4 Note: This is just an ASCII snapshot of the faq and may not be up to
5 date. Please go to http://www.ethereal.com/faq.html for the up
6 to date version. The version of this snapshot can be found at
7 the end of this document.
14 1.1 Where can I get help?
16 1.2 How much does Ethereal cost?
18 1.3 Can I use Ethereal commercially?
20 1.4 Can I use Ethereal as part of my commercial product?
22 1.5 What protocols are currently supported?
24 1.6 Are there any plans to support {your favorite protocol}?
26 1.7 Can Ethereal read capture files from {your favorite network
29 1.8 What devices can Ethereal use to capture packets?
31 1.9 How do you pronounce Ethereal? Where did the name come from?
35 2.1 I downloaded the Win32 installer, but when I try to run it, I get
38 2.2 When I try to download the WinPcap driver and library, I can't get
39 to the WinPcap Web site.
43 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be
44 installed; only Tethereal is installed.
48 4.1 The configure script can't find pcap.h or bpf.h, but I have
51 4.2 Why do I get the error
53 dftest_DEPENDENCIES was already defined in condition TRUE, which
54 implies condition HAVE_PLUGINS_TRUE
56 when I try to build Ethereal from SVN or a SVN snapshot?
58 4.3 The link fails with a number of "Output line too long." messages
59 followed by linker errors.
61 4.4 The link fails on Solaris because plugin_list is undefined.
63 4.5 The build fails on Windows because of conflicts between winsock.h
68 5.1 When I use Ethereal to capture packets, I see only packets to and
69 from my machine, or I'm not seeing all the traffic I'm expecting to
70 see from or to the machine I'm trying to monitor.
72 5.2 I can't see any TCP packets other than packets to and from my
73 machine, even though another analyzer on the network sees those
76 5.3 I'm only seeing ARP packets when I try to capture traffic.
78 5.4 I'm running Ethereal on Windows; why does some network interface
79 on my machine not show up in the list of interfaces in the
80 "Interface:" field in the dialog box popped up by "Capture->Start",
81 and/or why does Ethereal give me an error if I try to capture on that
84 5.5 I'm running Ethereal on Windows; why do no network interfaces show
85 up in the list of interfaces in the "Interface:" field in the dialog
86 box popped up by "Capture->Start"?
88 5.6 I'm running Ethereal on Windows; why doesn't my serial port/ADSL
89 modem/ISDN modem/show up in the list of interfaces in the "Interface:"
90 field in the dialog box popped up by "Capture->Start"?
92 5.7 I'm running Ethereal on a UNIX-flavored OS; why does some network
93 interface on my machine not show up in the list of interfaces in the
94 "Interface:" field in the dialog box popped up by "Capture->Start",
95 and/or why does Ethereal give me an error if I try to capture on that
98 5.8 I'm running Ethereal on a UNIX-flavored OS; why do no network
99 interfaces show up in the list of interfaces in the "Interface:" field
100 in the dialog box popped up by "Capture->Start"?
102 5.9 Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
104 5.10 How do I put an interface into promiscuous mode?
106 5.11 I can set a display filter just fine, but capture filters don't
109 5.12 I'm entering valid capture filters, but I still get "parse error"
112 5.13 I saved a filter and tried to use its name to filter the display,
113 but I got an "Unexpected end of filter string" error.
115 5.14 Why am I seeing lots of packets with incorrect TCP checksums?
117 5.15 I've just installed Ethereal, and the traffic on my local LAN is
120 5.16 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
123 5.17 When I run Ethereal, I get an error
125 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
126 assertion `height > 0' failed.
128 5.18 When I run Tethereal with the "-x" option, it crashes with an
131 "** ERROR **: file print.c: line 691 (print_line): should not be
134 5.19 When I run Ethereal on Windows NT, it dies with a Dr. Watson
135 error, reporting an "Integer division by zero" exception, when I start
138 5.20 When I try to run Ethereal, it complains about
139 sprint_realloc_objid being undefined.
141 5.21 I'm running Ethereal on Linux; why do my time stamps have only
142 100ms resolution, rather than 1us resolution?
144 5.22 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
145 why are the time stamps on packets wrong?
147 5.23 When I try to run Ethereal on Windows, it fails to run because it
148 can't find packet.dll.
150 5.24 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
151 a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
152 "Interface" item in the "Capture Options" dialog box. Why can no
153 packets be sent on or received from that network while I'm trying to
154 capture traffic on that interface?
156 5.25 I'm running Ethereal on Windows 95/98/Me, on a machine with more
157 than one network adapter of the same type; Ethereal shows all of those
158 adapters with the same name, but I can't use any of those adapters
159 other than the first one.
161 5.26 I'm running Ethereal on Windows, and I'm not seeing any traffic
162 being sent by the machine running Ethereal.
164 5.27 I'm trying to capture traffic but I'm not seeing any.
166 5.28 I have an XXX network card on my machine; if I try to capture on
167 it, my machine crashes or resets itself.
169 5.29 My machine crashes or resets itself when I select "Start" from
170 the "Capture" menu or select "Preferences" from the "Edit" menu.
172 5.30 Does Ethereal work on Windows Me?
174 5.31 Does Ethereal work on Windows XP?
176 5.32 Why doesn't Ethereal correctly identify RTP packets? It shows
179 5.33 Why doesn't Ethereal show Yahoo Messenger packets in captures
180 that contain Yahoo Messenger traffic?
182 5.34 Why do I get the error
184 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
188 when I try to run Ethereal on Windows?
190 5.35 When I capture on Windows in promiscuous mode, I can see packets
191 other than those sent to or from my machine; however, those packets
192 show up with a "Short Frame" indication, unlike packets to or from my
193 machine. What should I do to arrange that I see those packets in their
196 5.36 I'm capturing packets on a machine on a VLAN; why don't the
197 packets I'm capturing have VLAN tags?
199 5.37 How can I capture raw 802.11 packets, including non-data
200 (management, beacon) packets?
202 5.38 How do I capture on an 802.11 device in monitor mode on Linux?
204 5.39 How do I capture on an 802.11 device in monitor mode on FreeBSD?
206 5.40 How do I capture on an 802.11 device in monitor mode on NetBSD?
208 5.41 I'm trying to capture 802.11 traffic on Windows; why am I not
211 5.42 I'm trying to capture 802.11 traffic on Windows; why am I seeing
212 packets received by the machine on which I'm capturing traffic, but
213 not packets sent by that machine?
215 5.43 How can I capture packets with CRC errors?
217 5.44 How can I capture entire frames, including the FCS?
219 5.45 Why does Ethereal hang after I stop a capture?
221 5.46 How can I search for, or filter, packets that have a particular
222 string anywhere in them?
224 5.47 How do I filter a capture to see traffic for virus XXX?
228 Q 1.1: Where can I get help?
230 A: Support is available on the ethereal-users mailing list.
231 Subscription information and archives for all of Ethereal's mailing
232 lists can be found at http://www.ethereal.com/lists
234 Q 1.2: How much does Ethereal cost?
236 A: Ethereal is "free software"; you can download it without paying any
237 license fee. The version of Ethereal you download isn't a "demo"
238 version, with limitations not present in a "full" version; it is the
241 The license under which Ethereal is issued is the GNU General Public
242 License. See the GNU GPL FAQ for some more information.
244 Q 1.3: Can I use Ethereal commercially?
246 A: Yes, if, for example, you mean "I work for a commercial
247 organization; can I use Ethereal to capture and analyze network
248 traffic in our company's networks or in our customer's networks?"
250 If you mean "Can I use Ethereal as part of my commercial product?",
251 see the next entry in the FAQ.
253 Q 1.4: Can I use Ethereal as part of my commercial product?
255 A: As noted, Ethereal is licended under the GNU General Public
256 License. The GPL imposes conditions on your use of GPL'ed code in your
257 own products; you cannot, for example, make a "derived work" from
258 Ethereal, by making modifications to it, and then sell the resulting
259 derived work and not allow recipients to give away the resulting work.
260 You must also make the changes you've made to the Ethereal source
261 available to all recipients of your modified version; those changes
262 must also be licensed under the terms of the GPL. See the GPL FAQ for
263 more details; in particular, note the answer to the question about
264 modifying a GPLed program and selling it commercially, and the
265 question about linking GPLed code with other code to make a
268 You can combine a GPLed program such as Ethereal and a commercial
269 program as long as they communicate "at arm's length", as per this
272 Q 1.5: What protocols are currently supported?
274 A: There are currently 620 supported protocols and media, listed
275 below. Descriptions can be found in the ethereal(1) man page.
279 802.1x Authentication
280 AAL type 2 signalling protocol - Capability set 1 (Q.2630.1)
282 AFS (4.0) Replication Server call declarations
285 AIM Buddylist Service
292 AIM Invitation Service
297 AIM Privacy Management Service
299 AIM Server Side Themes
306 ANSI IS-637-A (SMS) Teleservice Layer
307 ANSI IS-637-A (SMS) Transport Layer
308 ANSI IS-683-A (OTA (Mobile))
309 ANSI IS-801 (Location Services (PLD))
310 ANSI Mobile Application Part
311 AOL Instant Messenger
320 AVS WLAN Capture header
322 Ad hoc On-demand Distance Vector Routing Protocol
323 Address Resolution Protocol
324 Aggregate Server Access Protocol
326 Alteon - Transparent Proxy Cache Protocol
327 Andrew File System (AFS)
328 Apache JServ Protocol v1.3
329 Apple IP-over-IEEE 1394
330 AppleTalk Filing Protocol
331 AppleTalk Session Protocol
332 AppleTalk Transaction Protocol packet
333 Appletalk Address Resolution Protocol
334 Application Configuration Access Protocol
336 Async data over ISDN (V.120)
337 Authentication Header
338 BACnet Virtual Link Control
343 Banyan Vines Fragmentation Protocol
350 Base Station Subsystem GPRS Protocol
351 Basic Encoding Rules (ASN.1 X.690)
352 Bearer Independent Call Control
353 Bi-directional Fault Detection Control Message
355 Blocks Extensible Exchange Protocol
356 Blubster/Piolet MANOLITO Protocol
360 Border Gateway Protocol
361 Building Automation and Control Network APDU
362 Building Automation and Control Network NPDU
364 CDS Clerk Server Calls
365 Cast Client Control Protocol
366 Check Point High Availability Protocol
369 Cisco Discovery Protocol
370 Cisco Group Management Protocol
372 Cisco Hot Standby Router Protocol
374 Cisco Interior Gateway Routing Protocol
377 Cisco Session Management
379 CoSine IPNOS L2 debug output
380 Common Industrial Protocol
381 Common Open Policy Service
382 Common Unix Printing System (CUPS) Browsing Protocol
384 Configuration Test Protocol (loopback)
385 Connectionless Lightweight Directory Access Protocol
386 Coseventcomm Dissector Using GIOP API
387 Cosnaming Dissector Using GIOP API
388 Cross Point Frame Injector
389 Cryptographic Message Syntax
390 DCE Distributed Time Service Local Server
391 DCE Distributed Time Service Provider
394 DCE Security ID Mapper
398 DCE/RPC CDS Solicitation
399 DCE/RPC Conversation Manager
400 DCE/RPC Directory Acl Interface
401 DCE/RPC Endpoint Mapper
402 DCE/RPC Endpoint Mapper4
404 DCE/RPC FLDB UBIK TRANSFER
405 DCE/RPC FLDB UBIKVOTE
408 DCE/RPC NCS 1.5.1 Local Location Broker
409 DCE/RPC Operations between registry server replicas
416 DCE/RPC Registry Password Management
417 DCE/RPC Registry Server Attributes Schema
418 DCE/RPC Registry server propagation interface - ACLs.
419 DCE/RPC Registry server propagation interface - PGO items
420 DCE/RPC Registry server propagation interface - properties and poli
422 DCE/RPC Remote Management
423 DCE/RPC Repserver Calls
424 DCE/RPC TokenServer Calls
427 DCOM Remote Activation
428 DEC Spanning Tree Protocol
434 DNS Control Program Server
436 DOCSIS Appendix C TLV's
437 DOCSIS Baseline Privacy Key Management Attributes
438 DOCSIS Baseline Privacy Key Management Request
439 DOCSIS Baseline Privacy Key Management Response
440 DOCSIS Dynamic Service Addition Acknowledge
441 DOCSIS Dynamic Service Addition Request
442 DOCSIS Dynamic Service Addition Response
443 DOCSIS Dynamic Service Change Acknowledgement
444 DOCSIS Dynamic Service Change Request
445 DOCSIS Dynamic Service Change Response
446 DOCSIS Dynamic Service Delete Request
447 DOCSIS Dynamic Service Delete Response
448 DOCSIS Initial Ranging Message
449 DOCSIS Mac Management
450 DOCSIS Range Request Message
451 DOCSIS Ranging Response
452 DOCSIS Registration Acknowledge
453 DOCSIS Registration Requests
454 DOCSIS Registration Responses
455 DOCSIS Upstream Bandwidth Allocation
456 DOCSIS Upstream Channel Change Request
457 DOCSIS Upstream Channel Change Response
458 DOCSIS Upstream Channel Descriptor
459 DOCSIS Upstream Channel Descriptor Type 29
460 DOCSIS Vendor Specific Endodings
463 Data Stream Interface
464 Datagram Delivery Protocol
465 Decompressed SigComp message as raw text
467 Digital Audio Access Protocol
468 Distance Vector Multicast Routing Protocol
469 Distcc Distributed Compiler
470 Distributed Checksum Clearinghouse Protocol
471 Distributed Network Protocol 3.0
473 Dynamic DNS Tools Protocol
476 Encapsulating Security Payload
477 Endpoint Name Resolution Protocol
478 Enhanced Interior Gateway Routing Protocol
479 EtherNet/IP (Industrial Protocol)
483 Extended Security Services
484 Extensible Authentication Protocol
486 FC Fabric Configuration Server
490 Fiber Distributed Data Interface
492 Fibre Channel Common Transport
493 Fibre Channel Fabric Zone Server
494 Fibre Channel Name Server
495 Fibre Channel Protocol for SCSI
497 Fibre Channel Security Protocol
498 Fibre Channel Single Byte Command
499 File Transfer Protocol (FTP)
500 Financial Information eXchange Protocol
503 GARP Multicast Registration Protocol
504 GARP VLAN Registration Protocol
506 GPRS Tunneling Protocol
510 GSM SMS TPDU (GSM 03.40)
511 GSM Short Message Service User Data
512 GSM_MobileAPplication
513 General Inter-ORB Protocol
514 Generic Routing Encapsulation
515 Generic Security Service Application Program Interface
519 H235-SECURITY-MESSAGES
522 HP Extended Local-Link Control
523 HP Remote Maintenance Protocol
524 Hummingbird NFS Daemon
526 Hypertext Transfer Protocol
528 IEEE 802.11 Radiotap Capture header
529 IEEE 802.11 wireless LAN
530 IEEE 802.11 wireless LAN management frame
532 IP Device Control (SS7 over IP)
534 IP Payload Compression
535 IP Virtual Services Sync Daemon
537 IPX Routing Information Protocol
539 IRemUnknown IRemUnknown Resolver
540 IRemUnknown2 IRemUnknown2 Resolver
542 ISDN Q.921-User Adaptation Layer
544 ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
545 ISO 8073 COTP Connection-Oriented Transport Protocol
546 ISO 8327-1 OSI Session Protocol
547 ISO 8473 CLNP ConnectionLess Network Protocol
548 ISO 8602 CLTP ConnectionLess Transport Protocol
549 ISO 8823 OSI Presentation Protocol
550 ISO 9542 ESIS Routeing Information Exchange Protocol
551 ISystemActivator ISystemActivator Resolver
553 ITU-T Recommendation H.261
554 ITU-T Recommendation H.263 RTP Payload header (RFC2190)
556 Information Access Protocol
558 Intelligent Platform Management Interface
559 Inter-Access-Point Protocol
560 Inter-Asterisk eXchange v2
561 InterSwitch Message Protocol
563 Internet Cache Protocol
564 Internet Communications Engine Protocol
565 Internet Content Adaptation Protocol
566 Internet Control Message Protocol
567 Internet Control Message Protocol v6
568 Internet Group Management Protocol
569 Internet Group membership Authentication Protocol
570 Internet Message Access Protocol
571 Internet Printing Protocol
573 Internet Protocol Version 6
575 Internet Security Association and Key Management Protocol
576 Internetwork Packet eXchange
578 IrDA Link Access Protocol
579 IrDA Link Management Protocol
580 JPEG File Interchange Format
585 Kerberos Administration
589 LWAPP Encapsulated Packet
591 Label Distribution Protocol
593 Layer 2 Tunneling Protocol
594 Light Weight DNS RESolver (BIND9)
595 Lightweight Directory Access Protocol
596 Line Printer Daemon Protocol
598 Link Access Procedure Balanced (LAPB)
599 Link Access Procedure Balanced Ethernet (LAPBETHER)
600 Link Access Procedure, Channel D (LAPD)
601 Link Aggregation Control Protocol
602 Link Management Protocol (LMP)
603 Linux cooked-mode capture
604 Local Management Interface
605 LocalTalk Link Access Protocol
607 Logical Link Control GPRS
609 Logotype Certificate Extensions
610 Lucent/Ascend debug output
615 MIME Multipart Media Encapsulation
616 MMS Message Encapsulation
619 MSN Messenger Service
620 MSNIP: Multicast Source Notification of Interest Protocol
621 MTP 2 Transparent Proxy
622 MTP 2 User Adaptation Layer
623 MTP 3 User Adaptation Layer
624 MTP2 Peer Adaptation Layer
625 Media Gateway Control Protocol
627 Media Type: message/http
628 Message Transfer Part Level 2
629 Message Transfer Part Level 3
630 Message Transfer Part Level 3 Management
631 Microsoft Directory Replication Service
632 Microsoft Distributed File System
633 Microsoft Distributed Link Tracking Server Service
634 Microsoft Encrypted File System Service
635 Microsoft Eventlog Service
636 Microsoft Exchange MAPI
637 Microsoft File Replication Service
638 Microsoft File Replication Service API
639 Microsoft Local Security Architecture
640 Microsoft Local Security Architecture (Directory Services)
641 Microsoft Messenger Service
642 Microsoft Network Logon
644 Microsoft Security Account Manager
645 Microsoft Server Service
646 Microsoft Service Control
647 Microsoft Spool Subsystem
648 Microsoft Task Scheduler Service
649 Microsoft Telephony API Service
650 Microsoft Windows Browser Protocol
651 Microsoft Windows Lanman Remote API Protocol
652 Microsoft Windows Logon Protocol
653 Microsoft Workstation Service
658 MultiProtocol Label Switching Header
659 Multicast Router DISCovery protocol
660 Multicast Source Discovery Protocol
661 Multiprotocol Label Switching Echo
668 NTLM Secure Service Provider
669 Name Binding Protocol
670 Name Management Protocol over IPX
672 NetBIOS Datagram Service
674 NetBIOS Session Service
676 NetScape Certificate Extensions
677 NetWare Core Protocol
678 NetWare Link Services Protocol
679 NetWare Serialization Protocol
680 Network Data Management Protocol
682 Network Lock Manager Protocol
683 Network News Transfer Protocol
684 Network Service Over IP
685 Network Status Monitor CallBack Protocol
686 Network Status Monitor Protocol
687 Network Time Protocol
689 Novell Distributed Print System
690 Novell Modular Authentication Service
692 OSI ISO 8571 FTAM Protocol
693 OSI ISO/IEC 10035-1 ACSE Protocol
694 Online Certificate Status Protocol
695 Open Policy Service Interface
696 Open Shortest Path First
697 OpenBSD Encapsulating device
698 OpenBSD Packet Filter log file
699 OpenBSD Packet Filter log file, pre 3.4
700 Optimized Link State Routing Protocol
704 PKIX CERT File Format
706 PKIX Time Stamp Protocol
711 PPP Bandwidth Allocation Control Protocol
712 PPP Bandwidth Allocation Protocol
713 PPP CDP Control Protocol
714 PPP Callback Control Protocol
715 PPP Challenge Handshake Authentication Protocol
716 PPP Compressed Datagram
717 PPP Compression Control Protocol
718 PPP IP Control Protocol
719 PPP IPv6 Control Protocol
720 PPP Link Control Protocol
721 PPP MPLS Control Protocol
722 PPP Multilink Protocol
724 PPP OSI Control Protocol
725 PPP Password Authentication Protocol
727 PPP-over-Ethernet Discovery
728 PPP-over-Ethernet Session
729 PPPMux Control Protocol
732 PROFINET Real-Time Protocol
733 Packed Encoding Rules (ASN.1 X.691)
734 Packet Cable Lawful Intercept
736 Point-to-Point Protocol
737 Point-to-Point Tunnelling Protocol
738 Port Aggregation Protocol
741 Pragmatic General Multicast
742 Precision Time Protocol (IEEE1588)
744 Privilege Server operations
745 Protocol Independent Multicast
749 Quake II Network Protocol
750 Quake III Arena Network Protocol
751 Quake Network Protocol
752 QuakeWorld Network Protocol
753 Qualified Logical Link Control
759 RS Interface properties
761 RSYNC File Synchroniser
764 Radio Access Network Application Part
767 Real Time Streaming Protocol
768 Real-Time Media Access Control
769 Real-Time Publish-Subscribe Wire Protocol
770 Real-Time Transport Protocol
771 Real-time Transport Control Protocol
772 Redundant Link Management Protocol
773 Registry Server Attributes Manipulation Interface
774 Registry server administration operations.
776 Remote Management Control Protocol
777 Remote Override interface
778 Remote Procedure Call
784 Remote sec_login preauth interface.
785 Resource ReserVation Protocol (RSVP)
787 Routing Information Protocol
788 Routing Table Maintenance Protocol
791 SEBEK - Kernel Data Capture
793 SMB (Server Message Block Protocol)
794 SMB MailSlot Protocol
797 SNMP Multiplex Protocol
800 SS7 SCCP-User Adaptation Layer
805 Sequenced Packet eXchange
807 Service Advertisement Protocol
808 Service Location Protocol
809 Session Announcement Protocol
810 Session Description Protocol
811 Session Initiation Protocol
812 Session Initiation Protocol (SIP as raw text)
813 Short Message Peer to Peer
814 Short Message Relaying Service
815 Signaling Compression
816 Signalling Connection Control Part
817 Signalling Connection Control Part Management
818 Simple Mail Transfer Protocol
819 Simple Network Management Protocol
820 Simple Traversal of UDP Through NAT
823 Skinny Client Control Protocol
824 SliMP3 Communication Protocol
827 Spanning Tree Protocol
829 Stream Control Transmission Protocol
830 Subnetwork Dependent Convergence Protocol
831 Symantec Enterprise Firewall
832 Synchronous Data Link Control (SDLC)
834 Systems Network Architecture
835 Systems Network Architecture XID
839 TDMA RTmac Discipline
840 TEI Management Procedure, Channel D (LAPD)
843 Tazmen Sniffer Protocol
845 Teredo IPv6 over UDP tunneling
847 Time Synchronization Protocol
848 Tiny Transport Protocol
850 Token-Ring Media Access Control
851 Transaction Capabilities Application Part
852 Transmission Control Protocol
853 Transparent Network Substrate Protocol
854 Transport Adapter Layer Interface v1.0, RFC 3094
855 Trivial File Transfer Protocol
856 UDP Encapsulation of IPsec Packets
857 Universal Computer Protocol
858 User Datagram Protocol
859 V5.2-User Adaptation Layer
860 Virtual Router Redundancy Protocol
861 Virtual Trunking Protocol
863 WAP Session Initiation Request
864 Web Cache Coordination Protocol
866 WebSphere MQ Programmable Command Formats
867 Wellfleet Breath of Life
868 Wellfleet Compression
872 Wireless Session Protocol
873 Wireless Transaction Protocol
874 Wireless Transport Layer Security
875 X Display Manager Control Protocol
879 X.509 Authentication Framework
880 X.509 Certificate Extensions
881 X.509 Information Framework
882 X.509 Selected Attribute Types
886 Yahoo Messenger Protocol
887 Yahoo YMSG Messenger Protocol
891 Yellow Pages Transfer
893 Zone Information Protocol
895 giFT Internet File Transfer
899 Q 1.6: Are there any plans to support {your favorite protocol}?
901 A: Support for particular protocols is added to Ethereal as a result
902 of people contributing that support; no formal plans for adding
903 support for particular protocols in particular future releases exist.
905 Q 1.7: Can Ethereal read capture files from {your favorite network
908 A: Support for particular protocols is added to Ethereal as a result
909 of people contributing that support; no formal plans for adding
910 support for particular protocols in particular future releases exist.
912 If a network analyzer writes out files in a format already supported
913 by Ethereal (e.g., in libpcap format), Ethereal may already be able to
914 read them, unless the analyzer has added its own proprietary
915 extensions to that format.
917 If a network analyzer writes out files in its own format, or has added
918 proprietary extensions to another format, in order to make Ethereal
919 read captures from that network analyzer, we would either have to have
920 a specification for the file format, or the extensions, sufficient to
921 give us enough information to read the parts of the file relevant to
922 Ethereal, or would need at least one capture file in that format AND a
923 detailed textual analysis of the packets in that capture file (showing
924 packet time stamps, packet lengths, and the top-level packet header)
925 in order to reverse-engineer the file format.
927 Note that there is no guarantee that we will be able to
928 reverse-engineer a capture file format.
930 Q 1.8: What devices can Ethereal use to capture packets?
932 A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial
933 (PPP and SLIP) (if the OS on which it's running allows Ethereal to do
934 so), 802.11 wireless LAN (if the OS on which it's running allows
935 Ethereal to do so), ATM connections (if the OS on which it's running
936 allows Ethereal to do so), and the "any" device supported on Linux by
937 recent versions of libpcap. See the list of supported capture media on
938 various OSes for details (several items in there say "Unknown", which
939 doesn't mean "Ethereal can't capture on them", it means "we don't know
940 whether it can capture on them"; we expect that it will be able to
941 capture on many of them, but we haven't tried it ourselves - if you
942 try one of those types and it works, please send an update to
943 ethereal-web[AT]ethereal.com ).
945 It can also read a variety of capture file formats, including:
946 * AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet
948 * AIX's iptrace captures
949 * Accellent's 5Views LAN agent output
950 * Cinco Networks NetXRay captures
951 * Cisco Secure Intrusion Detection System IPLog output
952 * CoSine L2 debug output
953 * DBS Etherwatch VMS text output
954 * Endace Measurement Systems' ERF format captures
955 * EyeSDN USB S0 traces
956 * HP-UX nettl captures
957 * ISDN4BSD project i4btrace captures
958 * Linux Bluez Bluetooth stack hcidump -w traces
959 * Lucent/Ascend router debug output
960 * Microsoft Network Monitor captures
961 * Network Associates Windows-based Sniffer captures
962 * Network General/Network Associates DOS-based Sniffer (compressed
963 or uncompressed) captures
964 * Network Instruments Observer version 9 captures
965 * Novell LANalyzer captures
966 * RADCOM's WAN/LAN analyzer captures
967 * Shomiti/Finisar Surveyor captures
968 * Toshiba's ISDN routers dump output
969 * VMS TCPIPtrace/TCPtrace/UCX$TRACE output
970 * Visual Networks' Visual UpTime traffic capture
971 * libpcap, tcpdump and various other tools using tcpdump's capture
973 * snoop and atmsnoop output
975 so that it can read traces from various network types, as captured by
976 other applications or equipment, even if it cannot itself capture on
979 Q 1.9: How do you pronounce Ethereal? Where did the name come from?
981 A: The English pronunciation can be found in Merriam-Webster's online
983 http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.
985 According to the book "Computer Networks" by Andrew Tannenbaum,
986 Ethernet was named after the "luminiferous ether" which was once
987 thought to carry electromagnetic radiation. Taking that into
988 consideration, Ethereal seemed like an appropriate name for something
989 that started out as an Ethernet analyzer.
993 Q 2.1: I downloaded the Win32 installer, but when I try to run it, I
996 A: The program you used to download it may have downloaded it
997 incorrectly. Web browsers sometimes may do this.
999 Try downloading it with, for example:
1000 * Wget, for which Windows binaries are available on the SunSITE FTP
1001 server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI
1002 offers a GUI interface that uses wget;
1003 * WS_FTP from Ipswitch,
1004 * the ftp command that comes with Windows.
1006 If you use the ftp command, make sure you do the transfer in binary
1007 mode rather than ASCII mode, by using the binary command before
1008 transferring the file.
1010 Q 2.2: When I try to download the WinPcap driver and library, I can't
1011 get to the WinPcap Web site.
1013 A: As is the case with all Web sites, that site won't necessarily
1014 always be accessible; the server may be down due to a problem or down
1015 for maintenance, or there may be a networking problem between you and
1016 the server. You should try again later, or try the local mirror or the
1017 Wiretapped.net mirror.
1021 Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
1022 installed; only Tethereal is installed.
1024 A: Older versions of the Red Hat RPMs for Ethereal put only the
1025 non-GUI components into the ethereal RPM, the fact that Ethereal is a
1026 GUI program nonwithstanding; newer versions make it a bit clearer by
1027 giving that RPM a name starting with ethereal-base.
1029 In those older versions, there's a separate ethereal-gnome RPM that
1030 includes GUI components such as Ethereal itself, the fact that
1031 Ethereal doesn't use GNOME nonwithstanding; newer versions make it a
1032 bit clearer by giving that RPM a name starting with ethereal-gtk+.
1034 Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.
1038 Q 4.1: The configure script can't find pcap.h or bpf.h, but I have
1041 A: Are you sure pcap.h and bpf.h are installed? The official
1042 distribution of libpcap only installs the libpcap.a library file when
1043 "make install" is run. To install pcap.h and bpf.h, you must run "make
1044 install-incl". If you're running Debian or Redhat, make sure you have
1045 the "libpcap-dev" or "libpcap-devel" packages installed.
1047 It's also possible that pcap.h and bpf.h have been installed in a
1048 strange location. If this is the case, you may have to tweak
1051 Q 4.2: Why do I get the error
1053 dftest_DEPENDENCIES was already defined in condition TRUE, which
1054 implies condition HAVE_PLUGINS_TRUE
1056 when I try to build Ethereal from SVN or a SVN snapshot?
1058 A: You probably have automake 1.5 installed on your machine (the
1059 command automake --version will report the version of automake on your
1060 machine). There is a bug in that version of automake that causes this
1061 problem; upgrade to a later version of automake (1.6 or later).
1063 Q 4.3: The link fails with a number of "Output line too long."
1064 messages followed by linker errors.
1066 A: The version of the sed command on your system is incapable of
1067 handling very long lines. On Solaris, for example, /usr/bin/sed has a
1068 line length limit too low to allow libtool to work; /usr/xpg4/bin/sed
1069 can handle it, as can GNU sed if you have it installed.
1071 On Solaris, changing your command search path to search /usr/xpg4/bin
1072 before /usr/bin should make the problem go away; on any platform on
1073 which you have this problem, installing GNU sed and changing your
1074 command path to search the directory in which it is installed before
1075 searching the directory with the version of sed that came with the OS
1076 should make the problem go away.
1078 Q 4.4: The link fails on Solaris because plugin_list is undefined.
1080 A: This appears to be due to a problem with some versions of the GTK+
1081 and GLib packages from www.sunfreeware.org; un-install those packages,
1082 and try getting the 1.2.10 versions from that site, or the versions
1083 from The Written Word, or the versions from Sun's GNOME distribution,
1084 or the versions from the supplemental software CD that comes with the
1085 Solaris media kit, or build them from source from the GTK Web site.
1086 Then re-run the configuration script, and try rebuilding Ethereal. (If
1087 you get the 1.2.10 versions from www.sunfreeware.org, and the problem
1088 persists, un-install them and try installing one of the other versions
1091 Q 4.5: The build fails on Windows because of conflicts between
1092 winsock.h and winsock2.h.
1094 A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and
1095 the corresponding version of the developer's pack, in order to be able
1096 to compile Ethereal; it will not compile with older versions of the
1097 developer's pack. The symptoms of this failure are conflicts between
1098 definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h,
1099 but pre-2.3 versions of the WinPcap developer's packet use winsock.h.
1100 (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would
1101 not be able to build with current versions of the WinPcap developer's
1104 Note that the installed version of the developer's pack should be the
1105 same version as the version of WinPcap you have installed.
1109 Q 5.1: When I use Ethereal to capture packets, I see only packets to
1110 and from my machine, or I'm not seeing all the traffic I'm expecting
1111 to see from or to the machine I'm trying to monitor.
1113 A: This might be because the interface on which you're capturing is
1114 plugged into a switch; on a switched network, unicast traffic between
1115 two ports will not necessarily appear on other ports - only broadcast
1116 and multicast traffic will be sent to all ports.
1118 Note that even if your machine is plugged into a hub, the "hub" may be
1119 a switched hub, in which case you're still on a switched network.
1121 Note also that on the Linksys Web site, they say that their
1122 auto-sensing hubs "broadcast the 10Mb packets to the port that operate
1123 at 10Mb only and broadcast the 100Mb packets to the ports that operate
1124 at 100Mb only", which would indicate that if you sniff on a 10Mb port,
1125 you will not see traffic coming sent to a 100Mb port, and vice versa.
1126 This problem has also been reported for Netgear dual-speed hubs, and
1127 may exist for other "auto-sensing" or "dual-speed" hubs.
1129 Some switches have the ability to replicate all traffic on all ports
1130 to a single port so that you can plug your analyzer into that single
1131 port to sniff all traffic. You would have to check the documentation
1132 for the switch to see if this is possible and, if so, to see how to do
1133 this. See the switch reference page on the Ethereal Wiki for
1134 information on some switches. (Note that it's a Wiki, so you can
1135 update or fix that information, or add additional information on those
1136 switches or information on new switches, yourself.)
1138 Note also that many firewall/NAT boxes have a switch built into them;
1139 this includes many of the "cable/DSL router" boxes. If you have a box
1140 of that sort, that has a switch with some number of Ethernet ports
1141 into which you plug machines on your network, and another Ethernet
1142 port used to connect to a cable or DSL modem, you can, at least, sniff
1143 traffic between the machines on your network and the Internet by
1144 plugging the Ethernet port on the router going to the modem, the
1145 Ethernet port on the modem, and the machine on which you're running
1146 Ethereal into a hub (make sure it's not a switching hub, and that, if
1147 it's a dual-speed hub, all three of those ports are running at the
1150 If your machine is not plugged into a switched network or a dual-speed
1151 hub, or it is plugged into a switched network but the port is set up
1152 to have all traffic replicated to it, the problem might be that the
1153 network interface on which you're capturing doesn't support
1154 "promiscuous" mode, or because your OS can't put the interface into
1155 promiscuous mode. Normally, network interfaces supply to the host
1157 * packets sent to one of that host's link-layer addresses;
1158 * broadcast packets;
1159 * multicast packets sent to a multicast address that the host has
1160 configured the interface to accept.
1162 Most network interfaces can also be put in "promiscuous" mode, in
1163 which they supply to the host all network packets they see. Ethereal
1164 will try to put the interface on which it's capturing into promiscuous
1165 mode unless the "Capture packets in promiscuous mode" option is turned
1166 off in the "Capture Options" dialog box, and Tethereal will try to put
1167 the interface on which it's capturing into promiscuous mode unless the
1168 -p option was specified. However, some network interfaces don't
1169 support promiscuous mode, and some OSes might not allow interfaces to
1170 be put into promiscuous mode.
1172 If the interface is not running in promiscuous mode, it won't see any
1173 traffic that isn't intended to be seen by your machine. It will see
1174 broadcast packets, and multicast packets sent to a multicast MAC
1175 address the interface is set up to receive.
1177 You should ask the vendor of your network interface whether it
1178 supports promiscuous mode. If it does, you should ask whoever supplied
1179 the driver for the interface (the vendor, or the supplier of the OS
1180 you're running on your machine) whether it supports promiscuous mode
1181 with that network interface.
1183 In the case of token ring interfaces, the drivers for some of them, on
1184 Windows, may require you to enable promiscuous mode in order to
1185 capture in promiscuous mode. Ask the vendor of the card how to do
1186 this, or see, for example, this information on promiscuous mode on
1187 some Madge token ring adapters (note that those cards can have
1188 promiscuous mode disabled permanently, in which case you can't enable
1191 In the case of wireless LAN interfaces, it appears that, when those
1192 interfaces are promiscuously sniffing, they're running in a
1193 significantly different mode from the mode that they run in when
1194 they're just acting as network interfaces (to the extent that it would
1195 be a significant effor for those drivers to support for promiscuously
1196 sniffing and acting as regular network interfaces at the same time),
1197 so it may be that Windows drivers for those interfaces don't support
1200 Q 5.2: I can't see any TCP packets other than packets to and from my
1201 machine, even though another analyzer on the network sees those
1204 A: You're probably not seeing any packets other than unicast packets
1205 to or from your machine, and broadcast and multicast packets; a switch
1206 will normally send to a port only unicast traffic sent to the MAC
1207 address for the interface on that port, and broadcast and multicast
1208 traffic - it won't send to that port unicast traffic sent to a MAC
1209 address for some other interface - and a network interface not in
1210 promiscuous mode will receive only unicast traffic sent to the MAC
1211 address for that interface, broadcast traffic, and multicast traffic
1212 sent to a multicast MAC address the interface is set up to receive.
1214 TCP doesn't use broadcast or multicast, so you will only see your own
1215 TCP traffic, but UDP services may use broadcast or multicast so you'll
1216 see some UDP traffic - however, this is not a problem with TCP
1217 traffic, it's a problem with unicast traffic, as you also won't see
1218 all UDP traffic between other machines.
1220 I.e., this is probably the same question as this earlier one; see the
1221 response to that question.
1223 Q 5.3: I'm only seeing ARP packets when I try to capture traffic.
1225 A: You're probably on a switched network, and running Ethereal on a
1226 machine that's not sending traffic to the switch and not being sent
1227 any traffic from other machines on the switch. ARP packets are often
1228 broadcast packets, which are sent to all switch ports.
1230 I.e., this is probably the same question as this earlier one; see the
1231 response to that question.
1233 Q 5.4: I'm running Ethereal on Windows; why does some network
1234 interface on my machine not show up in the list of interfaces in the
1235 "Interface:" field in the dialog box popped up by "Capture->Start",
1236 and/or why does Ethereal give me an error if I try to capture on that
1239 A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
1240 Windows XP, or Windows Server, and this is the first time you have run
1241 a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,
1242 or Analyzer, or...) since the machine was rebooted, you need to run
1243 that program from an account with administrator privileges; once you
1244 have run such a program, you will not need administrator privileges to
1245 run any such programs until you reboot.
1247 If you are running on Windows 95/98/Me, or if you are running on
1248 Windows NT 4.0/2000/XP/Server and have administrator privileges or a
1249 WinPcap-based program has been run with those privileges since the
1250 machine rebooted, then note that Ethereal relies on the WinPcap
1251 library, on the WinPcap device driver, and on the facilities that come
1252 with the OS on which it's running in order to do captures.
1254 Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
1255 support capturing on a particular network interface device, Ethereal
1256 won't be able to capture on that device.
1259 1. 2.02 and earlier versions of the WinPcap driver and library that
1260 Ethereal uses for packet capture didn't support Token Ring
1261 interfaces; versions 2.1 and later support Token Ring, and the
1262 current version of Ethereal works with (and, in fact, requires)
1263 WinPcap 2.1 or later.
1264 If you are having problems capturing on Token Ring interfaces, and
1265 you have WinPcap 2.02 or an earlier version of WinPcap installed,
1266 you should uninstall WinPcap, download and install the current
1267 version of WinPcap, and then install the latest version of
1269 2. On Windows 95, 98, or Me, sometimes more than one interface will
1270 be given the same name; if that is the case, you will only be able
1271 to capture on one of those interfaces - it's not clear to which
1272 one the name, when used in a WinPcap-based application, will
1273 refer. For example, if you have a PPP serial interface and a VPN
1274 interface, they might show up with the same name, for example
1275 "ppp-mac", and if you try to capture on "ppp-mac", it might not
1276 capture on the interface you're currently using. In that case, you
1277 might, for example, have to remove the VPN interface from the
1278 system in order to capture on the PPP serial interface.
1279 3. WinPcap 3.0 doesn't support PPP WAN interfaces, and WinPcap 2.3
1280 doesn't support PPP WAN interfaces on Windows NT/2000/XP/Server,
1281 so Ethereal cannot capture packets on those devices with WinPcap
1282 3.0, or with WInPcap 2.x when running on Windows
1283 NT/2000/XP/Server. Regular dial-up lines, ISDN lines, and various
1284 other lines such as T1/E1 lines are all PPP interfaces. This may
1285 cause the interface not to show up on the list of interfaces in
1286 the "Capture Options" dialog.
1287 4. WinPcap prior to 3.0 does not support multiprocessor machines
1288 (note that machines with a single multi-threaded processor, such
1289 as Intel's new multi-threaded x86 processors, are multiprocessor
1290 machines as far as the OS and WinPcap are concerned), and recent
1291 2.x versions of WinPcap refuse to operate if they detect that
1292 they're running on a multiprocessor machine, which means that they
1293 may not show any network interfaces. You will need to use WinPcap
1294 3.0 to capture on a multiprocessor machine.
1296 If an interface doesn't show up in the list of interfaces in the
1297 "Interface:" field, and you know the name of the interface, try
1298 entering that name in the "Interface:" field and capturing on that
1301 If the attempt to capture on it succeeds, the interface is somehow not
1302 being reported by the mechanism Ethereal uses to get a list of
1303 interfaces. Try listing the interfaces with WinDump; see the WinDump
1304 Web site or the local mirror of the WinDump Web site for information
1307 You would run WinDump with the -D flag; if it lists the interface,
1308 please report this to ethereal-dev@ethereal.com giving full details of
1309 the problem, including
1310 * the operating system you're using, and the version of that
1312 * the type of network device you're using;
1313 * the output of WinDump.
1315 If WinDump does not list the interface, this is almost certainly a
1316 problem with one or more of:
1317 * the operating system you're using;
1318 * the device driver for the interface you're using;
1319 * the WinPcap library and/or the WinPcap device driver;
1321 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1322 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1323 there. If not, then see the WinPcap support page (or the local mirror
1324 of that page) - check the "Submitting bugs" section.
1326 If you are having trouble capturing on a particular network interface,
1327 first try capturing on that device with WinDump; see the WinDump Web
1328 site or the local mirror of the WinDump Web site for information on
1331 If you can capture on the interface with WinDump, send mail to
1332 ethereal-users@ethereal.com giving full details of the problem,
1334 * the operating system you're using, and the version of that
1336 * the type of network device you're using;
1337 * the error message you get from Ethereal.
1339 If you cannot capture on the interface with WinDump, this is almost
1340 certainly a problem with one or more of:
1341 * the operating system you're using;
1342 * the device driver for the interface you're using;
1343 * the WinPcap library and/or the WinPcap device driver;
1345 so first check the WinPcap FAQ, the local mirror of that FAQ, or the
1346 Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
1347 there. If not, then see the WinPcap support page (or the local mirror
1348 of that page) - check the "Submitting bugs" section.
1350 You may also want to ask the ethereal-users@ethereal.com and the
1351 winpcap-users@winpcap.polito.it mailing lists to see if anybody
1352 happens to know about the problem and know a workaround or fix for the
1353 problem. (Note that you will have to subscribe to that list in order
1354 to be allowed to mail to it; see the WinPcap support page, or the
1355 local mirror of that page, for information on the mailing list.) In
1356 your mail, please give full details of the problem, as described
1357 above, and also indicate that the problem occurs with WinDump, not
1360 Q 5.5: I'm running Ethereal on Windows; why do no network interfaces
1361 show up in the list of interfaces in the "Interface:" field in the
1362 dialog box popped up by "Capture->Start"?
1364 A: This is really the same question as the previous one; see the
1365 response to that question.
1367 Q 5.6: I'm running Ethereal on Windows; why doesn't my serial
1368 port/ADSL modem/ISDN modem/show up in the list of interfaces in the
1369 "Interface:" field in the dialog box popped up by "Capture->Start"?
1371 A: All of those devices support Internet access using the
1372 Point-to-Point (PPP) protocol; WinPcap 3.0 doesn't support PPP
1373 interfaces, and WinPcap 2.x doesn't support PPP interfaces on Windows
1374 NT/2000/XP/Server, so Ethereal cannot capture packets on those devices
1375 with WinPcap 3.0, or with WinPcap 2.x when running on Windows
1376 NT/2000/XP/Server. This may cause the interface not to show up on the
1377 list of interfaces in the "Capture Options" dialog.
1379 Q 5.7: I'm running Ethereal on a UNIX-flavored OS; why does some
1380 network interface on my machine not show up in the list of interfaces
1381 in the "Interface:" field in the dialog box popped up by
1382 "Capture->Start", and/or why does Ethereal give me an error if I try
1383 to capture on that interface?
1385 A: You may need to run Ethereal from an account with sufficient
1386 privileges to capture packets, such as the super-user account. Only
1387 those interfaces that Ethereal can open for capturing show up in that
1388 list; if you don't have sufficient privileges to capture on any
1389 interfaces, no interfaces will show up in the list.
1391 If you are running Ethereal from an account with sufficient
1392 privileges, then note that Ethereal relies on the libpcap library, and
1393 on the facilities that come with the OS on which it's running in order
1396 Therefore, if the OS or the libpcap library don't support capturing on
1397 a particular network interface device, Ethereal won't be able to
1398 capture on that device.
1400 On Linux, note that you need to have "packet socket" support enabled
1401 in your kernel; see the "Packet socket" item in the Linux
1402 "Configure.help" file.
1404 On BSD, note that you need to have BPF support enabled in your kernel;
1405 see the documentation for your system for information on how to enable
1406 BPF support (if it's not enabled by default on your system).
1408 On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
1409 packet filtering support in your kernel; the doconfig command will
1410 allow you to configure and build a new kernel with that option.
1412 On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
1413 Ring interfaces; the current version, 0.7.2, does support Token Ring,
1414 and the current version of Ethereal works with libcap 0.7.2 and later.
1416 If an interface doesn't show up in the list of interfaces in the
1417 "Interface:" field, and you know the name of the interface, try
1418 entering that name in the "Interface:" field and capturing on that
1421 If the attempt to capture on it succeeds, the interface is somehow not
1422 being reported by the mechanism Ethereal uses to get a list of
1423 interfaces; please report this to ethereal-dev@ethereal.com giving
1424 full details of the problem, including
1425 * the operating system you're using, and the version of that
1426 operating system (for Linux, give both the version number of the
1427 kernel and the name and version number of the distribution you're
1429 * the type of network device you're using.
1431 If you are having trouble capturing on a particular network interface,
1432 and you've made sure that (on platforms that require it) you've
1433 arranged that packet capture support is present, as per the above,
1434 first try capturing on that device with tcpdump.
1436 If you can capture on the interface with tcpdump, send mail to
1437 ethereal-users@ethereal.com giving full details of the problem,
1439 * the operating system you're using, and the version of that
1440 operating system (for Linux, give both the version number of the
1441 kernel and the name and version number of the distribution you're
1443 * the type of network device you're using;
1444 * the error message you get from Ethereal.
1446 If you cannot capture on the interface with tcpdump, this is almost
1447 certainly a problem with one or more of:
1448 * the operating system you're using;
1449 * the device driver for the interface you're using;
1450 * the libpcap library;
1452 so you should report the problem to the company or organization that
1453 produces the OS (in the case of a Linux distribution, report the
1454 problem to whoever produces the distribution).
1456 You may also want to ask the ethereal-users@ethereal.com and the
1457 tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
1458 know about the problem and know a workaround or fix for the problem.
1459 In your mail, please give full details of the problem, as described
1460 above, and also indicate that the problem occurs with tcpdump not just
1463 Q 5.8: I'm running Ethereal on a UNIX-flavored OS; why do no network
1464 interfaces show up in the list of interfaces in the "Interface:" field
1465 in the dialog box popped up by "Capture->Start"?
1467 A: This is really the same question as the previous one; see the
1468 response to that question.
1470 Q 5.9: Can Ethereal capture on (my T1/E1 line, SS7 links, etc.)?
1472 A: Ethereal can only capture on devices supported by libpcap/WinPcap.
1473 On most OSes, only devices that can act as network interfaces of the
1474 type that support IP are supported as capture devices for
1475 libpcap/WinPcap, although the device doesn't necessarily have to be
1476 running as an IP interface in order to support traffic capture.
1478 On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace
1479 Measurement Systems' DAG cards, so that a system with one of those
1480 cards, and its driver and libraries, installed can capture traffic
1481 with those cards with libpcap-based applications. You would either
1482 have to have a version of Ethereal built with that version of libpcap,
1483 or a dynamically-linked version of Ethereal and a shared libpcap
1484 library with DAG support, in order to do so with Ethereal. You should
1485 ask Endace whether that could be used to capture traffic on, for
1486 example, your T1/E1 link.
1487 There is currently no hardware to support capturing on SS7 links with
1488 libpcap. (Note that the fact that Ethereal includes dissectors for
1489 many SS7 protocols doesn't imply that it can capture traffic from SS7
1490 links; those protocols can be run over Internet protocols.)
1492 Q 5.10: How do I put an interface into promiscuous mode?
1494 A: By not disabling promiscuous mode when running Ethereal or
1497 Note, however, that:
1498 * the form of promiscuous mode that libpcap (the library that
1499 programs such as tcpdump, Ethereal, etc. use to do packet capture)
1500 turns on will not necessarily be shown if you run ifconfig on the
1501 interface on a UNIX system;
1502 * some network interfaces might not support promiscuous mode, and
1503 some drivers might not allow promiscuous mode to be turned on -
1504 see this earlier question for more information on that;
1505 * the fact that you're not seeing any traffic, or are only seeing
1506 broadcast traffic, or aren't seeing any non-broadcast traffic
1507 other than traffic to or from the machine running Ethereal, does
1508 not mean that promiscuous mode isn't on - see this earlier
1509 question for more information on that.
1511 I.e., this is probably the same question as this earlier one; see the
1512 response to that question.
1514 Q 5.11: I can set a display filter just fine, but capture filters
1517 A: Capture filters currently use a different syntax than display
1518 filters. Here's the corresponding section from the ethereal(1) man
1521 "Display filters in Ethereal are very powerful; more fields are
1522 filterable in Ethereal than in other protocol analyzers, and the
1523 syntax you can use to create your filters is richer. As Ethereal
1524 progresses, expect more and more protocol fields to be allowed in
1527 Packet capturing is performed with the pcap library. The capture
1528 filter syntax follows the rules of the pcap library. This syntax is
1529 different from the display filter syntax."
1531 The capture filter syntax used by libpcap can be found in the
1532 tcpdump(8) man page.
1534 Q 5.12: I'm entering valid capture filters, but I still get "parse
1537 A: There is a bug in some versions of libpcap/WinPcap that cause it to
1538 report parse errors even for valid expressions if a previous filter
1539 expression was invalid and got a parse error.
1541 Try exiting and restarting Ethereal; if you are using a version of
1542 libpcap/WinPcap with this bug, this will "erase" its memory of the
1543 previous parse error. If the capture filter that got the "parse error"
1544 now works, the earlier error with that filter was probably due to this
1547 The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of
1548 libpcap have this bug, but 0.6[.x] and later versions don't.
1550 Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of
1551 libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and
1552 doesn't have this bug.
1554 If you are running Ethereal on a UNIX-flavored platform, run "ethereal
1555 -v", or select "About Ethereal..." from the "Help" menu in Ethereal,
1556 to see what version of libpcap it's using. If it's not 0.6 or later,
1557 you will need either to upgrade your OS to get a later version of
1558 libpcap, or will need to build and install a later version of libpcap
1559 from the tcpdump.org Web site and then recompile Ethereal from source
1560 with that later version of libpcap.
1562 If you are running Ethereal on Windows with a pre-2.3 version of
1563 WinPcap, you will need to un-install WinPcap and then download and
1564 install WinPcap 2.3.
1566 Q 5.13: I saved a filter and tried to use its name to filter the
1567 display, but I got an "Unexpected end of filter string" error.
1569 A: You cannot use the name of a saved display filter as a filter. To
1570 filter the display, you can enter a display filter expression - not
1571 the name of a saved display filter - in the "Filter:" box at the
1572 bottom of the display, and type the key or press the "Apply" button
1573 (that does not require you to have a saved filter), or, if you want to
1574 use a saved filter, you can press the "Filter:" button, select the
1575 filter in the dialog box that pops up, and press the "OK" button.
1577 Q 5.14: Why am I seeing lots of packets with incorrect TCP checksums?
1579 A: If the packets that have incorrect TCP checksums are all being sent
1580 by the machine on which Ethereal is running, this is probably because
1581 the network interface on which you're capturing does TCP checksum
1582 offloading. That means that the TCP checksum is added to the packet by
1583 the network interface, not by the OS's TCP/IP stack; when capturing on
1584 an interface, packets being sent by the host on which you're capturing
1585 are directly handed to the capture interface by the OS, which means
1586 that they are handed to the capture interface without a TCP checksum
1587 being added to them.
1589 The only way to prevent this from happening would be to disable TCP
1590 checksum offloading, but
1591 1. that might not even be possible on some OSes;
1592 2. that could reduce networking performance significantly.
1594 However, you can disable the check that Ethereal does of the TCP
1595 checksum, so that it won't report any packets as having TCP checksum
1596 errors, and so that it won't refuse to do TCP reassembly due to a
1597 packet having an incorrect TCP checksum. That can be set as an
1598 Ethereal preference by selecting "Preferences" from the "Edit" menu,
1599 opening up the "Protocols" list in the left-hand pane of the
1600 "Preferences" dialog box, selecting "TCP", from that list, turning off
1601 the "Check the validity of the TCP checksum when possible" option,
1602 clicking "Save" if you want to save that setting in your preference
1603 file, and clicking "OK".
1605 It can also be set on the Ethereal or Tethereal command line with a -o
1606 tcp.check_checksum:false command-line flag, or manually set in your
1607 preferences file by adding a tcp.check_checksum:false line.
1609 Q 5.15: I've just installed Ethereal, and the traffic on my local LAN
1612 A: We have a collection of strange and exotic sample capture files at
1613 http://wiki.ethereal.com/SampleCaptures
1615 Q 5.16: When I run Ethereal on Solaris 8, it dies with a Bus Error
1618 A: Some versions of the GTK+ library from www.sunfreeware.org appear
1619 to be buggy, causing Ethereal to drop core with a Bus Error.
1620 Un-install those packages, and try getting the 1.2.10 version from
1621 that site, or the version from The Written Word, or the version from
1622 Sun's GNOME distribution, or the version from the supplemental
1623 software CD that comes with the Solaris media kit, or build it from
1624 source from the GTK Web site. Update the GLib library to the 1.2.10
1625 version, from the same source, as well. (If you get the 1.2.10
1626 versions from www.sunfreeware.org, and the problem persists,
1627 un-install them and try installing one of the other versions
1630 Similar problems may exist with older versions of GTK+ for earlier
1631 versions of Solaris.
1633 Q 5.17: When I run Ethereal, I get an error
1635 Gtk-CRITICAL **: file gtkwindow.c: line 3107 (gtk_window_resize):
1636 assertion `height > 0' failed.
1638 A: This is a bug in Ethereal 0.10.5 and 0.10.5a, which is fixed in
1639 Ethereal 0.10.6 and later releases.
1641 Q 5.18: When I run Tethereal with the "-x" option, it crashes with an
1644 "** ERROR **: file print.c: line 691 (print_line): should not be
1647 A: This is a bug in Ethereal 0.10.0a, which is fixed in 0.10.1 and
1648 later releases. To work around the bug, don't use "-x" unless you're
1649 also using "-V"; note that "-V" produces a full dissection of each
1650 packet, so you might not want to use it.
1652 Q 5.19: When I run Ethereal on Windows NT, it dies with a Dr. Watson
1653 error, reporting an "Integer division by zero" exception, when I start
1656 A: In at least some case, this appears to be due to using the default
1657 VGA driver; if that's not the correct driver for your video card, try
1658 running the correct driver for your video card.
1660 Q 5.20: When I try to run Ethereal, it complains about
1661 sprint_realloc_objid being undefined.
1663 A: Ethereal can only be linked with version 4.2.2 or later of UCD
1664 SNMP. Your version of Ethereal was dynamically linked with such a
1665 version of UCD SNMP; however, you have an older version of UCD SNMP
1666 installed, which means that when Ethereal is run, it tries to link to
1667 the older version, and fails. You will have to replace that version of
1668 UCD SNMP with version 4.2.2 or a later version.
1670 Q 5.21: I'm running Ethereal on Linux; why do my time stamps have only
1671 100ms resolution, rather than 1us resolution?
1673 A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
1674 get them from the OS kernel, so Ethereal - and any other program using
1675 libpcap, such as tcpdump - is at the mercy of the time stamping code
1676 in the OS for time stamps.
1678 At least on x86-based machines, Linux can get high-resolution time
1679 stamps on newer processors with the Time Stamp Counter (TSC) register;
1680 for example, Intel x86 processors, starting with the Pentium Pro, and
1681 including all x86 processors since then, have had a TSC, and other
1682 vendors probably added the TSC at some point to their families of x86
1685 The Linux kernel must be configured with the CONFIG_X86_TSC option
1686 enabled in order to use the TSC. Make sure this option is enabled in
1689 In addition, some Linux distributions may have bugs in their versions
1690 of the kernel that cause packets not to be given high-resolution time
1691 stamps even if the TSC is enabled. See, for example, bug 61111 for Red
1692 Hat Linux 7.2. If your distribution has a bug such as this, you may
1693 have to run a standard kernel from kernel.org in order to get
1694 high-resolution time stamps.
1696 Q 5.22: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
1697 why are the time stamps on packets wrong?
1699 A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap
1702 Q 5.23: When I try to run Ethereal on Windows, it fails to run because
1703 it can't find packet.dll.
1705 A: In older versions of Ethereal, there were two binary distributions
1706 available for Windows, one that supported capturing packets, and one
1707 that didn't. The version that supported capturing packets required
1708 that you install the WinPcap driver; if you didn't install it, it
1709 would fail to run because it couldn't find packet.dll.
1711 The current version of Ethereal has only one binary distribution for
1712 Windows; that version will check whether WinPcap is installed and, if
1713 it's not, will disable support for packet capture.
1715 The WinPcap driver and libraries can be downloaded from the WinPcap
1716 Web site, the local mirror of the WinPcap Web site, or the
1717 Wiretapped.net mirror of the WinPcap site.
1719 Q 5.24: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
1720 has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
1721 "Interface" item in the "Capture Options" dialog box. Why can no
1722 packets be sent on or received from that network while I'm trying to
1723 capture traffic on that interface?
1725 A: WinPcap doesn't support PPP WAN interfaces on Windows
1726 NT/2000/XP/Server; one symptom that may be seen is that attempts to
1727 capture in promiscuous mode on the interface cause the interface to be
1728 incapable of sending or receiving packets. You can disable promiscuous
1729 mode using the -p command-line flag or the item in the "Capture
1730 Preferences" dialog box, but this may mean that outgoing packets, or
1731 incoming packets, won't be seen in the capture.
1733 Q 5.25: I'm running Ethereal on Windows 95/98/Me, on a machine with
1734 more than one network adapter of the same type; Ethereal shows all of
1735 those adapters with the same name, but I can't use any of those
1736 adapters other than the first one.
1738 A: Unfortunately, Windows 95/98/Me gives the same name to multiple
1739 instances of the type of same network adapter. Therefore, WinPcap
1740 cannot distinguish between them, so a WinPcap-based application can
1741 capture only on the first such interface; Ethereal is a
1742 libpcap/WinPcap-based application.
1744 Q 5.26: I'm running Ethereal on Windows, and I'm not seeing any
1745 traffic being sent by the machine running Ethereal.
1747 A: If you are running some form of VPN client software, it might be
1748 causing this problem; people have seen this problem when they have
1749 Check Point's VPN software installed on their machine. If that's the
1750 cause of the problem, you will have to remove the VPN software in
1751 order to have Ethereal (or any other application using WinPcap) see
1752 outgoing packets; unfortunately, neither we nor the WinPcap developers
1753 know any way to make WinPcap and the VPN software work well together.
1755 Also, some drivers for Windows (especially some wireless network
1756 interface drivers) apparently do not, when running in promiscuous
1757 mode, arrange that outgoing packets are delivered to the software that
1758 requested that the interface run promiscuously; try turning
1759 promiscuous mode off.
1761 Q 5.27: I'm trying to capture traffic but I'm not seeing any.
1763 A: Is the machine running Ethereal sending out any traffic on the
1764 network interface on which you're capturing, or receiving any traffic
1765 on that network, or is there any broadcast traffic on the network or
1766 multicast traffic to a multicast group to which the machine running
1769 If not, this may just be a problem with promiscuous sniffing, either
1770 due to running on a switched network or a dual-speed hub, or due to
1771 problems with the interface not supporting promiscuous mode; see the
1772 response to this earlier question.
1774 Otherwise, on Windows, see the response to this question and, on a
1775 UNIX-flavored OS, see the response to this question.
1777 Q 5.28: I have an XXX network card on my machine; if I try to capture
1778 on it, my machine crashes or resets itself.
1780 A: This is almost certainly a problem with one or more of:
1781 * the operating system you're using;
1782 * the device driver for the interface you're using;
1783 * the libpcap/WinPcap library and, if this is Windows, the WinPcap
1787 * if you are using Windows, see the WinPcap support page (or the
1788 local mirror of that page) - check the "Submitting bugs" section;
1789 * if you are using some Linux distribution, some version of BSD, or
1790 some other UNIX-flavored OS, you should report the problem to the
1791 company or organization that produces the OS (in the case of a
1792 Linux distribution, report the problem to whoever produces the
1795 Q 5.29: My machine crashes or resets itself when I select "Start" from
1796 the "Capture" menu or select "Preferences" from the "Edit" menu.
1798 A: Both of those operations cause Ethereal to try to build a list of
1799 the interfaces that it can open; it does so by getting a list of
1800 interfaces and trying to open them. There is probably an OS, driver,
1801 or, for Windows, WinPcap bug that causes the system to crash when this
1802 happens; see the previous question.
1804 Q 5.30: Does Ethereal work on Windows Me?
1806 A: Yes, but if you want to capture packets, you will need to install
1807 the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
1808 didn't support Windows Me. You should also install the latest version
1809 of Ethereal as well.
1811 Q 5.31: Does Ethereal work on Windows XP?
1813 A: Yes, but if you want to capture packets, you will need to install
1814 the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
1815 didn't support Windows XP.
1817 Q 5.32: Why doesn't Ethereal correctly identify RTP packets? It shows
1820 A: Ethereal can identify a UDP datagram as containing a packet of a
1821 particular protocol running atop UDP only if
1822 1. The protocol in question has a particular standard port number,
1823 and the UDP source or destination port number is that port
1824 2. Packets of that protocol can be identified by looking for a
1825 "signature" of some type in the packet - i.e., some data that, if
1826 Ethereal finds it in some particular part of a packet, means that
1827 the packet is almost certainly a packet of that type.
1828 3. Some other traffic earlier in the capture indicated that, for
1829 example, UDP traffic between two particular addresses and ports
1830 will be RTP traffic.
1832 RTP doesn't have a standard port number, so 1) doesn't work; it
1833 doesn't, as far as I know, have any "signature", so 2) doesn't work.
1835 That leaves 3). If there's RTSP traffic that sets up an RTP session,
1836 then, at least in some cases, the RTSP dissector will set things up so
1837 that subsequent RTP traffic will be identified. Currently, that's the
1838 only place we do that; there may be other places.
1840 However, there will always be places where Ethereal is simply
1841 incapable of deducing that a given UDP flow is RTP; a mechanism would
1842 be needed to allow the user to specify that a given conversation
1843 should be treated as RTP. As of Ethereal 0.8.16, such a mechanism
1844 exists; if you select a UDP or TCP packet, the right mouse button menu
1845 will have a "Decode As..." menu item, which will pop up a dialog box
1846 letting you specify that the source port, the destination port, or
1847 both the source and destination ports of the packet should be
1848 dissected as some particular protocol.
1850 Q 5.33: Why doesn't Ethereal show Yahoo Messenger packets in captures
1851 that contain Yahoo Messenger traffic?
1853 A: Ethereal only recognizes as Yahoo Messenger traffic packets to or
1854 from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
1855 segments that start with the middle of a Yahoo Messenger packet that
1856 takes more than one TCP segment will not be recognized as Yahoo
1857 Messenger packets (even if the TCP segment also contains the beginning
1858 of another Yahoo Messenger packet).
1860 Q 5.34: Why do I get the error
1862 Gdk-ERROR **: Palettized display (256-colour) mode not supported on
1866 when I try to run Ethereal on Windows?
1868 A: Ethereal is built using the GTK+ toolkit, which supports most
1869 UNIX-flavored OSes, and also supports Windows.
1871 Windows versions of Ethereal before 0.9.14 were built with an older
1872 version of that toolkit, which didn't support 256-color mode on
1873 Windows - it required HiColor (16-bit colors) or more.
1875 Windows versions of Ethereal 0.9.14 and later are built with a version
1876 of that toolkit that supports 256-color mode; upgrade to the current
1877 version of Ethereal if you want to run on a display in 256-color mode.
1879 Q 5.35: When I capture on Windows in promiscuous mode, I can see
1880 packets other than those sent to or from my machine; however, those
1881 packets show up with a "Short Frame" indication, unlike packets to or
1882 from my machine. What should I do to arrange that I see those packets
1885 A: In at least some cases, this appears to be the result of PGPnet
1886 running on the network interface on which you're capturing; turn it
1887 off on that interface.
1889 Q 5.36: I'm capturing packets on a machine on a VLAN; why don't the
1890 packets I'm capturing have VLAN tags?
1892 A: You might be capturing on what might be called a "VLAN interface" -
1893 the way a particular OS makes VLANs plug into the networking stack
1894 might, for example, be to have a network device object for the
1895 physical interface, which takes VLAN packets, strips off the VLAN
1896 header and constructs an Ethernet header, and passes that packet to an
1897 internal network device object for the VLAN, which then passes the
1898 packets onto various higher-level protocol implementations.
1900 In order to see the raw Ethernet packets, rather than "de-VLANized"
1901 packets, you would have to capture not on the virtual interface for
1902 the VLAN, but on the interface corresponding to the physical network
1903 device, if possible.
1905 Q 5.37: How can I capture raw 802.11 packets, including non-data
1906 (management, beacon) packets?
1908 A: That depends on the operating system on which you're running, and
1909 on the 802.11 interface on which you're capturing.
1911 This would probably require that you capture in promiscuous mode or in
1912 the mode called "monitor mode" or "RFMON mode". On some platforms, or
1913 with some cards, this might require that you capture in monitor mode -
1914 promiscuous mode might not be sufficient. If you want to capture
1915 traffic on networks other than the one with which you're associated,
1916 you will have to capture in monitor mode.
1918 Not all operating systems support capturing non-data packets and, even
1919 on operating systems that do support it, not all drivers, and thus not
1920 all interfaces, support it. Even on those that do, monitor mode might
1921 not be supported by the operating system or by the drivers for all
1924 NOTE: an interface running in monitor mode will, on most if not all
1925 platforms, not be able to act as a regular network interface; putting
1926 it into monitor mode will, in effect, take your machine off of
1927 whatever network it's on as long as the interface is in monitor mode,
1928 allowing it only to passively capture packets.
1930 This means that you should disable name resolution when capturing in
1931 monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump)
1932 tries to display IP addresses as host names, it will probably block
1933 for a long time trying to resolve the name because it will not be able
1934 to communicate with any DNS or NIS servers.
1936 There are FAQ items below with information on capturing in monitor
1937 mode on Linux, FreeBSD, and NetBSD.
1939 On Windows, you will not be able to capture in monitor mode on any
1940 interfaces, and you might not be able to capture in promiscuous mode,
1941 either. You might have some success in promiscuous mode with Centrino
1942 interfaces, although you will need Ethereal 0.10.6 or later in order
1943 to have the non-data packets recognized and properly dissected.
1945 You will not be able to capture in monitor mode on any other platforms
1946 (including Mac OS X). You might be able to capture in promiscuous
1947 mode, but this won't capture non-data packets.
1949 Q 5.38: How do I capture on an 802.11 device in monitor mode on Linux?
1951 A: Whether you will be able to capture in monitor mode depends on the
1952 card and driver you're using. See this page of Linux 802.11b
1953 information for details on 802.11b wireless cards, including
1954 information on the chips they use, and see this page of Linux
1955 802.11b+/a/g information for details on 802.11b+, 802.11a, and 802.11g
1956 wireless cards, including information on the chips they use.
1958 Cisco Aironet cards:
1960 On Linux with the driver in the 2.4.6 through 2.4.19 kernel:
1961 1. Put the card into monitor mode with the command echo "Mode: rfmon"
1962 >/proc/driver/aironet/interface/Config. If you want to capture
1963 traffic for any BSS rather than just the BSS with which the card
1964 is associated, use "Mode: y" rather than "Mode: rfmon".
1965 2. When the capture completes, turn off monitor mode with the command
1966 echo "Mode: ess" >/proc/driver/aironet/interface/Config.
1968 On Linux with the driver in the 2.4.20 or later kernel, or with the
1969 CVS drivers from the airo-linux SourceForge site, you will have to
1970 capture on the wifiN interface if your Aironet card is ethN, after
1971 running the commands listed above.
1973 In all of those cases, Ethereal would have to be linked with libpcap
1974 0.7.1 or later; this means that most Ethereal binary packages won't
1975 work unless they're statically linked with libpcap 0.7.1 or later, or
1976 they're dynamically linked with libpcap and your system has a libpcap
1977 0.7.1 or later shared library installed (note that libpcap source
1978 package from tcpdump.org does not build shared libraries). Some binary
1979 packaging mechanisms might make it difficult to install Ethereal
1980 binary packages built to depend on older libpcap binary packages if
1981 you have a newer libpcap binary package installed; the installer
1982 programs for those packaging mechanisms might support disabling
1983 dependency checking so that they will install Ethereal even though a
1984 newer version of libpcap is installed.
1986 Cards using the Prism II chip set:
1988 You can capture raw 802.11 packets with Prism II cards on Linux
1989 systems with the 0.1.14-pre6 or later version of the linux-wlan-ng
1990 drivers (see the linux-wlan page, and the linux-wlan-ng tarball
1991 directory), or with the hostap driver for Prism II/2.5/3.
1993 Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his
1994 libpcap-0.7.1-prism.diff file, or his RPMs of that version of
1995 libpcap), or the current CVS version of libpcap, which includes his
1996 patch (download it from the "Current Tar files" section of the
1997 tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and
1998 rebuild and install libpcap, or if you build and install the current
1999 CVS version of libpcap, you would have to rebuild Ethereal from
2000 source, linking it with that new version of libpcap; an Ethereal
2001 binary package would not work. Ethereal binary packages might work if
2002 you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
2003 a libpcap shared library in place of the one on your system.
2005 With the linux-wlan-ng driver, you should:
2006 1. Put the card into monitor mode with the command wlanctl-ng
2007 interface lnxreq_wlansniffer enable=true. You should request
2008 802.11 headers by adding to that command the option
2009 prismheader=true or, if supported, wlanheader=true; the latter
2010 might require libpcap 0.8.1 or later. You can also set the channel
2011 to monitor by adding the argument channel=channel_number to that
2013 2. When the capture completes, turn off monitor mode with the command
2014 wlanctl-ng interface enable=false. You might also have to turn
2015 802.11 headers off with prismheader=false or wlanheader=false.
2017 See the wlan-ng FAQ for additional information, although note that it
2018 does not appear to be up-to-date.
2020 With the hostap driver, you should:
2021 1. Put the card into monitor mode with the command iwpriv interface
2022 monitor mode, where mode is 2 or 3 (mode 3 would require libpcap
2024 2. When the capture completes, turn off monitor mode with the command
2025 iwpriv interface monitor 0.
2027 Orinoco Silver and Gold cards:
2029 On Linux systems, the current version of the SourceForge orinoco_cs
2030 driver should support monitor mode. There also exist patches to
2031 earlier versions of the Orinoco driver, on the Orinoco Monitor Mode
2032 Patch Page, to add support for monitor mode. You will have to
2033 determine which version of the driver you have, and select the
2034 appropriate patch, if one is necessary.
2036 Note that the page indicates that not all versions of the Orinoco
2037 firmware support this patch. It says, for some versions of the patch,
2038 "This patch should allow monitor mode with v8.10 firmware (untested w/
2039 8.42);" if you have version 8.10 or later firmware on your Orinoco
2040 cards, you might have to use those patches, with the corresponding
2041 versions of the Orinoco driver, in order to run in monitor mode.
2043 That patch is written for the drivers included with the pcmcia-cs
2044 drivers, but works equally well for the Orinoco drivers provided with
2045 Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,
2046 simply copy the orinoco-09b-patch.diff file to the
2047 /usr/src/linux/drivers/net directory and patch according to the
2048 directions on the Orinoco Monitor Mode Patch Page. You can double-
2049 check the version of the Orinoco drivers that shipped with your kernel
2050 by examining the first few lines of the orinoco.c file.
2052 The Orinoco patches and SourceForge driver require either Solomon
2053 Peachy's patch to libpcap 0.7.1 (see his libpcap-0.7.1-prism.diff
2054 file, or his RPMs of that version of libpcap), or the current CVS
2055 version of libpcap, which includes his patch (download it from the
2056 "Current Tar files" section of the tcpdump.org Web site). If you apply
2057 his patches to libpcap 0.7.1 and rebuild and install libpcap, or if
2058 you build and install the current CVS version of libpcap, you would
2059 have to rebuild Ethereal from source, linking it with that new version
2060 of libpcap; an Ethereal binary package would not work. Ethereal binary
2061 packages might work if you install the libpcap-0.7.1-1prism.i386.rpm
2062 RPM, as it might install a libpcap shared library in place of the one
2065 With a driver that supports monitor mode, you should:
2066 1. Put the card into monitor mode with the command iwpriv interface
2067 monitor mode channel_number, where mode is 1 or 2, and
2068 channel_number is the number of the channel to monitor.
2069 2. When the capture completes, turn off monitor mode with the command
2070 iwpriv interface monitor 0.
2072 Cards with the Texas Instruments ACX100 chipset:
2074 You can capture raw 802.11 packets with ACX100 cards on Linux systems
2075 with the ACX100 OSS drivers available from the ACX100 wireless network
2076 driver project SourceForge site.
2080 1. Put the card into monitor mode with the command iwpriv interface
2081 monitor 2 channel_number, where channel_number is the number of
2082 the channel to monitor.
2083 2. When the capture completes, turn off monitor mode with the command
2084 iwpriv interface monitor 0.
2086 Cards with Atheros Communications chipsets:
2088 You can capture raw 802.11 packets with AR5K cards on Linux systems
2089 with the v5_ar5k or madwifi drivers. For the v5ar5k driver you will
2090 need the Linux wireless-tools version 25 or higher to put the card
2091 into monitor mode. If you're using the madwifi driver, you can put the
2092 card into monitor mode using iwconfig interface mode monitor, followed
2093 by iwconfig interface channel channel to select a channel (if needed).
2097 It might be possible to capture in monitor mode on other cards. If so,
2098 please supply us with information on how to do so, so that we can
2099 incorporate that information into this FAQ in the future.
2101 Q 5.39: How do I capture on an 802.11 device in monitor mode on
2104 A: On FreeBSD 5.2 and later, you should be able to capture in monitor
2105 mode on 802.11 interfaces supported by the wi and acx drivers, if
2106 Ethereal is linked with libpcap 0.8.1 or later, and on 802.11
2107 interfaces supported by the an driver, if Ethereal is linked with
2108 libpcap 0.7.1 or later.
2110 For cards supported by the wi and acx drivers, you should:
2111 1. Put the card into monitor mode with the command ifconfig interface
2112 monitor. You can also set the channel to monitor by adding the
2113 argument channel channel_number to that command.
2114 2. When you start the capture, in Ethereal select "802.11" as the
2115 "Link-layer header type", and in Tethereal add the command-line
2117 3. When the capture completes, turn off monitor mode with the command
2118 ifconfig interface -monitor.
2120 For cards supported by the an driver, you should:
2121 1. Put the card into monitor mode with the command ancontrol -i
2122 interface -M flag, where flag should be the sum of:
2123 + 1, to turn monitor mode on;
2124 + 2, if you want to capture traffic from any BSS rather than
2125 just the BSS with which the card is associated;
2126 + 4, if you want to see beacon packets (capturing beacon
2127 packets increases the CPU requirements of capturing).
2128 2. When the capture completes, turn off monitor mode with the command
2129 ancontrol -i interface -M 0.
2131 Don't add 8 in to flag; Ethereal currently doesn't support the full
2134 On FreeBSD 4.6 through 5.1, you should be able to capture in monitor
2135 mode on 802.11 interfaces supported by the an driver, but not on any
2136 other interfaces; see the instructions for FreeBSD 5.2 or later for
2139 In FreeBSD 4.5 and earlier, you will not be able to capture in monitor
2140 mode on 802.11 interfaces (no drivers supported it prior to 4.5, and
2141 in 4.5 the an driver had bugs that caused packets not to be captured
2144 Q 5.40: How do I capture on an 802.11 device in monitor mode on
2147 A: On NetBSD 2.0-beta and later, you should be able to capture in
2148 monitor mode on 802.11 interfaces supported by the wi and acx drivers,
2149 if Ethereal is linked with libpcap 0.8.1 or later. The instructions
2150 are the same as for FreeBSD 5.2 and later.
2152 Q 5.41: I'm trying to capture 802.11 traffic on Windows; why am I not
2155 A: At least some 802.11 card drivers on Windows appear not to see any
2156 packets if they're running in promiscuous mode. Try turning
2157 promiscuous mode off; you'll only be able to see packets sent by and
2158 received by your machine, not third-party traffic, and it'll look like
2159 Ethernet traffic and won't include any management or control frames,
2160 but that's a limitation of the card drivers.
2162 Q 5.42: I'm trying to capture 802.11 traffic on Windows; why am I
2163 seeing packets received by the machine on which I'm capturing traffic,
2164 but not packets sent by that machine?
2166 A: This appears to be another problem with promiscuous mode; try
2169 Q 5.43: How can I capture packets with CRC errors?
2171 A: Ethereal can capture only the packets that the packet capture
2172 library - libpcap on UNIX-flavored OSes, and the WinPcap port to
2173 Windows of libpcap on Windows - can capture, and libpcap/WinPcap can
2174 capture only the packets that the OS's raw packet capture mechanism
2175 (or the WinPcap driver, and the underlying OS networking code and
2176 network interface drivers, on Windows) will allow it to capture.
2178 Unless the OS always supplies packets with errors such as invalid CRCs
2179 to the raw packet capture mechanism, or can be configured to do so,
2180 invalid CRCs to the raw packet capture mechanism, Ethereal - and other
2181 programs that capture raw packets, such as tcpdump - cannot capture
2182 those packets. You will have to determine whether your OS needs to be
2183 so configured and, if so, can be so configured, configure it if
2184 necessary and possible, and make whatever changes to libpcap and the
2185 packet capture program you're using are necessary, if any, to support
2186 capturing those packets.
2188 Most OSes probably do not support capturing packets with invalid CRCs
2189 on Ethernet, and probably do not support it on most other link-layer
2190 types. Some drivers on some OSes do support it, such as some Ethernet
2191 drivers on FreeBSD; in those OSes, you might always get those packets,
2192 or you might only get them if you capture in promiscuous mode (you'd
2193 have to determine which is the case).
2195 Note that libpcap does not currently supply to programs that use it an
2196 indication of whether the packet's CRC was invalid (because the
2197 drivers themselves do not supply that information to the raw packet
2198 capture mechanism); therefore, Ethereal will not indicate which
2199 packets had CRC errors unless the FCS was captured (see the next
2200 question) and you're using Ethereal 0.9.15 and later, in which case
2201 Ethereal will check the CRC and indicate whether it's correct or not.
2203 Q 5.44: How can I capture entire frames, including the FCS?
2205 A: Ethereal can only capture data that the packet capture library -
2206 libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
2207 libpcap on Windows - can capture, and libpcap/WinPcap can capture only
2208 the data that the OS's raw packet capture mechanism (or the WinPcap
2209 driver, and the underlying OS networking code and network interface
2210 drivers, on Windows) will allow it to capture.
2212 For any particular link-layer network type, unless the OS supplies the
2213 FCS of a frame as part of the frame, or can be configured to do so,
2214 Ethereal - and other programs that capture raw packets, such as
2215 tcpdump - cannot capture the FCS of a frame. You will have to
2216 determine whether your OS needs to be so configured and, if so, can be
2217 so configured, configure it if necessary and possible, and make
2218 whatever changes to libpcap and the packet capture program you're
2219 using are necessary, if any, to support capturing the FCS of a frame.
2221 Most OSes do not support capturing the FCS of a frame on Ethernet, and
2222 probably do not support it on most other link-layer types. Some
2223 drivres on some OSes do support it, such as some (all?) Ethernet
2224 drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet
2225 interface in Mac OS X; in those OSes, you might always get the FCS, or
2226 you might only get the FCS if you capture in promiscuous mode (you'd
2227 have to determine which is the case).
2229 Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in
2230 a captured packet as an FCS. 0.9.15 and later will attempt to
2231 determine whether there's an FCS at the end of the frame and, if it
2232 thinks there is, will display it as such, and will check whether it's
2233 the correct CRC-32 value or not.
2235 Q 5.45: Why does Ethereal hang after I stop a capture?
2237 A: The most likely reason for this is that Ethereal is trying to look
2238 up an IP address in the capture to convert it to a name (so that, for
2239 example, it can display the name in the source address or destination
2240 address columns), and that lookup process is taking a very long time.
2242 Ethereal calls a routine in the OS of the machine on which it's
2243 running to convert of IP addresses to the corresponding names. That
2244 routine probably does one or more of:
2245 * a search of a system file listing IP addresses and names;
2246 * a lookup using DNS;
2247 * on UNIX systems, a lookup using NIS;
2248 * on Windows systems, a NetBIOS-over-TCP query.
2250 If a DNS server that's used in an address lookup is not responding,
2251 the lookup will fail, but will only fail after a timeout while the
2252 system routine waits for a reply.
2254 In addition, on Windows systems, if the DNS lookup of the address
2255 fails, either because the server isn't responding or because there are
2256 no records in the DNS that could be used to map the address to a name,
2257 a NetBIOS-over-TCP query will be made. That query involves sending a
2258 message to the NetBIOS-over-TCP name service on that machine, asking
2259 for the name and other information about the machine. If the machine
2260 isn't running software that responds to those queries - for example,
2261 many non-Windows machines wouldn't be running that software - the
2262 lookup will only fail after a timeout. Those timeouts can cause the
2263 lookup to take a long time.
2265 If you disable network address-to-name translation - for example, by
2266 turning off the "Enable network name resolution" option in the
2267 "Capture Options" dialog box for starting a network capture - the
2268 lookups of the address won't be done, which may speed up the process
2269 of reading the capture file after the capture is stopped. You can make
2270 that setting the default by selecting "Preferences" from the "Edit"
2271 menu, turning off the "Enable network name resolution" option in the
2272 "Name resolution" options in the preferences disalog box, and using
2273 the "Save" button in that dialog box; note that this will save all
2274 your current preference settings.
2276 If Ethereal hangs when reading a capture even with network name
2277 resolution turned off, there might, for example, be a bug in one of
2278 Ethereal's dissectors for a protocol causing it to loop infinitely. If
2279 you're not running the most recent release of Ethereal, you should
2280 first upgrade to that release, as, if there's a bug of that sort, it
2281 might've been fixed in a release after the one you're running. If the
2282 hang occurs in the most recent release of Ethereal, the bug should be
2283 reported to the Ethereal developers' mailing list at
2284 ethereal-dev@ethereal.com.
2286 On UNIX-flavored OSes, please try to force Ethereal to dump core, by
2287 sending it a SIGABRT signal (usually signal 6) with the kill command,
2288 and then get a stack trace if you have a debugger installed. A stack
2289 trace can be obtained by using your debugger (gdb in this example),
2290 the Ethereal binary, and the resulting core file. Here's an example of
2291 how to use the gdb command backtrace to do so.
2294 ..... prints the stack trace
2298 The core dump file may be named "ethereal.core" rather than "core" on
2299 some platforms (e.g., BSD systems).
2301 Also, if at all possible, please send a copy of the capture file that
2302 caused the problem; when capturing packets, Ethereal normally writes
2303 captured packets to a temporary file, which will probably be in /tmp
2304 or /var/tmp on UNIX-flavored OSes, \TEMP on the main system disk
2305 (normally C:) on Windows 9x/Me/NT 4.0, and \Documents and
2306 Settings\your login name\Local Settings\Temp on the main system disk
2307 on Windows 2000/XP/Server 2003, so the capture file will probably be
2308 there. It will have a name beginning with ether, with some mixture of
2309 letters and numbers after that. Please don't send a trace file greater
2310 than 1 MB when compressed; instead, make it available via FTP or HTTP,
2311 or say it's available but leave it up to a developer to ask for it. If
2312 the trace file contains sensitive information (e.g., passwords), then
2313 please do not send it.
2315 Q 5.46: How can I search for, or filter, packets that have a
2316 particular string anywhere in them?
2318 A: If you want to do this when capturing, you can't. That's a feature
2319 that would be hard to implement in capture filters without changes to
2320 the capture filter code, which, on many platforms, is in the OS kernel
2321 and, on other platforms, is in the libpcap library.
2323 In releases prior to 0.9.14, you also can't search for, or filter,
2324 packets containing a particular string even after you've captured
2327 In 0.9.14, you can search for, but not filter, packets that have a
2328 particular string; this has been added to the "Find Frame" dialog
2329 ("Find Frame" under the "Edit" menu, or control-F).
2331 In 0.9.15 and later, you can search for those packets using either the
2332 mechanism introduced in 0.9.14 or using the new "contains" operator in
2333 filter expressions, which lets you search the entire packet or text
2334 string or byte string fields in the packet; the "contains" operator
2335 can also be used in expressions used to filter the display.
2337 Q 5.47: How do I filter a capture to see traffic for virus XXX?
2339 A: For some viruses/worms there might be a capture filter to recognize
2340 the virus traffic. Check the CaptureFilters page on the Ethereal Wiki
2341 to see if anybody's added such a filter.
2343 Note that Ethereal was not designed to be an intrusion detection
2344 system; you might be able to use it as an IDS, but in most cases
2345 software designed to be an IDS, such as Snort or Prelude, will
2346 probably work better.
2348 The Bleeding Edge of Snort has a collection of signatures for Snort to
2349 detect various viruses, worms, and the like.
2351 Please send support questions about Ethereal to the
2352 ethereal-users[AT]ethereal.com mailing list.
2353 For corrections/additions/suggestions for this web page (and not
2354 Ethereal support questions), please send email to
2355 ethereal-web[AT]ethereal.com .
2356 Last modified: Fri, January 14 2005.