Building and Installing Wireshark
Introduction

As with all things, there must be a beginning, and so it is with Wireshark. To use Wireshark, you must:

- Obtain a binary package for your operating system, or
- Obtain the source and build Wireshark for your operating system.

Currently, only two or three Linux distributions ship Wireshark, and they commonly ship an out-of-date version. No other versions of UNIX ship Wireshark so far, and Microsoft does not ship it with any version of Windows. For that reason, you will need to know where to get the latest version of Wireshark and how to install it.

This chapter shows you how to obtain source and binary packages, and how to build Wireshark from source, should you choose to do so. The general steps are:

1. Download the relevant package for your needs, e.g. source or binary distribution.
2. Build the source into a binary, if you have downloaded the source. This may involve building and/or installing other necessary packages.
3. Install the binaries into their final destinations.
Obtaining the source and binary distributions

You can obtain both source and binary distributions from the Wireshark web site: &WiresharkWebSite;. Simply select the download link, and then select either the source package or binary package of your choice from the mirror site closest to you.

Download all required files! In general, unless you have already downloaded Wireshark before, you will most likely need to download several source packages if you are building Wireshark from source. This is covered in more detail below.

Once you have downloaded the relevant files, you can go on to the next step.

Note! While you will find a number of binary packages available on the Wireshark web site, you might not find one for your platform, and they often tend to be several versions behind the current released version, as they are contributed by people who have the platforms they are built for. For this reason, you might want to pull down the source distribution and build it, as the process is relatively simple.
Before you build Wireshark under UNIX

Before you build Wireshark from sources, or install a binary package, you must ensure that you have the following other packages installed:

- GTK+, The GIMP Tool Kit. You will also need GLib. Both can be obtained from www.gtk.org
- libpcap, the packet capture software that Wireshark uses. You can obtain libpcap from www.tcpdump.org

Depending on your system, you may be able to install these from binaries, e.g. RPMs, or you may need to obtain them in source code form and build them.

If you have downloaded the source for GTK+, the instructions shown in the following example may provide some help in building it:

Example: Building GTK+ from source

    gzip -dc gtk+-1.2.10.tar.gz | tar xvf -
    <much output removed>
    cd gtk+-1.2.10
    ./configure
    <much output removed>
    make
    <much output removed>
    make install
    <much output removed>

Note! You may need to change the version number of gtk+ in the example to match the version of GTK+ you have downloaded. The directory you change to will change if the version of GTK+ changes, and in all cases, tar xvf - will show you the name of the directory you should change to.

Note! If you use Linux, or have GNU tar installed, you can use tar zxvf gtk+-1.2.10.tar.gz. It is also possible to use gunzip -c or gzcat rather than gzip -dc on many UNIX systems.

Note! If you downloaded gtk+ or any other tar file using Windows, you may find your file called gtk+-1_2_8_tar.gz.

You should consult the GTK+ web site if any errors occur in carrying out the instructions in the example above.

If you have downloaded the source to libpcap, the general instructions shown in the following example will assist in building it. Also, if your operating system does not support tcpdump, you might also want to download it from the tcpdump web site and install it.

Example: Building and installing libpcap

    gzip -dc libpcap-0.9.4.tar.Z | tar xvf -
    <much output removed>
    cd libpcap-0.9.4
    ./configure
    <much output removed>
    make
    <much output removed>
    make install
    <much output removed>

Note! The directory you should change to will depend on the version of libpcap you have downloaded. In all cases, tar xvf - will show you the name of the directory that has been unpacked.

Under Red Hat 6.x and beyond (and distributions based on it, like Mandrake) you can simply install each of the packages you need from RPMs. Most Linux systems will install GTK+ and GLib in any case; however, you will probably need to install the devel versions of each of these packages. The commands shown in the following example will install all the needed RPMs if they are not already installed.

Example: Installing required RPMs under Red Hat Linux 6.2 and beyond

    cd /mnt/cdrom/RedHat/RPMS
    rpm -ivh glib-1.2.6-3.i386.rpm
    rpm -ivh glib-devel-1.2.6-3.i386.rpm
    rpm -ivh gtk+-1.2.6-7.i386.rpm
    rpm -ivh gtk+-devel-1.2.6-7.i386.rpm
    rpm -ivh libpcap-0.4-19.i386.rpm

If you are using a version of Red Hat later than 6.2, the required RPMs have most likely changed. Simply use the correct RPMs from your distribution.

Under Debian you can install Wireshark using aptitude. aptitude will handle any dependency issues for you. The following example shows how to do this.

Example: Installing debs under Debian

    aptitude install wireshark-dev
Building Wireshark from source under UNIX

Use the following general steps if you are building Wireshark from source under a UNIX operating system:

1. Unpack the source from its gzip'd tar file. If you are using Linux, or your version of UNIX uses GNU tar, you can use the following command:

       tar zxvf wireshark-&WiresharkCurrentVersion;-tar.gz

   For other versions of UNIX, you will want to use the following commands:

       gzip -d wireshark-&WiresharkCurrentVersion;-tar.gz
       tar xvf wireshark-&WiresharkCurrentVersion;-tar

   Note! The pipeline gzip -dc wireshark-&WiresharkCurrentVersion;-tar.gz | tar xvf - will work here as well.

   Note! If you have downloaded the Wireshark tarball under Windows, you may find that your browser has created a file with underscores rather than periods in its file name.

2. Change directory to the Wireshark source directory.

3. Configure your source so it will build correctly for your version of UNIX. You can do this with the following command:

       ./configure

   If this step fails, you will have to rectify the problems and rerun configure. Troubleshooting hints are provided in the troubleshooting section below.

4. Build the sources into a binary, with the make command. For example:

       make

5. Install the software in its final destination, using the command:

       make install

Once you have installed Wireshark with make install above, you should be able to run it by entering wireshark.
Installing the binaries under UNIX

In general, installing the binary under your version of UNIX will be specific to the installation methods used with your version of UNIX. For example, under AIX, you would use smit to install the Wireshark binary package, while under Tru64 UNIX (formerly Digital UNIX) you would use setld.
Installing from RPMs under Red Hat and similar distributions

Use the following command to install the Wireshark RPM that you have downloaded from the Wireshark web site:

    rpm -ivh wireshark-&WiresharkCurrentVersion;.i386.rpm

If the above step fails because of missing dependencies, install the dependencies first, and then retry the step above. See the section "Before you build Wireshark under UNIX" above for information on what RPMs you will need to have installed.
Installing from debs under Debian

Use the following command to install Wireshark under Debian:

    aptitude install wireshark

aptitude should take care of all of the dependency issues for you.
Installing from portage under Gentoo Linux

Use the following command to install Wireshark under Gentoo Linux with all of the extra features:

    USE="adns gtk ipv6 portaudio snmp ssl kerberos threads selinux" emerge wireshark
Installing from packages under FreeBSD

Use the following command to install Wireshark under FreeBSD:

    pkg_add -r wireshark

pkg_add should take care of all of the dependency issues for you.
Troubleshooting during the install on Unix

A number of errors can occur during the installation process. Some hints on solving these are provided here.

If the configure stage fails, you will need to find out why. You can check the file config.log in the source directory to find out what failed. The last few lines of this file should help in determining the problem.

The standard problems are that you do not have GTK+ on your system, or you do not have a recent enough version of GTK+. configure will also fail if you do not have libpcap (at least the required include files) on your system.

Another common problem is for the final compile and link stage to terminate with a complaint of: Output too long. This is likely to be caused by an antiquated sed (such as the one shipped with Solaris). Since sed is used by the libtool script to construct the final link command, this leads to mysterious problems. This can be resolved by downloading a recent version of sed from .

If you cannot determine what the problems are, send mail to the wireshark-dev mailing list explaining your problem, and including the output from config.log and anything else you think is relevant, like a trace of the make stage.
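The UNIX build steps above, together with the config.log check from this troubleshooting section, collected into one POSIX shell script. This is an added example and not part of the Wireshark User's Guide or the Wireshark build system; the function names are this example's own, and it assumes the tarball's first entry names the top-level source directory (as the guide's tar xvf - output shows).

```shell
#!/bin/sh
# Added example, not from the Wireshark User's Guide: the UNIX build steps
# as a script, with the config.log check from the troubleshooting section.
# Function names are this example's own. Run as:
#   sh build_wireshark.sh wireshark-x.y.z.tar.gz

# Restore the periods a Windows browser may have turned into underscores,
# e.g. gtk+-1_2_8_tar.gz -> gtk+-1.2.8.tar.gz. The digit rule is applied
# twice because sed does not rematch the digit it has just consumed.
fix_tarball_name() {
    printf '%s\n' "$1" | sed -e 's/_tar\.gz$/.tar.gz/' \
        -e 's/\([0-9]\)_\([0-9]\)/\1.\2/g' -e 's/\([0-9]\)_\([0-9]\)/\1.\2/g'
}

# The guide says "tar xvf - will show you the name of the directory you
# should change to"; this reads that name from the archive listing instead.
tarball_top_dir() {
    gzip -dc "$1" | tar tf - | head -n 1 | cut -d/ -f1
}

# Run ./configure in the source directory; on failure print the last lines
# of config.log, which is where the guide says to look first.
configure_or_diagnose() {
    ( cd "$1" && ./configure ) && return 0
    echo "configure failed; tail of $1/config.log:" >&2
    tail -n 20 "$1/config.log" >&2
    return 1
}

# Full sequence from the guide: unpack, configure, make, make install
# (the install step normally needs write access to the install prefix).
build_wireshark() {
    tarball=$1
    fixed=$(fix_tarball_name "$tarball")
    [ "$fixed" = "$tarball" ] || mv "$tarball" "$fixed"
    gzip -dc "$fixed" | tar xf -
    srcdir=$(tarball_top_dir "$fixed")
    configure_or_diagnose "$srcdir" || return 1
    ( cd "$srcdir" && make && make install )
}

# Only run the full build when a tarball is given on the command line.
if [ -n "${1:-}" ]; then
    build_wireshark "$1"
fi
```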
Building from source under Windows

It is recommended to use the binary installer for Windows, until you want to start developing Wireshark on the Windows platform. For further information on how to build Wireshark for Windows from the sources, have a look at the Development Wiki: &WiresharkWikiPage;/Development for the latest available development documentation.
Installing Wireshark under Windows

In this section we explore installing Wireshark under Windows from the binary packages.
Install Wireshark

You may acquire a binary installer of Wireshark named something like: wireshark-setup-x.y.z.exe. The Wireshark installer includes WinPcap, so you don't need to download and install two separate packages. Simply download the Wireshark installer from: &WiresharkBinariesPage; and execute it. Besides the usual installer options like where to install the program, there are several optional components.

Tip: Just keep the defaults! If you are unsure which settings to select, just keep the defaults.
"Choose Components" page

Wireshark

- Wireshark GTK - Wireshark is a GUI network protocol analyzer.
- GTK MS Windows Engine - GTK MS Windows Engine (native Win32 look and feel, recommended).

TShark - TShark is a command-line based network protocol analyzer.

Plugins / Extensions (for the Wireshark and TShark dissection engines):

- Dissector Plugins - Plugins with some extended dissections.
- Tree Statistics Plugins - Plugins with some extended statistics.
- Mate - Meta Analysis and Tracing Engine (experimental) - user configurable extension(s) of the display filter engine, see &WiresharkWikiPage;/Mate for details.
- SNMP MIBs - SNMP MIBs for a more detailed SNMP dissection.

Tools (additional command line tools to work with capture files):

- Editcap - Editcap is a program that reads a capture file and writes some or all of the packets into another capture file.
- Text2Pcap - Text2pcap is a program that reads in an ASCII hex dump and writes the data into a libpcap-style capture file.
- Mergecap - Mergecap is a program that combines multiple saved capture files into a single output file.
- Capinfos - Capinfos is a program that provides information on capture files.

User's Guide - Local installation of the User's Guide. The Help buttons on most dialogs will require an internet connection to show help pages if the User's Guide is not installed locally.
"Additional Tasks" page

- Start Menu Shortcuts - add some start menu shortcuts.
- Desktop Icon - add a Wireshark icon to the desktop.
- Quick Launch Icon - add a Wireshark icon to the Explorer quick launch toolbar.
- Associate file extensions to Wireshark - Associate standard network trace files to Wireshark.
"Install WinPcap?" page

The Wireshark installer contains the latest released WinPcap installer. If you don't have WinPcap installed, you won't be able to capture live network traffic, but you will still be able to open saved capture files.

- Currently installed WinPcap version - the Wireshark installer detects the currently installed WinPcap version.
- Install WinPcap x.x - if the currently installed version is older than the one which comes with the Wireshark installer (or WinPcap is not installed at all), this will be selected by default.
- Start WinPcap service "NPF" at startup - so users without administrative privileges can capture.

More WinPcap info:

- Wireshark related: &WiresharkWikiPage;/WinPcap
- General WinPcap info: &WinPcapWebsite;
Command line options

You can simply start the Wireshark installer without any command line parameters; it will show you the usual interactive installer. For special cases, there are some command line parameters available:

- /NCRC disables the CRC check.
- /S runs the installer or uninstaller silently with default values. Please note: the silent installer won't install WinPcap!
- /desktopicon controls installation of the desktop icon: =yes forces installation, =no does not install it; otherwise the defaults / user settings are used. This option can be useful for a silent installer.
- /quicklaunchicon controls installation of the quick launch icon: =yes forces installation, =no does not install it; otherwise the defaults / user settings are used.
- /D sets the default installation directory ($INSTDIR), overriding InstallDir and InstallDirRegKey. It must be the last parameter used in the command line and must not contain any quotes, even if the path contains spaces.

Example:

    wireshark-setup-&WiresharkCurrentVersion;.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no /D=C:\Program Files\Foo
Manual WinPcap Installation

Note! As mentioned above, the Wireshark installer takes care of the installation of WinPcap, so usually you don't have to worry about WinPcap at all! The following is only necessary if you want to try a different version than the one included in the Wireshark installer, e.g. because a new WinPcap (beta) version was released.

Additional WinPcap versions (including newer alpha or beta releases) can be downloaded from the following locations:

- The main WinPcap site: &WinPcapWebsite;
- The Wiretapped.net mirror: http://www.mirrors.wiretapped.net/security/packet-capture/winpcap

At the download page you will find a single installer exe called something like "auto-installer", which can be installed under various Windows systems, including NT4.0/2000/XP/Vista.
Update Wireshark

From time to time you may want to update your installed Wireshark to a more recent version. If you join Wireshark's announce mailing list, you will be informed about new Wireshark versions; see for details on how to subscribe to this list. New versions of Wireshark usually become available every 4 to 8 months.

Updating Wireshark is done the same way as installing it: you simply download and start the installer exe. A reboot is usually not required and all your personal settings remain unchanged.
Update WinPcap

New versions of WinPcap are less frequently available, maybe only once a year. You will find WinPcap update instructions where you can download new WinPcap versions. Usually you have to reboot the machine after installing a new WinPcap version.

Warning! If you have an older version of WinPcap installed, you must uninstall it before installing the current version. Recent versions of the WinPcap installer will take care of this.
Uninstall Wireshark

You can uninstall Wireshark the usual way, using the "Add or Remove Programs" option inside the Control Panel. Select the "Wireshark" entry to start the uninstallation procedure.

The Wireshark uninstaller will provide several options as to which things are to be uninstalled; the default is to remove the core components but keep the personal settings, WinPcap and the like. WinPcap won't be uninstalled by default, as programs other than Wireshark may use it as well.
Uninstall WinPcap

You can uninstall WinPcap independently of Wireshark, using the "WinPcap" entry in the "Add or Remove Programs" of the Control Panel.

Note! After uninstallation of WinPcap you can't capture anything with Wireshark. It might be a good idea to reboot Windows afterwards.