Unix-like operating systems. It uses GTK+, a graphical user interface
library, and libpcap, a packet capture and filtering library.
-The Wireshark distribution also comes with Tshark, which is a
+The Wireshark distribution also comes with TShark, which is a
line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the
same dissection, capture-file reading and writing, and packet filtering
code as Wireshark, and with editcap, which is a program to read capture
The latest distribution can be found in the subdirectory
- http://www.wireshark.org/distribution
+ http://www.wireshark.org/download
Installation
- Tru64 UNIX (formerly Digital UNIX) (3.2 and later)
- Irix (6.5)
- AIX (4.3.2, with a bit of work)
- - Win32 (98, NT, 2000, XP)
+ - Windows (2003, XP, Vista, 7)
and possibly on other versions of those OSes. It should run on other
Unix-ish systems without too much trouble.
+If you have an older version of the operating systems listed above, it
+might be supported by an older version of Wireshark. In particular,
+Windows 2000 is supported by Wireshark 1.2.x, Windows NT 4.0 is supported by
+Wireshark 0.99.4, and Windows 95, 98, and ME are supported by Ethereal 0.99.0.
+
NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to
work with the "make" that comes with Solaris 7 nor the BSD "make".
Perl is also needed to create the man page.
Usage
-----
-In order to capture packets from the network, you need to be running as
-root, or have access to the appropriate entry under /dev if your system
-is so inclined (BSD-derived systems, and systems such as Solaris and
-HP-UX that support DLPI, typically fall into this category). Although
-it might be tempting to make the Wireshark executable setuid root, please
-don't - alpha code is by nature not very robust, and liable to contain
-security holes.
+In order to capture packets from the network, you need to make the
+dumpcap program set-UID to root, or you need to have access to the
+appropriate entry under /dev if your system is so inclined (BSD-derived
+systems, and systems such as Solaris and HP-UX that support DLPI,
+typically fall into this category). Although it might be tempting to
+make the Wireshark and TShark executables setuid root, or to run them as
+root please don't. The capture process has been isolated in dumpcap;
+this simple program is less likely to contain security holes, and thus
+safer to run as root.
Please consult the man page for a description of each command-line
option and interface feature.
development parallel to wireshark. In the future it is hoped that
wiretap will have more features than libpcap, but wiretap is still in
its infancy. However, wiretap is used in wireshark for its ability
-to read multiple file types. You can read the following file
-formats:
-
-libpcap (tcpdump -w, etc.) - this is Wireshark's native format
-snoop and atmsnoop
-Shomiti/Finisar Surveyor
-Novell LANalyzer
-Network General/Network Associates DOS-based Sniffer (compressed and
- uncompressed)
-Microsoft Network Monitor
-AIX's iptrace
-Cinco Networks NetXRray
-Network Associates Windows-based Sniffer
-AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek/EtherHelp
-RADCOM's WAN/LAN Analyzer
-Lucent/Ascend access products
-HP-UX's nettl
-Toshiba's ISDN routers
-ISDN4BSD "i4btrace" utility
-Cisco Secure Intrustion Detection System iplogging facility
-pppd logs (pppdump-format files)
-VMS's TCPIPtrace utility
-DBS Etherwatch for VMS
-Traffic captures from Visual Networks' Visual UpTime
-CoSine L2 debug output
-Output from Accellent's 5Views LAN agents
-Endace Measurement Systems' ERF format
-Linux Bluez Bluetooth stack "hcidump -w" traces
-Network Instruments Observer version 9
-Trace files for the EyeSDN USB S0
-
-In addition, it can read gzipped versions of any of these files
+to read multiple file types. See the Wireshark man page or the
+Wireshark User's Guide for a list of supported file formats.
+
+In addition, it can read gzipped versions of any of those files
automatically, if you have the zlib library available when compiling
Wireshark. Wireshark needs a modern version of zlib to be able to use
zlib to read gzipped files; version 1.1.3 is known to work. Versions
Support for Lucent/Ascend products is limited to the debug trace output
generated by the MAX and Pipline series of products. Wireshark can read
the output of the "wandsession" "wandisplay", "wannext", and "wdd"
-commands. For detailed information on use of these commands, please refer
-the following pages:
-
-"wandsession", "wandisplay", and "wannext" on the Pipeline series:
- http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006c79
-
-"wandsession", "wandisplay", and "wannext" on the MAX series:
- http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006972
-
-"wdd" on the Pipeline series:
- http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006877
+commands.
Wireshark can also read dump trace output from the Toshiba "Compact Router"
line of ISDN routers (TR-600 and TR-650). You can telnet to the router
SNMP
----
-Wireshark can do some basic decoding of SNMP packets; it can also use the
-UCD SNMP library, version 4.2.2 or later, to do more sophisticated
-decoding, by reading MIB files and using the information in those files
-to display OIDs and variable binding values in a friendlier fashion.
-The configure script will automatically determine whether you have the
-UCD SNMP library on your system, and will use it if it's version 4.2.2
-or later. If you have an SNMP library but _do not_ want to have
-wireshark use it, you can run configure with the "--without-ucd-snmp"
+Wireshark can do some basic decoding of SNMP packets; it can also use
+the libsmi library to do more sophisticated decoding, by reading MIB
+files and using the information in those files to display OIDs and
+variable binding values in a friendlier fashion. The configure script
+will automatically determine whether you have the libsmi library on
+your system. If you have the libsmi library but _do not_ want to have
+Wireshark use it, you can run configure with the "--without-libsmi"
option.
-If you have an earlier version of the UCD SNMP library on your system,
-the configure script will stop, reporting that it can't find the
-"sprint_realloc_objid()" routine; you should either upgrade to version
-4.2.4 or later, as UCD SNMP 4.2.4 fixes some potential buffer overflow
-problems, or should configure with "--without-ucd-snmp".
-
-
How to Report a Bug
-------------------
Wireshark is still under constant development, so it is possible that you will
-encounter a bug while using it. Please report bugs to wireshark-dev@wireshark.org.
-Be sure you tell us:
-
- 1) Operating System and version (the command 'uname -sr' may
- tell you this, although on Linux systems it will probably
- tell you only the version number of the Linux kernel, not of
- the distribution as a whole; on Linux systems, please tell us
- both the version number of the kernel, and which version of
- which distribution you're running)
- 2) Version of GTK+ (the command 'gtk-config --version' will tell you)
- 3) Version of Wireshark (the command 'wireshark -v' will tell you,
- unless the bug is so severe as to prevent that from working,
- and should also tell you the versions of libraries with which
- it was built)
- 4) The command you used to invoke Wireshark, and the sequence of
- operations you performed that caused the bug to appear
-
-If the bug is produced by a particular trace file, please be sure to send
-a trace file along with your bug description. Please don't send a trace file
-greater than 1 MB when compressed. If the trace file contains sensitive
-information (e.g., passwords), then please do not send it.
+encounter a bug while using it. Please report bugs at http://bugs.wireshark.org.
+Be sure you enter into the bug:
+
+ 1) the complete build information from the "About Wireshark"
+ item in the Help menu or the output of "wireshark -v" for
+ Wireshark bugs and the output of "tshark -v" for TShark bugs;
+
+ 2) if the bug happened on Linux, the Linux distribution you were
+ using, and the version of that distribution;
+
+ 3) the command you used to invoke Wireshark, if you ran
+ Wireshark from the command line, or TShark, if you ran
+ TShark, and the sequence of operations you performed that
+ caused the bug to appear.
+
+If the bug is produced by a particular trace file, please be sure to
+attach to the bug a trace file along with your bug description. If the
+trace file contains sensitive information (e.g., passwords), then please
+do not send it.
If Wireshark died on you with a 'segmentation violation', 'bus error',
'abort', or other error that produces a UNIX core dump file, you can
The core dump file may be named "wireshark.core" rather than "core" on
some platforms (e.g., BSD systems). If you got a core dump with
-Tshark rather than Wireshark, use "tshark" as the first argument to
+TShark rather than Wireshark, use "tshark" as the first argument to
the debugger; the core dump may be named "tshark.core".
Disclaimer
git.samba.org / obnox / wireshark / wip.git / blobdiff