Unix-like operating systems. It uses GTK+, a graphical user interface
library, and libpcap, a packet capture and filtering library.
-The Wireshark distribution also comes with Tshark, which is a
+The Wireshark distribution also comes with TShark, which is a
line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the
same dissection, capture-file reading and writing, and packet filtering
code as Wireshark, and with editcap, which is a program to read capture
The latest distribution can be found in the subdirectory
- http://www.wireshark.org/distribution
+ http://www.wireshark.org/download
Installation
- Tru64 UNIX (formerly Digital UNIX) (3.2 and later)
- Irix (6.5)
- AIX (4.3.2, with a bit of work)
- - Win32 (NT, 2000, 2003, XP)
+ - Windows (2000, 2003, XP, Vista)
and possibly on other versions of those OSes. It should run on other
Unix-ish systems without too much trouble.
+If you have an older version of the operating systems listed above, it
+might be supported by an older version of Wireshark. In particular,
+Windows NT 4.0 is supported by Wireshark 0.99.4, and Windows 95, 98, and
+ME are supported by Ethereal 0.99.0.
+
NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to
work with the "make" that comes with Solaris 7 nor the BSD "make".
Perl is also needed to create the man page.
Usage
-----
-In order to capture packets from the network, you need to be running as
-root, or have access to the appropriate entry under /dev if your system
-is so inclined (BSD-derived systems, and systems such as Solaris and
-HP-UX that support DLPI, typically fall into this category). Although
-it might be tempting to make the Wireshark executable setuid root, please
-don't - alpha code is by nature not very robust, and liable to contain
-security holes.
+In order to capture packets from the network, you need to make the
+dumpcap program set-UID to root, or you need to have access to the
+appropriate entry under /dev if your system is so inclined (BSD-derived
+systems, and systems such as Solaris and HP-UX that support DLPI,
+typically fall into this category). Although it might be tempting to
+make the Wireshark and TShark executables setuid root, or to run them as
+root please don't. The capture process has been isolated in dumpcap;
+this simple program is less likely to contain security holes, and thus
+safer to run as root.
Please consult the man page for a description of each command-line
option and interface feature.
Support for Lucent/Ascend products is limited to the debug trace output
generated by the MAX and Pipline series of products. Wireshark can read
the output of the "wandsession" "wandisplay", "wannext", and "wdd"
-commands. For detailed information on use of these commands, please refer
-the following pages:
-
-"wandsession", "wandisplay", and "wannext" on the Pipeline series:
- http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006c79
-
-"wandsession", "wandisplay", and "wannext" on the MAX series:
- http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006972
-
-"wdd" on the Pipeline series:
- http://aos.ascend.com/aos:/gennavviewer.html?doc_id=0900253d80006877
+commands.
Wireshark can also read dump trace output from the Toshiba "Compact Router"
line of ISDN routers (TR-600 and TR-650). You can telnet to the router
SNMP
----
Wireshark can do some basic decoding of SNMP packets; it can also use
-the Net-SNMP library to do more sophisticated decoding, by reading MIB
+the libsmi library to do more sophisticated decoding, by reading MIB
files and using the information in those files to display OIDs and
variable binding values in a friendlier fashion. The configure script
-will automatically determine whether you have the Net-SNMP library on
-your system. If you have the Net-SNMP library but _do not_ want to have
-wireshark use it, you can run configure with the "--without-net-snmp"
+will automatically determine whether you have the libsmi library on
+your system. If you have the libsmi library but _do not_ want to have
+Wireshark use it, you can run configure with the "--without-libsmi"
option.
How to Report a Bug
-------------------
Wireshark is still under constant development, so it is possible that you will
-encounter a bug while using it. Please report bugs to wireshark-dev@wireshark.org.
-Be sure you tell us:
-
- 1) Operating System and version (the command 'uname -sr' may
- tell you this, although on Linux systems it will probably
- tell you only the version number of the Linux kernel, not of
- the distribution as a whole; on Linux systems, please tell us
- both the version number of the kernel, and which version of
- which distribution you're running)
- 2) Version of GTK+ (the command 'gtk-config --version' will tell you)
- 3) Version of Wireshark (the command 'wireshark -v' will tell you,
- unless the bug is so severe as to prevent that from working,
- and should also tell you the versions of libraries with which
- it was built)
- 4) The command you used to invoke Wireshark, and the sequence of
- operations you performed that caused the bug to appear
-
-If the bug is produced by a particular trace file, please be sure to send
-a trace file along with your bug description. Please don't send a trace file
-greater than 1 MB when compressed. If the trace file contains sensitive
-information (e.g., passwords), then please do not send it.
+encounter a bug while using it. Please report bugs at http://bugs.wireshark.org.
+Be sure you enter into the bug:
+
+ 1) the complete build information from the "About Wireshark"
+ item in the Help menu or the output of "wireshark -v" for
+ Wireshark bugs and the output of "tshark -v" for TShark bugs;
+
+ 2) if the bug happened on Linux, the Linux distribution you were
+ using, and the version of that distribution;
+
+ 3) the command you used to invoke Wireshark, if you ran
+ Wireshark from the command line, or TShark, if you ran
+ TShark, and the sequence of operations you performed that
+ caused the bug to appear.
+
+If the bug is produced by a particular trace file, please be sure to
+attach to the bug a trace file along with your bug description. If the
+trace file contains sensitive information (e.g., passwords), then please
+do not send it.
If Wireshark died on you with a 'segmentation violation', 'bus error',
'abort', or other error that produces a UNIX core dump file, you can
The core dump file may be named "wireshark.core" rather than "core" on
some platforms (e.g., BSD systems). If you got a core dump with
-Tshark rather than Wireshark, use "tshark" as the first argument to
+TShark rather than Wireshark, use "tshark" as the first argument to
the debugger; the core dump may be named "tshark.core".
Disclaimer