4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.ethereal.com/faq.html for the up
6 to date version. The version of this snapshot can be found at
7 the end of this document.
14 1.1 Where can I get help?
16 1.2 What protocols are currently supported?
18 1.3 Are there any plans to support {your favorite protocol}?
20 1.4 Can Ethereal read capture files from {your favorite network
23 1.5 What devices can Ethereal use to capture packets?
25 1.6 How do you pronounce Ethereal? Where did the name come from?
29 2.1 I downloaded the Win32 installer, but when I try to run it, I get
32 2.2 When I try to download the WinPcap driver and library, I can't get
33 to the WinPcap Web site.
37 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be
38 installed; only Tethereal is installed.
42 4.1 The configure script can't find pcap.h or bpf.h, but I have
45 4.2 Why do I get the error
47 dftest_DEPENDENCIES was already defined in condition TRUE, which
48 implies condition HAVE_PLUGINS_TRUE
50 when I try to build Ethereal from CVS or a CVS snapshot?
52 4.3 The link fails with a number of "Output line too long." messages
53 followed by linker errors.
55 4.4 The link fails on Solaris because plugin_list is undefined.
57 4.5 The build fails on Windows because of conflicts between winsock.h
60 4.6 I'm trying to build Ethereal 0.10.0a on Windows; why is the the
61 build failing with an error saying it can't find "Makefile.nmake"?
65 5.1 When I use Ethereal to capture packets, I see only packets to and
66 from my machine, or I'm not seeing all the traffic I'm expecting to
67 see from or to the machine I'm trying to monitor.
69 5.2 I can't see any TCP packets other than packets to and from my
70 machine, even though another analyzer on the network sees those
73 5.3 I'm only seeing ARP packets when I try to capture traffic.
75 5.4 I'm running Ethereal on Windows; why does some network interface
76 on my machine not show up in the list of interfaces in the
77 "Interface:" field in the dialog box popped up by "Capture->Start",
78 and/or why does Ethereal give me an error if I try to capture on that
81 5.5 I'm running Ethereal on Windows; why do no network interfaces show
82 up in the list of interfaces in the "Interface:" field in the dialog
83 box popped up by "Capture->Start"?
85 5.6 I'm running Ethereal on Windows; why doesn't my serial port/ADSL
86 modem/ISDN modem/show up in the list of interfaces in the "Interface:"
87 field in the dialog box popped up by "Capture->Start"?
89 5.7 I'm running Ethereal on a UNIX-flavored OS; why does some network
90 interface on my machine not show up in the list of interfaces in the
91 "Interface:" field in the dialog box popped up by "Capture->Start",
92 and/or why does Ethereal give me an error if I try to capture on that
95 5.8 I'm running Ethereal on a UNIX-flavored OS; why do no network
96 interfaces show up in the list of interfaces in the "Interface:" field
97 in the dialog box popped up by "Capture->Start"?
99 5.9 Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
101 5.10 How do I put an interface into promiscuous mode?
103 5.11 I can set a display filter just fine, but capture filters don't
106 5.12 I'm entering valid capture filters, but I still get "parse error"
109 5.13 I saved a filter and tried to use its name to filter the display,
110 but I got an "Unexpected end of filter string" error.
112 5.14 Why am I seeing lots of packets with incorrect TCP checksums?
114 5.15 I've just installed Ethereal, and the traffic on my local LAN is
117 5.16 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
120 5.17 When I run Tethereal with the "-x" option, it crashes with an
121 error "** ERROR **: file print.c: line 691 (print_line): should not be
124 5.18 When I run Ethereal on Windows NT, it dies with a Dr. Watson
125 error, reporting an "Integer division by zero" exception, when I start
128 5.19 When I try to run Ethereal, it complains about
129 sprint_realloc_objid being undefined.
131 5.20 I'm running Ethereal on Linux; why do my time stamps have only
132 100ms resolution, rather than 1us resolution?
134 5.21 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
135 why are the time stamps on packets wrong?
137 5.22 When I try to run Ethereal on Windows, it fails to run because it
138 can't find packet.dll.
140 5.23 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
141 a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
142 "Interface" item in the "Capture Options" dialog box. Why can no
143 packets be sent on or received from that network while I'm trying to
144 capture traffic on that interface?
146 5.24 I'm running Ethereal on Windows 95/98/Me, on a machine with more
147 than one network adapter of the same type; Ethereal shows all of those
148 adapters with the same name, but I can't use any of those adapters
149 other than the first one.
151 5.25 I'm running Ethereal on Windows, and I'm not seeing any traffic
152 being sent by the machine running Ethereal.
154 5.26 I'm trying to capture traffic but I'm not seeing any.
156 5.27 I have an XXX network card on my machine; if I try to capture on
157 it, my machine crashes or resets itself.
159 5.28 My machine crashes or resets itself when I select "Start" from
160 the "Capture" menu or select "Preferences" from the "Edit" menu.
162 5.29 Does Ethereal work on Windows Me?
164 5.30 Does Ethereal work on Windows XP?
166 5.31 Why doesn't Ethereal correctly identify RTP packets? It shows
169 5.32 Why doesn't Ethereal show Yahoo Messenger packets in captures
170 that contain Yahoo Messenger traffic?
172 5.33 Why do I get the error
174 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
178 when I try to run Ethereal on Windows?
180 5.34 When I capture on Windows in promiscuous mode, I can see packets
181 other than those sent to or from my machine; however, those packets
182 show up with a "Short Frame" indication, unlike packets to or from my
183 machine. What should I do to arrange that I see those packets in their
186 5.35 I'm capturing packets on a machine on a VLAN; why don't the
187 packets I'm capturing have VLAN tags?
189 5.36 How can I capture raw 802.11 packets, including non-data
190 (management, beacon) packets?
192 5.37 I'm trying to capture 802.11 traffic on Windows; why am I not
195 5.38 I'm trying to capture 802.11 traffic on Windows; why am I seeing
196 packets received by the machine on which I'm capturing traffic, but
197 not packets sent by that machine?
199 5.39 How can I capture packets with CRC errors?
201 5.40 How can I capture entire frames, including the FCS?
203 5.41 Ethereal hangs after I stop a capture.
205 5.42 How can I search for, or filter, packets that have a particular
206 string anywhere in them?
210 Q 1.1: Where can I get help?
212 A: Support is available on the ethereal-users mailing list.
213 Subscription information and archives for all of Ethereal's mailing
214 lists can be found at http://www.ethereal.com/lists
216 Q 1.2: What protocols are currently supported?
218 A: There are currently 500 supported protocols and media, listed
219 below. Descriptions can be found in the ethereal(1) man page.
223 802.1x Authentication
224 AAL type 2 signalling protocol - Capability set 1 (Q.2630.1)
225 AFS (4.0) Replication Server call declarations
228 AIM Buddylist Service
234 AIM Invitation Service
239 AIM Privacy Management Service
247 ANSI IS-637-A (SMS) Teleservice Layer
248 ANSI IS-637-A (SMS) Transport Layer
249 ANSI IS-683-A (OTA (Mobile))
250 ANSI Mobile Application Part
251 AOL Instant Messenger
258 AVS WLAN Capture header
259 Ad hoc On-demand Distance Vector Routing Protocol
260 Address Resolution Protocol
261 Aggregate Server Access Protocol
263 Alteon - Transparent Proxy Cache Protocol
264 Andrew File System (AFS)
265 Apache JServ Protocol v1.3
266 Apple IP-over-IEEE 1394
267 AppleTalk Filing Protocol
268 AppleTalk Session Protocol
269 AppleTalk Transaction Protocol packet
270 Appletalk Address Resolution Protocol
271 Application Configuration Access Protocol
272 Async data over ISDN (V.120)
273 Authentication Header
274 BACnet Virtual Link Control
279 Banyan Vines Fragmentation Protocol
286 Basic Encoding Rules (ASN.1 X.690)
287 Bearer Independent Call Control
288 Bi-directional Fault Detection Control Message
289 Blocks Extensible Exchange Protocol
293 Border Gateway Protocol
294 Building Automation and Control Network APDU
295 Building Automation and Control Network NPDU
297 CDS Clerk Server Calls
298 Cast Client Control Protocol
299 Check Point High Availability Protocol
302 Cisco Discovery Protocol
303 Cisco Group Management Protocol
305 Cisco Hot Standby Router Protocol
307 Cisco Interior Gateway Routing Protocol
311 CoSine IPNOS L2 debug output
312 Common Open Policy Service
313 Common Unix Printing System (CUPS) Browsing Protocol
315 Connectionless Lightweight Directory Access Protocol
316 Cross Point Frame Injector
317 DCE Distributed Time Service Local Server
318 DCE Distributed Time Service Provider
321 DCE Security ID Mapper
325 DCE/RPC CDS Solicitation
326 DCE/RPC Conversation Manager
327 DCE/RPC Directory Acl Interface
328 DCE/RPC Endpoint Mapper
329 DCE/RPC Endpoint Mapper4
331 DCE/RPC FLDB UBIK TRANSFER
332 DCE/RPC FLDB UBIKVOTE
335 DCE/RPC NCS 1.5.1 Local Location Broker
336 DCE/RPC Operations between registry server replicas
343 DCE/RPC Registry Password Management
344 DCE/RPC Registry Server Attributes Schema
345 DCE/RPC Registry server propagation interface - ACLs.
346 DCE/RPC Registry server propagation interface - PGO items
347 DCE/RPC Registry server propagation interface - properties and poli
349 DCE/RPC Remote Management
350 DCE/RPC Repserver Calls
351 DCE/RPC TokenServer Calls
354 DCOM Remote Activation
355 DEC Spanning Tree Protocol
358 DNS Control Program Server
361 Data Stream Interface
362 Datagram Delivery Protocol
364 Distance Vector Multicast Routing Protocol
365 Distcc Distributed Compiler
366 Distributed Checksum Clearinghouse Protocol
368 Dynamic DNS Tools Protocol
370 Encapsulating Security Payload
371 Enhanced Interior Gateway Routing Protocol
372 EtherNet/IP (Industrial Protocol)
375 Extensible Authentication Protocol
377 FC Fabric Configuration Server
381 Fiber Distributed Data Interface
383 Fibre Channel Common Transport
384 Fibre Channel Fabric Zone Server
385 Fibre Channel Name Server
386 Fibre Channel Protocol for SCSI
388 Fibre Channel Security Protocol
389 Fibre Channel Single Byte Command
390 File Transfer Protocol (FTP)
391 Financial Information eXchange Protocol
394 GARP Multicast Registration Protocol
395 GARP VLAN Registration Protocol
397 GPRS Tunneling Protocol
401 GSM Mobile Application Part
402 GSM SMS TPDU (GSM 03.40)
403 GSM Short Message Service User Data
404 General Inter-ORB Protocol
405 Generic Routing Encapsulation
406 Generic Security Service Application Program Interface
411 HP Extended Local-Link Control
412 HP Remote Maintenance Protocol
413 Hummingbird NFS Daemon
415 Hypertext Transfer Protocol
418 IEEE 802.11 Radiotap Capture header
419 IEEE 802.11 wireless LAN
420 IEEE 802.11 wireless LAN management frame
422 IP Device Control (SS7 over IP)
424 IP Payload Compression
425 IP Virtual Services Sync Daemon
427 IPX Routing Information Protocol
430 ISDN Q.921-User Adaptation Layer
432 ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
433 ISO 8073 COTP Connection-Oriented Transport Protocol
434 ISO 8327-1 OSI Session Protocol
435 ISO 8473 CLNP ConnectionLess Network Protocol
436 ISO 8602 CLTP ConnectionLess Transport Protocol
437 ISO 8823 OSI Presentation Protocol
438 ISO 9542 ESIS Routeing Information Exchange Protocol
440 ITU-T Recommendation H.261
441 ITU-T Recommendation H.263 RTP Payload header (RFC2190)
444 Intelligent Platform Management Interface
445 Inter-Access-Point Protocol
446 InterSwitch Message Protocol
448 Internet Cache Protocol
449 Internet Content Adaptation Protocol
450 Internet Control Message Protocol
451 Internet Control Message Protocol v6
452 Internet Group Management Protocol
453 Internet Group membership Authentication Protocol
454 Internet Message Access Protocol
455 Internet Printing Protocol
457 Internet Protocol Version 6
459 Internet Security Association and Key Management Protocol
460 Internetwork Packet eXchange
461 JPEG File Interchange Format
466 Kerberos Administration
469 LWAPP Encapsulated Packet
471 Label Distribution Protocol
473 Layer 2 Tunneling Protocol
474 Lightweight Directory Access Protocol
475 Line Printer Daemon Protocol
477 Link Access Procedure Balanced (LAPB)
478 Link Access Procedure Balanced Ethernet (LAPBETHER)
479 Link Access Procedure, Channel D (LAPD)
480 Link Aggregation Control Protocol
481 Link Management Protocol (LMP)
482 Linux cooked-mode capture
483 Local Management Interface
484 LocalTalk Link Access Protocol
486 Lucent/Ascend debug output
488 MIME Multipart Media Encapsulation
489 MMS Message Encapsulation
492 MSN Messenger Service
493 MSNIP: Multicast Source Notification of Interest Protocol
494 MTP 2 Transparent Proxy
495 MTP 2 User Adaptation Layer
496 MTP 3 User Adaptation Layer
497 MTP2 Peer Adaptation Layer
498 Media Type: message/http
499 Message Transfer Part Level 2
500 Message Transfer Part Level 3
501 Message Transfer Part Level 3 Management
502 Microsoft Directory Replication Service
503 Microsoft Distributed File System
504 Microsoft Distributed Link Tracking Server Service
505 Microsoft Exchange MAPI
506 Microsoft Local Security Architecture
507 Microsoft Local Security Architecture (Directory Services)
508 Microsoft Messenger Service
509 Microsoft Network Logon
511 Microsoft Security Account Manager
512 Microsoft Server Service
513 Microsoft Service Control
514 Microsoft Spool Subsystem
515 Microsoft Task Scheduler Service
516 Microsoft Telephony API Service
517 Microsoft Windows Browser Protocol
518 Microsoft Windows Lanman Remote API Protocol
519 Microsoft Windows Logon Protocol
520 Microsoft Workstation Service
525 MultiProtocol Label Switching Header
526 Multicast Router DISCovery protocol
527 Multicast Source Discovery Protocol
534 NTLM Secure Service Provider
535 Name Binding Protocol
536 Name Management Protocol over IPX
538 NetBIOS Datagram Service
540 NetBIOS Session Service
542 NetWare Core Protocol
543 NetWare Link Services Protocol
544 NetWare Serialization Protocol
545 Network Data Management Protocol
547 Network Lock Manager Protocol
548 Network News Transfer Protocol
549 Network Status Monitor CallBack Protocol
550 Network Status Monitor Protocol
551 Network Time Protocol
553 Novell Distributed Print System
554 Novell Modular Authentication Service
556 OSI ISO 8571 FTAM Protocol
557 OSI ISO/IEC 10035-1 ACSE Protocol
558 Open Shortest Path First
559 OpenBSD Encapsulating device
560 OpenBSD Packet Filter log file
561 OpenBSD Packet Filter log file, pre 3.4
562 Optimized Link State Routing Protocol
565 PPP Bandwidth Allocation Control Protocol
566 PPP Bandwidth Allocation Protocol
567 PPP CDP Control Protocol
568 PPP Callback Control Protocol
569 PPP Challenge Handshake Authentication Protocol
570 PPP Compressed Datagram
571 PPP Compression Control Protocol
572 PPP IP Control Protocol
573 PPP IPv6 Control Protocol
574 PPP Link Control Protocol
575 PPP MPLS Control Protocol
576 PPP Multilink Protocol
578 PPP Password Authentication Protocol
580 PPP-over-Ethernet Discovery
581 PPP-over-Ethernet Session
582 PPPMux Control Protocol
583 Packed Encoding Rules (ASN.1 X.691)
584 Point-to-Point Protocol
585 Point-to-Point Tunnelling Protocol
588 Pragmatic General Multicast
590 Privilege Server operations
591 Protocol Independent Multicast
595 Quake II Network Protocol
596 Quake III Arena Network Protocol
597 Quake Network Protocol
598 QuakeWorld Network Protocol
599 Qualified Logical Link Control
604 RS Interface properties
606 RSYNC File Synchroniser
608 Radio Access Network Application Part
611 Real Time Streaming Protocol
612 Real-Time Transport Protocol
613 Real-time Transport Control Protocol
614 Registry Server Attributes Manipulation Interface
615 Registry server administration operations.
616 Remote Management Control Protocol
617 Remote Override interface
618 Remote Procedure Call
624 Remote sec_login preauth interface.
625 Resource ReserVation Protocol (RSVP)
627 Routing Information Protocol
628 Routing Table Maintenance Protocol
631 SEBEK - Kernel Data Capture
633 SMB (Server Message Block Protocol)
634 SMB MailSlot Protocol
637 SNMP Multiplex Protocol
640 SS7 SCCP-User Adaptation Layer
644 Sequenced Packet eXchange
645 Service Advertisement Protocol
646 Service Location Protocol
647 Session Announcement Protocol
648 Session Description Protocol
649 Session Initiation Protocol
650 Session Initiation Protocol (SIP as raw text)
651 Short Message Peer to Peer
652 Signalling Connection Control Part
653 Signalling Connection Control Part Management
654 Simple Mail Transfer Protocol
655 Simple Network Management Protocol
656 Simple Traversal of UDP Through NAT
659 Skinny Client Control Protocol
660 SliMP3 Communication Protocol
663 Spanning Tree Protocol
665 Stream Control Transmission Protocol
666 Symantec Enterprise Firewall
667 Synchronous Data Link Control (SDLC)
669 Systems Network Architecture
670 Systems Network Architecture XID
674 TEI Management Procedure, Channel D (LAPD)
675 TEREDO Tunneling IPv6 over UDP through NATs
678 Tazmen Sniffer Protocol
681 Time Synchronization Protocol
683 Token-Ring Media Access Control
684 Transaction Capabilities Application Part
685 Transmission Control Protocol
686 Transparent Network Substrate Protocol
687 Trivial File Transfer Protocol
688 UDP Encapsulation of IPsec Packets
689 Universal Computer Protocol
690 User Datagram Protocol
691 Virtual Router Redundancy Protocol
692 Virtual Trunking Protocol
694 WAP Session Initiation Request
695 Web Cache Coordination Protocol
697 Wellfleet Breath of Life
698 Wellfleet Compression
702 Wireless Session Protocol
703 Wireless Transaction Protocol
704 Wireless Transport Layer Security
705 X Display Manager Control Protocol
711 Yahoo Messenger Protocol
712 Yahoo YMSG Messenger Protocol
716 Yellow Pages Transfer
718 Zone Information Protocol
723 Q 1.3: Are there any plans to support {your favorite protocol}?
725 A: Support for particular protocols is added to Ethereal as a result
726 of people contributing that support; no formal plans for adding
727 support for particular protocols in particular future releases exist.
729 Q 1.4: Can Ethereal read capture files from {your favorite network
732 A: Support for particular protocols is added to Ethereal as a result
733 of people contributing that support; no formal plans for adding
734 support for particular protocols in particular future releases exist.
736 If a network analyzer writes out files in a format already supported
737 by Ethereal (e.g., in libpcap format), Ethereal may already be able to
738 read them, unless the analyzer has added its own proprietary
739 extensions to that format.
741 If a network analyzer writes out files in its own format, or has added
742 proprietary extensions to another format, in order to make Ethereal
743 read captures from that network analyzer, we would either have to have
744 a specification for the file format, or the extensions, sufficient to
745 give us enough information to read the parts of the file relevant to
746 Ethereal, or would need at least one capture file in that format AND a
747 detailed textual analysis of the packets in that capture file (showing
748 packet time stamps, packet lengths, and the top-level packet header)
749 in order to reverse-engineer the file format.
751 Note that there is no guarantee that we will be able to
752 reverse-engineer a capture file format.
754 Q 1.5: What devices can Ethereal use to capture packets?
756 A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial
757 (PPP and SLIP) (if the OS on which it's running allows Ethereal to do
758 so), 802.11 wireless LAN (if the OS on which it's running allows
759 Ethereal to do so), ATM connections (if the OS on which it's running
760 allows Ethereal to do so), and the "any" device supported on Linux by
761 recent versions of libpcap. See the list of supported capture media on
762 various OSes for details (several items in there say "Unknown", which
763 doesn't mean "Ethereal can't capture on them", it means "we don't know
764 whether it can capture on them"; we expect that it will be able to
765 capture on many of them, but we haven't tried it ourselves - if you
766 try one of those types and it works, please send an update to
769 It can also read a variety of capture file formats, including:
772 * Shomiti/Finisar Surveyor
774 * DOS-based Sniffer (compressed and uncompressed)
777 * NetXray and Windows-based Sniffer
778 * EtherPeek/TokenPeek/AiroPeek
779 * RADCOM WAN/LAN analyzer
780 * Lucent/Ascend debug output
781 * Toshiba ISDN router "snoop" output
783 * ISDN4BSD "i4btrace" utility.
785 * pppd log files (pppdump format)
788 * Visual Networks' Visual UpTime
791 so that it can read traces from various network types, as captured by
792 other applications or equipment, even if it cannot itself capture on
795 Q 1.6: How do you pronounce Ethereal? Where did the name come from?
797 A: The English pronunciation can be found in Merriam-Webster's online
799 http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.
801 According to the book "Computer Networks" by Andrew Tannenbaum,
802 Ethernet was named after the "luminiferous ether" which was once
803 thought to carry electromagnetic radiation. Taking that into
804 consideration, Ethereal seemed like an appropriate name for an
809 Q 2.1: I downloaded the Win32 installer, but when I try to run it, I
812 A: The program you used to download it may have downloaded it
813 incorrectly. Web browsers sometimes may do this.
815 Try downloading it with, for example:
816 * Wget, for which Windows binaries are available on the SunSITE FTP
817 server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
818 offers a GUI interface that uses wget;
819 * WS_FTP from Ipswitch,
820 * the ftp command that comes with Windows.
822 If you use the ftp command, make sure you do the transfer in binary
823 mode rather than ASCII mode, by using the binary command before
824 transferring the file.
826 Q 2.2: When I try to download the WinPcap driver and library, I can't
827 get to the WinPcap Web site.
829 A: As is the case with all Web sites, that site won't necessarily
830 always be accessible; the server may be down due to a problem or down
831 for maintenance, or there may be a networking problem between you and
832 the server. You should try again later, or try the local mirror or the
833 Wiretapped.net mirror.
837 Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
838 installed; only Tethereal is installed.
840 A: Older versions of the Red Hat RPMs for Ethereal put only the
841 non-GUI components into the ethereal RPM, the fact that Ethereal is a
842 GUI program nonwithstanding; newer versions make it a bit clearer by
843 giving that RPM a name starting with ethereal-base.
845 In those older versions, there's a separate ethereal-gnome RPM that
846 includes GUI components such as Ethereal itself, the fact that
847 Ethereal doesn't use GNOME nonwithstanding; newer versions make it a
848 bit clearer by giving that RPM a name starting with ethereal-gtk+.
850 Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.
854 Q 4.1: The configure script can't find pcap.h or bpf.h, but I have
857 A: Are you sure pcap.h and bpf.h are installed? The official
858 distribution of libpcap only installs the libpcap.a library file when
859 "make install" is run. To install pcap.h and bpf.h, you must run "make
860 install-incl". If you're running Debian or Redhat, make sure you have
861 the "libpcap-dev" or "libpcap-devel" packages installed.
863 It's also possible that pcap.h and bpf.h have been installed in a
864 strange location. If this is the case, you may have to tweak
867 Q 4.2: Why do I get the error
869 dftest_DEPENDENCIES was already defined in condition TRUE, which
870 implies condition HAVE_PLUGINS_TRUE
872 when I try to build Ethereal from CVS or a CVS snapshot?
874 A: You probably have automake 1.5 installed on your machine (the
875 command automake --version will report the version of automake on your
876 machine). There is a bug in that version of automake that causes this
877 problem; upgrade to a later version of automake (1.6 or later).
879 Q 4.3: The link fails with a number of "Output line too long."
880 messages followed by linker errors.
882 A: The version of the sed command on your system is incapable of
883 handling very long lines. On Solaris, for example, /usr/bin/sed has a
884 line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
885 can handle it, as can GNU sed if you have it installed.
887 On Solaris, changing your command search path to search /usr/xpg4/bin
888 before /usr/bin should make the problem go away; on any platform on
889 which you have this problem, installing GNU sed and changing your
890 command path to search the directory in which it is installed before
891 searching the directory with the version of sed that came with the OS
892 should make the problem go away.
894 Q 4.4: The link fails on Solaris because plugin_list is undefined.
896 A: This appears to be due to a problem with some versions of the GTK+
897 and GLib packages from www.sunfreeware.org; un-install those packages,
898 and try getting the 1.2.10 versions from that site, or the versions
899 from The Written Word, or the versions from Sun's GNOME distribution,
900 or the versions from the supplemental software CD that comes with the
901 Solaris media kit, or build them from source from the GTK Web site.
902 Then re-run the configuration script, and try rebuilding Ethereal. (If
903 you get the 1.2.10 versions from www.sunfreeware.org, and the problem
904 persists, un-install them and try installing one of the other versions
907 Q 4.5: The build fails on Windows because of conflicts between
908 winsock.h and winsock2.h.
910 A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and
911 the corresponding version of the developer's pack, in order to be able
912 to compile Ethereal; it will not compile with older versions of the
913 developer's pack. The symptoms of this failure are conflicts between
914 definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h,
915 but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
916 (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would
917 not be able to build with current versions of the WinPcap developer's
920 Note that the installed version of the developer's pack should be the
921 same version as the version of WinPcap you have installed.
923 Q 4.6: I'm trying to build Ethereal 0.10.0a on Windows; why is the the
924 build failing with an error saying it can't find "Makefile.nmake"?
926 A: There was a bug in the 0.10.0a distribution that caused
927 "tools\Makefile.nmake" not to be in the source code release. You can
928 download it with the URL
929 http://www.ethereal.com/cgi-bin/viewcvs.cgi/*checkout*/ethereal/tools/
930 Makefile.nmake?rev=1.5. Put it into "tools\Makefile.nmake" and try the
935 Q 5.1: When I use Ethereal to capture packets, I see only packets to
936 and from my machine, or I'm not seeing all the traffic I'm expecting
937 to see from or to the machine I'm trying to monitor.
939 A: This might be because the interface on which you're capturing is
940 plugged into a switch; on a switched network, unicast traffic between
941 two ports will not necessarily appear on other ports - only broadcast
942 and multicast traffic will be sent to all ports.
944 Note that even if your machine is plugged into a hub, the "hub" may be
945 a switched hub, in which case you're still on a switched network.
947 Note also that on the Linksys Web site, they say that their
948 auto-sensing hubs "broadcast the 10Mb packets to the port that operate
949 at 10Mb only and broadcast the 100Mb packets to the ports that operate
950 at 100Mb only", which would indicate that if you sniff on a 10Mb port,
951 you will not see traffic coming sent to a 100Mb port, and vice versa.
952 This problem has also been reported for Netgear dual-speed hubs, and
953 may exist for other "auto-sensing" or "dual-speed" hubs.
955 Some switches have the ability to replicate all traffic on all ports
956 to a single port so that you can plug your analyzer into that single
957 port to sniff all traffic. You would have to check the documentation
958 for the switch to see if this is possible and, if so, to see how to do
959 this. See, for example:
960 * this documentation from Cisco on the Switched Port Analyzer (SPAN)
961 feature on Catalyst switches;
962 * documentation from HP on how to set "monitoring"/"mirroring" on
963 ports on the console for HP Advancestack Switch 208 and 224;
964 * the "Network Monitoring Port Features" section of chapter 6 of
965 documentation from HP for HP ProCurve Switches 1600M, 2424M,
967 * the "Switch Port-Mirroring" section of chapter 6 of documentation
968 from Extreme Networks for their Summit 200 switches;
969 * the documentation on "Configuring Port Mirroring and Monitoring"
970 in Foundry Networks' documentation for their FastIron Edge
972 * the documentation on "Configuring Port Mirroring and Monitoring"
973 in Foundry Networks' documentation for their BigIron MG8 Layer 3
975 * the "Port Monitor" subsection of the "Status Monitor and
976 Statistics" section of the documentation from Foundry Networks for
977 their EdgeIron 4802F and 10GC2F switches;
978 * the "Configuring Port Mirroring" section of chapter 3 of the
979 documentation from Foundry Networks for their EdgeIron 24G,
980 2402CF, and 4802CF switches;
981 * the documentation on "Configuring Port Mirroring and Monitoring"
982 in Foundry Networks' documentation for their other switches and
985 Note also that many firewall/NAT boxes have a switch built into them;
986 this includes many of the "cable/DSL router" boxes. If you have a box
987 of that sort, that has a switch with some number of Ethernet ports
988 into which you plug machines on your network, and another Ethernet
989 port used to connect to a cable or DSL modem, you can, at least, sniff
990 traffic between the machines on your network and the Internet by
991 plugging the Ethernet port on the router going to the modem, the
992 Ethernet port on the modem, and the machine on which you're running
993 Ethereal into a hub (make sure it's not a switching hub, and that, if
994 it's a dual-speed hub, all three of those ports are running at the
997 If your machine is not plugged into a switched network or a dual-speed
998 hub, or it is plugged into a switched network but the port is set up
999 to have all traffic replicated to it, the problem might be that the
1000 network interface on which you're capturing doesn't support
1001 "promiscuous" mode, or because your OS can't put the interface into
1002 promiscuous mode. Normally, network interfaces supply to the host
1004 * packets sent to one of that host's link-layer addresses;
1005 * broadcast packets;
1006 * multicast packets sent to a multicast address that the host has
1007 configured the interface to accept.
1009 Most network interfaces can also be put in "promiscuous" mode, in
1010 which they supply to the host all network packets they see. Ethereal
1011 will try to put the interface on which it's capturing into promiscuous
1012 mode unless the "Capture packets in promiscuous mode" option is turned
1013 off in the "Capture Options" dialog box, and Tethereal will try to put
1014 the interface on which it's capturing into promiscuous mode unless the
1015 -p option was specified. However, some network interfaces don't
1016 support promiscuous mode, and some OSes might not allow interfaces to
1017 be put into promiscuous mode.
1019 If the interface is not running in promiscuous mode, it won't see any
1020 traffic that isn't intended to be seen by your machine. It will see
1021 broadcast packets, and multicast packets sent to a multicast MAC
1022 address the interface is set up to receive.
1024 You should ask the vendor of your network interface whether it
1025 supports promiscuous mode. If it does, you should ask whoever supplied
1026 the driver for the interface (the vendor, or the supplier of the OS
1027 you're running on your machine) whether it supports promiscuous mode
1028 with that network interface.
1030 In the case of token ring interfaces, the drivers for some of them, on
1031 Windows, may require you to enable promiscuous mode in order to
1032 capture in promiscuous mode. Ask the vendor of the card how to do
1033 this, or see, for example, this information on promiscuous mode on
1034 some Madge token ring adapters (note that those cards can have
1035 promiscuous mode disabled permanently, in which case you can't enable
1038 In the case of wireless LAN interfaces, it appears that, when those
1039 interfaces are promiscuously sniffing, they're running in a
1040 significantly different mode from the mode that they run in when
1041 they're just acting as network interfaces (to the extent that it would
1042 be a significant effor for those drivers to support for promiscuously
1043 sniffing and acting as regular network interfaces at the same time),
1044 so it may be that Windows drivers for those interfaces don't support
1047 Q 5.2: I can't see any TCP packets other than packets to and from my
1048 machine, even though another analyzer on the network sees those
1051 A: You're probably not seeing any packets other than unicast packets
1052 to or from your machine, and broadcast and multicast packets; a switch
1053 will normally send to a port only unicast traffic sent to the MAC
1054 address for the interface on that port, and broadcast and multicast
1055 traffic - it won't send to that port unicast traffic sent to a MAC
1056 address for some other interface - and a network interface not in
1057 promiscuous mode will receive only unicast traffic sent to the MAC
1058 address for that interface, broadcast traffic, and multicast traffic
1059 sent to a multicast MAC address the interface is set up to receive.
1061 TCP doesn't use broadcast or multicast, so you will only see your own
1062 TCP traffic, but UDP services may use broadcast or multicast so you'll
1063 see some UDP traffic - however, this is not a problem with TCP
1064 traffic, it's a problem with unicast traffic, as you also won't see
1065 all UDP traffic between other machines.
1067 I.e., this is probably the same question as this earlier one; see the
1068 response to that question.
1070 Q 5.3: I'm only seeing ARP packets when I try to capture traffic.
1072 A: You're probably on a switched network, and running Ethereal on a
1073 machine that's not sending traffic to the switch and not being sent
1074 any traffic from other machines on the switch. ARP packets are often
1075 broadcast packets, which are sent to all switch ports.
1077 I.e., this is probably the same question as this earlier one; see the
1078 response to that question.
1080 Q 5.4: I'm running Ethereal on Windows; why does some network
1081 interface on my machine not show up in the list of interfaces in the
1082 "Interface:" field in the dialog box popped up by "Capture->Start",
1083 and/or why does Ethereal give me an error if I try to capture on that
1086 A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
1087 Windows XP, or Windows Server, and this is the first time you have run
1088 a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,
1089 or Analyzer, or...) since the machine was rebooted, you need to run
1090 that program from an account with administrator privileges; once you
1091 have run such a program, you will not need administrator privileges to
1092 run any such programs until you reboot.
1094 If you are running on Windows 95/98/Me, or if you are running on
1095 Windows NT 4.0/2000/XP/Server and have administrator privileges or a
1096 WinPcap-based program has been run with those privileges since the
1097 machine rebooted, then note that Ethereal relies on the WinPcap
1098 library, on the WinPcap device driver, and on the facilities that come
1099 with the OS on which it's running in order to do captures.
1101 Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
1102 support capturing on a particular network interface device, Ethereal
1103 won't be able to capture on that device.
1106 1. 2.02 and earlier versions of the WinPcap driver and library that
1107 Ethereal uses for packet capture didn't support Token Ring
1108 interfaces; versions 2.1 and later support Token Ring, and the
1109 current version of Ethereal works with (and, in fact, requires)
1110 WinPcap 2.1 or later.
1111 If you are having problems capturing on Token Ring interfaces, and
1112 you have WinPcap 2.02 or an earlier version of WinPcap installed,
1113 you should uninstall WinPcap, download and install the current
1114 version of WinPcap, and then install the latest version of
1116 2. On Windows 95, 98, or Me, sometimes more than one interface will
1117 be given the same name; if that is the case, you will only be able
1118 to capture on one of those interfaces - it's not clear to which
1119 one the name, when used in a WinPcap-based application, will
1120 refer. For example, if you have a PPP serial interface and a VPN
1121 interface, they might show up with the same name, for example
1122 "ppp-mac", and if you try to capture on "ppp-mac", it might not
1123 capture on the interface you're currently using. In that case, you
1124 might, for example, have to remove the VPN interface from the
1125 system in order to capture on the PPP serial interface.
1126 3. WinPcap 3.0 doesn't support PPP WAN interfaces, and WinPcap 2.3
1127 doesn't support PPP WAN interfaces on Windows NT/2000/XP/Server,
1128 so Ethereal cannot capture packets on those devices with WinPcap
1129 3.0, or with WInPcap 2.x when running on Windows
1130 NT/2000/XP/Server. Regular dial-up lines, ISDN lines, and various
1131 other lines such as T1/E1 lines are all PPP interfaces. This may
1132 cause the interface not to show up on the list of interfaces in
1133 the "Capture Options" dialog.
1134 4. WinPcap prior to 3.0 does not support multiprocessor machines
1135 (note that machines with a single multi-threaded processor, such
1136 as Intel's new multi-threaded x86 processors, are multiprocessor
1137 machines as far as the OS and WinPcap are concerned), and recent
1138 2.x versions of WinPcap refuse to operate if they detect that
1139 they're running on a multiprocessor machine, which means that they
1140 may not show any network interfaces. You will need to use WinPcap
1141 3.0 to capture on a multiprocessor machine.
1143 If an interface doesn't show up in the list of interfaces in the
1144 "Interface:" field, and you know the name of the interface, try
1145 entering that name in the "Interface:" field and capturing on that
1148 If the attempt to capture on it succeeds, the interface is somehow not
1149 being reported by the mechanism Ethereal uses to get a list of
1150 interfaces; please report this to ethereal-dev@ethereal.com giving
1151 full details of the problem, including
1152 * the operating system you're using, and the version of that
1154 * the type of network device you're using.
1156 If you are having trouble capturing on a particular network interface,
1157 first try capturing on that device with WinDump; see the WinDump Web
1158 site or the local mirror of the WinDump Web site for information on
1161 If you can capture on the interface with WinDump, send mail to
1162 ethereal-users@ethereal.com giving full details of the problem,
1164 * the operating system you're using, and the version of that
1166 * the type of network device you're using;
1167 * the error message you get from Ethereal.
1169 If you cannot capture on the interface with WinDump, this is almost
1170 certainly a problem with one or more of:
1171 * the operating system you're using;
1172 * the device driver for the interface you're using;
1173 * the WinPcap library and/or the WinPcap device driver;
1175 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1176 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1177 there. If not, then see the WinPcap support page (or the local mirror
1178 of that page) - check the "Submitting bugs" section.
1180 You may also want to ask the ethereal-users@ethereal.com and the
1181 winpcap-users@winpcap.polito.it mailing lists to see if anybody
1182 happens to know about the problem and know a workaround or fix for the
1183 problem. (Note that you will have to subscribe to that list in order
1184 to be allowed to mail to it; see the WinPcap support page, or the
1185 local mirror of that page, for information on the mailing list.) In
1186 your mail, please give full details of the problem, as described
1187 above, and also indicate that the problem occurs with WinDump, not
1190 Q 5.5: I'm running Ethereal on Windows; why do no network interfaces
1191 show up in the list of interfaces in the "Interface:" field in the
1192 dialog box popped up by "Capture->Start"?
1194 A: This is really the same question as the previous one; see the
1195 response to that question.
1197 Q 5.6: I'm running Ethereal on Windows; why doesn't my serial
1198 port/ADSL modem/ISDN modem/show up in the list of interfaces in the
1199 "Interface:" field in the dialog box popped up by "Capture->Start"?
1201 A: All of those devices support Internet access using the
1202 Point-to-Point (PPP) protocol; WinPcap 3.0 doesn't support PPP
1203 interfaces, and WinPcap 2.x doesn't support PPP interfaces on Windows
1204 NT/2000/XP/Server, so Ethereal cannot capture packets on those devices
1205 with WinPcap 3.0, or with WinPcap 2.x when running on Windows
1206 NT/2000/XP/Server. This may cause the interface not to show up on the
1207 list of interfaces in the "Capture Options" dialog.
1209 Q 5.7: I'm running Ethereal on a UNIX-flavored OS; why does some
1210 network interface on my machine not show up in the list of interfaces
1211 in the "Interface:" field in the dialog box popped up by
1212 "Capture->Start", and/or why does Ethereal give me an error if I try
1213 to capture on that interface?
1215 A: You may need to run Ethereal from an account with sufficient
1216 privileges to capture packets, such as the super-user account. Only
1217 those interfaces that Ethereal can open for capturing show up in that
1218 list; if you don't have sufficient privileges to capture on any
1219 interfaces, no interfaces will show up in the list.
1221 If you are running Ethereal from an account with sufficient
1222 privileges, then note that Ethereal relies on the libpcap library, and
1223 on the facilities that come with the OS on which it's running in order
1226 Therefore, if the OS or the libpcap library don't support capturing on
1227 a particular network interface device, Ethereal won't be able to
1228 capture on that device.
1230 On Linux, note that you need to have "packet socket" support enabled
1231 in your kernel; see the "Packet socket" item in the Linux
1232 "Configure.help" file.
1234 On BSD, note that you need to have BPF support enabled in your kernel;
1235 see the documentation for your system for information on how to enable
1236 BPF support (if it's not enabled by default on your system).
1238 On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
1239 packet filtering support in your kernel; the doconfig command will
1240 allow you to configure and build a new kernel with that option.
1242 On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
1243 Ring interfaces; the current version, 0.7.2, does support Token Ring,
1244 and the current version of Ethereal works with libcap 0.7.2 and later.
1246 If an interface doesn't show up in the list of interfaces in the
1247 "Interface:" field, and you know the name of the interface, try
1248 entering that name in the "Interface:" field and capturing on that
1251 If the attempt to capture on it succeeds, the interface is somehow not
1252 being reported by the mechanism Ethereal uses to get a list of
1253 interfaces; please report this to ethereal-dev@ethereal.com giving
1254 full details of the problem, including
1255 * the operating system you're using, and the version of that
1256 operating system (for Linux, give both the version number of the
1257 kernel and the name and version number of the distribution you're
1259 * the type of network device you're using.
1261 If you are having trouble capturing on a particular network interface,
1262 and you've made sure that (on platforms that require it) you've
1263 arranged that packet capture support is present, as per the above,
1264 first try capturing on that device with tcpdump.
1266 If you can capture on the interface with tcpdump, send mail to
1267 ethereal-users@ethereal.com giving full details of the problem,
1269 * the operating system you're using, and the version of that
1270 operating system (for Linux, give both the version number of the
1271 kernel and the name and version number of the distribution you're
1273 * the type of network device you're using;
1274 * the error message you get from Ethereal.
1276 If you cannot capture on the interface with tcpdump, this is almost
1277 certainly a problem with one or more of:
1278 * the operating system you're using;
1279 * the device driver for the interface you're using;
1280 * the libpcap library;
1282 so you should report the problem to the company or organization that
1283 produces the OS (in the case of a Linux distribution, report the
1284 problem to whoever produces the distribution).
1286 You may also want to ask the ethereal-users@ethereal.com and the
1287 tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
1288 know about the problem and know a workaround or fix for the problem.
1289 In your mail, please give full details of the problem, as described
1290 above, and also indicate that the problem occurs with tcpdump not just
1293 Q 5.8: I'm running Ethereal on a UNIX-flavored OS; why do no network
1294 interfaces show up in the list of interfaces in the "Interface:" field
1295 in the dialog box popped up by "Capture->Start"?
1297 A: This is really the same question as the previous one; see the
1298 response to that question.
1300 Q 5.9: Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
1302 A: Ethereal can only capture on devices supported by libpcap/WinPcap.
1303 On most OSes, only devices that can act as network interfaces of the
1304 type that support IP are supported as capture devices for
1305 libpcap/WinPcap, although the device doesn't necessarily have to be
1306 running as an IP interface in order to support traffic capture.
1308 On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
1309 Measurement Systems' DAG cards, so that a system with one of those
1310 cards, and its driver and libraries, installed can capture traffic
1311 with those cards with libpcap-based applications. You would either
1312 have to have a version of Ethereal built with that version of libpcap,
1313 or a dynamically-linked version of Ethereal and a shared libpcap
1314 library with DAG support, in order to do so with Ethereal. You should
1315 ask Endace whether that could be used to capture traffic on, for
1316 example, your T1/E1 link.
1317 There is currently no hardware to support capturing on SS7 links with
1318 libpcap. (Note that the fact that Ethereal includes dissectors for
1319 many SS7 protocols doesn't imply that it can capture traffic from SS7
1320 links; those protocols can be run over Internet protocols.)
1322 Q 5.10: How do I put an interface into promiscuous mode?
1324 A: By not disabling promiscuous mode when running Ethereal or
1327 Note, however, that:
1328 * the form of promiscuous mode that libpcap (the library that
1329 programs such as tcpdump, Ethereal, etc. use to do packet capture)
1330 turns on will not necessarily be shown if you run ifconfig on the
1331 interface on a UNIX system;
1332 * some network interfaces might not support promiscuous mode, and
1333 some drivers might not allow promiscuous mode to be turned on -
1334 see this earlier question for more information on that;
1335 * the fact that you're not seeing any traffic, or are only seeing
1336 broadcast traffic, or aren't seeing any non-broadcast traffic
1337 other than traffic to or from the machine running Ethereal, does
1338 not mean that promiscuous mode isn't on - see this earlier
1339 question for more information on that.
1341 I.e., this is probably the same question as this earlier one; see the
1342 response to that question.
1344 Q 5.11: I can set a display filter just fine, but capture filters
1347 A: Capture filters currently use a different syntax than display
1348 filters. Here's the corresponding section from the ethereal(1) man
1351 "Display filters in Ethereal are very powerful; more fields are
1352 filterable in Ethereal than in other protocol analyzers, and the
1353 syntax you can use to create your filters is richer. As Ethereal
1354 progresses, expect more and more protocol fields to be allowed in
1357 Packet capturing is performed with the pcap library. The capture
1358 filter syntax follows the rules of the pcap library. This syntax is
1359 different from the display filter syntax."
1361 The capture filter syntax used by libpcap can be found in the
1362 tcpdump(8) man page.
1364 Q 5.12: I'm entering valid capture filters, but I still get "parse
1367 A: There is a bug in some versions of libpcap/WinPcap that cause it to
1368 report parse errors even for valid expressions if a previous filter
1369 expression was invalid and got a parse error.
1371 Try exiting and restarting Ethereal; if you are using a version of
1372 libpcap/WinPcap with this bug, this will "erase" its memory of the
1373 previous parse error. If the capture filter that got the "parse error"
1374 now works, the earlier error with that filter was probably due to this
1377 The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
1378 libpcap have this bug, but 0.6[.x] and later versions don't.
1380 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
1381 libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
1382 doesn't have this bug.
1384 If you are running Ethereal on a UNIX-flavored platform, run "ethereal
1385 -v", or select "About Ethereal..." from the "Help" menu in Ethereal,
1386 to see what version of libpcap it's using. If it's not 0.6 or later,
1387 you will need either to upgrade your OS to get a later version of
1388 libpcap, or will need to build and install a later version of libpcap
1389 from the tcpdump.org Web site and then recompile Ethereal from source
1390 with that later version of libpcap.
1392 If you are running Ethereal on Windows with a pre-2.3 version of
1393 WinPcap, you will need to un-install WinPcap and then download and
1394 install WinPcap 2.3.
1396 Q 5.13: I saved a filter and tried to use its name to filter the
1397 display, but I got an "Unexpected end of filter string" error.
1399 A: You cannot use the name of a saved display filter as a filter. To
1400 filter the display, you can enter a display filter expression - not
1401 the name of a saved display filter - in the "Filter:" box at the
1402 bottom of the display, and type the key or press the "Apply" button
1403 (that does not require you to have a saved filter), or, if you want to
1404 use a saved filter, you can press the "Filter:" button, select the
1405 filter in the dialog box that pops up, and press the "OK" button.
1407 Q 5.14: Why am I seeing lots of packets with incorrect TCP checksums?
1409 A: If the packets that have incorrect TCP checksums are all being sent
1410 by the machine on which Ethereal is running, this is probably because
1411 the network interface on which you're capturing does TCP checksum
1412 offloading. That means that the TCP checksum is added to the packet by
1413 the network interface, not by the OS's TCP/IP stack; when capturing on
1414 an interface, packets being sent by the host on which you're capturing
1415 are directly handed to the capture interface by the OS, which means
1416 that they are handed to the capture interface without a TCP checksum
1417 being added to them.
1419 The only way to prevent this from happening would be to disable TCP
1420 checksum offloading, but
1421 1. that might not even be possible on some OSes;
1422 2. that could reduce networking performance significantly.
1424 However, you can disable the check that Ethereal does of the TCP
1425 checksum, so that it won't report any packets as having TCP checksum
1426 errors, and so that it won't refuse to do TCP reassembly due to a
1427 packet having an incorrect TCP checksum. That can be set as an
1428 Ethereal preference by selecting "Preferences" from the "Edit" menu,
1429 opening up the "Protocols" list in the left-hand pane of the
1430 "Preferences" dialog box, selecting "TCP", from that list, turning off
1431 the "Check the validity of the TCP checksum when possible" option,
1432 clicking "Save" if you want to save that setting in your preference
1433 file, and clicking "OK".
1435 It can also be set on the Ethereal or Tethereal command line with a -o
1436 tcp.check_checksum:false command-line flag, or manually set in your
1437 preferences file by adding a tcp.check_checksum:false line.
1439 Q 5.15: I've just installed Ethereal, and the traffic on my local LAN
1442 A: We have a collection of strange and exotic sample capture files at
1443 http://www.ethereal.com/sample/
1445 Q 5.16: When I run Ethereal on Solaris 8, it dies with a Bus Error
1448 A: Some versions of the GTK+ library from www.sunfreeware.org appear
1449 to be buggy, causing Ethereal to drop core with a Bus Error.
1450 Un-install those packages, and try getting the 1.2.10 version from
1451 that site, or the version from The Written Word, or the version from
1452 Sun's GNOME distribution, or the version from the supplemental
1453 software CD that comes with the Solaris media kit, or build it from
1454 source from the GTK Web site. Update the GLib library to the 1.2.10
1455 version, from the same source, as well. (If you get the 1.2.10
1456 versions from www.sunfreeware.org, and the problem persists,
1457 un-install them and try installing one of the other versions
1460 Similar problems may exist with older versions of GTK+ for earlier
1461 versions of Solaris.
1463 Q 5.17: When I run Tethereal with the "-x" option, it crashes with an
1464 error "** ERROR **: file print.c: line 691 (print_line): should not be
1467 A: This is a bug in Ethereal 0.10.0a, which is fixed in the Ethereal
1468 CVS tree and will thus be fixed in the next release. To work around
1469 the bug, don't use "-x" unless you're also using "-V"; note that "-V"
1470 produces a full dissection of each packet, so you might not want to
1473 To get a fixed version, either build the current CVS version from
1474 anonymous CVS or a nightly CVS snapshot, or apply to tethereal.c in
1475 the 0.10.0a source tarball the changes between the broken and the
1476 fixed versions, which you can download with the URL
1477 http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/tethereal.c.diff?
1478 r2=1.211&r1=1.210&diff_format=u and (re-)build from source. It might
1479 be easier to get the CVS version than to get the patch and apply it to
1480 the 0.10.0a source tarball, but it's probably easier to build from the
1481 source tarball than from the CVS version, as you'll need to have more
1482 tools and make more steps to generate from the CVS version some files
1483 that are bundled with the source tarball.
1485 Note that to build from the 0.10.0a source tarball on Windows with
1486 Microsoft Visual C++, you will need to get a file that was missing
1487 from the 0.10.0a source tarball; see the FAQ for that problem.
1489 Q 5.18: When I run Ethereal on Windows NT, it dies with a Dr. Watson
1490 error, reporting an "Integer division by zero" exception, when I start
1493 A: In at least some case, this appears to be due to using the default
1494 VGA driver; if that's not the correct driver for your video card, try
1495 running the correct driver for your video card.
1497 Q 5.19: When I try to run Ethereal, it complains about
1498 sprint_realloc_objid being undefined.
1500 A: Ethereal can only be linked with version 4.2.2 or later of UCD
1501 SNMP. Your version of Ethereal was dynamically linked with such a
1502 version of UCD SNMP; however, you have an older version of UCD SNMP
1503 installed, which means that when Ethereal is run, it tries to link to
1504 the older version, and fails. You will have to replace that version of
1505 UCD SNMP with version 4.2.2 or a later version.
1507 Q 5.20: I'm running Ethereal on Linux; why do my time stamps have only
1508 100ms resolution, rather than 1us resolution?
1510 A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
1511 get them from the OS kernel, so Ethereal - and any other program using
1512 libpcap, such as tcpdump - is at the mercy of the time stamping code
1513 in the OS for time stamps.
1515 At least on x86-based machines, Linux can get high-resolution time
1516 stamps on newer processors with the Time Stamp Counter (TSC) register;
1517 for example, Intel x86 processors, starting with the Pentium Pro, and
1518 including all x86 processors since then, have had a TSC, and other
1519 vendors probably added the TSC at some point to their families of x86
1522 The Linux kernel must be configured with the CONFIG_X86_TSC option
1523 enabled in order to use the TSC. Make sure this option is enabled in
1526 In addition, some Linux distributions may have bugs in their versions
1527 of the kernel that cause packets not to be given high-resolution time
1528 stamps even if the TSC is enabled. See, for example, bug 61111 for Red
1529 Hat Linux 7.2. If your distribution has a bug such as this, you may
1530 have to run a standard kernel from kernel.org in order to get
1531 high-resolution time stamps.
1533 Q 5.21: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
1534 why are the time stamps on packets wrong?
1536 A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap
1539 Q 5.22: When I try to run Ethereal on Windows, it fails to run because
1540 it can't find packet.dll.
1542 A: In older versions of Ethereal, there were two binary distributions
1543 available for Windows, one that supported capturing packets, and one
1544 that didn't. The version that supported capturing packets required
1545 that you install the WinPcap driver; if you didn't install it, it
1546 would fail to run because it couldn't find packet.dll.
1548 The current version of Ethereal has only one binary distribution for
1549 Windows; that version will check whether WinPcap is installed and, if
1550 it's not, will disable support for packet capture.
1552 The WinPcap driver and libraries can be downloaded from the WinPcap
1553 Web site, the local mirror of the WinPcap Web site, or the
1554 Wiretapped.net mirror of the WinPcap site.
1556 Q 5.23: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
1557 has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
1558 "Interface" item in the "Capture Options" dialog box. Why can no
1559 packets be sent on or received from that network while I'm trying to
1560 capture traffic on that interface?
1562 A: WinPcap doesn't support PPP WAN interfaces on Windows
1563 NT/2000/XP/Server; one symptom that may be seen is that attempts to
1564 capture in promiscuous mode on the interface cause the interface to be
1565 incapable of sending or receiving packets. You can disable promiscuous
1566 mode using the -p command-line flag or the item in the "Capture
1567 Preferences" dialog box, but this may mean that outgoing packets, or
1568 incoming packets, won't be seen in the capture.
1570 Q 5.24: I'm running Ethereal on Windows 95/98/Me, on a machine with
1571 more than one network adapter of the same type; Ethereal shows all of
1572 those adapters with the same name, but I can't use any of those
1573 adapters other than the first one.
1575 A: Unfortunately, Windows 95/98/Me gives the same name to multiple
1576 instances of the type of same network adapter. Therefore, WinPcap
1577 cannot distinguish between them, so a WinPcap-based application can
1578 capture only on the first such interface; Ethereal is a
1579 libpcap/WinPcap-based application.
1581 Q 5.25: I'm running Ethereal on Windows, and I'm not seeing any
1582 traffic being sent by the machine running Ethereal.
1584 A: If you are running some form of VPN client software, it might be
1585 causing this problem; people have seen this problem when they have
1586 Check Point's VPN software installed on their machine. If that's the
1587 cause of the problem, you will have to remove the VPN software in
1588 order to have Ethereal (or any other application using WinPcap) see
1589 outgoing packets; unfortunately, neither we nor the WinPcap developers
1590 know any way to make WinPcap and the VPN software work well together.
1592 Also, some drivers for Windows (especially some wireless network
1593 interface drivers) apparently do not, when running in promiscuous
1594 mode, arrange that outgoing packets are delivered to the software that
1595 requested that the interface run promiscuously; try turning
1596 promiscuous mode off.
1598 Q 5.26: I'm trying to capture traffic but I'm not seeing any.
1600 A: Is the machine running Ethereal sending out any traffic on the
1601 network interface on which you're capturing, or receiving any traffic
1602 on that network, or is there any broadcast traffic on the network or
1603 multicast traffic to a multicast group to which the machine running
1606 If not, this may just be a problem with promiscuous sniffing, either
1607 due to running on a switched network or a dual-speed hub, or due to
1608 problems with the interface not supporting promiscuous mode; see the
1609 response to this earlier question.
1611 Otherwise, on Windows, see the response to this question and, on a
1612 UNIX-flavored OS, see the response to this question.
1614 Q 5.27: I have an XXX network card on my machine; if I try to capture
1615 on it, my machine crashes or resets itself.
1617 A: This is almost certainly a problem with one or more of:
1618 * the operating system you're using;
1619 * the device driver for the interface you're using;
1620 * the libpcap/WinPcap library and, if this is Windows, the WinPcap
1624 * if you are using Windows, see the WinPcap support page (or the
1625 local mirror of that page) - check the "Submitting bugs" section;
1626 * if you are using some Linux distribution, some version of BSD, or
1627 some other UNIX-flavored OS, you should report the problem to the
1628 company or organization that produces the OS (in the case of a
1629 Linux distribution, report the problem to whoever produces the
1632 Q 5.28: My machine crashes or resets itself when I select "Start" from
1633 the "Capture" menu or select "Preferences" from the "Edit" menu.
1635 A: Both of those operations cause Ethereal to try to build a list of
1636 the interfaces that it can open; it does so by getting a list of
1637 interfaces and trying to open them. There is probably an OS, driver,
1638 or, for Windows, WinPcap bug that causes the system to crash when this
1639 happens; see the previous question.
1641 Q 5.29: Does Ethereal work on Windows Me?
1643 A: Yes, but if you want to capture packets, you will need to install
1644 the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
1645 didn't support Windows Me. You should also install the latest version
1646 of Ethereal as well.
1648 Q 5.30: Does Ethereal work on Windows XP?
1650 A: Yes, but if you want to capture packets, you will need to install
1651 the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
1652 didn't support Windows XP.
1654 Q 5.31: Why doesn't Ethereal correctly identify RTP packets? It shows
1657 A: Ethereal can identify a UDP datagram as containing a packet of a
1658 particular protocol running atop UDP only if
1659 1. The protocol in question has a particular standard port number,
1660 and the UDP source or destination port number is that port
1661 2. Packets of that protocol can be identified by looking for a
1662 "signature" of some type in the packet - i.e., some data that, if
1663 Ethereal finds it in some particular part of a packet, means that
1664 the packet is almost certainly a packet of that type.
1665 3. Some other traffic earlier in the capture indicated that, for
1666 example, UDP traffic between two particular addresses and ports
1667 will be RTP traffic.
1669 RTP doesn't have a standard port number, so 1) doesn't work; it
1670 doesn't, as far as I know, have any "signature", so 2) doesn't work.
1672 That leaves 3). If there's RTSP traffic that sets up an RTP session,
1673 then, at least in some cases, the RTSP dissector will set things up so
1674 that subsequent RTP traffic will be identified. Currently, that's the
1675 only place we do that; there may be other places.
1677 However, there will always be places where Ethereal is simply
1678 incapable of deducing that a given UDP flow is RTP; a mechanism would
1679 be needed to allow the user to specify that a given conversation
1680 should be treated as RTP. As of Ethereal 0.8.16, such a mechanism
1681 exists; if you select a UDP or TCP packet, the right mouse button menu
1682 will have a "Decode As..." menu item, which will pop up a dialog box
1683 letting you specify that the source port, the destination port, or
1684 both the source and destination ports of the packet should be
1685 dissected as some particular protocol.
1687 Q 5.32: Why doesn't Ethereal show Yahoo Messenger packets in captures
1688 that contain Yahoo Messenger traffic?
1690 A: Ethereal only recognizes as Yahoo Messenger traffic packets to or
1691 from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
1692 segments that start with the middle of a Yahoo Messenger packet that
1693 takes more than one TCP segment will not be recognized as Yahoo
1694 Messenger packets (even if the TCP segment also contains the beginning
1695 of another Yahoo Messenger packet).
1697 Q 5.33: Why do I get the error
1699 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
1703 when I try to run Ethereal on Windows?
1705 A: Ethereal is built using the GTK+ toolkit, which supports most
1706 UNIX-flavored OSes, and also supports Windows.
1708 Windows versions of Ethereal before 0.9.14 were built with an older
1709 version of that toolkit, which didn't support 256-color mode on
1710 Windows - it required HiColor (16-bit colors) or more.
1712 Windows versions of Ethereal 0.9.14 and later are built with a version
1713 of that toolkit that supports 256-color mode; upgrade to the current
1714 version of Ethereal if you want to run on a display in 256-color mode.
1716 Q 5.34: When I capture on Windows in promiscuous mode, I can see
1717 packets other than those sent to or from my machine; however, those
1718 packets show up with a "Short Frame" indication, unlike packets to or
1719 from my machine. What should I do to arrange that I see those packets
1722 A: In at least some cases, this appears to be the result of PGPnet
1723 running on the network interface on which you're capturing; turn it
1724 off on that interface.
1726 Q 5.35: I'm capturing packets on a machine on a VLAN; why don't the
1727 packets I'm capturing have VLAN tags?
1729 A: You might be capturing on what might be called a "VLAN interface" -
1730 the way a particular OS makes VLANs plug into the networking stack
1731 might, for example, be to have a network device object for the
1732 physical interface, which takes VLAN packets, strips off the VLAN
1733 header and constructs an Ethernet header, and passes that packet to an
1734 internal network device object for the VLAN, which then passes the
1735 packets onto various higher-level protocol implementations.
1737 In order to see the raw Ethernet packets, rather than "de-VLANized"
1738 packets, you would have to capture not on the virtual interface for
1739 the VLAN, but on the interface corresponding to the physical network
1740 device, if possible.
1742 Q 5.36: How can I capture raw 802.11 packets, including non-data
1743 (management, beacon) packets?
1745 A: That would require that your 802.11 interface run in the mode
1746 called "monitor mode" or "RFMON mode". Not all operating systems
1747 support that and, even on operating systems that do support it, not
1748 all drivers, and thus not all cards, support it.
1750 NOTE: an interface running in monitor mode will, on most if not all
1751 platforms, not be able to act as a regular network interface; putting
1752 it into monitor mode will, in effect, take your machine off of
1753 whatever network it's on as long as the interface is in monitor mode,
1754 allowing it only to passively capture packets.
1756 This means that you should disable name resolution when capturing in
1757 monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump)
1758 tries to display IP addresses as host names, it will probably block
1759 for a long time trying to resolve the name because it will not be able
1760 to communicate with any DNS or NIS servers.
1762 Cisco Aironet cards:
1764 The only platforms that allow Ethereal to capture raw 802.11 packets
1765 on Cisco Aironet cards are:
1766 * Linux, with a 2.4.6 or later kernel;
1767 * FreeBSD 4.6 or later, as the driver in FreeBSD 4.5 has bugs that
1768 cause packets not to be captured correctly, and the driver in
1769 releases prior to 4.5 didn't support capturing raw packets.
1771 On FreeBSD, the ancontrol utility must be used. The command
1773 ancontrol -i anN -M flag
1775 is used to enable or disable monitor mode. If flag is 0, monitor mode
1776 will be turned off; otherwise, flag should be the sum of:
1777 * 1, to turn monitor mode on;
1778 * 2, if you want to capture traffic from any BSS rather than just
1779 the BSS with which the card is associated;
1780 * 4, if you want to see beacon packets (capturing beacon packets
1781 increases the CPU requirements of capturing).
1783 Don't add 8 in; Ethereal currently doesn't support the full Aironet
1786 On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will
1789 echo "Mode: rfmon">/proc/driver/aironet/ethN/Config
1791 if your Aironet card is ethN. To capture traffic from any BSS rather
1792 than just the BSS with which the card is associated, do
1794 echo "Mode: y">/proc/driver/aironet/ethN/Config
1796 and to return to the normal mode, do
1798 echo "Mode: ess">/proc/driver/aironet/ethN/Config
1800 On Linux with the driver in the 2.4.20 or later kernel, or with the
1801 CVS drivers from the airo-linux SourceForge site, you will have to
1802 capture on the wifiN interface if your Aironet card is ethN, after
1803 running the commands listed above.
1805 In all of those cases, Ethereal would have to be linked with libpcap
1806 0.7.1 or later; this means that most Ethereal binary packages won't
1807 work unless they're statically linked with libpcap 0.7.1 or later, or
1808 they're dynamically linked with libpcap and your system has a libpcap
1809 0.7.1 or later shared library installed (note that libpcap source
1810 package from tcpdump.org does not build shared libraries). Some binary
1811 packaging mechanisms might make it difficult to install Ethereal
1812 binary packages built to depend on older libpcap binary packages if
1813 you have a newer libpcap binary package installed; the installer
1814 programs for those packaging mechanisms might support disabling
1815 dependency checking so that they will install Ethereal even though a
1816 newer version of libpcap is installed.
1818 Cards using the Prism II chip set (see this page of Linux 802.11
1819 information for details on wireless cards, including information on
1820 the chips they use):
1822 You can capture raw 802.11 packets with Prism II cards on Linux
1823 systems with the 0.1.14-pre6 or later version of the linux-wlan-ng
1824 drivers (see the linux-wlan page, and the linux-wlan-ng tarball
1827 Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his
1828 libpcap-0.7.1-prism.diff file, or his RPMs of that version of
1829 libpcap), or the current CVS version of libpcap, which includes his
1830 patch (download it from the "Current Tar files" section of the
1831 tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and
1832 rebuild and install libpcap, or if you build and install the current
1833 CVS version of libpcap, you would have to rebuild Ethereal from
1834 source, linking it with that new version of libpcap; an Ethereal
1835 binary package would not work. Ethereal binary packages might work if
1836 you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
1837 a libpcap shared library in place of the one on your system.
1839 You may have to run a command to put the interface into monitor mode,
1840 or to change other interface settings, and you might have to capture
1841 on a wlanN interface rather than a ethN interface, in order to capture
1842 raw 802.11 packets. The interface settings are available in your
1843 wlan-ng.conf file. See the wlan-ng FAQ for additional information.
1845 On other platforms, capturing raw 802.11 packets on Prism II cards is
1846 not currently supported.
1848 Orinoco Silver and Gold cards:
1850 On Linux systems, there are patches on the Orinoco Monitor Mode Patch
1851 Page that should allow you to do capture raw 802.11 packets. You will
1852 have to determine which version of the driver you have, and select the
1855 Note that the page indicates that not all versions of the Orinoco
1856 firmware support this patch. It says, for some versions of the patch,
1857 "This patch should allow monitor mode with v8.10 firmware (untested w/
1858 8.42);" if you have version 8.10 or later firmware on your Orinoco
1859 cards, you might have to use those patches, with the corresponding
1860 versions of the Orinoco driver, in order to run in monitor mode.
1862 That patch is written for the drivers included with the pcmcia-cs
1863 drivers, but works equally well for the Orinoco drivers provided with
1864 Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,
1865 simply copy the orinoco-09b-patch.diff file to the
1866 /usr/src/linux/drivers/net directory and patch according to the
1867 directions on the Orinoco Monitor Mode Patch Page. You can double-
1868 check the version of the Orinoco drivers that shipped with your kernel
1869 by examining the first few lines of the orinoco.c file.
1871 The Orinoco patches require either Solomon Peachy's patch to libpcap
1872 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that
1873 version of libpcap), or the current CVS version of libpcap, which
1874 includes his patch (download it from the "Current Tar files" section
1875 of the tcpdump.org Web site). If you apply his patches to libpcap
1876 0.7.1 and rebuild and install libpcap, or if you build and install the
1877 current CVS version of libpcap, you would have to rebuild Ethereal
1878 from source, linking it with that new version of libpcap; an Ethereal
1879 binary package would not work. Ethereal binary packages might work if
1880 you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
1881 a libpcap shared library in place of the one on your system.
1883 On other platforms, capturing raw 802.11 packets on Orinoco cards is
1884 not currently supported.
1886 Cards with the Atheros Communications AR5000 or AR5001 chipsets:
1888 You can capture raw 802.11 packets with AR5K cards on Linux systems
1889 with the v5_ar5k drivers. You will need the Linux wireless-tools
1890 version 25 or higher to put the card into monitor mode.
1892 Cards with the Texas Instruments ACX100 chipset:
1894 You can capture raw 802.11 packets with ACX100 cards on Linux systems
1895 with the ACX100 OSS drivers available from the ACX100 wireless network
1896 driver project SourceForge site.
1898 Other 802.11 interfaces:
1900 With other 802.11 interfaces, no platform allows Ethereal to capture
1901 raw 802.11 packets, as far as we know. If you know of other 802.11
1902 interfaces that are supported (note that there are many "Prism II
1903 cards", so your card might be a Prism II card), please let us know,
1904 and include URLs for sites containing any necessary patches to add
1907 On platforms that don't allow Ethereal to capture raw 802.11 packets,
1908 the 802.11 network will appear like an Ethernet to Ethereal.
1910 Q 5.37: I'm trying to capture 802.11 traffic on Windows; why am I not
1913 A: At least some 802.11 card drivers on Windows appear not to see any
1914 packets if they're running in promiscuous mode. Try turning
1915 promiscuous mode off; you'll only be able to see packets sent by and
1916 received by your machine, not third-party traffic, and it'll look like
1917 Ethernet traffic and won't include any management or control frames,
1918 but that's a limitation of the card drivers.
1920 Q 5.38: I'm trying to capture 802.11 traffic on Windows; why am I
1921 seeing packets received by the machine on which I'm capturing traffic,
1922 but not packets sent by that machine?
1924 A: This appears to be another problem with promiscuous mode; try
1927 Q 5.39: How can I capture packets with CRC errors?
1929 A: Ethereal can capture only the packets that the packet capture
1930 library - libpcap on UNIX-flavored OSes, and the WinPcap port to
1931 Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
1932 capture only the packets that the OS's raw packet capture mechanism
1933 (or the WinPcap driver, and the underlying OS networking code and
1934 network interface drivers, on Windows) will allow it to capture.
1936 Unless the OS always supplies packets with errors such as invalid CRCs
1937 to the raw packet capture mechanism, or can be configured to do so,
1938 invalid CRCs to the raw packet capture mechanism, Ethereal - and other
1939 programs that capture raw packets, such as tcpdump - cannot capture
1940 those packets. You will have to determine whether your OS needs to be
1941 so configured and, if so, can be so configured, configure it if
1942 necessary and possible, and make whatever changes to libpcap and the
1943 packet capture program you're using are necessary, if any, to support
1944 capturing those packets.
1946 Most OSes probably do not support capturing packets with invalid CRCs
1947 on Ethernet, and probably do not support it on most other link-layer
1948 types. Some drivers on some OSes do support it, such as some Ethernet
1949 drivers on FreeBSD; in those OSes, you might always get those packets,
1950 or you might only get them if you capture in promiscuous mode (you'd
1951 have to determine which is the case).
1953 Note that libpcap does not currently supply to programs that use it an
1954 indication of whether the packet's CRC was invalid (because the
1955 drivers themselves do not supply that information to the raw packet
1956 capture mechanism); therefore, Ethereal will not indicate which
1957 packets had CRC errors unless the FCS was captured (see the next
1958 question) and you're using Ethereal 0.9.15 and later, in which case
1959 Ethereal will check the CRC and indicate whether it's correct or not.
1961 Q 5.40: How can I capture entire frames, including the FCS?
1963 A: Ethereal can only capture data that the packet capture library -
1964 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
1965 libpcap on Windows - can capture, and libpcap/WinPcap can capture only
1966 the data that the OS's raw packet capture mechanism (or the WinPcap
1967 driver, and the underlying OS networking code and network interface
1968 drivers, on Windows) will allow it to capture.
1970 For any particular link-layer network type, unless the OS supplies the
1971 FCS of a frame as part of the frame, or can be configured to do so,
1972 Ethereal - and other programs that capture raw packets, such as
1973 tcpdump - cannot capture the FCS of a frame. You will have to
1974 determine whether your OS needs to be so configured and, if so, can be
1975 so configured, configure it if necessary and possible, and make
1976 whatever changes to libpcap and the packet capture program you're
1977 using are necessary, if any, to support capturing the FCS of a frame.
1979 Most OSes do not support capturing the FCS of a frame on Ethernet, and
1980 probably do not support it on most other link-layer types. Some
1981 drivres on some OSes do support it, such as some (all?) Ethernet
1982 drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet
1983 interface in Mac OS X; in those OSes, you might always get the FCS, or
1984 you might only get the FCS if you capture in promiscuous mode (you'd
1985 have to determine which is the case).
1987 Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in
1988 a captured packet as an FCS. 0.9.15 and later will attempt to
1989 determine whether there's an FCS at the end of the frame and, if it
1990 thinks there is, will display it as such, and will check whether it's
1991 the correct CRC-32 value or not.
1993 Q 5.41: Ethereal hangs after I stop a capture.
1995 A: The most likely reason for this is that Ethereal is trying to look
1996 up an IP address in the capture to convert it to a name (so that, for
1997 example, it can display the name in the source address or destination
1998 address columns), and that lookup process is taking a very long time.
2000 Ethereal calls a routine in the OS of the machine on which it's
2001 running to convert of IP addresses to the corresponding names. That
2002 routine probably does one or more of:
2003 * a search of a system file listing IP addresses and names;
2004 * a lookup using DNS;
2005 * on UNIX systems, a lookup using NIS;
2006 * on Windows systems, a NetBIOS-over-TCP query.
2008 If a DNS server that's used in an address lookup is not responding,
2009 the lookup will fail, but will only fail after a timeout while the
2010 system routine waits for a reply.
2012 In addition, on Windows systems, if the DNS lookup of the address
2013 fails, either because the server isn't responding or because there are
2014 no records in the DNS that could be used to map the address to a name,
2015 a NetBIOS-over-TCP query will be made. That query involves sending a
2016 message to the NetBIOS-over-TCP name service on that machine, asking
2017 for the name and other information about the machine. If the machine
2018 isn't running software that responds to those queries - for example,
2019 many non-Windows machines wouldn't be running that software - the
2020 lookup will only fail after a timeout. Those timeouts can cause the
2021 lookup to take a long time.
2023 If you disable network address-to-name translation - for example, by
2024 turning off the "Enable network name resolution" option in the "Name
2025 resolution" options in the dialog box you get by selecting
2026 "Preferences" from the "Edit" menu - the lookups of the address won't
2027 be done, which may speed up the process of reading the capture file
2028 after the capture is stopped. You can make that setting the default by
2029 using the "Save" button in that dialog box; note that this will save
2030 all your current preference settings.
2032 If Ethereal hangs when reading a capture even with network name
2033 resolution turned off, there might, for example, be a bug in one of
2034 Ethereal's dissectors for a protocol causing it to loop infinitely.
2035 The bug should be reported to the Ethereal developers' mailing list at
2036 ethereal-dev@ethereal.com.
2038 On UNIX-flavored OSes, please try to force Ethereal to dump core, by
2039 sending it a SIGABRT signal (usually signal 6) with the kill command,
2040 and then get a stack trace if you have a debugger installed. A stack
2041 trace can be obtained by using your debugger (gdb in this example),
2042 the Ethereal binary, and the resulting core file. Here's an example of
2043 how to use the gdb command backtrace to do so.
2046 ..... prints the stack trace
2050 The core dump file may be named "ethereal.core" rather than "core" on
2051 some platforms (e.g., BSD systems)
2053 Also, if at all possible, please send a copy of the capture file that
2054 caused the problem; when capturing packets, Ethereal normally writes
2055 captured packets to a temporary file, which will probably be in /tmp
2056 or /var/tmp on UNIX-flavored OSes and \TEMP on Windows, so the capture
2057 file will probably be there. It will have a name beginning with ether,
2058 with some mixture of letters and numbers after that. Please don't send
2059 a trace file greater than 1 MB when compressed. If the trace file
2060 contains sensitive information (e.g., passwords), then please do not
2063 Q 5.42: How can I search for, or filter, packets that have a
2064 particular string anywhere in them?
2066 A: If you want to do this when capturing, you can't. That's a feature
2067 that would be hard to implement in capture filters without changes to
2068 the capture filter code, which, on many platforms, is in the OS kernel
2069 and, on other platforms, is in the libpcap library.
2071 In releases prior to 0.9.14, you also can't search for, or filter,
2072 packets containing a particular string even after you've captured
2075 In 0.9.14, you can search for, but not filter, packets that have a
2076 particular string; this has been added to the "Find Frame" dialog
2077 ("Find Frame" under the "Edit" menu, or control-F).
2079 In 0.9.15 and later, you can search for those packets using either the
2080 mechanism introduced in 0.9.14 or using the new "contains" operator in
2081 filter expressions, which lets you search the entire packet or text
2082 string or byte string fields in the packet; the "contains" operator
2083 can also be used in expressions used to filter the display.
2085 Please send support questions about Ethereal to the
2086 ethereal-users[AT]ethereal.com mailing list.
2087 For corrections/additions/suggestions for this web page (and not
2088 Ethereal support questions), please send email to
2089 ethereal-web[AT]ethereal.com .
2090 Last modified: Mon, April 26 2004.