NOTE: this document applies to the Wireshark source releases and buildbot source tarballs. It does not apply to source code checked out directly from Git, as files such as the configuration script are not checked into Git, but need to be generated from the autoconf and automake files. See https://wiki.wireshark.org/Development if you would like to build the source code checked out directly from Git. Installation ============ These are installation instructions for Unix and Unix-like systems that can run the "configure" script in this same directory. These are not the installation instructions for Windows systems; see README.windows for those instructions. 0. This is software. Beware. 1. If you wish to build Wireshark, make sure you have GTK+ and GLib installed. Try running 'pkg-config glib-2.0 --modversion' to see if you have GLib 2.x installed. Then try running 'pkg-config gtk+-3.0 --modversion' to see if you have GTK+ 3.x installed and, if that fails, try running 'pkg-config gtk+-2.0 --modversion' to see if you have GTK+ 2.x installed. Wireshark needs version 3.0.0 or above of gtk+-3.0 or 2.12.0 or above of gtk+-2.0 and version 2.16.0 or above of glib-2.0. If you need to install or re-install GTK+ or GLIB, you can find the packages at: http://www.gtk.org If you installed GTK+ from a binary package, you may have to install a "development" package; there may be separate "user's" and "developer's" packages, with the former not including header files and the like. For example, Red Hat users will need to install a "gtk-devel" .rpm. Note also that Wireshark configuration defaults to using GTK+ 3.x; you need to configure with --disable-gtk3 to use GTK+ 2.x. 2. If you wish to build TShark, the line-mode version of Wireshark, make sure you have GLIB installed. See note #1 above for instructions on checking if you have GLIB installed. You can download GLIB from the same site as GTK. 3. If you want to capture packets, make sure you have libpcap installed. The latest "official" version can be found at http://www.tcpdump.org . If you installed libpcap from a binary package, you may have to install a "development" package; for example, there's apparently a "libpcap0" Debian package, but it just includes a shared library, a copyright notice, changelog files, and a README file - you also need to install a "libpcap-dev" package to get header files, a non-shared library, and the man page. Similarly, Red Hat users will need to install a "libpcap-devel" .rpm to go along with the "libpcap" .rpm. 4. Building Wireshark requires Perl (specifically the pod2man program) so that the documentation can be built. 5. Building Wireshark requires Python. 6. Run './configure' in the Wireshark distribution directory. Running './configure --help' displays a complete list of options. The file 'INSTALL.configure' contains general instructions for using 'configure' and 'make'. Some of the Wireshark non-generic configure options are as follows: --disable-usr-local By default 'configure' will look in /usr/local/{include,lib} for additional header files and libraries. Using this switch keeps 'configure' from looking there --disable-wireshark By default 'configure' tries to find the GTK+ libraries so Wireshark, the GUI packet analyzer, can be built. You can disable the build of the GUI version of Wireshark with this switch. --without-gtk3 Don't try to build a Gtk+ 3.x-based Wireshark. If given in conjunction with --disable-gtk2 then the Gtk+ GUI is disabled (and only the Qt GUI is built). --without-gtk2 Don't try to build a Gtk+ 2.x-based Wireshark. If given in conjunction with --disable-gtk3 then the Gtk+ GUI is disabled (and only the Qt GUI is built). --without-qt Don't try to build a Qt-based Wireshark. --disable-tshark By default the line-mode packet analyzer, TShark, is built. Use this switch to avoid building it. --disable-editcap By default the capture-file editing program is built. Use this switch to avoid building it. --disable-capinfos By default the capture-file statistics reporting pogram is built. Use this switch to avoid building it. --disable-captype By default the capture-type reporting pogram is built. Use this switch to avoid building it. --disable-mergecap By default the capture-file merging program is built. Use this switch to avoid building it. --disable-reordercap By default the capture-file reordering program is built. Use this switch to avoid building it. --disable-text2pcap By default the hex-dump-to-capture file conversion program is built. Use this switch to avoid building it. --disable-dftest By default the display-filter-compiler test program is built. Use this switch to avoid building it. --disable-randpkt By default the program which creates random packet-capture files is built. Use this switch to avoid building it. --disable-dumpcap By default the network traffic capture program is built. Use this switch to avoid building it. --disable-rawshark By default the program used to dump and analyze raw libpcap data is built. Use this switch to avoid building it. --disable-ipv6 If 'configure' finds support for IPv6 name resolution on your system, the packet analyzers will make use of it. To avoid using IPv6 name resolution if you have the support for it, use this switch. --enable-setuid-install Wireshark and TShark rely on dumpcap for packet capture. Setting this flag installs dumpcap with setuid root permissions, which lets any user on the system capture live traffic. If this is not desired, you can restrict dumpcap's permissions so that only a single user or group can run it. This can be used in conjunction with --with-libcap described below. Running Wireshark or TShark as root is not recommended. --without-libcap By default, if 'configure' finds libcap (the POSIX capabilities library) dumpcap will be built so that if it is installed setuid root, it will attempt to retain CAP_NET_RAW and CAP_NET_ADMIN before dropping root privileges. Use this option to disable this behavior. --with-libcap=DIR Use this option to tell 'configure' where libcap is installed, if it is installed in a non-standard location. Note that libcap (the POSIX capabilities library, sans "p") and libpcap (the packet capture library, avec "p") are two very different things. --without-pcap If you choose to build a packet analyzer that can analyze capture files but cannot capture packets on its own, but you *do* have libpcap installed, or if you are trying to build Wireshark on a system that doesn't have libpcap installed (in which case you have no choice but to build a version that can analyze capture files but cannot capture packets on its own), use --without-pcap to avoid using libpcap. --with-pcap=DIR Use this to tell Wireshark where you have libpcap installed, if it is installed in a non-standard location. --without-zlib By default, if 'configure' finds zlib (a.k.a, libz), the wiretap library will be built so that it can read compressed capture files. If you have zlib but do not wish to build it into the wiretap library, used by Wireshark, TShark, and the capture-file utilities that come in this package, use this switch. --with-zlib=DIR Use this to tell Wireshark where you have zlib installed, if it is installed in a non-standard location. --without-plugins By default, if your system can support run-time loadable modules, the packet analyzers are build with support for plugins. Use this switch to build packet analyzers without plugin support. --with-plugins=DIR By default, plugins are installed in ${LIBDIR}/wireshark/plugins/${VERSION} ${LIBDIR} can be set with --libdir, or defaults to ${EPREFIX/lib} ${EPREFIX} can be set with --exec-prefix, or defaults to ${PREFIX} ${VERSION} is the Wireshark version. Use this switch to change the location where plugins are installed. 7. After running './configure', you will see a summary of some of the options you chose. Ensure that the summary reflects what you want. If it doesn't, re-run './configure' with new options. 8. Run 'make'. Hopefully, you won't run into any problems. 9. Run './wireshark' or './tshark' or ./dumpcap, and make sure things are working. You must have root privileges in order to capture live data. 10./a. Run 'make install'. If you're running a system that supports the RPM, OSX, or System V Release 4 packaging systems, you can run one of make rpm-package # Builds a binary package using rpm make svr4-package # Builds a binary package using pkgmk make solaris-package # Same as "make svr4-package" make osx-package # Builds a binary package for OSX to make an installable package for your system. 10/b. If you 're running a system that supports APT (Debian/Ubuntu/etc.) run dpkg-buildpackage -us -uc -rfakeroot in the source directory right after extracting of checking out Wireshark's source code. (You don't have to run configure/make/etc. prior to running dpkg-buildpackage) If you have trouble with the build or installation process, you can find assistance on the wireshark-users and wireshark-dev mailing lists (see http://www.wireshark.org/lists/ for details) or the Wireshark Q&A site: https://ask.wireshark.org .