4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.ethereal.com/faq.html for the up
6 to date version. The version of this snapshot can be found at
7 the end of this document.
14 1.1 Where can I get help?
16 1.2 How much does Ethereal cost?
18 1.3 Can I use Ethereal commercially?
20 1.4 Can I use Ethereal as part of my commercial product?
22 1.5 What protocols are currently supported?
24 1.6 Are there any plans to support {your favorite protocol}?
26 1.7 Can Ethereal read capture files from {your favorite network analyzer}?
28 1.8 What devices can Ethereal use to capture packets?
30 1.9 How do you pronounce Ethereal? Where did the name come from?
32 1.10 Does Ethereal work on Windows Me?
34 1.11 Does Ethereal work on Windows XP?
36 2. Downloading Ethereal:
38 2.1 Why do I get an error when I try to run the Win32 installer?
40 2.2 Why can't I get to the WinPcap Web site in order to download WinPcap?
42 3. Installing Ethereal:
44 3.1 I installed an Ethereal RPM; why did it install Tethereal but not
49 4.1 I have libpcap installed; why did the configure script not find pcap.h
52 4.2 Why do I get the error
54 dftest_DEPENDENCIES was already defined in condition TRUE, which implies
55 condition HAVE_PLUGINS_TRUE
57 when I try to build Ethereal from SVN or a SVN snapshot?
59 4.3 Why does the linker fail with a number of "Output line too long."
60 messages followed by linker errors when I try to buil Ethereal?
62 4.4 When I try to build Ethereal on Solaris, why does the link fail
63 complaining that plugin_list is undefined?
65 4.5 When I try to build Ethereal on Windows, why does the build fail because
66 of conflicts between winsock.h and winsock2.h?
70 5.1 Why does Ethereal crash with a Bus Error when I try to run it on Solaris
73 5.2 When I run Tethereal with the "-x" option, why does it crash with an
76 "** ERROR **: file print.c: line 691 (print_line): should not be reached.
78 5.3 When I run Ethereal on Windows NT, why does it die with a Dr. Watson
79 error, reporting an "Integer division by zero" exception, when I start it?
81 5.4 When I try to run Ethereal, why does it complain about
82 sprint_realloc_objid being undefined?
84 5.5 When I try to run Ethereal on Windows, why does it fail to run with a
85 complaint that it can't find packet.dll?
87 5.6 Why do I get the error
89 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
93 when I try to run Ethereal on Windows?
95 5.7 I've installed Ethereal from Fink on Mac OS X; why is it very slow to
98 6. Crashes and other fatal errors:
100 6.1 When I run Ethereal, why do I get an error
102 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
103 assertion `height > 0' failed.
105 6.2 I have an XXX network card on my machine; if I try to capture on it, why
106 does my machine crash or reset itself?
108 6.3 Why does my machine crash or reset itself when I select "Start" from the
109 "Capture" menu or select "Preferences" from the "Edit" menu?
111 7. Capturing packets:
113 7.1 When I use Ethereal to capture packets, why do I see only packets to and
114 from my machine, or not see all the traffic I'm expecting to see from or to
115 the machine I'm trying to monitor?
117 7.2 When I capture with Ethereal, why can't I see any TCP packets other than
118 packets to and from my machine, even though another analyzer on the network
121 7.3 Why am I only seeing ARP packets when I try to capture traffic?
123 7.4 Why am I not seeing any traffic when I try to capture traffic?
125 7.5 Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
127 7.6 How do I put an interface into promiscuous mode?
129 7.7 I can set a display filter just fine; why don't capture filters work?
131 7.8 I'm entering valid capture filters; why do I still get "parse error"
134 7.9 How can I capture packets with CRC errors?
136 7.10 How can I capture entire frames, including the FCS?
138 7.11 I'm capturing packets on a machine on a VLAN; why don't the packets I'm
139 capturing have VLAN tags?
141 7.12 Why does Ethereal hang after I stop a capture?
143 8. Capturing packets on Windows:
145 8.1 I'm running Ethereal on Windows; why does some network interface on my
146 machine not show up in the list of interfaces in the "Interface:" field in
147 the dialog box popped up by "Capture->Start", and/or why does Ethereal give
148 me an error if I try to capture on that interface?
150 8.2 I'm running Ethereal on Windows; why do no network interfaces show up in
151 the list of interfaces in the "Interface:" field in the dialog box popped up
154 8.3 I'm running Ethereal on Windows; why doesn't my serial port/ADSL
155 modem/ISDN modem show up in the list of interfaces in the "Interface:" field
156 in the dialog box popped up by "Capture->Start"?
158 8.4 I'm running Ethereal on Windows NT 4.0/Windows 2000/Windows XP/Windows
159 Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.) interface, and
160 it shows up in the "Interface" item in the "Capture Options" dialog box. Why
161 can no packets be sent on or received from that network while I'm trying to
162 capture traffic on that interface?
164 8.5 I'm running Ethereal on Windows 95/98/Me, on a machine with more than
165 one network adapter of the same type; why does Ethereal show all of those
166 adapters with the same name, not letting me use any of those adapters other
169 8.6 I'm running Ethereal on Windows; why am I not seeing any traffic being
170 sent by the machine running Ethereal?
172 8.7 When I capture on Windows in promiscuous mode, I can see packets other
173 than those sent to or from my machine; however, those packets show up with a
174 "Short Frame" indication, unlike packets to or from my machine. What should
175 I do to arrange that I see those packets in their entirety?
177 8.8 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why are
178 the time stamps on packets wrong?
180 8.9 I'm trying to capture 802.11 traffic on Windows; why am I not seeing any
183 8.10 I'm trying to capture 802.11 traffic on Windows; why am I seeing
184 packets received by the machine on which I'm capturing traffic, but not
185 packets sent by that machine?
187 8.11 I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
188 capturing on a "raw" Ethernet device rather than a "VLAN interface", so that
189 I can see the VLAN headers; why am I seeing packets received by the machine
190 on which I'm capturing traffic, but not packets sent by that machine?
192 9. Capturing packets on UN*Xes:
194 9.1 I'm running Ethereal on a UNIX-flavored OS; why does some network
195 interface on my machine not show up in the list of interfaces in the
196 "Interface:" field in the dialog box popped up by "Capture->Start", and/or
197 why does Ethereal give me an error if I try to capture on that interface?
199 9.2 I'm running Ethereal on a UNIX-flavored OS; why do no network interfaces
200 show up in the list of interfaces in the "Interface:" field in the dialog
201 box popped up by "Capture->Start"?
203 9.3 I'm capturing packets on Linux; why do the time stamps have only 100ms
204 resolution, rather than 1us resolution?
206 10. Capturing packets on wireless LANs:
208 10.1 How can I capture raw 802.11 frames, including non-data (management,
211 10.2 How do I capture on an 802.11 device in monitor mode?
215 11.1 Why am I seeing lots of packets with incorrect TCP checksums?
217 11.2 I've just installed Ethereal, and the traffic on my local LAN is
218 boring. Where can I find more interesting captures?
220 11.3 Why doesn't Ethereal correctly identify RTP packets? It shows them only
223 11.4 Why doesn't Ethereal show Yahoo Messenger packets in captures that
224 contain Yahoo Messenger traffic?
226 12. Filtering traffic:
228 12.1 I saved a filter and tried to use its name to filter the display; why
229 do I get an "Unexpected end of filter string" error?
231 12.2 How can I search for, or filter, packets that have a particular string
234 12.3 How do I filter a capture to see traffic for virus XXX?
238 Q 1.1: Where can I get help?
240 A: Community support is available on the ethereal-users mailing list.
241 Subscription information and archives for all of Ethereal's mailing lists
242 can be found at http://www.ethereal.com/lists. An IRC channel dedicated to
243 Ethereal can be found at irc://irc.freenode.net/ethereal.
245 Commercial support, training, and development services are available from
248 Q 1.2: How much does Ethereal cost?
250 A: Ethereal is "free software"; you can download it without paying any
251 license fee. The version of Ethereal you download isn't a "demo" version,
252 with limitations not present in a "full" version; it is the full version.
254 The license under which Ethereal is issued is the GNU General Public
255 License. See the GNU GPL FAQ for some more information.
257 Q 1.3: Can I use Ethereal commercially?
259 A: Yes, if, for example, you mean "I work for a commercial organization; can
260 I use Ethereal to capture and analyze network traffic in our company's
261 networks or in our customer's networks?"
263 If you mean "Can I use Ethereal as part of my commercial product?", see the
264 next entry in the FAQ.
266 Q 1.4: Can I use Ethereal as part of my commercial product?
268 A: As noted, Ethereal is licensed under the GNU General Public License. The
269 GPL imposes conditions on your use of GPL'ed code in your own products; you
270 cannot, for example, make a "derived work" from Ethereal, by making
271 modifications to it, and then sell the resulting derived work and not allow
272 recipients to give away the resulting work. You must also make the changes
273 you've made to the Ethereal source available to all recipients of your
274 modified version; those changes must also be licensed under the terms of the
275 GPL. See the GPL FAQ for more details; in particular, note the answer to the
276 question about modifying a GPLed program and selling it commercially, and
277 the question about linking GPLed code with other code to make a proprietary
280 You can combine a GPLed program such as Ethereal and a commercial program as
281 long as they communicate "at arm's length", as per this item in the GPL FAQ.
283 Q 1.5: What protocols are currently supported?
285 A: There are currently 750 supported protocols and media, listed below.
286 Descriptions can be found in the ethereal(1) man page.
288 3Com XNS Encapsulation
292 802.1X Authentication
293 AAL type 2 signalling protocol (Q.2630)
295 AFS (4.0) Replication Server call declarations
298 AIM Buddylist Service
305 AIM Invitation Service
310 AIM Privacy Management Service
312 AIM Server Side Themes
319 ANSI IS-637-A (SMS) Teleservice Layer
320 ANSI IS-637-A (SMS) Transport Layer
321 ANSI IS-683-A (OTA (Mobile))
322 ANSI IS-801 (Location Services (PLD))
323 ANSI Mobile Application Part
324 AOL Instant Messenger
333 AVS WLAN Capture header
335 Active Directory Setup
336 Ad hoc On-demand Distance Vector Routing Protocol
338 Address Resolution Protocol
340 Aggregate Server Access Protocol
342 Alteon - Transparent Proxy Cache Protocol
343 Andrew File System (AFS)
344 Apache JServ Protocol v1.3
345 Apple Filing Protocol
346 Apple IP-over-IEEE 1394
347 AppleTalk Session Protocol
348 AppleTalk Transaction Protocol packet
349 Appletalk Address Resolution Protocol
350 Application Configuration Access Protocol
352 Aruba - Aruba Discovery Protocol
353 Async data over ISDN (V.120)
354 Asynchronous Layered Coding
355 AudioCodes Trunk Trace
356 Authentication Header
357 BACnet Virtual Link Control
362 Banyan Vines Fragmentation Protocol
369 Base Station Subsystem GPRS Protocol
370 Basic Encoding Rules (ASN.1 X.690)
371 Bearer Independent Call Control
372 Bi-directional Fault Detection Control Message
374 Blocks Extensible Exchange Protocol
375 Blubster/Piolet MANOLITO Protocol
379 Border Gateway Protocol
380 Building Automation and Control Network APDU
381 Building Automation and Control Network NPDU
384 CDS Clerk Server Calls
387 Cast Client Control Protocol
388 Certificate Management Protocol
389 Certificate Request Message Format
390 Check Point High Availability Protocol
393 Cisco Discovery Protocol
394 Cisco Group Management Protocol
396 Cisco Hot Standby Router Protocol
398 Cisco Interior Gateway Routing Protocol
401 Cisco Session Management
402 Cisco Wireless Layer 2
404 CoSine IPNOS L2 debug output
405 Common Image Generator Interface
406 Common Industrial Protocol
407 Common Open Policy Service
408 Common Unix Printing System (CUPS) Browsing Protocol
411 Computer Interface to Message Distribution
412 Configuration Test Protocol (loopback)
413 Connectionless Lightweight Directory Access Protocol
414 Coseventcomm Dissector Using GIOP API
415 Cosnaming Dissector Using GIOP API
416 Cross Point Frame Injector
417 Cryptographic Message Syntax
418 DCE Distributed Time Service Local Server
419 DCE Distributed Time Service Provider
422 DCE Security ID Mapper
426 DCE/RPC CDS Solicitation
427 DCE/RPC Conversation Manager
428 DCE/RPC Directory Acl Interface
429 DCE/RPC Endpoint Mapper
430 DCE/RPC Endpoint Mapper v4
432 DCE/RPC FLDB UBIK TRANSFER
433 DCE/RPC FLDB UBIKVOTE
436 DCE/RPC NCS 1.5.1 Local Location Broker
437 DCE/RPC Operations between registry server replicas
444 DCE/RPC Registry Password Management
445 DCE/RPC Registry Server Attributes Schema
446 DCE/RPC Registry server propagation interface - ACLs.
447 DCE/RPC Registry server propagation interface - PGO items
448 DCE/RPC Registry server propagation interface - properties and poli
450 DCE/RPC Remote Management
451 DCE/RPC Repserver Calls
452 DCE/RPC TokenServer Calls
456 DCOM IRemoteActivation
458 DEC DNA Routing Protocol
459 DEC Spanning Tree Protocol
469 DNS Control Program Server
471 DOCSIS Appendix C TLV's
472 DOCSIS Baseline Privacy Key Management Attributes
473 DOCSIS Baseline Privacy Key Management Request
474 DOCSIS Baseline Privacy Key Management Response
475 DOCSIS Dynamic Service Addition Acknowledge
476 DOCSIS Dynamic Service Addition Request
477 DOCSIS Dynamic Service Addition Response
478 DOCSIS Dynamic Service Change Acknowledgement
479 DOCSIS Dynamic Service Change Request
480 DOCSIS Dynamic Service Change Response
481 DOCSIS Dynamic Service Delete Request
482 DOCSIS Dynamic Service Delete Response
483 DOCSIS Initial Ranging Message
484 DOCSIS Mac Management
485 DOCSIS Range Request Message
486 DOCSIS Ranging Response
487 DOCSIS Registration Acknowledge
488 DOCSIS Registration Requests
489 DOCSIS Registration Responses
490 DOCSIS Upstream Bandwidth Allocation
491 DOCSIS Upstream Channel Change Request
492 DOCSIS Upstream Channel Change Response
493 DOCSIS Upstream Channel Descriptor
494 DOCSIS Upstream Channel Descriptor Type 29
495 DOCSIS Vendor Specific Endodings
496 DPNSS/DASS2-User Adaptation Layer
500 Data Stream Interface
501 Datagram Congestion Control Protocol
502 Datagram Delivery Protocol
503 Decompressed SigComp message as raw text
505 Digital Audio Access Protocol
506 Distance Vector Multicast Routing Protocol
507 Distcc Distributed Compiler
508 Distributed Checksum Clearinghouse Protocol
509 Distributed Interactive Simulation
510 Distributed Network Protocol 3.0
512 Dublin Core Metadata (DC)
513 Dynamic DNS Tools Protocol
514 Dynamic Trunking Protocol
517 Encapsulating Security Payload
518 Endpoint Name Resolution Protocol
519 Enhanced Interior Gateway Routing Protocol
520 EtherNet/IP (Industrial Protocol)
524 Extended Security Services
525 Extensible Authentication Protocol
526 Extreme Discovery Protocol
528 FC Fabric Configuration Server
532 Fiber Distributed Data Interface
534 Fibre Channel Common Transport
535 Fibre Channel Fabric Zone Server
536 Fibre Channel Name Server
537 Fibre Channel Protocol for SCSI
539 Fibre Channel Security Protocol
540 Fibre Channel Single Byte Command
541 File Transfer Protocol (FTP)
542 Financial Information eXchange Protocol
546 GARP Multicast Registration Protocol
547 GARP VLAN Registration Protocol
549 GPRS Tunneling Protocol
553 GSM Mobile Application
554 GSM SMS TPDU (GSM 03.40)
555 GSM Short Message Service User Data
557 GSS-API Generic Security Service Application Program Interface
558 General Inter-ORB Protocol
559 Generic Routing Encapsulation
565 H235-SECURITY-MESSAGES
567 HP Extended Local-Link Control
568 HP Remote Maintenance Protocol
570 HP-UX Network Tracing and Logging
571 Hummingbird NFS Daemon
573 Hypertext Transfer Protocol
593 ICBAPhysicalDevicePCEvent
601 IEEE 802.11 Radiotap Capture header
602 IEEE 802.11 wireless LAN
603 IEEE 802.11 wireless LAN management frame
604 IEEE802a OUI Extended Ethertype
606 IP Device Control (SS7 over IP)
608 IP Payload Compression
609 IP Virtual Services Sync Daemon
611 IPX Routing Information Protocol
616 ISDN Q.921-User Adaptation Layer
618 ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
619 ISO 8073 COTP Connection-Oriented Transport Protocol
620 ISO 8327-1 OSI Session Protocol
621 ISO 8473 CLNP ConnectionLess Network Protocol
623 ISO 8602 CLTP ConnectionLess Transport Protocol
624 ISO 8650-1 OSI Association Control Service
625 ISO 8823 OSI Presentation Protocol
626 ISO 9542 ESIS Routeing Information Exchange Protocol
628 ISystemActivator ISystemActivator Resolver
629 ITU M.3100 Generic Network Information Model
631 ITU-T Recommendation H.223
632 ITU-T Recommendation H.261
633 ITU-T Recommendation H.263
634 ITU-T Recommendation H.263 RTP Payload header (RFC2190)
636 Information Access Protocol
637 Init shutdown service
639 Intelligent Network Application Protocol
640 Intelligent Platform Management Interface
641 Inter-Access-Point Protocol
642 Inter-Asterisk eXchange v2
643 InterSwitch Message Protocol
645 Internet Cache Protocol
646 Internet Communications Engine Protocol
647 Internet Content Adaptation Protocol
648 Internet Control Message Protocol
649 Internet Control Message Protocol v6
650 Internet Group Management Protocol
651 Internet Group membership Authentication Protocol
652 Internet Message Access Protocol
653 Internet Printing Protocol
655 Internet Protocol Version 6
657 Internet Security Association and Key Management Protocol
658 Internetwork Datagram Protocol
659 Internetwork Packet eXchange
661 IrDA Link Access Protocol
662 IrDA Link Management Protocol
664 JPEG File Interchange Format
665 JXTA Connection Welcome Message
675 Kerberized Internet Negotiation of Key
677 Kerberos Administration
681 LWAPP Encapsulated Packet
683 Label Distribution Protocol
685 Layer 2 Tunneling Protocol
686 Light Weight DNS RESolver (BIND9)
687 Lightweight Directory Access Protocol
688 Lightweight User Datagram Protocol
689 Line Printer Daemon Protocol
691 Link Access Procedure Balanced (LAPB)
692 Link Access Procedure Balanced Ethernet (LAPBETHER)
693 Link Access Procedure, Channel D (LAPD)
694 Link Layer Discovery Protocol
695 Link Management Protocol (LMP)
696 Linux cooked-mode capture
697 Local Management Interface
698 LocalTalk Link Access Protocol
700 Logical Link Control GPRS
702 Logical-Link Control Basic Format XID
703 Logotype Certificate Extensions
704 Lucent/Ascend debug output
709 MIME Multipart Media Encapsulation
711 MMS Message Encapsulation
713 MS Network Load Balancing
715 MSN Messenger Service
716 MSNIP: Multicast Source Notification of Interest Protocol
717 MTP 2 Transparent Proxy
718 MTP 2 User Adaptation Layer
719 MTP 3 User Adaptation Layer
720 MTP2 Peer Adaptation Layer
721 MULTIMEDIA-SYSTEM-CONTROL
722 Media Gateway Control Protocol
724 Media Type: message/http
725 Message Session Relay Protocol
726 Message Transfer Part Level 2
727 Message Transfer Part Level 3
728 Message Transfer Part Level 3 Management
729 Meta Analysis Tracing Engine
730 Microsoft AT-Scheduler Service
731 Microsoft Distributed File System
732 Microsoft Distributed Link Tracking Server Service
733 Microsoft Encrypted File System Service
734 Microsoft Eventlog Service
735 Microsoft Exchange MAPI
736 Microsoft File Replication Service
737 Microsoft File Replication Service API
738 Microsoft Local Security Architecture
739 Microsoft Media Server
740 Microsoft Messenger Service
741 Microsoft Network Logon
742 Microsoft Plug and Play service
743 Microsoft Routing and Remote Access Service
744 Microsoft Security Account Manager
745 Microsoft Server Service
746 Microsoft Service Control
747 Microsoft Spool Subsystem
748 Microsoft Telephony API Service
749 Microsoft Windows Browser Protocol
750 Microsoft Windows Lanman Remote API Protocol
751 Microsoft Windows Logon Protocol (Old)
752 Microsoft Workstation Service
754 Mobile IPv6 / Network Mobility
758 MultiProtocol Label Switching Header
759 Multicast Router DISCovery protocol
760 Multicast Source Discovery Protocol
761 Multiprotocol Label Switching Echo
763 NBMA Next Hop Resolution Protocol
769 NTLM Secure Service Provider
770 Name Binding Protocol
771 Name Management Protocol over IPX
772 Negative-acknowledgment Oriented Reliable Multicast
774 NetBIOS Datagram Service
776 NetBIOS Session Service
778 NetScape Certificate Extensions
779 NetWare Core Protocol
780 NetWare Link Services Protocol
781 NetWare Serialization Protocol
782 Network Data Management Protocol
784 Network Lock Manager Protocol
785 Network News Transfer Protocol
786 Network Service Over IP
787 Network Status Monitor CallBack Protocol
788 Network Status Monitor Protocol
789 Network Time Protocol
791 Novell Cluster Services
792 Novell Distributed Print System
793 Novell Modular Authentication Service
794 Novell SecretStore Services
796 Online Certificate Status Protocol
797 Open Policy Service Interface
798 Open Shortest Path First
799 OpenBSD Encapsulating device
800 OpenBSD Packet Filter log file
801 OpenBSD Packet Filter log file, pre 3.4
802 Optimized Link State Routing Protocol
806 PKIX CERT File Format
808 PKIX Time Stamp Protocol
812 PPP Bandwidth Allocation Control Protocol
813 PPP Bandwidth Allocation Protocol
814 PPP CDP Control Protocol
815 PPP Callback Control Protocol
816 PPP Challenge Handshake Authentication Protocol
817 PPP Compressed Datagram
818 PPP Compression Control Protocol
819 PPP IP Control Protocol
820 PPP IPv6 Control Protocol
821 PPP In HDLC-Like Framing
822 PPP Link Control Protocol
823 PPP MPLS Control Protocol
824 PPP Multilink Protocol
826 PPP OSI Control Protocol
827 PPP Password Authentication Protocol
829 PPP-over-Ethernet Discovery
830 PPP-over-Ethernet Session
831 PPPMux Control Protocol
834 PROFINET Real-Time Protocol
836 Packed Encoding Rules (ASN.1 X.691)
837 Packet Cable Lawful Intercept
839 Parallel Virtual File System
840 Parlay Dissector Using GIOP API
842 Point-to-Point Protocol
843 Point-to-Point Tunnelling Protocol
844 Port Aggregation Protocol
848 Pragmatic General Multicast
849 Precision Time Protocol (IEEE1588)
850 Printer Access Protocol
852 Privilege Server operations
853 Protocol Independent Multicast
857 Quake II Network Protocol
858 Quake III Arena Network Protocol
859 Quake Network Protocol
860 QuakeWorld Network Protocol
861 Qualified Logical Link Control
867 RS Interface properties
869 RSYNC File Synchroniser
872 Radio Access Network Application Part
876 Real Time Streaming Protocol
877 Real-Time Media Access Control
878 Real-Time Publish-Subscribe Wire Protocol
879 Real-Time Transport Protocol
880 Real-time Transport Control Protocol
882 Redundant Link Management Protocol
883 Registry Server Attributes Manipulation Interface
884 Registry server administration operations.
886 Remote Management Control Protocol
887 Remote Override interface
888 Remote Procedure Call
891 Remote Registry Service
894 Remote sec_login preauth interface.
895 Resource ReserVation Protocol (RSVP)
896 Retix Spanning Tree Protocol
898 Routing Information Protocol
899 Routing Table Maintenance Protocol
902 SEBEK - Kernel Data Capture
904 SMB (Server Message Block Protocol)
905 SMB MailSlot Protocol
907 SMB2 (Server Message Block Protocol version 2)
909 SNMP Multiplex Protocol
912 SS7 SCCP-User Adaptation Layer
916 STANAG 4406 Military Message
917 STANAG 5066 (SIS layer)
919 Sequenced Packet Protocol
920 Sequenced Packet eXchange
922 Service Advertisement Protocol
923 Service Location Protocol
924 Session Announcement Protocol
925 Session Description Protocol
926 Session Initiation Protocol
927 Session Initiation Protocol (SIP as raw text)
928 Short Message Peer to Peer
929 Short Message Relaying Service
930 Signaling Compression
931 Signalling Connection Control Part
932 Signalling Connection Control Part Management
933 Simple Mail Transfer Protocol
934 Simple Network Management Protocol
935 Simple Protected Negotiation
936 Simple Traversal of UDP Through NAT
939 Skinny Client Control Protocol
940 SliMP3 Communication Protocol
944 Spanning Tree Protocol
945 Stream Control Transmission Protocol
946 Subnetwork Dependent Convergence Protocol
947 Symantec Enterprise Firewall
948 Synchronized Multimedia Integration Language
949 Synchronous Data Link Control (SDLC)
952 Systems Network Architecture
953 Systems Network Architecture XID
957 TDMA RTmac Discipline
958 TEI Management Procedure, Channel D (LAPD)
959 TPKT - ISO on TCP - RFC1006
961 Tango Dissector Using GIOP API
962 Tazmen Sniffer Protocol
964 Teredo IPv6 over UDP tunneling
965 The Armagetron Advanced OpenGL Tron clone
967 Time Synchronization Protocol
968 Tiny Transport Protocol
970 Token-Ring Media Access Control
971 Transaction Capabilities Application Part
972 Transmission Control Protocol
973 Transparent Inter Process Communication(TIPC)
974 Transparent Network Substrate Protocol
975 Transport Adapter Layer Interface v1.0, RFC 3094
976 Trivial File Transfer Protocol
977 UDP Encapsulation of IPsec Packets
978 UTRAN Iub interface NBAP signalling
979 UTRAN Iur interface Radio Network Subsystem Application Part
980 Universal Computer Protocol
981 Unlicensed Mobile Access
982 User Datagram Protocol
983 V5.2-User Adaptation Layer
984 Virtual Network Computing
985 Virtual Router Redundancy Protocol
986 Virtual Trunking Protocol
988 WAP Session Initiation Request
989 WINS (Windows Internet Name Service) Replication
990 Web Cache Coordination Protocol
992 WebSphere MQ Programmable Command Formats
993 Wellfleet Breath of Life
994 Wellfleet Compression
998 Wireless Session Protocol
999 Wireless Transaction Protocol
1000 Wireless Transport Layer Security
1001 Wlan Certificate Extension
1002 X Display Manager Control Protocol
1003 X.228 OSI Reliable Transfer Service
1007 X.411 Message Transfer Service
1008 X.420 File Transfer Body Part
1009 X.420 Information Object
1010 X.501 Directory Operational Binding Management Protocol
1011 X.509 Authentication Framework
1012 X.509 Certificate Extensions
1013 X.509 Information Framework
1014 X.509 Selected Attribute Types
1015 X.519 Directory Access Protocol
1016 X.519 Directory Information Shadowing Protocol
1017 X.519 Directory System Protocol
1018 X.880 OSI Remote Operations Service
1022 Yahoo Messenger Protocol
1023 Yahoo YMSG Messenger Protocol
1026 Yellow Pages Service
1027 Yellow Pages Transfer
1029 Zone Information Protocol
1031 eXtensible Markup Language
1032 giFT Internet File Transfer
1037 iTunes podCast rss elements
1040 Q 1.6: Are there any plans to support {your favorite protocol}?
1042 A: Support for particular protocols is added to Ethereal as a result of
1043 people contributing that support; no formal plans for adding support for
1044 particular protocols in particular future releases exist.
1046 Q 1.7: Can Ethereal read capture files from {your favorite network
1049 A: Support for particular protocols is added to Ethereal as a result of
1050 people contributing that support; no formal plans for adding support for
1051 particular protocols in particular future releases exist.
1053 If a network analyzer writes out files in a format already supported by
1054 Ethereal (e.g., in libpcap format), Ethereal may already be able to read
1055 them, unless the analyzer has added its own proprietary extensions to that
1058 If a network analyzer writes out files in its own format, or has added
1059 proprietary extensions to another format, in order to make Ethereal read
1060 captures from that network analyzer, we would either have to have a
1061 specification for the file format, or the extensions, sufficient to give us
1062 enough information to read the parts of the file relevant to Ethereal, or
1063 would need at least one capture file in that format AND a detailed textual
1064 analysis of the packets in that capture file (showing packet time stamps,
1065 packet lengths, and the top-level packet header) in order to
1066 reverse-engineer the file format.
1068 Note that there is no guarantee that we will be able to reverse-engineer a
1069 capture file format.
1071 Q 1.8: What devices can Ethereal use to capture packets?
1073 A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial (PPP
1074 and SLIP) (if the OS on which it's running allows Ethereal to do so), 802.11
1075 wireless LAN (if the OS on which it's running allows Ethereal to do so), ATM
1076 connections (if the OS on which it's running allows Ethereal to do so), and
1077 the "any" device supported on Linux by recent versions of libpcap. See the
1078 list of supported capture media on various OSes for details (several items
1079 in there say "Unknown", which doesn't mean "Ethereal can't capture on them",
1080 it means "we don't know whether it can capture on them"; we expect that it
1081 will be able to capture on many of them, but we haven't tried it ourselves -
1082 if you try one of those types and it works, please send an update to
1083 ethereal-web[AT]ethereal.com).
1085 It can also read a variety of capture file formats, including:
1086 * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
1088 * AIX's iptrace captures
1089 * Accellent's 5Views LAN agent output
1090 * Cinco Networks NetXRay captures
1091 * Cisco Secure Intrusion Detection System IPLog output
1092 * CoSine L2 debug output
1093 * DBS Etherwatch VMS text output
1094 * Endace Measurement Systems' ERF format captures
1095 * EyeSDN USB S0 traces
1096 * HP-UX nettl captures
1097 * ISDN4BSD project i4btrace captures
1098 * Linux Bluez Bluetooth stack hcidump -w traces
1099 * Lucent/Ascend router debug output
1100 * Microsoft Network Monitor captures
1101 * Network Associates Windows-based Sniffer captures
1102 * Network General/Network Associates DOS-based Sniffer (compressed or
1103 uncompressed) captures
1104 * Network Instruments Observer version 9 captures
1105 * Novell LANalyzer captures
1106 * RADCOM's WAN/LAN analyzer captures
1107 * Shomiti/Finisar Surveyor captures
1108 * Toshiba's ISDN routers dump output
1109 * VMS TCPIPtrace/TCPtrace/UCX$TRACE output
1110 * Visual Networks' Visual UpTime traffic capture
1111 * libpcap, tcpdump and various other tools using tcpdump's capture format
1112 * snoop and atmsnoop output
1114 so that it can read traces from various network types, as captured by other
1115 applications or equipment, even if it cannot itself capture on those network
1118 Q 1.9: How do you pronounce Ethereal? Where did the name come from?
1120 A: The English pronunciation can be found in Merriam-Webster's online
1122 http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.
1124 According to the book "Computer Networks" by Andrew Tannenbaum, Ethernet was
1125 named after the "luminiferous ether" which was once thought to carry
1126 electromagnetic radiation. Taking that into consideration, Ethereal seemed
1127 like an appropriate name for something that started out as an Ethernet
1130 Q 1.10: Does Ethereal work on Windows Me?
1132 A: Yes, but if you want to capture packets, you will need to install the
1133 latest version of WinPcap, as 2.02 and earlier versions of WinPcap didn't
1134 support Windows Me. You should also install the latest version of Ethereal
1137 Q 1.11: Does Ethereal work on Windows XP?
1139 A: Yes, but if you want to capture packets, you will need to install the
1140 latest version of WinPcap, as 2.2 and earlier versions of WinPcap didn't
1143 2. Downloading Ethereal
1145 Q 2.1: Why do I get an error when I try to run the Win32 installer?
1147 A: The program you used to download it may have downloaded it incorrectly.
1148 Web browsers sometimes may do this.
1150 Try downloading it with, for example:
1151 * Wget, for which Windows binaries are available on the SunSITE FTP server
1152 at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI offers a GUI
1153 interface that uses wget;
1154 * WS_FTP from Ipswitch,
1155 * the ftp command that comes with Windows.
1157 If you use the ftp command, make sure you do the transfer in binary mode
1158 rather than ASCII mode, by using the binary command before transferring the
1161 Q 2.2: Why can't I get to the WinPcap Web site in order to download WinPcap?
1163 A: As is the case with all Web sites, that site won't necessarily always be
1164 accessible; the server may be down due to a problem or down for maintenance,
1165 or there may be a networking problem between you and the server. You should
1166 try again later, or try the local mirror or the Wiretapped.net mirror.
1168 Note that current Ethereal releases include an installer for WinPcap.
1170 3. Installing Ethereal
1172 Q 3.1: I installed an Ethereal RPM; why did it install Tethereal but not
1175 A: Older versions of the Red Hat RPMs for Ethereal put only the non-GUI
1176 components into the ethereal RPM, the fact that Ethereal is a GUI program
1177 nonwithstanding; newer versions make it a bit clearer by giving that RPM a
1178 name starting with ethereal-base.
1180 In those older versions, there's a separate ethereal-gnome RPM that includes
1181 GUI components such as Ethereal itself, the fact that Ethereal doesn't use
1182 GNOME nonwithstanding; newer versions make it a bit clearer by giving that
1183 RPM a name starting with ethereal-gtk+.
1185 Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.
1187 4. Building Ethereal
1189 Q 4.1: I have libpcap installed; why did the configure script not find
1192 A: Are you sure pcap.h and bpf.h are installed? The official distribution of
1193 libpcap only installs the libpcap.a library file when "make install" is run.
1194 To install pcap.h and bpf.h, you must run "make install-incl". If you're
1195 running Debian or Redhat, make sure you have the "libpcap-dev" or
1196 "libpcap-devel" packages installed.
1198 It's also possible that pcap.h and bpf.h have been installed in a strange
1199 location. If this is the case, you may have to tweak aclocal.m4.
1201 Q 4.2: Why do I get the error
1203 dftest_DEPENDENCIES was already defined in condition TRUE, which implies
1204 condition HAVE_PLUGINS_TRUE
1206 when I try to build Ethereal from SVN or a SVN snapshot?
1208 A: You probably have automake 1.5 installed on your machine (the command
1209 automake --version will report the version of automake on your machine).
1210 There is a bug in that version of automake that causes this problem; upgrade
1211 to a later version of automake (1.6 or later).
1213 Q 4.3: Why does the linker fail with a number of "Output line too long."
1214 messages followed by linker errors when I try to buil Ethereal?
1216 A: The version of the sed command on your system is incapable of handling
1217 very long lines. On Solaris, for example, /usr/bin/sed has a line length
1218 limit too low to allow libtool to work; /usr/xpg4/bin/sed can handle it, as
1219 can GNU sed if you have it installed.
1221 On Solaris, changing your command search path to search /usr/xpg4/bin before
1222 /usr/bin should make the problem go away; on any platform on which you have
1223 this problem, installing GNU sed and changing your command path to search
1224 the directory in which it is installed before searching the directory with
1225 the version of sed that came with the OS should make the problem go away.
1227 Q 4.4: When I try to build Ethereal on Solaris, why does the link fail
1228 complaining that plugin_list is undefined?
1230 A: This appears to be due to a problem with some versions of the GTK+ and
1231 GLib packages from www.sunfreeware.org; un-install those packages, and try
1232 getting the 1.2.10 versions from that site, or the versions from The Written
1233 Word, or the versions from Sun's GNOME distribution, or the versions from
1234 the supplemental software CD that comes with the Solaris media kit, or build
1235 them from source from the GTK Web site. Then re-run the configuration
1236 script, and try rebuilding Ethereal. (If you get the 1.2.10 versions from
1237 www.sunfreeware.org, and the problem persists, un-install them and try
1238 installing one of the other versions mentioned.)
1240 Q 4.5: When I try to build Ethereal on Windows, why does the build fail
1241 because of conflicts between winsock.h and winsock2.h?
1243 A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and the
1244 corresponding version of the developer's pack, in order to be able to
1245 compile Ethereal; it will not compile with older versions of the developer's
1246 pack. The symptoms of this failure are conflicts between definitions in
1247 winsock.h and in winsock2.h; Ethereal uses winsock2.h, but pre-2.3 versions
1248 of the WinPcap developer's packet use winsock.h. (2.3 uses winsock2.h, so if
1249 Ethereal were to use winsock.h, it would not be able to build with current
1250 versions of the WinPcap developer's pack.)
1252 Note that the installed version of the developer's pack should be the same
1253 version as the version of WinPcap you have installed.
1255 5. Starting Ethereal
1257 Q 5.1: Why does Ethereal crash with a Bus Error when I try to run it on
1260 A: Some versions of the GTK+ library from www.sunfreeware.org appear to be
1261 buggy, causing Ethereal to drop core with a Bus Error. Un-install those
1262 packages, and try getting the 1.2.10 version from that site, or the version
1263 from The Written Word, or the version from Sun's GNOME distribution, or the
1264 version from the supplemental software CD that comes with the Solaris media
1265 kit, or build it from source from the GTK Web site. Update the GLib library
1266 to the 1.2.10 version, from the same source, as well. (If you get the 1.2.10
1267 versions from www.sunfreeware.org, and the problem persists, un-install them
1268 and try installing one of the other versions mentioned.)
1270 Similar problems may exist with older versions of GTK+ for earlier versions
1273 Q 5.2: When I run Tethereal with the "-x" option, why does it crash with an
1276 "** ERROR **: file print.c: line 691 (print_line): should not be reached.
1278 A: This is a bug in Ethereal 0.10.0a, which is fixed in 0.10.1 and later
1279 releases. To work around the bug, don't use "-x" unless you're also using
1280 "-V"; note that "-V" produces a full dissection of each packet, so you might
1283 Q 5.3: When I run Ethereal on Windows NT, why does it die with a Dr. Watson
1284 error, reporting an "Integer division by zero" exception, when I start it?
1286 A: In at least some case, this appears to be due to using the default VGA
1287 driver; if that's not the correct driver for your video card, try running
1288 the correct driver for your video card.
1290 Q 5.4: When I try to run Ethereal, why does it complain about
1291 sprint_realloc_objid being undefined?
1293 A: Ethereal can only be linked with version 4.2.2 or later of UCD SNMP. Your
1294 version of Ethereal was dynamically linked with such a version of UCD SNMP;
1295 however, you have an older version of UCD SNMP installed, which means that
1296 when Ethereal is run, it tries to link to the older version, and fails. You
1297 will have to replace that version of UCD SNMP with version 4.2.2 or a later
1300 Q 5.5: When I try to run Ethereal on Windows, why does it fail to run with a
1301 complaint that it can't find packet.dll?
1303 A: In older versions of Ethereal, there were two binary distributions
1304 available for Windows, one that supported capturing packets, and one that
1305 didn't. The version that supported capturing packets required that you
1306 install the WinPcap driver; if you didn't install it, it would fail to run
1307 because it couldn't find packet.dll.
1309 The current version of Ethereal has only one binary distribution for
1310 Windows; that version will check whether WinPcap is installed and, if it's
1311 not, will disable support for packet capture.
1313 The WinPcap driver and libraries can be downloaded from the WinPcap Web
1314 site, the local mirror of the WinPcap Web site, or the Wiretapped.net mirror
1315 of the WinPcap site.
1317 Q 5.6: Why do I get the error
1319 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
1323 when I try to run Ethereal on Windows?
1325 A: Ethereal is built using the GTK+ toolkit, which supports most
1326 UNIX-flavored OSes, and also supports Windows.
1328 Windows versions of Ethereal before 0.9.14 were built with an older version
1329 of that toolkit, which didn't support 256-color mode on Windows - it
1330 required HiColor (16-bit colors) or more.
1332 Windows versions of Ethereal 0.9.14 and later are built with a version of
1333 that toolkit that supports 256-color mode; upgrade to the current version of
1334 Ethereal if you want to run on a display in 256-color mode.
1336 Q 5.7: I've installed Ethereal from Fink on Mac OS X; why is it very slow to
1339 A: When an application is installed on OS X, prior to 10.4, it is usually
1340 "prebound" to speed up launching the application. (That's what the
1341 "Optimizing" phase of installation is.) Fink normally performs prebinding
1342 automatically when you install a package. However, in some rare cases, for
1343 whatever reason the prebinding caches get corrupt, and then not only does
1344 prebinding fail, but startup actually becomes much slower, because the
1345 system tries in vain to perform prebinding "on the fly" as you launch the
1346 application. This fails, causing sometimes huge delays. To fix the
1347 prebinding caches, run the command
1348 sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
1350 6. Crashes and other fatal errors
1352 Q 6.1: When I run Ethereal, why do I get an error
1354 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
1355 assertion `height > 0' failed.
1357 A: This is a bug in Ethereal 0.10.5 and 0.10.5a, which is fixed in Ethereal
1358 0.10.6 and later releases.
1360 Q 6.2: I have an XXX network card on my machine; if I try to capture on it,
1361 why does my machine crash or reset itself?
1363 A: This is almost certainly a problem with one or more of:
1364 * the operating system you're using;
1365 * the device driver for the interface you're using;
1366 * the libpcap/WinPcap library and, if this is Windows, the WinPcap device
1370 * if you are using Windows, see the WinPcap support page (or the local
1371 mirror of that page) - check the "Submitting bugs" section;
1372 * if you are using some Linux distribution, some version of BSD, or some
1373 other UNIX-flavored OS, you should report the problem to the company or
1374 organization that produces the OS (in the case of a Linux distribution,
1375 report the problem to whoever produces the distribution).
1377 Q 6.3: Why does my machine crash or reset itself when I select "Start" from
1378 the "Capture" menu or select "Preferences" from the "Edit" menu?
1380 A: Both of those operations cause Ethereal to try to build a list of the
1381 interfaces that it can open; it does so by getting a list of interfaces and
1382 trying to open them. There is probably an OS, driver, or, for Windows,
1383 WinPcap bug that causes the system to crash when this happens; see the
1386 7. Capturing packets
1388 Q 7.1: When I use Ethereal to capture packets, why do I see only packets to
1389 and from my machine, or not see all the traffic I'm expecting to see from or
1390 to the machine I'm trying to monitor?
1392 A: This might be because the interface on which you're capturing is plugged
1393 into an Ethernet or Token Ring switch; on a switched network, unicast
1394 traffic between two ports will not necessarily appear on other ports - only
1395 broadcast and multicast traffic will be sent to all ports.
1397 Note that even if your machine is plugged into a hub, the "hub" may be a
1398 switched hub, in which case you're still on a switched network.
1400 Note also that on the Linksys Web site, they say that their auto-sensing
1401 hubs "broadcast the 10Mb packets to the port that operate at 10Mb only and
1402 broadcast the 100Mb packets to the ports that operate at 100Mb only", which
1403 would indicate that if you sniff on a 10Mb port, you will not see traffic
1404 coming sent to a 100Mb port, and vice versa. This problem has also been
1405 reported for Netgear dual-speed hubs, and may exist for other "auto-sensing"
1406 or "dual-speed" hubs.
1408 Some switches have the ability to replicate all traffic on all ports to a
1409 single port so that you can plug your analyzer into that single port to
1410 sniff all traffic. You would have to check the documentation for the switch
1411 to see if this is possible and, if so, to see how to do this. See the switch
1412 reference page on the Ethereal Wiki for information on some switches. (Note
1413 that it's a Wiki, so you can update or fix that information, or add
1414 additional information on those switches or information on new switches,
1417 Note also that many firewall/NAT boxes have a switch built into them; this
1418 includes many of the "cable/DSL router" boxes. If you have a box of that
1419 sort, that has a switch with some number of Ethernet ports into which you
1420 plug machines on your network, and another Ethernet port used to connect to
1421 a cable or DSL modem, you can, at least, sniff traffic between the machines
1422 on your network and the Internet by plugging the Ethernet port on the router
1423 going to the modem, the Ethernet port on the modem, and the machine on which
1424 you're running Ethereal into a hub (make sure it's not a switching hub, and
1425 that, if it's a dual-speed hub, all three of those ports are running at the
1428 If your machine is not plugged into a switched network or a dual-speed hub,
1429 or it is plugged into a switched network but the port is set up to have all
1430 traffic replicated to it, the problem might be that the network interface on
1431 which you're capturing doesn't support "promiscuous" mode, or because your
1432 OS can't put the interface into promiscuous mode. Normally, network
1433 interfaces supply to the host only:
1434 * packets sent to one of that host's link-layer addresses;
1435 * broadcast packets;
1436 * multicast packets sent to a multicast address that the host has
1437 configured the interface to accept.
1439 Most network interfaces can also be put in "promiscuous" mode, in which they
1440 supply to the host all network packets they see. Ethereal will try to put
1441 the interface on which it's capturing into promiscuous mode unless the
1442 "Capture packets in promiscuous mode" option is turned off in the "Capture
1443 Options" dialog box, and Tethereal will try to put the interface on which
1444 it's capturing into promiscuous mode unless the -p option was specified.
1445 However, some network interfaces don't support promiscuous mode, and some
1446 OSes might not allow interfaces to be put into promiscuous mode.
1448 If the interface is not running in promiscuous mode, it won't see any
1449 traffic that isn't intended to be seen by your machine. It will see
1450 broadcast packets, and multicast packets sent to a multicast MAC address the
1451 interface is set up to receive.
1453 You should ask the vendor of your network interface whether it supports
1454 promiscuous mode. If it does, you should ask whoever supplied the driver for
1455 the interface (the vendor, or the supplier of the OS you're running on your
1456 machine) whether it supports promiscuous mode with that network interface.
1458 In the case of token ring interfaces, the drivers for some of them, on
1459 Windows, may require you to enable promiscuous mode in order to capture in
1460 promiscuous mode. See the Ethereal Wiki item on Token Ring capturing for
1463 In the case of wireless LAN interfaces, it appears that, when those
1464 interfaces are promiscuously sniffing, they're running in a significantly
1465 different mode from the mode that they run in when they're just acting as
1466 network interfaces (to the extent that it would be a significant effor for
1467 those drivers to support for promiscuously sniffing and acting as regular
1468 network interfaces at the same time), so it may be that Windows drivers for
1469 those interfaces don't support promiscuous mode.
1471 Q 7.2: When I capture with Ethereal, why can't I see any TCP packets other
1472 than packets to and from my machine, even though another analyzer on the
1473 network sees those packets?
1475 A: You're probably not seeing any packets other than unicast packets to or
1476 from your machine, and broadcast and multicast packets; a switch will
1477 normally send to a port only unicast traffic sent to the MAC address for the
1478 interface on that port, and broadcast and multicast traffic - it won't send
1479 to that port unicast traffic sent to a MAC address for some other interface
1480 - and a network interface not in promiscuous mode will receive only unicast
1481 traffic sent to the MAC address for that interface, broadcast traffic, and
1482 multicast traffic sent to a multicast MAC address the interface is set up to
1485 TCP doesn't use broadcast or multicast, so you will only see your own TCP
1486 traffic, but UDP services may use broadcast or multicast so you'll see some
1487 UDP traffic - however, this is not a problem with TCP traffic, it's a
1488 problem with unicast traffic, as you also won't see all UDP traffic between
1491 I.e., this is probably the same question as this earlier one; see the
1492 response to that question.
1494 Q 7.3: Why am I only seeing ARP packets when I try to capture traffic?
1496 A: You're probably on a switched network, and running Ethereal on a machine
1497 that's not sending traffic to the switch and not being sent any traffic from
1498 other machines on the switch. ARP packets are often broadcast packets, which
1499 are sent to all switch ports.
1501 I.e., this is probably the same question as this earlier one; see the
1502 response to that question.
1504 Q 7.4: Why am I not seeing any traffic when I try to capture traffic?
1506 A: Is the machine running Ethereal sending out any traffic on the network
1507 interface on which you're capturing, or receiving any traffic on that
1508 network, or is there any broadcast traffic on the network or multicast
1509 traffic to a multicast group to which the machine running Ethereal belongs?
1511 If not, this may just be a problem with promiscuous sniffing, either due to
1512 running on a switched network or a dual-speed hub, or due to problems with
1513 the interface not supporting promiscuous mode; see the response to this
1516 Otherwise, on Windows, see the response to this question and, on a
1517 UNIX-flavored OS, see the response to this question.
1519 Q 7.5: Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
1521 A: Ethereal can only capture on devices supported by libpcap/WinPcap. On
1522 most OSes, only devices that can act as network interfaces of the type that
1523 support IP are supported as capture devices for libpcap/WinPcap, although
1524 the device doesn't necessarily have to be running as an IP interface in
1525 order to support traffic capture.
1527 On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
1528 Measurement Systems' DAG cards, so that a system with one of those cards,
1529 and its driver and libraries, installed can capture traffic with those cards
1530 with libpcap-based applications. You would either have to have a version of
1531 Ethereal built with that version of libpcap, or a dynamically-linked version
1532 of Ethereal and a shared libpcap library with DAG support, in order to do so
1533 with Ethereal. You should ask Endace whether that could be used to capture
1534 traffic on, for example, your T1/E1 link.
1535 See the SS7 capture setup page on the Ethereal Wiki for current information
1536 on capturing SS7 traffic on TDM links.
1538 Q 7.6: How do I put an interface into promiscuous mode?
1540 A: By not disabling promiscuous mode when running Ethereal or Tethereal.
1542 Note, however, that:
1543 * the form of promiscuous mode that libpcap (the library that programs
1544 such as tcpdump, Ethereal, etc. use to do packet capture) turns on will
1545 not necessarily be shown if you run ifconfig on the interface on a UNIX
1547 * some network interfaces might not support promiscuous mode, and some
1548 drivers might not allow promiscuous mode to be turned on - see this
1549 earlier question for more information on that;
1550 * the fact that you're not seeing any traffic, or are only seeing
1551 broadcast traffic, or aren't seeing any non-broadcast traffic other than
1552 traffic to or from the machine running Ethereal, does not mean that
1553 promiscuous mode isn't on - see this earlier question for more
1554 information on that.
1556 I.e., this is probably the same question as this earlier one; see the
1557 response to that question.
1559 Q 7.7: I can set a display filter just fine; why don't capture filters work?
1561 A: Capture filters currently use a different syntax than display filters.
1562 Here's the corresponding section from the ethereal(1) man page:
1564 "Display filters in Ethereal are very powerful; more fields are filterable
1565 in Ethereal than in other protocol analyzers, and the syntax you can use to
1566 create your filters is richer. As Ethereal progresses, expect more and more
1567 protocol fields to be allowed in display filters.
1569 Packet capturing is performed with the pcap library. The capture filter
1570 syntax follows the rules of the pcap library. This syntax is different from
1571 the display filter syntax."
1573 The capture filter syntax used by libpcap can be found in the tcpdump(8) man
1576 Q 7.8: I'm entering valid capture filters; why do I still get "parse error"
1579 A: There is a bug in some versions of libpcap/WinPcap that cause it to
1580 report parse errors even for valid expressions if a previous filter
1581 expression was invalid and got a parse error.
1583 Try exiting and restarting Ethereal; if you are using a version of
1584 libpcap/WinPcap with this bug, this will "erase" its memory of the previous
1585 parse error. If the capture filter that got the "parse error" now works, the
1586 earlier error with that filter was probably due to this bug.
1588 The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of libpcap
1589 have this bug, but 0.6[.x] and later versions don't.
1591 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of libpcap,
1592 and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and doesn't have
1595 If you are running Ethereal on a UNIX-flavored platform, run "ethereal -v",
1596 or select "About Ethereal..." from the "Help" menu in Ethereal, to see what
1597 version of libpcap it's using. If it's not 0.6 or later, you will need
1598 either to upgrade your OS to get a later version of libpcap, or will need to
1599 build and install a later version of libpcap from the tcpdump.org Web site
1600 and then recompile Ethereal from source with that later version of libpcap.
1602 If you are running Ethereal on Windows with a pre-2.3 version of WinPcap,
1603 you will need to un-install WinPcap and then download and install WinPcap
1606 Q 7.9: How can I capture packets with CRC errors?
1608 A: Ethereal can capture only the packets that the packet capture library -
1609 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on
1610 Windows - can capture, and libpcap/WinPcap can capture only the packets that
1611 the OS's raw packet capture mechanism (or the WinPcap driver, and the
1612 underlying OS networking code and network interface drivers, on Windows)
1613 will allow it to capture.
1615 Unless the OS always supplies packets with errors such as invalid CRCs to
1616 the raw packet capture mechanism, or can be configured to do so, invalid
1617 CRCs to the raw packet capture mechanism, Ethereal - and other programs that
1618 capture raw packets, such as tcpdump - cannot capture those packets. You
1619 will have to determine whether your OS needs to be so configured and, if so,
1620 can be so configured, configure it if necessary and possible, and make
1621 whatever changes to libpcap and the packet capture program you're using are
1622 necessary, if any, to support capturing those packets.
1624 Most OSes probably do not support capturing packets with invalid CRCs on
1625 Ethernet, and probably do not support it on most other link-layer types.
1626 Some drivers on some OSes do support it, such as some Ethernet drivers on
1627 FreeBSD; in those OSes, you might always get those packets, or you might
1628 only get them if you capture in promiscuous mode (you'd have to determine
1631 Note that libpcap does not currently supply to programs that use it an
1632 indication of whether the packet's CRC was invalid (because the drivers
1633 themselves do not supply that information to the raw packet capture
1634 mechanism); therefore, Ethereal will not indicate which packets had CRC
1635 errors unless the FCS was captured (see the next question) and you're using
1636 Ethereal 0.9.15 and later, in which case Ethereal will check the CRC and
1637 indicate whether it's correct or not.
1639 Q 7.10: How can I capture entire frames, including the FCS?
1641 A: Ethereal can only capture data that the packet capture library - libpcap
1642 on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on Windows
1643 - can capture, and libpcap/WinPcap can capture only the data that the OS's
1644 raw packet capture mechanism (or the WinPcap driver, and the underlying OS
1645 networking code and network interface drivers, on Windows) will allow it to
1648 For any particular link-layer network type, unless the OS supplies the FCS
1649 of a frame as part of the frame, or can be configured to do so, Ethereal -
1650 and other programs that capture raw packets, such as tcpdump - cannot
1651 capture the FCS of a frame. You will have to determine whether your OS needs
1652 to be so configured and, if so, can be so configured, configure it if
1653 necessary and possible, and make whatever changes to libpcap and the packet
1654 capture program you're using are necessary, if any, to support capturing the
1657 Most OSes do not support capturing the FCS of a frame on Ethernet, and
1658 probably do not support it on most other link-layer types. Some drivres on
1659 some OSes do support it, such as some (all?) Ethernet drivers on NetBSD and
1660 possibly the driver for Apple's gigabit Ethernet interface in Mac OS X; in
1661 those OSes, you might always get the FCS, or you might only get the FCS if
1662 you capture in promiscuous mode (you'd have to determine which is the case).
1664 Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in a
1665 captured packet as an FCS. 0.9.15 and later will attempt to determine
1666 whether there's an FCS at the end of the frame and, if it thinks there is,
1667 will display it as such, and will check whether it's the correct CRC-32
1670 Q 7.11: I'm capturing packets on a machine on a VLAN; why don't the packets
1671 I'm capturing have VLAN tags?
1673 A: You might be capturing on what might be called a "VLAN interface" - the
1674 way a particular OS makes VLANs plug into the networking stack might, for
1675 example, be to have a network device object for the physical interface,
1676 which takes VLAN packets, strips off the VLAN header and constructs an
1677 Ethernet header, and passes that packet to an internal network device object
1678 for the VLAN, which then passes the packets onto various higher-level
1679 protocol implementations.
1681 In order to see the raw Ethernet packets, rather than "de-VLANized" packets,
1682 you would have to capture not on the virtual interface for the VLAN, but on
1683 the interface corresponding to the physical network device, if possible. See
1684 the Ethereal Wiki item on VLAN capturing for details.
1686 Q 7.12: Why does Ethereal hang after I stop a capture?
1688 A: The most likely reason for this is that Ethereal is trying to look up an
1689 IP address in the capture to convert it to a name (so that, for example, it
1690 can display the name in the source address or destination address columns),
1691 and that lookup process is taking a very long time.
1693 Ethereal calls a routine in the OS of the machine on which it's running to
1694 convert of IP addresses to the corresponding names. That routine probably
1695 does one or more of:
1696 * a search of a system file listing IP addresses and names;
1697 * a lookup using DNS;
1698 * on UNIX systems, a lookup using NIS;
1699 * on Windows systems, a NetBIOS-over-TCP query.
1701 If a DNS server that's used in an address lookup is not responding, the
1702 lookup will fail, but will only fail after a timeout while the system
1703 routine waits for a reply.
1705 In addition, on Windows systems, if the DNS lookup of the address fails,
1706 either because the server isn't responding or because there are no records
1707 in the DNS that could be used to map the address to a name, a
1708 NetBIOS-over-TCP query will be made. That query involves sending a message
1709 to the NetBIOS-over-TCP name service on that machine, asking for the name
1710 and other information about the machine. If the machine isn't running
1711 software that responds to those queries - for example, many non-Windows
1712 machines wouldn't be running that software - the lookup will only fail after
1713 a timeout. Those timeouts can cause the lookup to take a long time.
1715 If you disable network address-to-name translation - for example, by turning
1716 off the "Enable network name resolution" option in the "Capture Options"
1717 dialog box for starting a network capture - the lookups of the address won't
1718 be done, which may speed up the process of reading the capture file after
1719 the capture is stopped. You can make that setting the default by selecting
1720 "Preferences" from the "Edit" menu, turning off the "Enable network name
1721 resolution" option in the "Name resolution" options in the preferences
1722 disalog box, and using the "Save" button in that dialog box; note that this
1723 will save all your current preference settings.
1725 If Ethereal hangs when reading a capture even with network name resolution
1726 turned off, there might, for example, be a bug in one of Ethereal's
1727 dissectors for a protocol causing it to loop infinitely. If you're not
1728 running the most recent release of Ethereal, you should first upgrade to
1729 that release, as, if there's a bug of that sort, it might've been fixed in a
1730 release after the one you're running. If the hang occurs in the most recent
1731 release of Ethereal, the bug should be reported to the Ethereal developers'
1732 mailing list at ethereal-dev@ethereal.com.
1734 On UNIX-flavored OSes, please try to force Ethereal to dump core, by sending
1735 it a SIGABRT signal (usually signal 6) with the kill command, and then get a
1736 stack trace if you have a debugger installed. A stack trace can be obtained
1737 by using your debugger (gdb in this example), the Ethereal binary, and the
1738 resulting core file. Here's an example of how to use the gdb command
1742 ..... prints the stack trace
1746 The core dump file may be named "ethereal.core" rather than "core" on some
1747 platforms (e.g., BSD systems).
1749 Also, if at all possible, please send a copy of the capture file that caused
1750 the problem; when capturing packets, Ethereal normally writes captured
1751 packets to a temporary file, which will probably be in /tmp or /var/tmp on
1752 UNIX-flavored OSes, \TEMP on the main system disk (normally C:) on Windows
1753 9x/Me/NT 4.0, and \Documents and Settings\your login name\Local
1754 Settings\Temp on the main system disk on Windows 2000/Windows XP/Windows
1755 Server 2003, so the capture file will probably be there. It will have a name
1756 beginning with ether, with some mixture of letters and numbers after that.
1757 Please don't send a trace file greater than 1 MB when compressed; instead,
1758 make it available via FTP or HTTP, or say it's available but leave it up to
1759 a developer to ask for it. If the trace file contains sensitive information
1760 (e.g., passwords), then please do not send it.
1762 8. Capturing packets on Windows
1764 Q 8.1: I'm running Ethereal on Windows; why does some network interface on
1765 my machine not show up in the list of interfaces in the "Interface:" field
1766 in the dialog box popped up by "Capture->Start", and/or why does Ethereal
1767 give me an error if I try to capture on that interface?
1769 A: If you are running Ethereal on Windows NT 4.0, Windows 2000, Windows XP,
1770 or Windows Server 2003, and this is the first time you have run a
1771 WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, or
1772 Analyzer, or...) since the machine was rebooted, you need to run that
1773 program from an account with administrator privileges; once you have run
1774 such a program, you will not need administrator privileges to run any such
1775 programs until you reboot.
1777 If you are running on Windows 95/98/Me, or if you are running on Windows NT
1778 4.0/Windows 2000/Windows XP/Windows Server 2003 and have administrator
1779 privileges or a WinPcap-based program has been run with those privileges
1780 since the machine rebooted, this problem might clear up if you completely
1781 un-install WinPcap and then re-install it.
1783 If that doesn't work, then note that Ethereal relies on the WinPcap library,
1784 on the WinPcap device driver, and on the facilities that come with the OS on
1785 which it's running in order to do captures.
1787 Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
1788 support capturing on a particular network interface device, Ethereal won't
1789 be able to capture on that device.
1792 1. 2.02 and earlier versions of the WinPcap driver and library that
1793 Ethereal uses for packet capture didn't support Token Ring interfaces;
1794 versions 2.1 and later support Token Ring, and the current version of
1795 Ethereal works with (and, in fact, requires) WinPcap 2.1 or later.
1796 If you are having problems capturing on Token Ring interfaces, and you
1797 have WinPcap 2.02 or an earlier version of WinPcap installed, you should
1798 uninstall WinPcap, download and install the current version of WinPcap,
1799 and then install the latest version of Ethereal.
1800 2. On Windows 95, 98, or Me, sometimes more than one interface will be
1801 given the same name; if that is the case, you will only be able to
1802 capture on one of those interfaces - it's not clear to which one the
1803 name, when used in a WinPcap-based application, will refer. For example,
1804 if you have a PPP serial interface and a VPN interface, they might show
1805 up with the same name, for example "ppp-mac", and if you try to capture
1806 on "ppp-mac", it might not capture on the interface you're currently
1807 using. In that case, you might, for example, have to remove the VPN
1808 interface from the system in order to capture on the PPP serial
1810 3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows NT
1811 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to avoid
1812 those problems, support for PPP WAN interfaces on those versions of
1813 Windows has been disabled in WinPcap 3.0. Regular dial-up lines, ISDN
1814 lines, ADSL connections using PPPoE or PPPoA, and various other lines
1815 such as T1/E1 lines are all PPP interfaces, so those interfaces might
1816 not show up on the list of interfaces in the "Capture Options" dialog on
1818 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT
1819 4.0 or Windows Vista Beta 1, you should be able to capture on the
1820 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
1821 the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
1822 un-install it and install the final 3.1 release.) See the Ethereal Wiki
1823 item on PPP capturing for details.
1824 4. WinPcap prior to 3.0 does not support multiprocessor machines (note that
1825 machines with a single multi-threaded processor, such as Intel's new
1826 multi-threaded x86 processors, are multiprocessor machines as far as the
1827 OS and WinPcap are concerned), and recent 2.x versions of WinPcap refuse
1828 to operate if they detect that they're running on a multiprocessor
1829 machine, which means that they may not show any network interfaces. You
1830 will need to use WinPcap 3.0 to capture on a multiprocessor machine.
1832 If an interface doesn't show up in the list of interfaces in the
1833 "Interface:" field, and you know the name of the interface, try entering
1834 that name in the "Interface:" field and capturing on that device.
1836 If the attempt to capture on it succeeds, the interface is somehow not being
1837 reported by the mechanism Ethereal uses to get a list of interfaces. Try
1838 listing the interfaces with WinDump; see the WinDump Web site or the local
1839 mirror of the WinDump Web site for information on using WinDump.
1841 You would run WinDump with the -D flag; if it lists the interface, please
1842 report this to ethereal-dev@ethereal.com giving full details of the problem,
1844 * the operating system you're using, and the version of that operating
1846 * the type of network device you're using;
1847 * the output of WinDump.
1849 If WinDump does not list the interface, this is almost certainly a problem
1850 with one or more of:
1851 * the operating system you're using;
1852 * the device driver for the interface you're using;
1853 * the WinPcap library and/or the WinPcap device driver;
1855 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1856 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1857 there. If not, then see the WinPcap support page (or the local mirror of
1858 that page) - check the "Submitting bugs" section.
1860 If you are having trouble capturing on a particular network interface, first
1861 try capturing on that device with WinDump; see the WinDump Web site or the
1862 local mirror of the WinDump Web site for information on using WinDump.
1864 If you can capture on the interface with WinDump, send mail to
1865 ethereal-users@ethereal.com giving full details of the problem, including
1866 * the operating system you're using, and the version of that operating
1868 * the type of network device you're using;
1869 * the error message you get from Ethereal.
1871 If you cannot capture on the interface with WinDump, this is almost
1872 certainly a problem with one or more of:
1873 * the operating system you're using;
1874 * the device driver for the interface you're using;
1875 * the WinPcap library and/or the WinPcap device driver;
1877 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1878 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1879 there. If not, then see the WinPcap support page (or the local mirror of
1880 that page) - check the "Submitting bugs" section.
1882 You may also want to ask the ethereal-users@ethereal.com and the
1883 winpcap-users@winpcap.org mailing lists to see if anybody happens to know
1884 about the problem and know a workaround or fix for the problem. (Note that
1885 you will have to subscribe to that list in order to be allowed to mail to
1886 it; see the WinPcap support page, or the local mirror of that page, for
1887 information on the mailing list.) In your mail, please give full details of
1888 the problem, as described above, and also indicate that the problem occurs
1889 with WinDump, not just with Ethereal.
1891 Q 8.2: I'm running Ethereal on Windows; why do no network interfaces show up
1892 in the list of interfaces in the "Interface:" field in the dialog box popped
1893 up by "Capture->Start"?
1895 A: This is really the same question as the previous one; see the response to
1898 Q 8.3: I'm running Ethereal on Windows; why doesn't my serial port/ADSL
1899 modem/ISDN modem show up in the list of interfaces in the "Interface:" field
1900 in the dialog box popped up by "Capture->Start"?
1902 A: Internet access on those devices is often done with the Point-to-Point
1903 (PPP) protocol; WinPcap 2.3 has problems supporting PPP WAN interfaces on
1904 Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
1905 avoid those problems, support for PPP WAN interfaces on those versions of
1906 Windows has been disabled in WinPcap 3.0.
1908 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0
1909 or Windows Vista Beta 1, you should be able to capture on the
1910 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the
1911 "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install
1912 it and install the final 3.1 release.) See the Ethereal Wiki item on PPP
1913 capturing for details.
1915 Q 8.4: I'm running Ethereal on Windows NT 4.0/Windows 2000/Windows
1916 XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
1917 interface, and it shows up in the "Interface" item in the "Capture Options"
1918 dialog box. Why can no packets be sent on or received from that network
1919 while I'm trying to capture traffic on that interface?
1921 A: Some versions of WinPcap have problems with PPP WAN interfaces on Windows
1922 NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one symptom that
1923 may be seen is that attempts to capture in promiscuous mode on the interface
1924 cause the interface to be incapable of sending or receiving packets. You can
1925 disable promiscuous mode using the -p command-line flag or the item in the
1926 "Capture Preferences" dialog box, but this may mean that outgoing packets,
1927 or incoming packets, won't be seen in the capture.
1929 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0
1930 or Windows Vista Beta 1, you should be able to capture on the
1931 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the
1932 "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install
1933 it and install the final 3.1 release.) See the Ethereal Wiki item on PPP
1934 capturing for details.
1936 Q 8.5: I'm running Ethereal on Windows 95/98/Me, on a machine with more than
1937 one network adapter of the same type; why does Ethereal show all of those
1938 adapters with the same name, not letting me use any of those adapters other
1941 A: Unfortunately, Windows 95/98/Me gives the same name to multiple instances
1942 of the type of same network adapter. Therefore, WinPcap cannot distinguish
1943 between them, so a WinPcap-based application can capture only on the first
1944 such interface; Ethereal is a libpcap/WinPcap-based application.
1946 Q 8.6: I'm running Ethereal on Windows; why am I not seeing any traffic
1947 being sent by the machine running Ethereal?
1949 A: If you are running some form of VPN client software, it might be causing
1950 this problem; people have seen this problem when they have Check Point's VPN
1951 software installed on their machine. If that's the cause of the problem, you
1952 will have to remove the VPN software in order to have Ethereal (or any other
1953 application using WinPcap) see outgoing packets; unfortunately, neither we
1954 nor the WinPcap developers know any way to make WinPcap and the VPN software
1957 Also, some drivers for Windows (especially some wireless network interface
1958 drivers) apparently do not, when running in promiscuous mode, arrange that
1959 outgoing packets are delivered to the software that requested that the
1960 interface run promiscuously; try turning promiscuous mode off.
1962 Q 8.7: When I capture on Windows in promiscuous mode, I can see packets
1963 other than those sent to or from my machine; however, those packets show up
1964 with a "Short Frame" indication, unlike packets to or from my machine. What
1965 should I do to arrange that I see those packets in their entirety?
1967 A: In at least some cases, this appears to be the result of PGPnet running
1968 on the network interface on which you're capturing; turn it off on that
1971 Q 8.8: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why
1972 are the time stamps on packets wrong?
1974 A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap 3.0
1977 Q 8.9: I'm trying to capture 802.11 traffic on Windows; why am I not seeing
1980 A: At least some 802.11 card drivers on Windows appear not to see any
1981 packets if they're running in promiscuous mode. Try turning promiscuous mode
1982 off; you'll only be able to see packets sent by and received by your
1983 machine, not third-party traffic, and it'll look like Ethernet traffic and
1984 won't include any management or control frames, but that's a limitation of
1987 See MicroLogix's list of cards supported with WinPcap for information on
1988 support of various adapters and drivers with WinPcap.
1990 Q 8.10: I'm trying to capture 802.11 traffic on Windows; why am I seeing
1991 packets received by the machine on which I'm capturing traffic, but not
1992 packets sent by that machine?
1994 A: This appears to be another problem with promiscuous mode; try turning it
1997 Q 8.11: I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
1998 capturing on a "raw" Ethernet device rather than a "VLAN interface", so that
1999 I can see the VLAN headers; why am I seeing packets received by the machine
2000 on which I'm capturing traffic, but not packets sent by that machine?
2002 A: The way the Windows networking code works probably means that packets are
2003 sent on a "VLAN interface" rather than the "raw" device, so packets sent by
2004 the machine will only be seen when you capture on the "VLAN interface". If
2005 so, you will be unable to see outgoing packets when capturing on the "raw"
2006 device, so you are stuck with a choice between seeing VLAN headers and
2007 seeing outgoing packets.
2009 9. Capturing packets on UN*Xes
2011 Q 9.1: I'm running Ethereal on a UNIX-flavored OS; why does some network
2012 interface on my machine not show up in the list of interfaces in the
2013 "Interface:" field in the dialog box popped up by "Capture->Start", and/or
2014 why does Ethereal give me an error if I try to capture on that interface?
2016 A: You may need to run Ethereal from an account with sufficient privileges
2017 to capture packets, such as the super-user account, or may need to give your
2018 account sufficient privileges to capture packets. Only those interfaces that
2019 Ethereal can open for capturing show up in that list; if you don't have
2020 sufficient privileges to capture on any interfaces, no interfaces will show
2021 up in the list. See the Ethereal Wiki item on capture privileges for details
2022 on how to give a particular account or account group capture privileges on
2023 platforms where that can be done.
2025 If you are running Ethereal from an account with sufficient privileges, then
2026 note that Ethereal relies on the libpcap library, and on the facilities that
2027 come with the OS on which it's running in order to do captures. On some
2028 OSes, those facilities aren't present by default; see the Ethereal Wiki item
2029 on adding capture support for details.
2031 And, even if you're running with an account that has sufficient privileges
2032 to capture, and capture support is present in your OS, if the OS or the
2033 libpcap library don't support capturing on a particular network interface
2034 device or particular types of devices, Ethereal won't be able to capture on
2037 On Solaris, note that libpcap 0.6.2 and earlier didn't support Token Ring
2038 interfaces; the current version, 0.7.2, does support Token Ring, and the
2039 current version of Ethereal works with libcap 0.7.2 and later.
2041 If an interface doesn't show up in the list of interfaces in the
2042 "Interface:" field, and you know the name of the interface, try entering
2043 that name in the "Interface:" field and capturing on that device.
2045 If the attempt to capture on it succeeds, the interface is somehow not being
2046 reported by the mechanism Ethereal uses to get a list of interfaces; please
2047 report this to ethereal-dev@ethereal.com giving full details of the problem,
2049 * the operating system you're using, and the version of that operating
2050 system (for Linux, give both the version number of the kernel and the
2051 name and version number of the distribution you're using);
2052 * the type of network device you're using.
2054 If you are having trouble capturing on a particular network interface, and
2055 you've made sure that (on platforms that require it) you've arranged that
2056 packet capture support is present, as per the above, first try capturing on
2057 that device with tcpdump.
2059 If you can capture on the interface with tcpdump, send mail to
2060 ethereal-users@ethereal.com giving full details of the problem, including
2061 * the operating system you're using, and the version of that operating
2062 system (for Linux, give both the version number of the kernel and the
2063 name and version number of the distribution you're using);
2064 * the type of network device you're using;
2065 * the error message you get from Ethereal.
2067 If you cannot capture on the interface with tcpdump, this is almost
2068 certainly a problem with one or more of:
2069 * the operating system you're using;
2070 * the device driver for the interface you're using;
2071 * the libpcap library;
2073 so you should report the problem to the company or organization that
2074 produces the OS (in the case of a Linux distribution, report the problem to
2075 whoever produces the distribution).
2077 You may also want to ask the ethereal-users@ethereal.com and the
2078 tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to know
2079 about the problem and know a workaround or fix for the problem. In your
2080 mail, please give full details of the problem, as described above, and also
2081 indicate that the problem occurs with tcpdump not just with Ethereal.
2083 Q 9.2: I'm running Ethereal on a UNIX-flavored OS; why do no network
2084 interfaces show up in the list of interfaces in the "Interface:" field in
2085 the dialog box popped up by "Capture->Start"?
2087 A: This is really the same question as the previous one; see the response to
2090 Q 9.3: I'm capturing packets on Linux; why do the time stamps have only
2091 100ms resolution, rather than 1us resolution?
2093 A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap get
2094 them from the OS kernel, so Ethereal - and any other program using libpcap,
2095 such as tcpdump - is at the mercy of the time stamping code in the OS for
2098 At least on x86-based machines, Linux can get high-resolution time stamps on
2099 newer processors with the Time Stamp Counter (TSC) register; for example,
2100 Intel x86 processors, starting with the Pentium Pro, and including all x86
2101 processors since then, have had a TSC, and other vendors probably added the
2102 TSC at some point to their families of x86 processors.
2104 The Linux kernel must be configured with the CONFIG_X86_TSC option enabled
2105 in order to use the TSC. Make sure this option is enabled in your kernel.
2107 In addition, some Linux distributions may have bugs in their versions of the
2108 kernel that cause packets not to be given high-resolution time stamps even
2109 if the TSC is enabled. See, for example, bug 61111 for Red Hat Linux 7.2. If
2110 your distribution has a bug such as this, you may have to run a standard
2111 kernel from kernel.org in order to get high-resolution time stamps.
2113 10. Capturing packets on wireless LANs
2115 Q 10.1: How can I capture raw 802.11 frames, including non-data (management,
2118 A: That depends on the operating system on which you're running, and on the
2119 802.11 interface on which you're capturing.
2121 This would probably require that you capture in promiscuous mode or in the
2122 mode called "monitor mode" or "RFMON mode". On some platforms, or with some
2123 cards, this might require that you capture in monitor mode - promiscuous
2124 mode might not be sufficient. If you want to capture traffic on networks
2125 other than the one with which you're associated, you will have to capture in
2128 Not all operating systems support capturing non-data packets and, even on
2129 operating systems that do support it, not all drivers, and thus not all
2130 interfaces, support it. Even on those that do, monitor mode might not be
2131 supported by the operating system or by the drivers for all interfaces.
2133 NOTE: an interface running in monitor mode will, on most if not all
2134 platforms, not be able to act as a regular network interface; putting it
2135 into monitor mode will, in effect, take your machine off of whatever network
2136 it's on as long as the interface is in monitor mode, allowing it only to
2137 passively capture packets.
2139 This means that you should disable name resolution when capturing in monitor
2140 mode; otherwise, when Ethereal (or Tethereal, or tcpdump) tries to display
2141 IP addresses as host names, it will probably block for a long time trying to
2142 resolve the name because it will not be able to communicate with any DNS or
2145 See the Ethereal Wiki item on 802.11 capturing for details.
2147 Q 10.2: How do I capture on an 802.11 device in monitor mode?
2149 A: Whether you will be able to capture in monitor mode depends on the
2150 operating system, adapter, and driver you're using. See the previous
2151 question for information on monitor mode, including a link to the Ethereal
2152 Wiki page that gives details on 802.11 capturing.
2156 Q 11.1: Why am I seeing lots of packets with incorrect TCP checksums?
2158 A: If the packets that have incorrect TCP checksums are all being sent by
2159 the machine on which Ethereal is running, this is probably because the
2160 network interface on which you're capturing does TCP checksum offloading.
2161 That means that the TCP checksum is added to the packet by the network
2162 interface, not by the OS's TCP/IP stack; when capturing on an interface,
2163 packets being sent by the host on which you're capturing are directly handed
2164 to the capture interface by the OS, which means that they are handed to the
2165 capture interface without a TCP checksum being added to them.
2167 The only way to prevent this from happening would be to disable TCP checksum
2169 1. that might not even be possible on some OSes;
2170 2. that could reduce networking performance significantly.
2172 However, you can disable the check that Ethereal does of the TCP checksum,
2173 so that it won't report any packets as having TCP checksum errors, and so
2174 that it won't refuse to do TCP reassembly due to a packet having an
2175 incorrect TCP checksum. That can be set as an Ethereal preference by
2176 selecting "Preferences" from the "Edit" menu, opening up the "Protocols"
2177 list in the left-hand pane of the "Preferences" dialog box, selecting "TCP",
2178 from that list, turning off the "Check the validity of the TCP checksum when
2179 possible" option, clicking "Save" if you want to save that setting in your
2180 preference file, and clicking "OK".
2182 It can also be set on the Ethereal or Tethereal command line with a -o
2183 tcp.check_checksum:false command-line flag, or manually set in your
2184 preferences file by adding a tcp.check_checksum:false line.
2186 Q 11.2: I've just installed Ethereal, and the traffic on my local LAN is
2187 boring. Where can I find more interesting captures?
2189 A: We have a collection of strange and exotic sample capture files at
2190 http://wiki.ethereal.com/SampleCaptures
2192 Q 11.3: Why doesn't Ethereal correctly identify RTP packets? It shows them
2195 A: Ethereal can identify a UDP datagram as containing a packet of a
2196 particular protocol running atop UDP only if
2197 1. The protocol in question has a particular standard port number, and the
2198 UDP source or destination port number is that port
2199 2. Packets of that protocol can be identified by looking for a "signature"
2200 of some type in the packet - i.e., some data that, if Ethereal finds it
2201 in some particular part of a packet, means that the packet is almost
2202 certainly a packet of that type.
2203 3. Some other traffic earlier in the capture indicated that, for example,
2204 UDP traffic between two particular addresses and ports will be RTP
2207 RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, as
2208 far as I know, have any "signature", so 2) doesn't work.
2210 That leaves 3). If there's RTSP traffic that sets up an RTP session, then,
2211 at least in some cases, the RTSP dissector will set things up so that
2212 subsequent RTP traffic will be identified. Currently, that's the only place
2213 we do that; there may be other places.
2215 However, there will always be places where Ethereal is simply incapable of
2216 deducing that a given UDP flow is RTP; a mechanism would be needed to allow
2217 the user to specify that a given conversation should be treated as RTP. As
2218 of Ethereal 0.8.16, such a mechanism exists; if you select a UDP or TCP
2219 packet, the right mouse button menu will have a "Decode As..." menu item,
2220 which will pop up a dialog box letting you specify that the source port, the
2221 destination port, or both the source and destination ports of the packet
2222 should be dissected as some particular protocol.
2224 Q 11.4: Why doesn't Ethereal show Yahoo Messenger packets in captures that
2225 contain Yahoo Messenger traffic?
2227 A: Ethereal only recognizes as Yahoo Messenger traffic packets to or from
2228 TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP segments that
2229 start with the middle of a Yahoo Messenger packet that takes more than one
2230 TCP segment will not be recognized as Yahoo Messenger packets (even if the
2231 TCP segment also contains the beginning of another Yahoo Messenger packet).
2233 12. Filtering traffic
2235 Q 12.1: I saved a filter and tried to use its name to filter the display;
2236 why do I get an "Unexpected end of filter string" error?
2238 A: You cannot use the name of a saved display filter as a filter. To filter
2239 the display, you can enter a display filter expression - not the name of a
2240 saved display filter - in the "Filter:" box at the bottom of the display,
2241 and type the key or press the "Apply" button (that does not require you to
2242 have a saved filter), or, if you want to use a saved filter, you can press
2243 the "Filter:" button, select the filter in the dialog box that pops up, and
2244 press the "OK" button.
2246 Q 12.2: How can I search for, or filter, packets that have a particular
2247 string anywhere in them?
2249 A: If you want to do this when capturing, you can't. That's a feature that
2250 would be hard to implement in capture filters without changes to the capture
2251 filter code, which, on many platforms, is in the OS kernel and, on other
2252 platforms, is in the libpcap library.
2254 In releases prior to 0.9.14, you also can't search for, or filter, packets
2255 containing a particular string even after you've captured them.
2257 In 0.9.14, you can search for, but not filter, packets that have a
2258 particular string; this has been added to the "Find Frame" dialog ("Find
2259 Frame" under the "Edit" menu, or control-F).
2261 In 0.9.15 and later, you can search for those packets using either the
2262 mechanism introduced in 0.9.14 or using the new "contains" operator in
2263 filter expressions, which lets you search the entire packet or text string
2264 or byte string fields in the packet; the "contains" operator can also be
2265 used in expressions used to filter the display.
2267 Q 12.3: How do I filter a capture to see traffic for virus XXX?
2269 A: For some viruses/worms there might be a capture filter to recognize the
2270 virus traffic. Check the CaptureFilters page on the Ethereal Wiki to see if
2271 anybody's added such a filter.
2273 Note that Ethereal was not designed to be an intrusion detection system; you
2274 might be able to use it as an IDS, but in most cases software designed to be
2275 an IDS, such as Snort or Prelude, will probably work better.
2277 The Bleeding Edge of Snort has a collection of signatures for Snort to
2278 detect various viruses, worms, and the like.
2280 Please send support questions about Ethereal to the
2281 ethereal-users[AT]ethereal.com mailing list.
2282 For corrections/additions/suggestions for this web page (and not Ethereal
2283 support questions), please send email to ethereal-web[AT]ethereal.com.
2284 Last modified: Thu, February 23 2006.
2285 "Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.