4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.wireshark.org/faq.html for the up
6 to date version. The version of this snapshot can be found at
7 the end of this document.
14 1.1 What is Wireshark?
16 1.2 What's up with the name change? Is Wireshark a fork?
18 1.3 Where can I get help?
20 1.4 How much does Wireshark cost?
22 1.5 Can I use Wireshark commercially?
24 1.6 Can I use Wireshark as part of my commercial product?
26 1.7 What protocols are currently supported?
28 1.8 Are there any plans to support {your favorite protocol}?
30 1.9 Can Wireshark read capture files from {your favorite network
33 1.10 What devices can Wireshark use to capture packets?
35 1.11 Does Wireshark work on Windows Me?
37 1.12 Does Wireshark work on Windows XP?
39 2. Downloading Wireshark:
41 2.1 Why do I get an error when I try to run the Win32 installer?
43 3. Installing Wireshark:
45 3.1 I installed the Wireshark RPM (or other package); why did it
46 install TShark but not Wireshark?
48 4. Building Wireshark:
50 4.1 I have libpcap installed; why did the configure script not find
53 4.2 Why do I get the error
55 dftest_DEPENDENCIES was already defined in condition TRUE, which
56 implies condition HAVE_PLUGINS_TRUE
58 when I try to build Wireshark from SVN or a SVN snapshot?
60 4.3 Why does the linker fail with a number of "Output line too long."
61 messages followed by linker errors when I try to buil Wireshark?
63 4.4 When I try to build Wireshark on Solaris, why does the link fail
64 complaining that plugin_list is undefined?
66 4.5 When I try to build Wireshark on Windows, why does the build fail
67 because of conflicts between winsock.h and winsock2.h?
69 5. Starting Wireshark:
71 5.1 Why does Wireshark crash with a Bus Error when I try to run it on
74 5.2 When I run Wireshark on Windows NT, why does it die with a Dr.
75 Watson error, reporting an "Integer division by zero" exception, when
78 5.3 When I try to run Wireshark, why does it complain about
79 sprint_realloc_objid being undefined?
81 5.4 When I try to run Wireshark on Windows, why does it fail to run
82 with a complaint that it can't find packet.dll?
84 5.5 I've installed Wireshark from Fink on Mac OS X; why is it very
87 6. Crashes and other fatal errors:
89 6.1 I have an XXX network card on my machine; if I try to capture on
90 it, why does my machine crash or reset itself?
92 6.2 Why does my machine crash or reset itself when I select "Start"
93 from the "Capture" menu or select "Preferences" from the "Edit" menu?
97 7.1 When I use Wireshark to capture packets, why do I see only packets
98 to and from my machine, or not see all the traffic I'm expecting to
99 see from or to the machine I'm trying to monitor?
101 7.2 When I capture with Wireshark, why can't I see any TCP packets
102 other than packets to and from my machine, even though another
103 analyzer on the network sees those packets?
105 7.3 Why am I only seeing ARP packets when I try to capture traffic?
107 7.4 Why am I not seeing any traffic when I try to capture traffic?
109 7.5 Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
111 7.6 How do I put an interface into promiscuous mode?
113 7.7 I can set a display filter just fine; why don't capture filters
116 7.8 I'm entering valid capture filters; why do I still get "parse
119 7.9 How can I capture packets with CRC errors?
121 7.10 How can I capture entire frames, including the FCS?
123 7.11 I'm capturing packets on a machine on a VLAN; why don't the
124 packets I'm capturing have VLAN tags?
126 7.12 Why does Wireshark hang after I stop a capture?
128 8. Capturing packets on Windows:
130 8.1 I'm running Wireshark on Windows; why does some network interface
131 on my machine not show up in the list of interfaces in the
132 "Interface:" field in the dialog box popped up by "Capture->Start",
133 and/or why does Wireshark give me an error if I try to capture on that
136 8.2 I'm running Wireshark on Windows; why do no network interfaces
137 show up in the list of interfaces in the "Interface:" field in the
138 dialog box popped up by "Capture->Start"?
140 8.3 I'm running Wireshark on Windows; why doesn't my serial port/ADSL
141 modem/ISDN modem show up in the list of interfaces in the "Interface:"
142 field in the dialog box popped up by "Capture->Start"?
144 8.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
145 XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
146 etc.) interface, and it shows up in the "Interface" item in the
147 "Capture Options" dialog box. Why can no packets be sent on or
148 received from that network while I'm trying to capture traffic on that
151 8.5 I'm running Wireshark on Windows 95/98/Me, on a machine with more
152 than one network adapter of the same type; why does Wireshark show all
153 of those adapters with the same name, not letting me use any of those
154 adapters other than the first one?
156 8.6 I'm running Wireshark on Windows; why am I not seeing any traffic
157 being sent by the machine running Wireshark?
159 8.7 When I capture on Windows in promiscuous mode, I can see packets
160 other than those sent to or from my machine; however, those packets
161 show up with a "Short Frame" indication, unlike packets to or from my
162 machine. What should I do to arrange that I see those packets in their
165 8.8 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why
166 are the time stamps on packets wrong?
168 8.9 I'm trying to capture 802.11 traffic on Windows; why am I not
171 8.10 I'm trying to capture 802.11 traffic on Windows; why am I seeing
172 packets received by the machine on which I'm capturing traffic, but
173 not packets sent by that machine?
175 8.11 I'm trying to capture Ethernet VLAN traffic on Windows, and I'm
176 capturing on a "raw" Ethernet device rather than a "VLAN interface",
177 so that I can see the VLAN headers; why am I seeing packets received
178 by the machine on which I'm capturing traffic, but not packets sent by
181 9. Capturing packets on UN*Xes:
183 9.1 I'm running Wireshark on a UNIX-flavored OS; why does some network
184 interface on my machine not show up in the list of interfaces in the
185 "Interface:" field in the dialog box popped up by "Capture->Start",
186 and/or why does Wireshark give me an error if I try to capture on that
189 9.2 I'm running Wireshark on a UNIX-flavored OS; why do no network
190 interfaces show up in the list of interfaces in the "Interface:" field
191 in the dialog box popped up by "Capture->Start"?
193 9.3 I'm capturing packets on Linux; why do the time stamps have only
194 100ms resolution, rather than 1us resolution?
196 10. Capturing packets on wireless LANs:
198 10.1 How can I capture raw 802.11 frames, including non-data
199 (management, beacon) frames?
201 10.2 How do I capture on an 802.11 device in monitor mode?
205 11.1 Why am I seeing lots of packets with incorrect TCP checksums?
207 11.2 I've just installed Wireshark, and the traffic on my local LAN is
208 boring. Where can I find more interesting captures?
210 11.3 Why doesn't Wireshark correctly identify RTP packets? It shows
213 11.4 Why doesn't Wireshark show Yahoo Messenger packets in captures
214 that contain Yahoo Messenger traffic?
216 12. Filtering traffic:
218 12.1 I saved a filter and tried to use its name to filter the display;
219 why do I get an "Unexpected end of filter string" error?
221 12.2 How can I search for, or filter, packets that have a particular
222 string anywhere in them?
224 12.3 How do I filter a capture to see traffic for virus XXX?
228 Q 1.1: What is Wireshark?
230 A: Gerald Combs, the creator of Ethereal®, has initiated the Wireshark
231 network protocol analyzer project, a successor to Ethereal®. The
232 Ethereal® core developer team has moved with Gerald to the Wireshark
233 project. Consequently, Wireshark is positioned to be the world's most
234 popular network protocol analyzer. It has a rich and powerful feature
235 set, and runs on most computing platforms including Windows, OS X, and
236 Linux. It is freely available as open source, and is released under
237 the GNU General Public License.
239 For more information, please see the About Wireshark page.
241 Q 1.2: What's up with the name change? Is Wireshark a fork?
243 A: In May of 2006, the original author of Ethereal® went to work for
244 CACE Technologies (best known for WinPcap). At that time he started
245 the Wireshark open-source project.
247 Wireshark is almost (but not quite) a fork. Normally a "fork" of an
248 open source project results in two names, web sites, development
249 teams, support infrastructures, etc. This is the case with Wireshark
250 except for one notable exception -- every member of the core
251 development team is now working on Wireshark.
253 Q 1.3: Where can I get help?
255 A: Community support is available on the wireshark-users mailing list.
256 Subscription information and archives for all of Wireshark's mailing
257 lists can be found at http://www.wireshark.org/lists. An IRC channel
258 dedicated to Wireshark can be found at
259 irc://irc.freenode.net/ethereal.
261 Commercial support, training, and development services are available
262 from CACE Technologies.
264 Q 1.4: How much does Wireshark cost?
266 A: Wireshark is "free software"; you can download it without paying
267 any license fee. The version of Wireshark you download isn't a "demo"
268 version, with limitations not present in a "full" version; it is the
271 The license under which Wireshark is issued is the GNU General Public
272 License. See the GNU GPL FAQ for some more information.
274 Q 1.5: Can I use Wireshark commercially?
276 A: Yes, if, for example, you mean "I work for a commercial
277 organization; can I use Wireshark to capture and analyze network
278 traffic in our company's networks or in our customer's networks?"
280 If you mean "Can I use Wireshark as part of my commercial product?",
281 see the next entry in the FAQ.
283 Q 1.6: Can I use Wireshark as part of my commercial product?
285 A: As noted, Wireshark is licensed under the GNU General Public
286 License. The GPL imposes conditions on your use of GPL'ed code in your
287 own products; you cannot, for example, make a "derived work" from
288 Wireshark, by making modifications to it, and then sell the resulting
289 derived work and not allow recipients to give away the resulting work.
290 You must also make the changes you've made to the Wireshark source
291 available to all recipients of your modified version; those changes
292 must also be licensed under the terms of the GPL. See the GPL FAQ for
293 more details; in particular, note the answer to the question about
294 modifying a GPLed program and selling it commercially, and the
295 question about linking GPLed code with other code to make a
298 You can combine a GPLed program such as Wireshark and a commercial
299 program as long as they communicate "at arm's length", as per this
302 Q 1.7: What protocols are currently supported?
304 A: There are currently hundreds of supported protocols and media.
305 Details can be found in the wireshark(1) man page.
307 Q 1.8: Are there any plans to support {your favorite protocol}?
309 A: Support for particular protocols is added to Wireshark as a result
310 of people contributing that support; no formal plans for adding
311 support for particular protocols in particular future releases exist.
313 Q 1.9: Can Wireshark read capture files from {your favorite network
316 A: Support for particular protocols is added to Wireshark as a result
317 of people contributing that support; no formal plans for adding
318 support for particular protocols in particular future releases exist.
320 If a network analyzer writes out files in a format already supported
321 by Wireshark (e.g., in libpcap format), Wireshark may already be able
322 to read them, unless the analyzer has added its own proprietary
323 extensions to that format.
325 If a network analyzer writes out files in its own format, or has added
326 proprietary extensions to another format, in order to make Wireshark
327 read captures from that network analyzer, we would either have to have
328 a specification for the file format, or the extensions, sufficient to
329 give us enough information to read the parts of the file relevant to
330 Wireshark, or would need at least one capture file in that format AND
331 a detailed textual analysis of the packets in that capture file
332 (showing packet time stamps, packet lengths, and the top-level packet
333 header) in order to reverse-engineer the file format.
335 Note that there is no guarantee that we will be able to
336 reverse-engineer a capture file format.
338 Q 1.10: What devices can Wireshark use to capture packets?
340 A: Wireshark can read live data from Ethernet, Token-Ring, FDDI,
341 serial (PPP and SLIP) (if the OS on which it's running allows
342 Wireshark to do so), 802.11 wireless LAN (if the OS on which it's
343 running allows Wireshark to do so), ATM connections (if the OS on
344 which it's running allows Wireshark to do so), and the "any" device
345 supported on Linux by recent versions of libpcap. See the list of
346 supported capture media on various OSes for details (several items in
347 there say "Unknown", which doesn't mean "Wireshark can't capture on
348 them", it means "we don't know whether it can capture on them"; we
349 expect that it will be able to capture on many of them, but we haven't
350 tried it ourselves - if you try one of those types and it works,
351 please send an update to ).
353 It can also read a variety of capture file formats, including:
354 * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
356 * AIX's iptrace captures
357 * Accellent's 5Views LAN agent output
358 * Cinco Networks NetXRay captures
359 * Cisco Secure Intrusion Detection System IPLog output
360 * CoSine L2 debug output
361 * DBS Etherwatch VMS text output
362 * Endace Measurement Systems' ERF format captures
363 * EyeSDN USB S0 traces
364 * HP-UX nettl captures
365 * ISDN4BSD project i4btrace captures
366 * Linux Bluez Bluetooth stack hcidump -w traces
367 * Lucent/Ascend router debug output
368 * Microsoft Network Monitor captures
369 * Network Associates Windows-based Sniffer captures
370 * Network General/Network Associates DOS-based Sniffer (compressed
371 or uncompressed) captures
372 * Network Instruments Observer version 9 captures
373 * Novell LANalyzer captures
374 * RADCOM's WAN/LAN analyzer captures
375 * Shomiti/Finisar Surveyor captures
376 * Toshiba's ISDN routers dump output
377 * VMS TCPIPtrace/TCPtrace/UCX$TRACE output
378 * Visual Networks' Visual UpTime traffic capture
379 * libpcap, tcpdump and various other tools using tcpdump's capture
381 * snoop and atmsnoop output
383 so that it can read traces from various network types, as captured by
384 other applications or equipment, even if it cannot itself capture on
387 Q 1.11: Does Wireshark work on Windows Me?
389 A: Yes, but if you want to capture packets, you will need to install
390 the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
391 didn't support Windows Me. You should also install the latest version
392 of Wireshark as well.
394 Q 1.12: Does Wireshark work on Windows XP?
396 A: Yes, but if you want to capture packets, you will need to install
397 the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
398 didn't support Windows XP.
400 2. Downloading Wireshark
402 Q 2.1: Why do I get an error when I try to run the Win32 installer?
404 A: The program you used to download it may have downloaded it
405 incorrectly. Web browsers sometimes may do this.
407 Try downloading it with, for example:
408 * Wget, for which Windows binaries are available on the SunSITE FTP
409 server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
410 offers a GUI interface that uses wget;
411 * WS_FTP from Ipswitch,
412 * the ftp command that comes with Windows.
414 If you use the ftp command, make sure you do the transfer in binary
415 mode rather than ASCII mode, by using the binary command before
416 transferring the file.
418 3. Installing Wireshark
420 Q 3.1: I installed the Wireshark RPM (or other package); why did it
421 install TShark but not Wireshark?
423 A: Many distributions have separate Wireshark packages, one for
424 non-GUI components such as TShark, editcap, dumpcap, etc. and one for
425 the GUI. If this is the case on your system, there's probably a
426 separate package named wireshark-gnome or wireshark-gtk+. Find it and
429 4. Building Wireshark
431 Q 4.1: I have libpcap installed; why did the configure script not find
434 A: Are you sure pcap.h and bpf.h are installed? The official
435 distribution of libpcap only installs the libpcap.a library file when
436 "make install" is run. To install pcap.h and bpf.h, you must run "make
437 install-incl". If you're running Debian or Redhat, make sure you have
438 the "libpcap-dev" or "libpcap-devel" packages installed.
440 It's also possible that pcap.h and bpf.h have been installed in a
441 strange location. If this is the case, you may have to tweak
444 Q 4.2: Why do I get the error
446 dftest_DEPENDENCIES was already defined in condition TRUE, which
447 implies condition HAVE_PLUGINS_TRUE
449 when I try to build Wireshark from SVN or a SVN snapshot?
451 A: You probably have automake 1.5 installed on your machine (the
452 command automake --version will report the version of automake on your
453 machine). There is a bug in that version of automake that causes this
454 problem; upgrade to a later version of automake (1.6 or later).
456 Q 4.3: Why does the linker fail with a number of "Output line too
457 long." messages followed by linker errors when I try to buil
460 A: The version of the sed command on your system is incapable of
461 handling very long lines. On Solaris, for example, /usr/bin/sed has a
462 line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
463 can handle it, as can GNU sed if you have it installed.
465 On Solaris, changing your command search path to search /usr/xpg4/bin
466 before /usr/bin should make the problem go away; on any platform on
467 which you have this problem, installing GNU sed and changing your
468 command path to search the directory in which it is installed before
469 searching the directory with the version of sed that came with the OS
470 should make the problem go away.
472 Q 4.4: When I try to build Wireshark on Solaris, why does the link
473 fail complaining that plugin_list is undefined?
475 A: This appears to be due to a problem with some versions of the GTK+
476 and GLib packages from www.sunfreeware.org; un-install those packages,
477 and try getting the 1.2.10 versions from that site, or the versions
478 from The Written Word, or the versions from Sun's GNOME distribution,
479 or the versions from the supplemental software CD that comes with the
480 Solaris media kit, or build them from source from the GTK Web site.
481 Then re-run the configuration script, and try rebuilding Wireshark.
482 (If you get the 1.2.10 versions from www.sunfreeware.org, and the
483 problem persists, un-install them and try installing one of the other
486 Q 4.5: When I try to build Wireshark on Windows, why does the build
487 fail because of conflicts between winsock.h and winsock2.h?
489 A: As of Wireshark 0.9.5, you must install WinPcap 2.3 or later, and
490 the corresponding version of the developer's pack, in order to be able
491 to compile Wireshark; it will not compile with older versions of the
492 developer's pack. The symptoms of this failure are conflicts between
493 definitions in winsock.h and in winsock2.h; Wireshark uses winsock2.h,
494 but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
495 (2.3 uses winsock2.h, so if Wireshark were to use winsock.h, it would
496 not be able to build with current versions of the WinPcap developer's
499 Note that the installed version of the developer's pack should be the
500 same version as the version of WinPcap you have installed.
502 5. Starting Wireshark
504 Q 5.1: Why does Wireshark crash with a Bus Error when I try to run it
507 A: Some versions of the GTK+ library from www.sunfreeware.org appear
508 to be buggy, causing Wireshark to drop core with a Bus Error.
509 Un-install those packages, and try getting the 1.2.10 version from
510 that site, or the version from The Written Word, or the version from
511 Sun's GNOME distribution, or the version from the supplemental
512 software CD that comes with the Solaris media kit, or build it from
513 source from the GTK Web site. Update the GLib library to the 1.2.10
514 version, from the same source, as well. (If you get the 1.2.10
515 versions from www.sunfreeware.org, and the problem persists,
516 un-install them and try installing one of the other versions
519 Similar problems may exist with older versions of GTK+ for earlier
522 Q 5.2: When I run Wireshark on Windows NT, why does it die with a Dr.
523 Watson error, reporting an "Integer division by zero" exception, when
526 A: In at least some case, this appears to be due to using the default
527 VGA driver; if that's not the correct driver for your video card, try
528 running the correct driver for your video card.
530 Q 5.3: When I try to run Wireshark, why does it complain about
531 sprint_realloc_objid being undefined?
533 A: Wireshark can only be linked with version 4.2.2 or later of UCD
534 SNMP. Your version of Wireshark was dynamically linked with such a
535 version of UCD SNMP; however, you have an older version of UCD SNMP
536 installed, which means that when Wireshark is run, it tries to link to
537 the older version, and fails. You will have to replace that version of
538 UCD SNMP with version 4.2.2 or a later version.
540 Q 5.4: When I try to run Wireshark on Windows, why does it fail to run
541 with a complaint that it can't find packet.dll?
543 A: In older versions of Wireshark, there were two binary distributions
544 available for Windows, one that supported capturing packets, and one
545 that didn't. The version that supported capturing packets required
546 that you install the WinPcap driver; if you didn't install it, it
547 would fail to run because it couldn't find packet.dll.
549 The current version of Wireshark has only one binary distribution for
550 Windows; that version will check whether WinPcap is installed and, if
551 it's not, will disable support for packet capture.
553 The WinPcap driver and libraries can be downloaded from the WinPcap
554 Web site or the Wiretapped.net mirror of the WinPcap site.
556 Q 5.5: I've installed Wireshark from Fink on Mac OS X; why is it very
559 A: When an application is installed on OS X, prior to 10.4, it is
560 usually "prebound" to speed up launching the application. (That's what
561 the "Optimizing" phase of installation is.) Fink normally performs
562 prebinding automatically when you install a package. However, in some
563 rare cases, for whatever reason the prebinding caches get corrupt, and
564 then not only does prebinding fail, but startup actually becomes much
565 slower, because the system tries in vain to perform prebinding "on the
566 fly" as you launch the application. This fails, causing sometimes huge
567 delays. To fix the prebinding caches, run the command
568 sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f
570 6. Crashes and other fatal errors
572 Q 6.1: I have an XXX network card on my machine; if I try to capture
573 on it, why does my machine crash or reset itself?
575 A: This is almost certainly a problem with one or more of:
576 * the operating system you're using;
577 * the device driver for the interface you're using;
578 * the libpcap/WinPcap library and, if this is Windows, the WinPcap
582 * if you are using Windows, see the WinPcap support page - check the
583 "Submitting bugs" section;
584 * if you are using some Linux distribution, some version of BSD, or
585 some other UNIX-flavored OS, you should report the problem to the
586 company or organization that produces the OS (in the case of a
587 Linux distribution, report the problem to whoever produces the
590 Q 6.2: Why does my machine crash or reset itself when I select "Start"
591 from the "Capture" menu or select "Preferences" from the "Edit" menu?
593 A: Both of those operations cause Wireshark to try to build a list of
594 the interfaces that it can open; it does so by getting a list of
595 interfaces and trying to open them. There is probably an OS, driver,
596 or, for Windows, WinPcap bug that causes the system to crash when this
597 happens; see the previous question.
601 Q 7.1: When I use Wireshark to capture packets, why do I see only
602 packets to and from my machine, or not see all the traffic I'm
603 expecting to see from or to the machine I'm trying to monitor?
605 A: This might be because the interface on which you're capturing is
606 plugged into an Ethernet or Token Ring switch; on a switched network,
607 unicast traffic between two ports will not necessarily appear on other
608 ports - only broadcast and multicast traffic will be sent to all
611 Note that even if your machine is plugged into a hub, the "hub" may be
612 a switched hub, in which case you're still on a switched network.
614 Note also that on the Linksys Web site, they say that their
615 auto-sensing hubs "broadcast the 10Mb packets to the port that operate
616 at 10Mb only and broadcast the 100Mb packets to the ports that operate
617 at 100Mb only", which would indicate that if you sniff on a 10Mb port,
618 you will not see traffic coming sent to a 100Mb port, and vice versa.
619 This problem has also been reported for Netgear dual-speed hubs, and
620 may exist for other "auto-sensing" or "dual-speed" hubs.
622 Some switches have the ability to replicate all traffic on all ports
623 to a single port so that you can plug your analyzer into that single
624 port to sniff all traffic. You would have to check the documentation
625 for the switch to see if this is possible and, if so, to see how to do
626 this. See the switch reference page on the Wireshark Wiki for
627 information on some switches. (Note that it's a Wiki, so you can
628 update or fix that information, or add additional information on those
629 switches or information on new switches, yourself.)
631 Note also that many firewall/NAT boxes have a switch built into them;
632 this includes many of the "cable/DSL router" boxes. If you have a box
633 of that sort, that has a switch with some number of Ethernet ports
634 into which you plug machines on your network, and another Ethernet
635 port used to connect to a cable or DSL modem, you can, at least, sniff
636 traffic between the machines on your network and the Internet by
637 plugging the Ethernet port on the router going to the modem, the
638 Ethernet port on the modem, and the machine on which you're running
639 Wireshark into a hub (make sure it's not a switching hub, and that, if
640 it's a dual-speed hub, all three of those ports are running at the
643 If your machine is not plugged into a switched network or a dual-speed
644 hub, or it is plugged into a switched network but the port is set up
645 to have all traffic replicated to it, the problem might be that the
646 network interface on which you're capturing doesn't support
647 "promiscuous" mode, or because your OS can't put the interface into
648 promiscuous mode. Normally, network interfaces supply to the host
650 * packets sent to one of that host's link-layer addresses;
652 * multicast packets sent to a multicast address that the host has
653 configured the interface to accept.
655 Most network interfaces can also be put in "promiscuous" mode, in
656 which they supply to the host all network packets they see. Wireshark
657 will try to put the interface on which it's capturing into promiscuous
658 mode unless the "Capture packets in promiscuous mode" option is turned
659 off in the "Capture Options" dialog box, and TShark will try to put
660 the interface on which it's capturing into promiscuous mode unless the
661 -p option was specified. However, some network interfaces don't
662 support promiscuous mode, and some OSes might not allow interfaces to
663 be put into promiscuous mode.
665 If the interface is not running in promiscuous mode, it won't see any
666 traffic that isn't intended to be seen by your machine. It will see
667 broadcast packets, and multicast packets sent to a multicast MAC
668 address the interface is set up to receive.
670 You should ask the vendor of your network interface whether it
671 supports promiscuous mode. If it does, you should ask whoever supplied
672 the driver for the interface (the vendor, or the supplier of the OS
673 you're running on your machine) whether it supports promiscuous mode
674 with that network interface.
676 In the case of token ring interfaces, the drivers for some of them, on
677 Windows, may require you to enable promiscuous mode in order to
678 capture in promiscuous mode. See the Wireshark Wiki item on Token Ring
679 capturing for details.
681 In the case of wireless LAN interfaces, it appears that, when those
682 interfaces are promiscuously sniffing, they're running in a
683 significantly different mode from the mode that they run in when
684 they're just acting as network interfaces (to the extent that it would
685 be a significant effor for those drivers to support for promiscuously
686 sniffing and acting as regular network interfaces at the same time),
687 so it may be that Windows drivers for those interfaces don't support
690 Q 7.2: When I capture with Wireshark, why can't I see any TCP packets
691 other than packets to and from my machine, even though another
692 analyzer on the network sees those packets?
694 A: You're probably not seeing any packets other than unicast packets
695 to or from your machine, and broadcast and multicast packets; a switch
696 will normally send to a port only unicast traffic sent to the MAC
697 address for the interface on that port, and broadcast and multicast
698 traffic - it won't send to that port unicast traffic sent to a MAC
699 address for some other interface - and a network interface not in
700 promiscuous mode will receive only unicast traffic sent to the MAC
701 address for that interface, broadcast traffic, and multicast traffic
702 sent to a multicast MAC address the interface is set up to receive.
704 TCP doesn't use broadcast or multicast, so you will only see your own
705 TCP traffic, but UDP services may use broadcast or multicast so you'll
706 see some UDP traffic - however, this is not a problem with TCP
707 traffic, it's a problem with unicast traffic, as you also won't see
708 all UDP traffic between other machines.
710 I.e., this is probably the same question as this earlier one; see the
711 response to that question.
713 Q 7.3: Why am I only seeing ARP packets when I try to capture traffic?
715 A: You're probably on a switched network, and running Wireshark on a
716 machine that's not sending traffic to the switch and not being sent
717 any traffic from other machines on the switch. ARP packets are often
718 broadcast packets, which are sent to all switch ports.
720 I.e., this is probably the same question as this earlier one; see the
721 response to that question.
723 Q 7.4: Why am I not seeing any traffic when I try to capture traffic?
725 A: Is the machine running Wireshark sending out any traffic on the
726 network interface on which you're capturing, or receiving any traffic
727 on that network, or is there any broadcast traffic on the network or
728 multicast traffic to a multicast group to which the machine running
731 If not, this may just be a problem with promiscuous sniffing, either
732 due to running on a switched network or a dual-speed hub, or due to
733 problems with the interface not supporting promiscuous mode; see the
734 response to this earlier question.
736 Otherwise, on Windows, see the response to this question and, on a
737 UNIX-flavored OS, see the response to this question.
739 Q 7.5: Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?
741 A: Wireshark can only capture on devices supported by libpcap/WinPcap.
742 On most OSes, only devices that can act as network interfaces of the
743 type that support IP are supported as capture devices for
744 libpcap/WinPcap, although the device doesn't necessarily have to be
745 running as an IP interface in order to support traffic capture.
747 On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
748 Measurement Systems' DAG cards, so that a system with one of those
749 cards, and its driver and libraries, installed can capture traffic
750 with those cards with libpcap-based applications. You would either
751 have to have a version of Wireshark built with that version of
752 libpcap, or a dynamically-linked version of Wireshark and a shared
753 libpcap library with DAG support, in order to do so with Wireshark.
754 You should ask Endace whether that could be used to capture traffic
755 on, for example, your T1/E1 link. See the SS7 capture setup page on
756 the Wireshark Wiki for current information on capturing SS7 traffic on
759 Q 7.6: How do I put an interface into promiscuous mode?
761 A: By not disabling promiscuous mode when running Wireshark or TShark.
764 * the form of promiscuous mode that libpcap (the library that
765 programs such as tcpdump, Wireshark, etc. use to do packet
766 capture) turns on will not necessarily be shown if you run
767 ifconfig on the interface on a UNIX system;
768 * some network interfaces might not support promiscuous mode, and
769 some drivers might not allow promiscuous mode to be turned on -
770 see this earlier question for more information on that;
771 * the fact that you're not seeing any traffic, or are only seeing
772 broadcast traffic, or aren't seeing any non-broadcast traffic
773 other than traffic to or from the machine running Wireshark, does
774 not mean that promiscuous mode isn't on - see this earlier
775 question for more information on that.
777 I.e., this is probably the same question as this earlier one; see the
778 response to that question.
780 Q 7.7: I can set a display filter just fine; why don't capture filters
783 A: Capture filters currently use a different syntax than display
784 filters. Here's the corresponding section from the wireshark(1) man
787 "Display filters in Wireshark are very powerful; more fields are
788 filterable in Wireshark than in other protocol analyzers, and the
789 syntax you can use to create your filters is richer. As Wireshark
790 progresses, expect more and more protocol fields to be allowed in
793 Packet capturing is performed with the pcap library. The capture
794 filter syntax follows the rules of the pcap library. This syntax is
795 different from the display filter syntax."
797 The capture filter syntax used by libpcap can be found in the
800 Q 7.8: I'm entering valid capture filters; why do I still get "parse
803 A: There is a bug in some versions of libpcap/WinPcap that cause it to
804 report parse errors even for valid expressions if a previous filter
805 expression was invalid and got a parse error.
807 Try exiting and restarting Wireshark; if you are using a version of
808 libpcap/WinPcap with this bug, this will "erase" its memory of the
809 previous parse error. If the capture filter that got the "parse error"
810 now works, the earlier error with that filter was probably due to this
813 The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
814 libpcap have this bug, but 0.6[.x] and later versions don't.
816 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
817 libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
818 doesn't have this bug.
820 If you are running Wireshark on a UNIX-flavored platform, run
821 "wireshark -v", or select "About Wireshark..." from the "Help" menu in
822 Wireshark, to see what version of libpcap it's using. If it's not 0.6
823 or later, you will need either to upgrade your OS to get a later
824 version of libpcap, or will need to build and install a later version
825 of libpcap from the tcpdump.org Web site and then recompile Wireshark
826 from source with that later version of libpcap.
828 If you are running Wireshark on Windows with a pre-2.3 version of
829 WinPcap, you will need to un-install WinPcap and then download and
832 Q 7.9: How can I capture packets with CRC errors?
834 A: Wireshark can capture only the packets that the packet capture
835 library - libpcap on UNIX-flavored OSes, and the WinPcap port to
836 Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
837 capture only the packets that the OS's raw packet capture mechanism
838 (or the WinPcap driver, and the underlying OS networking code and
839 network interface drivers, on Windows) will allow it to capture.
841 Unless the OS always supplies packets with errors such as invalid CRCs
842 to the raw packet capture mechanism, or can be configured to do so,
843 invalid CRCs to the raw packet capture mechanism, Wireshark - and
844 other programs that capture raw packets, such as tcpdump - cannot
845 capture those packets. You will have to determine whether your OS
846 needs to be so configured and, if so, can be so configured, configure
847 it if necessary and possible, and make whatever changes to libpcap and
848 the packet capture program you're using are necessary, if any, to
849 support capturing those packets.
851 Most OSes probably do not support capturing packets with invalid CRCs
852 on Ethernet, and probably do not support it on most other link-layer
853 types. Some drivers on some OSes do support it, such as some Ethernet
854 drivers on FreeBSD; in those OSes, you might always get those packets,
855 or you might only get them if you capture in promiscuous mode (you'd
856 have to determine which is the case).
858 Note that libpcap does not currently supply to programs that use it an
859 indication of whether the packet's CRC was invalid (because the
860 drivers themselves do not supply that information to the raw packet
861 capture mechanism); therefore, Wireshark will not indicate which
862 packets had CRC errors unless the FCS was captured (see the next
863 question) and you're using Wireshark 0.9.15 and later, in which case
864 Wireshark will check the CRC and indicate whether it's correct or not.
866 Q 7.10: How can I capture entire frames, including the FCS?
868 A: Wireshark can only capture data that the packet capture library -
869 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
870 libpcap on Windows - can capture, and libpcap/WinPcap can capture only
871 the data that the OS's raw packet capture mechanism (or the WinPcap
872 driver, and the underlying OS networking code and network interface
873 drivers, on Windows) will allow it to capture.
875 For any particular link-layer network type, unless the OS supplies the
876 FCS of a frame as part of the frame, or can be configured to do so,
877 Wireshark - and other programs that capture raw packets, such as
878 tcpdump - cannot capture the FCS of a frame. You will have to
879 determine whether your OS needs to be so configured and, if so, can be
880 so configured, configure it if necessary and possible, and make
881 whatever changes to libpcap and the packet capture program you're
882 using are necessary, if any, to support capturing the FCS of a frame.
884 Most OSes do not support capturing the FCS of a frame on Ethernet, and
885 probably do not support it on most other link-layer types. Some
886 drivres on some OSes do support it, such as some (all?) Ethernet
887 drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet
888 interface in Mac OS X; in those OSes, you might always get the FCS, or
889 you might only get the FCS if you capture in promiscuous mode (you'd
890 have to determine which is the case).
892 Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS
893 in a captured packet as an FCS. 0.9.15 and later will attempt to
894 determine whether there's an FCS at the end of the frame and, if it
895 thinks there is, will display it as such, and will check whether it's
896 the correct CRC-32 value or not.
898 Q 7.11: I'm capturing packets on a machine on a VLAN; why don't the
899 packets I'm capturing have VLAN tags?
901 A: You might be capturing on what might be called a "VLAN interface" -
902 the way a particular OS makes VLANs plug into the networking stack
903 might, for example, be to have a network device object for the
904 physical interface, which takes VLAN packets, strips off the VLAN
905 header and constructs an Ethernet header, and passes that packet to an
906 internal network device object for the VLAN, which then passes the
907 packets onto various higher-level protocol implementations.
909 In order to see the raw Ethernet packets, rather than "de-VLANized"
910 packets, you would have to capture not on the virtual interface for
911 the VLAN, but on the interface corresponding to the physical network
912 device, if possible. See the Wireshark Wiki item on VLAN capturing for
915 Q 7.12: Why does Wireshark hang after I stop a capture?
917 A: The most likely reason for this is that Wireshark is trying to look
918 up an IP address in the capture to convert it to a name (so that, for
919 example, it can display the name in the source address or destination
920 address columns), and that lookup process is taking a very long time.
922 Wireshark calls a routine in the OS of the machine on which it's
923 running to convert of IP addresses to the corresponding names. That
924 routine probably does one or more of:
925 * a search of a system file listing IP addresses and names;
926 * a lookup using DNS;
927 * on UNIX systems, a lookup using NIS;
928 * on Windows systems, a NetBIOS-over-TCP query.
930 If a DNS server that's used in an address lookup is not responding,
931 the lookup will fail, but will only fail after a timeout while the
932 system routine waits for a reply.
934 In addition, on Windows systems, if the DNS lookup of the address
935 fails, either because the server isn't responding or because there are
936 no records in the DNS that could be used to map the address to a name,
937 a NetBIOS-over-TCP query will be made. That query involves sending a
938 message to the NetBIOS-over-TCP name service on that machine, asking
939 for the name and other information about the machine. If the machine
940 isn't running software that responds to those queries - for example,
941 many non-Windows machines wouldn't be running that software - the
942 lookup will only fail after a timeout. Those timeouts can cause the
943 lookup to take a long time.
945 If you disable network address-to-name translation - for example, by
946 turning off the "Enable network name resolution" option in the
947 "Capture Options" dialog box for starting a network capture - the
948 lookups of the address won't be done, which may speed up the process
949 of reading the capture file after the capture is stopped. You can make
950 that setting the default by selecting "Preferences" from the "Edit"
951 menu, turning off the "Enable network name resolution" option in the
952 "Name resolution" options in the preferences disalog box, and using
953 the "Save" button in that dialog box; note that this will save all
954 your current preference settings.
956 If Wireshark hangs when reading a capture even with network name
957 resolution turned off, there might, for example, be a bug in one of
958 Wireshark's dissectors for a protocol causing it to loop infinitely.
959 If you're not running the most recent release of Wireshark, you should
960 first upgrade to that release, as, if there's a bug of that sort, it
961 might've been fixed in a release after the one you're running. If the
962 hang occurs in the most recent release of Wireshark, the bug should be
963 reported to the Wireshark developers' mailing list at
964 wireshark-dev@wireshark.org.
966 On UNIX-flavored OSes, please try to force Wireshark to dump core, by
967 sending it a SIGABRT signal (usually signal 6) with the kill command,
968 and then get a stack trace if you have a debugger installed. A stack
969 trace can be obtained by using your debugger (gdb in this example),
970 the Wireshark binary, and the resulting core file. Here's an example
971 of how to use the gdb command backtrace to do so.
974 ..... prints the stack trace
978 The core dump file may be named "wireshark.core" rather than "core" on
979 some platforms (e.g., BSD systems).
981 Also, if at all possible, please send a copy of the capture file that
982 caused the problem; when capturing packets, Wireshark normally writes
983 captured packets to a temporary file, which will probably be in /tmp
984 or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
985 (normally C:) on Windows 9x/Me/NT 4.0, and \Documents and
986 Settings\your login name\Local Settings\Temp on the main system disk
987 on Windows 2000/Windows XP/Windows Server 2003, so the capture file
988 will probably be there. It will have a name beginning with ether, with
989 some mixture of letters and numbers after that. Please don't send a
990 trace file greater than 1 MB when compressed; instead, make it
991 available via FTP or HTTP, or say it's available but leave it up to a
992 developer to ask for it. If the trace file contains sensitive
993 information (e.g., passwords), then please do not send it.
995 8. Capturing packets on Windows
997 Q 8.1: I'm running Wireshark on Windows; why does some network
998 interface on my machine not show up in the list of interfaces in the
999 "Interface:" field in the dialog box popped up by "Capture->Start",
1000 and/or why does Wireshark give me an error if I try to capture on that
1003 A: If you are running Wireshark on Windows NT 4.0, Windows 2000,
1004 Windows XP, or Windows Server 2003, and this is the first time you
1005 have run a WinPcap-based program (such as Wireshark, or TShark, or
1006 WinDump, or Analyzer, or...) since the machine was rebooted, you need
1007 to run that program from an account with administrator privileges;
1008 once you have run such a program, you will not need administrator
1009 privileges to run any such programs until you reboot.
1011 If you are running on Windows 95/98/Me, or if you are running on
1012 Windows NT 4.0/Windows 2000/Windows XP/Windows Server 2003 and have
1013 administrator privileges or a WinPcap-based program has been run with
1014 those privileges since the machine rebooted, this problem might clear
1015 up if you completely un-install WinPcap and then re-install it.
1017 If that doesn't work, then note that Wireshark relies on the WinPcap
1018 library, on the WinPcap device driver, and on the facilities that come
1019 with the OS on which it's running in order to do captures.
1021 Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
1022 support capturing on a particular network interface device, Wireshark
1023 won't be able to capture on that device.
1026 1. 2.02 and earlier versions of the WinPcap driver and library that
1027 Wireshark uses for packet capture didn't support Token Ring
1028 interfaces; versions 2.1 and later support Token Ring, and the
1029 current version of Wireshark works with (and, in fact, requires)
1030 WinPcap 2.1 or later.
1031 If you are having problems capturing on Token Ring interfaces, and
1032 you have WinPcap 2.02 or an earlier version of WinPcap installed,
1033 you should uninstall WinPcap, download and install the current
1034 version of WinPcap, and then install the latest version of
1036 2. On Windows 95, 98, or Me, sometimes more than one interface will
1037 be given the same name; if that is the case, you will only be able
1038 to capture on one of those interfaces - it's not clear to which
1039 one the name, when used in a WinPcap-based application, will
1040 refer. For example, if you have a PPP serial interface and a VPN
1041 interface, they might show up with the same name, for example
1042 "ppp-mac", and if you try to capture on "ppp-mac", it might not
1043 capture on the interface you're currently using. In that case, you
1044 might, for example, have to remove the VPN interface from the
1045 system in order to capture on the PPP serial interface.
1046 3. WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows
1047 NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to
1048 avoid those problems, support for PPP WAN interfaces on those
1049 versions of Windows has been disabled in WinPcap 3.0. Regular
1050 dial-up lines, ISDN lines, ADSL connections using PPPoE or PPPoA,
1051 and various other lines such as T1/E1 lines are all PPP
1052 interfaces, so those interfaces might not show up on the list of
1053 interfaces in the "Capture Options" dialog on those OSes.
1054 On Windows 2000, Windows XP, and Windows Server 2003, but not
1055 Windows NT 4.0 or Windows Vista Beta 1, you should be able to
1056 capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta
1057 releases called it the "NdisWanAdapter"; if you're using a 3.1
1058 beta release, you should un-install it and install the final 3.1
1059 release.) See the Wireshark Wiki item on PPP capturing for
1061 4. WinPcap prior to 3.0 does not support multiprocessor machines
1062 (note that machines with a single multi-threaded processor, such
1063 as Intel's new multi-threaded x86 processors, are multiprocessor
1064 machines as far as the OS and WinPcap are concerned), and recent
1065 2.x versions of WinPcap refuse to operate if they detect that
1066 they're running on a multiprocessor machine, which means that they
1067 may not show any network interfaces. You will need to use WinPcap
1068 3.0 to capture on a multiprocessor machine.
1070 If an interface doesn't show up in the list of interfaces in the
1071 "Interface:" field, and you know the name of the interface, try
1072 entering that name in the "Interface:" field and capturing on that
1075 If the attempt to capture on it succeeds, the interface is somehow not
1076 being reported by the mechanism Wireshark uses to get a list of
1077 interfaces. Try listing the interfaces with WinDump; see the WinDump
1078 Web site for information on using WinDump.
1080 You would run WinDump with the -D flag; if it lists the interface,
1081 please report this to wireshark-dev@wireshark.org giving full details
1082 of the problem, including
1083 * the operating system you're using, and the version of that
1085 * the type of network device you're using;
1086 * the output of WinDump.
1088 If WinDump does not list the interface, this is almost certainly a
1089 problem with one or more of:
1090 * the operating system you're using;
1091 * the device driver for the interface you're using;
1092 * the WinPcap library and/or the WinPcap device driver;
1094 so first check the WinPcap FAQ or the Wiretapped.net mirror of that
1095 FAQ, to see if your problem is mentioned there. If not, then see the
1096 WinPcap support page - check the "Submitting bugs" section.
1098 If you are having trouble capturing on a particular network interface,
1099 first try capturing on that device with WinDump; see the WinDump Web
1100 site for information on using WinDump.
1102 If you can capture on the interface with WinDump, send mail to
1103 wireshark-users@wireshark.org giving full details of the problem,
1105 * the operating system you're using, and the version of that
1107 * the type of network device you're using;
1108 * the error message you get from Wireshark.
1110 If you cannot capture on the interface with WinDump, this is almost
1111 certainly a problem with one or more of:
1112 * the operating system you're using;
1113 * the device driver for the interface you're using;
1114 * the WinPcap library and/or the WinPcap device driver;
1116 so first check the WinPcap FAQ or the Wiretapped.net mirror of that
1117 FAQ, to see if your problem is mentioned there. If not, then see the
1118 WinPcap support page - check the "Submitting bugs" section.
1120 You may also want to ask the wireshark-users@wireshark.org and the
1121 winpcap-users@winpcap.org mailing lists to see if anybody happens to
1122 know about the problem and know a workaround or fix for the problem.
1123 (Note that you will have to subscribe to that list in order to be
1124 allowed to mail to it; see the WinPcap support page for information on
1125 the mailing list.) In your mail, please give full details of the
1126 problem, as described above, and also indicate that the problem occurs
1127 with WinDump, not just with Wireshark.
1129 Q 8.2: I'm running Wireshark on Windows; why do no network interfaces
1130 show up in the list of interfaces in the "Interface:" field in the
1131 dialog box popped up by "Capture->Start"?
1133 A: This is really the same question as the previous one; see the
1134 response to that question.
1136 Q 8.3: I'm running Wireshark on Windows; why doesn't my serial
1137 port/ADSL modem/ISDN modem show up in the list of interfaces in the
1138 "Interface:" field in the dialog box popped up by "Capture->Start"?
1140 A: Internet access on those devices is often done with the
1141 Point-to-Point (PPP) protocol; WinPcap 2.3 has problems supporting PPP
1142 WAN interfaces on Windows NT 4.0, Windows 2000, Windows XP, and
1143 Windows Server 2003, and, to avoid those problems, support for PPP WAN
1144 interfaces on those versions of Windows has been disabled in WinPcap
1147 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows
1148 NT 4.0 or Windows Vista Beta 1, you should be able to capture on the
1149 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
1150 the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
1151 un-install it and install the final 3.1 release.) See the Wireshark
1152 Wiki item on PPP capturing for details.
1154 Q 8.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows
1155 XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN,
1156 etc.) interface, and it shows up in the "Interface" item in the
1157 "Capture Options" dialog box. Why can no packets be sent on or
1158 received from that network while I'm trying to capture traffic on that
1161 A: Some versions of WinPcap have problems with PPP WAN interfaces on
1162 Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one
1163 symptom that may be seen is that attempts to capture in promiscuous
1164 mode on the interface cause the interface to be incapable of sending
1165 or receiving packets. You can disable promiscuous mode using the -p
1166 command-line flag or the item in the "Capture Preferences" dialog box,
1167 but this may mean that outgoing packets, or incoming packets, won't be
1168 seen in the capture.
1170 On Windows 2000, Windows XP, and Windows Server 2003, but not Windows
1171 NT 4.0 or Windows Vista Beta 1, you should be able to capture on the
1172 "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it
1173 the "NdisWanAdapter"; if you're using a 3.1 beta release, you should
1174 un-install it and install the final 3.1 release.) See the Wireshark
1175 Wiki item on PPP capturing for details.
1177 Q 8.5: I'm running Wireshark on Windows 95/98/Me, on a machine with
1178 more than one network adapter of the same type; why does Wireshark
1179 show all of those adapters with the same name, not letting me use any
1180 of those adapters other than the first one?
1182 A: Unfortunately, Windows 95/98/Me gives the same name to multiple
1183 instances of the type of same network adapter. Therefore, WinPcap
1184 cannot distinguish between them, so a WinPcap-based application can
1185 capture only on the first such interface; Wireshark is a
1186 libpcap/WinPcap-based application.
1188 Q 8.6: I'm running Wireshark on Windows; why am I not seeing any
1189 traffic being sent by the machine running Wireshark?
1191 A: If you are running some form of VPN client software, it might be
1192 causing this problem; people have seen this problem when they have
1193 Check Point's VPN software installed on their machine. If that's the
1194 cause of the problem, you will have to remove the VPN software in
1195 order to have Wireshark (or any other application using WinPcap) see
1196 outgoing packets; unfortunately, neither we nor the WinPcap developers
1197 know any way to make WinPcap and the VPN software work well together.
1199 Also, some drivers for Windows (especially some wireless network
1200 interface drivers) apparently do not, when running in promiscuous
1201 mode, arrange that outgoing packets are delivered to the software that
1202 requested that the interface run promiscuously; try turning
1203 promiscuous mode off.
1205 Q 8.7: When I capture on Windows in promiscuous mode, I can see
1206 packets other than those sent to or from my machine; however, those
1207 packets show up with a "Short Frame" indication, unlike packets to or
1208 from my machine. What should I do to arrange that I see those packets
1211 A: In at least some cases, this appears to be the result of PGPnet
1212 running on the network interface on which you're capturing; turn it
1213 off on that interface.
1215 Q 8.8: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
1216 why are the time stamps on packets wrong?
1218 A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap
1219 3.0 and later releases.
1221 Q 8.9: I'm trying to capture 802.11 traffic on Windows; why am I not
1224 A: At least some 802.11 card drivers on Windows appear not to see any
1225 packets if they're running in promiscuous mode. Try turning
1226 promiscuous mode off; you'll only be able to see packets sent by and
1227 received by your machine, not third-party traffic, and it'll look like
1228 Ethernet traffic and won't include any management or control frames,
1229 but that's a limitation of the card drivers.
1231 See MicroLogix's list of cards supported with WinPcap for information
1232 on support of various adapters and drivers with WinPcap.
1234 Q 8.10: I'm trying to capture 802.11 traffic on Windows; why am I
1235 seeing packets received by the machine on which I'm capturing traffic,
1236 but not packets sent by that machine?
1238 A: This appears to be another problem with promiscuous mode; try
1241 Q 8.11: I'm trying to capture Ethernet VLAN traffic on Windows, and
1242 I'm capturing on a "raw" Ethernet device rather than a "VLAN
1243 interface", so that I can see the VLAN headers; why am I seeing
1244 packets received by the machine on which I'm capturing traffic, but
1245 not packets sent by that machine?
1247 A: The way the Windows networking code works probably means that
1248 packets are sent on a "VLAN interface" rather than the "raw" device,
1249 so packets sent by the machine will only be seen when you capture on
1250 the "VLAN interface". If so, you will be unable to see outgoing
1251 packets when capturing on the "raw" device, so you are stuck with a
1252 choice between seeing VLAN headers and seeing outgoing packets.
1254 9. Capturing packets on UN*Xes
1256 Q 9.1: I'm running Wireshark on a UNIX-flavored OS; why does some
1257 network interface on my machine not show up in the list of interfaces
1258 in the "Interface:" field in the dialog box popped up by
1259 "Capture->Start", and/or why does Wireshark give me an error if I try
1260 to capture on that interface?
1262 A: You may need to run Wireshark from an account with sufficient
1263 privileges to capture packets, such as the super-user account, or may
1264 need to give your account sufficient privileges to capture packets.
1265 Only those interfaces that Wireshark can open for capturing show up in
1266 that list; if you don't have sufficient privileges to capture on any
1267 interfaces, no interfaces will show up in the list. See the Wireshark
1268 Wiki item on capture privileges for details on how to give a
1269 particular account or account group capture privileges on platforms
1270 where that can be done.
1272 If you are running Wireshark from an account with sufficient
1273 privileges, then note that Wireshark relies on the libpcap library,
1274 and on the facilities that come with the OS on which it's running in
1275 order to do captures. On some OSes, those facilities aren't present by
1276 default; see the Wireshark Wiki item on adding capture support for
1279 And, even if you're running with an account that has sufficient
1280 privileges to capture, and capture support is present in your OS, if
1281 the OS or the libpcap library don't support capturing on a particular
1282 network interface device or particular types of devices, Wireshark
1283 won't be able to capture on that device.
1285 On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
1286 Ring interfaces; the current version, 0.7.2, does support Token Ring,
1287 and the current version of Wireshark works with libcap 0.7.2 and
1290 If an interface doesn't show up in the list of interfaces in the
1291 "Interface:" field, and you know the name of the interface, try
1292 entering that name in the "Interface:" field and capturing on that
1295 If the attempt to capture on it succeeds, the interface is somehow not
1296 being reported by the mechanism Wireshark uses to get a list of
1297 interfaces; please report this to wireshark-dev@wireshark.org giving
1298 full details of the problem, including
1299 * the operating system you're using, and the version of that
1300 operating system (for Linux, give both the version number of the
1301 kernel and the name and version number of the distribution you're
1303 * the type of network device you're using.
1305 If you are having trouble capturing on a particular network interface,
1306 and you've made sure that (on platforms that require it) you've
1307 arranged that packet capture support is present, as per the above,
1308 first try capturing on that device with tcpdump.
1310 If you can capture on the interface with tcpdump, send mail to
1311 wireshark-users@wireshark.org giving full details of the problem,
1313 * the operating system you're using, and the version of that
1314 operating system (for Linux, give both the version number of the
1315 kernel and the name and version number of the distribution you're
1317 * the type of network device you're using;
1318 * the error message you get from Wireshark.
1320 If you cannot capture on the interface with tcpdump, this is almost
1321 certainly a problem with one or more of:
1322 * the operating system you're using;
1323 * the device driver for the interface you're using;
1324 * the libpcap library;
1326 so you should report the problem to the company or organization that
1327 produces the OS (in the case of a Linux distribution, report the
1328 problem to whoever produces the distribution).
1330 You may also want to ask the wireshark-users@wireshark.org and the
1331 tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
1332 know about the problem and know a workaround or fix for the problem.
1333 In your mail, please give full details of the problem, as described
1334 above, and also indicate that the problem occurs with tcpdump not just
1337 Q 9.2: I'm running Wireshark on a UNIX-flavored OS; why do no network
1338 interfaces show up in the list of interfaces in the "Interface:" field
1339 in the dialog box popped up by "Capture->Start"?
1341 A: This is really the same question as the previous one; see the
1342 response to that question.
1344 Q 9.3: I'm capturing packets on Linux; why do the time stamps have
1345 only 100ms resolution, rather than 1us resolution?
1347 A: Wireshark gets time stamps from libpcap/WinPcap, and
1348 libpcap/WinPcap get them from the OS kernel, so Wireshark - and any
1349 other program using libpcap, such as tcpdump - is at the mercy of the
1350 time stamping code in the OS for time stamps.
1352 At least on x86-based machines, Linux can get high-resolution time
1353 stamps on newer processors with the Time Stamp Counter (TSC) register;
1354 for example, Intel x86 processors, starting with the Pentium Pro, and
1355 including all x86 processors since then, have had a TSC, and other
1356 vendors probably added the TSC at some point to their families of x86
1359 The Linux kernel must be configured with the CONFIG_X86_TSC option
1360 enabled in order to use the TSC. Make sure this option is enabled in
1363 In addition, some Linux distributions may have bugs in their versions
1364 of the kernel that cause packets not to be given high-resolution time
1365 stamps even if the TSC is enabled. See, for example, bug 61111 for Red
1366 Hat Linux 7.2. If your distribution has a bug such as this, you may
1367 have to run a standard kernel from kernel.org in order to get
1368 high-resolution time stamps.
1370 10. Capturing packets on wireless LANs
1372 Q 10.1: How can I capture raw 802.11 frames, including non-data
1373 (management, beacon) frames?
1375 A: That depends on the operating system on which you're running, and
1376 on the 802.11 interface on which you're capturing.
1378 This would probably require that you capture in promiscuous mode or in
1379 the mode called "monitor mode" or "RFMON mode". On some platforms, or
1380 with some cards, this might require that you capture in monitor mode -
1381 promiscuous mode might not be sufficient. If you want to capture
1382 traffic on networks other than the one with which you're associated,
1383 you will have to capture in monitor mode.
1385 Not all operating systems support capturing non-data packets and, even
1386 on operating systems that do support it, not all drivers, and thus not
1387 all interfaces, support it. Even on those that do, monitor mode might
1388 not be supported by the operating system or by the drivers for all
1391 NOTE: an interface running in monitor mode will, on most if not all
1392 platforms, not be able to act as a regular network interface; putting
1393 it into monitor mode will, in effect, take your machine off of
1394 whatever network it's on as long as the interface is in monitor mode,
1395 allowing it only to passively capture packets.
1397 This means that you should disable name resolution when capturing in
1398 monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries
1399 to display IP addresses as host names, it will probably block for a
1400 long time trying to resolve the name because it will not be able to
1401 communicate with any DNS or NIS servers.
1403 See the Wireshark Wiki item on 802.11 capturing for details.
1405 Q 10.2: How do I capture on an 802.11 device in monitor mode?
1407 A: Whether you will be able to capture in monitor mode depends on the
1408 operating system, adapter, and driver you're using. See the previous
1409 question for information on monitor mode, including a link to the
1410 Wireshark Wiki page that gives details on 802.11 capturing.
1414 Q 11.1: Why am I seeing lots of packets with incorrect TCP checksums?
1416 A: If the packets that have incorrect TCP checksums are all being sent
1417 by the machine on which Wireshark is running, this is probably because
1418 the network interface on which you're capturing does TCP checksum
1419 offloading. That means that the TCP checksum is added to the packet by
1420 the network interface, not by the OS's TCP/IP stack; when capturing on
1421 an interface, packets being sent by the host on which you're capturing
1422 are directly handed to the capture interface by the OS, which means
1423 that they are handed to the capture interface without a TCP checksum
1424 being added to them.
1426 The only way to prevent this from happening would be to disable TCP
1427 checksum offloading, but
1428 1. that might not even be possible on some OSes;
1429 2. that could reduce networking performance significantly.
1431 However, you can disable the check that Wireshark does of the TCP
1432 checksum, so that it won't report any packets as having TCP checksum
1433 errors, and so that it won't refuse to do TCP reassembly due to a
1434 packet having an incorrect TCP checksum. That can be set as an
1435 Wireshark preference by selecting "Preferences" from the "Edit" menu,
1436 opening up the "Protocols" list in the left-hand pane of the
1437 "Preferences" dialog box, selecting "TCP", from that list, turning off
1438 the "Check the validity of the TCP checksum when possible" option,
1439 clicking "Save" if you want to save that setting in your preference
1440 file, and clicking "OK".
1442 It can also be set on the Wireshark or TShark command line with a -o
1443 tcp.check_checksum:false command-line flag, or manually set in your
1444 preferences file by adding a tcp.check_checksum:false line.
1446 Q 11.2: I've just installed Wireshark, and the traffic on my local LAN
1447 is boring. Where can I find more interesting captures?
1449 A: We have a collection of strange and exotic sample capture files at
1450 http://wiki.wireshark.org/SampleCaptures
1452 Q 11.3: Why doesn't Wireshark correctly identify RTP packets? It shows
1455 A: Wireshark can identify a UDP datagram as containing a packet of a
1456 particular protocol running atop UDP only if
1457 1. The protocol in question has a particular standard port number,
1458 and the UDP source or destination port number is that port
1459 2. Packets of that protocol can be identified by looking for a
1460 "signature" of some type in the packet - i.e., some data that, if
1461 Wireshark finds it in some particular part of a packet, means that
1462 the packet is almost certainly a packet of that type.
1463 3. Some other traffic earlier in the capture indicated that, for
1464 example, UDP traffic between two particular addresses and ports
1465 will be RTP traffic.
1467 RTP doesn't have a standard port number, so 1) doesn't work; it
1468 doesn't, as far as I know, have any "signature", so 2) doesn't work.
1470 That leaves 3). If there's RTSP traffic that sets up an RTP session,
1471 then, at least in some cases, the RTSP dissector will set things up so
1472 that subsequent RTP traffic will be identified. Currently, that's the
1473 only place we do that; there may be other places.
1475 However, there will always be places where Wireshark is simply
1476 incapable of deducing that a given UDP flow is RTP; a mechanism would
1477 be needed to allow the user to specify that a given conversation
1478 should be treated as RTP. As of Wireshark 0.8.16, such a mechanism
1479 exists; if you select a UDP or TCP packet, the right mouse button menu
1480 will have a "Decode As..." menu item, which will pop up a dialog box
1481 letting you specify that the source port, the destination port, or
1482 both the source and destination ports of the packet should be
1483 dissected as some particular protocol.
1485 Q 11.4: Why doesn't Wireshark show Yahoo Messenger packets in captures
1486 that contain Yahoo Messenger traffic?
1488 A: Wireshark only recognizes as Yahoo Messenger traffic packets to or
1489 from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
1490 segments that start with the middle of a Yahoo Messenger packet that
1491 takes more than one TCP segment will not be recognized as Yahoo
1492 Messenger packets (even if the TCP segment also contains the beginning
1493 of another Yahoo Messenger packet).
1495 12. Filtering traffic
1497 Q 12.1: I saved a filter and tried to use its name to filter the
1498 display; why do I get an "Unexpected end of filter string" error?
1500 A: You cannot use the name of a saved display filter as a filter. To
1501 filter the display, you can enter a display filter expression - not
1502 the name of a saved display filter - in the "Filter:" box at the
1503 bottom of the display, and type the key or press the "Apply" button
1504 (that does not require you to have a saved filter), or, if you want to
1505 use a saved filter, you can press the "Filter:" button, select the
1506 filter in the dialog box that pops up, and press the "OK" button.
1508 Q 12.2: How can I search for, or filter, packets that have a
1509 particular string anywhere in them?
1511 A: If you want to do this when capturing, you can't. That's a feature
1512 that would be hard to implement in capture filters without changes to
1513 the capture filter code, which, on many platforms, is in the OS kernel
1514 and, on other platforms, is in the libpcap library.
1516 In releases prior to 0.9.14, you also can't search for, or filter,
1517 packets containing a particular string even after you've captured
1520 In 0.9.14, you can search for, but not filter, packets that have a
1521 particular string; this has been added to the "Find Frame" dialog
1522 ("Find Frame" under the "Edit" menu, or control-F).
1524 In 0.9.15 and later, you can search for those packets using either the
1525 mechanism introduced in 0.9.14 or using the new "contains" operator in
1526 filter expressions, which lets you search the entire packet or text
1527 string or byte string fields in the packet; the "contains" operator
1528 can also be used in expressions used to filter the display.
1530 Q 12.3: How do I filter a capture to see traffic for virus XXX?
1532 A: For some viruses/worms there might be a capture filter to recognize
1533 the virus traffic. Check the CaptureFilters page on the Wireshark Wiki
1534 to see if anybody's added such a filter.
1536 Note that Wireshark was not designed to be an intrusion detection
1537 system; you might be able to use it as an IDS, but in most cases
1538 software designed to be an IDS, such as Snort or Prelude, will
1539 probably work better.
1541 The Bleeding Edge of Snort has a collection of signatures for Snort to
1542 detect various viruses, worms, and the like.