--- /dev/null
+#!/usr/bin/env python
+#
+# faq.py
+#
+# Routines to assemble a FAQ list for the Wireshark web site.
+# Reduces the amount of HTML and WML formatting that the person
+# who wanted to add to the FAQ has to deal with.
+# It numbers the sections and questions automatically, too.
+#
+# $Id$
+
+import string
+
+class faq_section:
+ def __init__(self, name, secnum):
+ self.name = name
+ self.secnum = secnum
+ self.qa = []
+ self.subsecs = []
+
+ def add_qa(self, question, answer, tag):
+ q_num = len(self.qa) + 1
+ q_id = "%s.%d" % (self.get_num_string(), q_num)
+ self.qa.append( (q_id, question, answer, tag) )
+
+ def get_all_qa(self):
+ return self.qa
+
+ def add_subsec(self, subsec):
+ self.subsecs.append(subsec)
+
+ def get_all_subsecs(self):
+ return self.subsecs
+
+ def get_num_string(self):
+ return "%d" % (self.secnum)
+
+ def get_name(self):
+ return self.name
+
+ def get_num_name(self):
+ return "%s. %s" % (self.get_num_string(), self.name)
+
+ def get_header_level(self):
+ return 3
+
+ def print_index(self):
+ print "<a href=#sec%s><h%d>%s:</h%d></a>\n" % (self.get_num_string(), self.get_header_level(), self.get_num_name(), self.get_header_level())
+ for qa in self.qa:
+ id = qa[0]
+ question = qa[1]
+ print '<p class="faq_q">'
+ print '<a class="faq_qnum" href=#q%s>%s %s</a>\n' % (id, id, question)
+ print '</p>'
+ for subsec in self.subsecs:
+ subsec.print_index()
+
+ def print_contents(self):
+ # Table header
+ print """
+ <a name="sec%s">
+ <h%d>%s</h%d>
+ </a>
+""" % (self.get_num_string(), self.get_header_level(), self.get_num_name(), self.get_header_level())
+
+ # Questions and Answers
+ for qa in self.qa:
+ id = qa[0]
+ question = qa[1]
+ answer = qa[2]
+ tag = qa[3]
+
+ print '<p class="faq_q">'
+ print '<a class="faq_qnum" name=q%s>Q %s:</a>' % (id, id)
+ if tag is not None:
+ print '<a name=%s>' % tag
+ print '<span>%s</span>' % (question)
+ if tag is not None:
+ print '</a>'
+ print '</p>'
+
+ print '<p class="faq_a">'
+ print '<span class="faq_anum">A:</span>\n'
+ print answer
+ print '</p>'
+
+ # Subsections
+ for subsec in self.subsecs:
+ subsec.print_contents()
+
+ # Table footer
+ print ""
+
+class faq_subsection(faq_section):
+ def __init__(self, name, secnum, subsecnum):
+ self.name = name
+ self.secnum = secnum
+ self.subsecnum = subsecnum
+ self.qa = []
+ self.subsecs = []
+
+ def get_num_string(self):
+ return "%d.%d" % (self.secnum, self.subsecnum)
+
+ def get_header_level(self):
+ return 2
+
+class faq_subsubsection(faq_section):
+ def __init__(self, name, secnum, subsecnum, subsubsecnum):
+ self.name = name
+ self.secnum = secnum
+ self.subsecnum = subsecnum
+ self.subsubsecnum = subsubsecnum
+ self.qa = []
+ self.subsecs = []
+
+ def get_num_string(self):
+ return "%d.%d.%d" % (self.secnum, self.subsecnum, self.subsubsecnum)
+
+ def get_header_level(self):
+ return 2
+
+sec_num = 0
+subsec_num = 0
+subsubsec_num = 0
+sections = []
+current_section = None
+parent_section = None
+grandparent_section = None
+current_question = None
+current_tag = None
+
+# Make a URL of itself
+def selflink(text):
+ return "<a href=\"%s\">%s</a>" % (text, text)
+
+# Add a section
+def section(name):
+ global sec_num
+ global subsec_num
+ global subsubsec_num
+ global current_section
+ global grandparent_section
+ assert not current_question
+ sec_num = sec_num + 1
+ subsec_num = 0
+ subsubsec_num = 0
+ sec = faq_section(name, sec_num)
+ sections.append(sec)
+ current_section = sec
+ grandparent_section = sec
+
+# Add a subsection
+def subsection(name):
+ global subsec_num
+ global subsubsec_num
+ global current_section
+ global parent_section
+ global grandparent_section
+ assert not current_question
+ subsec_num = subsec_num + 1
+ subsubsec_num = 0
+ sec = faq_subsection(name, sec_num, subsec_num)
+ grandparent_section.add_subsec(sec)
+ current_section = sec
+ parent_section = sec
+
+# Add a subsubsection
+def subsubsection(name):
+ global subsubsec_num
+ global current_section
+ global parent_section
+ assert not current_question
+ subsubsec_num = subsubsec_num + 1
+ sec = faq_subsubsection(name, sec_num, subsec_num, subsubsec_num)
+ parent_section.add_subsec(sec)
+ current_section = sec
+
+# Add a question
+def question(text, tag=None):
+ global current_question
+ global current_tag
+ assert current_section
+ assert not current_question
+ assert not current_tag
+ current_question = text
+ current_tag = tag
+
+# Add an answer
+def answer(text):
+ global current_question
+ global current_tag
+ assert current_section
+ assert current_question
+ current_section.add_qa(current_question, text, current_tag)
+ current_question = None
+ current_tag = None
+
+
+# Create the index
+def create_index():
+ print """
+ <a name="index">
+ <h1>Index</h1>
+ </a>
+"""
+ for sec in sections:
+ sec.print_index()
+
+ print """
+"""
+
+
+# Print result
+def create_output():
+
+ create_index()
+
+ for sec in sections:
+ sec.print_contents()
+
+
+#################################################################
+section("General Questions")
+#################################################################
+
+question("What is Wireshark?")
+answer("""
+Wireshark® is the world's most popular network protocol analyzer. It has a
+rich and powerful feature set and runs on most computing platforms including
+Windows, OS X, Linux, and UNIX. Network professionals, security experts,
+developers, and educators around the world use it regularly. It is freely
+available as open source, and is released under the GNU General Public
+License version 2.
+
+<br />
+
+It is developed and maintained by a global team of protocol experts, and
+it is an example of a
+<a href="http://en.wikipedia.org/wiki/Disruptive_technology">disruptive
+technology</a>.
+
+<br />
+
+Wireshark used to be known as Ethereal®. See the next question
+for details about the name change. If you're still using Ethereal, it
+is <a href="http://www.ethereal.com/appnotes/enpa-sa-00024.html">strongly
+recommended that you upgrade to Wireshark</a>.
+
+<br />
+
+For more information, please see the
+<a href="/about.html">About Wireshark</a>
+page.
+""")
+
+
+question("What's up with the name change? Is Wireshark a fork?")
+answer("""
+In May of 2006, Gerald Combs (the original author of Ethereal)
+went to work for CACE Technologies (best known for WinPcap).
+Unfortunately, he had to leave the Ethereal trademarks behind.
+
+<br />
+
+This left the project in an awkward position. The only reasonable way
+to ensure the continued success of the project was to change the name.
+This is how Wireshark was born.
+
+<br />
+
+Wireshark is almost (but not quite) a fork. Normally a "fork" of an open source
+project results in two names, web sites, development teams, support
+infrastructures, etc. This is the case with Wireshark except for one notable
+exception -- every member of the core development team is now working on
+Wireshark. There has been no active development on Ethereal since the name
+change. Several parts of the Ethereal web site (such as the mailing lists,
+source code repository, and build farm) have gone offline.
+
+<br />
+
+More information on the name change can be found here:
+
+<ul class="item_list">
+
+ <li><href url="http://www.prweb.com/releases/2006/6/prweb396098.htm" name="Original press release">
+ <li><href url="http://trends.newsforge.com/article.pl?sid=06/06/09/1349255&from=rss" name="NewsForge article">
+ <li>Many other articles in <href url="bibliography.html" name="our bibliography">
+</ul>
+""")
+
+
+question("Where can I get help?")
+answer("""
+Community support is available on the wireshark-users mailing list.
+Subscription information and archives for all of Wireshark's mailing
+lists can be found at %s. An IRC channel dedicated to Wireshark can
+be found at %s.
+
+<br />
+
+Self-paced and instructor-led training is available at
+<a href="http://www.wiresharku.com">Wireshark University</a>. A
+certification program will be announced in Q3 2007.
+
+<br />
+
+Commercial support and development services are available
+from <a href="http://www.cacetech.com/">CACE Technologies</a>.
+""" % (selflink("https://www.wireshark.org/mailman/listinfo"),
+ selflink("irc://irc.freenode.net/wireshark")
+ ))
+
+
+question("What kind of shark is Wireshark?")
+answer("""
+<i>carcharodon photoshopia</i>.
+""")
+
+
+question("How is Wireshark pronounced, spelled and capitalized?")
+answer("""
+Wireshark is pronounced as the word <i>wire</i> followed immediately by
+the word <i>shark</i>. Exact pronunciation and emphasis may vary
+depending on your locale (e.g. Arkansas).
+
+<br />
+
+It's spelled with a capital <i>W</i>, followed by a lower-case
+<i>ireshark</i>. It is not a CamelCase word, i.e., <i>WireShark</i>
+is incorrect.
+""")
+
+
+question("How much does Wireshark cost?", "but_thats_not_all")
+answer("""
+Wireshark is "free software"; you can download it without paying any
+license fee. The version of Wireshark you download isn't a "demo"
+version, with limitations not present in a "full" version; it
+<em>is</em> the full version.
+
+<br />
+
+The license under which Wireshark is issued is <a
+href="http://www.gnu.org/licenses/gpl.html">the GNU General Public
+License</a>. See <a href="http://www.gnu.org/licenses/gpl-faq.html">the
+GNU GPL FAQ</a> for some more information.
+""")
+
+question("But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off?")
+answer("""
+That depends. Did they provide any sort of value-added product or service, such
+as installation support, installation media, training, trace file analysis, or
+funky-colored shark-themed socks? Probably not.
+
+<br />
+
+Wireshark is <a href="/download.html">available for anyone to download,
+absolutely free, at any time</a>. Paying for a copy implies that you should
+get something for your money.
+""")
+
+question("Can I use Wireshark commercially?")
+answer("""
+Yes, if, for example, you mean "I work for a commercial organization;
+can I use Wireshark to capture and analyze network traffic in our
+company's networks or in our customer's networks?"
+
+<br />
+
+If you mean "Can I use Wireshark as part of my commercial product?", see
+<a href="#derived_work_gpl">the next entry in the FAQ</a>.
+""")
+
+
+question("Can I use Wireshark as part of my commercial product?",
+"derived_work_gpl")
+
+answer("""
+As noted, Wireshark is licensed under <a
+href="http://www.gnu.org/licenses/gpl.html">the GNU General Public
+License</a>. The GPL imposes conditions on your use of GPL'ed code in
+your own products; you cannot, for example, make a "derived work" from
+Wireshark, by making modifications to it, and then sell the resulting
+derived work and not allow recipients to give away the resulting work.
+You must also make the changes you've made to the Wireshark source
+available to all recipients of your modified version; those changes
+must also be licensed under the terms of the GPL. See the <a
+href="http://www.gnu.org/licenses/gpl-faq.html">GPL FAQ</a> for more
+details; in particular, note the answer to <a
+href="http://www.gnu.org/licenses/gpl-faq.html#GPLCommercially">the
+question about modifying a GPLed program and selling it
+commercially</a>, and <a
+href="http://www.gnu.org/licenses/gpl-faq.html#LinkingWithGPL">the
+question about linking GPLed code with other code to make a proprietary
+program</a>.
+
+<br />
+
+You can combine a GPLed program such as Wireshark and a commercial
+program as long as they communicate "at arm's length", as per <a
+href="http://www.gnu.org/licenses/gpl-faq.html#GPLInProprietarySystem">this
+item in the GPL FAQ</a>.
+
+<br />
+
+We recommend keeping Wireshark and your product completely separate,
+communicating over sockets or pipes. If you're loading any part of
+Wireshark as a DLL, you're probably doing it wrong.
+""")
+
+question("What protocols are currently supported?")
+answer("""
+There are currently hundreds of supported
+protocols and media. Details can be found in the
+<a href="/docs/man-pages/wireshark.html">wireshark(1)</a> man page.
+""")
+
+
+question("Are there any plans to support {your favorite protocol}?")
+answer("""
+Support for particular protocols is added to Wireshark as a result of
+people contributing that support; no formal plans for adding support for
+particular protocols in particular future releases exist.
+""")
+
+
+question("""Can Wireshark read capture files from {your favorite network
+analyzer}?""")
+
+answer("""
+Support for particular protocols is added to Wireshark as a result of
+people contributing that support; no formal plans for adding support for
+particular protocols in particular future releases exist.
+
+<br />
+
+If a network analyzer writes out files in a format already supported by
+Wireshark (e.g., in libpcap format), Wireshark may already be able to read
+them, unless the analyzer has added its own proprietary extensions to
+that format.
+
+<br />
+
+If a network analyzer writes out files in its own format, or has added
+proprietary extensions to another format, in order to make Wireshark read
+captures from that network analyzer, we would either have to have a
+specification for the file format, or the extensions, sufficient to give
+us enough information to read the parts of the file relevant to
+Wireshark, or would need at least one capture file in that format
+<strong>AND</strong> a detailed textual analysis of the packets in that
+capture file (showing packet time stamps, packet lengths, and the
+top-level packet header) in order to reverse-engineer the file
+format.
+
+<br />
+
+Note that there is no guarantee that we will be able to reverse-engineer
+a capture file format.
+""")
+
+
+question("What devices can Wireshark use to capture packets?")
+answer("""
+Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP
+and SLIP) (if the OS on which it's running allows Wireshark to do so),
+802.11 wireless LAN (if the OS on which it's running allows Wireshark to
+do so), ATM connections (if the OS on which it's running allows Wireshark
+to do so), and the "any" device supported on Linux by recent versions of
+libpcap.
+
+<br />
+
+See <a href="http://wiki.wireshark.org/CaptureSetup/NetworkMedia">the list of
+supported capture media on various OSes</a> for details (several items
+in there say "Unknown", which doesn't mean "Wireshark can't capture on
+them", it means "we don't know whether it can capture on them"; we
+expect that it will be able to capture on many of them, but we haven't
+tried it ourselves - if you try one of those types and it works, please
+update the wiki page accordingly.
+
+<br />
+
+It can also read a variety of capture file formats, including:
+
+<ul>
+
+<li> AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet Grabber captures
+<li> AIX's iptrace captures
+<li> Accellent's 5Views LAN agent output
+<li> Cinco Networks NetXRay captures
+<li> Cisco Secure Intrusion Detection System IPLog output
+<li> CoSine L2 debug output
+<li> DBS Etherwatch VMS text output
+<li> Endace Measurement Systems' ERF format captures
+<li> EyeSDN USB S0 traces
+<li> HP-UX nettl captures
+<li> ISDN4BSD project i4btrace captures
+<li> Linux Bluez Bluetooth stack hcidump -w traces
+<li> Lucent/Ascend router debug output
+<li> Microsoft Network Monitor captures
+<li> Network Associates Windows-based Sniffer captures
+<li> Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
+<li> Network Instruments Observer version 9 captures
+<li> Novell LANalyzer captures
+<li> RADCOM's WAN/LAN analyzer captures
+<li> Shomiti/Finisar Surveyor captures
+<li> Toshiba's ISDN routers dump output
+<li> VMS TCPIPtrace/TCPtrace/UCX$TRACE output
+<li> Visual Networks' Visual UpTime traffic capture
+<li> libpcap, tcpdump and various other tools using tcpdump's capture format
+<li> snoop and atmsnoop output
+
+</ul>
+
+so that it can read traces from various network types, as captured by
+other applications or equipment, even if it cannot itself capture on
+those network types.
+""")
+
+question("""
+Does Wireshark work on Windows Vista or Windows Server 2008?
+""")
+
+answer("""
+Yes, but if you want to capture packets as a normal user, you must make sure
+npf.sys is loaded. Wireshark's installer enables this by default. This is not a
+concern if you run Wireshark as Administrator, but this is discouraged. See the
+<a
+href="http://wiki.wireshark.org/CaptureSetup/CapturePrivileges#windows">CapturePrivileges</a>
+page on the wiki for more details.
+""")
+
+#################################################################
+section("Downloading Wireshark")
+#################################################################
+
+
+question("""Why do I get an error when I try to run the Win32 installer?""")
+
+answer("""
+The program you used to download it may have downloaded it incorrectly.
+Web browsers and download accelerators sometimes may do this.
+
+<br />
+
+Try downloading it with, for example:
+<ul>
+<li>Wget, for which Windows binaries are available from <a
+href="http://www.christopherlewis.com/WGet/WGetFiles.htm">Christopher Lewis</a>
+or
+<a href="http://www.jensroesner.de/wgetgui/">wGetGUI</a>, which offers a GUI
+interface that uses wget;
+
+<li>WS_FTP from <a href="http://www.ipswitch.com/">Ipswitch</a>,
+
+<li>the <tt>ftp</tt> command that comes with Windows.
+
+</ul>
+
+If you use the <tt>ftp</tt> command, make sure you do the transfer in
+binary mode rather than ASCII mode, by using the <tt>binary</tt> command
+before transferring the file.
+""")
+
+
+
+#################################################################
+section("Installing Wireshark")
+#################################################################
+
+
+question("""I installed the Wireshark RPM (or other package); why did
+it install TShark but not Wireshark?""")
+
+answer("""
+Many distributions have separate Wireshark packages, one for non-GUI
+components such as TShark, editcap, dumpcap, etc. and one for the GUI.
+If this is the case on your system, there's probably a separate package
+named <tt>wireshark-gnome</tt> or <tt>wireshark-gtk+</tt>. Find it and
+install it.
+""")
+
+
+#################################################################
+section("Building Wireshark")
+#################################################################
+
+
+question("""I have libpcap installed; why did the configure script not
+find pcap.h or bpf.h?""")
+
+answer("""
+Are you sure pcap.h and bpf.h are installed? The official distribution
+of libpcap only installs the libpcap.a library file when "make install"
+is run. To install pcap.h and bpf.h, you must run "make install-incl".
+If you're running Debian or Redhat, make sure you have the "libpcap-dev"
+or "libpcap-devel" packages installed.
+
+<br />
+
+It's also possible that pcap.h and bpf.h have been installed in a strange
+location. If this is the case, you may have to tweak aclocal.m4.
+""")
+
+
+question("""
+Why do I get the error
+
+<blockquote><samp>dftest_DEPENDENCIES was already defined in condition TRUE,
+which implies condition HAVE_PLUGINS_TRUE</samp></blockquote>
+
+when I try to build Wireshark from SVN or a SVN snapshot?
+""")
+
+answer("""
+You probably have automake 1.5 installed on your machine (the command
+<kbd>automake --version</kbd> will report the version of automake on
+your machine). There is a bug in that version of automake that causes
+this problem; upgrade to a later version of automake (1.6 or later).
+""")
+
+question("""
+Why does the linker fail with a number of "Output line too long." messages
+followed by linker errors when I try to buil Wireshark?
+""")
+
+answer("""
+The version of the <tt>sed</tt> command on your system is incapable of
+handling very long lines. On Solaris, for example,
+<tt>/usr/bin/sed</tt> has a line length limit too low to allow
+<tt>libtool</tt> to work; <tt>/usr/xpg4/bin/sed</tt> can handle it, as
+can GNU <tt>sed</tt> if you have it installed.
+
+<br />
+
+On Solaris, changing your command search path to search
+<tt>/usr/xpg4/bin</tt> before <tt>/usr/bin</tt> should make the problem
+go away; on any platform on which you have this problem, installing GNU
+<tt>sed</tt> and changing your command path to search the directory in
+which it is installed before searching the directory with the version of
+<tt>sed</tt> that came with the OS should make the problem go away.
+""")
+
+question("""
+When I try to build Wireshark on Solaris, why does the link fail
+complaining that <tt>plugin_list</tt> is undefined?
+""")
+
+answer("""
+This appears to be due to a problem with some versions of the GTK+ and
+GLib packages from www.sunfreeware.org; un-install those packages, and
+try getting the 1.2.10 versions from that site, or the versions from <a
+href="http://www.thewrittenword.com">The Written Word</a>, or the
+versions from Sun's GNOME distribution, or the versions from the
+supplemental software CD that comes with the Solaris media kit, or build
+them from source from <a href="http://www.gtk.org/">the GTK Web
+site</a>. Then re-run the configuration script, and try rebuilding
+Wireshark. (If you get the 1.2.10 versions from www.sunfreeware.org, and
+the problem persists, un-install them and try installing one of the
+other versions mentioned.)
+""")
+
+question("""
+When I try to build Wireshark on Windows, why does the build fail because
+of conflicts between <tt>winsock.h</tt> and <tt>winsock2.h</tt>?
+""")
+
+answer("""
+As of Wireshark 0.9.5, you must install WinPcap 2.3 or later, and the
+corresponding version of the developer's pack, in order to be able to
+compile Wireshark; it will not compile with older versions of the
+developer's pack. The symptoms of this failure are conflicts between
+definitions in <tt>winsock.h</tt> and in <tt>winsock2.h</tt>; Wireshark
+uses <tt>winsock2.h</tt>, but pre-2.3 versions of the WinPcap
+developer's packet use <tt>winsock.h</tt>. (2.3 uses
+<tt>winsock2.h</tt>, so if Wireshark were to use <tt>winsock.h</tt>, it
+would not be able to build with current versions of the WinPcap
+developer's pack.)
+
+<br />
+
+Note that the installed version of the developer's pack should be the
+same version as the version of WinPcap you have installed.
+""")
+
+#################################################################
+section("Starting Wireshark")
+#################################################################
+
+
+question("""Why does Wireshark crash with a Bus Error when I try to run
+it on Solaris 8?""")
+
+answer("""
+Some versions of the GTK+ library from www.sunfreeware.org appear to be
+buggy, causing Wireshark to drop core with a Bus Error. Un-install those
+packages, and try getting the 1.2.10 version from that site, or the
+version from <a href="http://www.thewrittenword.com">The Written
+Word</a>, or the version from Sun's GNOME distribution, or the version
+from the supplemental software CD that comes with the Solaris media kit,
+or build it from source from <a href="http://www.gtk.org/">the GTK Web
+site</a>. Update the GLib library to the 1.2.10 version, from the same
+source, as well. (If you get the 1.2.10 versions from
+www.sunfreeware.org, and the problem persists, un-install them and try
+installing one of the other versions mentioned.)
+
+<br />
+
+Similar problems may exist with older versions of GTK+ for earlier
+versions of Solaris.
+""")
+
+question("""When I run Wireshark on Windows NT, why does it die with a Dr.
+Watson error, reporting an "Integer division by zero" exception, when I
+start it?""")
+
+answer("""
+In at least some case, this appears to be due to using the
+default VGA driver; if that's not the correct driver for your video
+card, try running the correct driver for your video card.
+""")
+
+question("""When I try to run Wireshark, why does it complain about
+<tt>sprint_realloc_objid</tt> being undefined?""")
+
+answer("""
+Wireshark can only be linked with version 4.2.2 or later of UCD SNMP.
+Your version of Wireshark was dynamically linked with such a version of
+UCD SNMP; however, you have an older version of UCD SNMP installed,
+which means that when Wireshark is run, it tries to link to the older
+version, and fails. You will have to replace that version of UCD SNMP
+with version 4.2.2 or a later version.
+""")
+
+question("""
+I've installed Wireshark from Fink on Mac OS X; why is it very slow to
+start up?
+""")
+
+answer("""
+When an application is installed on OS X, prior to 10.4, it is usually
+"prebound" to speed up launching the application. (That's what the
+"Optimizing" phase of installation is.)
+
+<br />
+
+Fink normally performs prebinding automatically when you install a
+package. However, in some rare cases, for whatever reason the prebinding
+caches get corrupt, and then not only does prebinding fail, but startup
+actually becomes much slower, because the system tries in vain to
+perform prebinding "on the fly" as you launch the application. This
+fails, causing sometimes huge delays.
+
+<br />
+
+To fix the prebinding caches, run the command
+
+<pre>
+ sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
+</pre>
+""")
+
+#################################################################
+section("Crashes and other fatal errors")
+#################################################################
+
+
+question("""
+I have an XXX network card on my machine; if I try to capture on it, why
+does my machine crash or reset itself?
+""")
+
+answer("""
+This is almost certainly a problem with one or more of:
+
+<ul>
+<li>the operating system you're using;
+<li>the device driver for the interface you're using;
+<li>the libpcap/WinPcap library and, if this is Windows, the WinPcap
+device driver;
+</ul>
+
+so:
+
+<ul>
+<li>if you are using Windows, see <a
+href="http://www.winpcap.org/contact.htm">the WinPcap support
+page</a> - check the "Submitting bugs" section;
+<li>if you are using some Linux distribution, some version of BSD, or
+some other UNIX-flavored OS, you should report the problem to the
+company or organization that produces the OS (in the case of a Linux
+distribution, report the problem to whoever produces the distribution).
+</ul>
+""")
+
+question("""
+Why does my machine crash or reset itself when I select "Start" from the
+"Capture" menu or select "Preferences" from the "Edit" menu?
+""")
+
+answer("""
+Both of those operations cause Wireshark to try to build a list of the
+interfaces that it can open; it does so by getting a list of interfaces
+and trying to open them. There is probably an OS, driver, or, for
+Windows, WinPcap bug that causes the system to crash when this happens;
+see the previous question.
+""")
+
+#################################################################
+section("Capturing packets")
+#################################################################
+
+
+question("""When I use Wireshark to capture packets, why do I see only
+packets to and from my machine, or not see all the traffic I'm expecting
+to see from or to the machine I'm trying to monitor?""", "promiscsniff")
+
+answer("""
+This might be because the interface on which you're capturing is plugged
+into an Ethernet or Token Ring switch; on a switched network, unicast
+traffic between two ports will not necessarily appear on other ports -
+only broadcast and multicast traffic will be sent to all ports.
+
+<br />
+
+Note that even if your machine is plugged into a hub, the "hub" may be
+a switched hub, in which case you're still on a switched network.
+
+<br />
+
+Note also that on the Linksys Web site, they say that their
+auto-sensing hubs "broadcast the 10Mb packets to the port that operate
+at 10Mb only and broadcast the 100Mb packets to the ports that operate
+at 100Mb only", which would indicate that if you sniff on a 10Mb port,
+you will not see traffic coming sent to a 100Mb port, and <i>vice
+versa</i>. This problem has also been reported for Netgear dual-speed
+hubs, and may exist for other "auto-sensing" or "dual-speed" hubs.
+
+<br />
+
+Some switches have the ability to replicate all traffic on all ports to
+a single port so that you can plug your analyzer into that single port to
+sniff all traffic. You would have to check the documentation for the
+switch to see if this is possible and, if so, to see how to do this.
+See <a href="http://wiki.wireshark.org/SwitchReference">the switch
+reference page</a> on <a href="http://wiki.wireshark.org/">the Wireshark
+Wiki</a> for information on some switches. (Note that it's a Wiki, so
+you can update or fix that information, or add additional information on
+those switches or information on new switches, yourself.)
+
+<br />
+
+Note also that many firewall/NAT boxes have a switch built into them;
+this includes many of the "cable/DSL router" boxes. If you have a box
+of that sort, that has a switch with some number of Ethernet ports into
+which you plug machines on your network, and another Ethernet port used
+to connect to a cable or DSL modem, you can, at least, sniff traffic
+between the machines on your network and the Internet by plugging
+the Ethernet port on the router going to the modem, the Ethernet port on
+the modem, and the machine on which you're running Wireshark into a hub
+(make sure it's not a switching hub, and that, if it's a dual-speed hub,
+all three of those ports are running at the same speed.
+
+<br />
+
+If your machine is <em>not</em> plugged into a switched network or a
+dual-speed hub, or it is plugged into a switched network but the port is
+set up to have all traffic replicated to it, the problem might be that
+the network interface on which you're capturing doesn't support
+"promiscuous" mode, or because your OS can't put the interface into
+promiscuous mode. Normally, network interfaces supply to the host only:
+
+<ul>
+<li>packets sent to one of that host's link-layer addresses;
+<li>broadcast packets;
+<li>multicast packets sent to a multicast address that the host has
+ configured the interface to accept.
+</ul>
+
+Most network interfaces can also be put in "promiscuous" mode, in which
+they supply to the host all network packets they see. Wireshark will try
+to put the interface on which it's capturing into promiscuous mode
+unless the "Capture packets in promiscuous mode" option is turned off in
+the "Capture Options" dialog box, and TShark will try to put the
+interface on which it's capturing into promiscuous mode unless the
+<tt>-p</tt> option was specified. However, some network interfaces
+don't support promiscuous mode, and some OSes might not allow interfaces
+to be put into promiscuous mode.
+
+<br />
+
+If the interface is not running in promiscuous mode, it won't see any
+traffic that isn't intended to be seen by your machine. It
+<strong>will</strong> see broadcast packets, and multicast packets sent
+to a multicast MAC address the interface is set up to receive.
+
+<br />
+
+You should ask the vendor of your network interface whether it supports
+promiscuous mode. If it does, you should ask whoever supplied the
+driver for the interface (the vendor, or the supplier of the OS you're
+running on your machine) whether it supports promiscuous mode with that
+network interface.
+
+<br />
+
+In the case of token ring interfaces, the drivers for some of them, on
+Windows, may require you to enable promiscuous mode in order to capture
+in promiscuous mode. See <a
+href="http://wiki.wireshark.org/CaptureSetup/TokenRing">the Wireshark
+Wiki item on Token Ring capturing</a> for details.
+
+<br />
+
+In the case of wireless LAN interfaces, it appears that, when those
+interfaces are promiscuously sniffing, they're running in a
+significantly different mode from the mode that they run in when they're
+just acting as network interfaces (to the extent that it would be a
+significant effor for those drivers to support for promiscuously
+sniffing <em>and</em> acting as regular network interfaces at the same
+time), so it may be that Windows drivers for those interfaces don't
+support promiscuous mode.
+""")
+
+question("""When I capture with Wireshark, why can't I see any TCP
+packets other than packets to and from my machine, even though another
+analyzer on the network sees those packets?""")
+
+answer("""
+You're probably not seeing <em>any</em> packets other than unicast
+packets to or from your machine, and broadcast and multicast packets; a
+switch will normally send to a port only unicast traffic sent to the MAC
+address for the interface on that port, and broadcast and multicast
+traffic - it won't send to that port unicast traffic sent to a MAC
+address for some other interface - and a network interface not in
+promiscuous mode will receive only unicast traffic sent to the MAC
+address for that interface, broadcast traffic, and multicast traffic
+sent to a multicast MAC address the interface is set up to receive.
+
+<br />
+
+TCP doesn't use broadcast or multicast, so you will only see your own
+TCP traffic, but UDP services may use broadcast or multicast so you'll
+see some UDP traffic - however, this is not a problem with TCP traffic,
+it's a problem with unicast traffic, as you also won't see all UDP
+traffic between other machines.
+
+<br />
+
+I.e., this is probably <a href="#promiscsniff">the same question
+as this earlier one</a>; see the response to that question.
+""")
+
+question("""Why am I only seeing ARP packets when I try to capture
+traffic?""")
+
+answer("""
+You're probably on a switched network, and running Wireshark on a machine
+that's not sending traffic to the switch and not being sent any traffic
+from other machines on the switch. ARP packets are often broadcast
+packets, which are sent to all switch ports.
+
+<br />
+
+I.e., this is probably <a href="#promiscsniff">the same question
+as this earlier one</a>; see the response to that question.
+""")
+
+question("""
+Why am I not seeing any traffic when I try to capture traffic?""")
+
+answer("""
+Is the machine running Wireshark sending out any traffic on the network
+interface on which you're capturing, or receiving any traffic on that
+network, or is there any broadcast traffic on the network or multicast
+traffic to a multicast group to which the machine running Wireshark
+belongs?
+
+<br />
+
+If not, this may just be a problem with promiscuous sniffing, either due
+to running on a switched network or a dual-speed hub, or due to problems
+with the interface not supporting promiscuous mode; see the response to
+<a href="#promiscsniff">this earlier question</a>.
+
+<br />
+
+Otherwise, on Windows, see the response to <a href="#capprobwin">this
+question</a> and, on a UNIX-flavored OS, see the response to <a
+href="#capprobunix">this question</a>.
+""")
+
+question("""
+Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
+""")
+
+answer("""
+Wireshark can only capture on devices supported by libpcap/WinPcap. On
+most OSes, only devices that can act as network interfaces of the type
+that support IP are supported as capture devices for libpcap/WinPcap,
+although the device doesn't necessarily have to be running as an IP
+interface in order to support traffic capture.
+
+<br />
+
+On Linux and FreeBSD, libpcap 0.8 and later support the API for <a
+href="http://www.endace.com/products.htm">Endace Measurement Systems'
+DAG cards</a>, so that a system with one of those cards, and its driver
+and libraries, installed can capture traffic with those cards with
+libpcap-based applications. You would either have to have a version of
+Wireshark built with that version of libpcap, or a dynamically-linked
+version of Wireshark and a shared libpcap library with DAG support, in
+order to do so with Wireshark. You should ask Endace whether that could
+be used to capture traffic on, for example, your T1/E1 link.
+
+<br />
+
+See <a href="http://wiki.wireshark.org/CaptureSetup/SS7">the SS7 capture
+setup page</a> on <a href="http://wiki.wireshark.org/">the Wireshark
+Wiki</a> for current information on capturing SS7 traffic on TDM
+links.
+""")
+
+question("""How do I put an interface into promiscuous mode?""")
+
+answer("""
+By not disabling promiscuous mode when running Wireshark or TShark.
+
+<br />
+
+Note, however, that:
+<ul>
+<li>the form of promiscuous mode that libpcap (the library that
+programs such as tcpdump, Wireshark, etc. use to do packet capture)
+turns on will <strong>not</strong> necessarily be shown if you run
+<tt>ifconfig</tt> on the interface on a UNIX system;
+<li>some network interfaces might not support promiscuous mode, and some
+drivers might not allow promiscuous mode to be turned on - see <a
+href="#promiscsniff">this earlier question</a> for more information on
+that;
+<li>the fact that you're not seeing any traffic, or are only seeing
+broadcast traffic, or aren't seeing any non-broadcast traffic other than
+traffic to or from the machine running Wireshark, does not mean that
+promiscuous mode isn't on - see <a href="#promiscsniff">this earlier
+question</a> for more information on that.
+</ul>
+
+I.e., this is probably <a href="#promiscsniff">the same question
+as this earlier one</a>; see the response to that question.
+""")
+
+question("""
+I can set a display filter just fine; why don't capture filters work?
+""")
+
+answer("""
+Capture filters currently use a different syntax than display filters. Here's
+the corresponding section from the
+<a href="/docs/man-pages/wireshark.html">wireshark(1)</a>
+ man page:
+
+<br />
+
+"Display filters in Wireshark are very powerful; more fields are filterable
+in Wireshark than in other protocol analyzers, and the syntax you can
+use to create your filters is richer. As Wireshark progresses, expect
+more and more protocol fields to be allowed in display filters.
+
+<br />
+
+Packet capturing is performed with the pcap library. The capture filter
+syntax follows the rules of the pcap library. This syntax is different
+from the display filter syntax."
+
+<br />
+
+The capture filter syntax used by libpcap can be found in the
+<a href="http://www.tcpdump.org/tcpdump_man.html">tcpdump(8)</a>
+man page.
+""")
+
+
+question("""I'm entering valid capture filters; why do I still get
+"parse error" errors?""")
+
+answer("""
+There is a bug in some versions of libpcap/WinPcap that cause it to
+report parse errors even for valid expressions if a previous filter
+expression was invalid and got a parse error.
+
+<br />
+
+Try exiting and restarting Wireshark; if you are using a version of
+libpcap/WinPcap with this bug, this will "erase" its memory of the
+previous parse error. If the capture filter that got the "parse error"
+now works, the earlier error with that filter was probably due to this
+bug.
+
+<br />
+
+The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
+libpcap have this bug, but 0.6[.x] and later versions don't.
+
+<br />
+
+Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
+libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
+doesn't have this bug.
+
+<br />
+
+If you are running Wireshark on a UNIX-flavored platform, run "wireshark
+-v", or select "About Wireshark..." from the "Help" menu in Wireshark, to
+see what version of libpcap it's using. If it's not 0.6 or later, you
+will need either to upgrade your OS to get a later version of libpcap,
+or will need to build and install a later version of libpcap from <a
+href="http://www.tcpdump.org/">the tcpdump.org Web site</a> and then
+recompile Wireshark from source with that later version of libpcap.
+
+<br />
+
+If you are running Wireshark on Windows with a pre-2.3 version of
+WinPcap, you will need to un-install WinPcap and then download and
+install WinPcap 2.3.
+""")
+
+question("""
+How can I capture packets with CRC errors?
+""")
+
+answer("""
+Wireshark can capture only the packets that the packet capture library -
+libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap
+on Windows - can capture, and libpcap/WinPcap can capture only the
+packets that the OS's raw packet capture mechanism (or the WinPcap
+driver, and the underlying OS networking code and network interface
+drivers, on Windows) will allow it to capture.
+
+<br />
+
+Unless the OS always supplies packets with errors such as invalid CRCs
+to the raw packet capture mechanism, or can be configured to do so,
+invalid CRCs to the raw packet capture mechanism, Wireshark - and other
+programs that capture raw packets, such as tcpdump - cannot capture
+those packets. You will have to determine whether your OS needs to be
+so configured and, if so, can be so configured, configure it if
+necessary and possible, and make whatever changes to libpcap and the
+packet capture program you're using are necessary, if any, to support
+capturing those packets.
+
+<br />
+
+Most OSes probably do <strong>not</strong> support capturing packets
+with invalid CRCs on Ethernet, and probably do not support it on most
+other link-layer types. Some drivers on some OSes do support it, such
+as some Ethernet drivers on FreeBSD; in those OSes, you might always get
+those packets, or you might only get them if you capture in promiscuous
+mode (you'd have to determine which is the case).
+
+<br />
+
+Note that libpcap does not currently supply to programs that use it an
+indication of whether the packet's CRC was invalid (because the drivers
+themselves do not supply that information to the raw packet capture
+mechanism); therefore, Wireshark will not indicate which packets had CRC
+errors unless the FCS was captured (see the next question) and you're
+using Wireshark 0.9.15 and later, in which case Wireshark will check the
+CRC and indicate whether it's correct or not.
+""")
+
+question("""
+How can I capture entire frames, including the FCS?
+""")
+
+answer("""
+Wireshark can only capture data that the packet capture library -
+libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
+libpcap on Windows - can capture, and libpcap/WinPcap can capture only
+the data that the OS's raw packet capture mechanism (or the WinPcap
+driver, and the underlying OS networking code and network interface
+drivers, on Windows) will allow it to capture.
+
+<br />
+
+For any particular link-layer network type, unless the OS supplies the
+FCS of a frame as part of the frame, or can be configured to do so,
+Wireshark - and other programs that capture raw packets, such as tcpdump
+- cannot capture the FCS of a frame. You will have to determine whether
+your OS needs to be so configured and, if so, can be so configured,
+configure it if necessary and possible, and make whatever changes to
+libpcap and the packet capture program you're using are necessary, if
+any, to support capturing the FCS of a frame.
+
+<br />
+
+Most OSes do <strong>not</strong> support capturing the FCS of a frame
+on Ethernet, and probably do not support it on most other link-layer
+types. Some drivres on some OSes do support it, such as some (all?)
+Ethernet drivers on NetBSD and possibly the driver for Apple's gigabit
+Ethernet interface in Mac OS X; in those OSes, you might always get the
+FCS, or you might only get the FCS if you capture in promiscuous mode
+(you'd have to determine which is the case).
+
+<br />
+
+Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in a
+captured packet as an FCS. 0.9.15 and later will attempt to determine
+whether there's an FCS at the end of the frame and, if it thinks there
+is, will display it as such, and will check whether it's the correct
+CRC-32 value or not.
+""")
+
+question("""
+I'm capturing packets on a machine on a VLAN; why don't the packets I'm
+capturing have VLAN tags?
+""")
+
+answer("""
+You might be capturing on what might be called a "VLAN interface" - the
+way a particular OS makes VLANs plug into the networking stack might,
+for example, be to have a network device object for the physical
+interface, which takes VLAN packets, strips off the VLAN header and
+constructs an Ethernet header, and passes that packet to an internal
+network device object for the VLAN, which then passes the packets onto
+various higher-level protocol implementations.
+
+<br />
+
+In order to see the raw Ethernet packets, rather than "de-VLANized"
+packets, you would have to capture not on the virtual interface for the
+VLAN, but on the interface corresponding to the physical network device,
+if possible. See <a
+href="http://wiki.wireshark.org/CaptureSetup/VLAN">the Wireshark Wiki
+item on VLAN capturing</a> for details.
+""")
+
+question("""
+Why does Wireshark hang after I stop a capture?
+""")
+
+answer("""
+The most likely reason for this is that Wireshark is trying to look up an
+IP address in the capture to convert it to a name (so that, for example,
+it can display the name in the source address or destination address
+columns), and that lookup process is taking a very long time.
+
+<br />
+
+Wireshark calls a routine in the OS of the machine on which it's running
+to convert of IP addresses to the corresponding names. That routine
+probably does one or more of:
+<ul><li>a search of a system file listing IP addresses and names;
+<li>a lookup using DNS;
+<li>on UNIX systems, a lookup using NIS;
+<li>on Windows systems, a NetBIOS-over-TCP query.
+</ul>
+
+If a DNS server that's used in an address lookup is not responding, the
+lookup will fail, but will only fail after a timeout while the system
+routine waits for a reply.
+
+<br />
+
+In addition, on Windows systems, if the DNS lookup of the address fails,
+either because the server isn't responding or because there are no
+records in the DNS that could be used to map the address to a name, a
+NetBIOS-over-TCP query will be made. That query involves sending a
+message to the NetBIOS-over-TCP name service on that machine, asking for
+the name and other information about the machine. If the machine isn't
+running software that responds to those queries - for example, many
+non-Windows machines wouldn't be running that software - the lookup will
+only fail after a timeout. Those timeouts can cause the lookup to take
+a long time.
+
+<br />
+
+If you disable network address-to-name translation - for example, by
+turning off the "Enable network name resolution" option in the "Capture
+Options" dialog box for starting a network capture - the lookups of the
+address won't be done, which may speed up the process of reading the
+capture file after the capture is stopped. You can make that setting
+the default by selecting "Preferences" from the "Edit" menu, turning off
+the "Enable network name resolution" option in the "Name resolution"
+options in the preferences disalog box, and using the "Save" button in
+that dialog box; note that this will save <em>all</em> your current
+preference settings.
+
+<br />
+
+If Wireshark hangs when reading a capture even with network name
+resolution turned off, there might, for example, be a bug in one of
+Wireshark's dissectors for a protocol causing it to loop infinitely. If
+you're not running the most recent release of Wireshark, you should first
+upgrade to that release, as, if there's a bug of that sort, it might've
+been fixed in a release after the one you're running. If the hang
+occurs in the most recent release of Wireshark, the bug should be
+reported to <a href="mailto:wireshark-dev@wireshark.org">the Wireshark
+developers' mailing list</a> at <tt>wireshark-dev@wireshark.org</tt>.
+
+<br />
+
+On UNIX-flavored OSes, please try to force Wireshark to dump core, by
+sending it a <tt>SIGABRT</tt> signal (usually signal 6) with the
+<tt>kill</tt> command, and then get a stack trace if you have a debugger
+installed. A stack trace can be obtained by using your debugger
+(<tt>gdb</tt> in this example), the Wireshark binary, and the resulting
+core file. Here's an example of how to use the gdb command
+<tt>backtrace</tt> to do so.
+
+<pre>
+ $ gdb wireshark core
+ (gdb) backtrace
+ ..... prints the stack trace
+ (gdb) quit
+ $
+</pre>
+
+The core dump file may be named "wireshark.core" rather than "core" on
+some platforms (e.g., BSD systems).
+
+<br />
+
+Also, if at all possible, please send a copy of the capture file that
+caused the problem; when capturing packets, Wireshark normally writes
+captured packets to a temporary file, which will probably be in
+<tt>/tmp</tt> or <tt>/var/tmp</tt> on UNIX-flavored OSes, <tt>\TEMP</tt>
+on the main system disk (normally <tt>C:</tt>) on Windows 9x/Me/NT 4.0,
+and <tt>\Documents and Settings\</tt><var>your login
+name</var><tt>\Local Settings\Temp</tt> on the main system disk on
+Windows 2000/Windows XP/Windows Server 2003, so the capture file will
+probably be there. It will have a name beginning with <tt>ether</tt>,
+with some mixture of letters and numbers after that. Please don't send
+a trace file greater than 1 MB when compressed; instead, make it
+available via FTP or HTTP, or say it's available but leave it up to a
+developer to ask for it. If the trace file contains sensitive
+information (e.g., passwords), then please do not send it.
+""")
+
+
+#################################################################
+section("Capturing packets on Windows")
+#################################################################
+
+question("""
+I'm running Wireshark on Windows; why does some network interface on my
+machine not show up in the list of interfaces in the "Interface:" field
+in the dialog box popped up by "Capture->Start", and/or why does
+Wireshark give me an error if I try to capture on that interface?
+""", "capprobwin")
+
+answer("""
+If you are running Wireshark on Windows NT 4.0, Windows 2000, Windows XP,
+or Windows Server 2003, and this is the first time you have run a
+WinPcap-based program (such as Wireshark, or TShark, or WinDump, or
+Analyzer, or...) since the machine was rebooted, you need to run that
+program from an account with administrator privileges; once you have run
+such a program, you will not need administrator privileges to run any
+such programs until you reboot.
+
+<br />
+
+If you are running on Windows Windows 2000/Windows XP/Windows Server
+2003 and have administrator privileges or a WinPcap-based program has
+been run with those privileges since the machine rebooted, this problem
+<em>might</em> clear up if you completely un-install WinPcap and then
+re-install it.
+
+<br />
+
+If that doesn't work, then note that Wireshark relies on the WinPcap
+library, on the WinPcap device driver, and on the facilities that come
+with the OS on which it's running in order to do captures.
+
+<br />
+
+Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
+support capturing on a particular network interface device, Wireshark
+won't be able to capture on that device.
+
+<br />
+
+Note that:
+
+<ol>
+<li>2.02 and earlier versions of the WinPcap driver and library that
+Wireshark uses for packet capture didn't support Token Ring interfaces;
+versions 2.1 and later support Token Ring, and the current version of
+Wireshark works with (and, in fact, requires) WinPcap 2.1 or later.
+
+<br />
+
+If you are having problems capturing on Token Ring interfaces, and you
+have WinPcap 2.02 or an earlier version of WinPcap installed, you should
+uninstall WinPcap, download and install the current version of WinPcap,
+and then install the latest version of Wireshark.
+
+<br >
+
+<li>WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows NT
+4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to avoid
+those problems, support for PPP WAN interfaces on those versions of
+Windows has been disabled in WinPcap 3.0. Regular dial-up lines, ISDN
+lines, ADSL connections using PPPoE or PPPoA, and various other lines
+such as T1/E1 lines are all PPP interfaces, so those interfaces might
+not show up on the list of interfaces in the "Capture Options"
+dialog on those OSes.
+
+<br />
+
+On Windows 2000, Windows XP, and Windows Server 2003, but
+<strong>not</strong> Windows NT 4.0 or Windows Vista Beta 1, you should
+be able to capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1
+beta releases called it the "NdisWanAdapter"; if you're using a 3.1 beta
+release, you should un-install it and install the final 3.1 release.)
+See <a href="http://wiki.wireshark.org/CaptureSetup/PPP">the Wireshark
+Wiki item on PPP capturing</a> for details.
+
+<br />
+
+<li>WinPcap prior to 3.0 does not support multiprocessor machines (note
+that machines with a single multi-threaded processor, such as Intel's
+new multi-threaded x86 processors, are multiprocessor machines as far as
+the OS and WinPcap are concerned), and recent 2.x versions of WinPcap
+refuse to operate if they detect that they're running on a
+multiprocessor machine, which means that they may not show any network
+interfaces. You will need to use WinPcap 3.0 to capture on a
+multiprocessor machine.
+
+</ol>
+
+<br />
+
+If an interface doesn't show up in the list of interfaces in the
+"Interface:" field, and you know the name of the interface, try entering
+that name in the "Interface:" field and capturing on that device.
+
+<br />
+
+If the attempt to capture on it succeeds, the interface is somehow not
+being reported by the mechanism Wireshark uses to get a list of
+interfaces. Try listing the interfaces with WinDump; see <a
+href="http://www.windump.org/">the WinDump Web site</a>
+for information on using WinDump.
+
+<br />
+
+You would run WinDump with the <tt>-D</tt> flag; if it lists the
+interface, please report this to <a
+href="mailto:wireshark-dev@wireshark.org">wireshark-dev@wireshark.org</a>
+giving full details of the problem, including
+
+<ul>
+<li>the operating system you're using, and the version of that operating
+system;
+<li>the type of network device you're using;
+<li>the output of WinDump.
+</ul>
+
+If WinDump does <em>not</em> list the interface,
+this is almost certainly a problem with one or more of:
+
+<ul>
+<li>the operating system you're using;
+<li>the device driver for the interface you're using;
+<li>the WinPcap library and/or the WinPcap device driver;
+</ul>
+
+so first check <a href="http://www.winpcap.org/misc/faq.htm">the
+WinPcap FAQ</a> or <a
+href="http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/misc/faq.htm">
+the Wiretapped.net mirror of that FAQ</a>, to see if your problem is
+mentioned there. If not, then see <a
+href="http://www.winpcap.org/contact.htm">the WinPcap support page</a>
+- check the "Submitting bugs" section.
+
+<br />
+
+If you are having trouble capturing on a particular network interface,
+first try capturing on that device with WinDump; see <a
+href="http://www.windump.org/">the WinDump Web site</a>
+for information on using WinDump.
+
+<br />
+
+If you can capture on the interface with WinDump, send mail to <a
+href="mailto:wireshark-users@wireshark.org">wireshark-users@wireshark.org</a>
+giving full details of the problem, including
+
+<ul>
+<li>the operating system you're using, and the version of that operating
+system;
+<li>the type of network device you're using;
+<li>the error message you get from Wireshark.
+</ul>
+
+If you <em>cannot</em> capture on the interface with WinDump,
+this is almost certainly a problem with one or more of:
+
+<ul>
+<li>the operating system you're using;
+<li>the device driver for the interface you're using;
+<li>the WinPcap library and/or the WinPcap device driver;
+</ul>
+
+so first check <a href="http://www.winpcap.org/misc/faq.htm">the
+WinPcap FAQ</a> or <a
+href="http://www.mirrors.wiretapped.net/security/packet-capture/winpcap/misc/faq.htm">
+the Wiretapped.net mirror of that FAQ</a>, to see if your problem is
+mentioned there. If not, then see <a
+href="http://www.winpcap.org/contact.htm">the WinPcap support page</a>
+- check the "Submitting bugs" section.
+
+<br />
+
+You may also want to ask the <a
+href="mailto:wireshark-users@wireshark.org">wireshark-users@wireshark.org</a>
+and the <a
+href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a>
+mailing lists to see if anybody happens to know about the problem and
+know a workaround or fix for the problem. (Note that you will have to
+subscribe to that list in order to be allowed to mail to it; see <a
+href="http://www.winpcap.org/contact.htm">the WinPcap support
+page</a> for information on the mailing list.) In your mail,
+please give full details of the problem, as described above, and also
+indicate that the problem occurs with WinDump, not just with Wireshark.
+""")
+
+question("""
+I'm running Wireshark on Windows; why do no network interfaces show up in
+the list of interfaces in the "Interface:" field in the dialog box
+popped up by "Capture->Start"?
+""")
+
+answer("""
+This is really <a href="#capprobwin">the same question as a previous
+one</a>; see the response to that question.
+""")
+
+question("""
+I'm running Wireshark on Windows; why doesn't my serial port/ADSL
+modem/ISDN modem show up in the list of interfaces in the "Interface:"
+field in the dialog box popped up by "Capture->Start"?
+""")
+
+answer("""
+Internet access on those devices is often done with the Point-to-Point
+(PPP) protocol; WinPcap 2.3 has problems supporting PPP WAN interfaces
+on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003,
+and, to avoid those problems, support for PPP WAN interfaces on those
+versions of Windows has been disabled in WinPcap 3.0.
+
+<br />
+
+On Windows 2000, Windows XP, and Windows Server 2003, but
+<strong>not</strong> Windows NT 4.0 or Windows Vista Beta 1, you should
+be able to capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1
+beta releases called it the "NdisWanAdapter"; if you're using a 3.1 beta
+release, you should un-install it and install the final 3.1 release.)
+See <a href="http://wiki.wireshark.org/CaptureSetup/PPP">the Wireshark
+Wiki item on PPP capturing</a> for details.
+""")
+
+question("""
+I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP/Windows
+Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.) interface,
+and it shows up in the "Interface" item in the "Capture Options" dialog
+box. Why can no packets be sent on or received from that network while
+I'm trying to capture traffic on that interface?""", "nt_ppp_sniff")
+
+answer("""
+Some versions of WinPcap have problems with PPP WAN interfaces on
+Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
+symptom that may be seen is that attempts to capture in promiscuous mode
+on the interface cause the interface to be incapable of sending or
+receiving packets. You can disable promiscuous mode using the
+<tt>-p</tt> command-line flag or the item in the "Capture Preferences"
+dialog box, but this may mean that outgoing packets, or incoming
+packets, won't be seen in the capture.
+
+<br />
+
+On Windows 2000, Windows XP, and Windows Server 2003, but
+<strong>not</strong> Windows NT 4.0 or Windows Vista Beta 1, you should
+be able to capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1
+beta releases called it the "NdisWanAdapter"; if you're using a 3.1 beta
+release, you should un-install it and install the final 3.1 release.)
+See <a href="http://wiki.wireshark.org/CaptureSetup/PPP">the Wireshark
+Wiki item on PPP capturing</a> for details.
+""")
+
+question("""
+I'm running Wireshark on Windows; why am I not seeing any traffic being
+sent by the machine running Wireshark?""")
+
+answer("""
+If you are running some form of VPN client software, it might be causing
+this problem; people have seen this problem when they have Check Point's
+VPN software installed on their machine. If that's the cause of the
+problem, you will have to remove the VPN software in order to have
+Wireshark (or any other application using WinPcap) see outgoing packets;
+unfortunately, neither we nor the WinPcap developers know any way to
+make WinPcap and the VPN software work well together.
+
+<br />
+
+Also, some drivers for Windows (especially some wireless network
+interface drivers) apparently do not, when running in promiscuous mode,
+arrange that outgoing packets are delivered to the software that
+requested that the interface run promiscuously; try turning promiscuous
+mode off.
+""")
+
+question("""
+When I capture on Windows in promiscuous mode, I can see packets other
+than those sent to or from my machine; however, those packets show up
+with a "Short Frame" indication, unlike packets to or from my machine.
+What should I do to arrange that I see those packets in their entirety?
+""")
+
+answer("""
+In at least some cases, this appears to be the result of PGPnet running
+on the network interface on which you're capturing; turn it off on that
+interface.
+""")
+
+question("""
+I'm trying to capture 802.11 traffic on Windows; why am I not seeing any
+packets?
+""", "win802_11promisc")
+
+answer("""
+At least some 802.11 card drivers on Windows appear not to see any
+packets if they're running in promiscuous mode. Try turning promiscuous
+mode off; you'll only be able to see packets sent by and received by
+your machine, not third-party traffic, and it'll look like Ethernet
+traffic and won't include any management or control frames, but that's a
+limitation of the card drivers.
+
+<br />
+
+See <a
+href="http://www.micro-logix.com/WinPcap/Supported.asp">MicroLogix's
+list of cards supported with WinPcap</a> for information on
+support of various adapters and drivers with WinPcap.
+""")
+
+question("""
+I'm trying to capture 802.11 traffic on Windows; why am I seeing packets
+received by the machine on which I'm capturing traffic, but not packets
+sent by that machine?
+""")
+
+answer("""
+This appears to be another problem with promiscuous mode; try turning it
+off.
+""")
+
+question("""
+I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
+capturing on a "raw" Ethernet device rather than a "VLAN interface", so
+that I can see the VLAN headers; why am I seeing packets received by the
+machine on which I'm capturing traffic, but not packets sent by that
+machine?
+""")
+
+answer("""
+The way the Windows networking code works probably means that packets
+are sent on a "VLAN interface" rather than the "raw" device, so packets
+sent by the machine will only be seen when you capture on the "VLAN
+interface". If so, you will be unable to see outgoing packets when
+capturing on the "raw" device, so you are stuck with a choice between
+seeing VLAN headers and seeing outgoing packets.
+""")
+
+#################################################################
+section("Capturing packets on UN*Xes")
+#################################################################
+
+question("""
+I'm running Wireshark on a UNIX-flavored OS; why does some network
+interface on my machine not show up in the list of interfaces in the
+"Interface:" field in the dialog box popped up by "Capture->Start",
+and/or why does Wireshark give me an error if I try to capture on that
+interface? """, "capprobunix")
+
+answer("""
+You may need to run Wireshark from an account with sufficient privileges
+to capture packets, such as the super-user account, or may need to give
+your account sufficient privileges to capture packets. Only those
+interfaces that Wireshark can open for capturing show up in that list; if
+you don't have sufficient privileges to capture on any interfaces, no
+interfaces will show up in the list. See
+<a href="http://wiki.wireshark.org/CaptureSetup/CapturePrivileges">the
+Wireshark Wiki item on capture privileges</a> for details on how to give
+a particular account or account group capture privileges on platforms
+where that can be done.
+
+<br />
+
+If you are running Wireshark from an account with sufficient privileges,
+then note that Wireshark relies on the libpcap library, and on the
+facilities that come with the OS on which it's running in order to do
+captures. On some OSes, those facilities aren't present by default; see
+<a href="http://wiki.wireshark.org/CaptureSetup/CaptureSupport">the
+Wireshark Wiki item on adding capture support</a> for details.
+
+<br />
+
+And, even if you're running with an account that has sufficient
+privileges to capture, and capture support is present in your OS, if the
+OS or the libpcap library don't support capturing on a particular
+network interface device or particular types of devices, Wireshark won't
+be able to capture on that device.
+
+<br />
+
+On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
+Ring interfaces; the current version, 0.7.2, does support Token Ring,
+and the current version of Wireshark works with libpcap 0.7.2 and later.
+
+<br />
+
+If an interface doesn't show up in the list of interfaces in the
+"Interface:" field, and you know the name of the interface, try entering
+that name in the "Interface:" field and capturing on that device.
+
+<br />
+
+If the attempt to capture on it succeeds, the interface is somehow not
+being reported by the mechanism Wireshark uses to get a list of
+interfaces; please report this to <a
+href="mailto:wireshark-dev@wireshark.org">wireshark-dev@wireshark.org</a>
+giving full details of the problem, including
+
+<ul>
+<li>the operating system you're using, and the version of that operating
+system (for Linux, give both the version number of the kernel and the
+name and version number of the distribution you're using);
+<li>the type of network device you're using.
+</ul>
+
+If you are having trouble capturing on a particular network interface,
+and you've made sure that (on platforms that require it) you've arranged
+that packet capture support is present, as per the above, first try
+capturing on that device with <tt>tcpdump</tt>.
+
+<br />
+
+If you can capture on the interface with <tt>tcpdump</tt>, send mail to
+<a
+href="mailto:wireshark-users@wireshark.org">wireshark-users@wireshark.org</a>
+giving full details of the problem, including
+
+<ul>
+<li>the operating system you're using, and the version of that operating
+system (for Linux, give both the version number of the kernel and the
+name and version number of the distribution you're using);
+<li>the type of network device you're using;
+<li>the error message you get from Wireshark.
+</ul>
+
+If you <em>cannot</em> capture on the interface with <tt>tcpdump</tt>,
+this is almost certainly a problem with one or more of:
+
+<ul>
+<li>the operating system you're using;
+<li>the device driver for the interface you're using;
+<li>the libpcap library;
+</ul>
+
+so you should report the problem to the company or organization that
+produces the OS (in the case of a Linux distribution, report the problem
+to whoever produces the distribution).
+
+<br />
+
+You may also want to ask the <a
+href="mailto:wireshark-users@wireshark.org">wireshark-users@wireshark.org</a>
+and the <a
+href="mailto:tcpdump-workers@lists.tcpdump.org">tcpdump-workers@lists.tcpdump.org</a>
+mailing lists to see if anybody happens to know about the problem and
+know a workaround or fix for the problem. In your mail, please give
+full details of the problem, as described above, and also indicate that
+the problem occurs with <tt>tcpdump</tt> not just with Wireshark.
+""")
+
+question("""
+I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces
+show up in the list of interfaces in the "Interface:" field in the
+dialog box popped up by "Capture->Start"?
+""")
+
+answer("""
+This is really <a href="#capprobunix">the same question as the previous
+one</a>; see the response to that question.
+""")
+
+question("""I'm capturing packets on Linux; why do the time stamps have
+only 100ms resolution, rather than 1us resolution?""")
+
+answer("""
+Wireshark gets time stamps from libpcap/WinPcap, and
+libpcap/WinPcap get them from the OS kernel, so Wireshark - and any other
+program using libpcap, such as tcpdump - is at the mercy of the time
+stamping code in the OS for time stamps.
+
+<br />
+
+At least on x86-based machines, Linux can get high-resolution time
+stamps on newer processors with the Time Stamp Counter (TSC) register;
+for example, Intel x86 processors, starting with the Pentium Pro, and
+including all x86 processors since then, have had a TSC, and other
+vendors probably added the TSC at some point to their families of x86
+processors.
+
+The Linux kernel must be configured with the CONFIG_X86_TSC option
+enabled in order to use the TSC. Make sure this option is enabled in
+your kernel.
+
+<br />
+
+In addition, some Linux distributions may have bugs in their versions of
+the kernel that cause packets not to be given high-resolution time
+stamps even if the TSC is enabled. See, for example, bug 61111 for Red
+Hat Linux 7.2. If your distribution has a bug such as this, you may
+have to run a standard kernel from kernel.org in order to get
+high-resolution time stamps.
+""")
+
+#################################################################
+section("Capturing packets on wireless LANs")
+#################################################################
+
+
+question("""
+How can I capture raw 802.11 frames, including non-data (management,
+beacon) frames?
+""", "raw_80211_sniff")
+
+answer("""
+That depends on the operating system on which you're running, and on the
+802.11 interface on which you're capturing.
+
+<br />
+
+This would probably require that you capture in promiscuous mode or in
+the mode called "monitor mode" or "RFMON mode". On some platforms, or
+with some cards, this might require that you capture in monitor mode -
+promiscuous mode might not be sufficient. If you want to capture
+traffic on networks other than the one with which you're associated, you
+will have to capture in monitor mode.
+
+<br />
+
+Not all operating systems support capturing non-data packets and, even
+on operating systems that do support it, not all drivers, and thus not
+all interfaces, support it. Even on those that do, monitor mode might
+not be supported by the operating system or by the drivers for all
+interfaces.
+
+<br />
+
+<strong>NOTE:</strong> an interface running in monitor mode will, on
+most if not all platforms, not be able to act as a regular network
+interface; putting it into monitor mode will, in effect, take your
+machine off of whatever network it's on as long as the interface is in
+monitor mode, allowing it only to passively capture packets.
+
+<br />
+
+This means that you should disable name resolution when capturing in
+monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries
+to display IP addresses as host names, it will probably block for a long
+time trying to resolve the name because it will not be able to
+communicate with any DNS or NIS servers.
+
+<br />
+
+See <a
+href="http://wiki.wireshark.org/CaptureSetup/WLAN">the Wireshark
+Wiki item on 802.11 capturing</a> for details.
+""")
+
+question("""
+How do I capture on an 802.11 device in monitor mode?""",
+"monitor")
+
+answer("""
+Whether you will be able to capture in monitor mode depends on the
+operating system, adapter, and driver you're using.
+See <a href="#raw_80211_sniff">the previous question</a> for information
+on monitor mode, including a link to the Wireshark Wiki page that gives
+details on 802.11 capturing.
+""")
+
+#################################################################
+section("Viewing traffic")
+#################################################################
+
+
+question("Why am I seeing lots of packets with incorrect TCP checksums?")
+
+answer("""
+If the packets that have incorrect TCP checksums are all being sent by
+the machine on which Wireshark is running, this is probably because the
+network interface on which you're capturing does TCP checksum
+offloading. That means that the TCP checksum is added to the packet by
+the network interface, not by the OS's TCP/IP stack; when capturing on
+an interface, packets being sent by the host on which you're capturing
+are directly handed to the capture interface by the OS, which means that
+they are handed to the capture interface without a TCP checksum being
+added to them.
+
+<br />
+
+The only way to prevent this from happening would be to disable TCP
+checksum offloading, but
+
+<ol>
+<li>that might not even be possible on some OSes;
+<li>that could reduce networking performance significantly.
+</ol>
+
+However, you can disable the check that Wireshark does of the TCP
+checksum, so that it won't report any packets as having TCP checksum
+errors, and so that it won't refuse to do TCP reassembly due to a packet
+having an incorrect TCP checksum. That can be set as an Wireshark
+preference by selecting "Preferences" from the "Edit" menu, opening up
+the "Protocols" list in the left-hand pane of the "Preferences" dialog
+box, selecting "TCP", from that list, turning off the "Check the
+validity of the TCP checksum when possible" option, clicking "Save" if
+you want to save that setting in your preference file, and clicking
+"OK".
+
+<br />
+
+It can also be set on the Wireshark or TShark command line with a
+<tt>-o tcp.check_checksum:false</tt> command-line flag, or manually set
+in your preferences file by adding a <tt>tcp.check_checksum:false</tt>
+line.
+""")
+
+question("""
+I've just installed Wireshark, and the traffic on my local LAN
+is boring. Where can I find more interesting captures?
+""")
+
+answer("""
+We have a collection of strange and exotic sample capture
+files at %s""" % (selflink("http://wiki.wireshark.org/SampleCaptures")))
+
+
+question("""
+Why doesn't Wireshark correctly identify RTP packets? It shows them
+only as UDP.""")
+
+answer("""
+Wireshark can identify a UDP datagram as containing a packet of a
+particular protocol running atop UDP only if
+
+<ol>
+<li> The protocol in question has a particular standard port
+number, and the UDP source or destination port number is that port
+
+<li> Packets of that protocol can be identified by looking for a
+"signature" of some type in the packet - i.e., some data
+that, if Wireshark finds it in some particular part of a
+packet, means that the packet is almost certainly a packet of
+that type.
+
+<li> Some <em>other</em> traffic earlier in the capture indicated that,
+for example, UDP traffic between two particular addresses and
+ports will be RTP traffic.
+</ol>
+
+RTP doesn't have a standard port number, so 1) doesn't work; it doesn't,
+as far as I know, have any "signature", so 2) doesn't work.
+
+<br />
+
+That leaves 3). If there's RTSP traffic that sets up an RTP session,
+then, at least in some cases, the RTSP dissector will set things up so
+that subsequent RTP traffic will be identified. Currently, that's the
+only place we do that; there may be other places.
+
+<br />
+
+However, there will always be places where Wireshark is simply
+<b>incapable</b> of deducing that a given UDP flow is RTP; a mechanism
+would be needed to allow the user to specify that a given conversation
+should be treated as RTP. As of Wireshark 0.8.16, such a mechanism
+exists; if you select a UDP or TCP packet, the right mouse button menu
+will have a "Decode As..." menu item, which will pop up a dialog box
+letting you specify that the source port, the destination port, or both
+the source and destination ports of the packet should be dissected as
+some particular protocol.
+""")
+
+question("""
+Why doesn't Wireshark show Yahoo Messenger packets in captures that
+contain Yahoo Messenger traffic?""")
+
+answer("""
+Wireshark only recognizes as Yahoo Messenger traffic packets to or from TCP
+port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP segments that
+start with the middle of a Yahoo Messenger packet that takes more than one
+TCP segment will not be recognized as Yahoo Messenger packets (even if the
+TCP segment also contains the beginning of another Yahoo Messenger
+packet).
+""")
+
+#################################################################
+section("Filtering traffic")
+#################################################################
+
+
+question("""I saved a filter and tried to use its name to filter the
+display; why do I get an "Unexpected end of filter string" error?""")
+
+answer("""
+You cannot use the name of a saved display filter as a filter. To
+filter the display, you can enter a display filter expression -
+<strong>not</strong> the name of a saved display filter - in the
+"Filter:" box at the bottom of the display, and type the <Enter> key or
+press the "Apply" button (that does not require you to have a saved
+filter), or, if you want to use a saved filter, you can press the
+"Filter:" button, select the filter in the dialog box that pops up, and
+press the "OK" button.""")
+
+question("""
+How can I search for, or filter, packets that have a particular string
+anywhere in them?
+""")
+
+answer("""
+If you want to do this when capturing, you can't. That's a feature that
+would be hard to implement in capture filters without changes to the
+capture filter code, which, on many platforms, is in the OS kernel and,
+on other platforms, is in the libpcap library.
+
+<br />
+
+After capture, you can search for text by selecting <i>Edit→Find
+Packet...</i> and making sure <i>String</i> is selected. Alternately, you can
+use the "contains" display filter operator or "matches" operator if it's
+supported on your system.
+""")
+
+question("""
+How do I filter a capture to see traffic for virus XXX?
+""")
+
+answer("""
+For some viruses/worms there might be a capture filter to recognize the
+virus traffic. Check the <a
+href="http://wiki.wireshark.org/CaptureFilters">CaptureFilters</a> page
+on the <a href="http://wiki.wireshark.org/">Wireshark Wiki</a> to see if
+anybody's added such a filter.
+
+<br />
+
+Note that Wireshark was not designed to be an intrusion detection system;
+you might be able to use it as an IDS, but in most cases software
+designed to be an IDS, such as <a href="http://www.snort.org/">Snort</a>
+or <a href="http://www.prelude-ids.org/">Prelude</a>, will probably work
+better.
+
+<br />
+
+The <a href="http://www.bleedingsnort.com/">Bleeding Edge of Snort</a>
+has a collection of signatures for Snort to detect various viruses,
+worms, and the like.
+""")
+
+#################################################################
+create_output()
+#################################################################
git.samba.org / metze / wireshark / wip.git / commitdiff