6 Wireshark is a network traffic analyzer, or "sniffer", for Unix and
7 Unix-like operating systems. It uses GTK+, a graphical user interface
8 library, and libpcap, a packet capture and filtering library.
10 The Wireshark distribution also comes with Tshark, which is a
11 line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the
12 same dissection, capture-file reading and writing, and packet filtering
13 code as Wireshark, and with editcap, which is a program to read capture
14 files and write the packets from that capture file, possibly in a
15 different capture file format, and with some packets possibly removed
18 The official home of Wireshark is
20 http://www.wireshark.org
22 The latest distribution can be found in the subdirectory
24 http://www.wireshark.org/download
30 Wireshark is known to compile and run on the following systems:
32 - Linux (2.0 and later kernels, various distributions)
33 - Solaris (2.5.1 and later)
34 - FreeBSD (2.2.5 and later)
37 - Mac OS X (10.2 and later)
38 - HP-UX (10.20, 11.00, 11.11)
39 - Sequent PTX v4.4.5 (Nick Williams <njw@sequent.com>)
40 - Tru64 UNIX (formerly Digital UNIX) (3.2 and later)
42 - AIX (4.3.2, with a bit of work)
43 - Win32 (NT, 2000, 2003, XP, Vista)
45 and possibly on other versions of those OSes. It should run on other
46 Unix-ish systems without too much trouble.
48 NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to
49 work with the "make" that comes with Solaris 7 nor the BSD "make".
50 Perl is also needed to create the man page.
52 If you decide to modify the yacc grammar or lex scanner, then
53 you need "flex" - it cannot be built with vanilla "lex" -
54 and either "bison" or the Berkeley "yacc". Your flex
55 version must be 2.5.1 or greater. Check this with 'flex -V'.
57 If you decide to modify the NetWare Core Protocol dissector, you
58 will need python, as the data for packet types is stored in a python
61 You must therefore install Perl, GNU "make", "flex", and either "bison" or
62 Berkeley "yacc" on systems that lack them.
64 Full installation instructions can be found in the INSTALL file.
66 See also the appropriate README.<OS> files for OS-specific installation
72 In order to capture packets from the network, you need to be running as
73 root, or have access to the appropriate entry under /dev if your system
74 is so inclined (BSD-derived systems, and systems such as Solaris and
75 HP-UX that support DLPI, typically fall into this category). Although
76 it might be tempting to make the Wireshark executable setuid root, please
77 don't. The capture process has been isolated in dumpcap, which can be
78 installed setuid root. This simple program is less likely to contain
81 Please consult the man page for a description of each command-line
82 option and interface feature.
88 The wiretap library is a packet-capture library currently under
89 development parallel to wireshark. In the future it is hoped that
90 wiretap will have more features than libpcap, but wiretap is still in
91 its infancy. However, wiretap is used in wireshark for its ability
92 to read multiple file types. You can read the following file
95 libpcap (tcpdump -w, etc.) - this is Wireshark's native format
97 Shomiti/Finisar Surveyor
99 Network General/Network Associates DOS-based Sniffer (compressed and
101 Microsoft Network Monitor
103 Cinco Networks NetXRray
104 Network Associates Windows-based Sniffer
105 AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp
106 RADCOM's WAN/LAN Analyzer
107 Lucent/Ascend access products
109 Toshiba's ISDN routers
110 ISDN4BSD "i4btrace" utility
111 Cisco Secure Intrustion Detection System iplogging facility
112 pppd logs (pppdump-format files)
113 VMS's TCPIPtrace utility
114 DBS Etherwatch for VMS
115 Traffic captures from Visual Networks' Visual UpTime
116 CoSine L2 debug output
117 Output from Accellent's 5Views LAN agents
118 Endace Measurement Systems' ERF format
119 Linux Bluez Bluetooth stack "hcidump -w" traces
120 Network Instruments Observer version 9
121 Trace files for the EyeSDN USB S0
123 In addition, it can read gzipped versions of any of these files
124 automatically, if you have the zlib library available when compiling
125 Wireshark. Wireshark needs a modern version of zlib to be able to use
126 zlib to read gzipped files; version 1.1.3 is known to work. Versions
127 prior to 1.0.9 are missing some functions that Wireshark needs and won't
128 work. "./configure" should detect if you have the proper zlib version
129 available and, if you don't, should disable zlib support. You can always
130 use "./configure --disable-zlib" to explicitly disable zlib support.
132 Although Wireshark can read AIX iptrace files, the documentation on
133 AIX's iptrace packet-trace command is sparse. The 'iptrace' command
134 starts a daemon which you must kill in order to stop the trace. Through
135 experimentation it appears that sending a HUP signal to that iptrace
136 daemon causes a graceful shutdown and a complete packet is written
137 to the trace file. If a partial packet is saved at the end, Wireshark
138 will complain when reading that file, but you will be able to read all
139 other packets. If this occurs, please let the Wireshark developers know
140 at wireshark-dev@wireshark.org, and be sure to send us a copy of that trace
141 file if it's small and contains non-sensitive data.
143 Support for Lucent/Ascend products is limited to the debug trace output
144 generated by the MAX and Pipline series of products. Wireshark can read
145 the output of the "wandsession" "wandisplay", "wannext", and "wdd"
148 Wireshark can also read dump trace output from the Toshiba "Compact Router"
149 line of ISDN routers (TR-600 and TR-650). You can telnet to the router
150 and start a dump session with "snoop dump".
152 CoSine L2 debug output can also be read by Wireshark. To get the L2
153 debug output, get in the diags mode first and then use
154 "create-pkt-log-profile" and "apply-pkt-log-profile" commands under
155 layer-2 category. For more detail how to use these commands, you
156 should examine the help command by "layer-2 create ?" or "layer-2 apply ?".
158 To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must
159 capture the trace output to a file on disk. The trace is happening inside
160 the router and the router has no way of saving the trace to a file for you.
161 An easy way of doing this under Unix is to run "telnet <ascend> | tee <outfile>".
162 Or, if your system has the "script" command installed, you can save
163 a shell session, including telnet to a file. For example, to a file named
166 $ script tracefile.out
167 Script started on <date/time>
169 ..... do your trace, then exit from the router's telnet session.
171 Script done on <date/time>
177 If your operating system includes IPv6 support, wireshark will attempt to
178 use reverse name resolution capabilities when decoding IPv6 packets.
180 If you want to turn off name resolution while using wireshark, start
181 wireshark with the "-n" option to turn off all name resolution (including
182 resolution of MAC addresses and TCP/UDP/SMTP port numbers to names), or
183 with the "-N mt" option to turn off name resolution for all
184 network-layer addresses (IPv4, IPv6, IPX).
186 You can make that the default setting by opening the Preferences dialog
187 box using the Preferences item in the Edit menu, selecting "Name
188 resolution", turning off the appropriate name resolution options,
189 clicking "Save", and clicking "OK".
191 If you would like to compile wireshark without support for IPv6 name
192 resolution, use the "--disable-ipv6" option with "./configure". If you
193 compile wireshark without IPv6 name resolution, you will still be able to
194 decode IPv6 packets, but you'll only see IPv6 addresses, not host names.
199 Wireshark can do some basic decoding of SNMP packets; it can also use
200 the libsmi library to do more sophisticated decoding, by reading MIB
201 files and using the information in those files to display OIDs and
202 variable binding values in a friendlier fashion. The configure script
203 will automatically determine whether you have the libsmi library on
204 your system. If you have the libsmi library but _do not_ want to have
205 Wireshark use it, you can run configure with the "--without-libsmi"
210 Wireshark is still under constant development, so it is possible that you will
211 encounter a bug while using it. Please report bugs to http://bugs.wireshark.org.
214 1) Operating System and version (the command 'uname -sr' may
215 tell you this, although on Linux systems it will probably
216 tell you only the version number of the Linux kernel, not of
217 the distribution as a whole; on Linux systems, please tell us
218 both the version number of the kernel, and which version of
219 which distribution you're running)
220 2) Version of GTK+ (the command 'gtk-config --version' will tell you)
221 3) Version of Wireshark (the command 'wireshark -v' will tell you,
222 unless the bug is so severe as to prevent that from working,
223 and should also tell you the versions of libraries with which
225 4) The command you used to invoke Wireshark, and the sequence of
226 operations you performed that caused the bug to appear
228 If the bug is produced by a particular trace file, please be sure to send
229 a trace file along with your bug description. Please don't send a trace file
230 greater than 1 MB when compressed. If the trace file contains sensitive
231 information (e.g., passwords), then please do not send it.
233 If Wireshark died on you with a 'segmentation violation', 'bus error',
234 'abort', or other error that produces a UNIX core dump file, you can
235 help the developers a lot if you have a debugger installed. A stack
236 trace can be obtained by using your debugger ('gdb' in this example),
237 the wireshark binary, and the resulting core file. Here's an example of
238 how to use the gdb command 'backtrace' to do so.
242 ..... prints the stack trace
246 The core dump file may be named "wireshark.core" rather than "core" on
247 some platforms (e.g., BSD systems). If you got a core dump with
248 Tshark rather than Wireshark, use "tshark" as the first argument to
249 the debugger; the core dump may be named "tshark.core".
254 There is no warranty, expressed or implied, associated with this product.
255 Use at your own risk.
258 Gerald Combs <gerald@wireshark.org>
259 Gilbert Ramirez <gram@alumni.rice.edu>
260 Guy Harris <guy@alum.mit.edu>