when I try to build Ethereal from CVS or a CVS snapshot?
- 4.3 The link failed because of an undefined reference to
- snmp_set_full_objid.
-
- 4.4 The link fails with a number of "Output line too long." messages
+ 4.3 The link fails with a number of "Output line too long." messages
followed by linker errors.
- 4.5 The link fails on Solaris because plugin_list is undefined.
+ 4.4 The link fails on Solaris because plugin_list is undefined.
- 4.6 The build fails on Windows because of conflicts between winsock.h
+ 4.5 The build fails on Windows because of conflicts between winsock.h
and winsock2.h.
Using Ethereal:
machine, even though another sniffer on the network sees those
packets.
- 5.3 I can set a display filter just fine, but capture filters don't
+ 5.3 I'm only seeing ARP packets when I try to capture traffic.
+
+ 5.4 How do I put an interface into promiscuous mode?
+
+ 5.5 I can set a display filter just fine, but capture filters don't
work.
- 5.4 I'm entering valid capture filters, but I still get "parse error"
+ 5.6 I'm entering valid capture filters, but I still get "parse error"
errors.
- 5.5 I saved a filter and tried to use its name to filter the display,
+ 5.7 I saved a filter and tried to use its name to filter the display,
but I got an "Unexpected end of filter string" error.
- 5.6 Why am I seeing lots of packets with incorrect TCP checksums?
+ 5.8 Why am I seeing lots of packets with incorrect TCP checksums?
- 5.7 I've just installed Ethereal, and the traffic on my local LAN is
+ 5.9 I've just installed Ethereal, and the traffic on my local LAN is
boring.
- 5.8 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
+ 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
start it.
- 5.9 I'm running Ethereal on Linux; why do my time stamps have only
+ 5.11 I'm running Ethereal on Linux; why do my time stamps have only
100ms resolution, rather than 1us resolution?
- 5.10 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
+ 5.12 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
why are the time stamps on packets wrong?
- 5.11 When I try to run Ethereal on Windows, it fails to run because it
+ 5.13 When I try to run Ethereal on Windows, it fails to run because it
can't find packet.dll.
- 5.12 Why does some network interface on my machine not show up in the
+ 5.14 Why does some network interface on my machine not show up in the
list of interfaces in the "Interface:" field in the dialog box popped
up by "Capture->Start", and/or why does Ethereal give me an error if I
try to capture on that interface?
- 5.13 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
+ 5.15 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
"Interface" item in the "Capture Options" dialog box. Why can no
packets be sent on or received from that network while I'm trying to
capture traffic on that interface?
- 5.14 I'm running Ethereal on Windows 95/98/Me, on a machine with more
+ 5.16 I'm running Ethereal on Windows 95/98/Me, on a machine with more
than one network adapter of the same type; Ethereal shows all of those
adapters with the same name, but I can't use any of those adapters
other than the first one.
- 5.15 I have an XXX network card on my machine; if I try to capture on
+ 5.17 I have an XXX network card on my machine; if I try to capture on
it, my machine crashes or resets itself.
- 5.16 My machine crashes or resets itself when I select "Start" from
+ 5.18 My machine crashes or resets itself when I select "Start" from
the "Capture" menu or select "Preferences" from the "Edit" menu.
- 5.17 Does Ethereal work on Windows ME?
+ 5.19 Does Ethereal work on Windows ME?
- 5.18 Does Ethereal work on Windows XP?
+ 5.20 Does Ethereal work on Windows XP?
- 5.19 Why doesn't Ethereal correctly identify RTP packets? It shows
+ 5.21 Why doesn't Ethereal correctly identify RTP packets? It shows
them only as UDP.
- 5.20 Why doesn't Ethereal show Yahoo Messenger packets in captures
+ 5.22 Why doesn't Ethereal show Yahoo Messenger packets in captures
that contain Yahoo Messenger traffic?
- 5.21 Why do I get the error
+ 5.23 Why do I get the error
Gdk-ERROR **: Palettized display (256-colour) mode not supported on
Windows.
when I try to run Ethereal on Windows?
- 5.22 When I capture on Windows in promiscuous mode, I can see packets
+ 5.24 When I capture on Windows in promiscuous mode, I can see packets
other than those sent to or from my machine; however, those packets
show up with a "Short Frame" indication, unlike packets to or from my
machine. What should I do to arrange that I see those packets in their
entirety?
- 5.23 How can I capture raw 802.11 packets, including non-data
+ 5.25 How can I capture raw 802.11 packets, including non-data
(management, beacon) packets?
- 5.24 How can I capture packets with CRC errors?
+ 5.26 How can I capture packets with CRC errors?
- 5.25 How can I capture entire frames, including the FCS?
+ 5.27 How can I capture entire frames, including the FCS?
- 5.26 Ethereal hangs after I stop a capture.
+ 5.28 Ethereal hangs after I stop a capture.
- 5.27 How can I search for, or filter, packets that have a particular
+ 5.29 How can I search for, or filter, packets that have a particular
string anywhere in them?
GENERAL QUESTIONS
Q 1.2: What protocols are currently supported?
- A: There are currently 355 supported protocols and media, listed
+ A: There are currently 366 supported protocols and media, listed
below. Descriptions can be found in the ethereal(1) man page.
802.1q Virtual LAN
Distance Vector Multicast Routing Protocol
Distributed Checksum Clearinghouse Prototocl
Domain Name Service
- Dummy Protocol
Dynamic DNS Tools Protocol
Encapsulating Security Payload
Enhanced Interior Gateway Routing Protocol
Ethernet
+ Ethernet over IP
Extensible Authentication Protocol
FC Extended Link Svc
FC Fabric Configuration Server
Generic Routing Encapsulation
Generic Security Service Application Program Interface
Gnutella Protocol
+ HP Extended Local-Link Control
+ HP Remote Maintenance Protocol
Hummingbird NFS Daemon
HyperSCSI
Hypertext Transfer Protocol
MDS Header
MMS Message Encapsulation
MS Proxy Protocol
+ MSN Messenger Service
MSNIP: Multicast Source Notification of Interest Protocol
MTP 2 Transparent Proxy
MTP 2 User Adaptation Layer
Microsoft Windows Logon Protocol
Microsoft Workstation Service
Mobile IP
+ Mobile IPv6
Modbus/TCP
Mount Service
MultiProtocol Label Switching Header
Novell Distributed Print System
Null/Loopback
Open Shortest Path First
+ OpenBSD Encapsulating device
OpenBSD Packet Filter log file
PC NFS
PPP Bandwidth Allocation Control Protocol
RIPng
RPC Browser
RSTAT
+ RSYNC File Synchroniser
RX Protocol
Radio Access Network Application Part
Radius Protocol
SPRAY
SS7 SCCP-User Adaptation Layer
SSCOP
+ SSH Protocol
Secure Socket Layer
Sequenced Packet eXchange
Service Advertisement Protocol
Synchronous Data Link Control (SDLC)
Syslog message
Systems Network Architecture
+ Systems Network Architecture XID
TACACS
TACACS+
TPKT
User Datagram Protocol
Virtual Router Redundancy Protocol
Virtual Trunking Protocol
+ WAP Binary XML
Web Cache Coordination Protocol
+ Wellfleet Breath of Life
Wellfleet Compression
Wellfleet HDLC
Who
X11
Xyplex
Yahoo Messenger Protocol
+ Yahoo YMSG Messenger Protocol
Yellow Pages Bind
Yellow Pages Passwd
Yellow Pages Service
machine). There is a bug in that version of automake that causes this
problem; upgrade to a later version of automake (1.6 or later).
- Q 4.3: The link failed because of an undefined reference to
- snmp_set_full_objid.
-
- A: You probably have the shared library for UCD SNMP 4.1.1 installed
- (so that snmp_set_full_objid is a macro, rather than a routine in the
- SNMP shared library), but the `development' package for an earlier or
- later UCD SNMP library (so that snmp_set_full_objid is not defined as
- a macro, causing Ethereal to attempt to call it as a routine).
-
- If you are on a Linux system that uses RPMs, and the UCD SNMP packages
- are installed as RPMs, the command rpm -qa | grep snmp will report the
- versions of the SNMP packages you have installed; they should all have
- the same version number, such as 4.0.1 or 4.1.1 or 4.1.2. If they
- don't, remove the RPM for the development package (which will probably
- have a name beginning with ucd-snmp-devel) and install the version of
- the development package with the same version number as the other
- ucd-snmp packages have.
-
- After installing the 4.1.1 version of the UCD SNMP header files, do a
- make clean and then rebuild Ethereal.
-
- Q 4.4: The link fails with a number of "Output line too long."
+ Q 4.3: The link fails with a number of "Output line too long."
messages followed by linker errors.
A: The version of the sed command on your system is incapable of
searching the directory with the version of sed that came with the OS
should make the problem go away.
- Q 4.5: The link fails on Solaris because plugin_list is undefined.
+ Q 4.4: The link fails on Solaris because plugin_list is undefined.
A: This appears to be due to a problem with some versions of the GTK+
and GLib packages from www.sunfreeware.org; un-install those packages,
persists, un-install them and try installing one of the other versions
mentioned.)
- Q 4.6: The build fails on Windows because of conflicts between
+ Q 4.5: The build fails on Windows because of conflicts between
winsock.h and winsock2.h.
A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and
this. See, for example:
* this documentation from Cisco on the Switched Port Analyzer (SPAN)
feature on Catalyst switches;
- * documentation from HP on how to set `monitoring'/`mirroring' on
+ * documentation from HP on how to set "monitoring"/"mirroring" on
ports on the console for HP Advancestack Switch 208 and 224;
- * the `Network Monitoring Port Features' section of chapter 6 of
+ * the "Network Monitoring Port Features" section of chapter 6 of
documentation from HP for HP ProCurve Switches 1600M, 2424M,
4000M, and 8000M.
In the case of token ring interfaces, the drivers for some of them, on
Windows, may require you to enable promiscuous mode in order to
capture in promiscuous mode. Ask the vendor of the card how to do
- this.
+ this, or see, for example, this information on promiscuous mode on
+ some Madge token ring adapters (note that those cards can have
+ promiscuous mode disabled permanently, in which case you can't enable
+ it).
In the case of wireless LAN interfaces, it appears that, when those
interfaces are promiscuously sniffing, they're running in a
traffic, it's a problem with unicast traffic, as you also won't see
all UDP traffic between other machines.
- I.e., this is probably the same problem discussed in the previous
- question; see the response to that question.
+ I.e., this is probably the same question as this earlier one; see the
+ response to that question.
+
+ Q 5.3: I'm only seeing ARP packets when I try to capture traffic.
- Q 5.3: I can set a display filter just fine, but capture filters don't
+ A: You're probably on a switched network, and running Ethereal on a
+ machine that's not sending traffic to the switch and not being sent
+ any traffic from other machines on the switch. ARP packets are often
+ broadcast packets, which are sent to all switch ports.
+
+ I.e., this is probably the same question as this earlier one; see the
+ response to that question.
+
+ Q 5.4: How do I put an interface into promiscuous mode?
+
+ A: By not disabling promiscuous mode when running Ethereal or
+ Tethereal.
+
+ Note, however, that:
+ * the form of promiscuous mode that libpcap (the library that
+ programs such as tcpdump, Ethereal, etc. use to do packet capture)
+ turns on will not necessarily be shown if you run ifconfig on the
+ interface on a UNIX system;
+ * some network interfaces might not support promiscuous mode, and
+ some drivers might not allow promiscuous mode to be turned on -
+ see this earlier question for more information on that;
+ * the fact that you're not seeing any traffic, or are only seeing
+ broadcast traffic, or aren't seeing any non-broadcast traffic
+ other than traffic to or from the machine running Ethereal, does
+ not mean that promiscuous mode isn't on - see this earlier
+ question for more information on that.
+
+ I.e., this is probably the same question as this earlier one; see the
+ response to that question.
+
+ Q 5.5: I can set a display filter just fine, but capture filters don't
work.
A: Capture filters currently use a different syntax than display
The capture filter syntax used by libpcap can be found in the
tcpdump(8) man page.
- Q 5.4: I'm entering valid capture filters, but I still get "parse
+ Q 5.6: I'm entering valid capture filters, but I still get "parse
error" errors.
A: There is a bug in some versions of libpcap/WinPcap that cause it to
WinPcap, you will need to un-install WinPcap and then download and
install WinPcap 2.3.
- Q 5.5: I saved a filter and tried to use its name to filter the
+ Q 5.7: I saved a filter and tried to use its name to filter the
display, but I got an "Unexpected end of filter string" error.
A: You cannot use the name of a saved display filter as a filter. To
use a saved filter, you can press the "Filter:" button, select the
filter in the dialog box that pops up, and press the "OK" button.
- Q 5.6: Why am I seeing lots of packets with incorrect TCP checksums?
+ Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums?
A: If the packets that have incorrect TCP checksums are all being sent
by the machine on which Ethereal is running, this is probably because
tcp.check_checksum:false command-line flag, or manually set in your
preferences file by adding a tcp.check_checksum:false line.
- Q 5.7: I've just installed Ethereal, and the traffic on my local LAN
+ Q 5.9: I've just installed Ethereal, and the traffic on my local LAN
is boring.
A: We have a collection of strange and exotic sample capture files at
http://www.ethereal.com/sample/
- Q 5.8: When I run Ethereal on Solaris 8, it dies with a Bus Error when
- I start it.
+ Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error
+ when I start it.
A: Some versions of the GTK+ library from www.sunfreeware.org appear
to be buggy, causing Ethereal to drop core with a Bus Error.
Similar problems may exist with older versions of GTK+ for earlier
versions of Solaris.
- Q 5.9: I'm running Ethereal on Linux; why do my time stamps have only
+ Q 5.11: I'm running Ethereal on Linux; why do my time stamps have only
100ms resolution, rather than 1us resolution?
A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
have to run a standard kernel from kernel.org in order to get
high-resolution time stamps.
- Q 5.10: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
+ Q 5.12: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
why are the time stamps on packets wrong?
A: This is due to a bug in WinPcap. The bug should be fixed in the
- WinPcap 3.0 alpha release - note that it's an alpha release, so it may
+ WinPcap 3.0 beta release - note that it's an beta release, so it may
be buggier than the current production release of WinPcap; please
report those bugs to the WinPcap developers, and help them try to
track down the problem, so that they can fix it for the final release.
- Q 5.11: When I try to run Ethereal on Windows, it fails to run because
+ Q 5.13: When I try to run Ethereal on Windows, it fails to run because
it can't find packet.dll.
A: In older versions of Ethereal, there were two binary distributions
Web site, the local mirror of the WinPcap Web site, or the
Wiretapped.net mirror of the WinPcap site.
- Q 5.12: Why does some network interface on my machine not show up in
+ Q 5.14: Why does some network interface on my machine not show up in
the list of interfaces in the "Interface:" field in the dialog box
popped up by "Capture->Start", and/or why does Ethereal give me an
error if I try to capture on that interface?
details of the problem, as described above, and also indicate that the
problem occurs with tcpdump/WinDump, not just with Ethereal.
- Q 5.13: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
+ Q 5.15: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
"Interface" item in the "Capture Options" dialog box. Why can no
packets be sent on or received from that network while I'm trying to
Preferences" dialog box, but this may mean that outgoing packets, or
incoming packets, won't be seen in the capture.
- Q 5.14: I'm running Ethereal on Windows 95/98/Me, on a machine with
+ Q 5.16: I'm running Ethereal on Windows 95/98/Me, on a machine with
more than one network adapter of the same type; Ethereal shows all of
those adapters with the same name, but I can't use any of those
adapters other than the first one.
capture only on the first such interface; Ethereal is a
libpcap/WinPcap-based application.
- Q 5.15: I have an XXX network card on my machine; if I try to capture
+ Q 5.17: I have an XXX network card on my machine; if I try to capture
on it, my machine crashes or resets itself.
A: This is almost certainly a problem with one or more of:
Linux distribution, report the problem to whoever produces the
distribution).
- Q 5.16: My machine crashes or resets itself when I select "Start" from
+ Q 5.18: My machine crashes or resets itself when I select "Start" from
the "Capture" menu or select "Preferences" from the "Edit" menu.
A: Both of those operations cause Ethereal to try to build a list of
or, for Windows, WinPcap bug that causes the system to crash when this
happens; see the previous question.
- Q 5.17: Does Ethereal work on Windows ME?
+ Q 5.19: Does Ethereal work on Windows ME?
A: Yes, but if you want to capture packets, you will need to install
the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
didn't support Windows ME. You should also install the latest version
of Ethereal as well.
- Q 5.18: Does Ethereal work on Windows XP?
+ Q 5.20: Does Ethereal work on Windows XP?
A: Yes, but if you want to capture packets, you will need to install
the latest version of WinPcap, as 2.2 and earlier versions of WinPcap
didn't support Windows XP.
- Q 5.19: Why doesn't Ethereal correctly identify RTP packets? It shows
+ Q 5.21: Why doesn't Ethereal correctly identify RTP packets? It shows
them only as UDP.
A: Ethereal can identify a UDP datagram as containing a packet of a
both the source and destination ports of the packet should be
dissected as some particular protocol.
- Q 5.20: Why doesn't Ethereal show Yahoo Messenger packets in captures
+ Q 5.22: Why doesn't Ethereal show Yahoo Messenger packets in captures
that contain Yahoo Messenger traffic?
A: Ethereal only recognizes as Yahoo Messenger traffic packets to or
- from TCP port 3050 that begin with "YPNS" or "YHOO". This means that
- 1. TCP segments that start with the middle of a Yahoo Messenger
- packet that takes more than one TCP segment will not be recognized
- as Yahoo Messenger packets (even if the TCP segment also contains
- the beginning of another Yahoo Messenger packet);
- 2. Yahoo Messenger packets that begin with "YMSG", as packets for
- some versions of the protocol apparently do, will not be
- recognized as Yahoo Messenger packets.
+ from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP
+ segments that start with the middle of a Yahoo Messenger packet that
+ takes more than one TCP segment will not be recognized as Yahoo
+ Messenger packets (even if the TCP segment also contains the beginning
+ of another Yahoo Messenger packet).
- Q 5.21: Why do I get the error
+ Q 5.23: Why do I get the error
Gdk-ERROR **: Palettized display (256-colour) mode not supported on
Windows.
to a display mode with more colors; if it doesn't support more than
256 colors, you will be unable to run Ethereal.
- Q 5.22: When I capture on Windows in promiscuous mode, I can see
+ Q 5.24: When I capture on Windows in promiscuous mode, I can see
packets other than those sent to or from my machine; however, those
packets show up with a "Short Frame" indication, unlike packets to or
from my machine. What should I do to arrange that I see those packets
running on the network interface on which you're capturing; turn it
off on that interface.
- Q 5.23: How can I capture raw 802.11 packets, including non-data
+ Q 5.25: How can I capture raw 802.11 packets, including non-data
(management, beacon) packets?
- A: The answer to this depends on the operating system on which you're
- running and the 802.11 interface you're using.
+ A: That would require that your 802.11 interface run in the mode
+ called "monitor mode" or "RFMON mode". Not all operating systems
+ support that and, even on operating systems that do support it, not
+ all drivers, and thus not all cards, support it.
Cisco Aironet cards:
On FreeBSD, the ancontrol utility must be used; do not enable the full
Aironet header via BPF, as Ethereal doesn't currently support that.
- On Linux, you will need to do
+ On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will
+ need to do
echo "Mode: rfmon" >/proc/driver/aironet/ethN/Config
echo "Mode: ess" >/proc/driver/aironet/ethN/Config
- In either case, Ethereal would have to be linked with libpcap 0.7.1 or
- later; this means that most Ethereal binary packages won't work unless
- they're statically linked with libpcap 0.7.1 or later, or they're
- dynamically linked with libpcap and your system has a libpcap 0.7.1 or
- later shared library installed (note that libpcap source package from
- tcpdump.org does not build shared libraries).
+ On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers
+ from the airo-linux SourceForge site, you will have to capture on the
+ wifiN interface if your Aironet card is ethN, after running the
+ commands listed above.
+
+ In all of those cases, Ethereal would have to be linked with libpcap
+ 0.7.1 or later; this means that most Ethereal binary packages won't
+ work unless they're statically linked with libpcap 0.7.1 or later, or
+ they're dynamically linked with libpcap and your system has a libpcap
+ 0.7.1 or later shared library installed (note that libpcap source
+ package from tcpdump.org does not build shared libraries). Some binary
+ packaging mechanisms might make it difficult to install Ethereal
+ binary packages built to depend on older libpcap binary packages if
+ you have a newer libpcap binary package installed; the installer
+ programs for those packaging mechanisms might support disabling
+ dependency checking so that they will install Ethereal even though a
+ newer version of libpcap is installed.
Cards using the Prism II chip set (see this page of Linux 802.11
information for details on wireless cards, including information on
the chips they use):
You can capture raw 802.11 packets with Prism II cards on Linux
- systems with the 0.1.14-pre1 or later version of the linux-wlan-ng
+ systems with the 0.1.14-pre6 or later version of the linux-wlan-ng
drivers (see the linux-wlan page, and the linux-wlan-ng tarball
- directory), or with Solomon Peachy's patches to the linux-wlan-ng
- 0.1.13 drivers (see the `0132-packet-v71.diff' link on his software
- page; the patch speaks of 0.1.13-pre2, but appears to apply to 0.1.13
- as well). If you are using the 0.1.13 drivers, you might also want his
- `0132-promisc-v23.diff' patch as well; if you are using the
- 0.1.14-pre1 drivers, you might also want his
- `014p1-promiscfixes-v1.diff' patches - both of those are already in
- 0.1.14-pre2.
-
- Those require either Solomon's patch to libpcap 0.7.1 (see his
- `libpcap-0.7.1-prism.diff' file, or his RPMs of that version of
+ directory).
+
+ Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his
+ libpcap-0.7.1-prism.diff file, or his RPMs of that version of
libpcap), or the current CVS version of libpcap, which includes his
- patch (download it from the `Current Tar files' section of the
- tcpdump.org Web site).
+ patch (download it from the "Current Tar files" section of the
+ tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and
+ rebuild and install libpcap, or if you build and install the current
+ CVS version of libpcap, you would have to rebuild Ethereal from
+ source, linking it with that new version of libpcap; an Ethereal
+ binary package would not work. Ethereal binary packages might work if
+ you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
+ a libpcap shared library in place of the one on your system.
You may have to run a command to put the interface into monitor mode,
- or to change other interface settings.
- Earlier versions of the linux-wlan-ng drivers don't allow Ethereal to
- directly capture raw 802.11 packets on Prism II cards; however, on
- Linux systems with the linux-wlan-ng drivers version 0.1.6, the
- Prismdump utility can be used to capture packets; it saves packets in
- a form that Ethereal can read. Prismdump can be downloaded from this
- page on the developer.axis.com Web site.
+ or to change other interface settings, and you might have to capture
+ on a wlanN interface rather than a ethN interface, in order to capture
+ raw 802.11 packets. The interface settings are available in your
+ wlan-ng.conf file. See the wlan-ng FAQ for additional information.
On other platforms, capturing raw 802.11 packets on Prism II cards is
not currently supported.
Orinoco Silver and Gold cards:
- On Linux systems, when using either the orinoco_cs-0.09b driver or the
- driver in at least some versions of the Linux kernel, the
- `orinoco-09b-packet-1.diff' patch on the Orinoco Monitor Mode Patch
- Page should allow you to do capture raw 802.11 packets.
+ On Linux systems, there are patches on the Orinoco Monitor Mode Patch
+ Page that should allow you to do capture raw 802.11 packets. You will
+ have to determine which version of the driver you have, and select the
+ appropriate patch.
- The patch appears to apply to the driver in the 2.4.18 kernel, but we
- don't know whether it works; the directions on that page are for the
- pcmcia-cs drivers, not for the driver in the kernel itself.
Note that the page indicates that not all versions of the Orinoco
- firmware support this patch. The Orinoco patches require Solomon
- Peachy's libpcap patches.
+ firmware support this patch. It says, for some versions of the patch,
+ "This patch should allow monitor mode with v8.10 firmware (untested w/
+ 8.42);" if you have version 8.10 or later firmware on your Orinoco
+ cards, you might have to use those patches, with the corresponding
+ versions of the Orinoco driver, in order to run in monitor mode.
+
+ That patch is written for the drivers included with the pcmcia-cs
+ drivers, but works equally well for the Orinoco drivers provided with
+ Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,
+ simply copy the orinoco-09b-patch.diff file to the
+ /usr/src/linux/drivers/net directory and patch according to the
+ directions on the Orinoco Monitor Mode Patch Page. You can double-
+ check the version of the Orinoco drivers that shipped with your kernel
+ by examining the first few lines of the orinoco.c file.
+
+ Te Orinoco patches require either Solomon Peachy's patch to libpcap
+ 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that
+ version of libpcap), or the current CVS version of libpcap, which
+ includes his patch (download it from the "Current Tar files" section
+ of the tcpdump.org Web site). If you apply his patches to libpcap
+ 0.7.1 and rebuild and install libpcap, or if you build and install the
+ current CVS version of libpcap, you would have to rebuild Ethereal
+ from source, linking it with that new version of libpcap; an Ethereal
+ binary package would not work. Ethereal binary packages might work if
+ you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install
+ a libpcap shared library in place of the one on your system.
On other platforms, capturing raw 802.11 packets on Orinoco cards is
not currently supported.
With other 802.11 interfaces, no platform allows Ethereal to capture
raw 802.11 packets, as far as we know. If you know of other 802.11
- interfaces that are supported (note that there are many `Prism II
- cards', so your card might be a Prism II card), please let us know,
+ interfaces that are supported (note that there are many "Prism II
+ cards", so your card might be a Prism II card), please let us know,
and include URLs for sites containing any necessary patches to add
this support.
On platforms that don't allow Ethereal to capture raw 802.11 packets,
the 802.11 network will appear like an Ethernet to Ethereal.
- Q 5.24: How can I capture packets with CRC errors?
+ Q 5.26: How can I capture packets with CRC errors?
A: Ethereal can capture only the packets that the packet capture
library - libpcap on UNIX-flavored OSes, and the WinPcap port to
libpcap and the packet capture program you're using are necessary to
support capturing those packets.
- Q 5.25: How can I capture entire frames, including the FCS?
+ Q 5.27: How can I capture entire frames, including the FCS?
A: Ethereal can't capture any data that the packet capture library -
libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
not support capturing the FCS of a frame on Ethernet, and probably do
not support it on most other link-layer types.
- Q 5.26: Ethereal hangs after I stop a capture.
+ Q 5.28: Ethereal hangs after I stop a capture.
A: The most likely reason for this is that Ethereal is trying to look
up an IP address in the capture to convert it to a name (so that, for
lookup to take a long time.
If you disable network address-to-name translation - for example, by
- turning off the `Enable network name resolution' option in the `Name
- resolution' options in the dialog box you get by selecting
- `Preferences' from the `Edit' menu - the lookups of the address won't
+ turning off the "Enable network name resolution" option in the "Name
+ resolution" options in the dialog box you get by selecting
+ "Preferences" from the "Edit" menu - the lookups of the address won't
be done, which may speed up the process of reading the capture file
after the capture is stopped. You can make that setting the default by
- using the `Save' button in that dialog box; note that this will save
+ using the "Save" button in that dialog box; note that this will save
all your current preference settings.
If Ethereal hangs when reading a capture even with network name
contains sensitive information (e.g., passwords), then please do not
send it.
- Q 5.27: How can I search for, or filter, packets that have a
+ Q 5.29: How can I search for, or filter, packets that have a
particular string anywhere in them?
A: Currently, you can't.
list.
For corrections/additions/suggestions for this page, please send email
to: ethereal-web[AT]ethereal.com
- Last modified: Wed, March 05 2003.
+ Last modified: Thu, March 20 2003.
"\n"
" when I try to build Ethereal from CVS or a CVS snapshot?\n"
"\n"
-" 4.3 The link failed because of an undefined reference to\n"
-" snmp_set_full_objid.\n"
-"\n"
-" 4.4 The link fails with a number of \"Output line too long.\" messages\n"
+" 4.3 The link fails with a number of \"Output line too long.\" messages\n"
" followed by linker errors. \n"
"\n"
-" 4.5 The link fails on Solaris because plugin_list is undefined. \n"
+" 4.4 The link fails on Solaris because plugin_list is undefined. \n"
"\n"
-" 4.6 The build fails on Windows because of conflicts between winsock.h\n"
+" 4.5 The build fails on Windows because of conflicts between winsock.h\n"
" and winsock2.h. \n"
"\n"
" Using Ethereal:\n"
" machine, even though another sniffer on the network sees those\n"
" packets.\n"
"\n"
-" 5.3 I can set a display filter just fine, but capture filters don't\n"
+" 5.3 I'm only seeing ARP packets when I try to capture traffic.\n"
+"\n"
+" 5.4 How do I put an interface into promiscuous mode?\n"
+"\n"
+" 5.5 I can set a display filter just fine, but capture filters don't\n"
" work.\n"
"\n"
-" 5.4 I'm entering valid capture filters, but I still get \"parse error\"\n"
+" 5.6 I'm entering valid capture filters, but I still get \"parse error\"\n"
" errors.\n"
"\n"
-" 5.5 I saved a filter and tried to use its name to filter the display,\n"
+" 5.7 I saved a filter and tried to use its name to filter the display,\n"
" but I got an \"Unexpected end of filter string\" error.\n"
"\n"
-" 5.6 Why am I seeing lots of packets with incorrect TCP checksums?\n"
+" 5.8 Why am I seeing lots of packets with incorrect TCP checksums?\n"
"\n"
-" 5.7 I've just installed Ethereal, and the traffic on my local LAN is\n"
+" 5.9 I've just installed Ethereal, and the traffic on my local LAN is\n"
" boring.\n"
"\n"
-" 5.8 When I run Ethereal on Solaris 8, it dies with a Bus Error when I\n"
+" 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I\n"
" start it.\n"
"\n"
-" 5.9 I'm running Ethereal on Linux; why do my time stamps have only\n"
+" 5.11 I'm running Ethereal on Linux; why do my time stamps have only\n"
" 100ms resolution, rather than 1us resolution?\n"
"\n"
-" 5.10 I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
+" 5.12 I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
" why are the time stamps on packets wrong? \n"
"\n"
-" 5.11 When I try to run Ethereal on Windows, it fails to run because it\n"
+" 5.13 When I try to run Ethereal on Windows, it fails to run because it\n"
" can't find packet.dll.\n"
"\n"
-" 5.12 Why does some network interface on my machine not show up in the\n"
+" 5.14 Why does some network interface on my machine not show up in the\n"
" list of interfaces in the \"Interface:\" field in the dialog box popped\n"
" up by \"Capture->Start\", and/or why does Ethereal give me an error if I\n"
" try to capture on that interface? \n"
"\n"
-" 5.13 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has\n"
+" 5.15 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has\n"
" a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the\n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no\n"
" packets be sent on or received from that network while I'm trying to\n"
" capture traffic on that interface?\n"
"\n"
-" 5.14 I'm running Ethereal on Windows 95/98/Me, on a machine with more\n"
+" 5.16 I'm running Ethereal on Windows 95/98/Me, on a machine with more\n"
" than one network adapter of the same type; Ethereal shows all of those\n"
" adapters with the same name, but I can't use any of those adapters\n"
" other than the first one.\n"
"\n"
-" 5.15 I have an XXX network card on my machine; if I try to capture on\n"
+" 5.17 I have an XXX network card on my machine; if I try to capture on\n"
" it, my machine crashes or resets itself. \n"
"\n"
-" 5.16 My machine crashes or resets itself when I select \"Start\" from\n"
+" 5.18 My machine crashes or resets itself when I select \"Start\" from\n"
" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n"
"\n"
-" 5.17 Does Ethereal work on Windows ME? \n"
+" 5.19 Does Ethereal work on Windows ME? \n"
"\n"
-" 5.18 Does Ethereal work on Windows XP? \n"
+" 5.20 Does Ethereal work on Windows XP? \n"
"\n"
-" 5.19 Why doesn't Ethereal correctly identify RTP packets? It shows\n"
+" 5.21 Why doesn't Ethereal correctly identify RTP packets? It shows\n"
" them only as UDP.\n"
"\n"
-" 5.20 Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
+" 5.22 Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
" that contain Yahoo Messenger traffic?\n"
"\n"
-" 5.21 Why do I get the error \n"
+" 5.23 Why do I get the error \n"
"\n"
" Gdk-ERROR **: Palettized display (256-colour) mode not supported on\n"
" Windows.\n"
"\n"
" when I try to run Ethereal on Windows?\n"
"\n"
-" 5.22 When I capture on Windows in promiscuous mode, I can see packets\n"
+" 5.24 When I capture on Windows in promiscuous mode, I can see packets\n"
" other than those sent to or from my machine; however, those packets\n"
" show up with a \"Short Frame\" indication, unlike packets to or from my\n"
" machine. What should I do to arrange that I see those packets in their\n"
" entirety? \n"
"\n"
-" 5.23 How can I capture raw 802.11 packets, including non-data\n"
+" 5.25 How can I capture raw 802.11 packets, including non-data\n"
" (management, beacon) packets? \n"
"\n"
-" 5.24 How can I capture packets with CRC errors? \n"
+" 5.26 How can I capture packets with CRC errors? \n"
"\n"
-" 5.25 How can I capture entire frames, including the FCS? \n"
+" 5.27 How can I capture entire frames, including the FCS? \n"
"\n"
-" 5.26 Ethereal hangs after I stop a capture. \n"
+" 5.28 Ethereal hangs after I stop a capture. \n"
"\n"
-" 5.27 How can I search for, or filter, packets that have a particular\n"
+" 5.29 How can I search for, or filter, packets that have a particular\n"
" string anywhere in them? \n"
"\n"
" GENERAL QUESTIONS \n"
"\n"
" Q 1.2: What protocols are currently supported?\n"
"\n"
-" A: There are currently 355 supported protocols and media, listed\n"
+" A: There are currently 366 supported protocols and media, listed\n"
" below. Descriptions can be found in the ethereal(1) man page.\n"
"\n"
" 802.1q Virtual LAN\n"
" Distance Vector Multicast Routing Protocol\n"
" Distributed Checksum Clearinghouse Prototocl\n"
" Domain Name Service\n"
-" Dummy Protocol\n"
" Dynamic DNS Tools Protocol\n"
" Encapsulating Security Payload\n"
" Enhanced Interior Gateway Routing Protocol\n"
" Ethernet\n"
+" Ethernet over IP\n"
" Extensible Authentication Protocol\n"
" FC Extended Link Svc\n"
" FC Fabric Configuration Server\n"
" Generic Routing Encapsulation\n"
" Generic Security Service Application Program Interface\n"
" Gnutella Protocol\n"
+" HP Extended Local-Link Control\n"
+" HP Remote Maintenance Protocol\n"
" Hummingbird NFS Daemon\n"
" HyperSCSI\n"
" Hypertext Transfer Protocol\n"
" MDS Header\n"
" MMS Message Encapsulation\n"
" MS Proxy Protocol\n"
+" MSN Messenger Service\n"
" MSNIP: Multicast Source Notification of Interest Protocol\n"
" MTP 2 Transparent Proxy\n"
" MTP 2 User Adaptation Layer\n"
" Microsoft Windows Logon Protocol\n"
" Microsoft Workstation Service\n"
" Mobile IP\n"
+" Mobile IPv6\n"
" Modbus/TCP\n"
" Mount Service\n"
" MultiProtocol Label Switching Header\n"
" Novell Distributed Print System\n"
" Null/Loopback\n"
" Open Shortest Path First\n"
+" OpenBSD Encapsulating device\n"
" OpenBSD Packet Filter log file\n"
" PC NFS\n"
" PPP Bandwidth Allocation Control Protocol\n"
" PPP Bandwidth Allocation Protocol\n"
+,
+
" PPP CDP Control Protocol\n"
" PPP Callback Control Protocol\n"
" PPP Challenge Handshake Authentication Protocol\n"
" PPP Compressed Datagram\n"
" PPP Compression Control Protocol\n"
" PPP IP Control Protocol\n"
-,
-
" PPP IPv6 Control Protocol\n"
" PPP Link Control Protocol\n"
" PPP MPLS Control Protocol\n"
" RIPng\n"
" RPC Browser\n"
" RSTAT\n"
+" RSYNC File Synchroniser\n"
" RX Protocol\n"
" Radio Access Network Application Part\n"
" Radius Protocol\n"
" SPRAY\n"
" SS7 SCCP-User Adaptation Layer\n"
" SSCOP\n"
+" SSH Protocol\n"
" Secure Socket Layer\n"
" Sequenced Packet eXchange\n"
" Service Advertisement Protocol\n"
" Synchronous Data Link Control (SDLC)\n"
" Syslog message\n"
" Systems Network Architecture\n"
+" Systems Network Architecture XID\n"
" TACACS\n"
" TACACS+\n"
" TPKT\n"
" User Datagram Protocol\n"
" Virtual Router Redundancy Protocol\n"
" Virtual Trunking Protocol\n"
+" WAP Binary XML\n"
" Web Cache Coordination Protocol\n"
+" Wellfleet Breath of Life\n"
" Wellfleet Compression\n"
" Wellfleet HDLC\n"
" Who\n"
" X11\n"
" Xyplex\n"
" Yahoo Messenger Protocol\n"
+" Yahoo YMSG Messenger Protocol\n"
" Yellow Pages Bind\n"
" Yellow Pages Passwd\n"
" Yellow Pages Service\n"
" machine). There is a bug in that version of automake that causes this\n"
" problem; upgrade to a later version of automake (1.6 or later).\n"
"\n"
-" Q 4.3: The link failed because of an undefined reference to\n"
-" snmp_set_full_objid.\n"
-"\n"
-" A: You probably have the shared library for UCD SNMP 4.1.1 installed\n"
-" (so that snmp_set_full_objid is a macro, rather than a routine in the\n"
-" SNMP shared library), but the `development' package for an earlier or\n"
-" later UCD SNMP library (so that snmp_set_full_objid is not defined as\n"
-" a macro, causing Ethereal to attempt to call it as a routine).\n"
-"\n"
-" If you are on a Linux system that uses RPMs, and the UCD SNMP packages\n"
-" are installed as RPMs, the command rpm -qa | grep snmp will report the\n"
-" versions of the SNMP packages you have installed; they should all have\n"
-" the same version number, such as 4.0.1 or 4.1.1 or 4.1.2. If they\n"
-" don't, remove the RPM for the development package (which will probably\n"
-" have a name beginning with ucd-snmp-devel) and install the version of\n"
-" the development package with the same version number as the other\n"
-" ucd-snmp packages have.\n"
-"\n"
-" After installing the 4.1.1 version of the UCD SNMP header files, do a\n"
-" make clean and then rebuild Ethereal.\n"
-"\n"
-" Q 4.4: The link fails with a number of \"Output line too long.\"\n"
+" Q 4.3: The link fails with a number of \"Output line too long.\"\n"
" messages followed by linker errors. \n"
"\n"
" A: The version of the sed command on your system is incapable of\n"
" searching the directory with the version of sed that came with the OS\n"
" should make the problem go away.\n"
"\n"
-" Q 4.5: The link fails on Solaris because plugin_list is undefined. \n"
+" Q 4.4: The link fails on Solaris because plugin_list is undefined. \n"
"\n"
" A: This appears to be due to a problem with some versions of the GTK+\n"
" and GLib packages from www.sunfreeware.org; un-install those packages,\n"
" persists, un-install them and try installing one of the other versions\n"
" mentioned.)\n"
"\n"
-" Q 4.6: The build fails on Windows because of conflicts between\n"
+" Q 4.5: The build fails on Windows because of conflicts between\n"
" winsock.h and winsock2.h. \n"
"\n"
" A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and\n"
" this. See, for example:\n"
" * this documentation from Cisco on the Switched Port Analyzer (SPAN)\n"
" feature on Catalyst switches;\n"
-" * documentation from HP on how to set `monitoring'/`mirroring' on\n"
+" * documentation from HP on how to set \"monitoring\"/\"mirroring\" on\n"
" ports on the console for HP Advancestack Switch 208 and 224;\n"
-" * the `Network Monitoring Port Features' section of chapter 6 of\n"
+" * the \"Network Monitoring Port Features\" section of chapter 6 of\n"
" documentation from HP for HP ProCurve Switches 1600M, 2424M,\n"
" 4000M, and 8000M.\n"
"\n"
" off in the \"Capture Options\" dialog box, and Tethereal will try to put\n"
" the interface on which it's capturing into promiscuous mode unless the\n"
" -p option was specified. However, some network interfaces don't\n"
-,
-
" support promiscuous mode, and some OSes might not allow interfaces to\n"
" be put into promiscuous mode.\n"
"\n"
" address the interface is set up to receive.\n"
"\n"
" You should ask the vendor of your network interface whether it\n"
+,
+
" supports promiscuous mode. If it does, you should ask whoever supplied\n"
" the driver for the interface (the vendor, or the supplier of the OS\n"
" you're running on your machine) whether it supports promiscuous mode\n"
" In the case of token ring interfaces, the drivers for some of them, on\n"
" Windows, may require you to enable promiscuous mode in order to\n"
" capture in promiscuous mode. Ask the vendor of the card how to do\n"
-" this.\n"
+" this, or see, for example, this information on promiscuous mode on\n"
+" some Madge token ring adapters (note that those cards can have\n"
+" promiscuous mode disabled permanently, in which case you can't enable\n"
+" it).\n"
"\n"
" In the case of wireless LAN interfaces, it appears that, when those\n"
" interfaces are promiscuously sniffing, they're running in a\n"
" traffic, it's a problem with unicast traffic, as you also won't see\n"
" all UDP traffic between other machines.\n"
"\n"
-" I.e., this is probably the same problem discussed in the previous\n"
-" question; see the response to that question.\n"
+" I.e., this is probably the same question as this earlier one; see the\n"
+" response to that question.\n"
+"\n"
+" Q 5.3: I'm only seeing ARP packets when I try to capture traffic.\n"
+"\n"
+" A: You're probably on a switched network, and running Ethereal on a\n"
+" machine that's not sending traffic to the switch and not being sent\n"
+" any traffic from other machines on the switch. ARP packets are often\n"
+" broadcast packets, which are sent to all switch ports.\n"
+"\n"
+" I.e., this is probably the same question as this earlier one; see the\n"
+" response to that question.\n"
+"\n"
+" Q 5.4: How do I put an interface into promiscuous mode?\n"
+"\n"
+" A: By not disabling promiscuous mode when running Ethereal or\n"
+" Tethereal.\n"
+"\n"
+" Note, however, that:\n"
+" * the form of promiscuous mode that libpcap (the library that\n"
+" programs such as tcpdump, Ethereal, etc. use to do packet capture)\n"
+" turns on will not necessarily be shown if you run ifconfig on the\n"
+" interface on a UNIX system;\n"
+" * some network interfaces might not support promiscuous mode, and\n"
+" some drivers might not allow promiscuous mode to be turned on -\n"
+" see this earlier question for more information on that;\n"
+" * the fact that you're not seeing any traffic, or are only seeing\n"
+" broadcast traffic, or aren't seeing any non-broadcast traffic\n"
+" other than traffic to or from the machine running Ethereal, does\n"
+" not mean that promiscuous mode isn't on - see this earlier\n"
+" question for more information on that.\n"
"\n"
-" Q 5.3: I can set a display filter just fine, but capture filters don't\n"
+" I.e., this is probably the same question as this earlier one; see the\n"
+" response to that question.\n"
+"\n"
+" Q 5.5: I can set a display filter just fine, but capture filters don't\n"
" work.\n"
"\n"
" A: Capture filters currently use a different syntax than display\n"
" The capture filter syntax used by libpcap can be found in the\n"
" tcpdump(8) man page.\n"
"\n"
-" Q 5.4: I'm entering valid capture filters, but I still get \"parse\n"
+" Q 5.6: I'm entering valid capture filters, but I still get \"parse\n"
" error\" errors.\n"
"\n"
" A: There is a bug in some versions of libpcap/WinPcap that cause it to\n"
" WinPcap, you will need to un-install WinPcap and then download and\n"
" install WinPcap 2.3.\n"
"\n"
-" Q 5.5: I saved a filter and tried to use its name to filter the\n"
+" Q 5.7: I saved a filter and tried to use its name to filter the\n"
" display, but I got an \"Unexpected end of filter string\" error.\n"
"\n"
" A: You cannot use the name of a saved display filter as a filter. To\n"
" use a saved filter, you can press the \"Filter:\" button, select the\n"
" filter in the dialog box that pops up, and press the \"OK\" button.\n"
"\n"
-" Q 5.6: Why am I seeing lots of packets with incorrect TCP checksums?\n"
+" Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums?\n"
"\n"
" A: If the packets that have incorrect TCP checksums are all being sent\n"
" by the machine on which Ethereal is running, this is probably because\n"
" tcp.check_checksum:false command-line flag, or manually set in your\n"
" preferences file by adding a tcp.check_checksum:false line.\n"
"\n"
-" Q 5.7: I've just installed Ethereal, and the traffic on my local LAN\n"
+" Q 5.9: I've just installed Ethereal, and the traffic on my local LAN\n"
" is boring.\n"
"\n"
" A: We have a collection of strange and exotic sample capture files at\n"
" http://www.ethereal.com/sample/\n"
"\n"
-" Q 5.8: When I run Ethereal on Solaris 8, it dies with a Bus Error when\n"
-" I start it.\n"
+" Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error\n"
+" when I start it.\n"
"\n"
" A: Some versions of the GTK+ library from www.sunfreeware.org appear\n"
" to be buggy, causing Ethereal to drop core with a Bus Error.\n"
" Similar problems may exist with older versions of GTK+ for earlier\n"
" versions of Solaris.\n"
"\n"
-" Q 5.9: I'm running Ethereal on Linux; why do my time stamps have only\n"
+" Q 5.11: I'm running Ethereal on Linux; why do my time stamps have only\n"
" 100ms resolution, rather than 1us resolution?\n"
"\n"
" A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap\n"
" have to run a standard kernel from kernel.org in order to get\n"
" high-resolution time stamps.\n"
"\n"
-" Q 5.10: I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
+" Q 5.12: I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n"
" why are the time stamps on packets wrong? \n"
"\n"
" A: This is due to a bug in WinPcap. The bug should be fixed in the\n"
-" WinPcap 3.0 alpha release - note that it's an alpha release, so it may\n"
+" WinPcap 3.0 beta release - note that it's an beta release, so it may\n"
" be buggier than the current production release of WinPcap; please\n"
" report those bugs to the WinPcap developers, and help them try to\n"
" track down the problem, so that they can fix it for the final release.\n"
"\n"
-" Q 5.11: When I try to run Ethereal on Windows, it fails to run because\n"
+" Q 5.13: When I try to run Ethereal on Windows, it fails to run because\n"
" it can't find packet.dll.\n"
"\n"
" A: In older versions of Ethereal, there were two binary distributions\n"
" Web site, the local mirror of the WinPcap Web site, or the\n"
" Wiretapped.net mirror of the WinPcap site.\n"
"\n"
-" Q 5.12: Why does some network interface on my machine not show up in\n"
+" Q 5.14: Why does some network interface on my machine not show up in\n"
" the list of interfaces in the \"Interface:\" field in the dialog box\n"
" popped up by \"Capture->Start\", and/or why does Ethereal give me an\n"
" error if I try to capture on that interface? \n"
" details of the problem, as described above, and also indicate that the\n"
" problem occurs with tcpdump/WinDump, not just with Ethereal.\n"
"\n"
-" Q 5.13: I'm running Ethereal on Windows NT/2000/XP/Server; my machine\n"
+" Q 5.15: I'm running Ethereal on Windows NT/2000/XP/Server; my machine\n"
" has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the\n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no\n"
" packets be sent on or received from that network while I'm trying to\n"
" Preferences\" dialog box, but this may mean that outgoing packets, or\n"
" incoming packets, won't be seen in the capture.\n"
"\n"
-" Q 5.14: I'm running Ethereal on Windows 95/98/Me, on a machine with\n"
+" Q 5.16: I'm running Ethereal on Windows 95/98/Me, on a machine with\n"
" more than one network adapter of the same type; Ethereal shows all of\n"
" those adapters with the same name, but I can't use any of those\n"
" adapters other than the first one.\n"
" capture only on the first such interface; Ethereal is a\n"
" libpcap/WinPcap-based application.\n"
"\n"
-" Q 5.15: I have an XXX network card on my machine; if I try to capture\n"
+" Q 5.17: I have an XXX network card on my machine; if I try to capture\n"
" on it, my machine crashes or resets itself. \n"
+,
+
"\n"
" A: This is almost certainly a problem with one or more of:\n"
" * the operating system you're using;\n"
" Linux distribution, report the problem to whoever produces the\n"
" distribution).\n"
"\n"
-" Q 5.16: My machine crashes or resets itself when I select \"Start\" from\n"
+" Q 5.18: My machine crashes or resets itself when I select \"Start\" from\n"
" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n"
"\n"
" A: Both of those operations cause Ethereal to try to build a list of\n"
" or, for Windows, WinPcap bug that causes the system to crash when this\n"
" happens; see the previous question.\n"
"\n"
-" Q 5.17: Does Ethereal work on Windows ME? \n"
-,
-
+" Q 5.19: Does Ethereal work on Windows ME? \n"
"\n"
" A: Yes, but if you want to capture packets, you will need to install\n"
" the latest version of WinPcap, as 2.02 and earlier versions of WinPcap\n"
" didn't support Windows ME. You should also install the latest version\n"
" of Ethereal as well.\n"
"\n"
-" Q 5.18: Does Ethereal work on Windows XP? \n"
+" Q 5.20: Does Ethereal work on Windows XP? \n"
"\n"
" A: Yes, but if you want to capture packets, you will need to install\n"
" the latest version of WinPcap, as 2.2 and earlier versions of WinPcap\n"
" didn't support Windows XP.\n"
"\n"
-" Q 5.19: Why doesn't Ethereal correctly identify RTP packets? It shows\n"
+" Q 5.21: Why doesn't Ethereal correctly identify RTP packets? It shows\n"
" them only as UDP.\n"
"\n"
" A: Ethereal can identify a UDP datagram as containing a packet of a\n"
" both the source and destination ports of the packet should be\n"
" dissected as some particular protocol.\n"
"\n"
-" Q 5.20: Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
+" Q 5.22: Why doesn't Ethereal show Yahoo Messenger packets in captures\n"
" that contain Yahoo Messenger traffic?\n"
"\n"
" A: Ethereal only recognizes as Yahoo Messenger traffic packets to or\n"
-" from TCP port 3050 that begin with \"YPNS\" or \"YHOO\". This means that\n"
-" 1. TCP segments that start with the middle of a Yahoo Messenger\n"
-" packet that takes more than one TCP segment will not be recognized\n"
-" as Yahoo Messenger packets (even if the TCP segment also contains\n"
-" the beginning of another Yahoo Messenger packet);\n"
-" 2. Yahoo Messenger packets that begin with \"YMSG\", as packets for\n"
-" some versions of the protocol apparently do, will not be\n"
-" recognized as Yahoo Messenger packets.\n"
+" from TCP port 3050 that begin with \"YPNS\", \"YHOO\", or \"YMSG\". TCP\n"
+" segments that start with the middle of a Yahoo Messenger packet that\n"
+" takes more than one TCP segment will not be recognized as Yahoo\n"
+" Messenger packets (even if the TCP segment also contains the beginning\n"
+" of another Yahoo Messenger packet).\n"
"\n"
-" Q 5.21: Why do I get the error \n"
+" Q 5.23: Why do I get the error \n"
"\n"
" Gdk-ERROR **: Palettized display (256-colour) mode not supported on\n"
" Windows.\n"
" to a display mode with more colors; if it doesn't support more than\n"
" 256 colors, you will be unable to run Ethereal.\n"
"\n"
-" Q 5.22: When I capture on Windows in promiscuous mode, I can see\n"
+" Q 5.24: When I capture on Windows in promiscuous mode, I can see\n"
" packets other than those sent to or from my machine; however, those\n"
" packets show up with a \"Short Frame\" indication, unlike packets to or\n"
" from my machine. What should I do to arrange that I see those packets\n"
" running on the network interface on which you're capturing; turn it\n"
" off on that interface.\n"
"\n"
-" Q 5.23: How can I capture raw 802.11 packets, including non-data\n"
+" Q 5.25: How can I capture raw 802.11 packets, including non-data\n"
" (management, beacon) packets? \n"
"\n"
-" A: The answer to this depends on the operating system on which you're\n"
-" running and the 802.11 interface you're using.\n"
+" A: That would require that your 802.11 interface run in the mode\n"
+" called \"monitor mode\" or \"RFMON mode\". Not all operating systems\n"
+" support that and, even on operating systems that do support it, not\n"
+" all drivers, and thus not all cards, support it.\n"
"\n"
" Cisco Aironet cards:\n"
"\n"
" On FreeBSD, the ancontrol utility must be used; do not enable the full\n"
" Aironet header via BPF, as Ethereal doesn't currently support that.\n"
"\n"
-" On Linux, you will need to do\n"
+" On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will\n"
+" need to do\n"
"\n"
"echo \"Mode: rfmon\" >/proc/driver/aironet/ethN/Config\n"
"\n"
"\n"
"echo \"Mode: ess\" >/proc/driver/aironet/ethN/Config\n"
"\n"
-" In either case, Ethereal would have to be linked with libpcap 0.7.1 or\n"
-" later; this means that most Ethereal binary packages won't work unless\n"
-" they're statically linked with libpcap 0.7.1 or later, or they're\n"
-" dynamically linked with libpcap and your system has a libpcap 0.7.1 or\n"
-" later shared library installed (note that libpcap source package from\n"
-" tcpdump.org does not build shared libraries).\n"
+" On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers\n"
+" from the airo-linux SourceForge site, you will have to capture on the\n"
+" wifiN interface if your Aironet card is ethN, after running the\n"
+" commands listed above.\n"
+"\n"
+" In all of those cases, Ethereal would have to be linked with libpcap\n"
+" 0.7.1 or later; this means that most Ethereal binary packages won't\n"
+" work unless they're statically linked with libpcap 0.7.1 or later, or\n"
+" they're dynamically linked with libpcap and your system has a libpcap\n"
+" 0.7.1 or later shared library installed (note that libpcap source\n"
+" package from tcpdump.org does not build shared libraries). Some binary\n"
+" packaging mechanisms might make it difficult to install Ethereal\n"
+" binary packages built to depend on older libpcap binary packages if\n"
+" you have a newer libpcap binary package installed; the installer\n"
+" programs for those packaging mechanisms might support disabling\n"
+" dependency checking so that they will install Ethereal even though a\n"
+" newer version of libpcap is installed.\n"
"\n"
" Cards using the Prism II chip set (see this page of Linux 802.11\n"
" information for details on wireless cards, including information on\n"
" the chips they use):\n"
"\n"
" You can capture raw 802.11 packets with Prism II cards on Linux\n"
-" systems with the 0.1.14-pre1 or later version of the linux-wlan-ng\n"
+" systems with the 0.1.14-pre6 or later version of the linux-wlan-ng\n"
" drivers (see the linux-wlan page, and the linux-wlan-ng tarball\n"
-" directory), or with Solomon Peachy's patches to the linux-wlan-ng\n"
-" 0.1.13 drivers (see the `0132-packet-v71.diff' link on his software\n"
-" page; the patch speaks of 0.1.13-pre2, but appears to apply to 0.1.13\n"
-" as well). If you are using the 0.1.13 drivers, you might also want his\n"
-" `0132-promisc-v23.diff' patch as well; if you are using the\n"
-" 0.1.14-pre1 drivers, you might also want his\n"
-" `014p1-promiscfixes-v1.diff' patches - both of those are already in\n"
-" 0.1.14-pre2.\n"
-"\n"
-" Those require either Solomon's patch to libpcap 0.7.1 (see his\n"
-" `libpcap-0.7.1-prism.diff' file, or his RPMs of that version of\n"
+" directory).\n"
+"\n"
+" Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his\n"
+" libpcap-0.7.1-prism.diff file, or his RPMs of that version of\n"
" libpcap), or the current CVS version of libpcap, which includes his\n"
-" patch (download it from the `Current Tar files' section of the\n"
-" tcpdump.org Web site).\n"
+" patch (download it from the \"Current Tar files\" section of the\n"
+" tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and\n"
+" rebuild and install libpcap, or if you build and install the current\n"
+" CVS version of libpcap, you would have to rebuild Ethereal from\n"
+" source, linking it with that new version of libpcap; an Ethereal\n"
+" binary package would not work. Ethereal binary packages might work if\n"
+" you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install\n"
+" a libpcap shared library in place of the one on your system.\n"
"\n"
" You may have to run a command to put the interface into monitor mode,\n"
-" or to change other interface settings.\n"
-" Earlier versions of the linux-wlan-ng drivers don't allow Ethereal to\n"
-" directly capture raw 802.11 packets on Prism II cards; however, on\n"
-" Linux systems with the linux-wlan-ng drivers version 0.1.6, the\n"
-" Prismdump utility can be used to capture packets; it saves packets in\n"
-" a form that Ethereal can read. Prismdump can be downloaded from this\n"
-" page on the developer.axis.com Web site.\n"
+" or to change other interface settings, and you might have to capture\n"
+" on a wlanN interface rather than a ethN interface, in order to capture\n"
+" raw 802.11 packets. The interface settings are available in your\n"
+" wlan-ng.conf file. See the wlan-ng FAQ for additional information.\n"
"\n"
" On other platforms, capturing raw 802.11 packets on Prism II cards is\n"
" not currently supported.\n"
"\n"
" Orinoco Silver and Gold cards:\n"
"\n"
-" On Linux systems, when using either the orinoco_cs-0.09b driver or the\n"
-" driver in at least some versions of the Linux kernel, the\n"
-" `orinoco-09b-packet-1.diff' patch on the Orinoco Monitor Mode Patch\n"
-" Page should allow you to do capture raw 802.11 packets.\n"
+" On Linux systems, there are patches on the Orinoco Monitor Mode Patch\n"
+" Page that should allow you to do capture raw 802.11 packets. You will\n"
+" have to determine which version of the driver you have, and select the\n"
+" appropriate patch.\n"
"\n"
-" The patch appears to apply to the driver in the 2.4.18 kernel, but we\n"
-" don't know whether it works; the directions on that page are for the\n"
-" pcmcia-cs drivers, not for the driver in the kernel itself.\n"
" Note that the page indicates that not all versions of the Orinoco\n"
-" firmware support this patch. The Orinoco patches require Solomon\n"
-" Peachy's libpcap patches.\n"
+" firmware support this patch. It says, for some versions of the patch,\n"
+" \"This patch should allow monitor mode with v8.10 firmware (untested w/\n"
+" 8.42);\" if you have version 8.10 or later firmware on your Orinoco\n"
+" cards, you might have to use those patches, with the corresponding\n"
+" versions of the Orinoco driver, in order to run in monitor mode.\n"
+"\n"
+" That patch is written for the drivers included with the pcmcia-cs\n"
+" drivers, but works equally well for the Orinoco drivers provided with\n"
+" Linux kernels up to 2.4.20. To apply a patch to your kernel drivers,\n"
+" simply copy the orinoco-09b-patch.diff file to the\n"
+" /usr/src/linux/drivers/net directory and patch according to the\n"
+" directions on the Orinoco Monitor Mode Patch Page. You can double-\n"
+" check the version of the Orinoco drivers that shipped with your kernel\n"
+" by examining the first few lines of the orinoco.c file.\n"
+"\n"
+" Te Orinoco patches require either Solomon Peachy's patch to libpcap\n"
+" 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that\n"
+" version of libpcap), or the current CVS version of libpcap, which\n"
+" includes his patch (download it from the \"Current Tar files\" section\n"
+" of the tcpdump.org Web site). If you apply his patches to libpcap\n"
+" 0.7.1 and rebuild and install libpcap, or if you build and install the\n"
+" current CVS version of libpcap, you would have to rebuild Ethereal\n"
+" from source, linking it with that new version of libpcap; an Ethereal\n"
+" binary package would not work. Ethereal binary packages might work if\n"
+" you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install\n"
+" a libpcap shared library in place of the one on your system.\n"
"\n"
" On other platforms, capturing raw 802.11 packets on Orinoco cards is\n"
" not currently supported.\n"
"\n"
" With other 802.11 interfaces, no platform allows Ethereal to capture\n"
" raw 802.11 packets, as far as we know. If you know of other 802.11\n"
-" interfaces that are supported (note that there are many `Prism II\n"
-" cards', so your card might be a Prism II card), please let us know,\n"
+" interfaces that are supported (note that there are many \"Prism II\n"
+" cards\", so your card might be a Prism II card), please let us know,\n"
" and include URLs for sites containing any necessary patches to add\n"
" this support.\n"
"\n"
" On platforms that don't allow Ethereal to capture raw 802.11 packets,\n"
" the 802.11 network will appear like an Ethernet to Ethereal.\n"
"\n"
-" Q 5.24: How can I capture packets with CRC errors? \n"
+" Q 5.26: How can I capture packets with CRC errors? \n"
"\n"
" A: Ethereal can capture only the packets that the packet capture\n"
" library - libpcap on UNIX-flavored OSes, and the WinPcap port to\n"
" libpcap and the packet capture program you're using are necessary to\n"
" support capturing those packets.\n"
"\n"
-" Q 5.25: How can I capture entire frames, including the FCS? \n"
+" Q 5.27: How can I capture entire frames, including the FCS? \n"
"\n"
" A: Ethereal can't capture any data that the packet capture library -\n"
" libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of\n"
" not support capturing the FCS of a frame on Ethernet, and probably do\n"
" not support it on most other link-layer types.\n"
"\n"
-" Q 5.26: Ethereal hangs after I stop a capture. \n"
+" Q 5.28: Ethereal hangs after I stop a capture. \n"
"\n"
" A: The most likely reason for this is that Ethereal is trying to look\n"
" up an IP address in the capture to convert it to a name (so that, for\n"
" lookup to take a long time.\n"
"\n"
" If you disable network address-to-name translation - for example, by\n"
-" turning off the `Enable network name resolution' option in the `Name\n"
-" resolution' options in the dialog box you get by selecting\n"
-" `Preferences' from the `Edit' menu - the lookups of the address won't\n"
+" turning off the \"Enable network name resolution\" option in the \"Name\n"
+" resolution\" options in the dialog box you get by selecting\n"
+" \"Preferences\" from the \"Edit\" menu - the lookups of the address won't\n"
" be done, which may speed up the process of reading the capture file\n"
" after the capture is stopped. You can make that setting the default by\n"
-" using the `Save' button in that dialog box; note that this will save\n"
+" using the \"Save\" button in that dialog box; note that this will save\n"
" all your current preference settings.\n"
"\n"
" If Ethereal hangs when reading a capture even with network name\n"
" contains sensitive information (e.g., passwords), then please do not\n"
" send it.\n"
"\n"
-" Q 5.27: How can I search for, or filter, packets that have a\n"
+" Q 5.29: How can I search for, or filter, packets that have a\n"
" particular string anywhere in them? \n"
"\n"
" A: Currently, you can't.\n"
" list. \n"
" For corrections/additions/suggestions for this page, please send email\n"
" to: ethereal-web[AT]ethereal.com\n"
-" Last modified: Wed, March 05 2003.\n"
+" Last modified: Thu, March 20 2003.\n"
};
#define FAQ_PARTS 4
-#define FAQ_SIZE 68530
+#define FAQ_SIZE 71384
git.samba.org / obnox / wireshark / wip.git / commitdiff