4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.ethereal.com/faq.html for the up
6 to date version. The version of this snapshot can be found at
7 the end of this document.
14 1.1 Where can I get help?
16 1.2 What protocols are currently supported?
18 1.3 Are there any plans to support {your favorite protocol}?
20 1.4 Can Ethereal read capture files from {your favorite network
23 1.5 What devices can Ethereal use to capture packets?
25 1.6 How do you pronounce Ethereal? Where did the name come from?
29 2.1 I downloaded the Win32 installer, but when I try to run it, I get
32 2.2 When I try to download the WinPcap driver and library, I can't get
33 to the WinPcap Web site.
37 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be
38 installed; only Tethereal is installed.
42 4.1 The configure script can't find pcap.h or bpf.h, but I have
45 4.2 Why do I get the error
47 dftest_DEPENDENCIES was already defined in condition TRUE, which
48 implies condition HAVE_PLUGINS_TRUE
50 when I try to build Ethereal from SVN or a SVN snapshot?
52 4.3 The link fails with a number of "Output line too long." messages
53 followed by linker errors.
55 4.4 The link fails on Solaris because plugin_list is undefined.
57 4.5 The build fails on Windows because of conflicts between winsock.h
62 5.1 When I use Ethereal to capture packets, I see only packets to and
63 from my machine, or I'm not seeing all the traffic I'm expecting to
64 see from or to the machine I'm trying to monitor.
66 5.2 I can't see any TCP packets other than packets to and from my
67 machine, even though another analyzer on the network sees those
70 5.3 I'm only seeing ARP packets when I try to capture traffic.
72 5.4 I'm running Ethereal on Windows; why does some network interface
73 on my machine not show up in the list of interfaces in the
74 "Interface:" field in the dialog box popped up by "Capture->Start",
75 and/or why does Ethereal give me an error if I try to capture on that
78 5.5 I'm running Ethereal on Windows; why do no network interfaces show
79 up in the list of interfaces in the "Interface:" field in the dialog
80 box popped up by "Capture->Start"?
82 5.6 I'm running Ethereal on Windows; why doesn't my serial port/ADSL
83 modem/ISDN modem/show up in the list of interfaces in the "Interface:"
84 field in the dialog box popped up by "Capture->Start"?
86 5.7 I'm running Ethereal on a UNIX-flavored OS; why does some network
87 interface on my machine not show up in the list of interfaces in the
88 "Interface:" field in the dialog box popped up by "Capture->Start",
89 and/or why does Ethereal give me an error if I try to capture on that
92 5.8 I'm running Ethereal on a UNIX-flavored OS; why do no network
93 interfaces show up in the list of interfaces in the "Interface:" field
94 in the dialog box popped up by "Capture->Start"?
96 5.9 Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
98 5.10 How do I put an interface into promiscuous mode?
100 5.11 I can set a display filter just fine, but capture filters don't
103 5.12 I'm entering valid capture filters, but I still get "parse error"
106 5.13 I saved a filter and tried to use its name to filter the display,
107 but I got an "Unexpected end of filter string" error.
109 5.14 Why am I seeing lots of packets with incorrect TCP checksums?
111 5.15 I've just installed Ethereal, and the traffic on my local LAN is
114 5.16 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
117 5.17 When I run Ethereal, I get an error
119 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
120 assertion `height > 0' failed.
122 5.18 When I run Tethereal with the "-x" option, it crashes with an
125 "** ERROR **: file print.c: line 691 (print_line): should not be
128 5.19 When I run Ethereal on Windows NT, it dies with a Dr. Watson
129 error, reporting an "Integer division by zero" exception, when I start
132 5.20 When I try to run Ethereal, it complains about
133 sprint_realloc_objid being undefined.
135 5.21 I'm running Ethereal on Linux; why do my time stamps have only
136 100ms resolution, rather than 1us resolution?
138 5.22 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
139 why are the time stamps on packets wrong?
141 5.23 When I try to run Ethereal on Windows, it fails to run because it
142 can't find packet.dll.
144 5.24 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
145 a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
146 "Interface" item in the "Capture Options" dialog box. Why can no
147 packets be sent on or received from that network while I'm trying to
148 capture traffic on that interface?
150 5.25 I'm running Ethereal on Windows 95/98/Me, on a machine with more
151 than one network adapter of the same type; Ethereal shows all of those
152 adapters with the same name, but I can't use any of those adapters
153 other than the first one.
155 5.26 I'm running Ethereal on Windows, and I'm not seeing any traffic
156 being sent by the machine running Ethereal.
158 5.27 I'm trying to capture traffic but I'm not seeing any.
160 5.28 I have an XXX network card on my machine; if I try to capture on
161 it, my machine crashes or resets itself.
163 5.29 My machine crashes or resets itself when I select "Start" from
164 the "Capture" menu or select "Preferences" from the "Edit" menu.
166 5.30 Does Ethereal work on Windows Me?
168 5.31 Does Ethereal work on Windows XP?
170 5.32 Why doesn't Ethereal correctly identify RTP packets? It shows
173 5.33 Why doesn't Ethereal show Yahoo Messenger packets in captures
174 that contain Yahoo Messenger traffic?
176 5.34 Why do I get the error
178 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
182 when I try to run Ethereal on Windows?
184 5.35 When I capture on Windows in promiscuous mode, I can see packets
185 other than those sent to or from my machine; however, those packets
186 show up with a "Short Frame" indication, unlike packets to or from my
187 machine. What should I do to arrange that I see those packets in their
190 5.36 I'm capturing packets on a machine on a VLAN; why don't the
191 packets I'm capturing have VLAN tags?
193 5.37 How can I capture raw 802.11 packets, including non-data
194 (management, beacon) packets?
196 5.38 How do I capture on an 802.11 device in monitor mode on Linux?
198 5.39 How do I capture on an 802.11 device in monitor mode on FreeBSD?
200 5.40 How do I capture on an 802.11 device in monitor mode on NetBSD?
202 5.41 I'm trying to capture 802.11 traffic on Windows; why am I not
205 5.42 I'm trying to capture 802.11 traffic on Windows; why am I seeing
206 packets received by the machine on which I'm capturing traffic, but
207 not packets sent by that machine?
209 5.43 How can I capture packets with CRC errors?
211 5.44 How can I capture entire frames, including the FCS?
213 5.45 Ethereal hangs after I stop a capture.
215 5.46 How can I search for, or filter, packets that have a particular
216 string anywhere in them?
220 Q 1.1: Where can I get help?
222 A: Support is available on the ethereal-users mailing list.
223 Subscription information and archives for all of Ethereal's mailing
224 lists can be found at http://www.ethereal.com/lists
226 Q 1.2: What protocols are currently supported?
228 A: There are currently 518 supported protocols and media, listed
229 below. Descriptions can be found in the ethereal(1) man page.
233 802.1x Authentication
234 AAL type 2 signalling protocol - Capability set 1 (Q.2630.1)
235 AFS (4.0) Replication Server call declarations
238 AIM Buddylist Service
244 AIM Invitation Service
249 AIM Privacy Management Service
257 ANSI IS-637-A (SMS) Teleservice Layer
258 ANSI IS-637-A (SMS) Transport Layer
259 ANSI IS-683-A (OTA (Mobile))
260 ANSI IS-801 (Location Services (PLD))
261 ANSI Mobile Application Part
262 AOL Instant Messenger
269 AVS WLAN Capture header
270 Ad hoc On-demand Distance Vector Routing Protocol
271 Address Resolution Protocol
272 Aggregate Server Access Protocol
274 Alteon - Transparent Proxy Cache Protocol
275 Andrew File System (AFS)
276 Apache JServ Protocol v1.3
277 Apple IP-over-IEEE 1394
278 AppleTalk Filing Protocol
279 AppleTalk Session Protocol
280 AppleTalk Transaction Protocol packet
281 Appletalk Address Resolution Protocol
282 Application Configuration Access Protocol
283 Async data over ISDN (V.120)
284 Authentication Header
285 BACnet Virtual Link Control
291 Banyan Vines Fragmentation Protocol
298 Basic Encoding Rules (ASN.1 X.690)
299 Bearer Independent Call Control
300 Bi-directional Fault Detection Control Message
301 Blocks Extensible Exchange Protocol
305 Border Gateway Protocol
306 Building Automation and Control Network APDU
307 Building Automation and Control Network NPDU
309 CDS Clerk Server Calls
310 Cast Client Control Protocol
311 Check Point High Availability Protocol
314 Cisco Discovery Protocol
315 Cisco Group Management Protocol
317 Cisco Hot Standby Router Protocol
319 Cisco Interior Gateway Routing Protocol
323 CoSine IPNOS L2 debug output
324 Common Open Policy Service
325 Common Unix Printing System (CUPS) Browsing Protocol
327 Connectionless Lightweight Directory Access Protocol
328 Cross Point Frame Injector
329 DCE Distributed Time Service Local Server
330 DCE Distributed Time Service Provider
333 DCE Security ID Mapper
337 DCE/RPC CDS Solicitation
338 DCE/RPC Conversation Manager
339 DCE/RPC Directory Acl Interface
340 DCE/RPC Endpoint Mapper
341 DCE/RPC Endpoint Mapper4
343 DCE/RPC FLDB UBIK TRANSFER
344 DCE/RPC FLDB UBIKVOTE
347 DCE/RPC NCS 1.5.1 Local Location Broker
348 DCE/RPC Operations between registry server replicas
355 DCE/RPC Registry Password Management
356 DCE/RPC Registry Server Attributes Schema
357 DCE/RPC Registry server propagation interface - ACLs.
358 DCE/RPC Registry server propagation interface - PGO items
359 DCE/RPC Registry server propagation interface - properties and poli
361 DCE/RPC Remote Management
362 DCE/RPC Repserver Calls
363 DCE/RPC TokenServer Calls
366 DCOM Remote Activation
367 DEC Spanning Tree Protocol
371 DNS Control Program Server
374 Data Stream Interface
375 Datagram Delivery Protocol
377 Distance Vector Multicast Routing Protocol
378 Distcc Distributed Compiler
379 Distributed Checksum Clearinghouse Protocol
380 Distributed Network Protocol 3.0
382 Dynamic DNS Tools Protocol
384 Encapsulating Security Payload
385 Endpoint Name Resolution Protocol
386 Enhanced Interior Gateway Routing Protocol
387 EtherNet/IP (Industrial Protocol)
390 Extensible Authentication Protocol
392 FC Fabric Configuration Server
396 Fiber Distributed Data Interface
398 Fibre Channel Common Transport
399 Fibre Channel Fabric Zone Server
400 Fibre Channel Name Server
401 Fibre Channel Protocol for SCSI
403 Fibre Channel Security Protocol
404 Fibre Channel Single Byte Command
405 File Transfer Protocol (FTP)
406 Financial Information eXchange Protocol
409 GARP Multicast Registration Protocol
410 GARP VLAN Registration Protocol
412 GPRS Tunneling Protocol
416 GSM Mobile Application Part
417 GSM SMS TPDU (GSM 03.40)
418 GSM Short Message Service User Data
419 General Inter-ORB Protocol
420 Generic Routing Encapsulation
421 Generic Security Service Application Program Interface
424 H235-SECURITY-MESSAGES
427 HP Extended Local-Link Control
428 HP Remote Maintenance Protocol
429 Hummingbird NFS Daemon
431 Hypertext Transfer Protocol
433 IEEE 802.11 Radiotap Capture header
434 IEEE 802.11 wireless LAN
435 IEEE 802.11 wireless LAN management frame
437 IP Device Control (SS7 over IP)
439 IP Payload Compression
440 IP Virtual Services Sync Daemon
442 IPX Routing Information Protocol
445 ISDN Q.921-User Adaptation Layer
447 ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
448 ISO 8073 COTP Connection-Oriented Transport Protocol
449 ISO 8327-1 OSI Session Protocol
450 ISO 8473 CLNP ConnectionLess Network Protocol
451 ISO 8602 CLTP ConnectionLess Transport Protocol
452 ISO 8823 OSI Presentation Protocol
453 ISO 9542 ESIS Routeing Information Exchange Protocol
455 ITU-T Recommendation H.261
456 ITU-T Recommendation H.263 RTP Payload header (RFC2190)
459 Intelligent Platform Management Interface
460 Inter-Access-Point Protocol
461 Inter-Asterisk eXchange v2
462 InterSwitch Message Protocol
464 Internet Cache Protocol
465 Internet Content Adaptation Protocol
466 Internet Control Message Protocol
467 Internet Control Message Protocol v6
468 Internet Group Management Protocol
469 Internet Group membership Authentication Protocol
470 Internet Message Access Protocol
471 Internet Printing Protocol
473 Internet Protocol Version 6
475 Internet Security Association and Key Management Protocol
476 Internetwork Packet eXchange
477 JPEG File Interchange Format
482 Kerberos Administration
485 LWAPP Encapsulated Packet
487 Label Distribution Protocol
489 Layer 2 Tunneling Protocol
490 Lightweight Directory Access Protocol
491 Line Printer Daemon Protocol
493 Link Access Procedure Balanced (LAPB)
494 Link Access Procedure Balanced Ethernet (LAPBETHER)
495 Link Access Procedure, Channel D (LAPD)
496 Link Aggregation Control Protocol
497 Link Management Protocol (LMP)
498 Linux cooked-mode capture
499 Local Management Interface
500 LocalTalk Link Access Protocol
501 Logical Link Control GPRS
503 Lucent/Ascend debug output
505 MIME Multipart Media Encapsulation
506 MMS Message Encapsulation
509 MSN Messenger Service
510 MSNIP: Multicast Source Notification of Interest Protocol
511 MTP 2 Transparent Proxy
512 MTP 2 User Adaptation Layer
513 MTP 3 User Adaptation Layer
514 MTP2 Peer Adaptation Layer
516 Media Type: message/http
517 Message Transfer Part Level 2
518 Message Transfer Part Level 3
519 Message Transfer Part Level 3 Management
520 Microsoft Directory Replication Service
521 Microsoft Distributed File System
522 Microsoft Distributed Link Tracking Server Service
523 Microsoft Encrypted File System Service
524 Microsoft Exchange MAPI
525 Microsoft Local Security Architecture
526 Microsoft Local Security Architecture (Directory Services)
527 Microsoft Messenger Service
528 Microsoft Network Logon
530 Microsoft Security Account Manager
531 Microsoft Server Service
532 Microsoft Service Control
533 Microsoft Spool Subsystem
534 Microsoft Task Scheduler Service
535 Microsoft Telephony API Service
536 Microsoft Windows Browser Protocol
537 Microsoft Windows Lanman Remote API Protocol
538 Microsoft Windows Logon Protocol
539 Microsoft Workstation Service
544 MultiProtocol Label Switching Header
545 Multicast Router DISCovery protocol
546 Multicast Source Discovery Protocol
547 Multiprotocol Label Switching Echo
554 NTLM Secure Service Provider
555 Name Binding Protocol
556 Name Management Protocol over IPX
558 NetBIOS Datagram Service
560 NetBIOS Session Service
562 NetWare Core Protocol
563 NetWare Link Services Protocol
564 NetWare Serialization Protocol
565 Network Data Management Protocol
567 Network Lock Manager Protocol
568 Network News Transfer Protocol
569 Network Status Monitor CallBack Protocol
570 Network Status Monitor Protocol
571 Network Time Protocol
573 Novell Distributed Print System
574 Novell Modular Authentication Service
576 OSI ISO 8571 FTAM Protocol
577 OSI ISO/IEC 10035-1 ACSE Protocol
578 Open Shortest Path First
579 OpenBSD Encapsulating device
580 OpenBSD Packet Filter log file
581 OpenBSD Packet Filter log file, pre 3.4
582 Optimized Link State Routing Protocol
585 PPP Bandwidth Allocation Control Protocol
586 PPP Bandwidth Allocation Protocol
587 PPP CDP Control Protocol
588 PPP Callback Control Protocol
589 PPP Challenge Handshake Authentication Protocol
590 PPP Compressed Datagram
591 PPP Compression Control Protocol
592 PPP IP Control Protocol
593 PPP IPv6 Control Protocol
594 PPP Link Control Protocol
595 PPP MPLS Control Protocol
596 PPP Multilink Protocol
598 PPP OSI Control Protocol
599 PPP Password Authentication Protocol
601 PPP-over-Ethernet Discovery
602 PPP-over-Ethernet Session
603 PPPMux Control Protocol
604 Packed Encoding Rules (ASN.1 X.691)
606 Point-to-Point Protocol
607 Point-to-Point Tunnelling Protocol
610 Pragmatic General Multicast
611 Precision Time Protocol (IEEE1588)
613 Privilege Server operations
614 Protocol Independent Multicast
618 Quake II Network Protocol
619 Quake III Arena Network Protocol
620 Quake Network Protocol
621 QuakeWorld Network Protocol
622 Qualified Logical Link Control
627 RS Interface properties
629 RSYNC File Synchroniser
631 Radio Access Network Application Part
634 Real Time Streaming Protocol
635 Real-Time Publish-Subscribe Wire Protocol
636 Real-Time Transport Protocol
637 Real-time Transport Control Protocol
638 Registry Server Attributes Manipulation Interface
639 Registry server administration operations.
640 Remote Management Control Protocol
641 Remote Override interface
642 Remote Procedure Call
648 Remote sec_login preauth interface.
649 Resource ReserVation Protocol (RSVP)
651 Routing Information Protocol
652 Routing Table Maintenance Protocol
655 SEBEK - Kernel Data Capture
657 SMB (Server Message Block Protocol)
658 SMB MailSlot Protocol
661 SNMP Multiplex Protocol
664 SS7 SCCP-User Adaptation Layer
668 Sequenced Packet eXchange
669 Service Advertisement Protocol
670 Service Location Protocol
671 Session Announcement Protocol
672 Session Description Protocol
673 Session Initiation Protocol
674 Session Initiation Protocol (SIP as raw text)
675 Short Message Peer to Peer
676 Signaling Compression
677 Signalling Connection Control Part
678 Signalling Connection Control Part Management
679 Simple Mail Transfer Protocol
680 Simple Network Management Protocol
681 Simple Traversal of UDP Through NAT
684 Skinny Client Control Protocol
685 SliMP3 Communication Protocol
688 Spanning Tree Protocol
690 Stream Control Transmission Protocol
691 Subnetwork Dependent Convergence Protocol
692 Symantec Enterprise Firewall
693 Synchronous Data Link Control (SDLC)
695 Systems Network Architecture
696 Systems Network Architecture XID
700 TEI Management Procedure, Channel D (LAPD)
701 TEREDO Tunneling IPv6 over UDP through NATs
704 Tazmen Sniffer Protocol
707 Time Synchronization Protocol
709 Token-Ring Media Access Control
710 Transaction Capabilities Application Part
711 Transmission Control Protocol
712 Transparent Network Substrate Protocol
713 Trivial File Transfer Protocol
714 UDP Encapsulation of IPsec Packets
715 Universal Computer Protocol
716 User Datagram Protocol
717 Virtual Router Redundancy Protocol
718 Virtual Trunking Protocol
720 WAP Session Initiation Request
721 Web Cache Coordination Protocol
723 WebSphere MQ Programmable Command Formats
724 Wellfleet Breath of Life
725 Wellfleet Compression
729 Wireless Session Protocol
730 Wireless Transaction Protocol
731 Wireless Transport Layer Security
732 X Display Manager Control Protocol
738 Yahoo Messenger Protocol
739 Yahoo YMSG Messenger Protocol
743 Yellow Pages Transfer
745 Zone Information Protocol
747 giFT Internet File Transfer
751 Q 1.3: Are there any plans to support {your favorite protocol}?
753 A: Support for particular protocols is added to Ethereal as a result
754 of people contributing that support; no formal plans for adding
755 support for particular protocols in particular future releases exist.
757 Q 1.4: Can Ethereal read capture files from {your favorite network
760 A: Support for particular protocols is added to Ethereal as a result
761 of people contributing that support; no formal plans for adding
762 support for particular protocols in particular future releases exist.
764 If a network analyzer writes out files in a format already supported
765 by Ethereal (e.g., in libpcap format), Ethereal may already be able to
766 read them, unless the analyzer has added its own proprietary
767 extensions to that format.
769 If a network analyzer writes out files in its own format, or has added
770 proprietary extensions to another format, in order to make Ethereal
771 read captures from that network analyzer, we would either have to have
772 a specification for the file format, or the extensions, sufficient to
773 give us enough information to read the parts of the file relevant to
774 Ethereal, or would need at least one capture file in that format AND a
775 detailed textual analysis of the packets in that capture file (showing
776 packet time stamps, packet lengths, and the top-level packet header)
777 in order to reverse-engineer the file format.
779 Note that there is no guarantee that we will be able to
780 reverse-engineer a capture file format.
782 Q 1.5: What devices can Ethereal use to capture packets?
784 A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial
785 (PPP and SLIP) (if the OS on which it's running allows Ethereal to do
786 so), 802.11 wireless LAN (if the OS on which it's running allows
787 Ethereal to do so), ATM connections (if the OS on which it's running
788 allows Ethereal to do so), and the "any" device supported on Linux by
789 recent versions of libpcap. See the list of supported capture media on
790 various OSes for details (several items in there say "Unknown", which
791 doesn't mean "Ethereal can't capture on them", it means "we don't know
792 whether it can capture on them"; we expect that it will be able to
793 capture on many of them, but we haven't tried it ourselves - if you
794 try one of those types and it works, please send an update to
797 It can also read a variety of capture file formats, including:
800 * Shomiti/Finisar Surveyor
802 * DOS-based Sniffer (compressed and uncompressed)
805 * NetXray and Windows-based Sniffer
806 * EtherPeek/TokenPeek/AiroPeek
807 * RADCOM WAN/LAN analyzer
808 * Lucent/Ascend debug output
809 * Toshiba ISDN router "snoop" output
811 * ISDN4BSD "i4btrace" utility.
813 * pppd log files (pppdump format)
816 * Visual Networks' Visual UpTime
819 so that it can read traces from various network types, as captured by
820 other applications or equipment, even if it cannot itself capture on
823 Q 1.6: How do you pronounce Ethereal? Where did the name come from?
825 A: The English pronunciation can be found in Merriam-Webster's online
827 http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.
829 According to the book "Computer Networks" by Andrew Tannenbaum,
830 Ethernet was named after the "luminiferous ether" which was once
831 thought to carry electromagnetic radiation. Taking that into
832 consideration, Ethereal seemed like an appropriate name for something
833 that started out as an Ethernet analyzer.
837 Q 2.1: I downloaded the Win32 installer, but when I try to run it, I
840 A: The program you used to download it may have downloaded it
841 incorrectly. Web browsers sometimes may do this.
843 Try downloading it with, for example:
844 * Wget, for which Windows binaries are available on the SunSITE FTP
845 server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
846 offers a GUI interface that uses wget;
847 * WS_FTP from Ipswitch,
848 * the ftp command that comes with Windows.
850 If you use the ftp command, make sure you do the transfer in binary
851 mode rather than ASCII mode, by using the binary command before
852 transferring the file.
854 Q 2.2: When I try to download the WinPcap driver and library, I can't
855 get to the WinPcap Web site.
857 A: As is the case with all Web sites, that site won't necessarily
858 always be accessible; the server may be down due to a problem or down
859 for maintenance, or there may be a networking problem between you and
860 the server. You should try again later, or try the local mirror or the
861 Wiretapped.net mirror.
865 Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
866 installed; only Tethereal is installed.
868 A: Older versions of the Red Hat RPMs for Ethereal put only the
869 non-GUI components into the ethereal RPM, the fact that Ethereal is a
870 GUI program nonwithstanding; newer versions make it a bit clearer by
871 giving that RPM a name starting with ethereal-base.
873 In those older versions, there's a separate ethereal-gnome RPM that
874 includes GUI components such as Ethereal itself, the fact that
875 Ethereal doesn't use GNOME nonwithstanding; newer versions make it a
876 bit clearer by giving that RPM a name starting with ethereal-gtk+.
878 Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.
882 Q 4.1: The configure script can't find pcap.h or bpf.h, but I have
885 A: Are you sure pcap.h and bpf.h are installed? The official
886 distribution of libpcap only installs the libpcap.a library file when
887 "make install" is run. To install pcap.h and bpf.h, you must run "make
888 install-incl". If you're running Debian or Redhat, make sure you have
889 the "libpcap-dev" or "libpcap-devel" packages installed.
891 It's also possible that pcap.h and bpf.h have been installed in a
892 strange location. If this is the case, you may have to tweak
895 Q 4.2: Why do I get the error
897 dftest_DEPENDENCIES was already defined in condition TRUE, which
898 implies condition HAVE_PLUGINS_TRUE
900 when I try to build Ethereal from SVN or a SVN snapshot?
902 A: You probably have automake 1.5 installed on your machine (the
903 command automake --version will report the version of automake on your
904 machine). There is a bug in that version of automake that causes this
905 problem; upgrade to a later version of automake (1.6 or later).
907 Q 4.3: The link fails with a number of "Output line too long."
908 messages followed by linker errors.
910 A: The version of the sed command on your system is incapable of
911 handling very long lines. On Solaris, for example, /usr/bin/sed has a
912 line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
913 can handle it, as can GNU sed if you have it installed.
915 On Solaris, changing your command search path to search /usr/xpg4/bin
916 before /usr/bin should make the problem go away; on any platform on
917 which you have this problem, installing GNU sed and changing your
918 command path to search the directory in which it is installed before
919 searching the directory with the version of sed that came with the OS
920 should make the problem go away.
922 Q 4.4: The link fails on Solaris because plugin_list is undefined.
924 A: This appears to be due to a problem with some versions of the GTK+
925 and GLib packages from www.sunfreeware.org; un-install those packages,
926 and try getting the 1.2.10 versions from that site, or the versions
927 from The Written Word, or the versions from Sun's GNOME distribution,
928 or the versions from the supplemental software CD that comes with the
929 Solaris media kit, or build them from source from the GTK Web site.
930 Then re-run the configuration script, and try rebuilding Ethereal. (If
931 you get the 1.2.10 versions from www.sunfreeware.org, and the problem
932 persists, un-install them and try installing one of the other versions
935 Q 4.5: The build fails on Windows because of conflicts between
936 winsock.h and winsock2.h.
938 A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and
939 the corresponding version of the developer's pack, in order to be able
940 to compile Ethereal; it will not compile with older versions of the
941 developer's pack. The symptoms of this failure are conflicts between
942 definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h,
943 but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
944 (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would
945 not be able to build with current versions of the WinPcap developer's
948 Note that the installed version of the developer's pack should be the
949 same version as the version of WinPcap you have installed.
953 Q 5.1: When I use Ethereal to capture packets, I see only packets to
954 and from my machine, or I'm not seeing all the traffic I'm expecting
955 to see from or to the machine I'm trying to monitor.
957 A: This might be because the interface on which you're capturing is
958 plugged into a switch; on a switched network, unicast traffic between
959 two ports will not necessarily appear on other ports - only broadcast
960 and multicast traffic will be sent to all ports.
962 Note that even if your machine is plugged into a hub, the "hub" may be
963 a switched hub, in which case you're still on a switched network.
965 Note also that on the Linksys Web site, they say that their
966 auto-sensing hubs "broadcast the 10Mb packets to the port that operate
967 at 10Mb only and broadcast the 100Mb packets to the ports that operate
968 at 100Mb only", which would indicate that if you sniff on a 10Mb port,
969 you will not see traffic coming sent to a 100Mb port, and vice versa.
970 This problem has also been reported for Netgear dual-speed hubs, and
971 may exist for other "auto-sensing" or "dual-speed" hubs.
973 Some switches have the ability to replicate all traffic on all ports
974 to a single port so that you can plug your analyzer into that single
975 port to sniff all traffic. You would have to check the documentation
976 for the switch to see if this is possible and, if so, to see how to do
977 this. See, for example:
978 * this documentation from Cisco on the Switched Port Analyzer (SPAN)
979 feature on Catalyst switches;
980 * documentation from HP on how to set "monitoring"/"mirroring" on
981 ports on the console for HP Advancestack Switch 208 and 224;
982 * the "Network Monitoring Port Features" section of chapter 6 of
983 documentation from HP for HP ProCurve Switches 1600M, 2424M,
985 * the "Switch Port-Mirroring" section of chapter 6 of documentation
986 from Extreme Networks for their Summit 200 switches;
987 * the documentation on "Configuring Port Mirroring and Monitoring"
988 in Foundry Networks' documentation for their FastIron Edge
990 * the documentation on "Configuring Port Mirroring and Monitoring"
991 in Foundry Networks' documentation for their BigIron MG8 Layer 3
993 * the "Port Monitor" subsection of the "Status Monitor and
994 Statistics" section of the documentation from Foundry Networks for
995 their EdgeIron 4802F and 10GC2F switches;
996 * the "Configuring Port Mirroring" section of chapter 3 of the
997 documentation from Foundry Networks for their EdgeIron 24G,
998 2402CF, and 4802CF switches;
999 * the documentation on "Configuring Port Mirroring and Monitoring"
1000 in Foundry Networks' documentation for their other switches and
1003 Note also that many firewall/NAT boxes have a switch built into them;
1004 this includes many of the "cable/DSL router" boxes. If you have a box
1005 of that sort, that has a switch with some number of Ethernet ports
1006 into which you plug machines on your network, and another Ethernet
1007 port used to connect to a cable or DSL modem, you can, at least, sniff
1008 traffic between the machines on your network and the Internet by
1009 plugging the Ethernet port on the router going to the modem, the
1010 Ethernet port on the modem, and the machine on which you're running
1011 Ethereal into a hub (make sure it's not a switching hub, and that, if
1012 it's a dual-speed hub, all three of those ports are running at the
1015 If your machine is not plugged into a switched network or a dual-speed
1016 hub, or it is plugged into a switched network but the port is set up
1017 to have all traffic replicated to it, the problem might be that the
1018 network interface on which you're capturing doesn't support
1019 "promiscuous" mode, or because your OS can't put the interface into
1020 promiscuous mode. Normally, network interfaces supply to the host
1022 * packets sent to one of that host's link-layer addresses;
1023 * broadcast packets;
1024 * multicast packets sent to a multicast address that the host has
1025 configured the interface to accept.
1027 Most network interfaces can also be put in "promiscuous" mode, in
1028 which they supply to the host all network packets they see. Ethereal
1029 will try to put the interface on which it's capturing into promiscuous
1030 mode unless the "Capture packets in promiscuous mode" option is turned
1031 off in the "Capture Options" dialog box, and Tethereal will try to put
1032 the interface on which it's capturing into promiscuous mode unless the
1033 -p option was specified. However, some network interfaces don't
1034 support promiscuous mode, and some OSes might not allow interfaces to
1035 be put into promiscuous mode.
1037 If the interface is not running in promiscuous mode, it won't see any
1038 traffic that isn't intended to be seen by your machine. It will see
1039 broadcast packets, and multicast packets sent to a multicast MAC
1040 address the interface is set up to receive.
1042 You should ask the vendor of your network interface whether it
1043 supports promiscuous mode. If it does, you should ask whoever supplied
1044 the driver for the interface (the vendor, or the supplier of the OS
1045 you're running on your machine) whether it supports promiscuous mode
1046 with that network interface.
1048 In the case of token ring interfaces, the drivers for some of them, on
1049 Windows, may require you to enable promiscuous mode in order to
1050 capture in promiscuous mode. Ask the vendor of the card how to do
1051 this, or see, for example, this information on promiscuous mode on
1052 some Madge token ring adapters (note that those cards can have
1053 promiscuous mode disabled permanently, in which case you can't enable
1056 In the case of wireless LAN interfaces, it appears that, when those
1057 interfaces are promiscuously sniffing, they're running in a
1058 significantly different mode from the mode that they run in when
1059 they're just acting as network interfaces (to the extent that it would
1060 be a significant effor for those drivers to support for promiscuously
1061 sniffing and acting as regular network interfaces at the same time),
1062 so it may be that Windows drivers for those interfaces don't support
1065 Q 5.2: I can't see any TCP packets other than packets to and from my
1066 machine, even though another analyzer on the network sees those
1069 A: You're probably not seeing any packets other than unicast packets
1070 to or from your machine, and broadcast and multicast packets; a switch
1071 will normally send to a port only unicast traffic sent to the MAC
1072 address for the interface on that port, and broadcast and multicast
1073 traffic - it won't send to that port unicast traffic sent to a MAC
1074 address for some other interface - and a network interface not in
1075 promiscuous mode will receive only unicast traffic sent to the MAC
1076 address for that interface, broadcast traffic, and multicast traffic
1077 sent to a multicast MAC address the interface is set up to receive.
1079 TCP doesn't use broadcast or multicast, so you will only see your own
1080 TCP traffic, but UDP services may use broadcast or multicast so you'll
1081 see some UDP traffic - however, this is not a problem with TCP
1082 traffic, it's a problem with unicast traffic, as you also won't see
1083 all UDP traffic between other machines.
1085 I.e., this is probably the same question as this earlier one; see the
1086 response to that question.
1088 Q 5.3: I'm only seeing ARP packets when I try to capture traffic.
1090 A: You're probably on a switched network, and running Ethereal on a
1091 machine that's not sending traffic to the switch and not being sent
1092 any traffic from other machines on the switch. ARP packets are often
1093 broadcast packets, which are sent to all switch ports.
1095 I.e., this is probably the same question as this earlier one; see the
1096 response to that question.
1098 Q 5.4: I'm running Ethereal on Windows; why does some network
1099 interface on my machine not show up in the list of interfaces in the
1100 "Interface:" field in the dialog box popped up by "Capture->Start",
1101 and/or why does Ethereal give me an error if I try to capture on that
1104 A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
1105 Windows XP, or Windows Server, and this is the first time you have run
1106 a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,
1107 or Analyzer, or...) since the machine was rebooted, you need to run
1108 that program from an account with administrator privileges; once you
1109 have run such a program, you will not need administrator privileges to
1110 run any such programs until you reboot.
1112 If you are running on Windows 95/98/Me, or if you are running on
1113 Windows NT 4.0/2000/XP/Server and have administrator privileges or a
1114 WinPcap-based program has been run with those privileges since the
1115 machine rebooted, then note that Ethereal relies on the WinPcap
1116 library, on the WinPcap device driver, and on the facilities that come
1117 with the OS on which it's running in order to do captures.
1119 Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
1120 support capturing on a particular network interface device, Ethereal
1121 won't be able to capture on that device.
1124 1. 2.02 and earlier versions of the WinPcap driver and library that
1125 Ethereal uses for packet capture didn't support Token Ring
1126 interfaces; versions 2.1 and later support Token Ring, and the
1127 current version of Ethereal works with (and, in fact, requires)
1128 WinPcap 2.1 or later.
1129 If you are having problems capturing on Token Ring interfaces, and
1130 you have WinPcap 2.02 or an earlier version of WinPcap installed,
1131 you should uninstall WinPcap, download and install the current
1132 version of WinPcap, and then install the latest version of
1134 2. On Windows 95, 98, or Me, sometimes more than one interface will
1135 be given the same name; if that is the case, you will only be able
1136 to capture on one of those interfaces - it's not clear to which
1137 one the name, when used in a WinPcap-based application, will
1138 refer. For example, if you have a PPP serial interface and a VPN
1139 interface, they might show up with the same name, for example
1140 "ppp-mac", and if you try to capture on "ppp-mac", it might not
1141 capture on the interface you're currently using. In that case, you
1142 might, for example, have to remove the VPN interface from the
1143 system in order to capture on the PPP serial interface.
1144 3. WinPcap 3.0 doesn't support PPP WAN interfaces, and WinPcap 2.3
1145 doesn't support PPP WAN interfaces on Windows NT/2000/XP/Server,
1146 so Ethereal cannot capture packets on those devices with WinPcap
1147 3.0, or with WInPcap 2.x when running on Windows
1148 NT/2000/XP/Server. Regular dial-up lines, ISDN lines, and various
1149 other lines such as T1/E1 lines are all PPP interfaces. This may
1150 cause the interface not to show up on the list of interfaces in
1151 the "Capture Options" dialog.
1152 4. WinPcap prior to 3.0 does not support multiprocessor machines
1153 (note that machines with a single multi-threaded processor, such
1154 as Intel's new multi-threaded x86 processors, are multiprocessor
1155 machines as far as the OS and WinPcap are concerned), and recent
1156 2.x versions of WinPcap refuse to operate if they detect that
1157 they're running on a multiprocessor machine, which means that they
1158 may not show any network interfaces. You will need to use WinPcap
1159 3.0 to capture on a multiprocessor machine.
1161 If an interface doesn't show up in the list of interfaces in the
1162 "Interface:" field, and you know the name of the interface, try
1163 entering that name in the "Interface:" field and capturing on that
1166 If the attempt to capture on it succeeds, the interface is somehow not
1167 being reported by the mechanism Ethereal uses to get a list of
1168 interfaces. Try listing the interfaces with WinDump; see the WinDump
1169 Web site or the local mirror of the WinDump Web site for information
1172 You would run WinDump with the -D flag; if it lists the interface,
1173 please report this to ethereal-dev@ethereal.com giving full details of
1174 the problem, including
1175 * the operating system you're using, and the version of that
1177 * the type of network device you're using;
1178 * the output of WinDump.
1180 If WinDump does not list the interface, this is almost certainly a
1181 problem with one or more of:
1182 * the operating system you're using;
1183 * the device driver for the interface you're using;
1184 * the WinPcap library and/or the WinPcap device driver;
1186 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1187 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1188 there. If not, then see the WinPcap support page (or the local mirror
1189 of that page) - check the "Submitting bugs" section.
1191 If you are having trouble capturing on a particular network interface,
1192 first try capturing on that device with WinDump; see the WinDump Web
1193 site or the local mirror of the WinDump Web site for information on
1196 If you can capture on the interface with WinDump, send mail to
1197 ethereal-users@ethereal.com giving full details of the problem,
1199 * the operating system you're using, and the version of that
1201 * the type of network device you're using;
1202 * the error message you get from Ethereal.
1204 If you cannot capture on the interface with WinDump, this is almost
1205 certainly a problem with one or more of:
1206 * the operating system you're using;
1207 * the device driver for the interface you're using;
1208 * the WinPcap library and/or the WinPcap device driver;
1210 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1211 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1212 there. If not, then see the WinPcap support page (or the local mirror
1213 of that page) - check the "Submitting bugs" section.
1215 You may also want to ask the ethereal-users@ethereal.com and the
1216 winpcap-users@winpcap.polito.it mailing lists to see if anybody
1217 happens to know about the problem and know a workaround or fix for the
1218 problem. (Note that you will have to subscribe to that list in order
1219 to be allowed to mail to it; see the WinPcap support page, or the
1220 local mirror of that page, for information on the mailing list.) In
1221 your mail, please give full details of the problem, as described
1222 above, and also indicate that the problem occurs with WinDump, not
1225 Q 5.5: I'm running Ethereal on Windows; why do no network interfaces
1226 show up in the list of interfaces in the "Interface:" field in the
1227 dialog box popped up by "Capture->Start"?
1229 A: This is really the same question as the previous one; see the
1230 response to that question.
1232 Q 5.6: I'm running Ethereal on Windows; why doesn't my serial
1233 port/ADSL modem/ISDN modem/show up in the list of interfaces in the
1234 "Interface:" field in the dialog box popped up by "Capture->Start"?
1236 A: All of those devices support Internet access using the
1237 Point-to-Point (PPP) protocol; WinPcap 3.0 doesn't support PPP
1238 interfaces, and WinPcap 2.x doesn't support PPP interfaces on Windows
1239 NT/2000/XP/Server, so Ethereal cannot capture packets on those devices
1240 with WinPcap 3.0, or with WinPcap 2.x when running on Windows
1241 NT/2000/XP/Server. This may cause the interface not to show up on the
1242 list of interfaces in the "Capture Options" dialog.
1244 Q 5.7: I'm running Ethereal on a UNIX-flavored OS; why does some
1245 network interface on my machine not show up in the list of interfaces
1246 in the "Interface:" field in the dialog box popped up by
1247 "Capture->Start", and/or why does Ethereal give me an error if I try
1248 to capture on that interface?
1250 A: You may need to run Ethereal from an account with sufficient
1251 privileges to capture packets, such as the super-user account. Only
1252 those interfaces that Ethereal can open for capturing show up in that
1253 list; if you don't have sufficient privileges to capture on any
1254 interfaces, no interfaces will show up in the list.
1256 If you are running Ethereal from an account with sufficient
1257 privileges, then note that Ethereal relies on the libpcap library, and
1258 on the facilities that come with the OS on which it's running in order
1261 Therefore, if the OS or the libpcap library don't support capturing on
1262 a particular network interface device, Ethereal won't be able to
1263 capture on that device.
1265 On Linux, note that you need to have "packet socket" support enabled
1266 in your kernel; see the "Packet socket" item in the Linux
1267 "Configure.help" file.
1269 On BSD, note that you need to have BPF support enabled in your kernel;
1270 see the documentation for your system for information on how to enable
1271 BPF support (if it's not enabled by default on your system).
1273 On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
1274 packet filtering support in your kernel; the doconfig command will
1275 allow you to configure and build a new kernel with that option.
1277 On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
1278 Ring interfaces; the current version, 0.7.2, does support Token Ring,
1279 and the current version of Ethereal works with libcap 0.7.2 and later.
1281 If an interface doesn't show up in the list of interfaces in the
1282 "Interface:" field, and you know the name of the interface, try
1283 entering that name in the "Interface:" field and capturing on that
1286 If the attempt to capture on it succeeds, the interface is somehow not
1287 being reported by the mechanism Ethereal uses to get a list of
1288 interfaces; please report this to ethereal-dev@ethereal.com giving
1289 full details of the problem, including
1290 * the operating system you're using, and the version of that
1291 operating system (for Linux, give both the version number of the
1292 kernel and the name and version number of the distribution you're
1294 * the type of network device you're using.
1296 If you are having trouble capturing on a particular network interface,
1297 and you've made sure that (on platforms that require it) you've
1298 arranged that packet capture support is present, as per the above,
1299 first try capturing on that device with tcpdump.
1301 If you can capture on the interface with tcpdump, send mail to
1302 ethereal-users@ethereal.com giving full details of the problem,
1304 * the operating system you're using, and the version of that
1305 operating system (for Linux, give both the version number of the
1306 kernel and the name and version number of the distribution you're
1308 * the type of network device you're using;
1309 * the error message you get from Ethereal.
1311 If you cannot capture on the interface with tcpdump, this is almost
1312 certainly a problem with one or more of:
1313 * the operating system you're using;
1314 * the device driver for the interface you're using;
1315 * the libpcap library;
1317 so you should report the problem to the company or organization that
1318 produces the OS (in the case of a Linux distribution, report the
1319 problem to whoever produces the distribution).
1321 You may also want to ask the ethereal-users@ethereal.com and the
1322 tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
1323 know about the problem and know a workaround or fix for the problem.
1324 In your mail, please give full details of the problem, as described
1325 above, and also indicate that the problem occurs with tcpdump not just
1328 Q 5.8: I'm running Ethereal on a UNIX-flavored OS; why do no network
1329 interfaces show up in the list of interfaces in the "Interface:" field
1330 in the dialog box popped up by "Capture->Start"?
1332 A: This is really the same question as the previous one; see the
1333 response to that question.
1335 Q 5.9: Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
1337 A: Ethereal can only capture on devices supported by libpcap/WinPcap.
1338 On most OSes, only devices that can act as network interfaces of the
1339 type that support IP are supported as capture devices for
1340 libpcap/WinPcap, although the device doesn't necessarily have to be
1341 running as an IP interface in order to support traffic capture.
1343 On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
1344 Measurement Systems' DAG cards, so that a system with one of those
1345 cards, and its driver and libraries, installed can capture traffic
1346 with those cards with libpcap-based applications. You would either
1347 have to have a version of Ethereal built with that version of libpcap,
1348 or a dynamically-linked version of Ethereal and a shared libpcap
1349 library with DAG support, in order to do so with Ethereal. You should
1350 ask Endace whether that could be used to capture traffic on, for
1351 example, your T1/E1 link.
1352 There is currently no hardware to support capturing on SS7 links with
1353 libpcap. (Note that the fact that Ethereal includes dissectors for
1354 many SS7 protocols doesn't imply that it can capture traffic from SS7
1355 links; those protocols can be run over Internet protocols.)
1357 Q 5.10: How do I put an interface into promiscuous mode?
1359 A: By not disabling promiscuous mode when running Ethereal or
1362 Note, however, that:
1363 * the form of promiscuous mode that libpcap (the library that
1364 programs such as tcpdump, Ethereal, etc. use to do packet capture)
1365 turns on will not necessarily be shown if you run ifconfig on the
1366 interface on a UNIX system;
1367 * some network interfaces might not support promiscuous mode, and
1368 some drivers might not allow promiscuous mode to be turned on -
1369 see this earlier question for more information on that;
1370 * the fact that you're not seeing any traffic, or are only seeing
1371 broadcast traffic, or aren't seeing any non-broadcast traffic
1372 other than traffic to or from the machine running Ethereal, does
1373 not mean that promiscuous mode isn't on - see this earlier
1374 question for more information on that.
1376 I.e., this is probably the same question as this earlier one; see the
1377 response to that question.
1379 Q 5.11: I can set a display filter just fine, but capture filters
1382 A: Capture filters currently use a different syntax than display
1383 filters. Here's the corresponding section from the ethereal(1) man
1386 "Display filters in Ethereal are very powerful; more fields are
1387 filterable in Ethereal than in other protocol analyzers, and the
1388 syntax you can use to create your filters is richer. As Ethereal
1389 progresses, expect more and more protocol fields to be allowed in
1392 Packet capturing is performed with the pcap library. The capture
1393 filter syntax follows the rules of the pcap library. This syntax is
1394 different from the display filter syntax."
1396 The capture filter syntax used by libpcap can be found in the
1397 tcpdump(8) man page.
1399 Q 5.12: I'm entering valid capture filters, but I still get "parse
1402 A: There is a bug in some versions of libpcap/WinPcap that cause it to
1403 report parse errors even for valid expressions if a previous filter
1404 expression was invalid and got a parse error.
1406 Try exiting and restarting Ethereal; if you are using a version of
1407 libpcap/WinPcap with this bug, this will "erase" its memory of the
1408 previous parse error. If the capture filter that got the "parse error"
1409 now works, the earlier error with that filter was probably due to this
1412 The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
1413 libpcap have this bug, but 0.6[.x] and later versions don't.
1415 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
1416 libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
1417 doesn't have this bug.
1419 If you are running Ethereal on a UNIX-flavored platform, run "ethereal
1420 -v", or select "About Ethereal..." from the "Help" menu in Ethereal,
1421 to see what version of libpcap it's using. If it's not 0.6 or later,
1422 you will need either to upgrade your OS to get a later version of
1423 libpcap, or will need to build and install a later version of libpcap
1424 from the tcpdump.org Web site and then recompile Ethereal from source
1425 with that later version of libpcap.
1427 If you are running Ethereal on Windows with a pre-2.3 version of
1428 WinPcap, you will need to un-install WinPcap and then download and
1429 install WinPcap 2.3.
1431 Q 5.13: I saved a filter and tried to use its name to filter the
1432 display, but I got an "Unexpected end of filter string" error.
1434 A: You cannot use the name of a saved display filter as a filter. To
1435 filter the display, you can enter a display filter expression - not
1436 the name of a saved display filter - in the "Filter:" box at the
1437 bottom of the display, and type the key or press the "Apply" button
1438 (that does not require you to have a saved filter), or, if you want to
1439 use a saved filter, you can press the "Filter:" button, select the
1440 filter in the dialog box that pops up, and press the "OK" button.
1442 Q 5.14: Why am I seeing lots of packets with incorrect TCP checksums?
1444 A: If the packets that have incorrect TCP checksums are all being sent
1445 by the machine on which Ethereal is running, this is probably because
1446 the network interface on which you're capturing does TCP checksum
1447 offloading. That means that the TCP checksum is added to the packet by
1448 the network interface, not by the OS's TCP/IP stack; when capturing on
1449 an interface, packets being sent by the host on which you're capturing
1450 are directly handed to the capture interface by the OS, which means
1451 that they are handed to the capture interface without a TCP checksum
1452 being added to them.
1454 The only way to prevent this from happening would be to disable TCP
1455 checksum offloading, but
1456 1. that might not even be possible on some OSes;
1457 2. that could reduce networking performance significantly.
1459 However, you can disable the check that Ethereal does of the TCP
1460 checksum, so that it won't report any packets as having TCP checksum
1461 errors, and so that it won't refuse to do TCP reassembly due to a
1462 packet having an incorrect TCP checksum. That can be set as an
1463 Ethereal preference by selecting "Preferences" from the "Edit" menu,
1464 opening up the "Protocols" list in the left-hand pane of the
1465 "Preferences" dialog box, selecting "TCP", from that list, turning off
1466 the "Check the validity of the TCP checksum when possible" option,
1467 clicking "Save" if you want to save that setting in your preference
1468 file, and clicking "OK".
1470 It can also be set on the Ethereal or Tethereal command line with a -o
1471 tcp.check_checksum:false command-line flag, or manually set in your
1472 preferences file by adding a tcp.check_checksum:false line.
1474 Q 5.15: I've just installed Ethereal, and the traffic on my local LAN
1477 A: We have a collection of strange and exotic sample capture files at
1478 http://www.ethereal.com/sample/
1480 Q 5.16: When I run Ethereal on Solaris 8, it dies with a Bus Error
1483 A: Some versions of the GTK+ library from www.sunfreeware.org appear
1484 to be buggy, causing Ethereal to drop core with a Bus Error.
1485 Un-install those packages, and try getting the 1.2.10 version from
1486 that site, or the version from The Written Word, or the version from
1487 Sun's GNOME distribution, or the version from the supplemental
1488 software CD that comes with the Solaris media kit, or build it from
1489 source from the GTK Web site. Update the GLib library to the 1.2.10
1490 version, from the same source, as well. (If you get the 1.2.10
1491 versions from www.sunfreeware.org, and the problem persists,
1492 un-install them and try installing one of the other versions
1495 Similar problems may exist with older versions of GTK+ for earlier
1496 versions of Solaris.
1498 Q 5.17: When I run Ethereal, I get an error
1500 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
1501 assertion `height > 0' failed.
1503 A: This is a bug in Ethereal 0.10.5, which will be fixed in the next
1504 release of Ethereal. To work around this bug:
1505 1. On Windows, this message will appear in a console window; do NOT,
1506 under any circumstances, close that window!
1507 2. Make sure the "Save window size" prefrence is set the "User
1508 Interface" prefrences in the preferences window opened by
1509 "Preferences" under the "Edit" menu.
1511 4. On Windows, a "Press any key to exit" message might appear in the
1512 command window; if that message appears in the window, click on
1513 that window and press any key (such as Enter).
1515 The next time Ethereal starts, it should not produce that error
1518 Q 5.18: When I run Tethereal with the "-x" option, it crashes with an
1521 "** ERROR **: file print.c: line 691 (print_line): should not be
1524 A: This is a bug in Ethereal 0.10.0a, which is fixed in 0.10.1 and
1525 later releases. To work around the bug, don't use "-x" unless you're
1526 also using "-V"; note that "-V" produces a full dissection of each
1527 packet, so you might not want to use it.
1529 To get a fixed version, either build the current SVN version from
1530 anonymous SVN or a nightly SVN snapshot, or apply to tethereal.c in
1531 the 0.10.0a source tarball the changes between the broken and the
1532 fixed versions, which you can download with the URL
1533 http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/tethereal.c.diff?
1534 r2=1.211&r1=1.210&diff_format=u and (re-)build from source. It might
1535 be easier to get the SVN version than to get the patch and apply it to
1536 the 0.10.0a source tarball, but it's probably easier to build from the
1537 source tarball than from the SVN version, as you'll need to have more
1538 tools and make more steps to generate from the SVN version some files
1539 that are bundled with the source tarball.
1541 Note that to build from the 0.10.0a source tarball on Windows with
1542 Microsoft Visual C++, you will need to get a file that was missing
1543 from the 0.10.0a source tarball; see the FAQ for that problem.
1545 Q 5.19: When I run Ethereal on Windows NT, it dies with a Dr. Watson
1546 error, reporting an "Integer division by zero" exception, when I start
1549 A: In at least some case, this appears to be due to using the default
1550 VGA driver; if that's not the correct driver for your video card, try
1551 running the correct driver for your video card.
1553 Q 5.20: When I try to run Ethereal, it complains about
1554 sprint_realloc_objid being undefined.
1556 A: Ethereal can only be linked with version 4.2.2 or later of UCD
1557 SNMP. Your version of Ethereal was dynamically linked with such a
1558 version of UCD SNMP; however, you have an older version of UCD SNMP
1559 installed, which means that when Ethereal is run, it tries to link to
1560 the older version, and fails. You will have to replace that version of
1561 UCD SNMP with version 4.2.2 or a later version.
1563 Q 5.21: I'm running Ethereal on Linux; why do my time stamps have only
1564 100ms resolution, rather than 1us resolution?
1566 A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
1567 get them from the OS kernel, so Ethereal - and any other program using
1568 libpcap, such as tcpdump - is at the mercy of the time stamping code
1569 in the OS for time stamps.
1571 At least on x86-based machines, Linux can get high-resolution time
1572 stamps on newer processors with the Time Stamp Counter (TSC) register;
1573 for example, Intel x86 processors, starting with the Pentium Pro, and
1574 including all x86 processors since then, have had a TSC, and other
1575 vendors probably added the TSC at some point to their families of x86
1578 The Linux kernel must be configured with the CONFIG_X86_TSC option
1579 enabled in order to use the TSC. Make sure this option is enabled in
1582 In addition, some Linux distributions may have bugs in their versions
1583 of the kernel that cause packets not to be given high-resolution time
1584 stamps even if the TSC is enabled. See, for example, bug 61111 for Red
1585 Hat Linux 7.2. If your distribution has a bug such as this, you may
1586 have to run a standard kernel from kernel.org in order to get
1587 high-resolution time stamps.
1589 Q 5.22: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
1590 why are the time stamps on packets wrong?
1592 A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap
1595 Q 5.23: When I try to run Ethereal on Windows, it fails to run because
1596 it can't find packet.dll.
1598 A: In older versions of Ethereal, there were two binary distributions
1599 available for Windows, one that supported capturing packets, and one
1600 that didn't. The version that supported capturing packets required
1601 that you install the WinPcap driver; if you didn't install it, it
1602 would fail to run because it couldn't find packet.dll.
1604 The current version of Ethereal has only one binary distribution for
1605 Windows; that version will check whether WinPcap is installed and, if
1606 it's not, will disable support for packet capture.
1608 The WinPcap driver and libraries can be downloaded from the WinPcap
1609 Web site, the local mirror of the WinPcap Web site, or the
1610 Wiretapped.net mirror of the WinPcap site.
1612 Q 5.24: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
1613 has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
1614 "Interface" item in the "Capture Options" dialog box. Why can no
1615 packets be sent on or received from that network while I'm trying to
1616 capture traffic on that interface?
1618 A: WinPcap doesn't support PPP WAN interfaces on Windows
1619 NT/2000/XP/Server; one symptom that may be seen is that attempts to
1620 capture in promiscuous mode on the interface cause the interface to be
1621 incapable of sending or receiving packets. You can disable promiscuous
1622 mode using the -p command-line flag or the item in the "Capture
1623 Preferences" dialog box, but this may mean that outgoing packets, or
1624 incoming packets, won't be seen in the capture.
1626 Q 5.25: I'm running Ethereal on Windows 95/98/Me, on a machine with
1627 more than one network adapter of the same type; Ethereal shows all of
1628 those adapters with the same name, but I can't use any of those
1629 adapters other than the first one.
1631 A: Unfortunately, Windows 95/98/Me gives the same name to multiple
1632 instances of the type of same network adapter. Therefore, WinPcap
1633 cannot distinguish between them, so a WinPcap-based application can
1634 capture only on the first such interface; Ethereal is a
1635 libpcap/WinPcap-based application.
1637 Q 5.26: I'm running Ethereal on Windows, and I'm not seeing any
1638 traffic being sent by the machine running Ethereal.
1640 A: If you are running some form of VPN client software, it might be
1641 causing this problem; people have seen this problem when they have
1642 Check Point's VPN software installed on their machine. If that's the
1643 cause of the problem, you will have to remove the VPN software in
1644 order to have Ethereal (or any other application using WinPcap) see
1645 outgoing packets; unfortunately, neither we nor the WinPcap developers
1646 know any way to make WinPcap and the VPN software work well together.
1648 Also, some drivers for Windows (especially some wireless network
1649 interface drivers) apparently do not, when running in promiscuous
1650 mode, arrange that outgoing packets are delivered to the software that
1651 requested that the interface run promiscuously; try turning
1652 promiscuous mode off.
1654 Q 5.27: I'm trying to capture traffic but I'm not seeing any.
1656 A: Is the machine running Ethereal sending out any traffic on the
1657 network interface on which you're capturing, or receiving any traffic
1658 on that network, or is there any broadcast traffic on the network or
1659 multicast traffic to a multicast group to which the machine running
1662 If not, this may just be a problem with promiscuous sniffing, either
1663 due to running on a switched network or a dual-speed hub, or due to
1664 problems with the interface not supporting promiscuous mode; see the
1665 response to this earlier question.
1667 Otherwise, on Windows, see the response to this question and, on a
1668 UNIX-flavored OS, see the response to this question.
1670 Q 5.28: I have an XXX network card on my machine; if I try to capture
1671 on it, my machine crashes or resets itself.
1673 A: This is almost certainly a problem with one or more of:
1674 * the operating system you're using;
1675 * the device driver for the interface you're using;
1676 * the libpcap/WinPcap library and, if this is Windows, the WinPcap
1680 * if you are using Windows, see the WinPcap support page (or the
1681 local mirror of that page) - check the "Submitting bugs" section;
1682 * if you are using some Linux distribution, some version of BSD, or
1683 some other UNIX-flavored OS, you should report the problem to the
1684 company or organization that produces the OS (in the case of a
1685 Linux distribution, report the problem to whoever produces the
1688 Q 5.29: My machine crashes or resets itself when I select "Start" from
1689 the "Capture" menu or select "Preferences" from the "Edit" menu.
1691 A: Both of those operations cause Ethereal to try to build a list of
1692 the interfaces that it can open; it does so by getting a list of
1693 interfaces and trying to open them. There is probably an OS, driver,
1694 or, for Windows, WinPcap bug that causes the system to crash when this
1695 happens; see the previous question.
1697 Q 5.30: Does Ethereal work on Windows Me?
1699 A: Yes, but if you want to capture packets, you will need to install
1700 the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
1701 didn't support Windows Me. You should also install the latest version
1702 of Ethereal as well.
1704 Q 5.31: Does Ethereal work on Windows XP?
1706 A: Yes, but if you want to capture packets, you will need to install
1707 the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
1708 didn't support Windows XP.
1710 Q 5.32: Why doesn't Ethereal correctly identify RTP packets? It shows
1713 A: Ethereal can identify a UDP datagram as containing a packet of a
1714 particular protocol running atop UDP only if
1715 1. The protocol in question has a particular standard port number,
1716 and the UDP source or destination port number is that port
1717 2. Packets of that protocol can be identified by looking for a
1718 "signature" of some type in the packet - i.e., some data that, if
1719 Ethereal finds it in some particular part of a packet, means that
1720 the packet is almost certainly a packet of that type.
1721 3. Some other traffic earlier in the capture indicated that, for
1722 example, UDP traffic between two particular addresses and ports
1723 will be RTP traffic.
1725 RTP doesn't have a standard port number, so 1) doesn't work; it
1726 doesn't, as far as I know, have any "signature", so 2) doesn't work.
1728 That leaves 3). If there's RTSP traffic that sets up an RTP session,
1729 then, at least in some cases, the RTSP dissector will set things up so
1730 that subsequent RTP traffic will be identified. Currently, that's the
1731 only place we do that; there may be other places.
1733 However, there will always be places where Ethereal is simply
1734 incapable of deducing that a given UDP flow is RTP; a mechanism would
1735 be needed to allow the user to specify that a given conversation
1736 should be treated as RTP. As of Ethereal 0.8.16, such a mechanism
1737 exists; if you select a UDP or TCP packet, the right mouse button menu
1738 will have a "Decode As..." menu item, which will pop up a dialog box
1739 letting you specify that the source port, the destination port, or
1740 both the source and destination ports of the packet should be
1741 dissected as some particular protocol.
1743 Q 5.33: Why doesn't Ethereal show Yahoo Messenger packets in captures
1744 that contain Yahoo Messenger traffic?
1746 A: Ethereal only recognizes as Yahoo Messenger traffic packets to or
1747 from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
1748 segments that start with the middle of a Yahoo Messenger packet that
1749 takes more than one TCP segment will not be recognized as Yahoo
1750 Messenger packets (even if the TCP segment also contains the beginning
1751 of another Yahoo Messenger packet).
1753 Q 5.34: Why do I get the error
1755 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
1759 when I try to run Ethereal on Windows?
1761 A: Ethereal is built using the GTK+ toolkit, which supports most
1762 UNIX-flavored OSes, and also supports Windows.
1764 Windows versions of Ethereal before 0.9.14 were built with an older
1765 version of that toolkit, which didn't support 256-color mode on
1766 Windows - it required HiColor (16-bit colors) or more.
1768 Windows versions of Ethereal 0.9.14 and later are built with a version
1769 of that toolkit that supports 256-color mode; upgrade to the current
1770 version of Ethereal if you want to run on a display in 256-color mode.
1772 Q 5.35: When I capture on Windows in promiscuous mode, I can see
1773 packets other than those sent to or from my machine; however, those
1774 packets show up with a "Short Frame" indication, unlike packets to or
1775 from my machine. What should I do to arrange that I see those packets
1778 A: In at least some cases, this appears to be the result of PGPnet
1779 running on the network interface on which you're capturing; turn it
1780 off on that interface.
1782 Q 5.36: I'm capturing packets on a machine on a VLAN; why don't the
1783 packets I'm capturing have VLAN tags?
1785 A: You might be capturing on what might be called a "VLAN interface" -
1786 the way a particular OS makes VLANs plug into the networking stack
1787 might, for example, be to have a network device object for the
1788 physical interface, which takes VLAN packets, strips off the VLAN
1789 header and constructs an Ethernet header, and passes that packet to an
1790 internal network device object for the VLAN, which then passes the
1791 packets onto various higher-level protocol implementations.
1793 In order to see the raw Ethernet packets, rather than "de-VLANized"
1794 packets, you would have to capture not on the virtual interface for
1795 the VLAN, but on the interface corresponding to the physical network
1796 device, if possible.
1798 Q 5.37: How can I capture raw 802.11 packets, including non-data
1799 (management, beacon) packets?
1801 A: That depends on the operating system on which you're running, and
1802 on the 802.11 interface on which you're capturing.
1804 This would probably require that you capture in promiscuous mode or in
1805 the mode called "monitor mode" or "RFMON mode". On some platforms, or
1806 with some cards, this might require that you capture in monitor mode -
1807 promiscuous mode might not be sufficient. If you want to capture
1808 traffic on networks other than the one with which you're associated,
1809 you will have to capture in monitor mode.
1811 Not all operating systems support capturing non-data packets and, even
1812 on operating systems that do support it, not all drivers, and thus not
1813 all interfaces, support it. Even on those that do, monitor mode might
1814 not be supported by the operating system or by the drivers for all
1817 NOTE: an interface running in monitor mode will, on most if not all
1818 platforms, not be able to act as a regular network interface; putting
1819 it into monitor mode will, in effect, take your machine off of
1820 whatever network it's on as long as the interface is in monitor mode,
1821 allowing it only to passively capture packets.
1823 This means that you should disable name resolution when capturing in
1824 monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump)
1825 tries to display IP addresses as host names, it will probably block
1826 for a long time trying to resolve the name because it will not be able
1827 to communicate with any DNS or NIS servers.
1829 There are FAQ items below with information on capturing in monitor
1830 mode on Linux, FreeBSD, and NetBSD.
1832 On Windows, you will not be able to capture in monitor mode on any
1833 interfaces, and you might not be able to capture in promiscuous mode,
1834 either. You might have some success in promiscuous mode with Centrino
1835 interfaces, although you will need the not-yet-released Ethereal
1836 0.10.6 in order to have the non-data packets recognized and properly
1839 You will not be able to capture in monitor mode on any other platforms
1840 (including Mac OS X). You might be able to capture in promiscuous
1841 mode, but this won't capture non-data packets.
1843 Q 5.38: How do I capture on an 802.11 device in monitor mode on Linux?
1845 A: Whether you will be able to capture in monitor mode depends on the
1846 card and driver you're using. See this page of Linux 802.11b
1847 information for details on 802.11b wireless cards, including
1848 information on the chips they use, and see this page of Linux
1849 802.11b+/a/g information for details on 802.11b+, 802.11a, and 802.11g
1850 wireless cards, including information on the chips they use.
1852 Cisco Aironet cards:
1854 On Linux with the driver in the 2.4.6 through 2.4.19 kernel:
1855 1. Put the card into monitor mode with the command echo "Mode: rfmon"
1856 >/proc/driver/aironet/interface/Config. If you want to capture
1857 traffic for any BSS rather than just the BSS with which the card
1858 is associated, use "Mode: y" rather than "Mode: rfmon".
1859 2. When the capture completes, turn off monitor mode with the command
1860 echo "Mode: ess" >/proc/driver/aironet/interface/Config.
1862 On Linux with the driver in the 2.4.20 or later kernel, or with the
1863 CVS drivers from the airo-linux SourceForge site, you will have to
1864 capture on the wifiN interface if your Aironet card is ethN, after
1865 running the commands listed above.
1867 In all of those cases, Ethereal would have to be linked with libpcap
1868 0.7.1 or later; this means that most Ethereal binary packages won't
1869 work unless they're statically linked with libpcap 0.7.1 or later, or
1870 they're dynamically linked with libpcap and your system has a libpcap
1871 0.7.1 or later shared library installed (note that libpcap source
1872 package from tcpdump.org does not build shared libraries). Some binary
1873 packaging mechanisms might make it difficult to install Ethereal
1874 binary packages built to depend on older libpcap binary packages if
1875 you have a newer libpcap binary package installed; the installer
1876 programs for those packaging mechanisms might support disabling
1877 dependency checking so that they will install Ethereal even though a
1878 newer version of libpcap is installed.
1880 Cards using the Prism II chip set:
1882 You can capture raw 802.11 packets with Prism II cards on Linux
1883 systems with the 0.1.14-pre6 or later version of the linux-wlan-ng
1884 drivers (see the linux-wlan page, and the linux-wlan-ng tarball
1885 directory), or with the hostap driver for Prism II/2.5/3.
1887 Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his
1888 libpcap-0.7.1-prism.diff file, or his RPMs of that version of
1889 libpcap), or the current CVS version of libpcap, which includes his
1890 patch (download it from the "Current Tar files" section of the
1891 tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and
1892 rebuild and install libpcap, or if you build and install the current
1893 CVS version of libpcap, you would have to rebuild Ethereal from
1894 source, linking it with that new version of libpcap; an Ethereal
1895 binary package would not work. Ethereal binary packages might work if
1896 you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
1897 a libpcap shared library in place of the one on your system.
1899 With the linux-wlan-ng driver, you should:
1900 1. Put the card into monitor mode with the command wlanctl-ng
1901 interface lnxreq_wlansniffer enable=true. You should request
1902 802.11 headers by adding to that command the option
1903 prismheader=true or, if supported, wlanheader=true; the latter
1904 might require libpcap 0.8.1 or later. You can also set the channel
1905 to monitor by adding the argument channel=channel_number to that
1907 2. When the capture completes, turn off monitor mode with the command
1908 wlanctl-ng interface enable=false. You might also have to turn
1909 802.11 headers off with prismheader=false or wlanheader=false.
1911 See the wlan-ng FAQ for additional information, although note that it
1912 does not appear to be up-to-date.
1914 With the hostap driver, you should:
1915 1. Put the card into monitor mode with the command iwpriv interface
1916 monitor mode, where mode is 2 or 3 (mode 3 would require libpcap
1918 2. When the capture completes, turn off monitor mode with the command
1919 iwpriv interface monitor 0.
1921 Orinoco Silver and Gold cards:
1923 On Linux systems, the current version of the SourceForge orinoco_cs
1924 driver should support monitor mode. There also exist patches to
1925 earlier versions of the Orinoco driver, on the Orinoco Monitor Mode
1926 Patch Page, to add support for monitor mode. You will have to
1927 determine which version of the driver you have, and select the
1928 appropriate patch, if one is necessary.
1930 Note that the page indicates that not all versions of the Orinoco
1931 firmware support this patch. It says, for some versions of the patch,
1932 "This patch should allow monitor mode with v8.10 firmware (untested w/
1933 8.42);" if you have version 8.10 or later firmware on your Orinoco
1934 cards, you might have to use those patches, with the corresponding
1935 versions of the Orinoco driver, in order to run in monitor mode.
1937 That patch is written for the drivers included with the pcmcia-cs
1938 drivers, but works equally well for the Orinoco drivers provided with
1939 Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,
1940 simply copy the orinoco-09b-patch.diff file to the
1941 /usr/src/linux/drivers/net directory and patch according to the
1942 directions on the Orinoco Monitor Mode Patch Page. You can double-
1943 check the version of the Orinoco drivers that shipped with your kernel
1944 by examining the first few lines of the orinoco.c file.
1946 The Orinoco patches and SourceForge driver require either Solomon
1947 Peachy's patch to libpcap 0.7.1 (see his libpcap-0.7.1-prism.diff
1948 file, or his RPMs of that version of libpcap), or the current CVS
1949 version of libpcap, which includes his patch (download it from the
1950 "Current Tar files" section of the tcpdump.org Web site). If you apply
1951 his patches to libpcap 0.7.1 and rebuild and install libpcap, or if
1952 you build and install the current CVS version of libpcap, you would
1953 have to rebuild Ethereal from source, linking it with that new version
1954 of libpcap; an Ethereal binary package would not work. Ethereal binary
1955 packages might work if you install the libpcap-0.7.1-1prism.i386.rpm
1956 RPM, as it might install a libpcap shared library in place of the one
1959 With a driver that supports monitor mode, you should:
1960 1. Put the card into monitor mode with the command iwpriv interface
1961 monitor mode channel_number, where mode is 1 or 2, and
1962 channel_number is the number of the channel to monitor.
1963 2. When the capture completes, turn off monitor mode with the command
1964 iwpriv interface monitor 0.
1966 Cards with the Texas Instruments ACX100 chipset:
1968 You can capture raw 802.11 packets with ACX100 cards on Linux systems
1969 with the ACX100 OSS drivers available from the ACX100 wireless network
1970 driver project SourceForge site.
1974 1. Put the card into monitor mode with the command iwpriv interface
1975 monitor 2 channel_number, where channel_number is the number of
1976 the channel to monitor.
1977 2. When the capture completes, turn off monitor mode with the command
1978 iwpriv interface monitor 0.
1980 Cards with Atheros Communications chipsets:
1982 You can capture raw 802.11 packets with AR5K cards on Linux systems
1983 with the v5_ar5k drivers. You will need the Linux wireless-tools
1984 version 25 or higher to put the card into monitor mode. It might also
1985 be possible to do so with the madwifi driver. If you have information
1986 on how to do this, please supply it to us, so that we can incorporate
1987 that information into the FAQ in the future.
1991 It might be possible to capture in monitor mode on other cards. If so,
1992 please supply us with information on how to do so, so that we can
1993 incorporate that information into this FAQ in the future.
1995 Q 5.39: How do I capture on an 802.11 device in monitor mode on
1998 A: On FreeBSD 5.2 and later, you should be able to capture in monitor
1999 mode on 802.11 interfaces supported by the wi and acx drivers, if
2000 Ethereal is linked with libpcap 0.8.1 or later, and on 802.11
2001 interfaces supported by the an driver, if Ethereal is linked with
2002 libpcap 0.7.1 or later.
2004 For cards supported by the wi and acx drivers, you should:
2005 1. Put the card into monitor mode with the command ifconfig interface
2006 monitor. You can also set the channel to monitor by adding the
2007 argument channel channel_number to that command.
2008 2. When you start the capture, in Ethereal select "802.11" as the
2009 "Link-layer header type", and in Tethereal add the command-line
2011 3. When the capture completes, turn off monitor mode with the command
2012 ifconfig interface -monitor.
2014 For cards supported by the an driver, you should:
2015 1. Put the card into monitor mode with the command ancontrol -i
2016 interface -M flag, where flag should be the sum of:
2017 + 1, to turn monitor mode on;
2018 + 2, if you want to capture traffic from any BSS rather than
2019 just the BSS with which the card is associated;
2020 + 4, if you want to see beacon packets (capturing beacon
2021 packets increases the CPU requirements of capturing).
2022 2. When the capture completes, turn off monitor mode with the command
2023 ancontrol -i interface -M 0.
2025 Don't add 8 in to flag; Ethereal currently doesn't support the full
2028 On FreeBSD 4.6 through 5.1, you should be able to capture in monitor
2029 mode on 802.11 interfaces supported by the an driver, but not on any
2030 other interfaces; see the instructions for FreeBSD 5.2 or later for
2033 In FreeBSD 4.5 and earlier, you will not be able to capture in monitor
2034 mode on 802.11 interfaces (no drivers supported it prior to 4.5, and
2035 in 4.5 the an driver had bugs that caused packets not to be captured
2038 Q 5.40: How do I capture on an 802.11 device in monitor mode on
2041 A: On NetBSD 2.0-beta and later, you should be able to capture in
2042 monitor mode on 802.11 interfaces supported by the wi and acx drivers,
2043 if Ethereal is linked with libpcap 0.8.1 or later. The instructions
2044 are the same as for FreeBSD 5.2 and later.
2046 Q 5.41: I'm trying to capture 802.11 traffic on Windows; why am I not
2049 A: At least some 802.11 card drivers on Windows appear not to see any
2050 packets if they're running in promiscuous mode. Try turning
2051 promiscuous mode off; you'll only be able to see packets sent by and
2052 received by your machine, not third-party traffic, and it'll look like
2053 Ethernet traffic and won't include any management or control frames,
2054 but that's a limitation of the card drivers.
2056 Q 5.42: I'm trying to capture 802.11 traffic on Windows; why am I
2057 seeing packets received by the machine on which I'm capturing traffic,
2058 but not packets sent by that machine?
2060 A: This appears to be another problem with promiscuous mode; try
2063 Q 5.43: How can I capture packets with CRC errors?
2065 A: Ethereal can capture only the packets that the packet capture
2066 library - libpcap on UNIX-flavored OSes, and the WinPcap port to
2067 Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
2068 capture only the packets that the OS's raw packet capture mechanism
2069 (or the WinPcap driver, and the underlying OS networking code and
2070 network interface drivers, on Windows) will allow it to capture.
2072 Unless the OS always supplies packets with errors such as invalid CRCs
2073 to the raw packet capture mechanism, or can be configured to do so,
2074 invalid CRCs to the raw packet capture mechanism, Ethereal - and other
2075 programs that capture raw packets, such as tcpdump - cannot capture
2076 those packets. You will have to determine whether your OS needs to be
2077 so configured and, if so, can be so configured, configure it if
2078 necessary and possible, and make whatever changes to libpcap and the
2079 packet capture program you're using are necessary, if any, to support
2080 capturing those packets.
2082 Most OSes probably do not support capturing packets with invalid CRCs
2083 on Ethernet, and probably do not support it on most other link-layer
2084 types. Some drivers on some OSes do support it, such as some Ethernet
2085 drivers on FreeBSD; in those OSes, you might always get those packets,
2086 or you might only get them if you capture in promiscuous mode (you'd
2087 have to determine which is the case).
2089 Note that libpcap does not currently supply to programs that use it an
2090 indication of whether the packet's CRC was invalid (because the
2091 drivers themselves do not supply that information to the raw packet
2092 capture mechanism); therefore, Ethereal will not indicate which
2093 packets had CRC errors unless the FCS was captured (see the next
2094 question) and you're using Ethereal 0.9.15 and later, in which case
2095 Ethereal will check the CRC and indicate whether it's correct or not.
2097 Q 5.44: How can I capture entire frames, including the FCS?
2099 A: Ethereal can only capture data that the packet capture library -
2100 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
2101 libpcap on Windows - can capture, and libpcap/WinPcap can capture only
2102 the data that the OS's raw packet capture mechanism (or the WinPcap
2103 driver, and the underlying OS networking code and network interface
2104 drivers, on Windows) will allow it to capture.
2106 For any particular link-layer network type, unless the OS supplies the
2107 FCS of a frame as part of the frame, or can be configured to do so,
2108 Ethereal - and other programs that capture raw packets, such as
2109 tcpdump - cannot capture the FCS of a frame. You will have to
2110 determine whether your OS needs to be so configured and, if so, can be
2111 so configured, configure it if necessary and possible, and make
2112 whatever changes to libpcap and the packet capture program you're
2113 using are necessary, if any, to support capturing the FCS of a frame.
2115 Most OSes do not support capturing the FCS of a frame on Ethernet, and
2116 probably do not support it on most other link-layer types. Some
2117 drivres on some OSes do support it, such as some (all?) Ethernet
2118 drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet
2119 interface in Mac OS X; in those OSes, you might always get the FCS, or
2120 you might only get the FCS if you capture in promiscuous mode (you'd
2121 have to determine which is the case).
2123 Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in
2124 a captured packet as an FCS. 0.9.15 and later will attempt to
2125 determine whether there's an FCS at the end of the frame and, if it
2126 thinks there is, will display it as such, and will check whether it's
2127 the correct CRC-32 value or not.
2129 Q 5.45: Ethereal hangs after I stop a capture.
2131 A: The most likely reason for this is that Ethereal is trying to look
2132 up an IP address in the capture to convert it to a name (so that, for
2133 example, it can display the name in the source address or destination
2134 address columns), and that lookup process is taking a very long time.
2136 Ethereal calls a routine in the OS of the machine on which it's
2137 running to convert of IP addresses to the corresponding names. That
2138 routine probably does one or more of:
2139 * a search of a system file listing IP addresses and names;
2140 * a lookup using DNS;
2141 * on UNIX systems, a lookup using NIS;
2142 * on Windows systems, a NetBIOS-over-TCP query.
2144 If a DNS server that's used in an address lookup is not responding,
2145 the lookup will fail, but will only fail after a timeout while the
2146 system routine waits for a reply.
2148 In addition, on Windows systems, if the DNS lookup of the address
2149 fails, either because the server isn't responding or because there are
2150 no records in the DNS that could be used to map the address to a name,
2151 a NetBIOS-over-TCP query will be made. That query involves sending a
2152 message to the NetBIOS-over-TCP name service on that machine, asking
2153 for the name and other information about the machine. If the machine
2154 isn't running software that responds to those queries - for example,
2155 many non-Windows machines wouldn't be running that software - the
2156 lookup will only fail after a timeout. Those timeouts can cause the
2157 lookup to take a long time.
2159 If you disable network address-to-name translation - for example, by
2160 turning off the "Enable network name resolution" option in the "Name
2161 resolution" options in the dialog box you get by selecting
2162 "Preferences" from the "Edit" menu - the lookups of the address won't
2163 be done, which may speed up the process of reading the capture file
2164 after the capture is stopped. You can make that setting the default by
2165 using the "Save" button in that dialog box; note that this will save
2166 all your current preference settings.
2168 If Ethereal hangs when reading a capture even with network name
2169 resolution turned off, there might, for example, be a bug in one of
2170 Ethereal's dissectors for a protocol causing it to loop infinitely.
2171 The bug should be reported to the Ethereal developers' mailing list at
2172 ethereal-dev@ethereal.com.
2174 On UNIX-flavored OSes, please try to force Ethereal to dump core, by
2175 sending it a SIGABRT signal (usually signal 6) with the kill command,
2176 and then get a stack trace if you have a debugger installed. A stack
2177 trace can be obtained by using your debugger (gdb in this example),
2178 the Ethereal binary, and the resulting core file. Here's an example of
2179 how to use the gdb command backtrace to do so.
2182 ..... prints the stack trace
2186 The core dump file may be named "ethereal.core" rather than "core" on
2187 some platforms (e.g., BSD systems)
2189 Also, if at all possible, please send a copy of the capture file that
2190 caused the problem; when capturing packets, Ethereal normally writes
2191 captured packets to a temporary file, which will probably be in /tmp
2192 or /var/tmp on UNIX-flavored OSes and \TEMP on Windows, so the capture
2193 file will probably be there. It will have a name beginning with ether,
2194 with some mixture of letters and numbers after that. Please don't send
2195 a trace file greater than 1 MB when compressed. If the trace file
2196 contains sensitive information (e.g., passwords), then please do not
2199 Q 5.46: How can I search for, or filter, packets that have a
2200 particular string anywhere in them?
2202 A: If you want to do this when capturing, you can't. That's a feature
2203 that would be hard to implement in capture filters without changes to
2204 the capture filter code, which, on many platforms, is in the OS kernel
2205 and, on other platforms, is in the libpcap library.
2207 In releases prior to 0.9.14, you also can't search for, or filter,
2208 packets containing a particular string even after you've captured
2211 In 0.9.14, you can search for, but not filter, packets that have a
2212 particular string; this has been added to the "Find Frame" dialog
2213 ("Find Frame" under the "Edit" menu, or control-F).
2215 In 0.9.15 and later, you can search for those packets using either the
2216 mechanism introduced in 0.9.14 or using the new "contains" operator in
2217 filter expressions, which lets you search the entire packet or text
2218 string or byte string fields in the packet; the "contains" operator
2219 can also be used in expressions used to filter the display.
2221 Please send support questions about Ethereal to the
2222 ethereal-users[AT]ethereal.com mailing list.
2223 For corrections/additions/suggestions for this web page (and not
2224 Ethereal support questions), please send email to
2225 ethereal-web[AT]ethereal.com .
2226 Last modified: Sun, August 08 2004.