4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.wireshark.org/faq.html for the up
6 to date version. The version of this snapshot can be found at
7 the end of this document.
14 1.1 What is Wireshark?
16 1.2 What's up with the name change? Is Wireshark a fork?
18 1.3 Where can I get help?
20 1.4 How much does Wireshark cost?
22 1.5 Can I use Wireshark commercially?
24 1.6 Can I use Wireshark as part of my commercial product?
26 1.7 What protocols are currently supported?
28 1.8 Are there any plans to support {your favorite protocol}?
30 1.9 Can Wireshark read capture files from {your favorite network analyzer}?
32 1.10 What devices can Wireshark use to capture packets?
34 1.11 Does Wireshark work on Windows Me?
36 1.12 Does Wireshark work on Windows XP?
38 2. Downloading Wireshark:
40 2.1 Why do I get an error when I try to run the Win32 installer?
42 3. Installing Wireshark:
44 3.1 I installed the Wireshark RPM (or other package); why did it install
45 TShark but not Wireshark?
47 4. Building Wireshark:
49 4.1 I have libpcap installed; why did the configure script not find pcap.h
52 4.2 Why do I get the error
54 dftest_DEPENDENCIES was already defined in condition TRUE, which implies
55 condition HAVE_PLUGINS_TRUE
57 when I try to build Wireshark from SVN or a SVN snapshot?
59 4.3 Why does the linker fail with a number of "Output line too long."
60 messages followed by linker errors when I try to buil Wireshark?
62 4.4 When I try to build Wireshark on Solaris, why does the link fail
63 complaining that plugin_list is undefined?
65 4.5 When I try to build Wireshark on Windows, why does the build fail
66 because of conflicts between winsock.h and winsock2.h?
68 5. Starting Wireshark:
70 5.1 Why does Wireshark crash with a Bus Error when I try to run it on
73 5.2 When I run Wireshark on Windows NT, why does it die with a Dr. Watson
74 error, reporting an "Integer division by zero" exception, when I start it?
76 5.3 When I try to run Wireshark, why does it complain about
77 sprint_realloc_objid being undefined?
79 5.4 When I try to run Wireshark on Windows, why does it fail to run with a
80 complaint that it can't find packet.dll?
82 5.5 I've installed Wireshark from Fink on Mac OS X; why is it very slow to
85 6. Crashes and other fatal errors:
87 6.1 I have an XXX network card on my machine; if I try to capture on it, why
88 does my machine crash or reset itself?
90 6.2 Why does my machine crash or reset itself when I select "Start" from the
91 "Capture" menu or select "Preferences" from the "Edit" menu?
95 7.1 When I use Wireshark to capture packets, why do I see only packets to
96 and from my machine, or not see all the traffic I'm expecting to see from or
97 to the machine I'm trying to monitor?
99 7.2 When I capture with Wireshark, why can't I see any TCP packets other
100 than packets to and from my machine, even though another analyzer on the
101 network sees those packets?
103 7.3 Why am I only seeing ARP packets when I try to capture traffic?
105 7.4 Why am I not seeing any traffic when I try to capture traffic?
107 7.5 Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
109 7.6 How do I put an interface into promiscuous mode?
111 7.7 I can set a display filter just fine; why don't capture filters work?
113 7.8 I'm entering valid capture filters; why do I still get "parse error"
116 7.9 How can I capture packets with CRC errors?
118 7.10 How can I capture entire frames, including the FCS?
120 7.11 I'm capturing packets on a machine on a VLAN; why don't the packets I'm
121 capturing have VLAN tags?
123 7.12 Why does Wireshark hang after I stop a capture?
125 8. Capturing packets on Windows:
127 8.1 I'm running Wireshark on Windows; why does some network interface on my
128 machine not show up in the list of interfaces in the "Interface:" field in
129 the dialog box popped up by "Capture->Start", and/or why does Wireshark give
130 me an error if I try to capture on that interface?
132 8.2 I'm running Wireshark on Windows; why do no network interfaces show up
133 in the list of interfaces in the "Interface:" field in the dialog box popped
134 up by "Capture->Start"?
136 8.3 I'm running Wireshark on Windows; why doesn't my serial port/ADSL
137 modem/ISDN modem show up in the list of interfaces in the "Interface:" field
138 in the dialog box popped up by "Capture->Start"?
140 8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP/Windows
141 Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.) interface, and
142 it shows up in the "Interface" item in the "Capture Options" dialog box. Why
143 can no packets be sent on or received from that network while I'm trying to
144 capture traffic on that interface?
146 8.5 I'm running Wireshark on Windows 95/98/Me, on a machine with more than
147 one network adapter of the same type; why does Wireshark show all of those
148 adapters with the same name, not letting me use any of those adapters other
151 8.6 I'm running Wireshark on Windows; why am I not seeing any traffic being
152 sent by the machine running Wireshark?
154 8.7 When I capture on Windows in promiscuous mode, I can see packets other
155 than those sent to or from my machine; however, those packets show up with a
156 "Short Frame" indication, unlike packets to or from my machine. What should
157 I do to arrange that I see those packets in their entirety?
159 8.8 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why are
160 the time stamps on packets wrong?
162 8.9 I'm trying to capture 802.11 traffic on Windows; why am I not seeing any
165 8.10 I'm trying to capture 802.11 traffic on Windows; why am I seeing
166 packets received by the machine on which I'm capturing traffic, but not
167 packets sent by that machine?
169 8.11 I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
170 capturing on a "raw" Ethernet device rather than a "VLAN interface", so that
171 I can see the VLAN headers; why am I seeing packets received by the machine
172 on which I'm capturing traffic, but not packets sent by that machine?
174 9. Capturing packets on UN*Xes:
176 9.1 I'm running Wireshark on a UNIX-flavored OS; why does some network
177 interface on my machine not show up in the list of interfaces in the
178 "Interface:" field in the dialog box popped up by "Capture->Start", and/or
179 why does Wireshark give me an error if I try to capture on that interface?
181 9.2 I'm running Wireshark on a UNIX-flavored OS; why do no network
182 interfaces show up in the list of interfaces in the "Interface:" field in
183 the dialog box popped up by "Capture->Start"?
185 9.3 I'm capturing packets on Linux; why do the time stamps have only 100ms
186 resolution, rather than 1us resolution?
188 10. Capturing packets on wireless LANs:
190 10.1 How can I capture raw 802.11 frames, including non-data (management,
193 10.2 How do I capture on an 802.11 device in monitor mode?
197 11.1 Why am I seeing lots of packets with incorrect TCP checksums?
199 11.2 I've just installed Wireshark, and the traffic on my local LAN is
200 boring. Where can I find more interesting captures?
202 11.3 Why doesn't Wireshark correctly identify RTP packets? It shows them
205 11.4 Why doesn't Wireshark show Yahoo Messenger packets in captures that
206 contain Yahoo Messenger traffic?
208 12. Filtering traffic:
210 12.1 I saved a filter and tried to use its name to filter the display; why
211 do I get an "Unexpected end of filter string" error?
213 12.2 How can I search for, or filter, packets that have a particular string
216 12.3 How do I filter a capture to see traffic for virus XXX?
220 Q 1.1: What is Wireshark?
222 A: Gerald Combs, the creator of Ethereal®, has initiated the Wireshark
223 network protocol analyzer project, a successor to Ethereal®. The Ethereal®
224 core developer team has moved with Gerald to the Wireshark project. It is
225 the world's most popular network protocol analyzer. It has a rich and
226 powerful feature set, and runs on most computing platforms including
227 Windows, OS X, and Linux. It is freely available as open source, and is
228 released under the GNU General Public License.
230 For more information, please see the About Wireshark page.
232 Q 1.2: What's up with the name change? Is Wireshark a fork?
234 A: In May of 2006, the original author of Ethereal® went to work for CACE
235 Technologies (best known for WinPcap). Unfortunately, he had to leave the
236 Ethereal® trademarks behind.
238 This left the project in an awkward position. The only reasonable way to
239 ensure the continued success of the project was to change the name. This is
240 how Wireshark was born.
242 Wireshark is almost (but not quite) a fork. Normally a "fork" of an open
243 source project results in two names, web sites, development teams, support
244 infrastructures, etc. This is the case with Wireshark except for one notable
245 exception -- every member of the core development team is now working on
246 Wireshark. More information on the name change can be found here:
250 Q 1.3: Where can I get help?
252 A: Community support is available on the wireshark-users mailing list.
253 Subscription information and archives for all of Wireshark's mailing lists
254 can be found at http://www.wireshark.org/mailman/listinfo. An IRC channel
255 dedicated to Wireshark can be found at irc://irc.freenode.net/wireshark.
257 Commercial support, training, and development services are available from
260 Q 1.4: How much does Wireshark cost?
262 A: Wireshark is "free software"; you can download it without paying any
263 license fee. The version of Wireshark you download isn't a "demo" version,
264 with limitations not present in a "full" version; it is the full version.
266 The license under which Wireshark is issued is the GNU General Public
267 License. See the GNU GPL FAQ for some more information.
269 Q 1.5: Can I use Wireshark commercially?
271 A: Yes, if, for example, you mean "I work for a commercial organization; can
272 I use Wireshark to capture and analyze network traffic in our company's
273 networks or in our customer's networks?"
275 If you mean "Can I use Wireshark as part of my commercial product?", see the
276 next entry in the FAQ.
278 Q 1.6: Can I use Wireshark as part of my commercial product?
280 A: As noted, Wireshark is licensed under the GNU General Public License. The
281 GPL imposes conditions on your use of GPL'ed code in your own products; you
282 cannot, for example, make a "derived work" from Wireshark, by making
283 modifications to it, and then sell the resulting derived work and not allow
284 recipients to give away the resulting work. You must also make the changes
285 you've made to the Wireshark source available to all recipients of your
286 modified version; those changes must also be licensed under the terms of the
287 GPL. See the GPL FAQ for more details; in particular, note the answer to the
288 question about modifying a GPLed program and selling it commercially, and
289 the question about linking GPLed code with other code to make a proprietary
292 You can combine a GPLed program such as Wireshark and a commercial program
293 as long as they communicate "at arm's length", as per this item in the GPL
296 Q 1.7: What protocols are currently supported?
298 A: There are currently hundreds of supported protocols and media. Details
299 can be found in the wireshark(1) man page.
301 Q 1.8: Are there any plans to support {your favorite protocol}?
303 A: Support for particular protocols is added to Wireshark as a result of
304 people contributing that support; no formal plans for adding support for
305 particular protocols in particular future releases exist.
307 Q 1.9: Can Wireshark read capture files from {your favorite network
310 A: Support for particular protocols is added to Wireshark as a result of
311 people contributing that support; no formal plans for adding support for
312 particular protocols in particular future releases exist.
314 If a network analyzer writes out files in a format already supported by
315 Wireshark (e.g., in libpcap format), Wireshark may already be able to read
316 them, unless the analyzer has added its own proprietary extensions to that
319 If a network analyzer writes out files in its own format, or has added
320 proprietary extensions to another format, in order to make Wireshark read
321 captures from that network analyzer, we would either have to have a
322 specification for the file format, or the extensions, sufficient to give us
323 enough information to read the parts of the file relevant to Wireshark, or
324 would need at least one capture file in that format AND a detailed textual
325 analysis of the packets in that capture file (showing packet time stamps,
326 packet lengths, and the top-level packet header) in order to
327 reverse-engineer the file format.
329 Note that there is no guarantee that we will be able to reverse-engineer a
332 Q 1.10: What devices can Wireshark use to capture packets?
334 A: Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP
335 and SLIP) (if the OS on which it's running allows Wireshark to do so),
336 802.11 wireless LAN (if the OS on which it's running allows Wireshark to do
337 so), ATM connections (if the OS on which it's running allows Wireshark to do
338 so), and the "any" device supported on Linux by recent versions of libpcap.
340 It can also read a variety of capture file formats, including:
341 * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
343 * AIX's iptrace captures
344 * Accellent's 5Views LAN agent output
345 * Cinco Networks NetXRay captures
346 * Cisco Secure Intrusion Detection System IPLog output
347 * CoSine L2 debug output
348 * DBS Etherwatch VMS text output
349 * Endace Measurement Systems' ERF format captures
350 * EyeSDN USB S0 traces
351 * HP-UX nettl captures
352 * ISDN4BSD project i4btrace captures
353 * Linux Bluez Bluetooth stack hcidump -w traces
354 * Lucent/Ascend router debug output
355 * Microsoft Network Monitor captures
356 * Network Associates Windows-based Sniffer captures
357 * Network General/Network Associates DOS-based Sniffer (compressed or
358 uncompressed) captures
359 * Network Instruments Observer version 9 captures
360 * Novell LANalyzer captures
361 * RADCOM's WAN/LAN analyzer captures
362 * Shomiti/Finisar Surveyor captures
363 * Toshiba's ISDN routers dump output
364 * VMS TCPIPtrace/TCPtrace/UCX$TRACE output
365 * Visual Networks' Visual UpTime traffic capture
366 * libpcap, tcpdump and various other tools using tcpdump's capture format
367 * snoop and atmsnoop output
369 so that it can read traces from various network types, as captured by other
370 applications or equipment, even if it cannot itself capture on those network
373 Q 1.11: Does Wireshark work on Windows Me?
375 A: Yes, but if you want to capture packets, you will need to install the
376 latest version of WinPcap, as 2.02 and earlier versions of WinPcap didn't
377 support Windows Me. You should also install the latest version of Wireshark
380 Q 1.12: Does Wireshark work on Windows XP?
382 A: Yes, but if you want to capture packets, you will need to install the
383 latest version of WinPcap, as 2.2 and earlier versions of WinPcap didn't
386 2. Downloading Wireshark
388 Q 2.1: Why do I get an error when I try to run the Win32 installer?
390 A: The program you used to download it may have downloaded it incorrectly.
391 Web browsers sometimes may do this.
393 Try downloading it with, for example:
394 * Wget, for which Windows binaries are available on the SunSITE FTP server
395 at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI offers a GUI
396 interface that uses wget;
397 * WS_FTP from Ipswitch,
398 * the ftp command that comes with Windows.
400 If you use the ftp command, make sure you do the transfer in binary mode
401 rather than ASCII mode, by using the binary command before transferring the
404 3. Installing Wireshark
406 Q 3.1: I installed the Wireshark RPM (or other package); why did it install
407 TShark but not Wireshark?
409 A: Many distributions have separate Wireshark packages, one for non-GUI
410 components such as TShark, editcap, dumpcap, etc. and one for the GUI. If
411 this is the case on your system, there's probably a separate package named
412 wireshark-gnome or wireshark-gtk+. Find it and install it.
414 4. Building Wireshark
416 Q 4.1: I have libpcap installed; why did the configure script not find
419 A: Are you sure pcap.h and bpf.h are installed? The official distribution of
420 libpcap only installs the libpcap.a library file when "make install" is run.
421 To install pcap.h and bpf.h, you must run "make install-incl". If you're
422 running Debian or Redhat, make sure you have the "libpcap-dev" or
423 "libpcap-devel" packages installed.
425 It's also possible that pcap.h and bpf.h have been installed in a strange
426 location. If this is the case, you may have to tweak aclocal.m4.
428 Q 4.2: Why do I get the error
430 dftest_DEPENDENCIES was already defined in condition TRUE, which implies
431 condition HAVE_PLUGINS_TRUE
433 when I try to build Wireshark from SVN or a SVN snapshot?
435 A: You probably have automake 1.5 installed on your machine (the command
436 automake --version will report the version of automake on your machine).
437 There is a bug in that version of automake that causes this problem; upgrade
438 to a later version of automake (1.6 or later).
440 Q 4.3: Why does the linker fail with a number of "Output line too long."
441 messages followed by linker errors when I try to buil Wireshark?
443 A: The version of the sed command on your system is incapable of handling
444 very long lines. On Solaris, for example, /usr/bin/sed has a line length
445 limit too low to allow libtool to work; /usr/xpg4/bin/sed can handle it, as
446 can GNU sed if you have it installed.
448 On Solaris, changing your command search path to search /usr/xpg4/bin before
449 /usr/bin should make the problem go away; on any platform on which you have
450 this problem, installing GNU sed and changing your command path to search
451 the directory in which it is installed before searching the directory with
452 the version of sed that came with the OS should make the problem go away.
454 Q 4.4: When I try to build Wireshark on Solaris, why does the link fail
455 complaining that plugin_list is undefined?
457 A: This appears to be due to a problem with some versions of the GTK+ and
458 GLib packages from www.sunfreeware.org; un-install those packages, and try
459 getting the 1.2.10 versions from that site, or the versions from The Written
460 Word, or the versions from Sun's GNOME distribution, or the versions from
461 the supplemental software CD that comes with the Solaris media kit, or build
462 them from source from the GTK Web site. Then re-run the configuration
463 script, and try rebuilding Wireshark. (If you get the 1.2.10 versions from
464 www.sunfreeware.org, and the problem persists, un-install them and try
465 installing one of the other versions mentioned.)
467 Q 4.5: When I try to build Wireshark on Windows, why does the build fail
468 because of conflicts between winsock.h and winsock2.h?
470 A: As of Wireshark 0.9.5, you must install WinPcap 2.3 or later, and the
471 corresponding version of the developer's pack, in order to be able to
472 compile Wireshark; it will not compile with older versions of the
473 developer's pack. The symptoms of this failure are conflicts between
474 definitions in winsock.h and in winsock2.h; Wireshark uses winsock2.h, but
475 pre-2.3 versions of the WinPcap developer's packet use winsock.h. (2.3 uses
476 winsock2.h, so if Wireshark were to use winsock.h, it would not be able to
477 build with current versions of the WinPcap developer's pack.)
479 Note that the installed version of the developer's pack should be the same
480 version as the version of WinPcap you have installed.
482 5. Starting Wireshark
484 Q 5.1: Why does Wireshark crash with a Bus Error when I try to run it on
487 A: Some versions of the GTK+ library from www.sunfreeware.org appear to be
488 buggy, causing Wireshark to drop core with a Bus Error. Un-install those
489 packages, and try getting the 1.2.10 version from that site, or the version
490 from The Written Word, or the version from Sun's GNOME distribution, or the
491 version from the supplemental software CD that comes with the Solaris media
492 kit, or build it from source from the GTK Web site. Update the GLib library
493 to the 1.2.10 version, from the same source, as well. (If you get the 1.2.10
494 versions from www.sunfreeware.org, and the problem persists, un-install them
495 and try installing one of the other versions mentioned.)
497 Similar problems may exist with older versions of GTK+ for earlier versions
500 Q 5.2: When I run Wireshark on Windows NT, why does it die with a Dr. Watson
501 error, reporting an "Integer division by zero" exception, when I start it?
503 A: In at least some case, this appears to be due to using the default VGA
504 driver; if that's not the correct driver for your video card, try running
505 the correct driver for your video card.
507 Q 5.3: When I try to run Wireshark, why does it complain about
508 sprint_realloc_objid being undefined?
510 A: Wireshark can only be linked with version 4.2.2 or later of UCD SNMP.
511 Your version of Wireshark was dynamically linked with such a version of UCD
512 SNMP; however, you have an older version of UCD SNMP installed, which means
513 that when Wireshark is run, it tries to link to the older version, and
514 fails. You will have to replace that version of UCD SNMP with version 4.2.2
517 Q 5.4: When I try to run Wireshark on Windows, why does it fail to run with
518 a complaint that it can't find packet.dll?
520 A: In older versions of Wireshark, there were two binary distributions
521 available for Windows, one that supported capturing packets, and one that
522 didn't. The version that supported capturing packets required that you
523 install the WinPcap driver; if you didn't install it, it would fail to run
524 because it couldn't find packet.dll.
526 The current version of Wireshark has only one binary distribution for
527 Windows; that version will check whether WinPcap is installed and, if it's
528 not, will disable support for packet capture.
530 The WinPcap driver and libraries can be downloaded from the WinPcap Web site
531 or the Wiretapped.net mirror of the WinPcap site.
533 Q 5.5: I've installed Wireshark from Fink on Mac OS X; why is it very slow
536 A: When an application is installed on OS X, prior to 10.4, it is usually
537 "prebound" to speed up launching the application. (That's what the
538 "Optimizing" phase of installation is.) Fink normally performs prebinding
539 automatically when you install a package. However, in some rare cases, for
540 whatever reason the prebinding caches get corrupt, and then not only does
541 prebinding fail, but startup actually becomes much slower, because the
542 system tries in vain to perform prebinding "on the fly" as you launch the
543 application. This fails, causing sometimes huge delays. To fix the
544 prebinding caches, run the command
545 sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
547 6. Crashes and other fatal errors
549 Q 6.1: I have an XXX network card on my machine; if I try to capture on it,
550 why does my machine crash or reset itself?
552 A: This is almost certainly a problem with one or more of:
553 * the operating system you're using;
554 * the device driver for the interface you're using;
555 * the libpcap/WinPcap library and, if this is Windows, the WinPcap device
559 * if you are using Windows, see the WinPcap support page - check the
560 "Submitting bugs" section;
561 * if you are using some Linux distribution, some version of BSD, or some
562 other UNIX-flavored OS, you should report the problem to the company or
563 organization that produces the OS (in the case of a Linux distribution,
564 report the problem to whoever produces the distribution).
566 Q 6.2: Why does my machine crash or reset itself when I select "Start" from
567 the "Capture" menu or select "Preferences" from the "Edit" menu?
569 A: Both of those operations cause Wireshark to try to build a list of the
570 interfaces that it can open; it does so by getting a list of interfaces and
571 trying to open them. There is probably an OS, driver, or, for Windows,
572 WinPcap bug that causes the system to crash when this happens; see the
577 Q 7.1: When I use Wireshark to capture packets, why do I see only packets to
578 and from my machine, or not see all the traffic I'm expecting to see from or
579 to the machine I'm trying to monitor?
581 A: This might be because the interface on which you're capturing is plugged
582 into an Ethernet or Token Ring switch; on a switched network, unicast
583 traffic between two ports will not necessarily appear on other ports - only
584 broadcast and multicast traffic will be sent to all ports.
586 Note that even if your machine is plugged into a hub, the "hub" may be a
587 switched hub, in which case you're still on a switched network.
589 Note also that on the Linksys Web site, they say that their auto-sensing
590 hubs "broadcast the 10Mb packets to the port that operate at 10Mb only and
591 broadcast the 100Mb packets to the ports that operate at 100Mb only", which
592 would indicate that if you sniff on a 10Mb port, you will not see traffic
593 coming sent to a 100Mb port, and vice versa. This problem has also been
594 reported for Netgear dual-speed hubs, and may exist for other "auto-sensing"
595 or "dual-speed" hubs.
597 Some switches have the ability to replicate all traffic on all ports to a
598 single port so that you can plug your analyzer into that single port to
599 sniff all traffic. You would have to check the documentation for the switch
600 to see if this is possible and, if so, to see how to do this. See the switch
601 reference page on the Wireshark Wiki for information on some switches. (Note
602 that it's a Wiki, so you can update or fix that information, or add
603 additional information on those switches or information on new switches,
606 Note also that many firewall/NAT boxes have a switch built into them; this
607 includes many of the "cable/DSL router" boxes. If you have a box of that
608 sort, that has a switch with some number of Ethernet ports into which you
609 plug machines on your network, and another Ethernet port used to connect to
610 a cable or DSL modem, you can, at least, sniff traffic between the machines
611 on your network and the Internet by plugging the Ethernet port on the router
612 going to the modem, the Ethernet port on the modem, and the machine on which
613 you're running Wireshark into a hub (make sure it's not a switching hub, and
614 that, if it's a dual-speed hub, all three of those ports are running at the
617 If your machine is not plugged into a switched network or a dual-speed hub,
618 or it is plugged into a switched network but the port is set up to have all
619 traffic replicated to it, the problem might be that the network interface on
620 which you're capturing doesn't support "promiscuous" mode, or because your
621 OS can't put the interface into promiscuous mode. Normally, network
622 interfaces supply to the host only:
623 * packets sent to one of that host's link-layer addresses;
625 * multicast packets sent to a multicast address that the host has
626 configured the interface to accept.
628 Most network interfaces can also be put in "promiscuous" mode, in which they
629 supply to the host all network packets they see. Wireshark will try to put
630 the interface on which it's capturing into promiscuous mode unless the
631 "Capture packets in promiscuous mode" option is turned off in the "Capture
632 Options" dialog box, and TShark will try to put the interface on which it's
633 capturing into promiscuous mode unless the -p option was specified. However,
634 some network interfaces don't support promiscuous mode, and some OSes might
635 not allow interfaces to be put into promiscuous mode.
637 If the interface is not running in promiscuous mode, it won't see any
638 traffic that isn't intended to be seen by your machine. It will see
639 broadcast packets, and multicast packets sent to a multicast MAC address the
640 interface is set up to receive.
642 You should ask the vendor of your network interface whether it supports
643 promiscuous mode. If it does, you should ask whoever supplied the driver for
644 the interface (the vendor, or the supplier of the OS you're running on your
645 machine) whether it supports promiscuous mode with that network interface.
647 In the case of token ring interfaces, the drivers for some of them, on
648 Windows, may require you to enable promiscuous mode in order to capture in
649 promiscuous mode. See the Wireshark Wiki item on Token Ring capturing for
652 In the case of wireless LAN interfaces, it appears that, when those
653 interfaces are promiscuously sniffing, they're running in a significantly
654 different mode from the mode that they run in when they're just acting as
655 network interfaces (to the extent that it would be a significant effor for
656 those drivers to support for promiscuously sniffing and acting as regular
657 network interfaces at the same time), so it may be that Windows drivers for
658 those interfaces don't support promiscuous mode.
660 Q 7.2: When I capture with Wireshark, why can't I see any TCP packets other
661 than packets to and from my machine, even though another analyzer on the
662 network sees those packets?
664 A: You're probably not seeing any packets other than unicast packets to or
665 from your machine, and broadcast and multicast packets; a switch will
666 normally send to a port only unicast traffic sent to the MAC address for the
667 interface on that port, and broadcast and multicast traffic - it won't send
668 to that port unicast traffic sent to a MAC address for some other interface
669 - and a network interface not in promiscuous mode will receive only unicast
670 traffic sent to the MAC address for that interface, broadcast traffic, and
671 multicast traffic sent to a multicast MAC address the interface is set up to
674 TCP doesn't use broadcast or multicast, so you will only see your own TCP
675 traffic, but UDP services may use broadcast or multicast so you'll see some
676 UDP traffic - however, this is not a problem with TCP traffic, it's a
677 problem with unicast traffic, as you also won't see all UDP traffic between
680 I.e., this is probably the same question as this earlier one; see the
681 response to that question.
683 Q 7.3: Why am I only seeing ARP packets when I try to capture traffic?
685 A: You're probably on a switched network, and running Wireshark on a machine
686 that's not sending traffic to the switch and not being sent any traffic from
687 other machines on the switch. ARP packets are often broadcast packets, which
688 are sent to all switch ports.
690 I.e., this is probably the same question as this earlier one; see the
691 response to that question.
693 Q 7.4: Why am I not seeing any traffic when I try to capture traffic?
695 A: Is the machine running Wireshark sending out any traffic on the network
696 interface on which you're capturing, or receiving any traffic on that
697 network, or is there any broadcast traffic on the network or multicast
698 traffic to a multicast group to which the machine running Wireshark belongs?
700 If not, this may just be a problem with promiscuous sniffing, either due to
701 running on a switched network or a dual-speed hub, or due to problems with
702 the interface not supporting promiscuous mode; see the response to this
705 Otherwise, on Windows, see the response to this question and, on a
706 UNIX-flavored OS, see the response to this question.
708 Q 7.5: Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
710 A: Wireshark can only capture on devices supported by libpcap/WinPcap. On
711 most OSes, only devices that can act as network interfaces of the type that
712 support IP are supported as capture devices for libpcap/WinPcap, although
713 the device doesn't necessarily have to be running as an IP interface in
714 order to support traffic capture.
716 On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
717 Measurement Systems' DAG cards, so that a system with one of those cards,
718 and its driver and libraries, installed can capture traffic with those cards
719 with libpcap-based applications. You would either have to have a version of
720 Wireshark built with that version of libpcap, or a dynamically-linked
721 version of Wireshark and a shared libpcap library with DAG support, in order
722 to do so with Wireshark. You should ask Endace whether that could be used to
723 capture traffic on, for example, your T1/E1 link. See the SS7 capture setup
724 page on the Wireshark Wiki for current information on capturing SS7 traffic
727 Q 7.6: How do I put an interface into promiscuous mode?
729 A: By not disabling promiscuous mode when running Wireshark or TShark.
732 * the form of promiscuous mode that libpcap (the library that programs
733 such as tcpdump, Wireshark, etc. use to do packet capture) turns on will
734 not necessarily be shown if you run ifconfig on the interface on a UNIX
736 * some network interfaces might not support promiscuous mode, and some
737 drivers might not allow promiscuous mode to be turned on - see this
738 earlier question for more information on that;
739 * the fact that you're not seeing any traffic, or are only seeing
740 broadcast traffic, or aren't seeing any non-broadcast traffic other than
741 traffic to or from the machine running Wireshark, does not mean that
742 promiscuous mode isn't on - see this earlier question for more
745 I.e., this is probably the same question as this earlier one; see the
746 response to that question.
748 Q 7.7: I can set a display filter just fine; why don't capture filters work?
750 A: Capture filters currently use a different syntax than display filters.
751 Here's the corresponding section from the wireshark(1) man page:
753 "Display filters in Wireshark are very powerful; more fields are filterable
754 in Wireshark than in other protocol analyzers, and the syntax you can use to
755 create your filters is richer. As Wireshark progresses, expect more and more
756 protocol fields to be allowed in display filters.
758 Packet capturing is performed with the pcap library. The capture filter
759 syntax follows the rules of the pcap library. This syntax is different from
760 the display filter syntax."
762 The capture filter syntax used by libpcap can be found in the tcpdump(8) man
765 Q 7.8: I'm entering valid capture filters; why do I still get "parse error"
768 A: There is a bug in some versions of libpcap/WinPcap that cause it to
769 report parse errors even for valid expressions if a previous filter
770 expression was invalid and got a parse error.
772 Try exiting and restarting Wireshark; if you are using a version of
773 libpcap/WinPcap with this bug, this will "erase" its memory of the previous
774 parse error. If the capture filter that got the "parse error" now works, the
775 earlier error with that filter was probably due to this bug.
777 The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of libpcap
778 have this bug, but 0.6[.x] and later versions don't.
780 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of libpcap,
781 and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and doesn't have
784 If you are running Wireshark on a UNIX-flavored platform, run "wireshark
785 -v", or select "About Wireshark..." from the "Help" menu in Wireshark, to
786 see what version of libpcap it's using. If it's not 0.6 or later, you will
787 need either to upgrade your OS to get a later version of libpcap, or will
788 need to build and install a later version of libpcap from the tcpdump.org
789 Web site and then recompile Wireshark from source with that later version of
792 If you are running Wireshark on Windows with a pre-2.3 version of WinPcap,
793 you will need to un-install WinPcap and then download and install WinPcap
796 Q 7.9: How can I capture packets with CRC errors?
798 A: Wireshark can capture only the packets that the packet capture library -
799 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on
800 Windows - can capture, and libpcap/WinPcap can capture only the packets that
801 the OS's raw packet capture mechanism (or the WinPcap driver, and the
802 underlying OS networking code and network interface drivers, on Windows)
803 will allow it to capture.
805 Unless the OS always supplies packets with errors such as invalid CRCs to
806 the raw packet capture mechanism, or can be configured to do so, invalid
807 CRCs to the raw packet capture mechanism, Wireshark - and other programs
808 that capture raw packets, such as tcpdump - cannot capture those packets.
809 You will have to determine whether your OS needs to be so configured and, if
810 so, can be so configured, configure it if necessary and possible, and make
811 whatever changes to libpcap and the packet capture program you're using are
812 necessary, if any, to support capturing those packets.
814 Most OSes probably do not support capturing packets with invalid CRCs on
815 Ethernet, and probably do not support it on most other link-layer types.
816 Some drivers on some OSes do support it, such as some Ethernet drivers on
817 FreeBSD; in those OSes, you might always get those packets, or you might
818 only get them if you capture in promiscuous mode (you'd have to determine
821 Note that libpcap does not currently supply to programs that use it an
822 indication of whether the packet's CRC was invalid (because the drivers
823 themselves do not supply that information to the raw packet capture
824 mechanism); therefore, Wireshark will not indicate which packets had CRC
825 errors unless the FCS was captured (see the next question) and you're using
826 Wireshark 0.9.15 and later, in which case Wireshark will check the CRC and
827 indicate whether it's correct or not.
829 Q 7.10: How can I capture entire frames, including the FCS?
831 A: Wireshark can only capture data that the packet capture library - libpcap
832 on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on Windows
833 - can capture, and libpcap/WinPcap can capture only the data that the OS's
834 raw packet capture mechanism (or the WinPcap driver, and the underlying OS
835 networking code and network interface drivers, on Windows) will allow it to
838 For any particular link-layer network type, unless the OS supplies the FCS
839 of a frame as part of the frame, or can be configured to do so, Wireshark -
840 and other programs that capture raw packets, such as tcpdump - cannot
841 capture the FCS of a frame. You will have to determine whether your OS needs
842 to be so configured and, if so, can be so configured, configure it if
843 necessary and possible, and make whatever changes to libpcap and the packet
844 capture program you're using are necessary, if any, to support capturing the
847 Most OSes do not support capturing the FCS of a frame on Ethernet, and
848 probably do not support it on most other link-layer types. Some drivres on
849 some OSes do support it, such as some (all?) Ethernet drivers on NetBSD and
850 possibly the driver for Apple's gigabit Ethernet interface in Mac OS X; in
851 those OSes, you might always get the FCS, or you might only get the FCS if
852 you capture in promiscuous mode (you'd have to determine which is the case).
854 Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in a
855 captured packet as an FCS. 0.9.15 and later will attempt to determine
856 whether there's an FCS at the end of the frame and, if it thinks there is,
857 will display it as such, and will check whether it's the correct CRC-32
860 Q 7.11: I'm capturing packets on a machine on a VLAN; why don't the packets
861 I'm capturing have VLAN tags?
863 A: You might be capturing on what might be called a "VLAN interface" - the
864 way a particular OS makes VLANs plug into the networking stack might, for
865 example, be to have a network device object for the physical interface,
866 which takes VLAN packets, strips off the VLAN header and constructs an
867 Ethernet header, and passes that packet to an internal network device object
868 for the VLAN, which then passes the packets onto various higher-level
869 protocol implementations.
871 In order to see the raw Ethernet packets, rather than "de-VLANized" packets,
872 you would have to capture not on the virtual interface for the VLAN, but on
873 the interface corresponding to the physical network device, if possible. See
874 the Wireshark Wiki item on VLAN capturing for details.
876 Q 7.12: Why does Wireshark hang after I stop a capture?
878 A: The most likely reason for this is that Wireshark is trying to look up an
879 IP address in the capture to convert it to a name (so that, for example, it
880 can display the name in the source address or destination address columns),
881 and that lookup process is taking a very long time.
883 Wireshark calls a routine in the OS of the machine on which it's running to
884 convert of IP addresses to the corresponding names. That routine probably
886 * a search of a system file listing IP addresses and names;
887 * a lookup using DNS;
888 * on UNIX systems, a lookup using NIS;
889 * on Windows systems, a NetBIOS-over-TCP query.
891 If a DNS server that's used in an address lookup is not responding, the
892 lookup will fail, but will only fail after a timeout while the system
893 routine waits for a reply.
895 In addition, on Windows systems, if the DNS lookup of the address fails,
896 either because the server isn't responding or because there are no records
897 in the DNS that could be used to map the address to a name, a
898 NetBIOS-over-TCP query will be made. That query involves sending a message
899 to the NetBIOS-over-TCP name service on that machine, asking for the name
900 and other information about the machine. If the machine isn't running
901 software that responds to those queries - for example, many non-Windows
902 machines wouldn't be running that software - the lookup will only fail after
903 a timeout. Those timeouts can cause the lookup to take a long time.
905 If you disable network address-to-name translation - for example, by turning
906 off the "Enable network name resolution" option in the "Capture Options"
907 dialog box for starting a network capture - the lookups of the address won't
908 be done, which may speed up the process of reading the capture file after
909 the capture is stopped. You can make that setting the default by selecting
910 "Preferences" from the "Edit" menu, turning off the "Enable network name
911 resolution" option in the "Name resolution" options in the preferences
912 disalog box, and using the "Save" button in that dialog box; note that this
913 will save all your current preference settings.
915 If Wireshark hangs when reading a capture even with network name resolution
916 turned off, there might, for example, be a bug in one of Wireshark's
917 dissectors for a protocol causing it to loop infinitely. If you're not
918 running the most recent release of Wireshark, you should first upgrade to
919 that release, as, if there's a bug of that sort, it might've been fixed in a
920 release after the one you're running. If the hang occurs in the most recent
921 release of Wireshark, the bug should be reported to the Wireshark
922 developers' mailing list at wireshark-dev@wireshark.org.
924 On UNIX-flavored OSes, please try to force Wireshark to dump core, by
925 sending it a SIGABRT signal (usually signal 6) with the kill command, and
926 then get a stack trace if you have a debugger installed. A stack trace can
927 be obtained by using your debugger (gdb in this example), the Wireshark
928 binary, and the resulting core file. Here's an example of how to use the gdb
929 command backtrace to do so.
932 ..... prints the stack trace
936 The core dump file may be named "wireshark.core" rather than "core" on some
937 platforms (e.g., BSD systems).
939 Also, if at all possible, please send a copy of the capture file that caused
940 the problem; when capturing packets, Wireshark normally writes captured
941 packets to a temporary file, which will probably be in /tmp or /var/tmp on
942 UNIX-flavored OSes, \TEMP on the main system disk (normally C:) on Windows
943 9x/Me/NT 4.0, and \Documents and Settings\your login name\Local
944 Settings\Temp on the main system disk on Windows 2000/Windows XP/Windows
945 Server 2003, so the capture file will probably be there. It will have a name
946 beginning with ether, with some mixture of letters and numbers after that.
947 Please don't send a trace file greater than 1 MB when compressed; instead,
948 make it available via FTP or HTTP, or say it's available but leave it up to
949 a developer to ask for it. If the trace file contains sensitive information
950 (e.g., passwords), then please do not send it.
952 8. Capturing packets on Windows
954 Q 8.1: I'm running Wireshark on Windows; why does some network interface on
955 my machine not show up in the list of interfaces in the "Interface:" field
956 in the dialog box popped up by "Capture->Start", and/or why does Wireshark
957 give me an error if I try to capture on that interface?
959 A: If you are running Wireshark on Windows NT 4.0, Windows 2000, Windows XP,
960 or Windows Server 2003, and this is the first time you have run a
961 WinPcap-based program (such as Wireshark, or TShark, or WinDump, or
962 Analyzer, or...) since the machine was rebooted, you need to run that
963 program from an account with administrator privileges; once you have run
964 such a program, you will not need administrator privileges to run any such
965 programs until you reboot.
967 If you are running on Windows 95/98/Me, or if you are running on Windows NT
968 4.0/Windows 2000/Windows XP/Windows Server 2003 and have administrator
969 privileges or a WinPcap-based program has been run with those privileges
970 since the machine rebooted, this problem might clear up if you completely
971 un-install WinPcap and then re-install it.
973 If that doesn't work, then note that Wireshark relies on the WinPcap
974 library, on the WinPcap device driver, and on the facilities that come with
975 the OS on which it's running in order to do captures.
977 Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
978 support capturing on a particular network interface device, Wireshark won't
979 be able to capture on that device.
982 1. 2.02 and earlier versions of the WinPcap driver and library that
983 Wireshark uses for packet capture didn't support Token Ring interfaces;
984 versions 2.1 and later support Token Ring, and the current version of
985 Wireshark works with (and, in fact, requires) WinPcap 2.1 or later.
986 If you are having problems capturing on Token Ring interfaces, and you
987 have WinPcap 2.02 or an earlier version of WinPcap installed, you should
988 uninstall WinPcap, download and install the current version of WinPcap,
989 and then install the latest version of Wireshark.
990 2. On Windows 95, 98, or Me, sometimes more than one interface will be
991 given the same name; if that is the case, you will only be able to
992 capture on one of those interfaces - it's not clear to which one the
993 name, when used in a WinPcap-based application, will refer. For example,
994 if you have a PPP serial interface and a VPN interface, they might show
995 up with the same name, for example "ppp-mac", and if you try to capture
996 on "ppp-mac", it might not capture on the interface you're currently
997 using. In that case, you might, for example, have to remove the VPN
998 interface from the system in order to capture on the PPP serial
1000 3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows NT
1001 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to avoid
1002 those problems, support for PPP WAN interfaces on those versions of
1003 Windows has been disabled in WinPcap 3.0. Regular dial-up lines, ISDN
1004 lines, ADSL connections using PPPoE or PPPoA, and various other lines
1005 such as T1/E1 lines are all PPP interfaces, so those interfaces might
1006 not show up on the list of interfaces in the "Capture Options" dialog on
1008 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT
1009 4.0 or Windows Vista Beta 1, you should be able to capture on the
1010 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
1011 the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
1012 un-install it and install the final 3.1 release.) See the Wireshark Wiki
1013 item on PPP capturing for details.
1014 4. WinPcap prior to 3.0 does not support multiprocessor machines (note that
1015 machines with a single multi-threaded processor, such as Intel's new
1016 multi-threaded x86 processors, are multiprocessor machines as far as the
1017 OS and WinPcap are concerned), and recent 2.x versions of WinPcap refuse
1018 to operate if they detect that they're running on a multiprocessor
1019 machine, which means that they may not show any network interfaces. You
1020 will need to use WinPcap 3.0 to capture on a multiprocessor machine.
1022 If an interface doesn't show up in the list of interfaces in the
1023 "Interface:" field, and you know the name of the interface, try entering
1024 that name in the "Interface:" field and capturing on that device.
1026 If the attempt to capture on it succeeds, the interface is somehow not being
1027 reported by the mechanism Wireshark uses to get a list of interfaces. Try
1028 listing the interfaces with WinDump; see the WinDump Web site for
1029 information on using WinDump.
1031 You would run WinDump with the -D flag; if it lists the interface, please
1032 report this to wireshark-dev@wireshark.org giving full details of the
1034 * the operating system you're using, and the version of that operating
1036 * the type of network device you're using;
1037 * the output of WinDump.
1039 If WinDump does not list the interface, this is almost certainly a problem
1040 with one or more of:
1041 * the operating system you're using;
1042 * the device driver for the interface you're using;
1043 * the WinPcap library and/or the WinPcap device driver;
1045 so first check the WinPcap FAQ or the Wiretapped.net mirror of that FAQ, to
1046 see if your problem is mentioned there. If not, then see the WinPcap support
1047 page - check the "Submitting bugs" section.
1049 If you are having trouble capturing on a particular network interface, first
1050 try capturing on that device with WinDump; see the WinDump Web site for
1051 information on using WinDump.
1053 If you can capture on the interface with WinDump, send mail to
1054 wireshark-users@wireshark.org giving full details of the problem, including
1055 * the operating system you're using, and the version of that operating
1057 * the type of network device you're using;
1058 * the error message you get from Wireshark.
1060 If you cannot capture on the interface with WinDump, this is almost
1061 certainly a problem with one or more of:
1062 * the operating system you're using;
1063 * the device driver for the interface you're using;
1064 * the WinPcap library and/or the WinPcap device driver;
1066 so first check the WinPcap FAQ or the Wiretapped.net mirror of that FAQ, to
1067 see if your problem is mentioned there. If not, then see the WinPcap support
1068 page - check the "Submitting bugs" section.
1070 You may also want to ask the wireshark-users@wireshark.org and the
1071 winpcap-users@winpcap.org mailing lists to see if anybody happens to know
1072 about the problem and know a workaround or fix for the problem. (Note that
1073 you will have to subscribe to that list in order to be allowed to mail to
1074 it; see the WinPcap support page for information on the mailing list.) In
1075 your mail, please give full details of the problem, as described above, and
1076 also indicate that the problem occurs with WinDump, not just with Wireshark.
1078 Q 8.2: I'm running Wireshark on Windows; why do no network interfaces show
1079 up in the list of interfaces in the "Interface:" field in the dialog box
1080 popped up by "Capture->Start"?
1082 A: This is really the same question as the previous one; see the response to
1085 Q 8.3: I'm running Wireshark on Windows; why doesn't my serial port/ADSL
1086 modem/ISDN modem show up in the list of interfaces in the "Interface:" field
1087 in the dialog box popped up by "Capture->Start"?
1089 A: Internet access on those devices is often done with the Point-to-Point
1090 (PPP) protocol; WinPcap 2.3 has problems supporting PPP WAN interfaces on
1091 Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
1092 avoid those problems, support for PPP WAN interfaces on those versions of
1093 Windows has been disabled in WinPcap 3.0.
1095 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0
1096 or Windows Vista Beta 1, you should be able to capture on the
1097 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the
1098 "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install
1099 it and install the final 3.1 release.) See the Wireshark Wiki item on PPP
1100 capturing for details.
1102 Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
1103 XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.)
1104 interface, and it shows up in the "Interface" item in the "Capture Options"
1105 dialog box. Why can no packets be sent on or received from that network
1106 while I'm trying to capture traffic on that interface?
1108 A: Some versions of WinPcap have problems with PPP WAN interfaces on Windows
1109 NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one symptom that
1110 may be seen is that attempts to capture in promiscuous mode on the interface
1111 cause the interface to be incapable of sending or receiving packets. You can
1112 disable promiscuous mode using the -p command-line flag or the item in the
1113 "Capture Preferences" dialog box, but this may mean that outgoing packets,
1114 or incoming packets, won't be seen in the capture.
1116 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0
1117 or Windows Vista Beta 1, you should be able to capture on the
1118 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the
1119 "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install
1120 it and install the final 3.1 release.) See the Wireshark Wiki item on PPP
1121 capturing for details.
1123 Q 8.5: I'm running Wireshark on Windows 95/98/Me, on a machine with more
1124 than one network adapter of the same type; why does Wireshark show all of
1125 those adapters with the same name, not letting me use any of those adapters
1126 other than the first one?
1128 A: Unfortunately, Windows 95/98/Me gives the same name to multiple instances
1129 of the type of same network adapter. Therefore, WinPcap cannot distinguish
1130 between them, so a WinPcap-based application can capture only on the first
1131 such interface; Wireshark is a libpcap/WinPcap-based application.
1133 Q 8.6: I'm running Wireshark on Windows; why am I not seeing any traffic
1134 being sent by the machine running Wireshark?
1136 A: If you are running some form of VPN client software, it might be causing
1137 this problem; people have seen this problem when they have Check Point's VPN
1138 software installed on their machine. If that's the cause of the problem, you
1139 will have to remove the VPN software in order to have Wireshark (or any
1140 other application using WinPcap) see outgoing packets; unfortunately,
1141 neither we nor the WinPcap developers know any way to make WinPcap and the
1142 VPN software work well together.
1144 Also, some drivers for Windows (especially some wireless network interface
1145 drivers) apparently do not, when running in promiscuous mode, arrange that
1146 outgoing packets are delivered to the software that requested that the
1147 interface run promiscuously; try turning promiscuous mode off.
1149 Q 8.7: When I capture on Windows in promiscuous mode, I can see packets
1150 other than those sent to or from my machine; however, those packets show up
1151 with a "Short Frame" indication, unlike packets to or from my machine. What
1152 should I do to arrange that I see those packets in their entirety?
1154 A: In at least some cases, this appears to be the result of PGPnet running
1155 on the network interface on which you're capturing; turn it off on that
1158 Q 8.8: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why
1159 are the time stamps on packets wrong?
1161 A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap 3.0
1164 Q 8.9: I'm trying to capture 802.11 traffic on Windows; why am I not seeing
1167 A: At least some 802.11 card drivers on Windows appear not to see any
1168 packets if they're running in promiscuous mode. Try turning promiscuous mode
1169 off; you'll only be able to see packets sent by and received by your
1170 machine, not third-party traffic, and it'll look like Ethernet traffic and
1171 won't include any management or control frames, but that's a limitation of
1174 See MicroLogix's list of cards supported with WinPcap for information on
1175 support of various adapters and drivers with WinPcap.
1177 Q 8.10: I'm trying to capture 802.11 traffic on Windows; why am I seeing
1178 packets received by the machine on which I'm capturing traffic, but not
1179 packets sent by that machine?
1181 A: This appears to be another problem with promiscuous mode; try turning it
1184 Q 8.11: I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
1185 capturing on a "raw" Ethernet device rather than a "VLAN interface", so that
1186 I can see the VLAN headers; why am I seeing packets received by the machine
1187 on which I'm capturing traffic, but not packets sent by that machine?
1189 A: The way the Windows networking code works probably means that packets are
1190 sent on a "VLAN interface" rather than the "raw" device, so packets sent by
1191 the machine will only be seen when you capture on the "VLAN interface". If
1192 so, you will be unable to see outgoing packets when capturing on the "raw"
1193 device, so you are stuck with a choice between seeing VLAN headers and
1194 seeing outgoing packets.
1196 9. Capturing packets on UN*Xes
1198 Q 9.1: I'm running Wireshark on a UNIX-flavored OS; why does some network
1199 interface on my machine not show up in the list of interfaces in the
1200 "Interface:" field in the dialog box popped up by "Capture->Start", and/or
1201 why does Wireshark give me an error if I try to capture on that interface?
1203 A: You may need to run Wireshark from an account with sufficient privileges
1204 to capture packets, such as the super-user account, or may need to give your
1205 account sufficient privileges to capture packets. Only those interfaces that
1206 Wireshark can open for capturing show up in that list; if you don't have
1207 sufficient privileges to capture on any interfaces, no interfaces will show
1208 up in the list. See the Wireshark Wiki item on capture privileges for
1209 details on how to give a particular account or account group capture
1210 privileges on platforms where that can be done.
1212 If you are running Wireshark from an account with sufficient privileges,
1213 then note that Wireshark relies on the libpcap library, and on the
1214 facilities that come with the OS on which it's running in order to do
1215 captures. On some OSes, those facilities aren't present by default; see the
1216 Wireshark Wiki item on adding capture support for details.
1218 And, even if you're running with an account that has sufficient privileges
1219 to capture, and capture support is present in your OS, if the OS or the
1220 libpcap library don't support capturing on a particular network interface
1221 device or particular types of devices, Wireshark won't be able to capture on
1224 On Solaris, note that libpcap 0.6.2 and earlier didn't support Token Ring
1225 interfaces; the current version, 0.7.2, does support Token Ring, and the
1226 current version of Wireshark works with libcap 0.7.2 and later.
1228 If an interface doesn't show up in the list of interfaces in the
1229 "Interface:" field, and you know the name of the interface, try entering
1230 that name in the "Interface:" field and capturing on that device.
1232 If the attempt to capture on it succeeds, the interface is somehow not being
1233 reported by the mechanism Wireshark uses to get a list of interfaces; please
1234 report this to wireshark-dev@wireshark.org giving full details of the
1236 * the operating system you're using, and the version of that operating
1237 system (for Linux, give both the version number of the kernel and the
1238 name and version number of the distribution you're using);
1239 * the type of network device you're using.
1241 If you are having trouble capturing on a particular network interface, and
1242 you've made sure that (on platforms that require it) you've arranged that
1243 packet capture support is present, as per the above, first try capturing on
1244 that device with tcpdump.
1246 If you can capture on the interface with tcpdump, send mail to
1247 wireshark-users@wireshark.org giving full details of the problem, including
1248 * the operating system you're using, and the version of that operating
1249 system (for Linux, give both the version number of the kernel and the
1250 name and version number of the distribution you're using);
1251 * the type of network device you're using;
1252 * the error message you get from Wireshark.
1254 If you cannot capture on the interface with tcpdump, this is almost
1255 certainly a problem with one or more of:
1256 * the operating system you're using;
1257 * the device driver for the interface you're using;
1258 * the libpcap library;
1260 so you should report the problem to the company or organization that
1261 produces the OS (in the case of a Linux distribution, report the problem to
1262 whoever produces the distribution).
1264 You may also want to ask the wireshark-users@wireshark.org and the
1265 tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to know
1266 about the problem and know a workaround or fix for the problem. In your
1267 mail, please give full details of the problem, as described above, and also
1268 indicate that the problem occurs with tcpdump not just with Wireshark.
1270 Q 9.2: I'm running Wireshark on a UNIX-flavored OS; why do no network
1271 interfaces show up in the list of interfaces in the "Interface:" field in
1272 the dialog box popped up by "Capture->Start"?
1274 A: This is really the same question as the previous one; see the response to
1277 Q 9.3: I'm capturing packets on Linux; why do the time stamps have only
1278 100ms resolution, rather than 1us resolution?
1280 A: Wireshark gets time stamps from libpcap/WinPcap, and libpcap/WinPcap get
1281 them from the OS kernel, so Wireshark - and any other program using libpcap,
1282 such as tcpdump - is at the mercy of the time stamping code in the OS for
1285 At least on x86-based machines, Linux can get high-resolution time stamps on
1286 newer processors with the Time Stamp Counter (TSC) register; for example,
1287 Intel x86 processors, starting with the Pentium Pro, and including all x86
1288 processors since then, have had a TSC, and other vendors probably added the
1289 TSC at some point to their families of x86 processors.
1291 The Linux kernel must be configured with the CONFIG_X86_TSC option enabled
1292 in order to use the TSC. Make sure this option is enabled in your kernel.
1294 In addition, some Linux distributions may have bugs in their versions of the
1295 kernel that cause packets not to be given high-resolution time stamps even
1296 if the TSC is enabled. See, for example, bug 61111 for Red Hat Linux 7.2. If
1297 your distribution has a bug such as this, you may have to run a standard
1298 kernel from kernel.org in order to get high-resolution time stamps.
1300 10. Capturing packets on wireless LANs
1302 Q 10.1: How can I capture raw 802.11 frames, including non-data (management,
1305 A: That depends on the operating system on which you're running, and on the
1306 802.11 interface on which you're capturing.
1308 This would probably require that you capture in promiscuous mode or in the
1309 mode called "monitor mode" or "RFMON mode". On some platforms, or with some
1310 cards, this might require that you capture in monitor mode - promiscuous
1311 mode might not be sufficient. If you want to capture traffic on networks
1312 other than the one with which you're associated, you will have to capture in
1315 Not all operating systems support capturing non-data packets and, even on
1316 operating systems that do support it, not all drivers, and thus not all
1317 interfaces, support it. Even on those that do, monitor mode might not be
1318 supported by the operating system or by the drivers for all interfaces.
1320 NOTE: an interface running in monitor mode will, on most if not all
1321 platforms, not be able to act as a regular network interface; putting it
1322 into monitor mode will, in effect, take your machine off of whatever network
1323 it's on as long as the interface is in monitor mode, allowing it only to
1324 passively capture packets.
1326 This means that you should disable name resolution when capturing in monitor
1327 mode; otherwise, when Wireshark (or TShark, or tcpdump) tries to display IP
1328 addresses as host names, it will probably block for a long time trying to
1329 resolve the name because it will not be able to communicate with any DNS or
1332 See the Wireshark Wiki item on 802.11 capturing for details.
1334 Q 10.2: How do I capture on an 802.11 device in monitor mode?
1336 A: Whether you will be able to capture in monitor mode depends on the
1337 operating system, adapter, and driver you're using. See the previous
1338 question for information on monitor mode, including a link to the Wireshark
1339 Wiki page that gives details on 802.11 capturing.
1343 Q 11.1: Why am I seeing lots of packets with incorrect TCP checksums?
1345 A: If the packets that have incorrect TCP checksums are all being sent by
1346 the machine on which Wireshark is running, this is probably because the
1347 network interface on which you're capturing does TCP checksum offloading.
1348 That means that the TCP checksum is added to the packet by the network
1349 interface, not by the OS's TCP/IP stack; when capturing on an interface,
1350 packets being sent by the host on which you're capturing are directly handed
1351 to the capture interface by the OS, which means that they are handed to the
1352 capture interface without a TCP checksum being added to them.
1354 The only way to prevent this from happening would be to disable TCP checksum
1356 1. that might not even be possible on some OSes;
1357 2. that could reduce networking performance significantly.
1359 However, you can disable the check that Wireshark does of the TCP checksum,
1360 so that it won't report any packets as having TCP checksum errors, and so
1361 that it won't refuse to do TCP reassembly due to a packet having an
1362 incorrect TCP checksum. That can be set as an Wireshark preference by
1363 selecting "Preferences" from the "Edit" menu, opening up the "Protocols"
1364 list in the left-hand pane of the "Preferences" dialog box, selecting "TCP",
1365 from that list, turning off the "Check the validity of the TCP checksum when
1366 possible" option, clicking "Save" if you want to save that setting in your
1367 preference file, and clicking "OK".
1369 It can also be set on the Wireshark or TShark command line with a -o
1370 tcp.check_checksum:false command-line flag, or manually set in your
1371 preferences file by adding a tcp.check_checksum:false line.
1373 Q 11.2: I've just installed Wireshark, and the traffic on my local LAN is
1374 boring. Where can I find more interesting captures?
1376 A: We have a collection of strange and exotic sample capture files at
1377 http://wiki.wireshark.org/SampleCaptures
1379 Q 11.3: Why doesn't Wireshark correctly identify RTP packets? It shows them
1382 A: Wireshark can identify a UDP datagram as containing a packet of a
1383 particular protocol running atop UDP only if
1384 1. The protocol in question has a particular standard port number, and the
1385 UDP source or destination port number is that port
1386 2. Packets of that protocol can be identified by looking for a "signature"
1387 of some type in the packet - i.e., some data that, if Wireshark finds it
1388 in some particular part of a packet, means that the packet is almost
1389 certainly a packet of that type.
1390 3. Some other traffic earlier in the capture indicated that, for example,
1391 UDP traffic between two particular addresses and ports will be RTP
1394 RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, as
1395 far as I know, have any "signature", so 2) doesn't work.
1397 That leaves 3). If there's RTSP traffic that sets up an RTP session, then,
1398 at least in some cases, the RTSP dissector will set things up so that
1399 subsequent RTP traffic will be identified. Currently, that's the only place
1400 we do that; there may be other places.
1402 However, there will always be places where Wireshark is simply incapable of
1403 deducing that a given UDP flow is RTP; a mechanism would be needed to allow
1404 the user to specify that a given conversation should be treated as RTP. As
1405 of Wireshark 0.8.16, such a mechanism exists; if you select a UDP or TCP
1406 packet, the right mouse button menu will have a "Decode As..." menu item,
1407 which will pop up a dialog box letting you specify that the source port, the
1408 destination port, or both the source and destination ports of the packet
1409 should be dissected as some particular protocol.
1411 Q 11.4: Why doesn't Wireshark show Yahoo Messenger packets in captures that
1412 contain Yahoo Messenger traffic?
1414 A: Wireshark only recognizes as Yahoo Messenger traffic packets to or from
1415 TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP segments that
1416 start with the middle of a Yahoo Messenger packet that takes more than one
1417 TCP segment will not be recognized as Yahoo Messenger packets (even if the
1418 TCP segment also contains the beginning of another Yahoo Messenger packet).
1420 12. Filtering traffic
1422 Q 12.1: I saved a filter and tried to use its name to filter the display;
1423 why do I get an "Unexpected end of filter string" error?
1425 A: You cannot use the name of a saved display filter as a filter. To filter
1426 the display, you can enter a display filter expression - not the name of a
1427 saved display filter - in the "Filter:" box at the bottom of the display,
1428 and type the key or press the "Apply" button (that does not require you to
1429 have a saved filter), or, if you want to use a saved filter, you can press
1430 the "Filter:" button, select the filter in the dialog box that pops up, and
1431 press the "OK" button.
1433 Q 12.2: How can I search for, or filter, packets that have a particular
1434 string anywhere in them?
1436 A: If you want to do this when capturing, you can't. That's a feature that
1437 would be hard to implement in capture filters without changes to the capture
1438 filter code, which, on many platforms, is in the OS kernel and, on other
1439 platforms, is in the libpcap library.
1441 In releases prior to 0.9.14, you also can't search for, or filter, packets
1442 containing a particular string even after you've captured them.
1444 In 0.9.14, you can search for, but not filter, packets that have a
1445 particular string; this has been added to the "Find Frame" dialog ("Find
1446 Frame" under the "Edit" menu, or control-F).
1448 In 0.9.15 and later, you can search for those packets using either the
1449 mechanism introduced in 0.9.14 or using the new "contains" operator in
1450 filter expressions, which lets you search the entire packet or text string
1451 or byte string fields in the packet; the "contains" operator can also be
1452 used in expressions used to filter the display.
1454 Q 12.3: How do I filter a capture to see traffic for virus XXX?
1456 A: For some viruses/worms there might be a capture filter to recognize the
1457 virus traffic. Check the CaptureFilters page on the Wireshark Wiki to see if
1458 anybody's added such a filter.
1460 Note that Wireshark was not designed to be an intrusion detection system;
1461 you might be able to use it as an IDS, but in most cases software designed
1462 to be an IDS, such as Snort or Prelude, will probably work better.
1464 The Bleeding Edge of Snort has a collection of signatures for Snort to
1465 detect various viruses, worms, and the like.