" \n"
" 5.3 I'm only seeing ARP packets when I try to capture traffic. \n"
" \n"
-" 5.4 How do I put an interface into promiscuous mode? \n"
+" 5.4 I'm running Ethereal on Windows; why does some network interface \n"
+" on my machine not show up in the list of interfaces in the \n"
+" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
+" and/or why does Ethereal give me an error if I try to capture on that \n"
+" interface? \n"
+" \n"
+" 5.5 I'm running on a UNIX-flavored OS; why does some network interface \n"
+" on my machine not show up in the list of interfaces in the \n"
+" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
+" and/or why does Ethereal give me an error if I try to capture on that \n"
+" interface? \n"
" \n"
-" 5.5 I can set a display filter just fine, but capture filters don't \n"
+" 5.6 How do I put an interface into promiscuous mode? \n"
+" \n"
+" 5.7 I can set a display filter just fine, but capture filters don't \n"
" work. \n"
" \n"
-" 5.6 I'm entering valid capture filters, but I still get \"parse error\" \n"
+" 5.8 I'm entering valid capture filters, but I still get \"parse error\" \n"
" errors. \n"
" \n"
-" 5.7 I saved a filter and tried to use its name to filter the display, \n"
+" 5.9 I saved a filter and tried to use its name to filter the display, \n"
" but I got an \"Unexpected end of filter string\" error. \n"
" \n"
-" 5.8 Why am I seeing lots of packets with incorrect TCP checksums? \n"
+" 5.10 Why am I seeing lots of packets with incorrect TCP checksums? \n"
" \n"
-" 5.9 I've just installed Ethereal, and the traffic on my local LAN is \n"
+" 5.11 I've just installed Ethereal, and the traffic on my local LAN is \n"
" boring. \n"
" \n"
-" 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I \n"
+" 5.12 When I run Ethereal on Solaris 8, it dies with a Bus Error when I \n"
" start it. \n"
" \n"
-" 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson \n"
+" 5.13 When I run Ethereal on Windows NT, it dies with a Dr. Watson \n"
" error, reporting an \"Integer division by zero\" exception, when I start \n"
" it. \n"
" \n"
-" 5.12 When I try to run Ethereal, it complains about \n"
+" 5.14 When I try to run Ethereal, it complains about \n"
" sprint_realloc_objid being undefined. \n"
" \n"
-" 5.13 I'm running Ethereal on Linux; why do my time stamps have only \n"
+" 5.15 I'm running Ethereal on Linux; why do my time stamps have only \n"
" 100ms resolution, rather than 1us resolution? \n"
" \n"
-" 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n"
+" 5.16 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n"
" why are the time stamps on packets wrong? \n"
" \n"
-" 5.15 When I try to run Ethereal on Windows, it fails to run because it \n"
+" 5.17 When I try to run Ethereal on Windows, it fails to run because it \n"
" can't find packet.dll. \n"
" \n"
-" 5.16 I'm running Ethereal on Windows; why does some network interface \n"
-" on my machine not show up in the list of interfaces in the \n"
-" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
-" and/or why does Ethereal give me an error if I try to capture on that \n"
-" interface? \n"
-" \n"
-" 5.17 I'm running on a UNIX-flavored OS; why does some network \n"
-" interface on my machine not show up in the list of interfaces in the \n"
-" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
-" and/or why does Ethereal give me an error if I try to capture on that \n"
-" interface? \n"
-" \n"
" 5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has \n"
" a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the \n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no \n"
" 5.23 My machine crashes or resets itself when I select \"Start\" from \n"
" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n"
" \n"
-" 5.24 Does Ethereal work on Windows ME? \n"
+" 5.24 Does Ethereal work on Windows Me? \n"
" \n"
" 5.25 Does Ethereal work on Windows XP? \n"
" \n"
" 5.30 How can I capture raw 802.11 packets, including non-data \n"
" (management, beacon) packets? \n"
" \n"
-" 5.31 How can I capture packets with CRC errors? \n"
+" 5.31 I'm trying to capture 802.11 traffic on Windows; why am I not \n"
+" seeing any packets? \n"
+" \n"
+" 5.32 I'm trying to capture 802.11 traffic on Windows; why am I seeing \n"
+" packets received by the machine on which I'm capturing traffic, but \n"
+" not packets sent by that machine? \n"
" \n"
-" 5.32 How can I capture entire frames, including the FCS? \n"
+" 5.33 How can I capture packets with CRC errors? \n"
" \n"
-" 5.33 Ethereal hangs after I stop a capture. \n"
+" 5.34 How can I capture entire frames, including the FCS? \n"
" \n"
-" 5.34 How can I search for, or filter, packets that have a particular \n"
+" 5.35 Ethereal hangs after I stop a capture. \n"
+" \n"
+" 5.36 How can I search for, or filter, packets that have a particular \n"
" string anywhere in them? \n"
" \n"
" GENERAL QUESTIONS \n"
" \n"
" Q 1.2: What protocols are currently supported? \n"
" \n"
-" A: There are currently 393 supported protocols and media, listed \n"
+" A: There are currently 442 supported protocols and media, listed \n"
" below. Descriptions can be found in the ethereal(1) man page. \n"
" \n"
" 802.1q Virtual LAN \n"
" 802.1x Authentication \n"
+" AAL type 2 signalling protocol - Capability set 1 (Q.2630.1) \n"
" AFS (4.0) Replication Server call declarations \n"
+" ANSI A-I/F BSMAP \n"
+" ANSI A-I/F DTAP \n"
+" ANSI IS-637-A (SMS) Teleservice Layer \n"
+" ANSI IS-637-A (SMS) Transport Layer \n"
+" ANSI IS-683-A (OTA (Mobile)) \n"
+" ANSI Mobile Application Part \n"
" AOL Instant Messenger \n"
" ARCNET \n"
" ATM \n"
" Address Resolution Protocol \n"
" Aggregate Server Access Protocol \n"
" Alert Standard Forum \n"
+" Alteon - Transparent Proxy Cache Protocol \n"
" Andrew File System (AFS) \n"
" Apache JServ Protocol v1.3 \n"
" AppleTalk Filing Protocol \n"
" Async data over ISDN (V.120) \n"
" Authentication Header \n"
" BACnet Virtual Link Control \n"
+" BSS GPRS Protocol \n"
+" BSSAP/BSAP \n"
" Banyan Vines ARP \n"
" Banyan Vines Echo \n"
" Banyan Vines Fragmentation Protocol \n"
" Banyan Vines LLC \n"
" Banyan Vines RTP \n"
" Banyan Vines SPP \n"
+" Bearer Independent Call Control \n"
+" Bi-directional Fault Detection Control Message \n"
" Blocks Extensible Exchange Protocol \n"
" Boardwalk \n"
" Boot Parameters \n"
" Border Gateway Protocol \n"
" Building Automation and Control Network APDU \n"
" Building Automation and Control Network NPDU \n"
+" CCSDS \n"
" CDS Clerk Server Calls \n"
" Check Point High Availability Protocol \n"
" Checkpoint FW-1 \n"
" CoSine IPNOS L2 debug output \n"
" Common Open Policy Service \n"
" Common Unix Printing System (CUPS) Browsing Protocol \n"
+" Connectionless Lightweight Directory Access Protocol \n"
+" Cross Point Frame Injector \n"
" DCE DFS Calls \n"
" DCE Distributed Time Service Local Server \n"
" DCE Distributed Time Service Provider \n"
" DCE RPC \n"
" DCE Security ID Mapper \n"
" DCE/RPC BOS Server \n"
+" DCE/RPC BUDB \n"
+" DCE/RPC BUTC \n"
" DCE/RPC CDS Solicitation \n"
" DCE/RPC Conversation Manager \n"
" DCE/RPC Endpoint Mapper \n"
+" DCE/RPC Endpoint Mapper4 \n"
" DCE/RPC FLDB \n"
" DCE/RPC FLDB UBIK TRANSFER \n"
" DCE/RPC FLDB UBIKVOTE \n"
+" DCE/RPC ICL RPC \n"
" DCE/RPC Kerberos V \n"
" DCE/RPC RS_ACCT \n"
+" DCE/RPC RS_BIND \n"
" DCE/RPC RS_MISC \n"
+" DCE/RPC RS_PROP_ACCT \n"
" DCE/RPC RS_UNIX \n"
" DCE/RPC Remote Management \n"
" DCE/RPC Repserver Calls \n"
" Fibre Channel Name Server \n"
" Fibre Channel Protocol for SCSI \n"
" Fibre Channel SW_ILS \n"
+" Fibre Channel Security Protocol \n"
+" Fibre Channel Single Byte Command \n"
" File Transfer Protocol (FTP) \n"
" Financial Information eXchange Protocol \n"
" Frame \n"
" Frame Relay \n"
" GARP Multicast Registration Protocol \n"
" GARP VLAN Registration Protocol \n"
+" GPRS Network service \n"
" GPRS Tunneling Protocol \n"
-" GPRS Tunnelling Protocol v0 \n"
-" GPRS Tunnelling Protocol v1 \n"
+" GSM A-I/F BSSMAP \n"
+" GSM A-I/F DTAP \n"
+" GSM A-I/F RP \n"
+" GSM Mobile Application Part \n"
+" GSM SMS TPDU (GSM 03.40) \n"
" General Inter-ORB Protocol \n"
" Generic Routing Encapsulation \n"
" Generic Security Service Application Program Interface \n"
" Gnutella Protocol \n"
+" H225 \n"
" H245 \n"
+" H4501 \n"
" HP Extended Local-Link Control \n"
" HP Remote Maintenance Protocol \n"
" Hummingbird NFS Daemon \n"
" ISDN User Part \n"
" ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol \n"
" ISO 8073 COTP Connection-Oriented Transport Protocol \n"
+" ISO 8327-1 OSI Session Protocol \n"
" ISO 8473 CLNP ConnectionLess Network Protocol \n"
" ISO 8602 CLTP ConnectionLess Transport Protocol \n"
" ISO 9542 ESIS Routeing Information Exchange Protocol \n"
" ITU-T Recommendation H.261 \n"
+" ITU-T Recommendation H.263 RTP Payload header (RFC2190) \n"
" InMon sFlow \n"
" Intel ANS probe \n"
" Intelligent Platform Management Interface \n"
" Internet Control Message Protocol \n"
" Internet Control Message Protocol v6 \n"
" Internet Group Management Protocol \n"
+" Internet Group membership Authentication Protocol \n"
" Internet Message Access Protocol \n"
" Internet Printing Protocol \n"
" Internet Protocol \n"
" Kerberos \n"
" Kerberos Administration \n"
" Kernel Lock Manager \n"
+" LWAP Control Message \n"
+" LWAPP Encapsulated Packet \n"
+,
+
+" LWAPP Layer 3 Packet \n"
" Label Distribution Protocol \n"
+" Laplink \n"
" Layer 2 Tunneling Protocol \n"
" Lightweight Directory Access Protocol \n"
" Line Printer Daemon Protocol \n"
" Lucent/Ascend debug output \n"
" MDS Header \n"
" MMS Message Encapsulation \n"
+" MS Kpasswd \n"
" MS Proxy Protocol \n"
" MSN Messenger Service \n"
" MSNIP: Multicast Source Notification of Interest Protocol \n"
" Message Transfer Part Level 2 \n"
" Message Transfer Part Level 3 \n"
" Message Transfer Part Level 3 Management \n"
+" Microsoft Directory Replication Service \n"
" Microsoft Distributed File System \n"
" Microsoft Exchange MAPI \n"
" Microsoft Local Security Architecture \n"
" Microsoft Telephony API Service \n"
" Microsoft Windows Browser Protocol \n"
" Microsoft Windows Lanman Remote API Protocol \n"
-,
-
" Microsoft Windows Logon Protocol \n"
" Microsoft Workstation Service \n"
" Mobile IP \n"
" Network Status Monitor CallBack Protocol \n"
" Network Status Monitor Protocol \n"
" Network Time Protocol \n"
+" Nortel SONMP \n"
" Novell Distributed Print System \n"
" Null/Loopback \n"
" Open Shortest Path First \n"
" PPP-over-Ethernet Discovery \n"
" PPP-over-Ethernet Session \n"
" PPPMux Control Protocol \n"
-" Packet Encoding Rules (ASN.1 X.691) \n"
+" Packed Encoding Rules (ASN.1 X.691) \n"
" Point-to-Point Protocol \n"
" Point-to-Point Tunnelling Protocol \n"
" Portmap \n"
" Protocol Independent Multicast \n"
" Q.2931 \n"
" Q.931 \n"
+" Q.933 \n"
" Quake II Network Protocol \n"
" Quake III Arena Network Protocol \n"
" Quake Network Protocol \n"
" QuakeWorld Network Protocol \n"
" Qualified Logical Link Control \n"
" RFC 2250 MPEG1 \n"
+" RFC 2833 RTP Event \n"
" RIPng \n"
" RPC Browser \n"
+" RS Interface properties \n"
" RSTAT \n"
" RSYNC File Synchroniser \n"
" RX Protocol \n"
" Remote Program Load \n"
" Remote Quota \n"
" Remote Shell \n"
+" Remote Shutdown \n"
" Remote Wall protocol \n"
" Remote sec_login preauth interface. \n"
" Resource ReserVation Protocol (RSVP) \n"
" Routing Table Maintenance Protocol \n"
" SADMIND \n"
" SCSI \n"
+" SEBEK - Kernel Data Capture \n"
" SGI Mount Service \n"
" SMB (Server Message Block Protocol) \n"
" SMB MailSlot Protocol \n"
" Session Announcement Protocol \n"
" Session Description Protocol \n"
" Session Initiation Protocol \n"
+" Session Initiation Protocol (SIP as raw text) \n"
" Short Message Peer to Peer \n"
" Signalling Connection Control Part \n"
" Signalling Connection Control Part Management \n"
" Simple Mail Transfer Protocol \n"
" Simple Network Management Protocol \n"
+" Simple Traversal of UDP Through NAT \n"
" Sinec H1 Protocol \n"
" Skinny Client Control Protocol \n"
" SliMP3 Communication Protocol \n"
" Syslog message \n"
" Systems Network Architecture \n"
" Systems Network Architecture XID \n"
+" T38 \n"
" TACACS \n"
" TACACS+ \n"
+" TEREDO Tunneling IPv6 over UDP through NATs \n"
" TPKT \n"
" Tabular Data Stream \n"
" Tazmen Sniffer Protocol \n"
" Time Synchronization Protocol \n"
" Token-Ring \n"
" Token-Ring Media Access Control \n"
+" Transaction Capabilities Application Part \n"
" Transmission Control Protocol \n"
" Transparent Network Substrate Protocol \n"
" Trivial File Transfer Protocol \n"
" Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be \n"
" installed; only Tethereal is installed. \n"
" \n"
-" A: Red Hat RPMs for Ethereal put only the non-GUI components into the \n"
-" ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding; \n"
-" there's a separate ethereal-gnome RPM that includes GUI components \n"
-" such as Ethereal itself, the fact that Ethereal doesn't use GNOME \n"
-" nonwithstanding. Find the ethereal-gnome RPM, and install that also. \n"
+" A: Older versions of the Red Hat RPMs for Ethereal put only the \n"
+" non-GUI components into the ethereal RPM, the fact that Ethereal is a \n"
+" GUI program nonwithstanding; newer versions make it a bit clearer by \n"
+" giving that RPM a name starting with ethereal-base. \n"
+" \n"
+" In those older versions, there's a separate ethereal-gnome RPM that \n"
+" includes GUI components such as Ethereal itself, the fact that \n"
+" Ethereal doesn't use GNOME nonwithstanding; newer versions make it a \n"
+" bit clearer by giving that RPM a name starting with ethereal-gtk+. \n"
+" \n"
+" Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also. \n"
" \n"
" BUILDING ETHEREAL \n"
" Q 4.1: The configure script can't find pcap.h or bpf.h, but I have \n"
" \n"
" On Solaris, changing your command search path to search /usr/xpg4/bin \n"
" before /usr/bin should make the problem go away; on any platform on \n"
+,
+
" which you have this problem, installing GNU sed and changing your \n"
" command path to search the directory in which it is installed before \n"
" searching the directory with the version of sed that came with the OS \n"
" this. See, for example: \n"
" * this documentation from Cisco on the Switched Port Analyzer (SPAN) \n"
" feature on Catalyst switches; \n"
-,
-
" * documentation from HP on how to set \"monitoring\"/\"mirroring\" on \n"
" ports on the console for HP Advancestack Switch 208 and 224; \n"
" * the \"Network Monitoring Port Features\" section of chapter 6 of \n"
" documentation from HP for HP ProCurve Switches 1600M, 2424M, \n"
-" 4000M, and 8000M. \n"
+" 4000M, and 8000M; \n"
+" * the \"Switch Port-Mirroring\" section of chapter 6 of documentation \n"
+" from Extreme Networks for their Summit 200 switches; \n"
+" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n"
+" in Foundry Networks' documentation for their FastIron Edge \n"
+" Switches; \n"
+" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n"
+" in Foundry Networks' documentation for their BigIron MG8 Layer 3 \n"
+" Switches; \n"
+" * the \"Port Monitor\" subsection of the \"Status Monitor and \n"
+" Statistics\" section of the documentation from Foundry Networks for \n"
+" their EdgeIron 4802F and 10GC2F switches; \n"
+" * the \"Configuring Port Mirroring\" section of chapter 3 of the \n"
+" documentation from Foundry Networks for their EdgeIron 24G, \n"
+" 2402CF, and 4802CF switches; \n"
+" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n"
+" in Foundry Networks' documentation for their other switches and \n"
+" metro routers. \n"
" \n"
" Note also that many firewall/NAT boxes have a switch built into them; \n"
" this includes many of the \"cable/DSL router\" boxes. If you have a box \n"
" I.e., this is probably the same question as this earlier one; see the \n"
" response to that question. \n"
" \n"
-" Q 5.4: How do I put an interface into promiscuous mode? \n"
+" Q 5.4: I'm running Ethereal on Windows; why does some network \n"
+" interface on my machine not show up in the list of interfaces in the \n"
+" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
+" and/or why does Ethereal give me an error if I try to capture on that \n"
+" interface? \n"
+" \n"
+" A: If you are running Ethereal on Windows NT 4.0, Windows 2000, \n"
+" Windows XP, or Windows Server, and this is the first time you have run \n"
+" a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, \n"
+" or Analyzer, or...) since the machine was rebooted, you need to run \n"
+" that program from an account with administrator privileges; once you \n"
+" have run such a program, you will not need administrator privileges to \n"
+" run any such programs until you reboot. \n"
+" \n"
+" If you are running on Windows 95/98/Me, or if you are running on \n"
+" Windows NT 4.0/2000/XP/Server and have administrator privileges or a \n"
+" WinPcap-based program has been run with those privileges since the \n"
+" machine rebooted, then note that Ethereal relies on the WinPcap \n"
+" library, on the WinPcap device driver, and on the facilities that come \n"
+" with the OS on which it's running in order to do captures. \n"
+" \n"
+" Therefore, if the OS, the WinPcap library, or the WinPcap driver don't \n"
+" support capturing on a particular network interface device, Ethereal \n"
+" won't be able to capture on that device. \n"
+" \n"
+" Note that: \n"
+" 1. 2.02 and earlier versions of the WinPcap driver and library that \n"
+" Ethereal uses for packet capture didn't support Token Ring \n"
+" interfaces; versions 2.1 and later support Token Ring, and the \n"
+" current version of Ethereal works with (and, in fact, requires) \n"
+" WinPcap 2.1 or later. \n"
+" If you are having problems capturing on Token Ring interfaces, and \n"
+" you have WinPcap 2.02 or an earlier version of WinPcap installed, \n"
+" you should uninstall WinPcap, download and install the current \n"
+" version of WinPcap, and then install the latest version of \n"
+" Ethereal. \n"
+" 2. On Windows 95, 98, or Me, sometimes more than one interface will \n"
+" be given the same name; if that is the case, you will only be able \n"
+" to capture on one of those interfaces - it's not clear to which \n"
+" one the name, when used in a WinPcap-based application, will \n"
+" refer. For example, if you have a PPP serial interface and a VPN \n"
+" interface, they might show up with the same name, for example \n"
+" \"ppp-mac\", and if you try to capture on \"ppp-mac\", it might not \n"
+" capture on the interface you're currently using. In that case, you \n"
+" might, for example, have to remove the VPN interface from the \n"
+" system in order to capture on the PPP serial interface. \n"
+" 3. WinPcap doesn't support PPP WAN interfaces on Windows \n"
+" NT/2000/XP/Server, so Ethereal cannot capture packets on those \n"
+" devices when running on Windows NT/2000/XP/Server. Regular dial-up \n"
+" lines, ISDN lines, and various other lines such as T1/E1 lines are \n"
+" all PPP interfaces. This may cause the interface not to show up on \n"
+" the list of interfaces in the \"Capture Options\" dialog. \n"
+" 4. WinPcap prior to 3.0 does not support multiprocessor machines \n"
+" (note that machines with a single multi-threaded processor, such \n"
+" as Intel's new multi-threaded x86 processors, are multiprocessor \n"
+" machines as far as the OS and WinPcap are concerned), and recent \n"
+" 2.x versions of WinPcap refuse to operate if they detect that \n"
+" they're running on a multiprocessor machine, which means that they \n"
+" may not show any network interfaces. You will need to use WinPcap \n"
+" 3.0 to capture on a multiprocessor machine. \n"
+" \n"
+" If an interface doesn't show up in the list of interfaces in the \n"
+" \"Interface:\" field, and you know the name of the interface, try \n"
+" entering that name in the \"Interface:\" field and capturing on that \n"
+" device. \n"
+" \n"
+" If the attempt to capture on it succeeds, the interface is somehow not \n"
+" being reported by the mechanism Ethereal uses to get a list of \n"
+" interfaces; please report this to ethereal-dev@ethereal.com giving \n"
+" full details of the problem, including \n"
+" * the operating system you're using, and the version of that \n"
+" operating system; \n"
+" * the type of network device you're using. \n"
+" \n"
+" If you are having trouble capturing on a particular network interface, \n"
+" first try capturing on that device with WinDump; see the WinDump Web \n"
+" site or the local mirror of the WinDump Web site for information on \n"
+" using WinDump. \n"
+" \n"
+" If you can capture on the interface with WinDump, send mail to \n"
+" ethereal-users@ethereal.com giving full details of the problem, \n"
+" including \n"
+" * the operating system you're using, and the version of that \n"
+" operating system; \n"
+" * the type of network device you're using; \n"
+" * the error message you get from Ethereal. \n"
+" \n"
+" If you cannot capture on the interface with WinDump, this is almost \n"
+" certainly a problem with one or more of: \n"
+" * the operating system you're using; \n"
+" * the device driver for the interface you're using; \n"
+" * the WinPcap library and/or the WinPcap device driver; \n"
+" \n"
+" so first check the WinPcap FAQ, the local mirror of that FAQ, or the \n"
+" Wiretapped.net mirror of that FAQ, to see if your problem is mentioned \n"
+" there. If not, then see the WinPcap support page (or the local mirror \n"
+" of that page) - check the \"Submitting bugs\" section. \n"
+" \n"
+" You may also want to ask the ethereal-users@ethereal.com and the \n"
+" winpcap-users@winpcap.polito.it mailing lists to see if anybody \n"
+" happens to know about the problem and know a workaround or fix for the \n"
+" problem. (Note that you will have to subscribe to that list in order \n"
+" to be allowed to mail to it; see the WinPcap support page, or the \n"
+" local mirror of that page, for information on the mailing list.) In \n"
+" your mail, please give full details of the problem, as described \n"
+" above, and also indicate that the problem occurs with WinDump, not \n"
+" just with Ethereal. \n"
+" \n"
+" Q 5.5: I'm running on a UNIX-flavored OS; why does some network \n"
+" interface on my machine not show up in the list of interfaces in the \n"
+" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
+" and/or why does Ethereal give me an error if I try to capture on that \n"
+" interface? \n"
+" \n"
+" A: You may need to run Ethereal from an account with sufficient \n"
+" privileges to capture packets, such as the super-user account. Only \n"
+" those interfaces that Ethereal can open for capturing show up in that \n"
+" list; if you don't have sufficient privileges to capture on any \n"
+" interfaces, no interfaces will show up in the list. \n"
+" \n"
+" If you are running Ethereal from an account with sufficient \n"
+" privileges, then note that Ethereal relies on the libpcap library, and \n"
+" on the facilities that come with the OS on which it's running in order \n"
+" to do captures. \n"
+" \n"
+" Therefore, if the OS or the libpcap library don't support capturing on \n"
+" a particular network interface device, Ethereal won't be able to \n"
+" capture on that device. \n"
+" \n"
+" On Linux, note that you need to have \"packet socket\" support enabled \n"
+" in your kernel; see the \"Packet socket\" item in the Linux \n"
+" \"Configure.help\" file. \n"
+" \n"
+" On BSD, note that you need to have BPF support enabled in your kernel; \n"
+" see the documentation for your system for information on how to enable \n"
+" BPF support (if it's not enabled by default on your system). \n"
+" \n"
+" On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have \n"
+" packet filtering support in your kernel; the doconfig command will \n"
+" allow you to configure and build a new kernel with that option. \n"
+" \n"
+" On Solaris, note that libpcap 0.6.2 and earlier didn't support Token \n"
+" Ring interfaces; the current version, 0.7.2, does support Token Ring, \n"
+" and the current version of Ethereal works with libcap 0.7.2 and later. \n"
+" \n"
+" If an interface doesn't show up in the list of interfaces in the \n"
+" \"Interface:\" field, and you know the name of the interface, try \n"
+" entering that name in the \"Interface:\" field and capturing on that \n"
+" device. \n"
+" \n"
+" If the attempt to capture on it succeeds, the interface is somehow not \n"
+" being reported by the mechanism Ethereal uses to get a list of \n"
+" interfaces; please report this to ethereal-dev@ethereal.com giving \n"
+" full details of the problem, including \n"
+" * the operating system you're using, and the version of that \n"
+" operating system (for Linux, give both the version number of the \n"
+" kernel and the name and version number of the distribution you're \n"
+" using); \n"
+" * the type of network device you're using. \n"
+" \n"
+" If you are having trouble capturing on a particular network interface, \n"
+" and you've made sure that (on platforms that require it) you've \n"
+" arranged that packet capture support is present, as per the above, \n"
+" first try capturing on that device with tcpdump. \n"
+" \n"
+" If you can capture on the interface with tcpdump, send mail to \n"
+" ethereal-users@ethereal.com giving full details of the problem, \n"
+" including \n"
+" * the operating system you're using, and the version of that \n"
+" operating system (for Linux, give both the version number of the \n"
+" kernel and the name and version number of the distribution you're \n"
+" using); \n"
+" * the type of network device you're using; \n"
+" * the error message you get from Ethereal. \n"
+" \n"
+" If you cannot capture on the interface with tcpdump, this is almost \n"
+" certainly a problem with one or more of: \n"
+" * the operating system you're using; \n"
+" * the device driver for the interface you're using; \n"
+" * the libpcap library; \n"
+" \n"
+" so you should report the problem to the company or organization that \n"
+" produces the OS (in the case of a Linux distribution, report the \n"
+" problem to whoever produces the distribution). \n"
+" \n"
+" You may also want to ask the ethereal-users@ethereal.com and the \n"
+" tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to \n"
+" know about the problem and know a workaround or fix for the problem. \n"
+" In your mail, please give full details of the problem, as described \n"
+" above, and also indicate that the problem occurs with tcpdump not just \n"
+" with Ethereal. \n"
+" \n"
+" Q 5.6: How do I put an interface into promiscuous mode? \n"
" \n"
" A: By not disabling promiscuous mode when running Ethereal or \n"
" Tethereal. \n"
" I.e., this is probably the same question as this earlier one; see the \n"
" response to that question. \n"
" \n"
-" Q 5.5: I can set a display filter just fine, but capture filters don't \n"
+" Q 5.7: I can set a display filter just fine, but capture filters don't \n"
" work. \n"
" \n"
" A: Capture filters currently use a different syntax than display \n"
" filters. Here's the corresponding section from the ethereal(1) man \n"
" page: \n"
+,
+
" \n"
" \"Display filters in Ethereal are very powerful; more fields are \n"
" filterable in Ethereal than in other protocol analyzers, and the \n"
" The capture filter syntax used by libpcap can be found in the \n"
" tcpdump(8) man page. \n"
" \n"
-" Q 5.6: I'm entering valid capture filters, but I still get \"parse \n"
+" Q 5.8: I'm entering valid capture filters, but I still get \"parse \n"
" error\" errors. \n"
" \n"
" A: There is a bug in some versions of libpcap/WinPcap that cause it to \n"
" WinPcap, you will need to un-install WinPcap and then download and \n"
" install WinPcap 2.3. \n"
" \n"
-" Q 5.7: I saved a filter and tried to use its name to filter the \n"
+" Q 5.9: I saved a filter and tried to use its name to filter the \n"
" display, but I got an \"Unexpected end of filter string\" error. \n"
" \n"
" A: You cannot use the name of a saved display filter as a filter. To \n"
" use a saved filter, you can press the \"Filter:\" button, select the \n"
" filter in the dialog box that pops up, and press the \"OK\" button. \n"
" \n"
-" Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums? \n"
+" Q 5.10: Why am I seeing lots of packets with incorrect TCP checksums? \n"
" \n"
" A: If the packets that have incorrect TCP checksums are all being sent \n"
" by the machine on which Ethereal is running, this is probably because \n"
" tcp.check_checksum:false command-line flag, or manually set in your \n"
" preferences file by adding a tcp.check_checksum:false line. \n"
" \n"
-" Q 5.9: I've just installed Ethereal, and the traffic on my local LAN \n"
+" Q 5.11: I've just installed Ethereal, and the traffic on my local LAN \n"
" is boring. \n"
" \n"
" A: We have a collection of strange and exotic sample capture files at \n"
" http://www.ethereal.com/sample/ \n"
" \n"
-" Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error \n"
+" Q 5.12: When I run Ethereal on Solaris 8, it dies with a Bus Error \n"
" when I start it. \n"
" \n"
" A: Some versions of the GTK+ library from www.sunfreeware.org appear \n"
" Similar problems may exist with older versions of GTK+ for earlier \n"
" versions of Solaris. \n"
" \n"
-" Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson \n"
+" Q 5.13: When I run Ethereal on Windows NT, it dies with a Dr. Watson \n"
" error, reporting an \"Integer division by zero\" exception, when I start \n"
" it. \n"
" \n"
" VGA driver; if that's not the correct driver for your video card, try \n"
" running the correct driver for your video card. \n"
" \n"
-" Q 5.12: When I try to run Ethereal, it complains about \n"
+" Q 5.14: When I try to run Ethereal, it complains about \n"
" sprint_realloc_objid being undefined. \n"
" \n"
" A: Ethereal can only be linked with version 4.2.2 or later of UCD \n"
" the older version, and fails. You will have to replace that version of \n"
" UCD SNMP with version 4.2.2 or a later version. \n"
" \n"
-" Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only \n"
+" Q 5.15: I'm running Ethereal on Linux; why do my time stamps have only \n"
" 100ms resolution, rather than 1us resolution? \n"
" \n"
" A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap \n"
" have to run a standard kernel from kernel.org in order to get \n"
" high-resolution time stamps. \n"
" \n"
-" Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n"
+" Q 5.16: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n"
" why are the time stamps on packets wrong? \n"
" \n"
" A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap \n"
" 3.0. \n"
" \n"
-" Q 5.15: When I try to run Ethereal on Windows, it fails to run because \n"
+" Q 5.17: When I try to run Ethereal on Windows, it fails to run because \n"
" it can't find packet.dll. \n"
" \n"
" A: In older versions of Ethereal, there were two binary distributions \n"
" Web site, the local mirror of the WinPcap Web site, or the \n"
" Wiretapped.net mirror of the WinPcap site. \n"
" \n"
-" Q 5.16: I'm running Ethereal on Windows; why does some network \n"
-" interface on my machine not show up in the list of interfaces in the \n"
-" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
-" and/or why does Ethereal give me an error if I try to capture on that \n"
-" interface? \n"
-" \n"
-" A: If you are running Ethereal on Windows NT 4.0, Windows 2000, \n"
-" Windows XP, or Windows Server, and this is the first time you have run \n"
-" a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, \n"
-" or Analyzer, or...) since the machine was rebooted, you need to run \n"
-" that program from an account with administrator privileges; once you \n"
-" have run such a program, you will not need administrator privileges to \n"
-" run any such programs until you reboot. \n"
-" \n"
-" If you are running on Windows 95/98/Me, or if you are running on \n"
-" Windows NT 4.0/2000/XP/Server and have administrator privileges or a \n"
-" WinPcap-based program has been run with those privileges since the \n"
-" machine rebooted, then note that Ethereal relies on the WinPcap \n"
-" library, on the WinPcap device driver, and on the facilities that come \n"
-" with the OS on which it's running in order to do captures. \n"
-" \n"
-" Therefore, if the OS, the WinPcap library, or the WinPcap driver don't \n"
-" support capturing on a particular network interface device, Ethereal \n"
-" won't be able to capture on that device. \n"
-" \n"
-" Note that: \n"
-" * 2.02 and earlier versions of the WinPcap driver and library that \n"
-" Ethereal uses for packet capture didn't support Token Ring \n"
-" interfaces; the current version, 2.3, does support Token Ring, and \n"
-" the current version of Ethereal works with (and, in fact, \n"
-" requires) WinPcap 2.1 or later. \n"
-" If you are having problems capturing on Token Ring interfaces, and \n"
-" you have WinPcap 2.02 or an earlier version of WinPcap installed, \n"
-" you should uninstall WinPcap, download and install the current \n"
-" version of WinPcap, and then install the latest version of \n"
-" Ethereal. \n"
-" * On Windows 95, 98, or Me, sometimes more than one interface will \n"
-" be given the same name; if that is the case, you will only be able \n"
-" to capture on one of those interfaces - it's not clear to which \n"
-" one the name, when used in a WinPcap-based application, will \n"
-" refer. For example, if you have a PPP serial interface and a VPN \n"
-" interface, they might show up with the same name, for example \n"
-" \"ppp-mac\", and if you try to capture on \"ppp-mac\", it might not \n"
-" capture on the interface you're currently using. In that case, you \n"
-" might, for example, have to remove the VPN interface from the \n"
-" system in order to capture on the PPP serial interface. \n"
-" * WinPcap doesn't support PPP WAN interfaces on Windows \n"
-" NT/2000/XP/Server, so Ethereal cannot capture packets on those \n"
-" devices when running on Windows NT/2000/XP/Server. Regular dial-up \n"
-" lines, ISDN lines, and various other lines such as T1/E1 lines are \n"
-" all PPP interfaces. This may cause the interface not to show up on \n"
-" the list of interfaces in the \"Capture Options\" dialog. \n"
-" * WinPcap prior to 3.0 does not support multiprocessor machines \n"
-" (note that machines with a single multi-threaded processor, such \n"
-" as Intel's new multi-threaded x86 processors, are multiprocessor \n"
-" machines as far as the OS and WinPcap are concerned), and recent \n"
-" 2.x versions of WinPcap refuse to operate if they detect that \n"
-" they're running on a multiprocessor machine, which means that they \n"
-" may not show any network interfaces. You will need to use WinPcap \n"
-" 3.0 to capture on a multiprocessor machine. \n"
-" \n"
-" If an interface doesn't show up in the list of interfaces in the \n"
-" \"Interface:\" field, and you know the name of the interface, try \n"
-" entering that name in the \"Interface:\" field and capturing on that \n"
-" device. \n"
-" \n"
-" If the attempt to capture on it succeeds, the interface is somehow not \n"
-" being reported by the mechanism Ethereal uses to get a list of \n"
-" interfaces; please report this to ethereal-dev@ethereal.com giving \n"
-" full details of the problem, including \n"
-" * the operating system you're using, and the version of that \n"
-" operating system; \n"
-" * the type of network device you're using. \n"
-" \n"
-" If you are having trouble capturing on a particular network interface, \n"
-" and you've made sure that (on platforms that require it) you've \n"
-" arranged that packet capture support is present, as per the above, \n"
-" first try capturing on that device with WinDump; see the WinDump Web \n"
-" site or the local mirror of the WinDump Web site for information on \n"
-" using WinDump. \n"
-" \n"
-" If you can capture on the interface with WinDump, send mail to \n"
-" ethereal-users@ethereal.com giving full details of the problem, \n"
-" including \n"
-" * the operating system you're using, and the version of that \n"
-" operating system; \n"
-" * the type of network device you're using; \n"
-" * the error message you get from Ethereal. \n"
-" \n"
-" If you cannot capture on the interface with WinDump, this is almost \n"
-" certainly a problem with one or more of: \n"
-,
-
-" * the operating system you're using; \n"
-" * the device driver for the interface you're using; \n"
-" * the WinPcap library and/or the WinPcap device driver; \n"
-" \n"
-" so first check the WinPcap FAQ, the local mirror of that FAQ, or the \n"
-" Wiretapped.net mirror of that FAQ, to see if your problem is mentioned \n"
-" there. If not, then see the WinPcap support page (or the local mirror \n"
-" of that page) - check the \"Submitting bugs\" section. \n"
-" \n"
-" You may also want to ask the ethereal-users@ethereal.com and the \n"
-" winpcap-users@winpcap.polito.it mailing lists to see if anybody \n"
-" happens to know about the problem and know a workaround or fix for the \n"
-" problem. (Note that you will have to subscribe to that list in order \n"
-" to be allowed to mail to it; see the WinPcap support page, or the \n"
-" local mirror of that page, for information on the mailing list.) In \n"
-" your mail, please give full details of the problem, as described \n"
-" above, and also indicate that the problem occurs with WinDump, not \n"
-" just with Ethereal. \n"
-" \n"
-" Q 5.17: I'm running on a UNIX-flavored OS; why does some network \n"
-" interface on my machine not show up in the list of interfaces in the \n"
-" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
-" and/or why does Ethereal give me an error if I try to capture on that \n"
-" interface? \n"
-" \n"
-" A: You may need to run Ethereal from an account with sufficient \n"
-" privileges to capture packets, such as the super-user account. Only \n"
-" those interfaces that Ethereal can open for capturing show up in that \n"
-" list; if you don't have sufficient privileges to capture on any \n"
-" interfaces, no interfaces will show up in the list. \n"
-" \n"
-" If you are running Ethereal from an account with sufficient \n"
-" privileges, then note that Ethereal relies on the libpcap library, and \n"
-" on the facilities that come with the OS on which it's running in order \n"
-" to do captures. \n"
-" \n"
-" Therefore, if the OS or the libpcap library don't support capturing on \n"
-" a particular network interface device, Ethereal won't be able to \n"
-" capture on that device. \n"
-" \n"
-" On Linux, note that you need to have \"packet socket\" support enabled \n"
-" in your kernel; see the \"Packet socket\" item in the Linux \n"
-" \"Configure.help\" file. \n"
-" \n"
-" On BSD, note that you need to have BPF support enabled in your kernel; \n"
-" see the documentation for your system for information on how to enable \n"
-" BPF support (if it's not enabled by default on your system). \n"
-" \n"
-" On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have \n"
-" packet filtering support in your kernel; the doconfig command will \n"
-" allow you to configure and build a new kernel with that option. \n"
-" \n"
-" On Solaris, note that libpcap 0.6.2 and earlier didn't support Token \n"
-" Ring interfaces; the current version, 0.7.2, does support Token Ring, \n"
-" and the current version of Ethereal works with libcap 0.7.2 and later. \n"
-" \n"
-" If an interface doesn't show up in the list of interfaces in the \n"
-" \"Interface:\" field, and you know the name of the interface, try \n"
-" entering that name in the \"Interface:\" field and capturing on that \n"
-" device. \n"
-" \n"
-" If the attempt to capture on it succeeds, the interface is somehow not \n"
-" being reported by the mechanism Ethereal uses to get a list of \n"
-" interfaces; please report this to ethereal-dev@ethereal.com giving \n"
-" full details of the problem, including \n"
-" * the operating system you're using, and the version of that \n"
-" operating system (for Linux, give both the version number of the \n"
-" kernel and the name and version number of the distribution you're \n"
-" using); \n"
-" * the type of network device you're using. \n"
-" \n"
-" If you are having trouble capturing on a particular network interface, \n"
-" and you've made sure that (on platforms that require it) you've \n"
-" arranged that packet capture support is present, as per the above, \n"
-" first try capturing on that device with tcpdump. \n"
-" \n"
-" If you can capture on the interface with tcpdump, send mail to \n"
-" ethereal-users@ethereal.com giving full details of the problem, \n"
-" including \n"
-" * the operating system you're using, and the version of that \n"
-" operating system (for Linux, give both the version number of the \n"
-" kernel and the name and version number of the distribution you're \n"
-" using); \n"
-" * the type of network device you're using; \n"
-" * the error message you get from Ethereal. \n"
-" \n"
-" If you cannot capture on the interface with tcpdump, this is almost \n"
-" certainly a problem with one or more of: \n"
-" * the operating system you're using; \n"
-" * the device driver for the interface you're using; \n"
-" * the libpcap library; \n"
-" \n"
-" so you should report the problem to the company or organization that \n"
-" produces the OS (in the case of a Linux distribution, report the \n"
-" problem to whoever produces the distribution). \n"
-" \n"
-" You may also want to ask the ethereal-users@ethereal.com and the \n"
-" tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to \n"
-" know about the problem and know a workaround or fix for the problem. \n"
-" In your mail, please give full details of the problem, as described \n"
-" above, and also indicate that the problem occurs with tcpdump not just \n"
-" with Ethereal. \n"
-" \n"
" Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine \n"
" has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the \n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no \n"
" or, for Windows, WinPcap bug that causes the system to crash when this \n"
" happens; see the previous question. \n"
" \n"
-" Q 5.24: Does Ethereal work on Windows ME? \n"
+" Q 5.24: Does Ethereal work on Windows Me? \n"
" \n"
" A: Yes, but if you want to capture packets, you will need to install \n"
" the latest version of WinPcap, as 2.02 and earlier versions of WinPcap \n"
-" didn't support Windows ME. You should also install the latest version \n"
+" didn't support Windows Me. You should also install the latest version \n"
" of Ethereal as well. \n"
" \n"
" Q 5.25: Does Ethereal work on Windows XP? \n"
" support that and, even on operating systems that do support it, not \n"
" all drivers, and thus not all cards, support it. \n"
" \n"
+" NOTE: an interface running in monitor mode will, on most if not all \n"
+" platforms, not be able to act as a regular network interface; putting \n"
+" it into monitor mode will, in effect, take your machine off of \n"
+" whatever network it's on as long as the interface is in monitor mode, \n"
+" allowing it only to passively capture packets. \n"
+" \n"
+" This means that you should disable name resolution when capturing in \n"
+" monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump) \n"
+" tries to display IP addresses as host names, it will probably block \n"
+" for a long time trying to resolve the name because it will not be able \n"
+" to communicate with any DNS or NIS servers. \n"
+" \n"
" Cisco Aironet cards: \n"
" \n"
" The only platforms that allow Ethereal to capture raw 802.11 packets \n"
" cause packets not to be captured correctly, and the driver in \n"
" releases prior to 4.5 didn't support capturing raw packets. \n"
" \n"
-" On FreeBSD, the ancontrol utility must be used; do not enable the full \n"
-" Aironet header via BPF, as Ethereal doesn't currently support that. \n"
+" On FreeBSD, the ancontrol utility must be used. The command \n"
+" \n"
+"ancontrol -i anN -M flag \n"
+" \n"
+" is used to enable or disable monitor mode. If flag is 0, monitor mode \n"
+" will be turned off; otherwise, flag should be the sum of: \n"
+" * 1, to turn monitor mode on; \n"
+" * 2, if you want to capture traffic from any BSS rather than just \n"
+" the BSS with which the card is associated; \n"
+" * 4, if you want to see beacon packets (capturing beacon packets \n"
+" increases the CPU requirements of capturing). \n"
+" \n"
+" Don't add 8 in; Ethereal currently doesn't support the full Aironet \n"
+" header. \n"
" \n"
" On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will \n"
" need to do \n"
" \n"
"echo \"Mode: rfmon\" >/proc/driver/aironet/ethN/Config \n"
" \n"
-" if your Aironet card is ethN. To capture traffic from any BSS, do \n"
+" if your Aironet card is ethN. To capture traffic from any BSS rather \n"
+,
+
+" than just the BSS with which the card is associated, do \n"
" \n"
"echo \"Mode: y\" >/proc/driver/aironet/ethN/Config \n"
" \n"
" \n"
"echo \"Mode: ess\" >/proc/driver/aironet/ethN/Config \n"
" \n"
-" On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers \n"
-" from the airo-linux SourceForge site, you will have to capture on the \n"
-" wifiN interface if your Aironet card is ethN, after running the \n"
-" commands listed above. \n"
+" On Linux with the driver in the 2.4.20 or later kernel, or with the \n"
+" CVS drivers from the airo-linux SourceForge site, you will have to \n"
+" capture on the wifiN interface if your Aironet card is ethN, after \n"
+" running the commands listed above. \n"
" \n"
" In all of those cases, Ethereal would have to be linked with libpcap \n"
" 0.7.1 or later; this means that most Ethereal binary packages won't \n"
" check the version of the Orinoco drivers that shipped with your kernel \n"
" by examining the first few lines of the orinoco.c file. \n"
" \n"
-" Te Orinoco patches require either Solomon Peachy's patch to libpcap \n"
+" The Orinoco patches require either Solomon Peachy's patch to libpcap \n"
" 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that \n"
" version of libpcap), or the current CVS version of libpcap, which \n"
" includes his patch (download it from the \"Current Tar files\" section \n"
" On other platforms, capturing raw 802.11 packets on Orinoco cards is \n"
" not currently supported. \n"
" \n"
+" Cards with the Atheros Communications AR5000 or AR5001 chipsets: \n"
+" \n"
+" You can capture raw 802.11 packets with AR5K cards on Linux systems \n"
+" with the v5_ar5k drivers. You will need the Linux wireless-tools \n"
+" version 25 or higher to put the card into monitor mode. \n"
+" \n"
+" Cards with the Texas Instruments ACX100 chipset: \n"
+" \n"
+" You can capture raw 802.11 packets with ACX100 cards on Linux systems \n"
+" with the ACX100 OSS drivers available from the ACX100 wireless network \n"
+" driver project SourceForge site. \n"
+" \n"
" Other 802.11 interfaces: \n"
" \n"
" With other 802.11 interfaces, no platform allows Ethereal to capture \n"
" cards\", so your card might be a Prism II card), please let us know, \n"
" and include URLs for sites containing any necessary patches to add \n"
" this support. \n"
-,
-
" \n"
" On platforms that don't allow Ethereal to capture raw 802.11 packets, \n"
" the 802.11 network will appear like an Ethernet to Ethereal. \n"
" \n"
-" Q 5.31: How can I capture packets with CRC errors? \n"
+" Q 5.31: I'm trying to capture 802.11 traffic on Windows; why am I not \n"
+" seeing any packets? \n"
+" \n"
+" A: At least some 802.11 card drivers on Windows appear not to see any \n"
+" packets if they're running in promiscuous mode. Try turning \n"
+" promiscuous mode off; you'll only be able to see packets sent by and \n"
+" received by your machine, not third-party traffic, and it'll look like \n"
+" Ethernet traffic and won't include any management or control frames, \n"
+" but that's a limitation of the card drivers. \n"
+" \n"
+" Q 5.32: I'm trying to capture 802.11 traffic on Windows; why am I \n"
+" seeing packets received by the machine on which I'm capturing traffic, \n"
+" but not packets sent by that machine? \n"
+" \n"
+" A: This appears to be another problem with promiscuous mode; try \n"
+" turning it off. \n"
+" \n"
+" Q 5.33: How can I capture packets with CRC errors? \n"
" \n"
" A: Ethereal can capture only the packets that the packet capture \n"
" library - libpcap on UNIX-flavored OSes, and the WinPcap port to \n"
" (or the WinPcap driver, and the underlying OS networking code and \n"
" network interface drivers, on Windows) will allow it to capture. \n"
" \n"
-" Unless the OS can be configured to supply packets with errors such as \n"
+" Unless the OS always supplies packets with errors such as invalid CRCs \n"
+" to the raw packet capture mechanism, or can be configured to do so, \n"
" invalid CRCs to the raw packet capture mechanism, Ethereal - and other \n"
" programs that capture raw packets, such as tcpdump - cannot capture \n"
-" those packets. You will have to determine whether your OS can be so \n"
-" configured, configure it if possible, and make whatever changes to \n"
-" libpcap and the packet capture program you're using are necessary to \n"
-" support capturing those packets. \n"
-" \n"
-" Q 5.32: How can I capture entire frames, including the FCS? \n"
+" those packets. You will have to determine whether your OS needs to be \n"
+" so configured and, if so, can be so configured, configure it if \n"
+" necessary and possible, and make whatever changes to libpcap and the \n"
+" packet capture program you're using are necessary, if any, to support \n"
+" capturing those packets. \n"
+" \n"
+" Most OSes probably do not support capturing packets with invalid CRCs \n"
+" on Ethernet, and probably do not support it on most other link-layer \n"
+" types. Some drivers on some OSes do support it, such as some Ethernet \n"
+" drivers on FreeBSD; in those OSes, you might always get those packets, \n"
+" or you might only get them if you capture in promiscuous mode (you'd \n"
+" have to determine which is the case). \n"
+" \n"
+" Note that libpcap does not currently supply to programs that use it an \n"
+" indication of whether the packet's CRC was invalid (because the \n"
+" drivers themselves do not supply that information to the raw packet \n"
+" capture mechanism); therefore, Ethereal will not indicate which \n"
+" packets had CRC errors unless the FCS was captured (see the next \n"
+" question) and you're using Ethereal 0.9.15 and later, in which case \n"
+" Ethereal will check the CRC and indicate whether it's correct or not. \n"
+" \n"
+" Q 5.34: How can I capture entire frames, including the FCS? \n"
" \n"
" A: Ethereal can't capture any data that the packet capture library - \n"
" libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of \n"
" drivers, on Windows) will allow it to capture. \n"
" \n"
" For any particular link-layer network type, unless the OS supplies the \n"
-" FCS of a frame as part of the frame, or can be configured to supply \n"
-" the FCS of a frame as part of the frame, Ethereal - and other programs \n"
-" that capture raw packets, such as tcpdump - cannot capture the FCS of \n"
-" a frame. You will have to determine whether your OS can be so \n"
-" configured, configure it if possible, and make whatever changes to \n"
-" libpcap and the packet capture program you're using are necessary to \n"
-" support capturing the FCS of a frame. Most if not all OSes probably do \n"
-" not support capturing the FCS of a frame on Ethernet, and probably do \n"
-" not support it on most other link-layer types. \n"
-" \n"
-" Q 5.33: Ethereal hangs after I stop a capture. \n"
+" FCS of a frame as part of the frame, or can be configured to do so, \n"
+" Ethereal - and other programs that capture raw packets, such as \n"
+" tcpdump - cannot capture the FCS of a frame. You will have to \n"
+" determine whether your OS needs to be so configured and, if so, can be \n"
+" so configured, configure it if necessary and possible, and make \n"
+" whatever changes to libpcap and the packet capture program you're \n"
+" using are necessary, if any, to support capturing the FCS of a frame. \n"
+" \n"
+" Most OSes do not support capturing the FCS of a frame on Ethernet, and \n"
+" probably do not support it on most other link-layer types. Some \n"
+" drivres on some OSes do support it, such as some (all?) Ethernet \n"
+" drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet \n"
+" interface in Mac OS X; in those OSes, you might always get the FCS, or \n"
+" you might only get the FCS if you capture in promiscuous mode (you'd \n"
+" have to determine which is the case). \n"
+" \n"
+" Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in \n"
+" a captured packet as an FCS. 0.9.15 and later will attempt to \n"
+" determine whether there's an FCS at the end of the frame and, if it \n"
+" thinks there is, will display it as such, and will check whether it's \n"
+" the correct CRC-32 value or not. \n"
+" \n"
+" Q 5.35: Ethereal hangs after I stop a capture. \n"
" \n"
" A: The most likely reason for this is that Ethereal is trying to look \n"
" up an IP address in the capture to convert it to a name (so that, for \n"
" contains sensitive information (e.g., passwords), then please do not \n"
" send it. \n"
" \n"
-" Q 5.34: How can I search for, or filter, packets that have a \n"
+" Q 5.36: How can I search for, or filter, packets that have a \n"
" particular string anywhere in them? \n"
" \n"
" A: If you want to do this when capturing, you can't. That's a feature \n"
" particular string; this has been added to the \"Find Frame\" dialog \n"
" (\"Find Frame\" under the \"Edit\" menu, or control-F). \n"
" \n"
+" In 0.9.15 and later, you can search for those packets using either the \n"
+" mechanism introduced in 0.9.14 or using the new \"contains\" operator in \n"
+" filter expressions, which lets you search the entire packet or text \n"
+" string or byte string fields in the packet; the \"contains\" operator \n"
+" can also be used in expressions used to filter the display. \n"
+" \n"
" \n"
" Support can be found on the ethereal-users[AT]ethereal.com mailing \n"
" list. \n"
" For corrections/additions/suggestions for this page, please send email \n"
" to: ethereal-web[AT]ethereal.com \n"
-" Last modified: Tue, August 19 2003. \n"
+" Last modified: Fri, December 12 2003. \n"
};
#define FAQ_PARTS 5
-#define FAQ_SIZE 80384
+#define FAQ_SIZE 86361
5.3 I'm only seeing ARP packets when I try to capture traffic.
- 5.4 How do I put an interface into promiscuous mode?
+ 5.4 I'm running Ethereal on Windows; why does some network interface
+ on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
- 5.5 I can set a display filter just fine, but capture filters don't
+ 5.5 I'm running on a UNIX-flavored OS; why does some network interface
+ on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ 5.6 How do I put an interface into promiscuous mode?
+
+ 5.7 I can set a display filter just fine, but capture filters don't
work.
- 5.6 I'm entering valid capture filters, but I still get "parse error"
+ 5.8 I'm entering valid capture filters, but I still get "parse error"
errors.
- 5.7 I saved a filter and tried to use its name to filter the display,
+ 5.9 I saved a filter and tried to use its name to filter the display,
but I got an "Unexpected end of filter string" error.
- 5.8 Why am I seeing lots of packets with incorrect TCP checksums?
+ 5.10 Why am I seeing lots of packets with incorrect TCP checksums?
- 5.9 I've just installed Ethereal, and the traffic on my local LAN is
+ 5.11 I've just installed Ethereal, and the traffic on my local LAN is
boring.
- 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
+ 5.12 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
start it.
- 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson
+ 5.13 When I run Ethereal on Windows NT, it dies with a Dr. Watson
error, reporting an "Integer division by zero" exception, when I start
it.
- 5.12 When I try to run Ethereal, it complains about
+ 5.14 When I try to run Ethereal, it complains about
sprint_realloc_objid being undefined.
- 5.13 I'm running Ethereal on Linux; why do my time stamps have only
+ 5.15 I'm running Ethereal on Linux; why do my time stamps have only
100ms resolution, rather than 1us resolution?
- 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
+ 5.16 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
why are the time stamps on packets wrong?
- 5.15 When I try to run Ethereal on Windows, it fails to run because it
+ 5.17 When I try to run Ethereal on Windows, it fails to run because it
can't find packet.dll.
- 5.16 I'm running Ethereal on Windows; why does some network interface
- on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Ethereal give me an error if I try to capture on that
- interface?
-
- 5.17 I'm running on a UNIX-flavored OS; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Ethereal give me an error if I try to capture on that
- interface?
-
5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
"Interface" item in the "Capture Options" dialog box. Why can no
5.23 My machine crashes or resets itself when I select "Start" from
the "Capture" menu or select "Preferences" from the "Edit" menu.
- 5.24 Does Ethereal work on Windows ME?
+ 5.24 Does Ethereal work on Windows Me?
5.25 Does Ethereal work on Windows XP?
5.30 How can I capture raw 802.11 packets, including non-data
(management, beacon) packets?
- 5.31 How can I capture packets with CRC errors?
+ 5.31 I'm trying to capture 802.11 traffic on Windows; why am I not
+ seeing any packets?
- 5.32 How can I capture entire frames, including the FCS?
+ 5.32 I'm trying to capture 802.11 traffic on Windows; why am I seeing
+ packets received by the machine on which I'm capturing traffic, but
+ not packets sent by that machine?
- 5.33 Ethereal hangs after I stop a capture.
+ 5.33 How can I capture packets with CRC errors?
- 5.34 How can I search for, or filter, packets that have a particular
+ 5.34 How can I capture entire frames, including the FCS?
+
+ 5.35 Ethereal hangs after I stop a capture.
+
+ 5.36 How can I search for, or filter, packets that have a particular
string anywhere in them?
GENERAL QUESTIONS
Q 1.2: What protocols are currently supported?
- A: There are currently 393 supported protocols and media, listed
+ A: There are currently 442 supported protocols and media, listed
below. Descriptions can be found in the ethereal(1) man page.
802.1q Virtual LAN
802.1x Authentication
+ AAL type 2 signalling protocol - Capability set 1 (Q.2630.1)
AFS (4.0) Replication Server call declarations
+ ANSI A-I/F BSMAP
+ ANSI A-I/F DTAP
+ ANSI IS-637-A (SMS) Teleservice Layer
+ ANSI IS-637-A (SMS) Transport Layer
+ ANSI IS-683-A (OTA (Mobile))
+ ANSI Mobile Application Part
AOL Instant Messenger
ARCNET
ATM
Address Resolution Protocol
Aggregate Server Access Protocol
Alert Standard Forum
+ Alteon - Transparent Proxy Cache Protocol
Andrew File System (AFS)
Apache JServ Protocol v1.3
AppleTalk Filing Protocol
Async data over ISDN (V.120)
Authentication Header
BACnet Virtual Link Control
+ BSS GPRS Protocol
+ BSSAP/BSAP
Banyan Vines ARP
Banyan Vines Echo
Banyan Vines Fragmentation Protocol
Banyan Vines LLC
Banyan Vines RTP
Banyan Vines SPP
+ Bearer Independent Call Control
+ Bi-directional Fault Detection Control Message
Blocks Extensible Exchange Protocol
Boardwalk
Boot Parameters
Border Gateway Protocol
Building Automation and Control Network APDU
Building Automation and Control Network NPDU
+ CCSDS
CDS Clerk Server Calls
Check Point High Availability Protocol
Checkpoint FW-1
CoSine IPNOS L2 debug output
Common Open Policy Service
Common Unix Printing System (CUPS) Browsing Protocol
+ Connectionless Lightweight Directory Access Protocol
+ Cross Point Frame Injector
DCE DFS Calls
DCE Distributed Time Service Local Server
DCE Distributed Time Service Provider
DCE RPC
DCE Security ID Mapper
DCE/RPC BOS Server
+ DCE/RPC BUDB
+ DCE/RPC BUTC
DCE/RPC CDS Solicitation
DCE/RPC Conversation Manager
DCE/RPC Endpoint Mapper
+ DCE/RPC Endpoint Mapper4
DCE/RPC FLDB
DCE/RPC FLDB UBIK TRANSFER
DCE/RPC FLDB UBIKVOTE
+ DCE/RPC ICL RPC
DCE/RPC Kerberos V
DCE/RPC RS_ACCT
+ DCE/RPC RS_BIND
DCE/RPC RS_MISC
+ DCE/RPC RS_PROP_ACCT
DCE/RPC RS_UNIX
DCE/RPC Remote Management
DCE/RPC Repserver Calls
Fibre Channel Name Server
Fibre Channel Protocol for SCSI
Fibre Channel SW_ILS
+ Fibre Channel Security Protocol
+ Fibre Channel Single Byte Command
File Transfer Protocol (FTP)
Financial Information eXchange Protocol
Frame
Frame Relay
GARP Multicast Registration Protocol
GARP VLAN Registration Protocol
+ GPRS Network service
GPRS Tunneling Protocol
- GPRS Tunnelling Protocol v0
- GPRS Tunnelling Protocol v1
+ GSM A-I/F BSSMAP
+ GSM A-I/F DTAP
+ GSM A-I/F RP
+ GSM Mobile Application Part
+ GSM SMS TPDU (GSM 03.40)
General Inter-ORB Protocol
Generic Routing Encapsulation
Generic Security Service Application Program Interface
Gnutella Protocol
+ H225
H245
+ H4501
HP Extended Local-Link Control
HP Remote Maintenance Protocol
Hummingbird NFS Daemon
ISDN User Part
ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
ISO 8073 COTP Connection-Oriented Transport Protocol
+ ISO 8327-1 OSI Session Protocol
ISO 8473 CLNP ConnectionLess Network Protocol
ISO 8602 CLTP ConnectionLess Transport Protocol
ISO 9542 ESIS Routeing Information Exchange Protocol
ITU-T Recommendation H.261
+ ITU-T Recommendation H.263 RTP Payload header (RFC2190)
InMon sFlow
Intel ANS probe
Intelligent Platform Management Interface
Internet Control Message Protocol
Internet Control Message Protocol v6
Internet Group Management Protocol
+ Internet Group membership Authentication Protocol
Internet Message Access Protocol
Internet Printing Protocol
Internet Protocol
Kerberos
Kerberos Administration
Kernel Lock Manager
+ LWAP Control Message
+ LWAPP Encapsulated Packet
+ LWAPP Layer 3 Packet
Label Distribution Protocol
+ Laplink
Layer 2 Tunneling Protocol
Lightweight Directory Access Protocol
Line Printer Daemon Protocol
Lucent/Ascend debug output
MDS Header
MMS Message Encapsulation
+ MS Kpasswd
MS Proxy Protocol
MSN Messenger Service
MSNIP: Multicast Source Notification of Interest Protocol
Message Transfer Part Level 2
Message Transfer Part Level 3
Message Transfer Part Level 3 Management
+ Microsoft Directory Replication Service
Microsoft Distributed File System
Microsoft Exchange MAPI
Microsoft Local Security Architecture
Network Status Monitor CallBack Protocol
Network Status Monitor Protocol
Network Time Protocol
+ Nortel SONMP
Novell Distributed Print System
Null/Loopback
Open Shortest Path First
PPP-over-Ethernet Discovery
PPP-over-Ethernet Session
PPPMux Control Protocol
- Packet Encoding Rules (ASN.1 X.691)
+ Packed Encoding Rules (ASN.1 X.691)
Point-to-Point Protocol
Point-to-Point Tunnelling Protocol
Portmap
Protocol Independent Multicast
Q.2931
Q.931
+ Q.933
Quake II Network Protocol
Quake III Arena Network Protocol
Quake Network Protocol
QuakeWorld Network Protocol
Qualified Logical Link Control
RFC 2250 MPEG1
+ RFC 2833 RTP Event
RIPng
RPC Browser
+ RS Interface properties
RSTAT
RSYNC File Synchroniser
RX Protocol
Remote Program Load
Remote Quota
Remote Shell
+ Remote Shutdown
Remote Wall protocol
Remote sec_login preauth interface.
Resource ReserVation Protocol (RSVP)
Routing Table Maintenance Protocol
SADMIND
SCSI
+ SEBEK - Kernel Data Capture
SGI Mount Service
SMB (Server Message Block Protocol)
SMB MailSlot Protocol
Session Announcement Protocol
Session Description Protocol
Session Initiation Protocol
+ Session Initiation Protocol (SIP as raw text)
Short Message Peer to Peer
Signalling Connection Control Part
Signalling Connection Control Part Management
Simple Mail Transfer Protocol
Simple Network Management Protocol
+ Simple Traversal of UDP Through NAT
Sinec H1 Protocol
Skinny Client Control Protocol
SliMP3 Communication Protocol
Syslog message
Systems Network Architecture
Systems Network Architecture XID
+ T38
TACACS
TACACS+
+ TEREDO Tunneling IPv6 over UDP through NATs
TPKT
Tabular Data Stream
Tazmen Sniffer Protocol
Time Synchronization Protocol
Token-Ring
Token-Ring Media Access Control
+ Transaction Capabilities Application Part
Transmission Control Protocol
Transparent Network Substrate Protocol
Trivial File Transfer Protocol
Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
installed; only Tethereal is installed.
- A: Red Hat RPMs for Ethereal put only the non-GUI components into the
- ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding;
- there's a separate ethereal-gnome RPM that includes GUI components
- such as Ethereal itself, the fact that Ethereal doesn't use GNOME
- nonwithstanding. Find the ethereal-gnome RPM, and install that also.
+ A: Older versions of the Red Hat RPMs for Ethereal put only the
+ non-GUI components into the ethereal RPM, the fact that Ethereal is a
+ GUI program nonwithstanding; newer versions make it a bit clearer by
+ giving that RPM a name starting with ethereal-base.
+
+ In those older versions, there's a separate ethereal-gnome RPM that
+ includes GUI components such as Ethereal itself, the fact that
+ Ethereal doesn't use GNOME nonwithstanding; newer versions make it a
+ bit clearer by giving that RPM a name starting with ethereal-gtk+.
+
+ Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.
BUILDING ETHEREAL
Q 4.1: The configure script can't find pcap.h or bpf.h, but I have
ports on the console for HP Advancestack Switch 208 and 224;
* the "Network Monitoring Port Features" section of chapter 6 of
documentation from HP for HP ProCurve Switches 1600M, 2424M,
- 4000M, and 8000M.
+ 4000M, and 8000M;
+ * the "Switch Port-Mirroring" section of chapter 6 of documentation
+ from Extreme Networks for their Summit 200 switches;
+ * the documentation on "Configuring Port Mirroring and Monitoring"
+ in Foundry Networks' documentation for their FastIron Edge
+ Switches;
+ * the documentation on "Configuring Port Mirroring and Monitoring"
+ in Foundry Networks' documentation for their BigIron MG8 Layer 3
+ Switches;
+ * the "Port Monitor" subsection of the "Status Monitor and
+ Statistics" section of the documentation from Foundry Networks for
+ their EdgeIron 4802F and 10GC2F switches;
+ * the "Configuring Port Mirroring" section of chapter 3 of the
+ documentation from Foundry Networks for their EdgeIron 24G,
+ 2402CF, and 4802CF switches;
+ * the documentation on "Configuring Port Mirroring and Monitoring"
+ in Foundry Networks' documentation for their other switches and
+ metro routers.
Note also that many firewall/NAT boxes have a switch built into them;
this includes many of the "cable/DSL router" boxes. If you have a box
I.e., this is probably the same question as this earlier one; see the
response to that question.
- Q 5.4: How do I put an interface into promiscuous mode?
+ Q 5.4: I'm running Ethereal on Windows; why does some network
+ interface on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
+ Windows XP, or Windows Server, and this is the first time you have run
+ a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,
+ or Analyzer, or...) since the machine was rebooted, you need to run
+ that program from an account with administrator privileges; once you
+ have run such a program, you will not need administrator privileges to
+ run any such programs until you reboot.
+
+ If you are running on Windows 95/98/Me, or if you are running on
+ Windows NT 4.0/2000/XP/Server and have administrator privileges or a
+ WinPcap-based program has been run with those privileges since the
+ machine rebooted, then note that Ethereal relies on the WinPcap
+ library, on the WinPcap device driver, and on the facilities that come
+ with the OS on which it's running in order to do captures.
+
+ Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
+ support capturing on a particular network interface device, Ethereal
+ won't be able to capture on that device.
+
+ Note that:
+ 1. 2.02 and earlier versions of the WinPcap driver and library that
+ Ethereal uses for packet capture didn't support Token Ring
+ interfaces; versions 2.1 and later support Token Ring, and the
+ current version of Ethereal works with (and, in fact, requires)
+ WinPcap 2.1 or later.
+ If you are having problems capturing on Token Ring interfaces, and
+ you have WinPcap 2.02 or an earlier version of WinPcap installed,
+ you should uninstall WinPcap, download and install the current
+ version of WinPcap, and then install the latest version of
+ Ethereal.
+ 2. On Windows 95, 98, or Me, sometimes more than one interface will
+ be given the same name; if that is the case, you will only be able
+ to capture on one of those interfaces - it's not clear to which
+ one the name, when used in a WinPcap-based application, will
+ refer. For example, if you have a PPP serial interface and a VPN
+ interface, they might show up with the same name, for example
+ "ppp-mac", and if you try to capture on "ppp-mac", it might not
+ capture on the interface you're currently using. In that case, you
+ might, for example, have to remove the VPN interface from the
+ system in order to capture on the PPP serial interface.
+ 3. WinPcap doesn't support PPP WAN interfaces on Windows
+ NT/2000/XP/Server, so Ethereal cannot capture packets on those
+ devices when running on Windows NT/2000/XP/Server. Regular dial-up
+ lines, ISDN lines, and various other lines such as T1/E1 lines are
+ all PPP interfaces. This may cause the interface not to show up on
+ the list of interfaces in the "Capture Options" dialog.
+ 4. WinPcap prior to 3.0 does not support multiprocessor machines
+ (note that machines with a single multi-threaded processor, such
+ as Intel's new multi-threaded x86 processors, are multiprocessor
+ machines as far as the OS and WinPcap are concerned), and recent
+ 2.x versions of WinPcap refuse to operate if they detect that
+ they're running on a multiprocessor machine, which means that they
+ may not show any network interfaces. You will need to use WinPcap
+ 3.0 to capture on a multiprocessor machine.
+
+ If an interface doesn't show up in the list of interfaces in the
+ "Interface:" field, and you know the name of the interface, try
+ entering that name in the "Interface:" field and capturing on that
+ device.
+
+ If the attempt to capture on it succeeds, the interface is somehow not
+ being reported by the mechanism Ethereal uses to get a list of
+ interfaces; please report this to ethereal-dev@ethereal.com giving
+ full details of the problem, including
+ * the operating system you're using, and the version of that
+ operating system;
+ * the type of network device you're using.
+
+ If you are having trouble capturing on a particular network interface,
+ first try capturing on that device with WinDump; see the WinDump Web
+ site or the local mirror of the WinDump Web site for information on
+ using WinDump.
+
+ If you can capture on the interface with WinDump, send mail to
+ ethereal-users@ethereal.com giving full details of the problem,
+ including
+ * the operating system you're using, and the version of that
+ operating system;
+ * the type of network device you're using;
+ * the error message you get from Ethereal.
+
+ If you cannot capture on the interface with WinDump, this is almost
+ certainly a problem with one or more of:
+ * the operating system you're using;
+ * the device driver for the interface you're using;
+ * the WinPcap library and/or the WinPcap device driver;
+
+ so first check the WinPcap FAQ, the local mirror of that FAQ, or the
+ Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
+ there. If not, then see the WinPcap support page (or the local mirror
+ of that page) - check the "Submitting bugs" section.
+
+ You may also want to ask the ethereal-users@ethereal.com and the
+ winpcap-users@winpcap.polito.it mailing lists to see if anybody
+ happens to know about the problem and know a workaround or fix for the
+ problem. (Note that you will have to subscribe to that list in order
+ to be allowed to mail to it; see the WinPcap support page, or the
+ local mirror of that page, for information on the mailing list.) In
+ your mail, please give full details of the problem, as described
+ above, and also indicate that the problem occurs with WinDump, not
+ just with Ethereal.
+
+ Q 5.5: I'm running on a UNIX-flavored OS; why does some network
+ interface on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ A: You may need to run Ethereal from an account with sufficient
+ privileges to capture packets, such as the super-user account. Only
+ those interfaces that Ethereal can open for capturing show up in that
+ list; if you don't have sufficient privileges to capture on any
+ interfaces, no interfaces will show up in the list.
+
+ If you are running Ethereal from an account with sufficient
+ privileges, then note that Ethereal relies on the libpcap library, and
+ on the facilities that come with the OS on which it's running in order
+ to do captures.
+
+ Therefore, if the OS or the libpcap library don't support capturing on
+ a particular network interface device, Ethereal won't be able to
+ capture on that device.
+
+ On Linux, note that you need to have "packet socket" support enabled
+ in your kernel; see the "Packet socket" item in the Linux
+ "Configure.help" file.
+
+ On BSD, note that you need to have BPF support enabled in your kernel;
+ see the documentation for your system for information on how to enable
+ BPF support (if it's not enabled by default on your system).
+
+ On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
+ packet filtering support in your kernel; the doconfig command will
+ allow you to configure and build a new kernel with that option.
+
+ On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
+ Ring interfaces; the current version, 0.7.2, does support Token Ring,
+ and the current version of Ethereal works with libcap 0.7.2 and later.
+
+ If an interface doesn't show up in the list of interfaces in the
+ "Interface:" field, and you know the name of the interface, try
+ entering that name in the "Interface:" field and capturing on that
+ device.
+
+ If the attempt to capture on it succeeds, the interface is somehow not
+ being reported by the mechanism Ethereal uses to get a list of
+ interfaces; please report this to ethereal-dev@ethereal.com giving
+ full details of the problem, including
+ * the operating system you're using, and the version of that
+ operating system (for Linux, give both the version number of the
+ kernel and the name and version number of the distribution you're
+ using);
+ * the type of network device you're using.
+
+ If you are having trouble capturing on a particular network interface,
+ and you've made sure that (on platforms that require it) you've
+ arranged that packet capture support is present, as per the above,
+ first try capturing on that device with tcpdump.
+
+ If you can capture on the interface with tcpdump, send mail to
+ ethereal-users@ethereal.com giving full details of the problem,
+ including
+ * the operating system you're using, and the version of that
+ operating system (for Linux, give both the version number of the
+ kernel and the name and version number of the distribution you're
+ using);
+ * the type of network device you're using;
+ * the error message you get from Ethereal.
+
+ If you cannot capture on the interface with tcpdump, this is almost
+ certainly a problem with one or more of:
+ * the operating system you're using;
+ * the device driver for the interface you're using;
+ * the libpcap library;
+
+ so you should report the problem to the company or organization that
+ produces the OS (in the case of a Linux distribution, report the
+ problem to whoever produces the distribution).
+
+ You may also want to ask the ethereal-users@ethereal.com and the
+ tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
+ know about the problem and know a workaround or fix for the problem.
+ In your mail, please give full details of the problem, as described
+ above, and also indicate that the problem occurs with tcpdump not just
+ with Ethereal.
+
+ Q 5.6: How do I put an interface into promiscuous mode?
A: By not disabling promiscuous mode when running Ethereal or
Tethereal.
I.e., this is probably the same question as this earlier one; see the
response to that question.
- Q 5.5: I can set a display filter just fine, but capture filters don't
+ Q 5.7: I can set a display filter just fine, but capture filters don't
work.
A: Capture filters currently use a different syntax than display
The capture filter syntax used by libpcap can be found in the
tcpdump(8) man page.
- Q 5.6: I'm entering valid capture filters, but I still get "parse
+ Q 5.8: I'm entering valid capture filters, but I still get "parse
error" errors.
A: There is a bug in some versions of libpcap/WinPcap that cause it to
WinPcap, you will need to un-install WinPcap and then download and
install WinPcap 2.3.
- Q 5.7: I saved a filter and tried to use its name to filter the
+ Q 5.9: I saved a filter and tried to use its name to filter the
display, but I got an "Unexpected end of filter string" error.
A: You cannot use the name of a saved display filter as a filter. To
use a saved filter, you can press the "Filter:" button, select the
filter in the dialog box that pops up, and press the "OK" button.
- Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums?
+ Q 5.10: Why am I seeing lots of packets with incorrect TCP checksums?
A: If the packets that have incorrect TCP checksums are all being sent
by the machine on which Ethereal is running, this is probably because
tcp.check_checksum:false command-line flag, or manually set in your
preferences file by adding a tcp.check_checksum:false line.
- Q 5.9: I've just installed Ethereal, and the traffic on my local LAN
+ Q 5.11: I've just installed Ethereal, and the traffic on my local LAN
is boring.
A: We have a collection of strange and exotic sample capture files at
http://www.ethereal.com/sample/
- Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error
+ Q 5.12: When I run Ethereal on Solaris 8, it dies with a Bus Error
when I start it.
A: Some versions of the GTK+ library from www.sunfreeware.org appear
Similar problems may exist with older versions of GTK+ for earlier
versions of Solaris.
- Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson
+ Q 5.13: When I run Ethereal on Windows NT, it dies with a Dr. Watson
error, reporting an "Integer division by zero" exception, when I start
it.
VGA driver; if that's not the correct driver for your video card, try
running the correct driver for your video card.
- Q 5.12: When I try to run Ethereal, it complains about
+ Q 5.14: When I try to run Ethereal, it complains about
sprint_realloc_objid being undefined.
A: Ethereal can only be linked with version 4.2.2 or later of UCD
the older version, and fails. You will have to replace that version of
UCD SNMP with version 4.2.2 or a later version.
- Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only
+ Q 5.15: I'm running Ethereal on Linux; why do my time stamps have only
100ms resolution, rather than 1us resolution?
A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
have to run a standard kernel from kernel.org in order to get
high-resolution time stamps.
- Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
+ Q 5.16: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
why are the time stamps on packets wrong?
A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap
3.0.
- Q 5.15: When I try to run Ethereal on Windows, it fails to run because
+ Q 5.17: When I try to run Ethereal on Windows, it fails to run because
it can't find packet.dll.
A: In older versions of Ethereal, there were two binary distributions
Web site, the local mirror of the WinPcap Web site, or the
Wiretapped.net mirror of the WinPcap site.
- Q 5.16: I'm running Ethereal on Windows; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Ethereal give me an error if I try to capture on that
- interface?
-
- A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
- Windows XP, or Windows Server, and this is the first time you have run
- a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,
- or Analyzer, or...) since the machine was rebooted, you need to run
- that program from an account with administrator privileges; once you
- have run such a program, you will not need administrator privileges to
- run any such programs until you reboot.
-
- If you are running on Windows 95/98/Me, or if you are running on
- Windows NT 4.0/2000/XP/Server and have administrator privileges or a
- WinPcap-based program has been run with those privileges since the
- machine rebooted, then note that Ethereal relies on the WinPcap
- library, on the WinPcap device driver, and on the facilities that come
- with the OS on which it's running in order to do captures.
-
- Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
- support capturing on a particular network interface device, Ethereal
- won't be able to capture on that device.
-
- Note that:
- * 2.02 and earlier versions of the WinPcap driver and library that
- Ethereal uses for packet capture didn't support Token Ring
- interfaces; the current version, 2.3, does support Token Ring, and
- the current version of Ethereal works with (and, in fact,
- requires) WinPcap 2.1 or later.
- If you are having problems capturing on Token Ring interfaces, and
- you have WinPcap 2.02 or an earlier version of WinPcap installed,
- you should uninstall WinPcap, download and install the current
- version of WinPcap, and then install the latest version of
- Ethereal.
- * On Windows 95, 98, or Me, sometimes more than one interface will
- be given the same name; if that is the case, you will only be able
- to capture on one of those interfaces - it's not clear to which
- one the name, when used in a WinPcap-based application, will
- refer. For example, if you have a PPP serial interface and a VPN
- interface, they might show up with the same name, for example
- "ppp-mac", and if you try to capture on "ppp-mac", it might not
- capture on the interface you're currently using. In that case, you
- might, for example, have to remove the VPN interface from the
- system in order to capture on the PPP serial interface.
- * WinPcap doesn't support PPP WAN interfaces on Windows
- NT/2000/XP/Server, so Ethereal cannot capture packets on those
- devices when running on Windows NT/2000/XP/Server. Regular dial-up
- lines, ISDN lines, and various other lines such as T1/E1 lines are
- all PPP interfaces. This may cause the interface not to show up on
- the list of interfaces in the "Capture Options" dialog.
- * WinPcap prior to 3.0 does not support multiprocessor machines
- (note that machines with a single multi-threaded processor, such
- as Intel's new multi-threaded x86 processors, are multiprocessor
- machines as far as the OS and WinPcap are concerned), and recent
- 2.x versions of WinPcap refuse to operate if they detect that
- they're running on a multiprocessor machine, which means that they
- may not show any network interfaces. You will need to use WinPcap
- 3.0 to capture on a multiprocessor machine.
-
- If an interface doesn't show up in the list of interfaces in the
- "Interface:" field, and you know the name of the interface, try
- entering that name in the "Interface:" field and capturing on that
- device.
-
- If the attempt to capture on it succeeds, the interface is somehow not
- being reported by the mechanism Ethereal uses to get a list of
- interfaces; please report this to ethereal-dev@ethereal.com giving
- full details of the problem, including
- * the operating system you're using, and the version of that
- operating system;
- * the type of network device you're using.
-
- If you are having trouble capturing on a particular network interface,
- and you've made sure that (on platforms that require it) you've
- arranged that packet capture support is present, as per the above,
- first try capturing on that device with WinDump; see the WinDump Web
- site or the local mirror of the WinDump Web site for information on
- using WinDump.
-
- If you can capture on the interface with WinDump, send mail to
- ethereal-users@ethereal.com giving full details of the problem,
- including
- * the operating system you're using, and the version of that
- operating system;
- * the type of network device you're using;
- * the error message you get from Ethereal.
-
- If you cannot capture on the interface with WinDump, this is almost
- certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the WinPcap library and/or the WinPcap device driver;
-
- so first check the WinPcap FAQ, the local mirror of that FAQ, or the
- Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
- there. If not, then see the WinPcap support page (or the local mirror
- of that page) - check the "Submitting bugs" section.
-
- You may also want to ask the ethereal-users@ethereal.com and the
- winpcap-users@winpcap.polito.it mailing lists to see if anybody
- happens to know about the problem and know a workaround or fix for the
- problem. (Note that you will have to subscribe to that list in order
- to be allowed to mail to it; see the WinPcap support page, or the
- local mirror of that page, for information on the mailing list.) In
- your mail, please give full details of the problem, as described
- above, and also indicate that the problem occurs with WinDump, not
- just with Ethereal.
-
- Q 5.17: I'm running on a UNIX-flavored OS; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Ethereal give me an error if I try to capture on that
- interface?
-
- A: You may need to run Ethereal from an account with sufficient
- privileges to capture packets, such as the super-user account. Only
- those interfaces that Ethereal can open for capturing show up in that
- list; if you don't have sufficient privileges to capture on any
- interfaces, no interfaces will show up in the list.
-
- If you are running Ethereal from an account with sufficient
- privileges, then note that Ethereal relies on the libpcap library, and
- on the facilities that come with the OS on which it's running in order
- to do captures.
-
- Therefore, if the OS or the libpcap library don't support capturing on
- a particular network interface device, Ethereal won't be able to
- capture on that device.
-
- On Linux, note that you need to have "packet socket" support enabled
- in your kernel; see the "Packet socket" item in the Linux
- "Configure.help" file.
-
- On BSD, note that you need to have BPF support enabled in your kernel;
- see the documentation for your system for information on how to enable
- BPF support (if it's not enabled by default on your system).
-
- On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
- packet filtering support in your kernel; the doconfig command will
- allow you to configure and build a new kernel with that option.
-
- On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
- Ring interfaces; the current version, 0.7.2, does support Token Ring,
- and the current version of Ethereal works with libcap 0.7.2 and later.
-
- If an interface doesn't show up in the list of interfaces in the
- "Interface:" field, and you know the name of the interface, try
- entering that name in the "Interface:" field and capturing on that
- device.
-
- If the attempt to capture on it succeeds, the interface is somehow not
- being reported by the mechanism Ethereal uses to get a list of
- interfaces; please report this to ethereal-dev@ethereal.com giving
- full details of the problem, including
- * the operating system you're using, and the version of that
- operating system (for Linux, give both the version number of the
- kernel and the name and version number of the distribution you're
- using);
- * the type of network device you're using.
-
- If you are having trouble capturing on a particular network interface,
- and you've made sure that (on platforms that require it) you've
- arranged that packet capture support is present, as per the above,
- first try capturing on that device with tcpdump.
-
- If you can capture on the interface with tcpdump, send mail to
- ethereal-users@ethereal.com giving full details of the problem,
- including
- * the operating system you're using, and the version of that
- operating system (for Linux, give both the version number of the
- kernel and the name and version number of the distribution you're
- using);
- * the type of network device you're using;
- * the error message you get from Ethereal.
-
- If you cannot capture on the interface with tcpdump, this is almost
- certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the libpcap library;
-
- so you should report the problem to the company or organization that
- produces the OS (in the case of a Linux distribution, report the
- problem to whoever produces the distribution).
-
- You may also want to ask the ethereal-users@ethereal.com and the
- tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
- know about the problem and know a workaround or fix for the problem.
- In your mail, please give full details of the problem, as described
- above, and also indicate that the problem occurs with tcpdump not just
- with Ethereal.
-
Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
"Interface" item in the "Capture Options" dialog box. Why can no
or, for Windows, WinPcap bug that causes the system to crash when this
happens; see the previous question.
- Q 5.24: Does Ethereal work on Windows ME?
+ Q 5.24: Does Ethereal work on Windows Me?
A: Yes, but if you want to capture packets, you will need to install
the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
- didn't support Windows ME. You should also install the latest version
+ didn't support Windows Me. You should also install the latest version
of Ethereal as well.
Q 5.25: Does Ethereal work on Windows XP?
support that and, even on operating systems that do support it, not
all drivers, and thus not all cards, support it.
+ NOTE: an interface running in monitor mode will, on most if not all
+ platforms, not be able to act as a regular network interface; putting
+ it into monitor mode will, in effect, take your machine off of
+ whatever network it's on as long as the interface is in monitor mode,
+ allowing it only to passively capture packets.
+
+ This means that you should disable name resolution when capturing in
+ monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump)
+ tries to display IP addresses as host names, it will probably block
+ for a long time trying to resolve the name because it will not be able
+ to communicate with any DNS or NIS servers.
+
Cisco Aironet cards:
The only platforms that allow Ethereal to capture raw 802.11 packets
cause packets not to be captured correctly, and the driver in
releases prior to 4.5 didn't support capturing raw packets.
- On FreeBSD, the ancontrol utility must be used; do not enable the full
- Aironet header via BPF, as Ethereal doesn't currently support that.
+ On FreeBSD, the ancontrol utility must be used. The command
+
+ancontrol -i anN -M flag
+
+ is used to enable or disable monitor mode. If flag is 0, monitor mode
+ will be turned off; otherwise, flag should be the sum of:
+ * 1, to turn monitor mode on;
+ * 2, if you want to capture traffic from any BSS rather than just
+ the BSS with which the card is associated;
+ * 4, if you want to see beacon packets (capturing beacon packets
+ increases the CPU requirements of capturing).
+
+ Don't add 8 in; Ethereal currently doesn't support the full Aironet
+ header.
On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will
need to do
echo "Mode: rfmon" >/proc/driver/aironet/ethN/Config
- if your Aironet card is ethN. To capture traffic from any BSS, do
+ if your Aironet card is ethN. To capture traffic from any BSS rather
+ than just the BSS with which the card is associated, do
echo "Mode: y" >/proc/driver/aironet/ethN/Config
echo "Mode: ess" >/proc/driver/aironet/ethN/Config
- On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers
- from the airo-linux SourceForge site, you will have to capture on the
- wifiN interface if your Aironet card is ethN, after running the
- commands listed above.
+ On Linux with the driver in the 2.4.20 or later kernel, or with the
+ CVS drivers from the airo-linux SourceForge site, you will have to
+ capture on the wifiN interface if your Aironet card is ethN, after
+ running the commands listed above.
In all of those cases, Ethereal would have to be linked with libpcap
0.7.1 or later; this means that most Ethereal binary packages won't
check the version of the Orinoco drivers that shipped with your kernel
by examining the first few lines of the orinoco.c file.
- Te Orinoco patches require either Solomon Peachy's patch to libpcap
+ The Orinoco patches require either Solomon Peachy's patch to libpcap
0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that
version of libpcap), or the current CVS version of libpcap, which
includes his patch (download it from the "Current Tar files" section
On other platforms, capturing raw 802.11 packets on Orinoco cards is
not currently supported.
+ Cards with the Atheros Communications AR5000 or AR5001 chipsets:
+
+ You can capture raw 802.11 packets with AR5K cards on Linux systems
+ with the v5_ar5k drivers. You will need the Linux wireless-tools
+ version 25 or higher to put the card into monitor mode.
+
+ Cards with the Texas Instruments ACX100 chipset:
+
+ You can capture raw 802.11 packets with ACX100 cards on Linux systems
+ with the ACX100 OSS drivers available from the ACX100 wireless network
+ driver project SourceForge site.
+
Other 802.11 interfaces:
With other 802.11 interfaces, no platform allows Ethereal to capture
On platforms that don't allow Ethereal to capture raw 802.11 packets,
the 802.11 network will appear like an Ethernet to Ethereal.
- Q 5.31: How can I capture packets with CRC errors?
+ Q 5.31: I'm trying to capture 802.11 traffic on Windows; why am I not
+ seeing any packets?
+
+ A: At least some 802.11 card drivers on Windows appear not to see any
+ packets if they're running in promiscuous mode. Try turning
+ promiscuous mode off; you'll only be able to see packets sent by and
+ received by your machine, not third-party traffic, and it'll look like
+ Ethernet traffic and won't include any management or control frames,
+ but that's a limitation of the card drivers.
+
+ Q 5.32: I'm trying to capture 802.11 traffic on Windows; why am I
+ seeing packets received by the machine on which I'm capturing traffic,
+ but not packets sent by that machine?
+
+ A: This appears to be another problem with promiscuous mode; try
+ turning it off.
+
+ Q 5.33: How can I capture packets with CRC errors?
A: Ethereal can capture only the packets that the packet capture
library - libpcap on UNIX-flavored OSes, and the WinPcap port to
(or the WinPcap driver, and the underlying OS networking code and
network interface drivers, on Windows) will allow it to capture.
- Unless the OS can be configured to supply packets with errors such as
+ Unless the OS always supplies packets with errors such as invalid CRCs
+ to the raw packet capture mechanism, or can be configured to do so,
invalid CRCs to the raw packet capture mechanism, Ethereal - and other
programs that capture raw packets, such as tcpdump - cannot capture
- those packets. You will have to determine whether your OS can be so
- configured, configure it if possible, and make whatever changes to
- libpcap and the packet capture program you're using are necessary to
- support capturing those packets.
-
- Q 5.32: How can I capture entire frames, including the FCS?
+ those packets. You will have to determine whether your OS needs to be
+ so configured and, if so, can be so configured, configure it if
+ necessary and possible, and make whatever changes to libpcap and the
+ packet capture program you're using are necessary, if any, to support
+ capturing those packets.
+
+ Most OSes probably do not support capturing packets with invalid CRCs
+ on Ethernet, and probably do not support it on most other link-layer
+ types. Some drivers on some OSes do support it, such as some Ethernet
+ drivers on FreeBSD; in those OSes, you might always get those packets,
+ or you might only get them if you capture in promiscuous mode (you'd
+ have to determine which is the case).
+
+ Note that libpcap does not currently supply to programs that use it an
+ indication of whether the packet's CRC was invalid (because the
+ drivers themselves do not supply that information to the raw packet
+ capture mechanism); therefore, Ethereal will not indicate which
+ packets had CRC errors unless the FCS was captured (see the next
+ question) and you're using Ethereal 0.9.15 and later, in which case
+ Ethereal will check the CRC and indicate whether it's correct or not.
+
+ Q 5.34: How can I capture entire frames, including the FCS?
A: Ethereal can't capture any data that the packet capture library -
libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
drivers, on Windows) will allow it to capture.
For any particular link-layer network type, unless the OS supplies the
- FCS of a frame as part of the frame, or can be configured to supply
- the FCS of a frame as part of the frame, Ethereal - and other programs
- that capture raw packets, such as tcpdump - cannot capture the FCS of
- a frame. You will have to determine whether your OS can be so
- configured, configure it if possible, and make whatever changes to
- libpcap and the packet capture program you're using are necessary to
- support capturing the FCS of a frame. Most if not all OSes probably do
- not support capturing the FCS of a frame on Ethernet, and probably do
- not support it on most other link-layer types.
-
- Q 5.33: Ethereal hangs after I stop a capture.
+ FCS of a frame as part of the frame, or can be configured to do so,
+ Ethereal - and other programs that capture raw packets, such as
+ tcpdump - cannot capture the FCS of a frame. You will have to
+ determine whether your OS needs to be so configured and, if so, can be
+ so configured, configure it if necessary and possible, and make
+ whatever changes to libpcap and the packet capture program you're
+ using are necessary, if any, to support capturing the FCS of a frame.
+
+ Most OSes do not support capturing the FCS of a frame on Ethernet, and
+ probably do not support it on most other link-layer types. Some
+ drivres on some OSes do support it, such as some (all?) Ethernet
+ drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet
+ interface in Mac OS X; in those OSes, you might always get the FCS, or
+ you might only get the FCS if you capture in promiscuous mode (you'd
+ have to determine which is the case).
+
+ Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in
+ a captured packet as an FCS. 0.9.15 and later will attempt to
+ determine whether there's an FCS at the end of the frame and, if it
+ thinks there is, will display it as such, and will check whether it's
+ the correct CRC-32 value or not.
+
+ Q 5.35: Ethereal hangs after I stop a capture.
A: The most likely reason for this is that Ethereal is trying to look
up an IP address in the capture to convert it to a name (so that, for
contains sensitive information (e.g., passwords), then please do not
send it.
- Q 5.34: How can I search for, or filter, packets that have a
+ Q 5.36: How can I search for, or filter, packets that have a
particular string anywhere in them?
A: If you want to do this when capturing, you can't. That's a feature
particular string; this has been added to the "Find Frame" dialog
("Find Frame" under the "Edit" menu, or control-F).
+ In 0.9.15 and later, you can search for those packets using either the
+ mechanism introduced in 0.9.14 or using the new "contains" operator in
+ filter expressions, which lets you search the entire packet or text
+ string or byte string fields in the packet; the "contains" operator
+ can also be used in expressions used to filter the display.
+
Support can be found on the ethereal-users[AT]ethereal.com mailing
list.
For corrections/additions/suggestions for this page, please send email
to: ethereal-web[AT]ethereal.com
- Last modified: Tue, August 19 2003.
+ Last modified: Fri, December 12 2003.
git.samba.org / obnox / wireshark / wip.git / commitdiff