/* THIS FILE IS AUTOMATICALLY GENERATED, DO NOT MODIFY!!! */ const char *faq_part[] = { " \n" " The Ethereal FAQ \n" " \n" " Note: This is just an ASCII snapshot of the faq and may not be up to \n" " date. Please go to http://www.ethereal.com/faq for the up to \n" " date version. The version of this snapshot can be found at the \n" " end of this document. \n" " \n" " INDEX \n" " \n" " General Questions: \n" " \n" " 1.1 Where can I get help? \n" " \n" " 1.2 What protocols are currently supported? \n" " \n" " 1.3 Are there any plans to support {your favorite protocol}? \n" " \n" " 1.4 Can Ethereal read capture files from {your favorite network \n" " analyzer}? \n" " \n" " 1.5 What devices can Ethereal use to capture packets? \n" " \n" " 1.6 How do you pronounce Ethereal? Where did the name come from? \n" " \n" " Downloading Ethereal: \n" " \n" " 2.1 I downloaded the Win32 installer, but when I try to run it, I get \n" " an error. \n" " \n" " 2.2 When I try to download the WinPcap driver and library, I can't get \n" " to the WinPcap Web site. \n" " \n" " Installing Ethereal: \n" " \n" " 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be \n" " installed; only Tethereal is installed. \n" " \n" " Building Ethereal: \n" " \n" " 4.1 The configure script can't find pcap.h or bpf.h, but I have \n" " libpcap installed. \n" " \n" " 4.2 Why do I get the error \n" " \n" " dftest_DEPENDENCIES was already defined in condition TRUE, which \n" " implies condition HAVE_PLUGINS_TRUE \n" " \n" " when I try to build Ethereal from CVS or a CVS snapshot? \n" " \n" " 4.3 The link fails with a number of \"Output line too long.\" messages \n" " followed by linker errors. \n" " \n" " 4.4 The link fails on Solaris because plugin_list is undefined. \n" " \n" " 4.5 The build fails on Windows because of conflicts between winsock.h \n" " and winsock2.h. 
\n" " \n" " Using Ethereal: \n" " \n" " 5.1 When I use Ethereal to capture packets, I see only packets to and \n" " from my machine, or I'm not seeing all the traffic I'm expecting to \n" " see from or to the machine I'm trying to monitor. \n" " \n" " 5.2 I can't see any TCP packets other than packets to and from my \n" " machine, even though another analyzer on the network sees those \n" " packets. \n" " \n" " 5.3 I'm only seeing ARP packets when I try to capture traffic. \n" " \n" " 5.4 How do I put an interface into promiscuous mode? \n" " \n" " 5.5 I can set a display filter just fine, but capture filters don't \n" " work. \n" " \n" " 5.6 I'm entering valid capture filters, but I still get \"parse error\" \n" " errors. \n" " \n" " 5.7 I saved a filter and tried to use its name to filter the display, \n" " but I got an \"Unexpected end of filter string\" error. \n" " \n" " 5.8 Why am I seeing lots of packets with incorrect TCP checksums? \n" " \n" " 5.9 I've just installed Ethereal, and the traffic on my local LAN is \n" " boring. \n" " \n" " 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I \n" " start it. \n" " \n" " 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson \n" " error, reporting an \"Integer division by zero\" exception, when I start \n" " it. \n" " \n" " 5.12 When I try to run Ethereal, it complains about \n" " sprint_realloc_objid being undefined. \n" " \n" " 5.13 I'm running Ethereal on Linux; why do my time stamps have only \n" " 100ms resolution, rather than 1us resolution? \n" " \n" " 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n" " why are the time stamps on packets wrong? \n" " \n" " 5.15 When I try to run Ethereal on Windows, it fails to run because it \n" " can't find packet.dll. 
\n" " \n" " 5.16 I'm running Ethereal on Windows; why does some network interface \n" " on my machine not show up in the list of interfaces in the \n" " \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" " and/or why does Ethereal give me an error if I try to capture on that \n" " interface? \n" " \n" " 5.17 I'm running on a UNIX-flavored OS; why does some network \n" " interface on my machine not show up in the list of interfaces in the \n" " \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" " and/or why does Ethereal give me an error if I try to capture on that \n" " interface? \n" " \n" " 5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has \n" " a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the \n" " \"Interface\" item in the \"Capture Options\" dialog box. Why can no \n" " packets be sent on or received from that network while I'm trying to \n" " capture traffic on that interface? \n" " \n" " 5.19 I'm running Ethereal on Windows 95/98/Me, on a machine with more \n" " than one network adapter of the same type; Ethereal shows all of those \n" " adapters with the same name, but I can't use any of those adapters \n" " other than the first one. \n" " \n" " 5.20 I'm running Ethereal on Windows, and I'm not seeing any traffic \n" " being sent by the machine running Ethereal. \n" " \n" " 5.21 I'm trying to capture traffic but I'm not seeing any. \n" " \n" " 5.22 I have an XXX network card on my machine; if I try to capture on \n" " it, my machine crashes or resets itself. \n" " \n" " 5.23 My machine crashes or resets itself when I select \"Start\" from \n" " the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n" " \n" " 5.24 Does Ethereal work on Windows ME? \n" " \n" " 5.25 Does Ethereal work on Windows XP? \n" " \n" " 5.26 Why doesn't Ethereal correctly identify RTP packets? It shows \n" " them only as UDP. 
\n" " \n" " 5.27 Why doesn't Ethereal show Yahoo Messenger packets in captures \n" " that contain Yahoo Messenger traffic? \n" " \n" " 5.28 Why do I get the error \n" " \n" " Gdk-ERROR **: Palettized display (256-colour) mode not supported on \n" " Windows. \n" " aborting.... \n" " \n" " when I try to run Ethereal on Windows? \n" " \n" " 5.29 When I capture on Windows in promiscuous mode, I can see packets \n" " other than those sent to or from my machine; however, those packets \n" " show up with a \"Short Frame\" indication, unlike packets to or from my \n" " machine. What should I do to arrange that I see those packets in their \n" " entirety? \n" " \n" " 5.30 How can I capture raw 802.11 packets, including non-data \n" " (management, beacon) packets? \n" " \n" " 5.31 How can I capture packets with CRC errors? \n" " \n" " 5.32 How can I capture entire frames, including the FCS? \n" " \n" " 5.33 Ethereal hangs after I stop a capture. \n" " \n" " 5.34 How can I search for, or filter, packets that have a particular \n" " string anywhere in them? \n" " \n" " GENERAL QUESTIONS \n" " Q 1.1: Where can I get help? \n" " \n" " A: Support is available on the ethereal-users mailing list. \n" " Subscription information and archives for all of Ethereal's mailing \n" " lists can be found at http://www.ethereal.com/lists \n" " \n" " Q 1.2: What protocols are currently supported? \n" " \n" " A: There are currently 393 supported protocols and media, listed \n" " below. Descriptions can be found in the ethereal(1) man page. 
\n" " \n" " 802.1q Virtual LAN \n" " 802.1x Authentication \n" " AFS (4.0) Replication Server call declarations \n" " AOL Instant Messenger \n" " ARCNET \n" " ATM \n" " ATM AAL1 \n" " ATM AAL3/4 \n" " ATM LAN Emulation \n" " ATM OAM AAL \n" " AVS WLAN Capture header \n" " Ad hoc On-demand Distance Vector Routing Protocol \n" " Address Resolution Protocol \n" " Aggregate Server Access Protocol \n" " Alert Standard Forum \n" " Andrew File System (AFS) \n" " Apache JServ Protocol v1.3 \n" " AppleTalk Filing Protocol \n" " AppleTalk Session Protocol \n" " AppleTalk Transaction Protocol packet \n" " Appletalk Address Resolution Protocol \n" " Application Configuration Access Protocol \n" " Async data over ISDN (V.120) \n" " Authentication Header \n" " BACnet Virtual Link Control \n" " Banyan Vines ARP \n" " Banyan Vines Echo \n" " Banyan Vines Fragmentation Protocol \n" " Banyan Vines ICP \n" " Banyan Vines IP \n" " Banyan Vines IPC \n" " Banyan Vines LLC \n" " Banyan Vines RTP \n" " Banyan Vines SPP \n" " Blocks Extensible Exchange Protocol \n" " Boardwalk \n" " Boot Parameters \n" " Bootstrap Protocol \n" " Border Gateway Protocol \n" " Building Automation and Control Network APDU \n" " Building Automation and Control Network NPDU \n" " CDS Clerk Server Calls \n" " Check Point High Availability Protocol \n" " Checkpoint FW-1 \n" " Cisco Auto-RP \n" " Cisco Discovery Protocol \n" " Cisco Group Management Protocol \n" " Cisco HDLC \n" " Cisco Hot Standby Router Protocol \n" " Cisco ISL \n" " Cisco Interior Gateway Routing Protocol \n" " Cisco NetFlow \n" " Cisco SLARP \n" " Clearcase NFS \n" " CoSine IPNOS L2 debug output \n" " Common Open Policy Service \n" " Common Unix Printing System (CUPS) Browsing Protocol \n" " DCE DFS Calls \n" " DCE Distributed Time Service Local Server \n" " DCE Distributed Time Service Provider \n" " DCE Name Service \n" " DCE RPC \n" " DCE Security ID Mapper \n" " DCE/RPC BOS Server \n" " DCE/RPC CDS Solicitation \n" " DCE/RPC Conversation 
Manager \n" " DCE/RPC Endpoint Mapper \n" " DCE/RPC FLDB \n" " DCE/RPC FLDB UBIK TRANSFER \n" " DCE/RPC FLDB UBIKVOTE \n" " DCE/RPC Kerberos V \n" " DCE/RPC RS_ACCT \n" " DCE/RPC RS_MISC \n" " DCE/RPC RS_UNIX \n" " DCE/RPC Remote Management \n" " DCE/RPC Repserver Calls \n" " DCE/RPC TokenServer Calls \n" " DCE/RPC UpServer \n" " DCOM OXID Resolver \n" " DCOM Remote Activation \n" " DEC Spanning Tree Protocol \n" " DHCPv6 \n" " DNS Control Program Server \n" " Data \n" " Data Link SWitching \n" " Data Stream Interface \n" " Datagram Delivery Protocol \n" " Diameter Protocol \n" " Distance Vector Multicast Routing Protocol \n" " Distcc Distributed Compiler \n" " Distributed Checksum Clearinghouse Prototocl \n" " Domain Name Service \n" " Dynamic DNS Tools Protocol \n" " Echo \n" " Encapsulating Security Payload \n" " Enhanced Interior Gateway Routing Protocol \n" " EtherNet/IP (Industrial Protocol) \n" " Ethernet \n" " Ethernet over IP \n" " Extensible Authentication Protocol \n" " FC Extended Link Svc \n" " FC Fabric Configuration Server \n" " FCIP \n" " FTP Data \n" " FTServer Operations \n" " Fiber Distributed Data Interface \n" " Fibre Channel \n" " Fibre Channel Common Transport \n" " Fibre Channel Fabric Zone Server \n" " Fibre Channel Name Server \n" " Fibre Channel Protocol for SCSI \n" " Fibre Channel SW_ILS \n" " File Transfer Protocol (FTP) \n" " Financial Information eXchange Protocol \n" " Frame \n" " Frame Relay \n" " GARP Multicast Registration Protocol \n" " GARP VLAN Registration Protocol \n" " GPRS Tunneling Protocol \n" " GPRS Tunnelling Protocol v0 \n" " GPRS Tunnelling Protocol v1 \n" " General Inter-ORB Protocol \n" " Generic Routing Encapsulation \n" " Generic Security Service Application Program Interface \n" " Gnutella Protocol \n" " H245 \n" " HP Extended Local-Link Control \n" " HP Remote Maintenance Protocol \n" " Hummingbird NFS Daemon \n" " HyperSCSI \n" " Hypertext Transfer Protocol \n" " ICQ Protocol \n" " IEEE 802.11 wireless LAN \n" 
" IEEE 802.11 wireless LAN management frame \n" " ILMI \n" " IP Over FC \n" " IP Payload Compression \n" " IPX Message \n" " IPX Routing Information Protocol \n" " IPX WAN \n" " ISDN \n" " ISDN Q.921-User Adaptation Layer \n" " ISDN User Part \n" " ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol \n" " ISO 8073 COTP Connection-Oriented Transport Protocol \n" " ISO 8473 CLNP ConnectionLess Network Protocol \n" " ISO 8602 CLTP ConnectionLess Transport Protocol \n" " ISO 9542 ESIS Routeing Information Exchange Protocol \n" " ITU-T Recommendation H.261 \n" " InMon sFlow \n" " Intel ANS probe \n" " Intelligent Platform Management Interface \n" " Inter-Access-Point Protocol \n" " Interbase \n" " Internet Cache Protocol \n" " Internet Content Adaptation Protocol \n" " Internet Control Message Protocol \n" " Internet Control Message Protocol v6 \n" " Internet Group Management Protocol \n" " Internet Message Access Protocol \n" " Internet Printing Protocol \n" " Internet Protocol \n" " Internet Protocol Version 6 \n" " Internet Relay Chat \n" " Internet Security Association and Key Management Protocol \n" " Internetwork Packet eXchange \n" " Jabber XML Messaging \n" " Java RMI \n" " Java Serialization \n" " Kerberos \n" " Kerberos Administration \n" " Kernel Lock Manager \n" " Label Distribution Protocol \n" " Layer 2 Tunneling Protocol \n" " Lightweight Directory Access Protocol \n" " Line Printer Daemon Protocol \n" " Link Access Procedure Balanced (LAPB) \n" " Link Access Procedure Balanced Ethernet (LAPBETHER) \n" " Link Access Procedure, Channel D (LAPD) \n" " Link Aggregation Control Protocol \n" " Link Management Protocol (LMP) \n" " Linux cooked-mode capture \n" " Local Management Interface \n" " LocalTalk Link Access Protocol \n" " Logical-Link Control \n" " Lucent/Ascend debug output \n" " MDS Header \n" " MMS Message Encapsulation \n" " MS Proxy Protocol \n" " MSN Messenger Service \n" " MSNIP: Multicast Source Notification of Interest Protocol 
\n" " MTP 2 Transparent Proxy \n" " MTP 2 User Adaptation Layer \n" " MTP 3 User Adaptation Layer \n" " MTP2 Peer Adaptation Layer \n" " Message Transfer Part Level 2 \n" " Message Transfer Part Level 3 \n" " Message Transfer Part Level 3 Management \n" " Microsoft Distributed File System \n" " Microsoft Exchange MAPI \n" " Microsoft Local Security Architecture \n" " Microsoft Local Security Architecture (Directory Services) \n" " Microsoft Messenger Service \n" " Microsoft Network Logon \n" " Microsoft Registry \n" " Microsoft Security Account Manager \n" " Microsoft Server Service \n" " Microsoft Service Control \n" " Microsoft Spool Subsystem \n" " Microsoft Task Scheduler Service \n" " Microsoft Telephony API Service \n" " Microsoft Windows Browser Protocol \n" " Microsoft Windows Lanman Remote API Protocol \n" , " Microsoft Windows Logon Protocol \n" " Microsoft Workstation Service \n" " Mobile IP \n" " Mobile IPv6 \n" " Modbus/TCP \n" " Mount Service \n" " MultiProtocol Label Switching Header \n" " Multicast Router DISCovery protocol \n" " Multicast Source Discovery Protocol \n" " MySQL Protocol \n" " NFSACL \n" " NFSAUTH \n" " NIS+ \n" " NIS+ Callback \n" " NSPI \n" " NTLM Secure Service Provider \n" " Name Binding Protocol \n" " Name Management Protocol over IPX \n" " NetBIOS \n" " NetBIOS Datagram Service \n" " NetBIOS Name Service \n" " NetBIOS Session Service \n" " NetBIOS over IPX \n" " NetWare Core Protocol \n" " NetWare Link Services Protocol \n" " Network Data Management Protocol \n" " Network File System \n" " Network Lock Manager Protocol \n" " Network News Transfer Protocol \n" " Network Status Monitor CallBack Protocol \n" " Network Status Monitor Protocol \n" " Network Time Protocol \n" " Novell Distributed Print System \n" " Null/Loopback \n" " Open Shortest Path First \n" " OpenBSD Encapsulating device \n" " OpenBSD Packet Filter log file \n" " OpenBSD Packet Filter log file, pre 3.4 \n" " PC NFS \n" " PPP Bandwidth Allocation Control Protocol 
\n" " PPP Bandwidth Allocation Protocol \n" " PPP CDP Control Protocol \n" " PPP Callback Control Protocol \n" " PPP Challenge Handshake Authentication Protocol \n" " PPP Compressed Datagram \n" " PPP Compression Control Protocol \n" " PPP IP Control Protocol \n" " PPP IPv6 Control Protocol \n" " PPP Link Control Protocol \n" " PPP MPLS Control Protocol \n" " PPP Multilink Protocol \n" " PPP Multiplexing \n" " PPP Password Authentication Protocol \n" " PPP VJ Compression \n" " PPP-over-Ethernet Discovery \n" " PPP-over-Ethernet Session \n" " PPPMux Control Protocol \n" " Packet Encoding Rules (ASN.1 X.691) \n" " Point-to-Point Protocol \n" " Point-to-Point Tunnelling Protocol \n" " Portmap \n" " Post Office Protocol \n" " Pragmatic General Multicast \n" " Prism \n" " Privilege Server operations \n" " Protocol Independent Multicast \n" " Q.2931 \n" " Q.931 \n" " Quake II Network Protocol \n" " Quake III Arena Network Protocol \n" " Quake Network Protocol \n" " QuakeWorld Network Protocol \n" " Qualified Logical Link Control \n" " RFC 2250 MPEG1 \n" " RIPng \n" " RPC Browser \n" " RSTAT \n" " RSYNC File Synchroniser \n" " RX Protocol \n" " Radio Access Network Application Part \n" " Radius Protocol \n" " Raw packet data \n" " Real Time Streaming Protocol \n" " Real-Time Transport Protocol \n" " Real-time Transport Control Protocol \n" " Registry Server Attributes Manipulation Interface \n" " Registry server administration operations. \n" " Remote Management Control Protocol \n" " Remote Override interface \n" " Remote Procedure Call \n" " Remote Program Load \n" " Remote Quota \n" " Remote Shell \n" " Remote Wall protocol \n" " Remote sec_login preauth interface. 
\n" " Resource ReserVation Protocol (RSVP) \n" " Rlogin Protocol \n" " Routing Information Protocol \n" " Routing Table Maintenance Protocol \n" " SADMIND \n" " SCSI \n" " SGI Mount Service \n" " SMB (Server Message Block Protocol) \n" " SMB MailSlot Protocol \n" " SMB Pipe Protocol \n" " SNA-over-Ethernet \n" " SNMP Multiplex Protocol \n" " SPNEGO-KRB5 \n" " SPRAY \n" " SS7 SCCP-User Adaptation Layer \n" " SSCOP \n" " SSH Protocol \n" " Secure Socket Layer \n" " Sequenced Packet eXchange \n" " Service Advertisement Protocol \n" " Service Location Protocol \n" " Session Announcement Protocol \n" " Session Description Protocol \n" " Session Initiation Protocol \n" " Short Message Peer to Peer \n" " Signalling Connection Control Part \n" " Signalling Connection Control Part Management \n" " Simple Mail Transfer Protocol \n" " Simple Network Management Protocol \n" " Sinec H1 Protocol \n" " Skinny Client Control Protocol \n" " SliMP3 Communication Protocol \n" " Socks Protocol \n" " Spanning Tree Protocol \n" " Spnego \n" " Stream Control Transmission Protocol \n" " Synchronous Data Link Control (SDLC) \n" " Syslog message \n" " Systems Network Architecture \n" " Systems Network Architecture XID \n" " TACACS \n" " TACACS+ \n" " TPKT \n" " Tabular Data Stream \n" " Tazmen Sniffer Protocol \n" " Telnet \n" " Time Protocol \n" " Time Synchronization Protocol \n" " Token-Ring \n" " Token-Ring Media Access Control \n" " Transmission Control Protocol \n" " Transparent Network Substrate Protocol \n" " Trivial File Transfer Protocol \n" " UDP Encapsulation of IPsec Packets \n" " Universal Computer Protocol \n" " User Datagram Protocol \n" " Virtual Router Redundancy Protocol \n" " Virtual Trunking Protocol \n" " WAP Binary XML \n" " Web Cache Coordination Protocol \n" " Wellfleet Breath of Life \n" " Wellfleet Compression \n" " Wellfleet HDLC \n" " Who \n" " Windows 2000 DNS \n" " Wireless Session Protocol \n" " Wireless Transaction Protocol \n" " Wireless Transport Layer 
Security \n" " X Display Manager Control Protocol \n" " X.25 \n" " X.25 over TCP \n" " X.29 \n" " X11 \n" " Xyplex \n" " Yahoo Messenger Protocol \n" " Yahoo YMSG Messenger Protocol \n" " Yellow Pages Bind \n" " Yellow Pages Passwd \n" " Yellow Pages Service \n" " Yellow Pages Transfer \n" " Zebra Protocol \n" " Zone Information Protocol \n" " eDonkey Protocol \n" " iSCSI \n" " iSNS \n" " \n" " Q 1.3: Are there any plans to support {your favorite protocol}? \n" " \n" " A: Support for particular protocols is added to Ethereal as a result \n" " of people contributing that support; no formal plans for adding \n" " support for particular protocols in particular future releases exist. \n" " \n" " Q 1.4: Can Ethereal read capture files from {your favorite network \n" " analyzer}? \n" " \n" " A: Support for particular protocols is added to Ethereal as a result \n" " of people contributing that support; no formal plans for adding \n" " support for particular protocols in particular future releases exist. \n" " \n" " If a network analyzer writes out files in a format already supported \n" " by Ethereal (e.g., in libpcap format), Ethereal may already be able to \n" " read them, unless the analyzer has added its own proprietary \n" " extensions to that format. \n" " \n" " If a network analyzer writes out files in its own format, or has added \n" " proprietary extensions to another format, in order to make Ethereal \n" " read captures from that network analyzer, we would either have to have \n" " a specification for the file format, or the extensions, sufficient to \n" " give us enough information to read the parts of the file relevant to \n" " Ethereal, or would need at least one capture file in that format AND a \n" " detailed textual analysis of the packets in that capture file (showing \n" " packet time stamps, packet lengths, and the top-level packet header) \n" " in order to reverse-engineer the file format. 
\n" " \n" " Note that there is no guarantee that we will be able to \n" " reverse-engineer a capture file format. \n" " \n" " Q 1.5: What devices can Ethereal use to capture packets? \n" " \n" " A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial \n" " (PPP and SLIP) (if the OS on which it's running allows Ethereal to do \n" " so), 802.11 wireless LAN (if the OS on which it's running allows \n" " Ethereal to do so), ATM connections (if the OS on which it's running \n" " allows Ethereal to do so), and the \"any\" device supported on Linux by \n" " recent versions of libpcap. See the list of supported capture media on \n" " various OSes for details (several items in there say \"Unknown\", which \n" " doesn't mean \"Ethereal can't capture on them\", it means \"we don't know \n" " whether it can capture on them\"; we expect that it will be able to \n" " capture on many of them, but we haven't tried it ourselves - if you \n" " try one of those types and it works, please send an update to \n" " ethereal-web[AT]ethereal.com). \n" " \n" " It can also read a variety of capture file formats, including: \n" " * libpcap/tcpdump \n" " * Sun snoop/atmsnoop \n" " * Shomiti/Finisar Surveyor \n" " * LanAlyzer \n" " * DOS-based Sniffer (compressed and uncompressed) \n" " * MS Network Monitor \n" " * AIX iptrace \n" " * NetXray and Windows-based Sniffer \n" " * EtherPeek/TokenPeek/AiroPeek \n" " * RADCOM WAN/LAN analyzer \n" " * Lucent/Ascend debug output \n" " * Toshiba ISDN router \"snoop\" output \n" " * HPUX nettl \n" " * ISDN4BSD \"i4btrace\" utility. \n" " * Cisco Secure IDS \n" " * pppd log files (pppdump format) \n" " * VMS TCPIPtrace \n" " * DBS Etherwatch \n" " * Visual Networks' Visual UpTime \n" " * CoSine L2 debug \n" " \n" " so that it can read traces from various network types, as captured by \n" " other applications or equipment, even if it cannot itself capture on \n" " those network types. \n" " \n" " Q 1.6: How do you pronounce Ethereal? 
Where did the name come from? \n" " \n" " A: The English pronunciation can be found in Merriam-Webster's online \n" " dictionary at \n" " http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal. \n" " \n" " According to the book \"Computer Networks\" by Andrew Tanenbaum, \n" " Ethernet was named after the \"luminiferous ether\" which was once \n" " thought to carry electromagnetic radiation. Taking that into \n" " consideration, Ethereal seemed like an appropriate name for an \n" " Ethernet analyzer. \n" " \n" " DOWNLOADING ETHEREAL \n" " Q 2.1: I downloaded the Win32 installer, but when I try to run it, I \n" " get an error. \n" " \n" " A: The program you used to download it may have downloaded it \n" " incorrectly. Web browsers sometimes may do this. \n" " \n" " Try downloading it with, for example: \n" " * Wget, for which Windows binaries are available on the SunSITE FTP \n" " server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI \n" " offers a GUI interface that uses wget; \n" " * WS_FTP from Ipswitch, \n" " * the ftp command that comes with Windows. \n" " \n" " If you use the ftp command, make sure you do the transfer in binary \n" " mode rather than ASCII mode, by using the binary command before \n" " transferring the file. \n" " \n" " Q 2.2: When I try to download the WinPcap driver and library, I can't \n" " get to the WinPcap Web site. \n" " \n" " A: As is the case with all Web sites, that site won't necessarily \n" " always be accessible; the server may be down due to a problem or down \n" " for maintenance, or there may be a networking problem between you and \n" " the server. You should try again later, or try the local mirror or the \n" " Wiretapped.net mirror. \n" " \n" " INSTALLING ETHEREAL \n" " Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be \n" " installed; only Tethereal is installed. 
\n" " \n" " A: Red Hat RPMs for Ethereal put only the non-GUI components into the \n" " ethereal RPM, the fact that Ethereal is a GUI program notwithstanding; \n" " there's a separate ethereal-gnome RPM that includes GUI components \n" " such as Ethereal itself, the fact that Ethereal doesn't use GNOME \n" " notwithstanding. Find the ethereal-gnome RPM, and install that also. \n" " \n" " BUILDING ETHEREAL \n" " Q 4.1: The configure script can't find pcap.h or bpf.h, but I have \n" " libpcap installed. \n" " \n" " A: Are you sure pcap.h and bpf.h are installed? The official \n" " distribution of libpcap only installs the libpcap.a library file when \n" " \"make install\" is run. To install pcap.h and bpf.h, you must run \"make \n" " install-incl\". If you're running Debian or Redhat, make sure you have \n" " the \"libpcap-dev\" or \"libpcap-devel\" packages installed. \n" " \n" " It's also possible that pcap.h and bpf.h have been installed in a \n" " strange location. If this is the case, you may have to tweak \n" " aclocal.m4. \n" " \n" " Q 4.2: Why do I get the error \n" " \n" " dftest_DEPENDENCIES was already defined in condition TRUE, which \n" " implies condition HAVE_PLUGINS_TRUE \n" " \n" " when I try to build Ethereal from CVS or a CVS snapshot? \n" " \n" " A: You probably have automake 1.5 installed on your machine (the \n" " command automake --version will report the version of automake on your \n" " machine). There is a bug in that version of automake that causes this \n" " problem; upgrade to a later version of automake (1.6 or later). \n" " \n" " Q 4.3: The link fails with a number of \"Output line too long.\" \n" " messages followed by linker errors. \n" " \n" " A: The version of the sed command on your system is incapable of \n" " handling very long lines. On Solaris, for example, /usr/bin/sed has a \n" " line length limit too low to allow libtool to work; /usr/xpg4/bin/sed \n" " can handle it, as can GNU sed if you have it installed. 
\n" " \n" " On Solaris, changing your command search path to search /usr/xpg4/bin \n" " before /usr/bin should make the problem go away; on any platform on \n" " which you have this problem, installing GNU sed and changing your \n" " command path to search the directory in which it is installed before \n" " searching the directory with the version of sed that came with the OS \n" " should make the problem go away. \n" " \n" " Q 4.4: The link fails on Solaris because plugin_list is undefined. \n" " \n" " A: This appears to be due to a problem with some versions of the GTK+ \n" " and GLib packages from www.sunfreeware.org; un-install those packages, \n" " and try getting the 1.2.10 versions from that site, or the versions \n" " from The Written Word, or the versions from Sun's GNOME distribution, \n" " or the versions from the supplemental software CD that comes with the \n" " Solaris media kit, or build them from source from the GTK Web site. \n" " Then re-run the configuration script, and try rebuilding Ethereal. (If \n" " you get the 1.2.10 versions from www.sunfreeware.org, and the problem \n" " persists, un-install them and try installing one of the other versions \n" " mentioned.) \n" " \n" " Q 4.5: The build fails on Windows because of conflicts between \n" " winsock.h and winsock2.h. \n" " \n" " A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and \n" " the corresponding version of the developer's pack, in order to be able \n" " to compile Ethereal; it will not compile with older versions of the \n" " developer's pack. The symptoms of this failure are conflicts between \n" " definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h, \n" " but pre-2.3 versions of the WinPcap developer's pack use winsock.h. \n" " (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would \n" " not be able to build with current versions of the WinPcap developer's \n" " pack.) 
\n" " \n" " Note that the installed version of the developer's pack should be the \n" " same version as the version of WinPcap you have installed. \n" " \n" " USING ETHEREAL \n" " Q 5.1: When I use Ethereal to capture packets, I see only packets to \n" " and from my machine, or I'm not seeing all the traffic I'm expecting \n" " to see from or to the machine I'm trying to monitor. \n" " \n" " A: This might be because the interface on which you're capturing is \n" " plugged into a switch; on a switched network, unicast traffic between \n" " two ports will not necessarily appear on other ports - only broadcast \n" " and multicast traffic will be sent to all ports. \n" " \n" " Note that even if your machine is plugged into a hub, the \"hub\" may be \n" " a switched hub, in which case you're still on a switched network. \n" " \n" " Note also that on the Linksys Web site, they say that their \n" " auto-sensing hubs \"broadcast the 10Mb packets to the port that operate \n" " at 10Mb only and broadcast the 100Mb packets to the ports that operate \n" " at 100Mb only\", which would indicate that if you sniff on a 10Mb port, \n" " you will not see traffic sent to a 100Mb port, and vice versa. \n" " This problem has also been reported for Netgear dual-speed hubs, and \n" " may exist for other \"auto-sensing\" or \"dual-speed\" hubs. \n" " \n" " Some switches have the ability to replicate all traffic on all ports \n" " to a single port so that you can plug your analyzer into that single \n" " port to sniff all traffic. You would have to check the documentation \n" " for the switch to see if this is possible and, if so, to see how to do \n" " this. 
See, for example: \n" " * this documentation from Cisco on the Switched Port Analyzer (SPAN) \n" " feature on Catalyst switches; \n" , " * documentation from HP on how to set \"monitoring\"/\"mirroring\" on \n" " ports on the console for HP Advancestack Switch 208 and 224; \n" " * the \"Network Monitoring Port Features\" section of chapter 6 of \n" " documentation from HP for HP ProCurve Switches 1600M, 2424M, \n" " 4000M, and 8000M. \n" " \n" " Note also that many firewall/NAT boxes have a switch built into them; \n" " this includes many of the \"cable/DSL router\" boxes. If you have a box \n" " of that sort, that has a switch with some number of Ethernet ports \n" " into which you plug machines on your network, and another Ethernet \n" " port used to connect to a cable or DSL modem, you can, at least, sniff \n" " traffic between the machines on your network and the Internet by \n" " plugging the Ethernet port on the router going to the modem, the \n" " Ethernet port on the modem, and the machine on which you're running \n" " Ethereal into a hub (make sure it's not a switching hub, and that, if \n" " it's a dual-speed hub, all three of those ports are running at the \n" " same speed). \n" " \n" " If your machine is not plugged into a switched network or a dual-speed \n" " hub, or it is plugged into a switched network but the port is set up \n" " to have all traffic replicated to it, the problem might be that the \n" " network interface on which you're capturing doesn't support \n" " \"promiscuous\" mode, or because your OS can't put the interface into \n" " promiscuous mode. Normally, network interfaces supply to the host \n" " only: \n" " * packets sent to one of that host's link-layer addresses; \n" " * broadcast packets; \n" " * multicast packets sent to a multicast address that the host has \n" " configured the interface to accept. 
\n" " \n" " Most network interfaces can also be put in \"promiscuous\" mode, in \n" " which they supply to the host all network packets they see. Ethereal \n" " will try to put the interface on which it's capturing into promiscuous \n" " mode unless the \"Capture packets in promiscuous mode\" option is turned \n" " off in the \"Capture Options\" dialog box, and Tethereal will try to put \n" " the interface on which it's capturing into promiscuous mode unless the \n" " -p option was specified. However, some network interfaces don't \n" " support promiscuous mode, and some OSes might not allow interfaces to \n" " be put into promiscuous mode. \n" " \n" " If the interface is not running in promiscuous mode, it won't see any \n" " traffic that isn't intended to be seen by your machine. It will see \n" " broadcast packets, and multicast packets sent to a multicast MAC \n" " address the interface is set up to receive. \n" " \n" " You should ask the vendor of your network interface whether it \n" " supports promiscuous mode. If it does, you should ask whoever supplied \n" " the driver for the interface (the vendor, or the supplier of the OS \n" " you're running on your machine) whether it supports promiscuous mode \n" " with that network interface. \n" " \n" " In the case of token ring interfaces, the drivers for some of them, on \n" " Windows, may require you to enable promiscuous mode in order to \n" " capture in promiscuous mode. Ask the vendor of the card how to do \n" " this, or see, for example, this information on promiscuous mode on \n" " some Madge token ring adapters (note that those cards can have \n" " promiscuous mode disabled permanently, in which case you can't enable \n" " it). 
\n" " \n" " In the case of wireless LAN interfaces, it appears that, when those \n" " interfaces are promiscuously sniffing, they're running in a \n" " significantly different mode from the mode that they run in when \n" " they're just acting as network interfaces (to the extent that it would \n" " be a significant effort for those drivers to support promiscuously \n" " sniffing and acting as regular network interfaces at the same time), \n" " so it may be that Windows drivers for those interfaces don't support \n" " promiscuous mode. \n" " \n" " Q 5.2: I can't see any TCP packets other than packets to and from my \n" " machine, even though another analyzer on the network sees those \n" " packets. \n" " \n" " A: You're probably not seeing any packets other than unicast packets \n" " to or from your machine, and broadcast and multicast packets; a switch \n" " will normally send to a port only unicast traffic sent to the MAC \n" " address for the interface on that port, and broadcast and multicast \n" " traffic - it won't send to that port unicast traffic sent to a MAC \n" " address for some other interface - and a network interface not in \n" " promiscuous mode will receive only unicast traffic sent to the MAC \n" " address for that interface, broadcast traffic, and multicast traffic \n" " sent to a multicast MAC address the interface is set up to receive. \n" " \n" " TCP doesn't use broadcast or multicast, so you will only see your own \n" " TCP traffic, but UDP services may use broadcast or multicast so you'll \n" " see some UDP traffic - however, this is not a problem with TCP \n" " traffic, it's a problem with unicast traffic, as you also won't see \n" " all UDP traffic between other machines. \n" " \n" " I.e., this is probably the same question as this earlier one; see the \n" " response to that question. \n" " \n" " Q 5.3: I'm only seeing ARP packets when I try to capture traffic. 
\n" " \n" " A: You're probably on a switched network, and running Ethereal on a \n" " machine that's not sending traffic to the switch and not being sent \n" " any traffic from other machines on the switch. ARP packets are often \n" " broadcast packets, which are sent to all switch ports. \n" " \n" " I.e., this is probably the same question as this earlier one; see the \n" " response to that question. \n" " \n" " Q 5.4: How do I put an interface into promiscuous mode? \n" " \n" " A: By not disabling promiscuous mode when running Ethereal or \n" " Tethereal. \n" " \n" " Note, however, that: \n" " * the form of promiscuous mode that libpcap (the library that \n" " programs such as tcpdump, Ethereal, etc. use to do packet capture) \n" " turns on will not necessarily be shown if you run ifconfig on the \n" " interface on a UNIX system; \n" " * some network interfaces might not support promiscuous mode, and \n" " some drivers might not allow promiscuous mode to be turned on - \n" " see this earlier question for more information on that; \n" " * the fact that you're not seeing any traffic, or are only seeing \n" " broadcast traffic, or aren't seeing any non-broadcast traffic \n" " other than traffic to or from the machine running Ethereal, does \n" " not mean that promiscuous mode isn't on - see this earlier \n" " question for more information on that. \n" " \n" " I.e., this is probably the same question as this earlier one; see the \n" " response to that question. \n" " \n" " Q 5.5: I can set a display filter just fine, but capture filters don't \n" " work. \n" " \n" " A: Capture filters currently use a different syntax than display \n" " filters. Here's the corresponding section from the ethereal(1) man \n" " page: \n" " \n" " \"Display filters in Ethereal are very powerful; more fields are \n" " filterable in Ethereal than in other protocol analyzers, and the \n" " syntax you can use to create your filters is richer. 
As Ethereal \n" " progresses, expect more and more protocol fields to be allowed in \n" " display filters. \n" " \n" " Packet capturing is performed with the pcap library. The capture \n" " filter syntax follows the rules of the pcap library. This syntax is \n" " different from the display filter syntax.\" \n" " \n" " The capture filter syntax used by libpcap can be found in the \n" " tcpdump(8) man page. \n" " \n" " Q 5.6: I'm entering valid capture filters, but I still get \"parse \n" " error\" errors. \n" " \n" " A: There is a bug in some versions of libpcap/WinPcap that causes it to \n" " report parse errors even for valid expressions if a previous filter \n" " expression was invalid and got a parse error. \n" " \n" " Try exiting and restarting Ethereal; if you are using a version of \n" " libpcap/WinPcap with this bug, this will \"erase\" its memory of the \n" " previous parse error. If the capture filter that got the \"parse error\" \n" " now works, the earlier error with that filter was probably due to this \n" " bug. \n" " \n" " The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of \n" " libpcap have this bug, but 0.6[.x] and later versions don't. \n" " \n" " Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of \n" " libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and \n" " doesn't have this bug. \n" " \n" " If you are running Ethereal on a UNIX-flavored platform, run \"ethereal \n" " -v\", or select \"About Ethereal...\" from the \"Help\" menu in Ethereal, \n" " to see what version of libpcap it's using. If it's not 0.6 or later, \n" " you will need either to upgrade your OS to get a later version of \n" " libpcap, or will need to build and install a later version of libpcap \n" " from the tcpdump.org Web site and then recompile Ethereal from source \n" " with that later version of libpcap. 
\n" " \n" " If you are running Ethereal on Windows with a pre-2.3 version of \n" " WinPcap, you will need to un-install WinPcap and then download and \n" " install WinPcap 2.3. \n" " \n" " Q 5.7: I saved a filter and tried to use its name to filter the \n" " display, but I got an \"Unexpected end of filter string\" error. \n" " \n" " A: You cannot use the name of a saved display filter as a filter. To \n" " filter the display, you can enter a display filter expression - not \n" " the name of a saved display filter - in the \"Filter:\" box at the \n" " bottom of the display, and type the key or press the \"Apply\" button \n" " (that does not require you to have a saved filter), or, if you want to \n" " use a saved filter, you can press the \"Filter:\" button, select the \n" " filter in the dialog box that pops up, and press the \"OK\" button. \n" " \n" " Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums? \n" " \n" " A: If the packets that have incorrect TCP checksums are all being sent \n" " by the machine on which Ethereal is running, this is probably because \n" " the network interface on which you're capturing does TCP checksum \n" " offloading. That means that the TCP checksum is added to the packet by \n" " the network interface, not by the OS's TCP/IP stack; when capturing on \n" " an interface, packets being sent by the host on which you're capturing \n" " are directly handed to the capture interface by the OS, which means \n" " that they are handed to the capture interface without a TCP checksum \n" " being added to them. \n" " \n" " The only way to prevent this from happening would be to disable TCP \n" " checksum offloading, but \n" " 1. that might not even be possible on some OSes; \n" " 2. that could reduce networking performance significantly. 
\n" " \n" " However, you can disable the check that Ethereal does of the TCP \n" " checksum, so that it won't report any packets as having TCP checksum \n" " errors, and so that it won't refuse to do TCP reassembly due to a \n" " packet having an incorrect TCP checksum. That can be set as an \n" " Ethereal preference by selecting \"Preferences\" from the \"Edit\" menu, \n" " opening up the \"Protocols\" list in the left-hand pane of the \n" " \"Preferences\" dialog box, selecting \"TCP\", from that list, turning off \n" " the \"Check the validity of the TCP checksum when possible\" option, \n" " clicking \"Save\" if you want to save that setting in your preference \n" " file, and clicking \"OK\". \n" " \n" " It can also be set on the Ethereal or Tethereal command line with a -o \n" " tcp.check_checksum:false command-line flag, or manually set in your \n" " preferences file by adding a tcp.check_checksum:false line. \n" " \n" " Q 5.9: I've just installed Ethereal, and the traffic on my local LAN \n" " is boring. \n" " \n" " A: We have a collection of strange and exotic sample capture files at \n" " http://www.ethereal.com/sample/ \n" " \n" " Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error \n" " when I start it. \n" " \n" " A: Some versions of the GTK+ library from www.sunfreeware.org appear \n" " to be buggy, causing Ethereal to drop core with a Bus Error. \n" " Un-install those packages, and try getting the 1.2.10 version from \n" " that site, or the version from The Written Word, or the version from \n" " Sun's GNOME distribution, or the version from the supplemental \n" " software CD that comes with the Solaris media kit, or build it from \n" " source from the GTK Web site. Update the GLib library to the 1.2.10 \n" " version, from the same source, as well. (If you get the 1.2.10 \n" " versions from www.sunfreeware.org, and the problem persists, \n" " un-install them and try installing one of the other versions \n" " mentioned.) 
\n" " \n" " Similar problems may exist with older versions of GTK+ for earlier \n" " versions of Solaris. \n" " \n" " Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson \n" " error, reporting an \"Integer division by zero\" exception, when I start \n" " it. \n" " \n" " A: In at least some cases, this appears to be due to using the default \n" " VGA driver; if that's not the correct driver for your video card, try \n" " running the correct driver for your video card. \n" " \n" " Q 5.12: When I try to run Ethereal, it complains about \n" " sprint_realloc_objid being undefined. \n" " \n" " A: Ethereal can only be linked with version 4.2.2 or later of UCD \n" " SNMP. Your version of Ethereal was dynamically linked with such a \n" " version of UCD SNMP; however, you have an older version of UCD SNMP \n" " installed, which means that when Ethereal is run, it tries to link to \n" " the older version, and fails. You will have to replace that version of \n" " UCD SNMP with version 4.2.2 or a later version. \n" " \n" " Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only \n" " 100ms resolution, rather than 1us resolution? \n" " \n" " A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap \n" " get them from the OS kernel, so Ethereal - and any other program using \n" " libpcap, such as tcpdump - is at the mercy of the time stamping code \n" " in the OS for time stamps. \n" " \n" " At least on x86-based machines, Linux can get high-resolution time \n" " stamps on newer processors with the Time Stamp Counter (TSC) register; \n" " for example, Intel x86 processors, starting with the Pentium Pro, and \n" " including all x86 processors since then, have had a TSC, and other \n" " vendors probably added the TSC at some point to their families of x86 \n" " processors. \n" " \n" " The Linux kernel must be configured with the CONFIG_X86_TSC option \n" " enabled in order to use the TSC. 
Make sure this option is enabled in \n" " your kernel. \n" " \n" " In addition, some Linux distributions may have bugs in their versions \n" " of the kernel that cause packets not to be given high-resolution time \n" " stamps even if the TSC is enabled. See, for example, bug 61111 for Red \n" " Hat Linux 7.2. If your distribution has a bug such as this, you may \n" " have to run a standard kernel from kernel.org in order to get \n" " high-resolution time stamps. \n" " \n" " Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n" " why are the time stamps on packets wrong? \n" " \n" " A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap \n" " 3.0. \n" " \n" " Q 5.15: When I try to run Ethereal on Windows, it fails to run because \n" " it can't find packet.dll. \n" " \n" " A: In older versions of Ethereal, there were two binary distributions \n" " available for Windows, one that supported capturing packets, and one \n" " that didn't. The version that supported capturing packets required \n" " that you install the WinPcap driver; if you didn't install it, it \n" " would fail to run because it couldn't find packet.dll. \n" " \n" " The current version of Ethereal has only one binary distribution for \n" " Windows; that version will check whether WinPcap is installed and, if \n" " it's not, will disable support for packet capture. \n" " \n" " The WinPcap driver and libraries can be downloaded from the WinPcap \n" " Web site, the local mirror of the WinPcap Web site, or the \n" " Wiretapped.net mirror of the WinPcap site. \n" " \n" " Q 5.16: I'm running Ethereal on Windows; why does some network \n" " interface on my machine not show up in the list of interfaces in the \n" " \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" " and/or why does Ethereal give me an error if I try to capture on that \n" " interface? 
\n" " \n" " A: If you are running Ethereal on Windows NT 4.0, Windows 2000, \n" " Windows XP, or Windows Server, and this is the first time you have run \n" " a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, \n" " or Analyzer, or...) since the machine was rebooted, you need to run \n" " that program from an account with administrator privileges; once you \n" " have run such a program, you will not need administrator privileges to \n" " run any such programs until you reboot. \n" " \n" " If you are running on Windows 95/98/Me, or if you are running on \n" " Windows NT 4.0/2000/XP/Server and have administrator privileges or a \n" " WinPcap-based program has been run with those privileges since the \n" " machine rebooted, then note that Ethereal relies on the WinPcap \n" " library, on the WinPcap device driver, and on the facilities that come \n" " with the OS on which it's running in order to do captures. \n" " \n" " Therefore, if the OS, the WinPcap library, or the WinPcap driver don't \n" " support capturing on a particular network interface device, Ethereal \n" " won't be able to capture on that device. \n" " \n" " Note that: \n" " * 2.02 and earlier versions of the WinPcap driver and library that \n" " Ethereal uses for packet capture didn't support Token Ring \n" " interfaces; the current version, 2.3, does support Token Ring, and \n" " the current version of Ethereal works with (and, in fact, \n" " requires) WinPcap 2.1 or later. \n" " If you are having problems capturing on Token Ring interfaces, and \n" " you have WinPcap 2.02 or an earlier version of WinPcap installed, \n" " you should uninstall WinPcap, download and install the current \n" " version of WinPcap, and then install the latest version of \n" " Ethereal. 
\n" " * On Windows 95, 98, or Me, sometimes more than one interface will \n" " be given the same name; if that is the case, you will only be able \n" " to capture on one of those interfaces - it's not clear to which \n" " one the name, when used in a WinPcap-based application, will \n" " refer. For example, if you have a PPP serial interface and a VPN \n" " interface, they might show up with the same name, for example \n" " \"ppp-mac\", and if you try to capture on \"ppp-mac\", it might not \n" " capture on the interface you're currently using. In that case, you \n" " might, for example, have to remove the VPN interface from the \n" " system in order to capture on the PPP serial interface. \n" " * WinPcap doesn't support PPP WAN interfaces on Windows \n" " NT/2000/XP/Server, so Ethereal cannot capture packets on those \n" " devices when running on Windows NT/2000/XP/Server. Regular dial-up \n" " lines, ISDN lines, and various other lines such as T1/E1 lines are \n" " all PPP interfaces. This may cause the interface not to show up on \n" " the list of interfaces in the \"Capture Options\" dialog. \n" " * WinPcap prior to 3.0 does not support multiprocessor machines \n" " (note that machines with a single multi-threaded processor, such \n" " as Intel's new multi-threaded x86 processors, are multiprocessor \n" " machines as far as the OS and WinPcap are concerned), and recent \n" " 2.x versions of WinPcap refuse to operate if they detect that \n" " they're running on a multiprocessor machine, which means that they \n" " may not show any network interfaces. You will need to use WinPcap \n" " 3.0 to capture on a multiprocessor machine. \n" " \n" " If an interface doesn't show up in the list of interfaces in the \n" " \"Interface:\" field, and you know the name of the interface, try \n" " entering that name in the \"Interface:\" field and capturing on that \n" " device. 
\n" " \n" " If the attempt to capture on it succeeds, the interface is somehow not \n" " being reported by the mechanism Ethereal uses to get a list of \n" " interfaces; please report this to ethereal-dev@ethereal.com giving \n" " full details of the problem, including \n" " * the operating system you're using, and the version of that \n" " operating system; \n" " * the type of network device you're using. \n" " \n" " If you are having trouble capturing on a particular network interface, \n" " and you've made sure that (on platforms that require it) you've \n" " arranged that packet capture support is present, as per the above, \n" " first try capturing on that device with WinDump; see the WinDump Web \n" " site or the local mirror of the WinDump Web site for information on \n" " using WinDump. \n" " \n" " If you can capture on the interface with WinDump, send mail to \n" " ethereal-users@ethereal.com giving full details of the problem, \n" " including \n" " * the operating system you're using, and the version of that \n" " operating system; \n" " * the type of network device you're using; \n" " * the error message you get from Ethereal. \n" " \n" " If you cannot capture on the interface with WinDump, this is almost \n" " certainly a problem with one or more of: \n" , " * the operating system you're using; \n" " * the device driver for the interface you're using; \n" " * the WinPcap library and/or the WinPcap device driver; \n" " \n" " so first check the WinPcap FAQ, the local mirror of that FAQ, or the \n" " Wiretapped.net mirror of that FAQ, to see if your problem is mentioned \n" " there. If not, then see the WinPcap support page (or the local mirror \n" " of that page) - check the \"Submitting bugs\" section. \n" " \n" " You may also want to ask the ethereal-users@ethereal.com and the \n" " winpcap-users@winpcap.polito.it mailing lists to see if anybody \n" " happens to know about the problem and know a workaround or fix for the \n" " problem. 
(Note that you will have to subscribe to that list in order \n" " to be allowed to mail to it; see the WinPcap support page, or the \n" " local mirror of that page, for information on the mailing list.) In \n" " your mail, please give full details of the problem, as described \n" " above, and also indicate that the problem occurs with WinDump, not \n" " just with Ethereal. \n" " \n" " Q 5.17: I'm running on a UNIX-flavored OS; why does some network \n" " interface on my machine not show up in the list of interfaces in the \n" " \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" " and/or why does Ethereal give me an error if I try to capture on that \n" " interface? \n" " \n" " A: You may need to run Ethereal from an account with sufficient \n" " privileges to capture packets, such as the super-user account. Only \n" " those interfaces that Ethereal can open for capturing show up in that \n" " list; if you don't have sufficient privileges to capture on any \n" " interfaces, no interfaces will show up in the list. \n" " \n" " If you are running Ethereal from an account with sufficient \n" " privileges, then note that Ethereal relies on the libpcap library, and \n" " on the facilities that come with the OS on which it's running in order \n" " to do captures. \n" " \n" " Therefore, if the OS or the libpcap library don't support capturing on \n" " a particular network interface device, Ethereal won't be able to \n" " capture on that device. \n" " \n" " On Linux, note that you need to have \"packet socket\" support enabled \n" " in your kernel; see the \"Packet socket\" item in the Linux \n" " \"Configure.help\" file. \n" " \n" " On BSD, note that you need to have BPF support enabled in your kernel; \n" " see the documentation for your system for information on how to enable \n" " BPF support (if it's not enabled by default on your system). 
\n" " \n" " On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have \n" " packet filtering support in your kernel; the doconfig command will \n" " allow you to configure and build a new kernel with that option. \n" " \n" " On Solaris, note that libpcap 0.6.2 and earlier didn't support Token \n" " Ring interfaces; the current version, 0.7.2, does support Token Ring, \n" " and the current version of Ethereal works with libpcap 0.7.2 and later. \n" " \n" " If an interface doesn't show up in the list of interfaces in the \n" " \"Interface:\" field, and you know the name of the interface, try \n" " entering that name in the \"Interface:\" field and capturing on that \n" " device. \n" " \n" " If the attempt to capture on it succeeds, the interface is somehow not \n" " being reported by the mechanism Ethereal uses to get a list of \n" " interfaces; please report this to ethereal-dev@ethereal.com giving \n" " full details of the problem, including \n" " * the operating system you're using, and the version of that \n" " operating system (for Linux, give both the version number of the \n" " kernel and the name and version number of the distribution you're \n" " using); \n" " * the type of network device you're using. \n" " \n" " If you are having trouble capturing on a particular network interface, \n" " and you've made sure that (on platforms that require it) you've \n" " arranged that packet capture support is present, as per the above, \n" " first try capturing on that device with tcpdump. 
\n" " \n" " If you can capture on the interface with tcpdump, send mail to \n" " ethereal-users@ethereal.com giving full details of the problem, \n" " including \n" " * the operating system you're using, and the version of that \n" " operating system (for Linux, give both the version number of the \n" " kernel and the name and version number of the distribution you're \n" " using); \n" " * the type of network device you're using; \n" " * the error message you get from Ethereal. \n" " \n" " If you cannot capture on the interface with tcpdump, this is almost \n" " certainly a problem with one or more of: \n" " * the operating system you're using; \n" " * the device driver for the interface you're using; \n" " * the libpcap library; \n" " \n" " so you should report the problem to the company or organization that \n" " produces the OS (in the case of a Linux distribution, report the \n" " problem to whoever produces the distribution). \n" " \n" " You may also want to ask the ethereal-users@ethereal.com and the \n" " tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to \n" " know about the problem and know a workaround or fix for the problem. \n" " In your mail, please give full details of the problem, as described \n" " above, and also indicate that the problem occurs with tcpdump not just \n" " with Ethereal. \n" " \n" " Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine \n" " has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the \n" " \"Interface\" item in the \"Capture Options\" dialog box. Why can no \n" " packets be sent on or received from that network while I'm trying to \n" " capture traffic on that interface? \n" " \n" " A: WinPcap doesn't support PPP WAN interfaces on Windows \n" " NT/2000/XP/Server; one symptom that may be seen is that attempts to \n" " capture in promiscuous mode on the interface cause the interface to be \n" " incapable of sending or receiving packets. 
You can disable promiscuous \n" " mode using the -p command-line flag or the item in the \"Capture \n" " Preferences\" dialog box, but this may mean that outgoing packets, or \n" " incoming packets, won't be seen in the capture. \n" " \n" " Q 5.19: I'm running Ethereal on Windows 95/98/Me, on a machine with \n" " more than one network adapter of the same type; Ethereal shows all of \n" " those adapters with the same name, but I can't use any of those \n" " adapters other than the first one. \n" " \n" " A: Unfortunately, Windows 95/98/Me gives the same name to multiple \n" " instances of the same type of network adapter. Therefore, WinPcap \n" " cannot distinguish between them, so a WinPcap-based application can \n" " capture only on the first such interface; Ethereal is a \n" " libpcap/WinPcap-based application. \n" " \n" " Q 5.20: I'm running Ethereal on Windows, and I'm not seeing any \n" " traffic being sent by the machine running Ethereal. \n" " \n" " A: If you are running some form of VPN client software, it might be \n" " causing this problem; people have seen this problem when they have \n" " Check Point's VPN software installed on their machine. If that's the \n" " cause of the problem, you will have to remove the VPN software in \n" " order to have Ethereal (or any other application using WinPcap) see \n" " outgoing packets; unfortunately, neither we nor the WinPcap developers \n" " know any way to make WinPcap and the VPN software work well together. \n" " \n" " Also, some drivers for Windows (especially some wireless network \n" " interface drivers) apparently do not, when running in promiscuous \n" " mode, arrange that outgoing packets are delivered to the software that \n" " requested that the interface run promiscuously; try turning \n" " promiscuous mode off. \n" " \n" " Q 5.21: I'm trying to capture traffic but I'm not seeing any. 
\n" " \n" " A: Is the machine running Ethereal sending out any traffic on the \n" " network interface on which you're capturing, or receiving any traffic \n" " on that network, or is there any broadcast traffic on the network or \n" " multicast traffic to a multicast group to which the machine running \n" " Ethereal belongs? \n" " \n" " If not, this may just be a problem with promiscuous sniffing, either \n" " due to running on a switched network or a dual-speed hub, or due to \n" " problems with the interface not supporting promiscuous mode; see the \n" " response to this earlier question. \n" " \n" " Otherwise, on Windows, see the response to this question and, on a \n" " UNIX-flavored OS, see the response to this question. \n" " \n" " Q 5.22: I have an XXX network card on my machine; if I try to capture \n" " on it, my machine crashes or resets itself. \n" " \n" " A: This is almost certainly a problem with one or more of: \n" " * the operating system you're using; \n" " * the device driver for the interface you're using; \n" " * the libpcap/WinPcap library and, if this is Windows, the WinPcap \n" " device driver; \n" " \n" " so: \n" " * if you are using Windows, see the WinPcap support page (or the \n" " local mirror of that page) - check the \"Submitting bugs\" section; \n" " * if you are using some Linux distribution, some version of BSD, or \n" " some other UNIX-flavored OS, you should report the problem to the \n" " company or organization that produces the OS (in the case of a \n" " Linux distribution, report the problem to whoever produces the \n" " distribution). \n" " \n" " Q 5.23: My machine crashes or resets itself when I select \"Start\" from \n" " the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n" " \n" " A: Both of those operations cause Ethereal to try to build a list of \n" " the interfaces that it can open; it does so by getting a list of \n" " interfaces and trying to open them. 
There is probably an OS, driver, \n" " or, for Windows, WinPcap bug that causes the system to crash when this \n" " happens; see the previous question. \n" " \n" " Q 5.24: Does Ethereal work on Windows ME? \n" " \n" " A: Yes, but if you want to capture packets, you will need to install \n" " the latest version of WinPcap, as 2.02 and earlier versions of WinPcap \n" " didn't support Windows ME. You should also install the latest version \n" " of Ethereal. \n" " \n" " Q 5.25: Does Ethereal work on Windows XP? \n" " \n" " A: Yes, but if you want to capture packets, you will need to install \n" " the latest version of WinPcap, as 2.2 and earlier versions of WinPcap \n" " didn't support Windows XP. \n" " \n" " Q 5.26: Why doesn't Ethereal correctly identify RTP packets? It shows \n" " them only as UDP. \n" " \n" " A: Ethereal can identify a UDP datagram as containing a packet of a \n" " particular protocol running atop UDP only if \n" " 1. The protocol in question has a particular standard port number, \n" " and the UDP source or destination port number is that port. \n" " 2. Packets of that protocol can be identified by looking for a \n" " \"signature\" of some type in the packet - i.e., some data that, if \n" " Ethereal finds it in some particular part of a packet, means that \n" " the packet is almost certainly a packet of that type. \n" " 3. Some other traffic earlier in the capture indicated that, for \n" " example, UDP traffic between two particular addresses and ports \n" " will be RTP traffic. \n" " \n" " RTP doesn't have a standard port number, so 1) doesn't work; it \n" " doesn't, as far as I know, have any \"signature\", so 2) doesn't work. \n" " \n" " That leaves 3). If there's RTSP traffic that sets up an RTP session, \n" " then, at least in some cases, the RTSP dissector will set things up so \n" " that subsequent RTP traffic will be identified. Currently, that's the \n" " only place we do that; there may be other places. 
\n" " \n" " However, there will always be places where Ethereal is simply \n" " incapable of deducing that a given UDP flow is RTP; a mechanism would \n" " be needed to allow the user to specify that a given conversation \n" " should be treated as RTP. As of Ethereal 0.8.16, such a mechanism \n" " exists; if you select a UDP or TCP packet, the right mouse button menu \n" " will have a \"Decode As...\" menu item, which will pop up a dialog box \n" " letting you specify that the source port, the destination port, or \n" " both the source and destination ports of the packet should be \n" " dissected as some particular protocol. \n" " \n" " Q 5.27: Why doesn't Ethereal show Yahoo Messenger packets in captures \n" " that contain Yahoo Messenger traffic? \n" " \n" " A: Ethereal only recognizes as Yahoo Messenger traffic packets to or \n" " from TCP port 3050 that begin with \"YPNS\", \"YHOO\", or \"YMSG\". TCP \n" " segments that start with the middle of a Yahoo Messenger packet that \n" " takes more than one TCP segment will not be recognized as Yahoo \n" " Messenger packets (even if the TCP segment also contains the beginning \n" " of another Yahoo Messenger packet). \n" " \n" " Q 5.28: Why do I get the error \n" " \n" " Gdk-ERROR **: Palettized display (256-colour) mode not supported on \n" " Windows. \n" " aborting.... \n" " \n" " when I try to run Ethereal on Windows? \n" " \n" " A: Ethereal is built using the GTK+ toolkit, which supports most \n" " UNIX-flavored OSes, and also supports Windows. \n" " \n" " Windows versions of Ethereal before 0.9.14 were built with an older \n" " version of that toolkit, which didn't support 256-color mode on \n" " Windows - it required HiColor (16-bit colors) or more. \n" " \n" " Windows versions of Ethereal 0.9.14 and later are built with a version \n" " of that toolkit that supports 256-color mode; upgrade to the current \n" " version of Ethereal if you want to run on a display in 256-color mode. 
\n" " \n" " Q 5.29: When I capture on Windows in promiscuous mode, I can see \n" " packets other than those sent to or from my machine; however, those \n" " packets show up with a \"Short Frame\" indication, unlike packets to or \n" " from my machine. What should I do to arrange that I see those packets \n" " in their entirety? \n" " \n" " A: In at least some cases, this appears to be the result of PGPnet \n" " running on the network interface on which you're capturing; turn it \n" " off on that interface. \n" " \n" " Q 5.30: How can I capture raw 802.11 packets, including non-data \n" " (management, beacon) packets? \n" " \n" " A: That would require that your 802.11 interface run in the mode \n" " called \"monitor mode\" or \"RFMON mode\". Not all operating systems \n" " support that and, even on operating systems that do support it, not \n" " all drivers, and thus not all cards, support it. \n" " \n" " Cisco Aironet cards: \n" " \n" " The only platforms that allow Ethereal to capture raw 802.11 packets \n" " on Cisco Aironet cards are: \n" " * Linux, with a 2.4.6 or later kernel; \n" " * FreeBSD 4.6 or later, as the driver in FreeBSD 4.5 has bugs that \n" " cause packets not to be captured correctly, and the driver in \n" " releases prior to 4.5 didn't support capturing raw packets. \n" " \n" " On FreeBSD, the ancontrol utility must be used; do not enable the full \n" " Aironet header via BPF, as Ethereal doesn't currently support that. \n" " \n" " On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will \n" " need to do \n" " \n" "echo \"Mode: rfmon\" >/proc/driver/aironet/ethN/Config \n" " \n" " if your Aironet card is ethN. 
To capture traffic from any BSS, do \n" " \n" "echo \"Mode: y\" >/proc/driver/aironet/ethN/Config \n" " \n" " and to return to the normal mode, do \n" " \n" "echo \"Mode: ess\" >/proc/driver/aironet/ethN/Config \n" " \n" " On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers \n" " from the airo-linux SourceForge site, you will have to capture on the \n" " wifiN interface if your Aironet card is ethN, after running the \n" " commands listed above. \n" " \n" " In all of those cases, Ethereal would have to be linked with libpcap \n" " 0.7.1 or later; this means that most Ethereal binary packages won't \n" " work unless they're statically linked with libpcap 0.7.1 or later, or \n" " they're dynamically linked with libpcap and your system has a libpcap \n" " 0.7.1 or later shared library installed (note that libpcap source \n" " package from tcpdump.org does not build shared libraries). Some binary \n" " packaging mechanisms might make it difficult to install Ethereal \n" " binary packages built to depend on older libpcap binary packages if \n" " you have a newer libpcap binary package installed; the installer \n" " programs for those packaging mechanisms might support disabling \n" " dependency checking so that they will install Ethereal even though a \n" " newer version of libpcap is installed. \n" " \n" " Cards using the Prism II chip set (see this page of Linux 802.11 \n" " information for details on wireless cards, including information on \n" " the chips they use): \n" " \n" " You can capture raw 802.11 packets with Prism II cards on Linux \n" " systems with the 0.1.14-pre6 or later version of the linux-wlan-ng \n" " drivers (see the linux-wlan page, and the linux-wlan-ng tarball \n" " directory). 
\n" " \n" " Those require either Solomon Peachy's patch to libpcap 0.7.1 (see his \n" " libpcap-0.7.1-prism.diff file, or his RPMs of that version of \n" " libpcap), or the current CVS version of libpcap, which includes his \n" " patch (download it from the \"Current Tar files\" section of the \n" " tcpdump.org Web site). If you apply his patches to libpcap 0.7.1 and \n" " rebuild and install libpcap, or if you build and install the current \n" " CVS version of libpcap, you would have to rebuild Ethereal from \n" " source, linking it with that new version of libpcap; an Ethereal \n" " binary package would not work. Ethereal binary packages might work if \n" " you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install \n" " a libpcap shared library in place of the one on your system. \n" " \n" " You may have to run a command to put the interface into monitor mode, \n" " or to change other interface settings, and you might have to capture \n" " on a wlanN interface rather than an ethN interface, in order to capture \n" " raw 802.11 packets. The interface settings are available in your \n" " wlan-ng.conf file. See the wlan-ng FAQ for additional information. \n" " \n" " On other platforms, capturing raw 802.11 packets on Prism II cards is \n" " not currently supported. \n" " \n" " Orinoco Silver and Gold cards: \n" " \n" " On Linux systems, there are patches on the Orinoco Monitor Mode Patch \n" " Page that should allow you to capture raw 802.11 packets. You will \n" " have to determine which version of the driver you have, and select the \n" " appropriate patch. \n" " \n" " Note that the page indicates that not all versions of the Orinoco \n" " firmware support this patch. 
It says, for some versions of the patch, \n" " \"This patch should allow monitor mode with v8.10 firmware (untested w/ \n" " 8.42);\" if you have version 8.10 or later firmware on your Orinoco \n" " cards, you might have to use those patches, with the corresponding \n" " versions of the Orinoco driver, in order to run in monitor mode. \n" " \n" " That patch is written for the drivers included with the pcmcia-cs \n" " drivers, but works equally well for the Orinoco drivers provided with \n" " Linux kernels up to 2.4.20. To apply a patch to your kernel drivers, \n" " simply copy the orinoco-09b-patch.diff file to the \n" " /usr/src/linux/drivers/net directory and patch according to the \n" " directions on the Orinoco Monitor Mode Patch Page. You can double- \n" " check the version of the Orinoco drivers that shipped with your kernel \n" " by examining the first few lines of the orinoco.c file. \n" " \n" " The Orinoco patches require either Solomon Peachy's patch to libpcap\n" " 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that \n" " version of libpcap), or the current CVS version of libpcap, which \n" " includes his patch (download it from the \"Current Tar files\" section \n" " of the tcpdump.org Web site). If you apply his patches to libpcap \n" " 0.7.1 and rebuild and install libpcap, or if you build and install the \n" " current CVS version of libpcap, you would have to rebuild Ethereal \n" " from source, linking it with that new version of libpcap; an Ethereal \n" " binary package would not work. Ethereal binary packages might work if \n" " you install the libpcap-0.7.1-1prism.i386.rpm RPM, as it might install \n" " a libpcap shared library in place of the one on your system. \n" " \n" " On other platforms, capturing raw 802.11 packets on Orinoco cards is \n" " not currently supported. \n" " \n" " Other 802.11 interfaces: \n" " \n" " With other 802.11 interfaces, no platform allows Ethereal to capture \n" " raw 802.11 packets, as far as we know. 
If you know of other 802.11 \n" " interfaces that are supported (note that there are many \"Prism II \n" " cards\", so your card might be a Prism II card), please let us know, \n" " and include URLs for sites containing any necessary patches to add \n" " this support. \n" , " \n" " On platforms that don't allow Ethereal to capture raw 802.11 packets, \n" " the 802.11 network will appear like an Ethernet to Ethereal. \n" " \n" " Q 5.31: How can I capture packets with CRC errors? \n" " \n" " A: Ethereal can capture only the packets that the packet capture \n" " library - libpcap on UNIX-flavored OSes, and the WinPcap port to \n" " Windows of libpcap on Windows - can capture, and libpcap/WinPcap can \n" " capture only the packets that the OS's raw packet capture mechanism \n" " (or the WinPcap driver, and the underlying OS networking code and \n" " network interface drivers, on Windows) will allow it to capture. \n" " \n" " Unless the OS can be configured to supply packets with errors such as \n" " invalid CRCs to the raw packet capture mechanism, Ethereal - and other \n" " programs that capture raw packets, such as tcpdump - cannot capture \n" " those packets. You will have to determine whether your OS can be so \n" " configured, configure it if possible, and make whatever changes to \n" " libpcap and the packet capture program you're using are necessary to \n" " support capturing those packets. \n" " \n" " Q 5.32: How can I capture entire frames, including the FCS? \n" " \n" " A: Ethereal can't capture any data that the packet capture library - \n" " libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of\n" " libpcap on Windows - can't capture, and libpcap/WinPcap can capture only\n" " the data that the OS's raw packet capture mechanism (or the WinPcap \n" " driver, and the underlying OS networking code and network interface \n" " drivers, on Windows) will allow it to capture. 
\n" " \n" " For any particular link-layer network type, unless the OS supplies the \n" " FCS of a frame as part of the frame, or can be configured to supply \n" " the FCS of a frame as part of the frame, Ethereal - and other programs \n" " that capture raw packets, such as tcpdump - cannot capture the FCS of \n" " a frame. You will have to determine whether your OS can be so \n" " configured, configure it if possible, and make whatever changes to \n" " libpcap and the packet capture program you're using are necessary to \n" " support capturing the FCS of a frame. Most if not all OSes probably do \n" " not support capturing the FCS of a frame on Ethernet, and probably do \n" " not support it on most other link-layer types. \n" " \n" " Q 5.33: Ethereal hangs after I stop a capture. \n" " \n" " A: The most likely reason for this is that Ethereal is trying to look \n" " up an IP address in the capture to convert it to a name (so that, for \n" " example, it can display the name in the source address or destination \n" " address columns), and that lookup process is taking a very long time. \n" " \n" " Ethereal calls a routine in the OS of the machine on which it's \n" " running to convert IP addresses to the corresponding names. That \n" " routine probably does one or more of: \n" " * a search of a system file listing IP addresses and names; \n" " * a lookup using DNS; \n" " * on UNIX systems, a lookup using NIS; \n" " * on Windows systems, a NetBIOS-over-TCP query. \n" " \n" " If a DNS server that's used in an address lookup is not responding, \n" " the lookup will fail, but will only fail after a timeout while the \n" " system routine waits for a reply. \n" " \n" " In addition, on Windows systems, if the DNS lookup of the address \n" " fails, either because the server isn't responding or because there are \n" " no records in the DNS that could be used to map the address to a name, \n" " a NetBIOS-over-TCP query will be made. 
That query involves sending a \n" " message to the NetBIOS-over-TCP name service on that machine, asking \n" " for the name and other information about the machine. If the machine \n" " isn't running software that responds to those queries - for example, \n" " many non-Windows machines wouldn't be running that software - the \n" " lookup will only fail after a timeout. Those timeouts can cause the \n" " lookup to take a long time. \n" " \n" " If you disable network address-to-name translation - for example, by \n" " turning off the \"Enable network name resolution\" option in the \"Name \n" " resolution\" options in the dialog box you get by selecting \n" " \"Preferences\" from the \"Edit\" menu - the lookups of the address won't \n" " be done, which may speed up the process of reading the capture file \n" " after the capture is stopped. You can make that setting the default by \n" " using the \"Save\" button in that dialog box; note that this will save \n" " all your current preference settings. \n" " \n" " If Ethereal hangs when reading a capture even with network name \n" " resolution turned off, there might, for example, be a bug in one of \n" " Ethereal's dissectors for a protocol causing it to loop infinitely. \n" " The bug should be reported to the Ethereal developers' mailing list at \n" " ethereal-dev@ethereal.com. \n" " \n" " On UNIX-flavored OSes, please try to force Ethereal to dump core, by \n" " sending it a SIGABRT signal (usually signal 6) with the kill command, \n" " and then get a stack trace if you have a debugger installed. A stack \n" " trace can be obtained by using your debugger (gdb in this example), \n" " the Ethereal binary, and the resulting core file. Here's an example of \n" " how to use the gdb command backtrace to do so. \n" " $ gdb ethereal core \n" " (gdb) backtrace \n" " ..... 
prints the stack trace \n" " (gdb) quit \n" " $ \n" " \n" " The core dump file may be named \"ethereal.core\" rather than \"core\" on \n" " some platforms (e.g., BSD systems) \n" " \n" " Also, if at all possible, please send a copy of the capture file that \n" " caused the problem; when capturing packets, Ethereal normally writes \n" " captured packets to a temporary file, which will probably be in /tmp \n" " or /var/tmp on UNIX-flavored OSes and \\TEMP on Windows, so the capture \n" " file will probably be there. It will have a name beginning with ether, \n" " with some mixture of letters and numbers after that. Please don't send \n" " a trace file greater than 1 MB when compressed. If the trace file \n" " contains sensitive information (e.g., passwords), then please do not \n" " send it. \n" " \n" " Q 5.34: How can I search for, or filter, packets that have a \n" " particular string anywhere in them? \n" " \n" " A: If you want to do this when capturing, you can't. That's a feature \n" " that would be hard to implement in capture filters without changes to \n" " the capture filter code, which, on many platforms, is in the OS kernel \n" " and, on other platforms, is in the libpcap library. \n" " \n" " In releases prior to 0.9.14, you also can't search for, or filter, \n" " packets containing a particular string even after you've captured \n" " them. \n" " \n" " In 0.9.14, you can search for, but not filter, packets that have a \n" " particular string; this has been added to the \"Find Frame\" dialog \n" " (\"Find Frame\" under the \"Edit\" menu, or control-F). \n" " \n" " \n" " Support can be found on the ethereal-users[AT]ethereal.com mailing \n" " list. \n" " For corrections/additions/suggestions for this page, please send email \n" " to: ethereal-web[AT]ethereal.com \n" " Last modified: Tue, August 19 2003. \n" }; #define FAQ_PARTS 5 #define FAQ_SIZE 80384
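/* Added example, not part of the generated FAQ or of Ethereal's own dissector code: the recognition rule from Q 5.27 (port 3050 plus a leading "YPNS", "YHOO" or "YMSG" marker), run over constructed segments to show why a segment that starts mid-message stays unlabelled. The helper names looks_like_ymsg, first_marker_offset and marker_at and the payload bytes are assumptions made for illustration. */

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define YMSG_TCP_PORT 3050 /* port named in Q 5.27 */

static const char *const ymsg_markers[] = { "YPNS", "YHOO", "YMSG" };
#define N_MARKERS (sizeof ymsg_markers / sizeof ymsg_markers[0])

/* Constructed sample payloads (not taken from a real capture). */
static const uint8_t seg_start[] = { 'Y','M','S','G', 0x00, 0x0b, 0x00, 0x00 };
/* Tail of one message followed by the start of the next one. */
static const uint8_t seg_mid[] = { 'd','a','t','a','!','!','Y','H','O','O', 0x00, 0x01 };

/* Hypothetical helper: 1 if the four bytes at p are one of the markers. */
static int marker_at(const uint8_t *p)
{
    size_t i;
    for (i = 0; i < N_MARKERS; i++)
        if (memcmp(p, ymsg_markers[i], 4) == 0)
            return 1;
    return 0;
}

/* The rule as Q 5.27 states it: port 3050 on either side AND the segment
 * begins with a marker. The length is checked before any byte is read. */
int looks_like_ymsg(uint16_t sport, uint16_t dport, const uint8_t *payload, size_t len)
{
    if (sport != YMSG_TCP_PORT && dport != YMSG_TCP_PORT)
        return 0;
    if (payload == NULL || len < 4)
        return 0;
    return marker_at(payload);
}

/* Offset of the first marker anywhere in the segment, or -1. Used only to
 * show what a start-of-segment check never looks at. */
long first_marker_offset(const uint8_t *payload, size_t len)
{
    size_t i;
    for (i = 0; payload != NULL && i + 4 <= len; i++)
        if (marker_at(payload + i))
            return (long)i;
    return -1;
}

int main(void)
{
    printf("start-of-message segment: %d\n",
           looks_like_ymsg(40000, YMSG_TCP_PORT, seg_start, sizeof seg_start));
    printf("mid-message segment: %d (marker at offset %ld)\n",
           looks_like_ymsg(40000, YMSG_TCP_PORT, seg_mid, sizeof seg_mid),
           first_marker_offset(seg_mid, sizeof seg_mid));
    return 0;
}
```

/* When reviewing a capture, a missing protocol label on a flow is therefore not evidence that the protocol is absent; the same flow on another port, or a segment that begins mid-message, fails this rule. */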