on Windows) will allow it to capture.
1312 Unless the OS can be configured to supply packets with errors such as
1313 invalid CRCs to the raw packet capture mechanism, Ethereal - and other
1314 programs that capture raw packets, such as tcpdump - cannot capture
1315 those packets. You will have to determine whether your OS can be so
1316 configured, configure it if possible, and make whatever changes to
1317 libpcap and the packet capture program you're using are necessary to
1318 support capturing those packets.
1320 Q 5.24: How can I capture entire frames, including the FCS?
1322 A: Ethereal can't capture any data that the packet capture library -
1323 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
1324 libpcap on Windows - can capture, and libpcap/WinPcap can capture only
1325 the data that the OS's raw packet capture mechanism (or the WinPcap
1326 driver, and the underlying OS networking code and network interface
1327 drivers, on Windows) will allow it to capture.
1329 For any particular link-layer network type, unless the OS supplies the
1330 FCS of a frame as part of the frame, or can be configured to supply
1331 the FCS of a frame as part of the frame, Ethereal - and other programs
1332 that capture raw packets, such as tcpdump - cannot capture the FCS of
1333 a frame. You will have to determine whether your OS can be so
1334 configured, configure it if possible, and make whatever changes to
1335 libpcap and the packet capture program you're using are necessary to
1336 support capturing the FCS of a frame. Most if not all OSes probably do
1337 not support capturing the FCS of a frame on Ethernet, and probably do
1338 not support it on most other link-layer types.
1340 Q 5.25: Ethereal hangs after I stop a capture.
1342 A: The most likely reason for this is that Ethereal is trying to look
1343 up an IP address in the capture to convert it to a name (so that, for
1344 example, it can display the name in the source address or destination
1345 address columns), and that lookup process is taking a very long time.
1347 Ethereal calls a routine in the OS of the machine on which it's
1348 running to convert of IP addresses to the corresponding names. That
1349 routine probably does one or more of:
1350 * a search of a system file listing IP addresses and names;
1351 * a lookup using DNS;
1352 * on UNIX systems, a lookup using NIS;
1353 * on Windows systems, a NetBIOS-over-TCP query.
1355 If a DNS server that's used in an address lookup is not responding,
1356 the lookup will fail, but will only fail after a timeout while the
1357 system routine waits for a reply.
1359 In addition, on Windows systems, if the DNS lookup of the address
1360 fails, either because the server isn't responding or because there are
1361 no records in the DNS that could be used to map the address to a name,
1362 a NetBIOS-over-TCP query will be made. That query involves sending a
1363 message to the NetBIOS-over-TCP name service on that machine, asking
1364 for the name and other information about the machine. If the machine
1365 isn't running software that responds to those queries - for example,
1366 many non-Windows machines wouldn't be running that software - the
1367 lookup will only fail after a timeout. Those timeouts can cause the
1368 lookup to take a long time.
1370 If you disable network address-to-name translation - for example, by
1371 turning off the `Enable network name resolution' option in the `Name
1372 resolution' options in the dialog box you get by selecting
1373 `Preferences' from the `Edit' menu - the lookups of the address won't
1374 be done, which may speed up the process of reading the capture file
1375 after the capture is stopped. You can make that setting the default by
1376 using the `Save' button in that dialog box; note that this will save
1377 all your current preference settings.
1379 If Ethereal hangs when reading a capture even with network name
1380 resolution turned off, there might, for example, be a bug in one of
1381 Ethereal's dissectors for a protocol causing it to loop infinitely.
1382 The bug should be reported to the Ethereal developers' mailing list at
1383 ethereal-dev@ethereal.com.
1385 On UNIX-flavored OSes, please try to force Ethereal to dump core, by
1386 sending it a SIGABRT signal (usually signal 6) with the kill command,
1387 and then get a stack trace if you have a debugger installed. A stack
1388 trace can be obtained by using your debugger (gdb in this example),
1389 the Ethereal binary, and the resulting core file. Here's an example of
1390 how to use the gdb command backtrace to do so.
1393 ..... prints the stack trace
1397 The core dump file may be named "ethereal.core" rather than "core" on
1398 some platforms (e.g., BSD systems)
1400 Also, if at all possible, please send a copy of the capture file that
1401 caused the problem; when capturing packets, Ethereal normally writes
1402 captured packets to a temporary file, which will probably be in /tmp
1403 or /var/tmp on UNIX-flavored OSes and \TEMP on Windows, so the capture
1404 file will probably be there. It will have a name beginning with ether,
1405 with some mixture of letters and numbers after that. Please don't send
1406 a trace file greater than 1 MB when compressed. If the trace file
1407 contains sensitive information (e.g., passwords), then please do not
1410 Q 5.26: How can I search for, or filter, packets that have a
1411 particular string anywhere in them?
1413 A: Currently, you can't.
1415 That's a feature that would be hard to implement in capture filters
1416 without changes to the capture filter code, which, on many platforms,
1417 is in the OS kernel and, on other platforms, is in the libpcap
1420 It would be easier to implement in display filters, but it hasn't been
1421 implemented yet. It would be best implemented as a display filter
1422 "string match" operator, which would let you check not only the entire
1423 packet for a string, but check portions of the packet for a string. It
1424 should probably not use a naive string matching mechanism, as there
1425 are mechanisms much faster than the naive one.
1428 Support can be found on the ethereal-users[AT]ethereal.com mailing
1430 For corrections/additions/suggestions for this page, please send email
1431 to: ethereal-web[AT]ethereal.com
1432 Last modified: Thu, January 16 2003.