4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.ethereal.com/faq.html for the up
6 to date version. The version of this snapshot can be found at
7 the end of this document.
14 1.1 Where can I get help?
16 1.2 How much does Ethereal cost?
18 1.3 Can I use Ethereal commercially?
20 1.4 Can I use Ethereal as part of my commercial product?
22 1.5 What protocols are currently supported?
24 1.6 Are there any plans to support {your favorite protocol}?
26 1.7 Can Ethereal read capture files from {your favorite network analyzer}?
28 1.8 What devices can Ethereal use to capture packets?
30 1.9 How do you pronounce Ethereal? Where did the name come from?
32 2. Downloading Ethereal:
34 2.1 I downloaded the Win32 installer, but when I try to run it, I get an
37 2.2 When I try to download the WinPcap driver and library, I can't get to
40 3. Installing Ethereal:
42 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be installed;
43 only Tethereal is installed.
47 4.1 The configure script can't find pcap.h or bpf.h, but I have libpcap
50 4.2 Why do I get the error
52 dftest_DEPENDENCIES was already defined in condition TRUE, which implies
53 condition HAVE_PLUGINS_TRUE
55 when I try to build Ethereal from SVN or a SVN snapshot?
57 4.3 The link fails with a number of "Output line too long." messages
58 followed by linker errors.
60 4.4 The link fails on Solaris because plugin_list is undefined.
62 4.5 The build fails on Windows because of conflicts between winsock.h and
67 5.1 When I use Ethereal to capture packets, I see only packets to and from
68 my machine, or I'm not seeing all the traffic I'm expecting to see from or
69 to the machine I'm trying to monitor.
71 5.2 I can't see any TCP packets other than packets to and from my machine,
72 even though another analyzer on the network sees those packets.
74 5.3 I'm only seeing ARP packets when I try to capture traffic.
76 5.4 I'm running Ethereal on Windows; why does some network interface on my
77 machine not show up in the list of interfaces in the "Interface:" field in
78 the dialog box popped up by "Capture->Start", and/or why does Ethereal give
79 me an error if I try to capture on that interface?
81 5.5 I'm running Ethereal on Windows; why do no network interfaces show up in
82 the list of interfaces in the "Interface:" field in the dialog box popped up
85 5.6 I'm running Ethereal on Windows; why doesn't my serial port/ADSL
86 modem/ISDN modem show up in the list of interfaces in the "Interface:" field
87 in the dialog box popped up by "Capture->Start"?
89 5.7 I'm running Ethereal on a UNIX-flavored OS; why does some network
90 interface on my machine not show up in the list of interfaces in the
91 "Interface:" field in the dialog box popped up by "Capture->Start", and/or
92 why does Ethereal give me an error if I try to capture on that interface?
94 5.8 I'm running Ethereal on a UNIX-flavored OS; why do no network interfaces
95 show up in the list of interfaces in the "Interface:" field in the dialog
96 box popped up by "Capture->Start"?
98 5.9 Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
100 5.10 How do I put an interface into promiscuous mode?
102 5.11 I can set a display filter just fine, but capture filters don't work.
104 5.12 I'm entering valid capture filters, but I still get "parse error"
107 5.13 I saved a filter and tried to use its name to filter the display, but I
108 got an "Unexpected end of filter string" error.
110 5.14 Why am I seeing lots of packets with incorrect TCP checksums?
112 5.15 I've just installed Ethereal, and the traffic on my local LAN is
115 5.16 When I run Ethereal on Solaris 8, it dies with a Bus Error when I start
118 5.17 When I run Ethereal, I get an error
120 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
121 assertion `height > 0' failed.
123 5.18 When I run Tethereal with the "-x" option, it crashes with an error
125 "** ERROR **: file print.c: line 691 (print_line): should not be reached.
127 5.19 When I run Ethereal on Windows NT, it dies with a Dr. Watson error,
128 reporting an "Integer division by zero" exception, when I start it.
130 5.20 When I try to run Ethereal, it complains about sprint_realloc_objid
133 5.21 I'm running Ethereal on Linux; why do my time stamps have only 100ms
134 resolution, rather than 1us resolution?
136 5.22 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why are
137 the time stamps on packets wrong?
139 5.23 When I try to run Ethereal on Windows, it fails to run because it can't
142 5.24 I'm running Ethereal on Windows NT 4.0/Windows 2000/Windows XP/Windows
143 Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.) interface, and
144 it shows up in the "Interface" item in the "Capture Options" dialog box. Why
145 can no packets be sent on or received from that network while I'm trying to
146 capture traffic on that interface?
148 5.25 I'm running Ethereal on Windows 95/98/Me, on a machine with more than
149 one network adapter of the same type; Ethereal shows all of those adapters
150 with the same name, but I can't use any of those adapters other than the
153 5.26 I'm running Ethereal on Windows, and I'm not seeing any traffic being
154 sent by the machine running Ethereal.
156 5.27 I'm trying to capture traffic but I'm not seeing any.
158 5.28 I have an XXX network card on my machine; if I try to capture on it, my
159 machine crashes or resets itself.
161 5.29 My machine crashes or resets itself when I select "Start" from the
162 "Capture" menu or select "Preferences" from the "Edit" menu.
164 5.30 Does Ethereal work on Windows Me?
166 5.31 Does Ethereal work on Windows XP?
168 5.32 Why doesn't Ethereal correctly identify RTP packets? It shows them only
171 5.33 Why doesn't Ethereal show Yahoo Messenger packets in captures that
172 contain Yahoo Messenger traffic?
174 5.34 Why do I get the error
176 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
180 when I try to run Ethereal on Windows?
182 5.35 When I capture on Windows in promiscuous mode, I can see packets other
183 than those sent to or from my machine; however, those packets show up with a
184 "Short Frame" indication, unlike packets to or from my machine. What should
185 I do to arrange that I see those packets in their entirety?
187 5.36 I'm capturing packets on a machine on a VLAN; why don't the packets I'm
188 capturing have VLAN tags?
190 5.37 How can I capture raw 802.11 frames, including non-data (management,
193 5.38 How do I capture on an 802.11 device in monitor mode?
195 5.39 I'm trying to capture 802.11 traffic on Windows; why am I not seeing
198 5.40 I'm trying to capture 802.11 traffic on Windows; why am I seeing
199 packets received by the machine on which I'm capturing traffic, but not
200 packets sent by that machine?
202 5.41 How can I capture packets with CRC errors?
204 5.42 How can I capture entire frames, including the FCS?
206 5.43 Why does Ethereal hang after I stop a capture?
208 5.44 How can I search for, or filter, packets that have a particular string
211 5.45 How do I filter a capture to see traffic for virus XXX?
215 Q 1.1: Where can I get help?
217 A: Community support is available on the ethereal-users mailing list.
218 Subscription information and archives for all of Ethereal's mailing lists
219 can be found at http://www.ethereal.com/lists. An IRC channel dedicated to
220 Ethereal can be found at irc://irc.freenode.net/ethereal.
222 Commercial support, training, and development services are available from
225 Q 1.2: How much does Ethereal cost?
227 A: Ethereal is "free software"; you can download it without paying any
228 license fee. The version of Ethereal you download isn't a "demo" version,
229 with limitations not present in a "full" version; it is the full version.
231 The license under which Ethereal is issued is the GNU General Public
232 License. See the GNU GPL FAQ for some more information.
234 Q 1.3: Can I use Ethereal commercially?
236 A: Yes, if, for example, you mean "I work for a commercial organization; can
237 I use Ethereal to capture and analyze network traffic in our company's
238 networks or in our customer's networks?"
240 If you mean "Can I use Ethereal as part of my commercial product?", see the
241 next entry in the FAQ.
243 Q 1.4: Can I use Ethereal as part of my commercial product?
245 A: As noted, Ethereal is licensed under the GNU General Public License. The
246 GPL imposes conditions on your use of GPL'ed code in your own products; you
247 cannot, for example, make a "derived work" from Ethereal, by making
248 modifications to it, and then sell the resulting derived work and not allow
249 recipients to give away the resulting work. You must also make the changes
250 you've made to the Ethereal source available to all recipients of your
251 modified version; those changes must also be licensed under the terms of the
252 GPL. See the GPL FAQ for more details; in particular, note the answer to the
253 question about modifying a GPLed program and selling it commercially, and
254 the question about linking GPLed code with other code to make a proprietary
257 You can combine a GPLed program such as Ethereal and a commercial program as
258 long as they communicate "at arm's length", as per this item in the GPL FAQ.
260 Q 1.5: What protocols are currently supported?
262 A: There are currently 724 supported protocols and media, listed below.
263 Descriptions can be found in the ethereal(1) man page.
265 3Com XNS Encapsulation
268 802.1X Authentication
269 AAL type 2 signalling protocol - Capability set 1 (Q.2630.1)
272 AFS (4.0) Replication Server call declarations
275 AIM Buddylist Service
282 AIM Invitation Service
287 AIM Privacy Management Service
289 AIM Server Side Themes
296 ANSI IS-637-A (SMS) Teleservice Layer
297 ANSI IS-637-A (SMS) Transport Layer
298 ANSI IS-683-A (OTA (Mobile))
299 ANSI IS-801 (Location Services (PLD))
300 ANSI Mobile Application Part
301 AOL Instant Messenger
310 AVS WLAN Capture header
312 Active Directory Setup
313 Ad hoc On-demand Distance Vector Routing Protocol
315 Address Resolution Protocol
317 Aggregate Server Access Protocol
319 Alteon - Transparent Proxy Cache Protocol
320 Andrew File System (AFS)
321 Apache JServ Protocol v1.3
322 Apple Filing Protocol
323 Apple IP-over-IEEE 1394
324 AppleTalk Session Protocol
325 AppleTalk Transaction Protocol packet
326 Appletalk Address Resolution Protocol
327 Application Configuration Access Protocol
329 Aruba - Aruba Discovery Protocol
330 Async data over ISDN (V.120)
331 Asynchronous Layered Coding
332 AudioCodes Trunk Trace
333 Authentication Header
334 BACnet Virtual Link Control
339 Banyan Vines Fragmentation Protocol
346 Base Station Subsystem GPRS Protocol
347 Basic Encoding Rules (ASN.1 X.690)
348 Bearer Independent Call Control
349 Bi-directional Fault Detection Control Message
351 Blocks Extensible Exchange Protocol
352 Blubster/Piolet MANOLITO Protocol
356 Border Gateway Protocol
357 Building Automation and Control Network APDU
358 Building Automation and Control Network NPDU
361 CDS Clerk Server Calls
364 Cast Client Control Protocol
365 Certificate Management Protocol
366 Certificate Request Message Format
367 Check Point High Availability Protocol
370 Cisco Discovery Protocol
371 Cisco Group Management Protocol
373 Cisco Hot Standby Router Protocol
375 Cisco Interior Gateway Routing Protocol
378 Cisco Session Management
379 Cisco Wireless Layer 2
381 CoSine IPNOS L2 debug output
382 Common Industrial Protocol
383 Common Open Policy Service
384 Common Unix Printing System (CUPS) Browsing Protocol
386 Computer Interface to Message Distribution
387 Configuration Test Protocol (loopback)
388 Connectionless Lightweight Directory Access Protocol
389 Coseventcomm Dissector Using GIOP API
390 Cosnaming Dissector Using GIOP API
391 Cross Point Frame Injector
392 Cryptographic Message Syntax
393 DCE Distributed Time Service Local Server
394 DCE Distributed Time Service Provider
397 DCE Security ID Mapper
401 DCE/RPC CDS Solicitation
402 DCE/RPC Conversation Manager
403 DCE/RPC Directory Acl Interface
404 DCE/RPC Endpoint Mapper
405 DCE/RPC Endpoint Mapper v4
407 DCE/RPC FLDB UBIK TRANSFER
408 DCE/RPC FLDB UBIKVOTE
411 DCE/RPC NCS 1.5.1 Local Location Broker
412 DCE/RPC Operations between registry server replicas
419 DCE/RPC Registry Password Management
420 DCE/RPC Registry Server Attributes Schema
421 DCE/RPC Registry server propagation interface - ACLs.
422 DCE/RPC Registry server propagation interface - PGO items
423 DCE/RPC Registry server propagation interface - properties and poli
425 DCE/RPC Remote Management
426 DCE/RPC Repserver Calls
427 DCE/RPC TokenServer Calls
431 DCOM IRemoteActivation
433 DEC DNA Routing Protocol
434 DEC Spanning Tree Protocol
444 DNS Control Program Server
446 DOCSIS Appendix C TLV's
447 DOCSIS Baseline Privacy Key Management Attributes
448 DOCSIS Baseline Privacy Key Management Request
449 DOCSIS Baseline Privacy Key Management Response
450 DOCSIS Dynamic Service Addition Acknowledge
451 DOCSIS Dynamic Service Addition Request
452 DOCSIS Dynamic Service Addition Response
453 DOCSIS Dynamic Service Change Acknowledgement
454 DOCSIS Dynamic Service Change Request
455 DOCSIS Dynamic Service Change Response
456 DOCSIS Dynamic Service Delete Request
457 DOCSIS Dynamic Service Delete Response
458 DOCSIS Initial Ranging Message
459 DOCSIS Mac Management
460 DOCSIS Range Request Message
461 DOCSIS Ranging Response
462 DOCSIS Registration Acknowledge
463 DOCSIS Registration Requests
464 DOCSIS Registration Responses
465 DOCSIS Upstream Bandwidth Allocation
466 DOCSIS Upstream Channel Change Request
467 DOCSIS Upstream Channel Change Response
468 DOCSIS Upstream Channel Descriptor
469 DOCSIS Upstream Channel Descriptor Type 29
470 DOCSIS Vendor Specific Endodings
471 DPNSS/DASS2-User Adaptation Layer
475 Data Stream Interface
476 Datagram Congestion Control Protocol
477 Datagram Delivery Protocol
478 Decompressed SigComp message as raw text
480 Digital Audio Access Protocol
481 Distance Vector Multicast Routing Protocol
482 Distcc Distributed Compiler
483 Distributed Checksum Clearinghouse Protocol
484 Distributed Interactive Simulation
485 Distributed Network Protocol 3.0
487 Dublin Core Metadata (DC)
488 Dynamic DNS Tools Protocol
489 Dynamic Trunking Protocol
492 Encapsulating Security Payload
493 Endpoint Name Resolution Protocol
494 Enhanced Interior Gateway Routing Protocol
495 EtherNet/IP (Industrial Protocol)
499 Extended Security Services
500 Extensible Authentication Protocol
501 Extreme Discovery Protocol
503 FC Fabric Configuration Server
507 Fiber Distributed Data Interface
509 Fibre Channel Common Transport
510 Fibre Channel Fabric Zone Server
511 Fibre Channel Name Server
512 Fibre Channel Protocol for SCSI
514 Fibre Channel Security Protocol
515 Fibre Channel Single Byte Command
516 File Transfer Protocol (FTP)
517 Financial Information eXchange Protocol
521 GARP Multicast Registration Protocol
522 GARP VLAN Registration Protocol
524 GPRS Tunneling Protocol
528 GSM Mobile Application
529 GSM SMS TPDU (GSM 03.40)
530 GSM Short Message Service User Data
532 GSS-API Generic Security Service Application Program Interface
533 General Inter-ORB Protocol
534 Generic Routing Encapsulation
538 H235-SECURITY-MESSAGES
540 HP Extended Local-Link Control
541 HP Remote Maintenance Protocol
543 HP-UX Network Tracing and Logging
544 Hummingbird NFS Daemon
546 Hypertext Transfer Protocol
566 ICBAPhysicalDevicePCEvent
574 IEEE 802.11 Radiotap Capture header
575 IEEE 802.11 wireless LAN
576 IEEE 802.11 wireless LAN management frame
577 IEEE802a OUI Extended Ethertype
580 IP Device Control (SS7 over IP)
582 IP Payload Compression
583 IP Virtual Services Sync Daemon
585 IPX Routing Information Protocol
590 ISDN Q.921-User Adaptation Layer
592 ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
593 ISO 8073 COTP Connection-Oriented Transport Protocol
594 ISO 8327-1 OSI Session Protocol
595 ISO 8473 CLNP ConnectionLess Network Protocol
597 ISO 8602 CLTP ConnectionLess Transport Protocol
598 ISO 8823 OSI Presentation Protocol
599 ISO 9542 ESIS Routeing Information Exchange Protocol
601 ISystemActivator ISystemActivator Resolver
602 ITU M.3100 Generic Network Information Model
604 ITU-T Recommendation H.261
605 ITU-T Recommendation H.263
606 ITU-T Recommendation H.263 RTP Payload header (RFC2190)
608 Information Access Protocol
609 Init shutdown service
611 Intelligent Platform Management Interface
612 Inter-Access-Point Protocol
613 Inter-Asterisk eXchange v2
614 InterSwitch Message Protocol
616 Internet Cache Protocol
617 Internet Communications Engine Protocol
618 Internet Content Adaptation Protocol
619 Internet Control Message Protocol
620 Internet Control Message Protocol v6
621 Internet Group Management Protocol
622 Internet Group membership Authentication Protocol
623 Internet Message Access Protocol
624 Internet Printing Protocol
626 Internet Protocol Version 6
628 Internet Security Association and Key Management Protocol
629 Internetwork Datagram Protocol
630 Internetwork Packet eXchange
632 IrDA Link Access Protocol
633 IrDA Link Management Protocol
634 JPEG File Interchange Format
635 JXTA Connection Welcome Message
645 Kerberized Internet Negotiation of Key
647 Kerberos Administration
651 LWAPP Encapsulated Packet
653 Label Distribution Protocol
655 Layer 2 Tunneling Protocol
656 Light Weight DNS RESolver (BIND9)
657 Lightweight Directory Access Protocol
658 Line Printer Daemon Protocol
660 Link Access Procedure Balanced (LAPB)
661 Link Access Procedure Balanced Ethernet (LAPBETHER)
662 Link Access Procedure, Channel D (LAPD)
663 Link Layer Discovery Protocol
664 Link Management Protocol (LMP)
665 Linux cooked-mode capture
666 Local Management Interface
667 LocalTalk Link Access Protocol
669 Logical Link Control GPRS
671 Logotype Certificate Extensions
672 Lucent/Ascend debug output
677 MIME Multipart Media Encapsulation
679 MMS Message Encapsulation
682 MSN Messenger Service
683 MSNIP: Multicast Source Notification of Interest Protocol
684 MTP 2 Transparent Proxy
685 MTP 2 User Adaptation Layer
686 MTP 3 User Adaptation Layer
687 MTP2 Peer Adaptation Layer
688 MULTIMEDIA-SYSTEM-CONTROL
689 Media Gateway Control Protocol
691 Media Type: message/http
692 Message Session Relay Protocol
693 Message Transfer Part Level 2
694 Message Transfer Part Level 3
695 Message Transfer Part Level 3 Management
696 Meta Analysis Tracing Engine
697 Microsoft AT-Scheduler Service
698 Microsoft Distributed File System
699 Microsoft Distributed Link Tracking Server Service
700 Microsoft Encrypted File System Service
701 Microsoft Eventlog Service
702 Microsoft Exchange MAPI
703 Microsoft File Replication Service
704 Microsoft File Replication Service API
705 Microsoft Local Security Architecture
706 Microsoft Media Server
707 Microsoft Messenger Service
708 Microsoft Network Logon
709 Microsoft Plug and Play service
710 Microsoft Routing and Remote Access Service
711 Microsoft Security Account Manager
712 Microsoft Server Service
713 Microsoft Service Control
714 Microsoft Spool Subsystem
715 Microsoft Telephony API Service
716 Microsoft Windows Browser Protocol
717 Microsoft Windows Lanman Remote API Protocol
718 Microsoft Windows Logon Protocol (Old)
719 Microsoft Workstation Service
725 MultiProtocol Label Switching Header
726 Multicast Router DISCovery protocol
727 Multicast Source Discovery Protocol
728 Multiprotocol Label Switching Echo
735 NTLM Secure Service Provider
736 Name Binding Protocol
737 Name Management Protocol over IPX
738 Negative-acknowledgment Oriented Reliable Multicast
740 NetBIOS Datagram Service
742 NetBIOS Session Service
744 NetScape Certificate Extensions
745 NetWare Core Protocol
746 NetWare Link Services Protocol
747 NetWare Serialization Protocol
748 Network Data Management Protocol
750 Network Lock Manager Protocol
751 Network News Transfer Protocol
752 Network Service Over IP
753 Network Status Monitor CallBack Protocol
754 Network Status Monitor Protocol
755 Network Time Protocol
757 Novell Distributed Print System
758 Novell Modular Authentication Service
760 Online Certificate Status Protocol
761 Open Policy Service Interface
762 Open Shortest Path First
763 OpenBSD Encapsulating device
764 OpenBSD Packet Filter log file
765 OpenBSD Packet Filter log file, pre 3.4
766 Optimized Link State Routing Protocol
770 PKIX CERT File Format
772 PKIX Time Stamp Protocol
776 PPP Bandwidth Allocation Control Protocol
777 PPP Bandwidth Allocation Protocol
778 PPP CDP Control Protocol
779 PPP Callback Control Protocol
780 PPP Challenge Handshake Authentication Protocol
781 PPP Compressed Datagram
782 PPP Compression Control Protocol
783 PPP IP Control Protocol
784 PPP IPv6 Control Protocol
785 PPP In HDLC-Like Framing
786 PPP Link Control Protocol
787 PPP MPLS Control Protocol
788 PPP Multilink Protocol
790 PPP OSI Control Protocol
791 PPP Password Authentication Protocol
793 PPP-over-Ethernet Discovery
794 PPP-over-Ethernet Session
795 PPPMux Control Protocol
798 PROFINET Real-Time Protocol
799 Packed Encoding Rules (ASN.1 X.691)
800 Packet Cable Lawful Intercept
802 Parlay Dissector Using GIOP API
804 Point-to-Point Protocol
805 Point-to-Point Tunnelling Protocol
806 Port Aggregation Protocol
810 Pragmatic General Multicast
811 Precision Time Protocol (IEEE1588)
813 Privilege Server operations
814 Protocol Independent Multicast
818 Quake II Network Protocol
819 Quake III Arena Network Protocol
820 Quake Network Protocol
821 QuakeWorld Network Protocol
822 Qualified Logical Link Control
828 RS Interface properties
830 RSYNC File Synchroniser
833 Radio Access Network Application Part
837 Real Time Streaming Protocol
838 Real-Time Media Access Control
839 Real-Time Publish-Subscribe Wire Protocol
840 Real-Time Transport Protocol
841 Real-time Transport Control Protocol
843 Redundant Link Management Protocol
844 Registry Server Attributes Manipulation Interface
845 Registry server administration operations.
847 Remote Management Control Protocol
848 Remote Override interface
849 Remote Procedure Call
852 Remote Registry Service
855 Remote sec_login preauth interface.
856 Resource ReserVation Protocol (RSVP)
857 Retix Spanning Tree Protocol
859 Routing Information Protocol
860 Routing Table Maintenance Protocol
863 SEBEK - Kernel Data Capture
865 SMB (Server Message Block Protocol)
866 SMB MailSlot Protocol
869 SNMP Multiplex Protocol
872 SS7 SCCP-User Adaptation Layer
876 STANAG 4406 Military Message Extensions
878 Sequenced Packet Protocol
879 Sequenced Packet eXchange
881 Service Advertisement Protocol
882 Service Location Protocol
883 Session Announcement Protocol
884 Session Description Protocol
885 Session Initiation Protocol
886 Session Initiation Protocol (SIP as raw text)
887 Short Message Peer to Peer
888 Short Message Relaying Service
889 Signaling Compression
890 Signalling Connection Control Part
891 Signalling Connection Control Part Management
892 Simple Mail Transfer Protocol
893 Simple Network Management Protocol
894 Simple Protected Negotiation
895 Simple Traversal of UDP Through NAT
898 Skinny Client Control Protocol
899 SliMP3 Communication Protocol
903 Spanning Tree Protocol
904 Stream Control Transmission Protocol
905 Subnetwork Dependent Convergence Protocol
906 Symantec Enterprise Firewall
907 Synchronized Multimedia Integration Language
908 Synchronous Data Link Control (SDLC)
911 Systems Network Architecture
912 Systems Network Architecture XID
916 TDMA RTmac Discipline
917 TEI Management Procedure, Channel D (LAPD)
918 TPKT - ISO on TCP - RFC1006
920 Tango Dissector Using GIOP API
921 Tazmen Sniffer Protocol
923 Teredo IPv6 over UDP tunneling
924 The Armagetron Advanced OpenGL Tron clone
926 Time Synchronization Protocol
927 Tiny Transport Protocol
929 Token-Ring Media Access Control
930 Transaction Capabilities Application Part
931 Transmission Control Protocol
932 Transparent Network Substrate Protocol
933 Transport Adapter Layer Interface v1.0, RFC 3094
934 Trivial File Transfer Protocol
935 UDP Encapsulation of IPsec Packets
936 Universal Computer Protocol
937 Unlicensed Mobile Access
938 User Datagram Protocol
939 V5.2-User Adaptation Layer
940 Virtual Network Computing
941 Virtual Router Redundancy Protocol
942 Virtual Trunking Protocol
944 WAP Session Initiation Request
945 WINS (Windows Internet Name Service) Replication
946 Web Cache Coordination Protocol
948 WebSphere MQ Programmable Command Formats
949 Wellfleet Breath of Life
950 Wellfleet Compression
954 Wireless Session Protocol
955 Wireless Transaction Protocol
956 Wireless Transport Layer Security
957 Wlan Certificate Extension
958 X Display Manager Control Protocol
959 X.228 OSI Reliable Transfer Service
963 X.411 OSI Message Transfer Service
964 X.420 OSI Information Object
965 X.509 Authentication Framework
966 X.509 Certificate Extensions
967 X.509 Information Framework
968 X.509 Selected Attribute Types
969 X.880 OSI Remote Operations Service
973 Yahoo Messenger Protocol
974 Yahoo YMSG Messenger Protocol
978 Yellow Pages Transfer
980 Zone Information Protocol
982 eXtensible Markup Language
983 giFT Internet File Transfer
988 iTunes podCast rss elements
991 Q 1.6: Are there any plans to support {your favorite protocol}?
993 A: Support for particular protocols is added to Ethereal as a result of
994 people contributing that support; no formal plans for adding support for
995 particular protocols in particular future releases exist.
997 Q 1.7: Can Ethereal read capture files from {your favorite network
1000 A: Support for particular protocols is added to Ethereal as a result of
1001 people contributing that support; no formal plans for adding support for
1002 particular protocols in particular future releases exist.
1004 If a network analyzer writes out files in a format already supported by
1005 Ethereal (e.g., in libpcap format), Ethereal may already be able to read
1006 them, unless the analyzer has added its own proprietary extensions to that
1009 If a network analyzer writes out files in its own format, or has added
1010 proprietary extensions to another format, in order to make Ethereal read
1011 captures from that network analyzer, we would either have to have a
1012 specification for the file format, or the extensions, sufficient to give us
1013 enough information to read the parts of the file relevant to Ethereal, or
1014 would need at least one capture file in that format AND a detailed textual
1015 analysis of the packets in that capture file (showing packet time stamps,
1016 packet lengths, and the top-level packet header) in order to
1017 reverse-engineer the file format.
1019 Note that there is no guarantee that we will be able to reverse-engineer a
1020 capture file format.
1022 Q 1.8: What devices can Ethereal use to capture packets?
1024 A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial (PPP
1025 and SLIP) (if the OS on which it's running allows Ethereal to do so), 802.11
1026 wireless LAN (if the OS on which it's running allows Ethereal to do so), ATM
1027 connections (if the OS on which it's running allows Ethereal to do so), and
1028 the "any" device supported on Linux by recent versions of libpcap. See the
1029 list of supported capture media on various OSes for details (several items
1030 in there say "Unknown", which doesn't mean "Ethereal can't capture on them",
1031 it means "we don't know whether it can capture on them"; we expect that it
1032 will be able to capture on many of them, but we haven't tried it ourselves -
1033 if you try one of those types and it works, please send an update to
1034 ethereal-web[AT]ethereal.com ).
1036 It can also read a variety of capture file formats, including:
1037 * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
1039 * AIX's iptrace captures
1040 * Accellent's 5Views LAN agent output
1041 * Cinco Networks NetXRay captures
1042 * Cisco Secure Intrusion Detection System IPLog output
1043 * CoSine L2 debug output
1044 * DBS Etherwatch VMS text output
1045 * Endace Measurement Systems' ERF format captures
1046 * EyeSDN USB S0 traces
1047 * HP-UX nettl captures
1048 * ISDN4BSD project i4btrace captures
1049 * Linux Bluez Bluetooth stack hcidump -w traces
1050 * Lucent/Ascend router debug output
1051 * Microsoft Network Monitor captures
1052 * Network Associates Windows-based Sniffer captures
1053 * Network General/Network Associates DOS-based Sniffer (compressed or
1054 uncompressed) captures
1055 * Network Instruments Observer version 9 captures
1056 * Novell LANalyzer captures
1057 * RADCOM's WAN/LAN analyzer captures
1058 * Shomiti/Finisar Surveyor captures
1059 * Toshiba's ISDN routers dump output
1060 * VMS TCPIPtrace/TCPtrace/UCX$TRACE output
1061 * Visual Networks' Visual UpTime traffic capture
1062 * libpcap, tcpdump and various other tools using tcpdump's capture format
1063 * snoop and atmsnoop output
1065 so that it can read traces from various network types, as captured by other
1066 applications or equipment, even if it cannot itself capture on those network
1069 Q 1.9: How do you pronounce Ethereal? Where did the name come from?
1071 A: The English pronunciation can be found in Merriam-Webster's online
1073 http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.
1075 According to the book "Computer Networks" by Andrew Tannenbaum, Ethernet was
1076 named after the "luminiferous ether" which was once thought to carry
1077 electromagnetic radiation. Taking that into consideration, Ethereal seemed
1078 like an appropriate name for something that started out as an Ethernet
1081 2. Downloading Ethereal
1083 Q 2.1: I downloaded the Win32 installer, but when I try to run it, I get an
1086 A: The program you used to download it may have downloaded it incorrectly.
1087 Web browsers sometimes may do this.
1089 Try downloading it with, for example:
1090 * Wget, for which Windows binaries are available on the SunSITE FTP server
1091 at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI offers a GUI
1092 interface that uses wget;
1093 * WS_FTP from Ipswitch,
1094 * the ftp command that comes with Windows.
1096 If you use the ftp command, make sure you do the transfer in binary mode
1097 rather than ASCII mode, by using the binary command before transferring the
1100 Q 2.2: When I try to download the WinPcap driver and library, I can't get to
1101 the WinPcap Web site.
1103 A: As is the case with all Web sites, that site won't necessarily always be
1104 accessible; the server may be down due to a problem or down for maintenance,
1105 or there may be a networking problem between you and the server. You should
1106 try again later, or try the local mirror or the Wiretapped.net mirror.
1108 3. Installing Ethereal
1110 Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
1111 installed; only Tethereal is installed.
1113 A: Older versions of the Red Hat RPMs for Ethereal put only the non-GUI
1114 components into the ethereal RPM, the fact that Ethereal is a GUI program
1115 nonwithstanding; newer versions make it a bit clearer by giving that RPM a
1116 name starting with ethereal-base.
1118 In those older versions, there's a separate ethereal-gnome RPM that includes
1119 GUI components such as Ethereal itself, the fact that Ethereal doesn't use
1120 GNOME nonwithstanding; newer versions make it a bit clearer by giving that
1121 RPM a name starting with ethereal-gtk+.
1123 Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.
1125 4. Building Ethereal
1127 Q 4.1: The configure script can't find pcap.h or bpf.h, but I have libpcap
1130 A: Are you sure pcap.h and bpf.h are installed? The official distribution of
1131 libpcap only installs the libpcap.a library file when "make install" is run.
1132 To install pcap.h and bpf.h, you must run "make install-incl". If you're
1133 running Debian or Redhat, make sure you have the "libpcap-dev" or
1134 "libpcap-devel" packages installed.
1136 It's also possible that pcap.h and bpf.h have been installed in a strange
1137 location. If this is the case, you may have to tweak aclocal.m4.
1139 Q 4.2: Why do I get the error
1141 dftest_DEPENDENCIES was already defined in condition TRUE, which implies
1142 condition HAVE_PLUGINS_TRUE
1144 when I try to build Ethereal from SVN or a SVN snapshot?
1146 A: You probably have automake 1.5 installed on your machine (the command
1147 automake --version will report the version of automake on your machine).
1148 There is a bug in that version of automake that causes this problem; upgrade
1149 to a later version of automake (1.6 or later).
1151 Q 4.3: The link fails with a number of "Output line too long." messages
1152 followed by linker errors.
1154 A: The version of the sed command on your system is incapable of handling
1155 very long lines. On Solaris, for example, /usr/bin/sed has a line length
1156 limit too low to allow libtool to work; /usr/xpg4/bin/sed can handle it, as
1157 can GNU sed if you have it installed.
1159 On Solaris, changing your command search path to search /usr/xpg4/bin before
1160 /usr/bin should make the problem go away; on any platform on which you have
1161 this problem, installing GNU sed and changing your command path to search
1162 the directory in which it is installed before searching the directory with
1163 the version of sed that came with the OS should make the problem go away.
1165 Q 4.4: The link fails on Solaris because plugin_list is undefined.
1167 A: This appears to be due to a problem with some versions of the GTK+ and
1168 GLib packages from www.sunfreeware.org; un-install those packages, and try
1169 getting the 1.2.10 versions from that site, or the versions from The Written
1170 Word, or the versions from Sun's GNOME distribution, or the versions from
1171 the supplemental software CD that comes with the Solaris media kit, or build
1172 them from source from the GTK Web site. Then re-run the configuration
1173 script, and try rebuilding Ethereal. (If you get the 1.2.10 versions from
1174 www.sunfreeware.org, and the problem persists, un-install them and try
1175 installing one of the other versions mentioned.)
1177 Q 4.5: The build fails on Windows because of conflicts between winsock.h and
1180 A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and the
1181 corresponding version of the developer's pack, in order to be able to
1182 compile Ethereal; it will not compile with older versions of the developer's
1183 pack. The symptoms of this failure are conflicts between definitions in
1184 winsock.h and in winsock2.h; Ethereal uses winsock2.h, but pre-2.3 versions
1185 of the WinPcap developer's packet use winsock.h. (2.3 uses winsock2.h, so if
1186 Ethereal were to use winsock.h, it would not be able to build with current
1187 versions of the WinPcap developer's pack.)
1189 Note that the installed version of the developer's pack should be the same
1190 version as the version of WinPcap you have installed.
1194 Q 5.1: When I use Ethereal to capture packets, I see only packets to and
1195 from my machine, or I'm not seeing all the traffic I'm expecting to see from
1196 or to the machine I'm trying to monitor.
1198 A: This might be because the interface on which you're capturing is plugged
1199 into an Ethernet or Token Ring switch; on a switched network, unicast
1200 traffic between two ports will not necessarily appear on other ports - only
1201 broadcast and multicast traffic will be sent to all ports.
1203 Note that even if your machine is plugged into a hub, the "hub" may be a
1204 switched hub, in which case you're still on a switched network.
1206 Note also that on the Linksys Web site, they say that their auto-sensing
1207 hubs "broadcast the 10Mb packets to the port that operate at 10Mb only and
1208 broadcast the 100Mb packets to the ports that operate at 100Mb only", which
1209 would indicate that if you sniff on a 10Mb port, you will not see traffic
1210 coming sent to a 100Mb port, and vice versa. This problem has also been
1211 reported for Netgear dual-speed hubs, and may exist for other "auto-sensing"
1212 or "dual-speed" hubs.
1214 Some switches have the ability to replicate all traffic on all ports to a
1215 single port so that you can plug your analyzer into that single port to
1216 sniff all traffic. You would have to check the documentation for the switch
1217 to see if this is possible and, if so, to see how to do this. See the switch
1218 reference page on the Ethereal Wiki for information on some switches. (Note
1219 that it's a Wiki, so you can update or fix that information, or add
1220 additional information on those switches or information on new switches,
1223 Note also that many firewall/NAT boxes have a switch built into them; this
1224 includes many of the "cable/DSL router" boxes. If you have a box of that
1225 sort, that has a switch with some number of Ethernet ports into which you
1226 plug machines on your network, and another Ethernet port used to connect to
1227 a cable or DSL modem, you can, at least, sniff traffic between the machines
1228 on your network and the Internet by plugging the Ethernet port on the router
1229 going to the modem, the Ethernet port on the modem, and the machine on which
1230 you're running Ethereal into a hub (make sure it's not a switching hub, and
1231 that, if it's a dual-speed hub, all three of those ports are running at the
1234 If your machine is not plugged into a switched network or a dual-speed hub,
1235 or it is plugged into a switched network but the port is set up to have all
1236 traffic replicated to it, the problem might be that the network interface on
1237 which you're capturing doesn't support "promiscuous" mode, or because your
1238 OS can't put the interface into promiscuous mode. Normally, network
1239 interfaces supply to the host only:
1240 * packets sent to one of that host's link-layer addresses;
1241 * broadcast packets;
1242 * multicast packets sent to a multicast address that the host has
1243 configured the interface to accept.
1245 Most network interfaces can also be put in "promiscuous" mode, in which they
1246 supply to the host all network packets they see. Ethereal will try to put
1247 the interface on which it's capturing into promiscuous mode unless the
1248 "Capture packets in promiscuous mode" option is turned off in the "Capture
1249 Options" dialog box, and Tethereal will try to put the interface on which
1250 it's capturing into promiscuous mode unless the -p option was specified.
1251 However, some network interfaces don't support promiscuous mode, and some
1252 OSes might not allow interfaces to be put into promiscuous mode.
1254 If the interface is not running in promiscuous mode, it won't see any
1255 traffic that isn't intended to be seen by your machine. It will see
1256 broadcast packets, and multicast packets sent to a multicast MAC address the
1257 interface is set up to receive.
1259 You should ask the vendor of your network interface whether it supports
1260 promiscuous mode. If it does, you should ask whoever supplied the driver for
1261 the interface (the vendor, or the supplier of the OS you're running on your
1262 machine) whether it supports promiscuous mode with that network interface.
1264 In the case of token ring interfaces, the drivers for some of them, on
1265 Windows, may require you to enable promiscuous mode in order to capture in
1266 promiscuous mode. See the Ethereal Wiki item on Token Ring capturing for
1269 In the case of wireless LAN interfaces, it appears that, when those
1270 interfaces are promiscuously sniffing, they're running in a significantly
1271 different mode from the mode that they run in when they're just acting as
1272 network interfaces (to the extent that it would be a significant effor for
1273 those drivers to support for promiscuously sniffing and acting as regular
1274 network interfaces at the same time), so it may be that Windows drivers for
1275 those interfaces don't support promiscuous mode.
1277 Q 5.2: I can't see any TCP packets other than packets to and from my
1278 machine, even though another analyzer on the network sees those packets.
1280 A: You're probably not seeing any packets other than unicast packets to or
1281 from your machine, and broadcast and multicast packets; a switch will
1282 normally send to a port only unicast traffic sent to the MAC address for the
1283 interface on that port, and broadcast and multicast traffic - it won't send
1284 to that port unicast traffic sent to a MAC address for some other interface
1285 - and a network interface not in promiscuous mode will receive only unicast
1286 traffic sent to the MAC address for that interface, broadcast traffic, and
1287 multicast traffic sent to a multicast MAC address the interface is set up to
1290 TCP doesn't use broadcast or multicast, so you will only see your own TCP
1291 traffic, but UDP services may use broadcast or multicast so you'll see some
1292 UDP traffic - however, this is not a problem with TCP traffic, it's a
1293 problem with unicast traffic, as you also won't see all UDP traffic between
1296 I.e., this is probably the same question as this earlier one; see the
1297 response to that question.
1299 Q 5.3: I'm only seeing ARP packets when I try to capture traffic.
1301 A: You're probably on a switched network, and running Ethereal on a machine
1302 that's not sending traffic to the switch and not being sent any traffic from
1303 other machines on the switch. ARP packets are often broadcast packets, which
1304 are sent to all switch ports.
1306 I.e., this is probably the same question as this earlier one; see the
1307 response to that question.
1309 Q 5.4: I'm running Ethereal on Windows; why does some network interface on
1310 my machine not show up in the list of interfaces in the "Interface:" field
1311 in the dialog box popped up by "Capture->Start", and/or why does Ethereal
1312 give me an error if I try to capture on that interface?
1314 A: If you are running Ethereal on Windows NT 4.0, Windows 2000, Windows XP,
1315 or Windows Server 2003, and this is the first time you have run a
1316 WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, or
1317 Analyzer, or...) since the machine was rebooted, you need to run that
1318 program from an account with administrator privileges; once you have run
1319 such a program, you will not need administrator privileges to run any such
1320 programs until you reboot.
1322 If you are running on Windows 95/98/Me, or if you are running on Windows NT
1323 4.0/Windows 2000/Windows XP/Windows Server 2003 and have administrator
1324 privileges or a WinPcap-based program has been run with those privileges
1325 since the machine rebooted, this problem might clear up if you completely
1326 un-install WinPcap and then re-install it.
1328 If that doesn't work, then note that Ethereal relies on the WinPcap library,
1329 on the WinPcap device driver, and on the facilities that come with the OS on
1330 which it's running in order to do captures.
1332 Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
1333 support capturing on a particular network interface device, Ethereal won't
1334 be able to capture on that device.
1337 1. 2.02 and earlier versions of the WinPcap driver and library that
1338 Ethereal uses for packet capture didn't support Token Ring interfaces;
1339 versions 2.1 and later support Token Ring, and the current version of
1340 Ethereal works with (and, in fact, requires) WinPcap 2.1 or later.
1341 If you are having problems capturing on Token Ring interfaces, and you
1342 have WinPcap 2.02 or an earlier version of WinPcap installed, you should
1343 uninstall WinPcap, download and install the current version of WinPcap,
1344 and then install the latest version of Ethereal.
1345 2. On Windows 95, 98, or Me, sometimes more than one interface will be
1346 given the same name; if that is the case, you will only be able to
1347 capture on one of those interfaces - it's not clear to which one the
1348 name, when used in a WinPcap-based application, will refer. For example,
1349 if you have a PPP serial interface and a VPN interface, they might show
1350 up with the same name, for example "ppp-mac", and if you try to capture
1351 on "ppp-mac", it might not capture on the interface you're currently
1352 using. In that case, you might, for example, have to remove the VPN
1353 interface from the system in order to capture on the PPP serial
1355 3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows NT
1356 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to avoid
1357 those problems, support for PPP WAN interfaces on those versions of
1358 Windows has been disabled in WinPcap 3.0. Regular dial-up lines, ISDN
1359 lines, ADSL connections using PPPoE or PPPoA, and various other lines
1360 such as T1/E1 lines are all PPP interfaces, so those interfaces might
1361 not show up on the list of interfaces in the "Capture Options" dialog on
1363 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT
1364 4.0 or Windows Vista Beta 1, you should be able to capture on the
1365 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
1366 the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
1367 un-install it and install the final 3.1 release.) See the Ethereal Wiki
1368 item on PPP capturing for details.
1369 4. WinPcap prior to 3.0 does not support multiprocessor machines (note that
1370 machines with a single multi-threaded processor, such as Intel's new
1371 multi-threaded x86 processors, are multiprocessor machines as far as the
1372 OS and WinPcap are concerned), and recent 2.x versions of WinPcap refuse
1373 to operate if they detect that they're running on a multiprocessor
1374 machine, which means that they may not show any network interfaces. You
1375 will need to use WinPcap 3.0 to capture on a multiprocessor machine.
1377 If an interface doesn't show up in the list of interfaces in the
1378 "Interface:" field, and you know the name of the interface, try entering
1379 that name in the "Interface:" field and capturing on that device.
1381 If the attempt to capture on it succeeds, the interface is somehow not being
1382 reported by the mechanism Ethereal uses to get a list of interfaces. Try
1383 listing the interfaces with WinDump; see the WinDump Web site or the local
1384 mirror of the WinDump Web site for information on using WinDump.
1386 You would run WinDump with the -D flag; if it lists the interface, please
1387 report this to ethereal-dev@ethereal.com giving full details of the problem,
1389 * the operating system you're using, and the version of that operating
1391 * the type of network device you're using;
1392 * the output of WinDump.
1394 If WinDump does not list the interface, this is almost certainly a problem
1395 with one or more of:
1396 * the operating system you're using;
1397 * the device driver for the interface you're using;
1398 * the WinPcap library and/or the WinPcap device driver;
1400 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1401 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1402 there. If not, then see the WinPcap support page (or the local mirror of
1403 that page) - check the "Submitting bugs" section.
1405 If you are having trouble capturing on a particular network interface, first
1406 try capturing on that device with WinDump; see the WinDump Web site or the
1407 local mirror of the WinDump Web site for information on using WinDump.
1409 If you can capture on the interface with WinDump, send mail to
1410 ethereal-users@ethereal.com giving full details of the problem, including
1411 * the operating system you're using, and the version of that operating
1413 * the type of network device you're using;
1414 * the error message you get from Ethereal.
1416 If you cannot capture on the interface with WinDump, this is almost
1417 certainly a problem with one or more of:
1418 * the operating system you're using;
1419 * the device driver for the interface you're using;
1420 * the WinPcap library and/or the WinPcap device driver;
1422 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1423 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1424 there. If not, then see the WinPcap support page (or the local mirror of
1425 that page) - check the "Submitting bugs" section.
1427 You may also want to ask the ethereal-users@ethereal.com and the
1428 winpcap-users@winpcap.org mailing lists to see if anybody happens to know
1429 about the problem and know a workaround or fix for the problem. (Note that
1430 you will have to subscribe to that list in order to be allowed to mail to
1431 it; see the WinPcap support page, or the local mirror of that page, for
1432 information on the mailing list.) In your mail, please give full details of
1433 the problem, as described above, and also indicate that the problem occurs
1434 with WinDump, not just with Ethereal.
1436 Q 5.5: I'm running Ethereal on Windows; why do no network interfaces show up
1437 in the list of interfaces in the "Interface:" field in the dialog box popped
1438 up by "Capture->Start"?
1440 A: This is really the same question as the previous one; see the response to
1443 Q 5.6: I'm running Ethereal on Windows; why doesn't my serial port/ADSL
1444 modem/ISDN modem show up in the list of interfaces in the "Interface:" field
1445 in the dialog box popped up by "Capture->Start"?
1447 A: Internet access on those devices is often done with the Point-to-Point
1448 (PPP) protocol; WinPcap 2.3 has problems supporting PPP WAN interfaces on
1449 Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
1450 avoid those problems, support for PPP WAN interfaces on those versions of
1451 Windows has been disabled in WinPcap 3.0.
1453 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0
1454 or Windows Vista Beta 1, you should be able to capture on the
1455 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the
1456 "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install
1457 it and install the final 3.1 release.) See the Ethereal Wiki item on PPP
1458 capturing for details.
1460 Q 5.7: I'm running Ethereal on a UNIX-flavored OS; why does some network
1461 interface on my machine not show up in the list of interfaces in the
1462 "Interface:" field in the dialog box popped up by "Capture->Start", and/or
1463 why does Ethereal give me an error if I try to capture on that interface?
1465 A: You may need to run Ethereal from an account with sufficient privileges
1466 to capture packets, such as the super-user account, or may need to give your
1467 account sufficient privileges to capture packets. Only those interfaces that
1468 Ethereal can open for capturing show up in that list; if you don't have
1469 sufficient privileges to capture on any interfaces, no interfaces will show
1470 up in the list. See the Ethereal Wiki item on capture privileges for details
1471 on how to give a particular account or account group capture privileges on
1472 platforms where that can be done.
1474 If you are running Ethereal from an account with sufficient privileges, then
1475 note that Ethereal relies on the libpcap library, and on the facilities that
1476 come with the OS on which it's running in order to do captures. On some
1477 OSes, those facilities aren't present by default; see the Ethereal Wiki item
1478 on adding capture support for details.
1480 And, even if you're running with an account that has sufficient privileges
1481 to capture, and capture support is present in your OS, if the OS or the
1482 libpcap library don't support capturing on a particular network interface
1483 device or particular types of devices, Ethereal won't be able to capture on
1486 On Solaris, note that libpcap 0.6.2 and earlier didn't support Token Ring
1487 interfaces; the current version, 0.7.2, does support Token Ring, and the
1488 current version of Ethereal works with libcap 0.7.2 and later.
1490 If an interface doesn't show up in the list of interfaces in the
1491 "Interface:" field, and you know the name of the interface, try entering
1492 that name in the "Interface:" field and capturing on that device.
1494 If the attempt to capture on it succeeds, the interface is somehow not being
1495 reported by the mechanism Ethereal uses to get a list of interfaces; please
1496 report this to ethereal-dev@ethereal.com giving full details of the problem,
1498 * the operating system you're using, and the version of that operating
1499 system (for Linux, give both the version number of the kernel and the
1500 name and version number of the distribution you're using);
1501 * the type of network device you're using.
1503 If you are having trouble capturing on a particular network interface, and
1504 you've made sure that (on platforms that require it) you've arranged that
1505 packet capture support is present, as per the above, first try capturing on
1506 that device with tcpdump.
1508 If you can capture on the interface with tcpdump, send mail to
1509 ethereal-users@ethereal.com giving full details of the problem, including
1510 * the operating system you're using, and the version of that operating
1511 system (for Linux, give both the version number of the kernel and the
1512 name and version number of the distribution you're using);
1513 * the type of network device you're using;
1514 * the error message you get from Ethereal.
1516 If you cannot capture on the interface with tcpdump, this is almost
1517 certainly a problem with one or more of:
1518 * the operating system you're using;
1519 * the device driver for the interface you're using;
1520 * the libpcap library;
1522 so you should report the problem to the company or organization that
1523 produces the OS (in the case of a Linux distribution, report the problem to
1524 whoever produces the distribution).
1526 You may also want to ask the ethereal-users@ethereal.com and the
1527 tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to know
1528 about the problem and know a workaround or fix for the problem. In your
1529 mail, please give full details of the problem, as described above, and also
1530 indicate that the problem occurs with tcpdump not just with Ethereal.
1532 Q 5.8: I'm running Ethereal on a UNIX-flavored OS; why do no network
1533 interfaces show up in the list of interfaces in the "Interface:" field in
1534 the dialog box popped up by "Capture->Start"?
1536 A: This is really the same question as the previous one; see the response to
1539 Q 5.9: Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
1541 A: Ethereal can only capture on devices supported by libpcap/WinPcap. On
1542 most OSes, only devices that can act as network interfaces of the type that
1543 support IP are supported as capture devices for libpcap/WinPcap, although
1544 the device doesn't necessarily have to be running as an IP interface in
1545 order to support traffic capture.
1547 On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
1548 Measurement Systems' DAG cards, so that a system with one of those cards,
1549 and its driver and libraries, installed can capture traffic with those cards
1550 with libpcap-based applications. You would either have to have a version of
1551 Ethereal built with that version of libpcap, or a dynamically-linked version
1552 of Ethereal and a shared libpcap library with DAG support, in order to do so
1553 with Ethereal. You should ask Endace whether that could be used to capture
1554 traffic on, for example, your T1/E1 link.
1555 See the SS7 capture setup page on the Ethereal Wiki for current information
1556 on capturing SS7 traffic on TDM links.
1558 Q 5.10: How do I put an interface into promiscuous mode?
1560 A: By not disabling promiscuous mode when running Ethereal or Tethereal.
1562 Note, however, that:
1563 * the form of promiscuous mode that libpcap (the library that programs
1564 such as tcpdump, Ethereal, etc. use to do packet capture) turns on will
1565 not necessarily be shown if you run ifconfig on the interface on a UNIX
1567 * some network interfaces might not support promiscuous mode, and some
1568 drivers might not allow promiscuous mode to be turned on - see this
1569 earlier question for more information on that;
1570 * the fact that you're not seeing any traffic, or are only seeing
1571 broadcast traffic, or aren't seeing any non-broadcast traffic other than
1572 traffic to or from the machine running Ethereal, does not mean that
1573 promiscuous mode isn't on - see this earlier question for more
1574 information on that.
1576 I.e., this is probably the same question as this earlier one; see the
1577 response to that question.
1579 Q 5.11: I can set a display filter just fine, but capture filters don't
1582 A: Capture filters currently use a different syntax than display filters.
1583 Here's the corresponding section from the ethereal(1) man page:
1585 "Display filters in Ethereal are very powerful; more fields are filterable
1586 in Ethereal than in other protocol analyzers, and the syntax you can use to
1587 create your filters is richer. As Ethereal progresses, expect more and more
1588 protocol fields to be allowed in display filters.
1590 Packet capturing is performed with the pcap library. The capture filter
1591 syntax follows the rules of the pcap library. This syntax is different from
1592 the display filter syntax."
1594 The capture filter syntax used by libpcap can be found in the tcpdump(8) man
1597 Q 5.12: I'm entering valid capture filters, but I still get "parse error"
1600 A: There is a bug in some versions of libpcap/WinPcap that cause it to
1601 report parse errors even for valid expressions if a previous filter
1602 expression was invalid and got a parse error.
1604 Try exiting and restarting Ethereal; if you are using a version of
1605 libpcap/WinPcap with this bug, this will "erase" its memory of the previous
1606 parse error. If the capture filter that got the "parse error" now works, the
1607 earlier error with that filter was probably due to this bug.
1609 The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of libpcap
1610 have this bug, but 0.6[.x] and later versions don't.
1612 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of libpcap,
1613 and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and doesn't have
1616 If you are running Ethereal on a UNIX-flavored platform, run "ethereal -v",
1617 or select "About Ethereal..." from the "Help" menu in Ethereal, to see what
1618 version of libpcap it's using. If it's not 0.6 or later, you will need
1619 either to upgrade your OS to get a later version of libpcap, or will need to
1620 build and install a later version of libpcap from the tcpdump.org Web site
1621 and then recompile Ethereal from source with that later version of libpcap.
1623 If you are running Ethereal on Windows with a pre-2.3 version of WinPcap,
1624 you will need to un-install WinPcap and then download and install WinPcap
1627 Q 5.13: I saved a filter and tried to use its name to filter the display,
1628 but I got an "Unexpected end of filter string" error.
1630 A: You cannot use the name of a saved display filter as a filter. To filter
1631 the display, you can enter a display filter expression - not the name of a
1632 saved display filter - in the "Filter:" box at the bottom of the display,
1633 and type the key or press the "Apply" button (that does not require you to
1634 have a saved filter), or, if you want to use a saved filter, you can press
1635 the "Filter:" button, select the filter in the dialog box that pops up, and
1636 press the "OK" button.
1638 Q 5.14: Why am I seeing lots of packets with incorrect TCP checksums?
1640 A: If the packets that have incorrect TCP checksums are all being sent by
1641 the machine on which Ethereal is running, this is probably because the
1642 network interface on which you're capturing does TCP checksum offloading.
1643 That means that the TCP checksum is added to the packet by the network
1644 interface, not by the OS's TCP/IP stack; when capturing on an interface,
1645 packets being sent by the host on which you're capturing are directly handed
1646 to the capture interface by the OS, which means that they are handed to the
1647 capture interface without a TCP checksum being added to them.
1649 The only way to prevent this from happening would be to disable TCP checksum
1651 1. that might not even be possible on some OSes;
1652 2. that could reduce networking performance significantly.
1654 However, you can disable the check that Ethereal does of the TCP checksum,
1655 so that it won't report any packets as having TCP checksum errors, and so
1656 that it won't refuse to do TCP reassembly due to a packet having an
1657 incorrect TCP checksum. That can be set as an Ethereal preference by
1658 selecting "Preferences" from the "Edit" menu, opening up the "Protocols"
1659 list in the left-hand pane of the "Preferences" dialog box, selecting "TCP",
1660 from that list, turning off the "Check the validity of the TCP checksum when
1661 possible" option, clicking "Save" if you want to save that setting in your
1662 preference file, and clicking "OK".
1664 It can also be set on the Ethereal or Tethereal command line with a -o
1665 tcp.check_checksum:false command-line flag, or manually set in your
1666 preferences file by adding a tcp.check_checksum:false line.
1668 Q 5.15: I've just installed Ethereal, and the traffic on my local LAN is
1671 A: We have a collection of strange and exotic sample capture files at
1672 http://wiki.ethereal.com/SampleCaptures
1674 Q 5.16: When I run Ethereal on Solaris 8, it dies with a Bus Error when I
1677 A: Some versions of the GTK+ library from www.sunfreeware.org appear to be
1678 buggy, causing Ethereal to drop core with a Bus Error. Un-install those
1679 packages, and try getting the 1.2.10 version from that site, or the version
1680 from The Written Word, or the version from Sun's GNOME distribution, or the
1681 version from the supplemental software CD that comes with the Solaris media
1682 kit, or build it from source from the GTK Web site. Update the GLib library
1683 to the 1.2.10 version, from the same source, as well. (If you get the 1.2.10
1684 versions from www.sunfreeware.org, and the problem persists, un-install them
1685 and try installing one of the other versions mentioned.)
1687 Similar problems may exist with older versions of GTK+ for earlier versions
1690 Q 5.17: When I run Ethereal, I get an error
1692 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
1693 assertion `height > 0' failed.
1695 A: This is a bug in Ethereal 0.10.5 and 0.10.5a, which is fixed in Ethereal
1696 0.10.6 and later releases.
1698 Q 5.18: When I run Tethereal with the "-x" option, it crashes with an error
1700 "** ERROR **: file print.c: line 691 (print_line): should not be reached.
1702 A: This is a bug in Ethereal 0.10.0a, which is fixed in 0.10.1 and later
1703 releases. To work around the bug, don't use "-x" unless you're also using
1704 "-V"; note that "-V" produces a full dissection of each packet, so you might
1707 Q 5.19: When I run Ethereal on Windows NT, it dies with a Dr. Watson error,
1708 reporting an "Integer division by zero" exception, when I start it.
1710 A: In at least some case, this appears to be due to using the default VGA
1711 driver; if that's not the correct driver for your video card, try running
1712 the correct driver for your video card.
1714 Q 5.20: When I try to run Ethereal, it complains about sprint_realloc_objid
1717 A: Ethereal can only be linked with version 4.2.2 or later of UCD SNMP. Your
1718 version of Ethereal was dynamically linked with such a version of UCD SNMP;
1719 however, you have an older version of UCD SNMP installed, which means that
1720 when Ethereal is run, it tries to link to the older version, and fails. You
1721 will have to replace that version of UCD SNMP with version 4.2.2 or a later
1724 Q 5.21: I'm running Ethereal on Linux; why do my time stamps have only 100ms
1725 resolution, rather than 1us resolution?
1727 A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap get
1728 them from the OS kernel, so Ethereal - and any other program using libpcap,
1729 such as tcpdump - is at the mercy of the time stamping code in the OS for
1732 At least on x86-based machines, Linux can get high-resolution time stamps on
1733 newer processors with the Time Stamp Counter (TSC) register; for example,
1734 Intel x86 processors, starting with the Pentium Pro, and including all x86
1735 processors since then, have had a TSC, and other vendors probably added the
1736 TSC at some point to their families of x86 processors.
1738 The Linux kernel must be configured with the CONFIG_X86_TSC option enabled
1739 in order to use the TSC. Make sure this option is enabled in your kernel.
1741 In addition, some Linux distributions may have bugs in their versions of the
1742 kernel that cause packets not to be given high-resolution time stamps even
1743 if the TSC is enabled. See, for example, bug 61111 for Red Hat Linux 7.2. If
1744 your distribution has a bug such as this, you may have to run a standard
1745 kernel from kernel.org in order to get high-resolution time stamps.
1747 Q 5.22: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why
1748 are the time stamps on packets wrong?
1750 A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap 3.0.
1752 Q 5.23: When I try to run Ethereal on Windows, it fails to run because it
1753 can't find packet.dll.
1755 A: In older versions of Ethereal, there were two binary distributions
1756 available for Windows, one that supported capturing packets, and one that
1757 didn't. The version that supported capturing packets required that you
1758 install the WinPcap driver; if you didn't install it, it would fail to run
1759 because it couldn't find packet.dll.
1761 The current version of Ethereal has only one binary distribution for
1762 Windows; that version will check whether WinPcap is installed and, if it's
1763 not, will disable support for packet capture.
1765 The WinPcap driver and libraries can be downloaded from the WinPcap Web
1766 site, the local mirror of the WinPcap Web site, or the Wiretapped.net mirror
1767 of the WinPcap site.
1769 Q 5.24: I'm running Ethereal on Windows NT 4.0/Windows 2000/Windows
1770 XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
1771 interface, and it shows up in the "Interface" item in the "Capture Options"
1772 dialog box. Why can no packets be sent on or received from that network
1773 while I'm trying to capture traffic on that interface?
1775 A: Some versions of WinPcap have problems with PPP WAN interfaces on Windows
1776 NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one symptom that
1777 may be seen is that attempts to capture in promiscuous mode on the interface
1778 cause the interface to be incapable of sending or receiving packets. You can
1779 disable promiscuous mode using the -p command-line flag or the item in the
1780 "Capture Preferences" dialog box, but this may mean that outgoing packets,
1781 or incoming packets, won't be seen in the capture.
1783 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0
1784 or Windows Vista Beta 1, you should be able to capture on the
1785 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the
1786 "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install
1787 it and install the final 3.1 release.) See the Ethereal Wiki item on PPP
1788 capturing for details.
1790 Q 5.25: I'm running Ethereal on Windows 95/98/Me, on a machine with more
1791 than one network adapter of the same type; Ethereal shows all of those
1792 adapters with the same name, but I can't use any of those adapters other
1795 A: Unfortunately, Windows 95/98/Me gives the same name to multiple instances
1796 of the type of same network adapter. Therefore, WinPcap cannot distinguish
1797 between them, so a WinPcap-based application can capture only on the first
1798 such interface; Ethereal is a libpcap/WinPcap-based application.
1800 Q 5.26: I'm running Ethereal on Windows, and I'm not seeing any traffic
1801 being sent by the machine running Ethereal.
1803 A: If you are running some form of VPN client software, it might be causing
1804 this problem; people have seen this problem when they have Check Point's VPN
1805 software installed on their machine. If that's the cause of the problem, you
1806 will have to remove the VPN software in order to have Ethereal (or any other
1807 application using WinPcap) see outgoing packets; unfortunately, neither we
1808 nor the WinPcap developers know any way to make WinPcap and the VPN software
1811 Also, some drivers for Windows (especially some wireless network interface
1812 drivers) apparently do not, when running in promiscuous mode, arrange that
1813 outgoing packets are delivered to the software that requested that the
1814 interface run promiscuously; try turning promiscuous mode off.
1816 Q 5.27: I'm trying to capture traffic but I'm not seeing any.
1818 A: Is the machine running Ethereal sending out any traffic on the network
1819 interface on which you're capturing, or receiving any traffic on that
1820 network, or is there any broadcast traffic on the network or multicast
1821 traffic to a multicast group to which the machine running Ethereal belongs?
1823 If not, this may just be a problem with promiscuous sniffing, either due to
1824 running on a switched network or a dual-speed hub, or due to problems with
1825 the interface not supporting promiscuous mode; see the response to this
1828 Otherwise, on Windows, see the response to this question and, on a
1829 UNIX-flavored OS, see the response to this question.
1831 Q 5.28: I have an XXX network card on my machine; if I try to capture on it,
1832 my machine crashes or resets itself.
1834 A: This is almost certainly a problem with one or more of:
1835 * the operating system you're using;
1836 * the device driver for the interface you're using;
1837 * the libpcap/WinPcap library and, if this is Windows, the WinPcap device
1841 * if you are using Windows, see the WinPcap support page (or the local
1842 mirror of that page) - check the "Submitting bugs" section;
1843 * if you are using some Linux distribution, some version of BSD, or some
1844 other UNIX-flavored OS, you should report the problem to the company or
1845 organization that produces the OS (in the case of a Linux distribution,
1846 report the problem to whoever produces the distribution).
1848 Q 5.29: My machine crashes or resets itself when I select "Start" from the
1849 "Capture" menu or select "Preferences" from the "Edit" menu.
1851 A: Both of those operations cause Ethereal to try to build a list of the
1852 interfaces that it can open; it does so by getting a list of interfaces and
1853 trying to open them. There is probably an OS, driver, or, for Windows,
1854 WinPcap bug that causes the system to crash when this happens; see the
1857 Q 5.30: Does Ethereal work on Windows Me?
1859 A: Yes, but if you want to capture packets, you will need to install the
1860 latest version of WinPcap, as 2.02 and earlier versions of WinPcap didn't
1861 support Windows Me. You should also install the latest version of Ethereal
1864 Q 5.31: Does Ethereal work on Windows XP?
1866 A: Yes, but if you want to capture packets, you will need to install the
1867 latest version of WinPcap, as 2.2 and earlier versions of WinPcap didn't
1870 Q 5.32: Why doesn't Ethereal correctly identify RTP packets? It shows them
1873 A: Ethereal can identify a UDP datagram as containing a packet of a
1874 particular protocol running atop UDP only if
1875 1. The protocol in question has a particular standard port number, and the
1876 UDP source or destination port number is that port
1877 2. Packets of that protocol can be identified by looking for a "signature"
1878 of some type in the packet - i.e., some data that, if Ethereal finds it
1879 in some particular part of a packet, means that the packet is almost
1880 certainly a packet of that type.
1881 3. Some other traffic earlier in the capture indicated that, for example,
1882 UDP traffic between two particular addresses and ports will be RTP
1885 RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, as
1886 far as I know, have any "signature", so 2) doesn't work.
1888 That leaves 3). If there's RTSP traffic that sets up an RTP session, then,
1889 at least in some cases, the RTSP dissector will set things up so that
1890 subsequent RTP traffic will be identified. Currently, that's the only place
1891 we do that; there may be other places.
1893 However, there will always be places where Ethereal is simply incapable of
1894 deducing that a given UDP flow is RTP; a mechanism would be needed to allow
1895 the user to specify that a given conversation should be treated as RTP. As
1896 of Ethereal 0.8.16, such a mechanism exists; if you select a UDP or TCP
1897 packet, the right mouse button menu will have a "Decode As..." menu item,
1898 which will pop up a dialog box letting you specify that the source port, the
1899 destination port, or both the source and destination ports of the packet
1900 should be dissected as some particular protocol.
1902 Q 5.33: Why doesn't Ethereal show Yahoo Messenger packets in captures that
1903 contain Yahoo Messenger traffic?
1905 A: Ethereal only recognizes as Yahoo Messenger traffic packets to or from
1906 TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP segments that
1907 start with the middle of a Yahoo Messenger packet that takes more than one
1908 TCP segment will not be recognized as Yahoo Messenger packets (even if the
1909 TCP segment also contains the beginning of another Yahoo Messenger packet).
1911 Q 5.34: Why do I get the error
1913 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
1917 when I try to run Ethereal on Windows?
1919 A: Ethereal is built using the GTK+ toolkit, which supports most
1920 UNIX-flavored OSes, and also supports Windows.
1922 Windows versions of Ethereal before 0.9.14 were built with an older version
1923 of that toolkit, which didn't support 256-color mode on Windows - it
1924 required HiColor (16-bit colors) or more.
1926 Windows versions of Ethereal 0.9.14 and later are built with a version of
1927 that toolkit that supports 256-color mode; upgrade to the current version of
1928 Ethereal if you want to run on a display in 256-color mode.
1930 Q 5.35: When I capture on Windows in promiscuous mode, I can see packets
1931 other than those sent to or from my machine; however, those packets show up
1932 with a "Short Frame" indication, unlike packets to or from my machine. What
1933 should I do to arrange that I see those packets in their entirety?
1935 A: In at least some cases, this appears to be the result of PGPnet running
1936 on the network interface on which you're capturing; turn it off on that
1939 Q 5.36: I'm capturing packets on a machine on a VLAN; why don't the packets
1940 I'm capturing have VLAN tags?
1942 A: You might be capturing on what might be called a "VLAN interface" - the
1943 way a particular OS makes VLANs plug into the networking stack might, for
1944 example, be to have a network device object for the physical interface,
1945 which takes VLAN packets, strips off the VLAN header and constructs an
1946 Ethernet header, and passes that packet to an internal network device object
1947 for the VLAN, which then passes the packets onto various higher-level
1948 protocol implementations.
1950 In order to see the raw Ethernet packets, rather than "de-VLANized" packets,
1951 you would have to capture not on the virtual interface for the VLAN, but on
1952 the interface corresponding to the physical network device, if possible. See
1953 the Ethereal Wiki item on VLAN capturing for details.
1955 Q 5.37: How can I capture raw 802.11 frames, including non-data (management,
1958 A: That depends on the operating system on which you're running, and on the
1959 802.11 interface on which you're capturing.
1961 This would probably require that you capture in promiscuous mode or in the
1962 mode called "monitor mode" or "RFMON mode". On some platforms, or with some
1963 cards, this might require that you capture in monitor mode - promiscuous
1964 mode might not be sufficient. If you want to capture traffic on networks
1965 other than the one with which you're associated, you will have to capture in
1968 Not all operating systems support capturing non-data packets and, even on
1969 operating systems that do support it, not all drivers, and thus not all
1970 interfaces, support it. Even on those that do, monitor mode might not be
1971 supported by the operating system or by the drivers for all interfaces.
1973 NOTE: an interface running in monitor mode will, on most if not all
1974 platforms, not be able to act as a regular network interface; putting it
1975 into monitor mode will, in effect, take your machine off of whatever network
1976 it's on as long as the interface is in monitor mode, allowing it only to
1977 passively capture packets.
1979 This means that you should disable name resolution when capturing in monitor
1980 mode; otherwise, when Ethereal (or Tethereal, or tcpdump) tries to display
1981 IP addresses as host names, it will probably block for a long time trying to
1982 resolve the name because it will not be able to communicate with any DNS or
1985 See the Ethereal Wiki item on 802.11 capturing for details.
1987 Q 5.38: How do I capture on an 802.11 device in monitor mode?
1989 A: Whether you will be able to capture in monitor mode depends on the
1990 operating system, adapter, and driver you're using. See the previous
1991 question for information on monitor mode, including a link to the Ethereal
1992 Wiki page that gives details on 802.11 capturing.
1994 Q 5.39: I'm trying to capture 802.11 traffic on Windows; why am I not seeing
1997 A: At least some 802.11 card drivers on Windows appear not to see any
1998 packets if they're running in promiscuous mode. Try turning promiscuous mode
1999 off; you'll only be able to see packets sent by and received by your
2000 machine, not third-party traffic, and it'll look like Ethernet traffic and
2001 won't include any management or control frames, but that's a limitation of
2004 See MicroLogix's list of cards supported with WinPcap for information on
2005 support of various adapters and drivers with WinPcap.
2007 Q 5.40: I'm trying to capture 802.11 traffic on Windows; why am I seeing
2008 packets received by the machine on which I'm capturing traffic, but not
2009 packets sent by that machine?
2011 A: This appears to be another problem with promiscuous mode; try turning it
2014 Q 5.41: How can I capture packets with CRC errors?
2016 A: Ethereal can capture only the packets that the packet capture library -
2017 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on
2018 Windows - can capture, and libpcap/WinPcap can capture only the packets that
2019 the OS's raw packet capture mechanism (or the WinPcap driver, and the
2020 underlying OS networking code and network interface drivers, on Windows)
2021 will allow it to capture.
2023 Unless the OS always supplies packets with errors such as invalid CRCs to
2024 the raw packet capture mechanism, or can be configured to do so, invalid
2025 CRCs to the raw packet capture mechanism, Ethereal - and other programs that
2026 capture raw packets, such as tcpdump - cannot capture those packets. You
2027 will have to determine whether your OS needs to be so configured and, if so,
2028 can be so configured, configure it if necessary and possible, and make
2029 whatever changes to libpcap and the packet capture program you're using are
2030 necessary, if any, to support capturing those packets.
2032 Most OSes probably do not support capturing packets with invalid CRCs on
2033 Ethernet, and probably do not support it on most other link-layer types.
2034 Some drivers on some OSes do support it, such as some Ethernet drivers on
2035 FreeBSD; in those OSes, you might always get those packets, or you might
2036 only get them if you capture in promiscuous mode (you'd have to determine
2039 Note that libpcap does not currently supply to programs that use it an
2040 indication of whether the packet's CRC was invalid (because the drivers
2041 themselves do not supply that information to the raw packet capture
2042 mechanism); therefore, Ethereal will not indicate which packets had CRC
2043 errors unless the FCS was captured (see the next question) and you're using
2044 Ethereal 0.9.15 and later, in which case Ethereal will check the CRC and
2045 indicate whether it's correct or not.
2047 Q 5.42: How can I capture entire frames, including the FCS?
2049 A: Ethereal can only capture data that the packet capture library - libpcap
2050 on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on Windows
2051 - can capture, and libpcap/WinPcap can capture only the data that the OS's
2052 raw packet capture mechanism (or the WinPcap driver, and the underlying OS
2053 networking code and network interface drivers, on Windows) will allow it to
2056 For any particular link-layer network type, unless the OS supplies the FCS
2057 of a frame as part of the frame, or can be configured to do so, Ethereal -
2058 and other programs that capture raw packets, such as tcpdump - cannot
2059 capture the FCS of a frame. You will have to determine whether your OS needs
2060 to be so configured and, if so, can be so configured, configure it if
2061 necessary and possible, and make whatever changes to libpcap and the packet
2062 capture program you're using are necessary, if any, to support capturing the
2065 Most OSes do not support capturing the FCS of a frame on Ethernet, and
2066 probably do not support it on most other link-layer types. Some drivres on
2067 some OSes do support it, such as some (all?) Ethernet drivers on NetBSD and
2068 possibly the driver for Apple's gigabit Ethernet interface in Mac OS X; in
2069 those OSes, you might always get the FCS, or you might only get the FCS if
2070 you capture in promiscuous mode (you'd have to determine which is the case).
2072 Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in a
2073 captured packet as an FCS. 0.9.15 and later will attempt to determine
2074 whether there's an FCS at the end of the frame and, if it thinks there is,
2075 will display it as such, and will check whether it's the correct CRC-32
2078 Q 5.43: Why does Ethereal hang after I stop a capture?
2080 A: The most likely reason for this is that Ethereal is trying to look up an
2081 IP address in the capture to convert it to a name (so that, for example, it
2082 can display the name in the source address or destination address columns),
2083 and that lookup process is taking a very long time.
2085 Ethereal calls a routine in the OS of the machine on which it's running to
2086 convert of IP addresses to the corresponding names. That routine probably
2087 does one or more of:
2088 * a search of a system file listing IP addresses and names;
2089 * a lookup using DNS;
2090 * on UNIX systems, a lookup using NIS;
2091 * on Windows systems, a NetBIOS-over-TCP query.
2093 If a DNS server that's used in an address lookup is not responding, the
2094 lookup will fail, but will only fail after a timeout while the system
2095 routine waits for a reply.
2097 In addition, on Windows systems, if the DNS lookup of the address fails,
2098 either because the server isn't responding or because there are no records
2099 in the DNS that could be used to map the address to a name, a
2100 NetBIOS-over-TCP query will be made. That query involves sending a message
2101 to the NetBIOS-over-TCP name service on that machine, asking for the name
2102 and other information about the machine. If the machine isn't running
2103 software that responds to those queries - for example, many non-Windows
2104 machines wouldn't be running that software - the lookup will only fail after
2105 a timeout. Those timeouts can cause the lookup to take a long time.
2107 If you disable network address-to-name translation - for example, by turning
2108 off the "Enable network name resolution" option in the "Capture Options"
2109 dialog box for starting a network capture - the lookups of the address won't
2110 be done, which may speed up the process of reading the capture file after
2111 the capture is stopped. You can make that setting the default by selecting
2112 "Preferences" from the "Edit" menu, turning off the "Enable network name
2113 resolution" option in the "Name resolution" options in the preferences
2114 disalog box, and using the "Save" button in that dialog box; note that this
2115 will save all your current preference settings.
2117 If Ethereal hangs when reading a capture even with network name resolution
2118 turned off, there might, for example, be a bug in one of Ethereal's
2119 dissectors for a protocol causing it to loop infinitely. If you're not
2120 running the most recent release of Ethereal, you should first upgrade to
2121 that release, as, if there's a bug of that sort, it might've been fixed in a
2122 release after the one you're running. If the hang occurs in the most recent
2123 release of Ethereal, the bug should be reported to the Ethereal developers'
2124 mailing list at ethereal-dev@ethereal.com.
2126 On UNIX-flavored OSes, please try to force Ethereal to dump core, by sending
2127 it a SIGABRT signal (usually signal 6) with the kill command, and then get a
2128 stack trace if you have a debugger installed. A stack trace can be obtained
2129 by using your debugger (gdb in this example), the Ethereal binary, and the
2130 resulting core file. Here's an example of how to use the gdb command
2134 ..... prints the stack trace
2138 The core dump file may be named "ethereal.core" rather than "core" on some
2139 platforms (e.g., BSD systems).
2141 Also, if at all possible, please send a copy of the capture file that caused
2142 the problem; when capturing packets, Ethereal normally writes captured
2143 packets to a temporary file, which will probably be in /tmp or /var/tmp on
2144 UNIX-flavored OSes, \TEMP on the main system disk (normally C:) on Windows
2145 9x/Me/NT 4.0, and \Documents and Settings\your login name\Local
2146 Settings\Temp on the main system disk on Windows 2000/Windows XP/Windows
2147 Server 2003, so the capture file will probably be there. It will have a name
2148 beginning with ether, with some mixture of letters and numbers after that.
2149 Please don't send a trace file greater than 1 MB when compressed; instead,
2150 make it available via FTP or HTTP, or say it's available but leave it up to
2151 a developer to ask for it. If the trace file contains sensitive information
2152 (e.g., passwords), then please do not send it.
2154 Q 5.44: How can I search for, or filter, packets that have a particular
2155 string anywhere in them?
2157 A: If you want to do this when capturing, you can't. That's a feature that
2158 would be hard to implement in capture filters without changes to the capture
2159 filter code, which, on many platforms, is in the OS kernel and, on other
2160 platforms, is in the libpcap library.
2162 In releases prior to 0.9.14, you also can't search for, or filter, packets
2163 containing a particular string even after you've captured them.
2165 In 0.9.14, you can search for, but not filter, packets that have a
2166 particular string; this has been added to the "Find Frame" dialog ("Find
2167 Frame" under the "Edit" menu, or control-F).
2169 In 0.9.15 and later, you can search for those packets using either the
2170 mechanism introduced in 0.9.14 or using the new "contains" operator in
2171 filter expressions, which lets you search the entire packet or text string
2172 or byte string fields in the packet; the "contains" operator can also be
2173 used in expressions used to filter the display.
2175 Q 5.45: How do I filter a capture to see traffic for virus XXX?
2177 A: For some viruses/worms there might be a capture filter to recognize the
2178 virus traffic. Check the CaptureFilters page on the Ethereal Wiki to see if
2179 anybody's added such a filter.
2181 Note that Ethereal was not designed to be an intrusion detection system; you
2182 might be able to use it as an IDS, but in most cases software designed to be
2183 an IDS, such as Snort or Prelude, will probably work better.
2185 The Bleeding Edge of Snort has a collection of signatures for Snort to
2186 detect various viruses, worms, and the like.
2188 Please send support questions about Ethereal to the
2189 ethereal-users[AT]ethereal.com mailing list.
2190 For corrections/additions/suggestions for this web page (and not Ethereal
2191 support questions), please send email to ethereal-web[AT]ethereal.com .
2192 Last modified: Tue, December 06 2005.