const char *faq_part[] = {
" Note: This is just an ASCII snapshot of the faq and may not be up to\n"
" date. Please go to http://www.ethereal.com/faq for the up to\n"
" date version. The version of this snapshot can be found at the\n"
" end of this document.\n"
" General Questions:\n"
" 1.1 Where can I get help?\n"
" 1.2 What protocols are currently supported?\n"
" 1.3 Are there any plans to support {your favorite protocol}?\n"
" 1.4 Can Ethereal read capture files from {your favorite network\n"
" 1.5 What devices can Ethereal use to capture packets?\n"
" 1.6 How do you pronounce Ethereal? Where did the name come from?\n"
" Downloading Ethereal:\n"
" 2.1 I downloaded the Win32 installer, but when I try to run it, I get\n"
" 2.2 When I try to download the WinPcap driver and library, I can't get\n"
" to the WinPcap Web site.\n"
" Installing Ethereal:\n"
" 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be\n"
" installed; only Tethereal is installed.\n"
" Building Ethereal:\n"
" 4.1 The configure script can't find pcap.h or bpf.h, but I have\n"
" libpcap installed.\n"
" 4.2 Why do I get the error \n"
" dftest_DEPENDENCIES was already defined in condition TRUE, which\n"
" implies condition HAVE_PLUGINS_TRUE\n"
" when I try to build Ethereal from CVS or a CVS snapshot?\n"
" 4.3 The link fails with a number of \"Output line too long.\" messages\n"
" followed by linker errors. \n"
" 4.4 The link fails on Solaris because plugin_list is undefined. \n"
" 4.5 The build fails on Windows because of conflicts between winsock.h\n"
" 5.1 When I use Ethereal to capture packets, I see only packets to and\n"
" from my machine, or I'm not seeing all the traffic I'm expecting to\n"
" see from or to the machine I'm trying to monitor.\n"
" 5.2 I can't see any TCP packets other than packets to and from my\n"
" machine, even though another analyzer on the network sees those\n"
" 5.3 I'm only seeing ARP packets when I try to capture traffic.\n"
" 5.4 How do I put an interface into promiscuous mode?\n"
" 5.5 I can set a display filter just fine, but capture filters don't\n"
" 5.6 I'm entering valid capture filters, but I still get \"parse error\"\n"
" 5.7 I saved a filter and tried to use its name to filter the display,\n"
" but I got an \"Unexpected end of filter string\" error.\n"
" 5.8 Why am I seeing lots of packets with incorrect TCP checksums?\n"
" 5.9 I've just installed Ethereal, and the traffic on my local LAN is\n"
" 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I\n"
" 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson\n"
" error, reporting an \"Integer division by zero\" exception, when I start\n"
" 5.12 When I try to run Ethereal, it complains about\n"
" sprint_realloc_objid being undefined.\n"
" 5.13 I'm running Ethereal on Linux; why do my time stamps have only\n"
" 100ms resolution, rather than 1us resolution?\n"
" 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
" why are the time stamps on packets wrong? \n"
" 5.15 When I try to run Ethereal on Windows, it fails to run because it\n"
" can't find packet.dll.\n"
" 5.16 I'm running Ethereal on Windows; why does some network interface\n"
" on my machine not show up in the list of interfaces in the\n"
" \"Interface:\" field in the dialog box popped up by \"Capture->Start\",\n"
" and/or why does Ethereal give me an error if I try to capture on that\n"
" 5.17 I'm running on a UNIX-flavored OS; why does some network\n"
" interface on my machine not show up in the list of interfaces in the\n"
" \"Interface:\" field in the dialog box popped up by \"Capture->Start\",\n"
" and/or why does Ethereal give me an error if I try to capture on that\n"
" 5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has\n"
" a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the\n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no\n"
" packets be sent on or received from that network while I'm trying to\n"
" capture traffic on that interface?\n"
" 5.19 I'm running Ethereal on Windows 95/98/Me, on a machine with more\n"
" than one network adapter of the same type; Ethereal shows all of those\n"
" adapters with the same name, but I can't use any of those adapters\n"
" other than the first one.\n"
" 5.20 I'm running Ethereal on Windows, and I'm not seeing any traffic\n"
" being sent by the machine running Ethereal.\n"
" 5.21 I'm trying to capture traffic but I'm not seeing any.\n"
" 5.22 I have an XXX network card on my machine; if I try to capture on\n"
" it, my machine crashes or resets itself. \n"
" 5.23 My machine crashes or resets itself when I select \"Start\" from\n"
" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n"
" 5.24 Does Ethereal work on Windows ME? \n"
" 5.25 Does Ethereal work on Windows XP? \n"
" 5.26 Why doesn't Ethereal correctly identify RTP packets? It shows\n"
" them only as UDP.\n"
" 5.27 Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
" that contain Yahoo Messenger traffic?\n"
" 5.28 Why do I get the error \n"
" Gdk-ERROR **: Palettized display (256-colour) mode not supported on\n"
" when I try to run Ethereal on Windows?\n"
" 5.29 When I capture on Windows in promiscuous mode, I can see packets\n"
" other than those sent to or from my machine; however, those packets\n"
" show up with a \"Short Frame\" indication, unlike packets to or from my\n"
" machine. What should I do to arrange that I see those packets in their\n"
" 5.30 How can I capture raw 802.11 packets, including non-data\n"
" (management, beacon) packets? \n"
" 5.31 How can I capture packets with CRC errors? \n"
" 5.32 How can I capture entire frames, including the FCS? \n"
" 5.33 Ethereal hangs after I stop a capture. \n"
" 5.34 How can I search for, or filter, packets that have a particular\n"
" string anywhere in them? \n"
" GENERAL QUESTIONS \n"
" Q 1.1: Where can I get help?\n"
" A: Support is available on the ethereal-users mailing list.\n"
" Subscription information and archives for all of Ethereal's mailing\n"
" lists can be found at http://www.ethereal.com/lists\n"
" Q 1.2: What protocols are currently supported?\n"
" A: There are currently 385 supported protocols and media, listed\n"
" below. Descriptions can be found in the ethereal(1) man page.\n"
" 802.1q Virtual LAN\n"
" 802.1x Authentication\n"
" AFS (4.0) Replication Server call declarations\n"
" AOL Instant Messenger\n"
" ATM LAN Emulation\n"
" AVS WLAN Capture header\n"
" Ad hoc On-demand Distance Vector Routing Protocol\n"
" Address Resolution Protocol\n"
" Aggregate Server Access Protocol\n"
" Alert Standard Forum\n"
" Andrew File System (AFS)\n"
" Apache JServ Protocol v1.3\n"
" AppleTalk Filing Protocol\n"
" AppleTalk Session Protocol\n"
" AppleTalk Transaction Protocol packet\n"
" Appletalk Address Resolution Protocol\n"
" Application Configuration Access Protocol\n"
" Async data over ISDN (V.120)\n"
" Authentication Header\n"
" BACnet Virtual Link Control\n"
" Banyan Vines ARP\n"
" Banyan Vines Echo\n"
" Banyan Vines Fragmentation Protocol\n"
" Banyan Vines ICP\n"
" Banyan Vines IPC\n"
" Banyan Vines LLC\n"
" Banyan Vines RTP\n"
" Banyan Vines SPP\n"
" Blocks Extensible Exchange Protocol\n"
" Bootstrap Protocol\n"
" Border Gateway Protocol\n"
" Building Automation and Control Network APDU\n"
" Building Automation and Control Network NPDU\n"
" CDS Clerk Server Calls\n"
" Check Point High Availability Protocol\n"
" Cisco Discovery Protocol\n"
" Cisco Group Management Protocol\n"
" Cisco Hot Standby Router Protocol\n"
" Cisco Interior Gateway Routing Protocol\n"
" CoSine IPNOS L2 debug output\n"
" Common Open Policy Service\n"
" Common Unix Printing System (CUPS) Browsing Protocol\n"
" DCE Distributed Time Service Local Server\n"
" DCE Distributed Time Service Provider\n"
" DCE Name Service\n"
" DCE Security ID Mapper\n"
" DCE/RPC BOS Server\n"
" DCE/RPC CDS Solicitation\n"
" DCE/RPC Conversation Manager\n"
" DCE/RPC Endpoint Mapper\n"
" DCE/RPC FLDB UBIK TRANSFER\n"
" DCE/RPC FLDB UBIKVOTE\n"
" DCE/RPC Kerberos V\n"
" DCE/RPC Remote Management\n"
" DCE/RPC Repserver Calls\n"
" DCE/RPC TokenServer Calls\n"
" DCE/RPC UpServer\n"
" DCOM OXID Resolver\n"
" DCOM Remote Activation\n"
" DEC Spanning Tree Protocol\n"
" DNS Control Program Server\n"
" Data Link SWitching\n"
" Data Stream Interface\n"
" Datagram Delivery Protocol\n"
" Diameter Protocol\n"
" Distance Vector Multicast Routing Protocol\n"
" Distcc Distributed Compiler\n"
" Distributed Checksum Clearinghouse Protocol\n"
" Domain Name Service\n"
" Dynamic DNS Tools Protocol\n"
" Encapsulating Security Payload\n"
" Enhanced Interior Gateway Routing Protocol\n"
" EtherNet/IP (Industrial Protocol)\n"
" Ethernet over IP\n"
" Extensible Authentication Protocol\n"
" FC Extended Link Svc\n"
" FC Fabric Configuration Server\n"
" FTServer Operations\n"
" Fiber Distributed Data Interface\n"
" Fibre Channel Common Transport\n"
" Fibre Channel Fabric Zone Server\n"
" Fibre Channel Name Server\n"
" Fibre Channel Protocol for SCSI\n"
" Fibre Channel SW_ILS\n"
" File Transfer Protocol (FTP)\n"
" Financial Information eXchange Protocol\n"
" GARP Multicast Registration Protocol\n"
" GARP VLAN Registration Protocol\n"
" GPRS Tunneling Protocol\n"
" GPRS Tunnelling Protocol v0\n"
" GPRS Tunnelling Protocol v1\n"
" General Inter-ORB Protocol\n"
" Generic Routing Encapsulation\n"
" Generic Security Service Application Program Interface\n"
" Gnutella Protocol\n"
" HP Extended Local-Link Control\n"
" HP Remote Maintenance Protocol\n"
" Hummingbird NFS Daemon\n"
" Hypertext Transfer Protocol\n"
" IEEE 802.11 wireless LAN\n"
" IEEE 802.11 wireless LAN management frame\n"
" IP Payload Compression\n"
" IPX Routing Information Protocol\n"
" ISDN Q.921-User Adaptation Layer\n"
" ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol\n"
" ISO 8073 COTP Connection-Oriented Transport Protocol\n"
" ISO 8473 CLNP ConnectionLess Network Protocol\n"
" ISO 8602 CLTP ConnectionLess Transport Protocol\n"
" ISO 9542 ESIS Routeing Information Exchange Protocol\n"
" ITU-T Recommendation H.261\n"
" Intelligent Platform Management Interface\n"
" Inter-Access-Point Protocol\n"
" Internet Cache Protocol\n"
" Internet Content Adaptation Protocol\n"
" Internet Control Message Protocol\n"
" Internet Control Message Protocol v6\n"
" Internet Group Management Protocol\n"
" Internet Message Access Protocol\n"
" Internet Printing Protocol\n"
" Internet Protocol\n"
" Internet Protocol Version 6\n"
" Internet Relay Chat\n"
" Internet Security Association and Key Management Protocol\n"
" Internetwork Packet eXchange\n"
" Java Serialization\n"
" Kerberos Administration\n"
" Kernel Lock Manager\n"
" Label Distribution Protocol\n"
" Layer 2 Tunneling Protocol\n"
" Lightweight Directory Access Protocol\n"
" Line Printer Daemon Protocol\n"
" Link Access Procedure Balanced (LAPB)\n"
" Link Access Procedure Balanced Ethernet (LAPBETHER)\n"
" Link Access Procedure, Channel D (LAPD)\n"
" Link Aggregation Control Protocol\n"
" Link Management Protocol (LMP)\n"
" Linux cooked-mode capture\n"
" Local Management Interface\n"
" LocalTalk Link Access Protocol\n"
" Logical-Link Control\n"
" Lucent/Ascend debug output\n"
" MMS Message Encapsulation\n"
" MS Proxy Protocol\n"
" MSN Messenger Service\n"
" MSNIP: Multicast Source Notification of Interest Protocol\n"
" MTP 2 Transparent Proxy\n"
" MTP 2 User Adaptation Layer\n"
" MTP 3 User Adaptation Layer\n"
" MTP2 Peer Adaptation Layer\n"
" Message Transfer Part Level 2\n"
" Message Transfer Part Level 3\n"
" Message Transfer Part Level 3 Management\n"
" Microsoft Distributed File System\n"
" Microsoft Exchange MAPI\n"
" Microsoft Local Security Architecture\n"
" Microsoft Local Security Architecture (Directory Services)\n"
" Microsoft Network Logon\n"
" Microsoft Registry\n"
" Microsoft Security Account Manager\n"
" Microsoft Server Service\n"
" Microsoft Service Control\n"
" Microsoft Spool Subsystem\n"
" Microsoft Task Scheduler Service\n"
" Microsoft Telephony API Service\n"
" Microsoft Windows Browser Protocol\n"
" Microsoft Windows Lanman Remote API Protocol\n"
" Microsoft Windows Logon Protocol\n"
" Microsoft Workstation Service\n"
" MultiProtocol Label Switching Header\n"
" Multicast Router DISCovery protocol\n"
" Multicast Source Discovery Protocol\n"
" NTLM Secure Service Provider\n"
" Name Binding Protocol\n"
" Name Management Protocol over IPX\n"
" NetBIOS Datagram Service\n"
" NetBIOS Name Service\n"
" NetBIOS Session Service\n"
" NetBIOS over IPX\n"
" NetWare Core Protocol\n"
" NetWare Link Services Protocol\n"
" Network Data Management Protocol\n"
" Network File System\n"
" Network Lock Manager Protocol\n"
" Network News Transfer Protocol\n"
" Network Status Monitor CallBack Protocol\n"
" Network Status Monitor Protocol\n"
" Network Time Protocol\n"
" Novell Distributed Print System\n"
" Open Shortest Path First\n"
" OpenBSD Encapsulating device\n"
" OpenBSD Packet Filter log file\n"
" OpenBSD Packet Filter log file, pre 3.4\n"
" PPP Bandwidth Allocation Control Protocol\n"
" PPP Bandwidth Allocation Protocol\n"
" PPP CDP Control Protocol\n"
" PPP Callback Control Protocol\n"
" PPP Challenge Handshake Authentication Protocol\n"
" PPP Compressed Datagram\n"
" PPP Compression Control Protocol\n"
" PPP IP Control Protocol\n"
" PPP IPv6 Control Protocol\n"
" PPP Link Control Protocol\n"
" PPP MPLS Control Protocol\n"
" PPP Multilink Protocol\n"
" PPP Multiplexing\n"
" PPP Password Authentication Protocol\n"
" PPP VJ Compression\n"
" PPP-over-Ethernet Discovery\n"
" PPP-over-Ethernet Session\n"
" PPPMux Control Protocol\n"
" Point-to-Point Protocol\n"
" Point-to-Point Tunnelling Protocol\n"
" Post Office Protocol\n"
" Pragmatic General Multicast\n"
" Privilege Server operations\n"
" Protocol Independent Multicast\n"
" Quake II Network Protocol\n"
" Quake III Arena Network Protocol\n"
" Quake Network Protocol\n"
" QuakeWorld Network Protocol\n"
" Qualified Logical Link Control\n"
" RSYNC File Synchroniser\n"
" Radio Access Network Application Part\n"
" Real Time Streaming Protocol\n"
" Real-Time Transport Protocol\n"
" Real-time Transport Control Protocol\n"
" Registry Server Attributes Manipulation Interface\n"
" Registry server administration operations.\n"
" Remote Management Control Protocol\n"
" Remote Override interface\n"
" Remote Procedure Call\n"
" Remote Program Load\n"
" Remote Wall protocol\n"
" Remote sec_login preauth interface.\n"
" Resource ReserVation Protocol (RSVP)\n"
" Routing Information Protocol\n"
" Routing Table Maintenance Protocol\n"
" SGI Mount Service\n"
" SMB (Server Message Block Protocol)\n"
" SMB MailSlot Protocol\n"
" SMB Pipe Protocol\n"
" SNA-over-Ethernet\n"
" SNMP Multiplex Protocol\n"
" SS7 SCCP-User Adaptation Layer\n"
" Secure Socket Layer\n"
" Sequenced Packet eXchange\n"
" Service Advertisement Protocol\n"
" Service Location Protocol\n"
" Session Announcement Protocol\n"
" Session Description Protocol\n"
" Session Initiation Protocol\n"
" Short Message Peer to Peer\n"
" Signalling Connection Control Part\n"
" Signalling Connection Control Part Management\n"
" Simple Mail Transfer Protocol\n"
" Simple Network Management Protocol\n"
" Sinec H1 Protocol\n"
" Skinny Client Control Protocol\n"
" SliMP3 Communication Protocol\n"
" Spanning Tree Protocol\n"
" Stream Control Transmission Protocol\n"
" Synchronous Data Link Control (SDLC)\n"
" Systems Network Architecture\n"
" Systems Network Architecture XID\n"
" Tabular Data Stream\n"
" Tazmen Sniffer Protocol\n"
" Time Synchronization Protocol\n"
" Token-Ring Media Access Control\n"
" Transmission Control Protocol\n"
" Transparent Network Substrate Protocol\n"
" Trivial File Transfer Protocol\n"
" Universal Computer Protocol\n"
" User Datagram Protocol\n"
" Virtual Router Redundancy Protocol\n"
" Virtual Trunking Protocol\n"
" Web Cache Coordination Protocol\n"
" Wellfleet Breath of Life\n"
" Wellfleet Compression\n"
" Windows 2000 DNS\n"
" Wireless Session Protocol\n"
" Wireless Transaction Protocol\n"
" Wireless Transport Layer Security\n"
" X Display Manager Control Protocol\n"
" Yahoo Messenger Protocol\n"
" Yahoo YMSG Messenger Protocol\n"
" Yellow Pages Bind\n"
" Yellow Pages Passwd\n"
" Yellow Pages Service\n"
" Yellow Pages Transfer\n"
" Zone Information Protocol\n"
" Q 1.3: Are there any plans to support {your favorite protocol}?\n"
" A: Support for particular protocols is added to Ethereal as a result\n"
" of people contributing that support; no formal plans for adding\n"
" support for particular protocols in particular future releases exist.\n"
" Q 1.4: Can Ethereal read capture files from {your favorite network\n"
" A: Support for particular protocols is added to Ethereal as a result\n"
" of people contributing that support; no formal plans for adding\n"
" support for particular protocols in particular future releases exist.\n"
" If a network analyzer writes out files in a format already supported\n"
" by Ethereal (e.g., in libpcap format), Ethereal may already be able to\n"
" read them, unless the analyzer has added its own proprietary\n"
" extensions to that format.\n"
" If a network analyzer writes out files in its own format, or has added\n"
" proprietary extensions to another format, in order to make Ethereal\n"
" read captures from that network analyzer, we would either have to have\n"
" a specification for the file format, or the extensions, sufficient to\n"
" give us enough information to read the parts of the file relevant to\n"
" Ethereal, or would need at least one capture file in that format AND a\n"
" detailed textual analysis of the packets in that capture file (showing\n"
" packet time stamps, packet lengths, and the top-level packet header)\n"
" in order to reverse-engineer the file format.\n"
" Note that there is no guarantee that we will be able to\n"
" reverse-engineer a capture file format.\n"
" Q 1.5: What devices can Ethereal use to capture packets?\n"
" A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial\n"
" (PPP and SLIP) (if the OS on which it's running allows Ethereal to do\n"
" so), 802.11 wireless LAN (if the OS on which it's running allows\n"
" Ethereal to do so), ATM connections (if the OS on which it's running\n"
" allows Ethereal to do so), and the \"any\" device supported on Linux by\n"
" recent versions of libpcap. See the list of supported capture media on\n"
" various OSes for details (several items in there say \"Unknown\", which\n"
" doesn't mean \"Ethereal can't capture on them\", it means \"we don't know\n"
" whether it can capture on them\"; we expect that it will be able to\n"
" capture on many of them, but we haven't tried it ourselves - if you\n"
" try one of those types and it works, please send an update to\n"
" ethereal-web[AT]ethereal.com).\n"
" It can also read a variety of capture file formats, including:\n"
" * libpcap/tcpdump\n"
" * Sun snoop/atmsnoop\n"
" * Shomiti/Finisar Surveyor\n"
" * DOS-based Sniffer (compressed and uncompressed)\n"
" * MS Network Monitor\n"
" * NetXray and Windows-based Sniffer\n"
" * EtherPeek/TokenPeek/AiroPeek\n"
" * RADCOM WAN/LAN analyzer\n"
" * Lucent/Ascend debug output\n"
" * Toshiba ISDN router \"snoop\" output\n"
" * ISDN4BSD \"i4btrace\" utility.\n"
" * Cisco Secure IDS\n"
" * pppd log files (pppdump format)\n"
" * VMS TCPIPtrace\n"
" * DBS Etherwatch\n"
" * Visual Networks' Visual UpTime\n"
" * CoSine L2 debug\n"
" so that it can read traces from various network types, as captured by\n"
" other applications or equipment, even if it cannot itself capture on\n"
" those network types.\n"
" Q 1.6: How do you pronounce Ethereal? Where did the name come from?\n"
" A: The English pronunciation can be found in Merriam-Webster's online\n"
" http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.\n"
" According to the book \"Computer Networks\" by Andrew Tanenbaum,\n"
" Ethernet was named after the \"luminiferous ether\" which was once\n"
" thought to carry electromagnetic radiation. Taking that into\n"
" consideration, Ethereal seemed like an appropriate name for an\n"
" Ethernet analyzer.\n"
" DOWNLOADING ETHEREAL \n"
" Q 2.1: I downloaded the Win32 installer, but when I try to run it, I\n"
" A: The program you used to download it may have downloaded it\n"
" incorrectly. Web browsers sometimes may do this.\n"
" Try downloading it with, for example:\n"
" * Wget, for which Windows binaries are available on the SunSITE FTP\n"
" server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI\n"
" offers a GUI interface that uses wget;\n"
" * WS_FTP from Ipswitch,\n"
" * the ftp command that comes with Windows.\n"
" If you use the ftp command, make sure you do the transfer in binary\n"
" mode rather than ASCII mode, by using the binary command before\n"
" transferring the file.\n"
" Q 2.2: When I try to download the WinPcap driver and library, I can't\n"
" get to the WinPcap Web site.\n"
" A: As is the case with all Web sites, that site won't necessarily\n"
" always be accessible; the server may be down due to a problem or down\n"
" for maintenance, or there may be a networking problem between you and\n"
" the server. You should try again later, or try the local mirror or the\n"
" Wiretapped.net mirror.\n"
" INSTALLING ETHEREAL \n"
" Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be\n"
" installed; only Tethereal is installed.\n"
" A: Red Hat RPMs for Ethereal put only the non-GUI components into the\n"
" ethereal RPM, the fact that Ethereal is a GUI program notwithstanding;\n"
" there's a separate ethereal-gnome RPM that includes GUI components\n"
" such as Ethereal itself, the fact that Ethereal doesn't use GNOME\n"
" notwithstanding. Find the ethereal-gnome RPM, and install that also.\n"
" BUILDING ETHEREAL \n"
" Q 4.1: The configure script can't find pcap.h or bpf.h, but I have\n"
" libpcap installed.\n"
" A: Are you sure pcap.h and bpf.h are installed? The official\n"
" distribution of libpcap only installs the libpcap.a library file when\n"
" \"make install\" is run. To install pcap.h and bpf.h, you must run \"make\n"
" install-incl\". If you're running Debian or Red Hat, make sure you have\n"
" the \"libpcap-dev\" or \"libpcap-devel\" packages installed.\n"
" It's also possible that pcap.h and bpf.h have been installed in a\n"
" strange location. If this is the case, you may have to tweak\n"
" Q 4.2: Why do I get the error \n"
" dftest_DEPENDENCIES was already defined in condition TRUE, which\n"
" implies condition HAVE_PLUGINS_TRUE\n"
" when I try to build Ethereal from CVS or a CVS snapshot?\n"
" A: You probably have automake 1.5 installed on your machine (the\n"
" command automake --version will report the version of automake on your\n"
" machine). There is a bug in that version of automake that causes this\n"
" problem; upgrade to a later version of automake (1.6 or later).\n"
" Q 4.3: The link fails with a number of \"Output line too long.\"\n"
" messages followed by linker errors. \n"
" A: The version of the sed command on your system is incapable of\n"
" handling very long lines. On Solaris, for example, /usr/bin/sed has a\n"
" line length limit too low to allow libtool to work; /usr/xpg4/bin/sed\n"
" can handle it, as can GNU sed if you have it installed.\n"
" On Solaris, changing your command search path to search /usr/xpg4/bin\n"
" before /usr/bin should make the problem go away; on any platform on\n"
" which you have this problem, installing GNU sed and changing your\n"
" command path to search the directory in which it is installed before\n"
" searching the directory with the version of sed that came with the OS\n"
" should make the problem go away.\n"
" Q 4.4: The link fails on Solaris because plugin_list is undefined. \n"
" A: This appears to be due to a problem with some versions of the GTK+\n"
" and GLib packages from www.sunfreeware.org; un-install those packages,\n"
" and try getting the 1.2.10 versions from that site, or the versions\n"
" from The Written Word, or the versions from Sun's GNOME distribution,\n"
" or the versions from the supplemental software CD that comes with the\n"
" Solaris media kit, or build them from source from the GTK Web site.\n"
" Then re-run the configuration script, and try rebuilding Ethereal. (If\n"
" you get the 1.2.10 versions from www.sunfreeware.org, and the problem\n"
" persists, un-install them and try installing one of the other versions\n"
" Q 4.5: The build fails on Windows because of conflicts between\n"
" winsock.h and winsock2.h. \n"
" A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and\n"
" the corresponding version of the developer's pack, in order to be able\n"
" to compile Ethereal; it will not compile with older versions of the\n"
" developer's pack. The symptoms of this failure are conflicts between\n"
" definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h,\n"
" but pre-2.3 versions of the WinPcap developer's pack use winsock.h.\n"
" (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would\n"
" not be able to build with current versions of the WinPcap developer's\n"
" Note that the installed version of the developer's pack should be the\n"
" same version as the version of WinPcap you have installed.\n"
769 " Q 5.1: When I use Ethereal to capture packets, I see only packets to\n"
770 " and from my machine, or I'm not seeing all the traffic I'm expecting\n"
771 " to see from or to the machine I'm trying to monitor.\n"
773 " A: This might be because the interface on which you're capturing is\n"
774 " plugged into a switch; on a switched network, unicast traffic between\n"
775 " two ports will not necessarily appear on other ports - only broadcast\n"
776 " and multicast traffic will be sent to all ports.\n"
778 " Note that even if your machine is plugged into a hub, the \"hub\" may be\n"
779 " a switched hub, in which case you're still on a switched network.\n"
781 " Note also that on the Linksys Web site, they say that their\n"
782 " auto-sensing hubs \"broadcast the 10Mb packets to the port that operate\n"
783 " at 10Mb only and broadcast the 100Mb packets to the ports that operate\n"
784 " at 100Mb only\", which would indicate that if you sniff on a 10Mb port,\n"
785 " you will not see traffic coming sent to a 100Mb port, and vice versa.\n"
786 " This problem has also been reported for Netgear dual-speed hubs, and\n"
787 " may exist for other \"auto-sensing\" or \"dual-speed\" hubs.\n"
789 " Some switches have the ability to replicate all traffic on all ports\n"
790 " to a single port so that you can plug your analyzer into that single\n"
791 " port to sniff all traffic. You would have to check the documentation\n"
792 " for the switch to see if this is possible and, if so, to see how to do\n"
793 " this. See, for example:\n"
794 " * this documentation from Cisco on the Switched Port Analyzer (SPAN)\n"
795 " feature on Catalyst switches;\n"
796 " * documentation from HP on how to set \"monitoring\"/\"mirroring\" on\n"
797 " ports on the console for HP Advancestack Switch 208 and 224;\n"
798 " * the \"Network Monitoring Port Features\" section of chapter 6 of\n"
799 " documentation from HP for HP ProCurve Switches 1600M, 2424M,\n"
800 " 4000M, and 8000M.\n"
802 " Note also that many firewall/NAT boxes have a switch built into them;\n"
803 " this includes many of the \"cable/DSL router\" boxes. If you have a box\n"
806 " of that sort, that has a switch with some number of Ethernet ports\n"
807 " into which you plug machines on your network, and another Ethernet\n"
808 " port used to connect to a cable or DSL modem, you can, at least, sniff\n"
809 " traffic between the machines on your network and the Internet by\n"
810 " plugging the Ethernet port on the router going to the modem, the\n"
811 " Ethernet port on the modem, and the machine on which you're running\n"
812 " Ethereal into a hub (make sure it's not a switching hub, and that, if\n"
813 " it's a dual-speed hub, all three of those ports are running at the\n"
816 " If your machine is not plugged into a switched network or a dual-speed\n"
817 " hub, or it is plugged into a switched network but the port is set up\n"
818 " to have all traffic replicated to it, the problem might be that the\n"
819 " network interface on which you're capturing doesn't support\n"
820 " \"promiscuous\" mode, or because your OS can't put the interface into\n"
821 " promiscuous mode. Normally, network interfaces supply to the host\n"
823 " * packets sent to one of that host's link-layer addresses;\n"
824 " * broadcast packets;\n"
825 " * multicast packets sent to a multicast address that the host has\n"
826 " configured the interface to accept.\n"
828 " Most network interfaces can also be put in \"promiscuous\" mode, in\n"
829 " which they supply to the host all network packets they see. Ethereal\n"
830 " will try to put the interface on which it's capturing into promiscuous\n"
831 " mode unless the \"Capture packets in promiscuous mode\" option is turned\n"
832 " off in the \"Capture Options\" dialog box, and Tethereal will try to put\n"
833 " the interface on which it's capturing into promiscuous mode unless the\n"
834 " -p option was specified. However, some network interfaces don't\n"
835 " support promiscuous mode, and some OSes might not allow interfaces to\n"
836 " be put into promiscuous mode.\n"
838 " If the interface is not running in promiscuous mode, it won't see any\n"
839 " traffic that isn't intended to be seen by your machine. It will see\n"
840 " broadcast packets, and multicast packets sent to a multicast MAC\n"
841 " address the interface is set up to receive.\n"
843 " You should ask the vendor of your network interface whether it\n"
844 " supports promiscuous mode. If it does, you should ask whoever supplied\n"
845 " the driver for the interface (the vendor, or the supplier of the OS\n"
846 " you're running on your machine) whether it supports promiscuous mode\n"
847 " with that network interface.\n"
849 " In the case of token ring interfaces, the drivers for some of them, on\n"
850 " Windows, may require you to enable promiscuous mode in order to\n"
851 " capture in promiscuous mode. Ask the vendor of the card how to do\n"
852 " this, or see, for example, this information on promiscuous mode on\n"
853 " some Madge token ring adapters (note that those cards can have\n"
854 " promiscuous mode disabled permanently, in which case you can't enable\n"
857 " In the case of wireless LAN interfaces, it appears that, when those\n"
858 " interfaces are promiscuously sniffing, they're running in a\n"
859 " significantly different mode from the mode that they run in when\n"
860 " they're just acting as network interfaces (to the extent that it would\n"
861 " be a significant effort for those drivers to support promiscuously\n"
862 " sniffing and acting as regular network interfaces at the same time),\n"
863 " so it may be that Windows drivers for those interfaces don't support\n"
864 " promiscuous mode.\n"
866 " Q 5.2: I can't see any TCP packets other than packets to and from my\n"
867 " machine, even though another analyzer on the network sees those\n"
870 " A: You're probably not seeing any packets other than unicast packets\n"
871 " to or from your machine, and broadcast and multicast packets; a switch\n"
872 " will normally send to a port only unicast traffic sent to the MAC\n"
873 " address for the interface on that port, and broadcast and multicast\n"
874 " traffic - it won't send to that port unicast traffic sent to a MAC\n"
875 " address for some other interface - and a network interface not in\n"
876 " promiscuous mode will receive only unicast traffic sent to the MAC\n"
877 " address for that interface, broadcast traffic, and multicast traffic\n"
878 " sent to a multicast MAC address the interface is set up to receive.\n"
880 " TCP doesn't use broadcast or multicast, so you will only see your own\n"
881 " TCP traffic, but UDP services may use broadcast or multicast so you'll\n"
882 " see some UDP traffic - however, this is not a problem with TCP\n"
883 " traffic, it's a problem with unicast traffic, as you also won't see\n"
884 " all UDP traffic between other machines.\n"
886 " I.e., this is probably the same question as this earlier one; see the\n"
887 " response to that question.\n"
889 " Q 5.3: I'm only seeing ARP packets when I try to capture traffic.\n"
891 " A: You're probably on a switched network, and running Ethereal on a\n"
892 " machine that's not sending traffic to the switch and not being sent\n"
893 " any traffic from other machines on the switch. ARP packets are often\n"
894 " broadcast packets, which are sent to all switch ports.\n"
896 " I.e., this is probably the same question as this earlier one; see the\n"
897 " response to that question.\n"
899 " Q 5.4: How do I put an interface into promiscuous mode?\n"
901 " A: By not disabling promiscuous mode when running Ethereal or\n"
904 " Note, however, that:\n"
905 " * the form of promiscuous mode that libpcap (the library that\n"
906 " programs such as tcpdump, Ethereal, etc. use to do packet capture)\n"
907 " turns on will not necessarily be shown if you run ifconfig on the\n"
908 " interface on a UNIX system;\n"
909 " * some network interfaces might not support promiscuous mode, and\n"
910 " some drivers might not allow promiscuous mode to be turned on -\n"
911 " see this earlier question for more information on that;\n"
912 " * the fact that you're not seeing any traffic, or are only seeing\n"
913 " broadcast traffic, or aren't seeing any non-broadcast traffic\n"
914 " other than traffic to or from the machine running Ethereal, does\n"
915 " not mean that promiscuous mode isn't on - see this earlier\n"
916 " question for more information on that.\n"
918 " I.e., this is probably the same question as this earlier one; see the\n"
919 " response to that question.\n"
921 " Q 5.5: I can set a display filter just fine, but capture filters don't\n"
924 " A: Capture filters currently use a different syntax than display\n"
925 " filters. Here's the corresponding section from the ethereal(1) man\n"
928 " \"Display filters in Ethereal are very powerful; more fields are\n"
929 " filterable in Ethereal than in other protocol analyzers, and the\n"
930 " syntax you can use to create your filters is richer. As Ethereal\n"
931 " progresses, expect more and more protocol fields to be allowed in\n"
932 " display filters.\n"
934 " Packet capturing is performed with the pcap library. The capture\n"
935 " filter syntax follows the rules of the pcap library. This syntax is\n"
936 " different from the display filter syntax.\"\n"
938 " The capture filter syntax used by libpcap can be found in the\n"
939 " tcpdump(8) man page.\n"
941 " Q 5.6: I'm entering valid capture filters, but I still get \"parse\n"
944 " A: There is a bug in some versions of libpcap/WinPcap that causes it to\n"
945 " report parse errors even for valid expressions if a previous filter\n"
946 " expression was invalid and got a parse error.\n"
948 " Try exiting and restarting Ethereal; if you are using a version of\n"
949 " libpcap/WinPcap with this bug, this will \"erase\" its memory of the\n"
950 " previous parse error. If the capture filter that got the \"parse error\"\n"
951 " now works, the earlier error with that filter was probably due to this\n"
954 " The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of\n"
955 " libpcap have this bug, but 0.6[.x] and later versions don't.\n"
957 " Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of\n"
958 " libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and\n"
959 " doesn't have this bug.\n"
961 " If you are running Ethereal on a UNIX-flavored platform, run \"ethereal\n"
962 " -v\", or select \"About Ethereal...\" from the \"Help\" menu in Ethereal,\n"
963 " to see what version of libpcap it's using. If it's not 0.6 or later,\n"
964 " you will need either to upgrade your OS to get a later version of\n"
965 " libpcap, or will need to build and install a later version of libpcap\n"
966 " from the tcpdump.org Web site and then recompile Ethereal from source\n"
967 " with that later version of libpcap.\n"
969 " If you are running Ethereal on Windows with a pre-2.3 version of\n"
970 " WinPcap, you will need to un-install WinPcap and then download and\n"
971 " install WinPcap 2.3.\n"
973 " Q 5.7: I saved a filter and tried to use its name to filter the\n"
974 " display, but I got an \"Unexpected end of filter string\" error.\n"
976 " A: You cannot use the name of a saved display filter as a filter. To\n"
977 " filter the display, you can enter a display filter expression - not\n"
978 " the name of a saved display filter - in the \"Filter:\" box at the\n"
979 " bottom of the display, and type the key or press the \"Apply\" button\n"
980 " (that does not require you to have a saved filter), or, if you want to\n"
981 " use a saved filter, you can press the \"Filter:\" button, select the\n"
982 " filter in the dialog box that pops up, and press the \"OK\" button.\n"
984 " Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums?\n"
986 " A: If the packets that have incorrect TCP checksums are all being sent\n"
987 " by the machine on which Ethereal is running, this is probably because\n"
988 " the network interface on which you're capturing does TCP checksum\n"
989 " offloading. That means that the TCP checksum is added to the packet by\n"
990 " the network interface, not by the OS's TCP/IP stack; when capturing on\n"
991 " an interface, packets being sent by the host on which you're capturing\n"
992 " are directly handed to the capture interface by the OS, which means\n"
993 " that they are handed to the capture interface without a TCP checksum\n"
994 " being added to them.\n"
996 " The only way to prevent this from happening would be to disable TCP\n"
997 " checksum offloading, but\n"
998 " 1. that might not even be possible on some OSes;\n"
999 " 2. that could reduce networking performance significantly.\n"
1001 " However, you can disable the check that Ethereal does of the TCP\n"
1002 " checksum, so that it won't report any packets as having TCP checksum\n"
1003 " errors, and so that it won't refuse to do TCP reassembly due to a\n"
1004 " packet having an incorrect TCP checksum. That can be set as an\n"
1005 " Ethereal preference by selecting \"Preferences\" from the \"Edit\" menu,\n"
1006 " opening up the \"Protocols\" list in the left-hand pane of the\n"
1007 " \"Preferences\" dialog box, selecting \"TCP\", from that list, turning off\n"
1008 " the \"Check the validity of the TCP checksum when possible\" option,\n"
1009 " clicking \"Save\" if you want to save that setting in your preference\n"
1010 " file, and clicking \"OK\".\n"
1012 " It can also be set on the Ethereal or Tethereal command line with a -o\n"
1013 " tcp.check_checksum:false command-line flag, or manually set in your\n"
1014 " preferences file by adding a tcp.check_checksum:false line.\n"
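The effect described in the answer to Q 5.8, as an added example that is not part of the Ethereal FAQ or the Ethereal source: a checksum validator run over a constructed outbound segment as a capture would see it before the network interface fills in the checksum, and again after. The addresses, ports, payload and the zero value left in the unfilled checksum field are assumptions made for the sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses (documentation range), not taken from the FAQ. */
static const uint8_t SRC_IP[4] = {192, 0, 2, 10};
static const uint8_t DST_IP[4] = {192, 0, 2, 20};

/* Add big-endian 16-bit words to a running one's-complement sum. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    while (len > 1) {
        acc += (uint32_t)((p[0] << 8) | p[1]);
        p += 2;
        len -= 2;
    }
    if (len == 1)
        acc += (uint32_t)(p[0] << 8);  /* odd trailing byte is zero-padded */
    return acc;
}

/* Internet checksum over the IPv4 pseudo-header plus the TCP segment.
 * With the checksum field zeroed this yields the value to transmit;
 * with the field filled in, a result of 0 means the segment is valid. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t len)
{
    uint8_t pseudo[12];
    uint32_t acc;

    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = 6;                       /* IP protocol number for TCP */
    pseudo[10] = (uint8_t)(len >> 8);
    pseudo[11] = (uint8_t)(len & 0xff);

    acc = sum16(pseudo, sizeof pseudo, 0);
    acc = sum16(seg, len, acc);
    while (acc >> 16)                    /* fold carries back in */
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* The check an analyzer performs on each captured segment. */
int tcp_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                    const uint8_t *seg, size_t len)
{
    return tcp_checksum(src, dst, seg, len) == 0;
}

/* Constructed outbound segment as the host stack hands it down when the
 * interface does checksum offloading: bytes 16-17 are not yet filled in. */
size_t build_outbound_segment(uint8_t *buf)
{
    static const uint8_t hdr[20] = {
        0xC0, 0x00, 0x00, 0x50,          /* source port 49152, dest port 80 */
        0x00, 0x00, 0x00, 0x01,          /* sequence number */
        0x00, 0x00, 0x00, 0x00,          /* acknowledgment number */
        0x50, 0x18, 0x20, 0x00,          /* data offset 5, PSH|ACK, window */
        0x00, 0x00, 0x00, 0x00           /* checksum (unfilled), urgent ptr */
    };
    memcpy(buf, hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, "GET /\r\n", 7);
    return sizeof hdr + 7;
}

/* What the offloading interface does just before transmission. */
void nic_fill_checksum(uint8_t *seg, size_t len)
{
    uint16_t c;

    seg[16] = seg[17] = 0;
    c = tcp_checksum(SRC_IP, DST_IP, seg, len);
    seg[16] = (uint8_t)(c >> 8);
    seg[17] = (uint8_t)(c & 0xff);
}

int main(void)
{
    uint8_t seg[64];
    size_t n = build_outbound_segment(seg);

    printf("as captured on the sending host: %s\n",
           tcp_checksum_ok(SRC_IP, DST_IP, seg, n) ? "valid" : "INCORRECT");
    nic_fill_checksum(seg, n);
    printf("as seen on the wire:             %s\n",
           tcp_checksum_ok(SRC_IP, DST_IP, seg, n) ? "valid" : "INCORRECT");
    return 0;
}
```

The same segment fails validation on the capturing host and passes on the wire, which is why only locally sent packets show the error.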
1016 " Q 5.9: I've just installed Ethereal, and the traffic on my local LAN\n"
1019 " A: We have a collection of strange and exotic sample capture files at\n"
1020 " http://www.ethereal.com/sample/\n"
1022 " Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error\n"
1023 " when I start it.\n"
1025 " A: Some versions of the GTK+ library from www.sunfreeware.org appear\n"
1026 " to be buggy, causing Ethereal to drop core with a Bus Error.\n"
1027 " Un-install those packages, and try getting the 1.2.10 version from\n"
1028 " that site, or the version from The Written Word, or the version from\n"
1029 " Sun's GNOME distribution, or the version from the supplemental\n"
1030 " software CD that comes with the Solaris media kit, or build it from\n"
1031 " source from the GTK Web site. Update the GLib library to the 1.2.10\n"
1032 " version, from the same source, as well. (If you get the 1.2.10\n"
1033 " versions from www.sunfreeware.org, and the problem persists,\n"
1034 " un-install them and try installing one of the other versions\n"
1037 " Similar problems may exist with older versions of GTK+ for earlier\n"
1038 " versions of Solaris.\n"
1040 " Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson\n"
1041 " error, reporting an \"Integer division by zero\" exception, when I start\n"
1044 " A: In at least some cases, this appears to be due to using the default\n"
1045 " VGA driver; if that's not the correct driver for your video card, try\n"
1046 " running the correct driver for your video card.\n"
1048 " Q 5.12: When I try to run Ethereal, it complains about\n"
1049 " sprint_realloc_objid being undefined.\n"
1051 " A: Ethereal can only be linked with version 4.2.2 or later of UCD\n"
1052 " SNMP. Your version of Ethereal was dynamically linked with such a\n"
1053 " version of UCD SNMP; however, you have an older version of UCD SNMP\n"
1054 " installed, which means that when Ethereal is run, it tries to link to\n"
1055 " the older version, and fails. You will have to replace that version of\n"
1056 " UCD SNMP with version 4.2.2 or a later version.\n"
1058 " Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only\n"
1059 " 100ms resolution, rather than 1us resolution?\n"
1061 " A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap\n"
1062 " get them from the OS kernel, so Ethereal - and any other program using\n"
1063 " libpcap, such as tcpdump - is at the mercy of the time stamping code\n"
1064 " in the OS for time stamps.\n"
1066 " At least on x86-based machines, Linux can get high-resolution time\n"
1067 " stamps on newer processors with the Time Stamp Counter (TSC) register;\n"
1068 " for example, Intel x86 processors, starting with the Pentium Pro, and\n"
1069 " including all x86 processors since then, have had a TSC, and other\n"
1070 " vendors probably added the TSC at some point to their families of x86\n"
1073 " The Linux kernel must be configured with the CONFIG_X86_TSC option\n"
1074 " enabled in order to use the TSC. Make sure this option is enabled in\n"
1077 " In addition, some Linux distributions may have bugs in their versions\n"
1078 " of the kernel that cause packets not to be given high-resolution time\n"
1079 " stamps even if the TSC is enabled. See, for example, bug 61111 for Red\n"
1080 " Hat Linux 7.2. If your distribution has a bug such as this, you may\n"
1081 " have to run a standard kernel from kernel.org in order to get\n"
1082 " high-resolution time stamps.\n"
1084 " Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
1085 " why are the time stamps on packets wrong? \n"
1087 " A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap\n"
1090 " Q 5.15: When I try to run Ethereal on Windows, it fails to run because\n"
1091 " it can't find packet.dll.\n"
1093 " A: In older versions of Ethereal, there were two binary distributions\n"
1094 " available for Windows, one that supported capturing packets, and one\n"
1095 " that didn't. The version that supported capturing packets required\n"
1096 " that you install the WinPcap driver; if you didn't install it, it\n"
1097 " would fail to run because it couldn't find packet.dll.\n"
1099 " The current version of Ethereal has only one binary distribution for\n"
1100 " Windows; that version will check whether WinPcap is installed and, if\n"
1101 " it's not, will disable support for packet capture.\n"
1103 " The WinPcap driver and libraries can be downloaded from the WinPcap\n"
1104 " Web site, the local mirror of the WinPcap Web site, or the\n"
1105 " Wiretapped.net mirror of the WinPcap site.\n"
1107 " Q 5.16: I'm running Ethereal on Windows; why does some network\n"
1108 " interface on my machine not show up in the list of interfaces in the\n"
1109 " \"Interface:\" field in the dialog box popped up by \"Capture->Start\",\n"
1110 " and/or why does Ethereal give me an error if I try to capture on that\n"
1113 " A: If you are running Ethereal on Windows NT 4.0, Windows 2000,\n"
1114 " Windows XP, or Windows Server, and this is the first time you have run\n"
1115 " a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,\n"
1116 " or Analyzer, or...) since the machine was rebooted, you need to run\n"
1117 " that program from an account with administrator privileges; once you\n"
1118 " have run such a program, you will not need administrator privileges to\n"
1119 " run any such programs until you reboot.\n"
1121 " If you are running on Windows 95/98/Me, or if you are running on\n"
1122 " Windows NT 4.0/2000/XP/Server and have administrator privileges or a\n"
1123 " WinPcap-based program has been run with those privileges since the\n"
1124 " machine rebooted, then note that Ethereal relies on the WinPcap\n"
1125 " library, on the WinPcap device driver, and on the facilities that come\n"
1126 " with the OS on which it's running in order to do captures.\n"
1128 " Therefore, if the OS, the WinPcap library, or the WinPcap driver don't\n"
1129 " support capturing on a particular network interface device, Ethereal\n"
1130 " won't be able to capture on that device.\n"
1133 " * 2.02 and earlier versions of the WinPcap driver and library that\n"
1134 " Ethereal uses for packet capture didn't support Token Ring\n"
1135 " interfaces; the current version, 2.3, does support Token Ring, and\n"
1136 " the current version of Ethereal works with (and, in fact,\n"
1137 " requires) WinPcap 2.1 or later.\n"
1138 " If you are having problems capturing on Token Ring interfaces, and\n"
1139 " you have WinPcap 2.02 or an earlier version of WinPcap installed,\n"
1140 " you should uninstall WinPcap, download and install the current\n"
1141 " version of WinPcap, and then install the latest version of\n"
1143 " * On Windows 95, 98, or Me, sometimes more than one interface will\n"
1144 " be given the same name; if that is the case, you will only be able\n"
1145 " to capture on one of those interfaces - it's not clear to which\n"
1146 " one the name, when used in a WinPcap-based application, will\n"
1147 " refer. For example, if you have a PPP serial interface and a VPN\n"
1148 " interface, they might show up with the same name, for example\n"
1149 " \"ppp-mac\", and if you try to capture on \"ppp-mac\", it might not\n"
1150 " capture on the interface you're currently using. In that case, you\n"
1151 " might, for example, have to remove the VPN interface from the\n"
1152 " system in order to capture on the PPP serial interface.\n"
1153 " * WinPcap doesn't support PPP WAN interfaces on Windows\n"
1154 " NT/2000/XP/Server, so Ethereal cannot capture packets on those\n"
1155 " devices when running on Windows NT/2000/XP/Server. Regular dial-up\n"
1156 " lines, ISDN lines, and various other lines such as T1/E1 lines are\n"
1157 " all PPP interfaces. This may cause the interface not to show up on\n"
1158 " the list of interfaces in the \"Capture Options\" dialog.\n"
1159 " * WinPcap prior to 3.0 does not support multiprocessor machines\n"
1160 " (note that machines with a single multi-threaded processor, such\n"
1161 " as Intel's new multi-threaded x86 processors, are multiprocessor\n"
1162 " machines as far as the OS and WinPcap are concerned), and recent\n"
1163 " 2.x versions of WinPcap refuse to operate if they detect that\n"
1164 " they're running on a multiprocessor machine, which means that they\n"
1165 " may not show any network interfaces. You will need to use WinPcap\n"
1166 " 3.0 to capture on a multiprocessor machine.\n"
1168 " If an interface doesn't show up in the list of interfaces in the\n"
1169 " \"Interface:\" field, and you know the name of the interface, try\n"
1170 " entering that name in the \"Interface:\" field and capturing on that\n"
1173 " If the attempt to capture on it succeeds, the interface is somehow not\n"
1174 " being reported by the mechanism Ethereal uses to get a list of\n"
1175 " interfaces; please report this to ethereal-dev@ethereal.com giving\n"
1176 " full details of the problem, including\n"
1177 " * the operating system you're using, and the version of that\n"
1178 " operating system;\n"
1179 " * the type of network device you're using.\n"
1181 " If you are having trouble capturing on a particular network interface,\n"
1182 " and you've made sure that (on platforms that require it) you've\n"
1183 " arranged that packet capture support is present, as per the above,\n"
1184 " first try capturing on that device with WinDump; see the WinDump Web\n"
1185 " site or the local mirror of the WinDump Web site for information on\n"
1188 " If you can capture on the interface with WinDump, send mail to\n"
1189 " ethereal-users@ethereal.com giving full details of the problem,\n"
1191 " * the operating system you're using, and the version of that\n"
1192 " operating system;\n"
1193 " * the type of network device you're using;\n"
1194 " * the error message you get from Ethereal.\n"
1196 " If you cannot capture on the interface with WinDump, this is almost\n"
1197 " certainly a problem with one or more of:\n"
1198 " * the operating system you're using;\n"
1199 " * the device driver for the interface you're using;\n"
1200 " * the WinPcap library and/or the WinPcap device driver;\n"
1202 " so first check the WinPcap FAQ, the local mirror of that FAQ, or the\n"
1203 " Wiretapped.net mirror of that FAQ, to see if your problem is mentioned\n"
1204 " there. If not, then see the WinPcap support page (or the local mirror\n"
1205 " of that page) - check the \"Submitting bugs\" section.\n"
1209 " You may also want to ask the ethereal-users@ethereal.com and the\n"
1210 " winpcap-users@winpcap.polito.it mailing lists to see if anybody\n"
1211 " happens to know about the problem and know a workaround or fix for the\n"
1212 " problem. (Note that you will have to subscribe to that list in order\n"
1213 " to be allowed to mail to it; see the WinPcap support page, or the\n"
1214 " local mirror of that page, for information on the mailing list.) In\n"
1215 " your mail, please give full details of the problem, as described\n"
1216 " above, and also indicate that the problem occurs with WinDump, not\n"
1217 " just with Ethereal.\n"
1219 " Q 5.17: I'm running on a UNIX-flavored OS; why does some network\n"
1220 " interface on my machine not show up in the list of interfaces in the\n"
1221 " \"Interface:\" field in the dialog box popped up by \"Capture->Start\",\n"
1222 " and/or why does Ethereal give me an error if I try to capture on that\n"
1225 " A: You may need to run Ethereal from an account with sufficient\n"
1226 " privileges to capture packets, such as the super-user account. Only\n"
1227 " those interfaces that Ethereal can open for capturing show up in that\n"
1228 " list; if you don't have sufficient privileges to capture on any\n"
1229 " interfaces, no interfaces will show up in the list.\n"
1231 " If you are running Ethereal from an account with sufficient\n"
1232 " privileges, then note that Ethereal relies on the libpcap library, and\n"
1233 " on the facilities that come with the OS on which it's running in order\n"
1234 " to do captures.\n"
1236 " Therefore, if the OS or the libpcap library don't support capturing on\n"
1237 " a particular network interface device, Ethereal won't be able to\n"
1238 " capture on that device.\n"
1240 " On Linux, note that you need to have \"packet socket\" support enabled\n"
1241 " in your kernel; see the \"Packet socket\" item in the Linux\n"
1242 " \"Configure.help\" file.\n"
1244 " On BSD, note that you need to have BPF support enabled in your kernel;\n"
1245 " see the documentation for your system for information on how to enable\n"
1246 " BPF support (if it's not enabled by default on your system).\n"
1248 " On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have\n"
1249 " packet filtering support in your kernel; the doconfig command will\n"
1250 " allow you to configure and build a new kernel with that option.\n"
1252 " On Solaris, note that libpcap 0.6.2 and earlier didn't support Token\n"
1253 " Ring interfaces; the current version, 0.7.2, does support Token Ring,\n"
1254 " and the current version of Ethereal works with libpcap 0.7.2 and later.\n"
1256 " If an interface doesn't show up in the list of interfaces in the\n"
1257 " \"Interface:\" field, and you know the name of the interface, try\n"
1258 " entering that name in the \"Interface:\" field and capturing on that\n"
1261 " If the attempt to capture on it succeeds, the interface is somehow not\n"
1262 " being reported by the mechanism Ethereal uses to get a list of\n"
1263 " interfaces; please report this to ethereal-dev@ethereal.com giving\n"
1264 " full details of the problem, including\n"
1265 " * the operating system you're using, and the version of that\n"
1266 " operating system (for Linux, give both the version number of the\n"
1267 " kernel and the name and version number of the distribution you're\n"
1269 " * the type of network device you're using.\n"
1271 " If you are having trouble capturing on a particular network interface,\n"
1272 " and you've made sure that (on platforms that require it) you've\n"
1273 " arranged that packet capture support is present, as per the above,\n"
1274 " first try capturing on that device with tcpdump.\n"
1276 " If you can capture on the interface with tcpdump, send mail to\n"
1277 " ethereal-users@ethereal.com giving full details of the problem,\n"
1279 " * the operating system you're using, and the version of that\n"
1280 " operating system (for Linux, give both the version number of the\n"
1281 " kernel and the name and version number of the distribution you're\n"
1283 " * the type of network device you're using;\n"
1284 " * the error message you get from Ethereal.\n"
1286 " If you cannot capture on the interface with tcpdump, this is almost\n"
1287 " certainly a problem with one or more of:\n"
1288 " * the operating system you're using;\n"
1289 " * the device driver for the interface you're using;\n"
1290 " * the libpcap library;\n"
1292 " so you should report the problem to the company or organization that\n"
1293 " produces the OS (in the case of a Linux distribution, report the\n"
1294 " problem to whoever produces the distribution).\n"
1296 " You may also want to ask the ethereal-users@ethereal.com and the\n"
1297 " tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to\n"
1298 " know about the problem and know a workaround or fix for the problem.\n"
1299 " In your mail, please give full details of the problem, as described\n"
1300 " above, and also indicate that the problem occurs with tcpdump not just\n"
1303 " Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine\n"
1304 " has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the\n"
1305 " \"Interface\" item in the \"Capture Options\" dialog box. Why can no\n"
1306 " packets be sent on or received from that network while I'm trying to\n"
1307 " capture traffic on that interface?\n"
1309 " A: WinPcap doesn't support PPP WAN interfaces on Windows\n"
1310 " NT/2000/XP/Server; one symptom that may be seen is that attempts to\n"
1311 " capture in promiscuous mode on the interface cause the interface to be\n"
1312 " incapable of sending or receiving packets. You can disable promiscuous\n"
1313 " mode using the -p command-line flag or the item in the \"Capture\n"
1314 " Preferences\" dialog box, but this may mean that outgoing packets, or\n"
1315 " incoming packets, won't be seen in the capture.\n"
1317 " Q 5.19: I'm running Ethereal on Windows 95/98/Me, on a machine with\n"
1318 " more than one network adapter of the same type; Ethereal shows all of\n"
1319 " those adapters with the same name, but I can't use any of those\n"
1320 " adapters other than the first one.\n"
1322 " A: Unfortunately, Windows 95/98/Me gives the same name to multiple\n"
1323 " instances of the same type of network adapter. Therefore, WinPcap\n"
1324 " cannot distinguish between them, so a WinPcap-based application can\n"
1325 " capture only on the first such interface; Ethereal is a\n"
1326 " libpcap/WinPcap-based application.\n"
1328 " Q 5.20: I'm running Ethereal on Windows, and I'm not seeing any\n"
1329 " traffic being sent by the machine running Ethereal.\n"
1331 " A: If you are running some form of VPN client software, it might be\n"
1332 " causing this problem; people have seen this problem when they have\n"
1333 " Check Point's VPN software installed on their machine. If that's the\n"
1334 " cause of the problem, you will have to remove the VPN software in\n"
1335 " order to have Ethereal (or any other application using WinPcap) see\n"
1336 " outgoing packets; unfortunately, neither we nor the WinPcap developers\n"
1337 " know any way to make WinPcap and the VPN software work well together.\n"
1339 " Q 5.21: I'm trying to capture traffic but I'm not seeing any.\n"
1341 " A: Is the machine running Ethereal sending out any traffic on the\n"
1342 " network interface on which you're capturing, or receiving any traffic\n"
1343 " on that network, or is there any broadcast traffic on the network or\n"
1344 " multicast traffic to a multicast group to which the machine running\n"
1345 " Ethereal belongs?\n"
1347 " If not, this may just be a problem with promiscuous sniffing, either\n"
1348 " due to running on a switched network or a dual-speed hub, or due to\n"
1349 " problems with the interface not supporting promiscuous mode; see the\n"
1350 " response to this earlier question.\n"
1352 " Otherwise, on Windows, see the response to this question and, on a\n"
1353 " UNIX-flavored OS, see the response to this question.\n"
1355 " Q 5.22: I have an XXX network card on my machine; if I try to capture\n"
1356 " on it, my machine crashes or resets itself. \n"
1358 " A: This is almost certainly a problem with one or more of:\n"
1359 " * the operating system you're using;\n"
1360 " * the device driver for the interface you're using;\n"
1361 " * the libpcap/WinPcap library and, if this is Windows, the WinPcap\n"
1365 " * if you are using Windows, see the WinPcap support page (or the\n"
1366 " local mirror of that page) - check the \"Submitting bugs\" section;\n"
1367 " * if you are using some Linux distribution, some version of BSD, or\n"
1368 " some other UNIX-flavored OS, you should report the problem to the\n"
1369 " company or organization that produces the OS (in the case of a\n"
1370 " Linux distribution, report the problem to whoever produces the\n"
1373 " Q 5.23: My machine crashes or resets itself when I select \"Start\" from\n"
1374 " the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n"
1376 " A: Both of those operations cause Ethereal to try to build a list of\n"
1377 " the interfaces that it can open; it does so by getting a list of\n"
1378 " interfaces and trying to open them. There is probably an OS, driver,\n"
1379 " or, for Windows, WinPcap bug that causes the system to crash when this\n"
1380 " happens; see the previous question.\n"
1382 " Q 5.24: Does Ethereal work on Windows ME? \n"
1384 " A: Yes, but if you want to capture packets, you will need to install\n"
1385 " the latest version of WinPcap, as 2.02 and earlier versions of WinPcap\n"
1386 " didn't support Windows ME. You should also install the latest version\n"
1387 " of Ethereal.\n"
1389 " Q 5.25: Does Ethereal work on Windows XP? \n"
1391 " A: Yes, but if you want to capture packets, you will need to install\n"
1392 " the latest version of WinPcap, as 2.2 and earlier versions of WinPcap\n"
1393 " didn't support Windows XP.\n"
1395 " Q 5.26: Why doesn't Ethereal correctly identify RTP packets? It shows\n"
1396 " them only as UDP.\n"
1398 " A: Ethereal can identify a UDP datagram as containing a packet of a\n"
1399 " particular protocol running atop UDP only if\n"
1400 " 1. The protocol in question has a particular standard port number,\n"
1401 " and the UDP source or destination port number is that port\n"
1402 " 2. Packets of that protocol can be identified by looking for a\n"
1403 " \"signature\" of some type in the packet - i.e., some data that, if\n"
1404 " Ethereal finds it in some particular part of a packet, means that\n"
1405 " the packet is almost certainly a packet of that type.\n"
1406 " 3. Some other traffic earlier in the capture indicated that, for\n"
1407 " example, UDP traffic between two particular addresses and ports\n"
1408 " will be RTP traffic.\n"
1410 " RTP doesn't have a standard port number, so 1) doesn't work; it\n"
1411 " doesn't, as far as I know, have any \"signature\", so 2) doesn't work.\n"
1413 " That leaves 3). If there's RTSP traffic that sets up an RTP session,\n"
1414 " then, at least in some cases, the RTSP dissector will set things up so\n"
1415 " that subsequent RTP traffic will be identified. Currently, that's the\n"
1416 " only place we do that; there may be other places.\n"
1418 " However, there will always be places where Ethereal is simply\n"
1419 " incapable of deducing that a given UDP flow is RTP; a mechanism would\n"
1420 " be needed to allow the user to specify that a given conversation\n"
1421 " should be treated as RTP. As of Ethereal 0.8.16, such a mechanism\n"
1422 " exists; if you select a UDP or TCP packet, the right mouse button menu\n"
1423 " will have a \"Decode As...\" menu item, which will pop up a dialog box\n"
1424 " letting you specify that the source port, the destination port, or\n"
1425 " both the source and destination ports of the packet should be\n"
1426 " dissected as some particular protocol.\n"
" Q 5.27: Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
" that contain Yahoo Messenger traffic?\n"
" A: Ethereal only recognizes as Yahoo Messenger traffic packets to or\n"
" from TCP port 3050 that begin with \"YPNS\", \"YHOO\", or \"YMSG\". TCP\n"
" segments that start with the middle of a Yahoo Messenger packet that\n"
" takes more than one TCP segment will not be recognized as Yahoo\n"
" Messenger packets (even if the TCP segment also contains the beginning\n"
" of another Yahoo Messenger packet).\n"
" Q 5.28: Why do I get the error \n"
" Gdk-ERROR **: Palettized display (256-colour) mode not supported on\n"
" when I try to run Ethereal on Windows?\n"
" A: Ethereal is built using the GTK+ toolkit, which supports most\n"
" UNIX-flavored OSes, and also supports Windows; that toolkit doesn't\n"
" support 256-color mode on Windows - it requires HiColor (16-bit\n"
" colors) or more. If your display supports more than 256 colors, switch\n"
" to a display mode with more colors; if it doesn't support more than\n"
" 256 colors, you will be unable to run Ethereal.\n"
" Q 5.29: When I capture on Windows in promiscuous mode, I can see\n"
" packets other than those sent to or from my machine; however, those\n"
" packets show up with a \"Short Frame\" indication, unlike packets to or\n"
" from my machine. What should I do to arrange that I see those packets\n"
" in their entirety? \n"
" A: In at least some cases, this appears to be the result of PGPnet\n"
" running on the network interface on which you're capturing; turn it\n"
" off on that interface.\n"
" Q 5.30: How can I capture raw 802.11 packets, including non-data\n"
" (management, beacon) packets? \n"
" A: That would require that your 802.11 interface run in the mode\n"
" called \"monitor mode\" or \"RFMON mode\". Not all operating systems\n"
" support that and, even on operating systems that do support it, not\n"
" all drivers, and thus not all cards, support it.\n"
" Cisco Aironet cards:\n"
" The only platforms that allow Ethereal to capture raw 802.11 packets\n"
" on Cisco Aironet cards are:\n"
" * Linux, with a 2.4.6 or later kernel;\n"
" * FreeBSD 4.6 or later, as the driver in FreeBSD 4.5 has bugs that\n"
" cause packets not to be captured correctly, and the driver in\n"
" releases prior to 4.5 didn't support capturing raw packets.\n"
" On FreeBSD, the ancontrol utility must be used; do not enable the full\n"
" Aironet header via BPF, as Ethereal doesn't currently support that.\n"
" On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will\n"
"echo \"Mode: rfmon\" >/proc/driver/aironet/ethN/Config\n"
" if your Aironet card is ethN. To capture traffic from any BSS, do\n"
"echo \"Mode: y\" >/proc/driver/aironet/ethN/Config\n"
" and to return to the normal mode, do\n"
"echo \"Mode: ess\" >/proc/driver/aironet/ethN/Config\n"
" On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers\n"
" from the airo-linux SourceForge site, you will have to capture on the\n"
" wifiN interface if your Aironet card is ethN, after running the\n"
" commands listed above.\n"
" In all of those cases, Ethereal would have to be linked with libpcap\n"
" 0.7.1 or later; this means that most Ethereal binary packages won't\n"
" work unless they're statically linked with libpcap 0.7.1 or later, or\n"
" they're dynamically linked with libpcap and your system has a libpcap\n"
" 0.7.1 or later shared library installed (note that the libpcap source\n"
" package from tcpdump.org does not build shared libraries). Some binary\n"
" packaging mechanisms might make it difficult to install Ethereal\n"
" binary packages built to depend on older libpcap binary packages if\n"
" you have a newer libpcap binary package installed; the installer\n"
" programs for those packaging mechanisms might support disabling\n"
" dependency checking so that they will install Ethereal even though a\n"
" newer version of libpcap is installed.\n"
" Cards using the Prism II chip set (see this page of Linux 802.11\n"
" information for details on wireless cards, including information on\n"
" the chips they use):\n"
" You can capture raw 802.11 packets with Prism II cards on Linux\n"
" systems with the 0.1.14-pre6 or later version of the linux-wlan-ng\n"
" drivers (see the linux-wlan page, and the linux-wlan-ng tarball\n"
" Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his\n"
" libpcap-0.7.1-prism.diff file, or his RPMs of that version of\n"
" libpcap), or the current CVS version of libpcap, which includes his\n"
" patch (download it from the \"Current Tar files\" section of the\n"
" tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and\n"
" rebuild and install libpcap, or if you build and install the current\n"
" CVS version of libpcap, you would have to rebuild Ethereal from\n"
" source, linking it with that new version of libpcap; an Ethereal\n"
" binary package would not work. Ethereal binary packages might work if\n"
" you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install\n"
" a libpcap shared library in place of the one on your system.\n"
" You may have to run a command to put the interface into monitor mode,\n"
" or to change other interface settings, and you might have to capture\n"
" on a wlanN interface rather than an ethN interface, in order to capture\n"
" raw 802.11 packets. The interface settings are available in your\n"
" wlan-ng.conf file. See the wlan-ng FAQ for additional information.\n"
" On other platforms, capturing raw 802.11 packets on Prism II cards is\n"
" not currently supported.\n"
" Orinoco Silver and Gold cards:\n"
" On Linux systems, there are patches on the Orinoco Monitor Mode Patch\n"
" Page that should allow you to capture raw 802.11 packets. You will\n"
" have to determine which version of the driver you have, and select the\n"
" appropriate patch.\n"
" Note that the page indicates that not all versions of the Orinoco\n"
" firmware support this patch. It says, for some versions of the patch,\n"
" \"This patch should allow monitor mode with v8.10 firmware (untested w/\n"
" 8.42);\" if you have version 8.10 or later firmware on your Orinoco\n"
" cards, you might have to use those patches, with the corresponding\n"
" versions of the Orinoco driver, in order to run in monitor mode.\n"
" That patch is written for the drivers included with the pcmcia-cs\n"
" drivers, but works equally well for the Orinoco drivers provided with\n"
" Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,\n"
" simply copy the orinoco-09b-patch.diff file to the\n"
" /usr/src/linux/drivers/net directory and patch according to the\n"
" directions on the Orinoco Monitor Mode Patch Page. You can\n"
" double-check the version of the Orinoco drivers that shipped with your\n"
" kernel by examining the first few lines of the orinoco.c file.\n"
" The Orinoco patches require either Solomon Peachy's patch to libpcap\n"
" 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that\n"
" version of libpcap), or the current CVS version of libpcap, which\n"
" includes his patch (download it from the \"Current Tar files\" section\n"
" of the tcpdump.org Web site). If you apply his patches to libpcap\n"
" 0.7.1 and rebuild and install libpcap, or if you build and install the\n"
" current CVS version of libpcap, you would have to rebuild Ethereal\n"
" from source, linking it with that new version of libpcap; an Ethereal\n"
" binary package would not work. Ethereal binary packages might work if\n"
" you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install\n"
" a libpcap shared library in place of the one on your system.\n"
" On other platforms, capturing raw 802.11 packets on Orinoco cards is\n"
" not currently supported.\n"
" Other 802.11 interfaces:\n"
" With other 802.11 interfaces, no platform allows Ethereal to capture\n"
" raw 802.11 packets, as far as we know. If you know of other 802.11\n"
" interfaces that are supported (note that there are many \"Prism II\n"
" cards\", so your card might be a Prism II card), please let us know,\n"
" and include URLs for sites containing any necessary patches to add\n"
" On platforms that don't allow Ethereal to capture raw 802.11 packets,\n"
" the 802.11 network will appear like an Ethernet to Ethereal.\n"
" Q 5.31: How can I capture packets with CRC errors? \n"
" A: Ethereal can capture only the packets that the packet capture\n"
" library - libpcap on UNIX-flavored OSes, and the WinPcap port to\n"
" Windows of libpcap on Windows - can capture, and libpcap/WinPcap can\n"
" capture only the packets that the OS's raw packet capture mechanism\n"
" (or the WinPcap driver, and the underlying OS networking code and\n"
" network interface drivers, on Windows) will allow it to capture.\n"
" Unless the OS can be configured to supply packets with errors such as\n"
" invalid CRCs to the raw packet capture mechanism, Ethereal - and other\n"
" programs that capture raw packets, such as tcpdump - cannot capture\n"
" those packets. You will have to determine whether your OS can be so\n"
" configured, configure it if possible, and make whatever changes to\n"
" libpcap and the packet capture program you're using are necessary to\n"
" support capturing those packets.\n"
" Q 5.32: How can I capture entire frames, including the FCS? \n"
" A: Ethereal can capture only the data that the packet capture library -\n"
" libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of\n"
" libpcap on Windows - can capture, and libpcap/WinPcap can capture only\n"
" the data that the OS's raw packet capture mechanism (or the WinPcap\n"
" driver, and the underlying OS networking code and network interface\n"
" drivers, on Windows) will allow it to capture.\n"
" For any particular link-layer network type, unless the OS supplies the\n"
" FCS of a frame as part of the frame, or can be configured to supply\n"
" the FCS of a frame as part of the frame, Ethereal - and other programs\n"
" that capture raw packets, such as tcpdump - cannot capture the FCS of\n"
" a frame. You will have to determine whether your OS can be so\n"
" configured, configure it if possible, and make whatever changes to\n"
" libpcap and the packet capture program you're using are necessary to\n"
" support capturing the FCS of a frame. Most if not all OSes probably do\n"
" not support capturing the FCS of a frame on Ethernet, and probably do\n"
" not support it on most other link-layer types.\n"
" Q 5.33: Ethereal hangs after I stop a capture. \n"
" A: The most likely reason for this is that Ethereal is trying to look\n"
" up an IP address in the capture to convert it to a name (so that, for\n"
" example, it can display the name in the source address or destination\n"
" address columns), and that lookup process is taking a very long time.\n"
" Ethereal calls a routine in the OS of the machine on which it's\n"
" running to convert IP addresses to the corresponding names. That\n"
" routine probably does one or more of:\n"
" * a search of a system file listing IP addresses and names;\n"
" * a lookup using DNS;\n"
" * on UNIX systems, a lookup using NIS;\n"
" * on Windows systems, a NetBIOS-over-TCP query.\n"
" If a DNS server that's used in an address lookup is not responding,\n"
" the lookup will fail, but will only fail after a timeout while the\n"
" system routine waits for a reply.\n"
" In addition, on Windows systems, if the DNS lookup of the address\n"
" fails, either because the server isn't responding or because there are\n"
" no records in the DNS that could be used to map the address to a name,\n"
" a NetBIOS-over-TCP query will be made. That query involves sending a\n"
" message to the NetBIOS-over-TCP name service on that machine, asking\n"
" for the name and other information about the machine. If the machine\n"
" isn't running software that responds to those queries - for example,\n"
" many non-Windows machines wouldn't be running that software - the\n"
" lookup will only fail after a timeout. Those timeouts can cause the\n"
" lookup to take a long time.\n"
" If you disable network address-to-name translation - for example, by\n"
" turning off the \"Enable network name resolution\" option in the \"Name\n"
" resolution\" options in the dialog box you get by selecting\n"
" \"Preferences\" from the \"Edit\" menu - the lookups of the address won't\n"
" be done, which may speed up the process of reading the capture file\n"
" after the capture is stopped. You can make that setting the default by\n"
" using the \"Save\" button in that dialog box; note that this will save\n"
" all your current preference settings.\n"
" If Ethereal hangs when reading a capture even with network name\n"
" resolution turned off, there might, for example, be a bug in one of\n"
" Ethereal's dissectors for a protocol causing it to loop infinitely.\n"
" The bug should be reported to the Ethereal developers' mailing list at\n"
" ethereal-dev@ethereal.com.\n"
" On UNIX-flavored OSes, please try to force Ethereal to dump core, by\n"
" sending it a SIGABRT signal (usually signal 6) with the kill command,\n"
" and then get a stack trace if you have a debugger installed. A stack\n"
" trace can be obtained by using your debugger (gdb in this example),\n"
" the Ethereal binary, and the resulting core file. Here's an example of\n"
" how to use the gdb command backtrace to do so.\n"
" $ gdb ethereal core\n"
" (gdb) backtrace\n"
" ..... prints the stack trace\n"
" The core dump file may be named \"ethereal.core\" rather than \"core\" on\n"
" some platforms (e.g., BSD systems).\n"
" Also, if at all possible, please send a copy of the capture file that\n"
" caused the problem; when capturing packets, Ethereal normally writes\n"
" captured packets to a temporary file, which will probably be in /tmp\n"
" or /var/tmp on UNIX-flavored OSes and \\TEMP on Windows, so the capture\n"
" file will probably be there. It will have a name beginning with ether,\n"
" with some mixture of letters and numbers after that. Please don't send\n"
" a trace file greater than 1 MB when compressed. If the trace file\n"
" contains sensitive information (e.g., passwords), then please do not\n"
" Q 5.34: How can I search for, or filter, packets that have a\n"
" particular string anywhere in them? \n"
" A: Currently, you can't.\n"
" That's a feature that would be hard to implement in capture filters\n"
" without changes to the capture filter code, which, on many platforms,\n"
" is in the OS kernel and, on other platforms, is in the libpcap\n"
" It would be easier to implement in display filters, but it hasn't been\n"
" implemented yet. It would be best implemented as a display filter\n"
" \"string match\" operator, which would let you check not only the entire\n"
" packet for a string, but check portions of the packet for a string. It\n"
" should probably not use a naive string matching mechanism, as there\n"
" are mechanisms much faster than the naive one.\n"
" Support can be found on the ethereal-users[AT]ethereal.com mailing\n"
" For corrections/additions/suggestions for this page, please send email\n"
" to: ethereal-web[AT]ethereal.com\n"
" Last modified: Sat, July 19 2003.\n"
#define FAQ_SIZE 78005
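Added example, not part of the Ethereal source or of the FAQ text: a C sketch of the recognition rule that Q 5.27 describes (TCP port 3050 plus a leading "YPNS", "YHOO" or "YMSG"), showing why a segment that starts mid-packet is not classified even when a later packet begins inside it. The function names, the offset-scanning helper and the sample segments are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define YMSG_TCP_PORT 3050   /* port given in the Q 5.27 answer */

/* Signatures the FAQ lists for the start of a Yahoo Messenger packet. */
static const char *const ymsg_sigs[] = { "YPNS", "YHOO", "YMSG" };

/* Return 1 if the four bytes at p equal one of the signatures. */
static int ymsg_sig_at(const unsigned char *p)
{
    size_t i;
    for (i = 0; i < sizeof ymsg_sigs / sizeof ymsg_sigs[0]; i++)
        if (memcmp(p, ymsg_sigs[i], 4) == 0)
            return 1;
    return 0;
}

/* The rule from the answer: port 3050 on either side AND the TCP
 * segment payload begins with a signature. Nothing else is checked. */
int ymsg_recognized(unsigned sport, unsigned dport,
                    const unsigned char *payload, size_t len)
{
    if (sport != YMSG_TCP_PORT && dport != YMSG_TCP_PORT)
        return 0;
    if (len < 4)
        return 0;
    return ymsg_sig_at(payload);
}

/* Hypothetical helper (an assumption, not an Ethereal function):
 * offset of the first signature anywhere in the segment, or -1.
 * It exposes what the start-only check skips; a bare byte scan can
 * also match message data, so treat a hit as a hint, not a verdict. */
long ymsg_first_sig_offset(const unsigned char *payload, size_t len)
{
    size_t off;
    for (off = 0; off + 4 <= len; off++)
        if (ymsg_sig_at(payload + off))
            return (long)off;
    return -1;
}

/* Constructed sample segments (not taken from a real capture). */
static const unsigned char seg_start[] = "YMSG\x00\x09\x00\x00hello";
static const unsigned char seg_mid[]   = "tail-of-previousYMSG\x00\x09";
```

When reviewing a capture for this traffic, a segment on port 3050 that the start-only rule rejects but that has a signature at a non-zero offset is a continuation segment of the kind the answer says goes unrecognized.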