author | Jörg Mayer <jmayer@loplof.de> | 2003-12-21 03:20:35 +0000 |
---|---|---|
committer | Jörg Mayer <jmayer@loplof.de> | 2003-12-21 03:20:35 +0000 |
commit | f1218206e31463eb4a29f7dc0f7e0f6d03f45634 | |
tree | 84164203ca506361039c230e923e6669996814a3 /help | |
parent | 9345308925bf112e2cc59fc975af02d934f2b323 | |
Update FAQ to December 12 2003
svn path=/trunk/; revision=9375
Diffstat (limited to 'help')
-rw-r--r-- | help/faq.h | 736 |
-rw-r--r-- | help/faq.txt | 718 |
2 files changed, 893 insertions, 561 deletions
diff --git a/help/faq.h b/help/faq.h index 4506c9a5ee..0ff71cab84 100644 --- a/help/faq.h +++ b/help/faq.h 
@@ -70,53 +70,53 @@ const char *faq_part[] = { " \n" " 5.3 I'm only seeing ARP packets when I try to capture traffic. \n" " \n" -" 5.4 How do I put an interface into promiscuous mode? \n" +" 5.4 I'm running Ethereal on Windows; why does some network interface \n" +" on my machine not show up in the list of interfaces in the \n" +" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" +" and/or why does Ethereal give me an error if I try to capture on that \n" +" interface? \n" +" \n" +" 5.5 I'm running on a UNIX-flavored OS; why does some network interface \n" +" on my machine not show up in the list of interfaces in the \n" +" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" +" and/or why does Ethereal give me an error if I try to capture on that \n" +" interface? \n" " \n" -" 5.5 I can set a display filter just fine, but capture filters don't \n" +" 5.6 How do I put an interface into promiscuous mode? \n" +" \n" +" 5.7 I can set a display filter just fine, but capture filters don't \n" " work. \n" " \n" -" 5.6 I'm entering valid capture filters, but I still get \"parse error\" \n" +" 5.8 I'm entering valid capture filters, but I still get \"parse error\" \n" " errors. \n" " \n" -" 5.7 I saved a filter and tried to use its name to filter the display, \n" +" 5.9 I saved a filter and tried to use its name to filter the display, \n" " but I got an \"Unexpected end of filter string\" error. \n" " \n" -" 5.8 Why am I seeing lots of packets with incorrect TCP checksums? \n" +" 5.10 Why am I seeing lots of packets with incorrect TCP checksums? \n" " \n" -" 5.9 I've just installed Ethereal, and the traffic on my local LAN is \n" +" 5.11 I've just installed Ethereal, and the traffic on my local LAN is \n" " boring. \n" " \n" -" 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I \n" +" 5.12 When I run Ethereal on Solaris 8, it dies with a Bus Error when I \n" " start it. 
\n" " \n" -" 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson \n" +" 5.13 When I run Ethereal on Windows NT, it dies with a Dr. Watson \n" " error, reporting an \"Integer division by zero\" exception, when I start \n" " it. \n" " \n" -" 5.12 When I try to run Ethereal, it complains about \n" +" 5.14 When I try to run Ethereal, it complains about \n" " sprint_realloc_objid being undefined. \n" " \n" -" 5.13 I'm running Ethereal on Linux; why do my time stamps have only \n" +" 5.15 I'm running Ethereal on Linux; why do my time stamps have only \n" " 100ms resolution, rather than 1us resolution? \n" " \n" -" 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n" +" 5.16 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n" " why are the time stamps on packets wrong? \n" " \n" -" 5.15 When I try to run Ethereal on Windows, it fails to run because it \n" +" 5.17 When I try to run Ethereal on Windows, it fails to run because it \n" " can't find packet.dll. \n" " \n" -" 5.16 I'm running Ethereal on Windows; why does some network interface \n" -" on my machine not show up in the list of interfaces in the \n" -" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" -" and/or why does Ethereal give me an error if I try to capture on that \n" -" interface? \n" -" \n" -" 5.17 I'm running on a UNIX-flavored OS; why does some network \n" -" interface on my machine not show up in the list of interfaces in the \n" -" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" -" and/or why does Ethereal give me an error if I try to capture on that \n" -" interface? \n" -" \n" " 5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has \n" " a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the \n" " \"Interface\" item in the \"Capture Options\" dialog box. Why can no \n" 
@@ -139,7 +139,7 @@ const char *faq_part[] = { " 5.23 My machine crashes or resets itself when I select \"Start\" from \n" " the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n" " \n" -" 5.24 Does Ethereal work on Windows ME? \n" +" 5.24 Does Ethereal work on Windows Me? \n" " \n" " 5.25 Does Ethereal work on Windows XP? \n" " \n" @@ -166,13 +166,20 @@ const char *faq_part[] = { " 5.30 How can I capture raw 802.11 packets, including non-data \n" " (management, beacon) packets? \n" " \n" -" 5.31 How can I capture packets with CRC errors? \n" +" 5.31 I'm trying to capture 802.11 traffic on Windows; why am I not \n" +" seeing any packets? \n" +" \n" +" 5.32 I'm trying to capture 802.11 traffic on Windows; why am I seeing \n" +" packets received by the machine on which I'm capturing traffic, but \n" +" not packets sent by that machine? \n" " \n" -" 5.32 How can I capture entire frames, including the FCS? \n" +" 5.33 How can I capture packets with CRC errors? \n" " \n" -" 5.33 Ethereal hangs after I stop a capture. \n" +" 5.34 How can I capture entire frames, including the FCS? \n" " \n" -" 5.34 How can I search for, or filter, packets that have a particular \n" +" 5.35 Ethereal hangs after I stop a capture. \n" +" \n" +" 5.36 How can I search for, or filter, packets that have a particular \n" " string anywhere in them? \n" " \n" " GENERAL QUESTIONS \n" 
@@ -184,12 +191,19 @@ const char *faq_part[] = { " \n" " Q 1.2: What protocols are currently supported? \n" " \n" -" A: There are currently 393 supported protocols and media, listed \n" +" A: There are currently 442 supported protocols and media, listed \n" " below. Descriptions can be found in the ethereal(1) man page. \n" " \n" " 802.1q Virtual LAN \n" " 802.1x Authentication \n" +" AAL type 2 signalling protocol - Capability set 1 (Q.2630.1) \n" " AFS (4.0) Replication Server call declarations \n" +" ANSI A-I/F BSMAP \n" +" ANSI A-I/F DTAP \n" +" ANSI IS-637-A (SMS) Teleservice Layer \n" +" ANSI IS-637-A (SMS) Transport Layer \n" +" ANSI IS-683-A (OTA (Mobile)) \n" +" ANSI Mobile Application Part \n" " AOL Instant Messenger \n" " ARCNET \n" " ATM \n" @@ -202,6 +216,7 @@ const char *faq_part[] = { " Address Resolution Protocol \n" " Aggregate Server Access Protocol \n" " Alert Standard Forum \n" +" Alteon - Transparent Proxy Cache Protocol \n" " Andrew File System (AFS) \n" " Apache JServ Protocol v1.3 \n" " AppleTalk Filing Protocol \n" @@ -212,6 +227,8 @@ const char *faq_part[] = { " Async data over ISDN (V.120) \n" " Authentication Header \n" " BACnet Virtual Link Control \n" +" BSS GPRS Protocol \n" +" BSSAP/BSAP \n" " Banyan Vines ARP \n" " Banyan Vines Echo \n" " Banyan Vines Fragmentation Protocol \n" @@ -221,6 +238,8 @@ const char *faq_part[] = { " Banyan Vines LLC \n" " Banyan Vines RTP \n" " Banyan Vines SPP \n" +" Bearer Independent Call Control \n" +" Bi-directional Fault Detection Control Message \n" " Blocks Extensible Exchange Protocol \n" " Boardwalk \n" " Boot Parameters \n" @@ -228,6 +247,7 @@ const char *faq_part[] = { " Border Gateway Protocol \n" " Building Automation and Control Network APDU \n" " Building Automation and Control Network NPDU \n" +" CCSDS \n" " CDS Clerk Server Calls \n" " Check Point High Availability Protocol \n" " Checkpoint FW-1 \n" 
@@ -244,6 +264,8 @@ const char *faq_part[] = { " CoSine IPNOS L2 debug output \n" " Common Open Policy Service \n" " Common Unix Printing System (CUPS) Browsing Protocol \n" +" Connectionless Lightweight Directory Access Protocol \n" +" Cross Point Frame Injector \n" " DCE DFS Calls \n" " DCE Distributed Time Service Local Server \n" " DCE Distributed Time Service Provider \n" @@ -251,15 +273,21 @@ const char *faq_part[] = { " DCE RPC \n" " DCE Security ID Mapper \n" " DCE/RPC BOS Server \n" +" DCE/RPC BUDB \n" +" DCE/RPC BUTC \n" " DCE/RPC CDS Solicitation \n" " DCE/RPC Conversation Manager \n" " DCE/RPC Endpoint Mapper \n" +" DCE/RPC Endpoint Mapper4 \n" " DCE/RPC FLDB \n" " DCE/RPC FLDB UBIK TRANSFER \n" " DCE/RPC FLDB UBIKVOTE \n" +" DCE/RPC ICL RPC \n" " DCE/RPC Kerberos V \n" " DCE/RPC RS_ACCT \n" +" DCE/RPC RS_BIND \n" " DCE/RPC RS_MISC \n" +" DCE/RPC RS_PROP_ACCT \n" " DCE/RPC RS_UNIX \n" " DCE/RPC Remote Management \n" " DCE/RPC Repserver Calls \n" @@ -299,20 +327,28 @@ const char *faq_part[] = { " Fibre Channel Name Server \n" " Fibre Channel Protocol for SCSI \n" " Fibre Channel SW_ILS \n" +" Fibre Channel Security Protocol \n" +" Fibre Channel Single Byte Command \n" " File Transfer Protocol (FTP) \n" " Financial Information eXchange Protocol \n" " Frame \n" " Frame Relay \n" " GARP Multicast Registration Protocol \n" " GARP VLAN Registration Protocol \n" +" GPRS Network service \n" " GPRS Tunneling Protocol \n" -" GPRS Tunnelling Protocol v0 \n" -" GPRS Tunnelling Protocol v1 \n" +" GSM A-I/F BSSMAP \n" +" GSM A-I/F DTAP \n" +" GSM A-I/F RP \n" +" GSM Mobile Application Part \n" +" GSM SMS TPDU (GSM 03.40) \n" " General Inter-ORB Protocol \n" " Generic Routing Encapsulation \n" " Generic Security Service Application Program Interface \n" " Gnutella Protocol \n" +" H225 \n" " H245 \n" +" H4501 \n" " HP Extended Local-Link Control \n" " HP Remote Maintenance Protocol \n" " Hummingbird NFS Daemon \n" 
@@ -332,10 +368,12 @@ const char *faq_part[] = { " ISDN User Part \n" " ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol \n" " ISO 8073 COTP Connection-Oriented Transport Protocol \n" +" ISO 8327-1 OSI Session Protocol \n" " ISO 8473 CLNP ConnectionLess Network Protocol \n" " ISO 8602 CLTP ConnectionLess Transport Protocol \n" " ISO 9542 ESIS Routeing Information Exchange Protocol \n" " ITU-T Recommendation H.261 \n" +" ITU-T Recommendation H.263 RTP Payload header (RFC2190) \n" " InMon sFlow \n" " Intel ANS probe \n" " Intelligent Platform Management Interface \n" @@ -346,6 +384,7 @@ const char *faq_part[] = { " Internet Control Message Protocol \n" " Internet Control Message Protocol v6 \n" " Internet Group Management Protocol \n" +" Internet Group membership Authentication Protocol \n" " Internet Message Access Protocol \n" " Internet Printing Protocol \n" " Internet Protocol \n" @@ -359,7 +398,13 @@ const char *faq_part[] = { " Kerberos \n" " Kerberos Administration \n" " Kernel Lock Manager \n" +" LWAP Control Message \n" +" LWAPP Encapsulated Packet \n" +, + +" LWAPP Layer 3 Packet \n" " Label Distribution Protocol \n" +" Laplink \n" " Layer 2 Tunneling Protocol \n" " Lightweight Directory Access Protocol \n" " Line Printer Daemon Protocol \n" @@ -375,6 +420,7 @@ const char *faq_part[] = { " Lucent/Ascend debug output \n" " MDS Header \n" " MMS Message Encapsulation \n" +" MS Kpasswd \n" " MS Proxy Protocol \n" " MSN Messenger Service \n" " MSNIP: Multicast Source Notification of Interest Protocol \n" @@ -385,6 +431,7 @@ const char *faq_part[] = { " Message Transfer Part Level 2 \n" " Message Transfer Part Level 3 \n" " Message Transfer Part Level 3 Management \n" +" Microsoft Directory Replication Service \n" " Microsoft Distributed File System \n" " Microsoft Exchange MAPI \n" " Microsoft Local Security Architecture \n" 
@@ -400,8 +447,6 @@ const char *faq_part[] = { " Microsoft Telephony API Service \n" " Microsoft Windows Browser Protocol \n" " Microsoft Windows Lanman Remote API Protocol \n" -, - " Microsoft Windows Logon Protocol \n" " Microsoft Workstation Service \n" " Mobile IP \n" @@ -434,6 +479,7 @@ const char *faq_part[] = { " Network Status Monitor CallBack Protocol \n" " Network Status Monitor Protocol \n" " Network Time Protocol \n" +" Nortel SONMP \n" " Novell Distributed Print System \n" " Null/Loopback \n" " Open Shortest Path First \n" @@ -459,7 +505,7 @@ const char *faq_part[] = { " PPP-over-Ethernet Discovery \n" " PPP-over-Ethernet Session \n" " PPPMux Control Protocol \n" -" Packet Encoding Rules (ASN.1 X.691) \n" +" Packed Encoding Rules (ASN.1 X.691) \n" " Point-to-Point Protocol \n" " Point-to-Point Tunnelling Protocol \n" " Portmap \n" @@ -470,14 +516,17 @@ const char *faq_part[] = { " Protocol Independent Multicast \n" " Q.2931 \n" " Q.931 \n" +" Q.933 \n" " Quake II Network Protocol \n" " Quake III Arena Network Protocol \n" " Quake Network Protocol \n" " QuakeWorld Network Protocol \n" " Qualified Logical Link Control \n" " RFC 2250 MPEG1 \n" +" RFC 2833 RTP Event \n" " RIPng \n" " RPC Browser \n" +" RS Interface properties \n" " RSTAT \n" " RSYNC File Synchroniser \n" " RX Protocol \n" @@ -495,6 +544,7 @@ const char *faq_part[] = { " Remote Program Load \n" " Remote Quota \n" " Remote Shell \n" +" Remote Shutdown \n" " Remote Wall protocol \n" " Remote sec_login preauth interface. \n" " Resource ReserVation Protocol (RSVP) \n" @@ -503,6 +553,7 @@ const char *faq_part[] = { " Routing Table Maintenance Protocol \n" " SADMIND \n" " SCSI \n" +" SEBEK - Kernel Data Capture \n" " SGI Mount Service \n" " SMB (Server Message Block Protocol) \n" " SMB MailSlot Protocol \n" 
@@ -521,11 +572,13 @@ const char *faq_part[] = { " Session Announcement Protocol \n" " Session Description Protocol \n" " Session Initiation Protocol \n" +" Session Initiation Protocol (SIP as raw text) \n" " Short Message Peer to Peer \n" " Signalling Connection Control Part \n" " Signalling Connection Control Part Management \n" " Simple Mail Transfer Protocol \n" " Simple Network Management Protocol \n" +" Simple Traversal of UDP Through NAT \n" " Sinec H1 Protocol \n" " Skinny Client Control Protocol \n" " SliMP3 Communication Protocol \n" @@ -537,8 +590,10 @@ const char *faq_part[] = { " Syslog message \n" " Systems Network Architecture \n" " Systems Network Architecture XID \n" +" T38 \n" " TACACS \n" " TACACS+ \n" +" TEREDO Tunneling IPv6 over UDP through NATs \n" " TPKT \n" " Tabular Data Stream \n" " Tazmen Sniffer Protocol \n" @@ -547,6 +602,7 @@ const char *faq_part[] = { " Time Synchronization Protocol \n" " Token-Ring \n" " Token-Ring Media Access Control \n" +" Transaction Capabilities Application Part \n" " Transmission Control Protocol \n" " Transparent Network Substrate Protocol \n" " Trivial File Transfer Protocol \n" 
@@ -698,11 +754,17 @@ const char *faq_part[] = { " Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be \n" " installed; only Tethereal is installed. \n" " \n" -" A: Red Hat RPMs for Ethereal put only the non-GUI components into the \n" -" ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding; \n" -" there's a separate ethereal-gnome RPM that includes GUI components \n" -" such as Ethereal itself, the fact that Ethereal doesn't use GNOME \n" -" nonwithstanding. Find the ethereal-gnome RPM, and install that also. \n" +" A: Older versions of the Red Hat RPMs for Ethereal put only the \n" +" non-GUI components into the ethereal RPM, the fact that Ethereal is a \n" +" GUI program nonwithstanding; newer versions make it a bit clearer by \n" +" giving that RPM a name starting with ethereal-base. \n" +" \n" +" In those older versions, there's a separate ethereal-gnome RPM that \n" +" includes GUI components such as Ethereal itself, the fact that \n" +" Ethereal doesn't use GNOME nonwithstanding; newer versions make it a \n" +" bit clearer by giving that RPM a name starting with ethereal-gtk+. \n" +" \n" +" Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also. \n" " \n" " BUILDING ETHEREAL \n" " Q 4.1: The configure script can't find pcap.h or bpf.h, but I have \n" @@ -740,6 +802,8 @@ const char *faq_part[] = { " \n" " On Solaris, changing your command search path to search /usr/xpg4/bin \n" " before /usr/bin should make the problem go away; on any platform on \n" +, + " which you have this problem, installing GNU sed and changing your \n" " command path to search the directory in which it is installed before \n" " searching the directory with the version of sed that came with the OS \n" 
@@ -802,13 +866,28 @@ const char *faq_part[] = { " this. See, for example: \n" " * this documentation from Cisco on the Switched Port Analyzer (SPAN) \n" " feature on Catalyst switches; \n" -, - " * documentation from HP on how to set \"monitoring\"/\"mirroring\" on \n" " ports on the console for HP Advancestack Switch 208 and 224; \n" " * the \"Network Monitoring Port Features\" section of chapter 6 of \n" " documentation from HP for HP ProCurve Switches 1600M, 2424M, \n" -" 4000M, and 8000M. \n" +" 4000M, and 8000M; \n" +" * the \"Switch Port-Mirroring\" section of chapter 6 of documentation \n" +" from Extreme Networks for their Summit 200 switches; \n" +" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n" +" in Foundry Networks' documentation for their FastIron Edge \n" +" Switches; \n" +" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n" +" in Foundry Networks' documentation for their BigIron MG8 Layer 3 \n" +" Switches; \n" +" * the \"Port Monitor\" subsection of the \"Status Monitor and \n" +" Statistics\" section of the documentation from Foundry Networks for \n" +" their EdgeIron 4802F and 10GC2F switches; \n" +" * the \"Configuring Port Mirroring\" section of chapter 3 of the \n" +" documentation from Foundry Networks for their EdgeIron 24G, \n" +" 2402CF, and 4802CF switches; \n" +" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n" +" in Foundry Networks' documentation for their other switches and \n" +" metro routers. \n" " \n" " Note also that many firewall/NAT boxes have a switch built into them; \n" " this includes many of the \"cable/DSL router\" boxes. If you have a box \n" 
@@ -905,7 +984,199 @@ const char *faq_part[] = { " I.e., this is probably the same question as this earlier one; see the \n" " response to that question. \n" " \n" -" Q 5.4: How do I put an interface into promiscuous mode? \n" +" Q 5.4: I'm running Ethereal on Windows; why does some network \n" +" interface on my machine not show up in the list of interfaces in the \n" +" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" +" and/or why does Ethereal give me an error if I try to capture on that \n" +" interface? \n" +" \n" +" A: If you are running Ethereal on Windows NT 4.0, Windows 2000, \n" +" Windows XP, or Windows Server, and this is the first time you have run \n" +" a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, \n" +" or Analyzer, or...) since the machine was rebooted, you need to run \n" +" that program from an account with administrator privileges; once you \n" +" have run such a program, you will not need administrator privileges to \n" +" run any such programs until you reboot. \n" +" \n" +" If you are running on Windows 95/98/Me, or if you are running on \n" +" Windows NT 4.0/2000/XP/Server and have administrator privileges or a \n" +" WinPcap-based program has been run with those privileges since the \n" +" machine rebooted, then note that Ethereal relies on the WinPcap \n" +" library, on the WinPcap device driver, and on the facilities that come \n" +" with the OS on which it's running in order to do captures. \n" +" \n" +" Therefore, if the OS, the WinPcap library, or the WinPcap driver don't \n" +" support capturing on a particular network interface device, Ethereal \n" +" won't be able to capture on that device. \n" +" \n" +" Note that: \n" +" 1. 
2.02 and earlier versions of the WinPcap driver and library that \n" +" Ethereal uses for packet capture didn't support Token Ring \n" +" interfaces; versions 2.1 and later support Token Ring, and the \n" +" current version of Ethereal works with (and, in fact, requires) \n" +" WinPcap 2.1 or later. \n" +" If you are having problems capturing on Token Ring interfaces, and \n" +" you have WinPcap 2.02 or an earlier version of WinPcap installed, \n" +" you should uninstall WinPcap, download and install the current \n" +" version of WinPcap, and then install the latest version of \n" +" Ethereal. \n" +" 2. On Windows 95, 98, or Me, sometimes more than one interface will \n" +" be given the same name; if that is the case, you will only be able \n" +" to capture on one of those interfaces - it's not clear to which \n" +" one the name, when used in a WinPcap-based application, will \n" +" refer. For example, if you have a PPP serial interface and a VPN \n" +" interface, they might show up with the same name, for example \n" +" \"ppp-mac\", and if you try to capture on \"ppp-mac\", it might not \n" +" capture on the interface you're currently using. In that case, you \n" +" might, for example, have to remove the VPN interface from the \n" +" system in order to capture on the PPP serial interface. \n" +" 3. WinPcap doesn't support PPP WAN interfaces on Windows \n" +" NT/2000/XP/Server, so Ethereal cannot capture packets on those \n" +" devices when running on Windows NT/2000/XP/Server. Regular dial-up \n" +" lines, ISDN lines, and various other lines such as T1/E1 lines are \n" +" all PPP interfaces. This may cause the interface not to show up on \n" +" the list of interfaces in the \"Capture Options\" dialog. \n" +" 4. 
WinPcap prior to 3.0 does not support multiprocessor machines \n" +" (note that machines with a single multi-threaded processor, such \n" +" as Intel's new multi-threaded x86 processors, are multiprocessor \n" +" machines as far as the OS and WinPcap are concerned), and recent \n" +" 2.x versions of WinPcap refuse to operate if they detect that \n" +" they're running on a multiprocessor machine, which means that they \n" +" may not show any network interfaces. You will need to use WinPcap \n" +" 3.0 to capture on a multiprocessor machine. \n" +" \n" +" If an interface doesn't show up in the list of interfaces in the \n" +" \"Interface:\" field, and you know the name of the interface, try \n" +" entering that name in the \"Interface:\" field and capturing on that \n" +" device. \n" +" \n" +" If the attempt to capture on it succeeds, the interface is somehow not \n" +" being reported by the mechanism Ethereal uses to get a list of \n" +" interfaces; please report this to ethereal-dev@ethereal.com giving \n" +" full details of the problem, including \n" +" * the operating system you're using, and the version of that \n" +" operating system; \n" +" * the type of network device you're using. \n" +" \n" +" If you are having trouble capturing on a particular network interface, \n" +" first try capturing on that device with WinDump; see the WinDump Web \n" +" site or the local mirror of the WinDump Web site for information on \n" +" using WinDump. \n" +" \n" +" If you can capture on the interface with WinDump, send mail to \n" +" ethereal-users@ethereal.com giving full details of the problem, \n" +" including \n" +" * the operating system you're using, and the version of that \n" +" operating system; \n" +" * the type of network device you're using; \n" +" * the error message you get from Ethereal. 
\n" +" \n" +" If you cannot capture on the interface with WinDump, this is almost \n" +" certainly a problem with one or more of: \n" +" * the operating system you're using; \n" +" * the device driver for the interface you're using; \n" +" * the WinPcap library and/or the WinPcap device driver; \n" +" \n" +" so first check the WinPcap FAQ, the local mirror of that FAQ, or the \n" +" Wiretapped.net mirror of that FAQ, to see if your problem is mentioned \n" +" there. If not, then see the WinPcap support page (or the local mirror \n" +" of that page) - check the \"Submitting bugs\" section. \n" +" \n" +" You may also want to ask the ethereal-users@ethereal.com and the \n" +" winpcap-users@winpcap.polito.it mailing lists to see if anybody \n" +" happens to know about the problem and know a workaround or fix for the \n" +" problem. (Note that you will have to subscribe to that list in order \n" +" to be allowed to mail to it; see the WinPcap support page, or the \n" +" local mirror of that page, for information on the mailing list.) In \n" +" your mail, please give full details of the problem, as described \n" +" above, and also indicate that the problem occurs with WinDump, not \n" +" just with Ethereal. \n" +" \n" +" Q 5.5: I'm running on a UNIX-flavored OS; why does some network \n" +" interface on my machine not show up in the list of interfaces in the \n" +" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" +" and/or why does Ethereal give me an error if I try to capture on that \n" +" interface? \n" +" \n" +" A: You may need to run Ethereal from an account with sufficient \n" +" privileges to capture packets, such as the super-user account. Only \n" +" those interfaces that Ethereal can open for capturing show up in that \n" +" list; if you don't have sufficient privileges to capture on any \n" +" interfaces, no interfaces will show up in the list. 
\n" +" \n" +" If you are running Ethereal from an account with sufficient \n" +" privileges, then note that Ethereal relies on the libpcap library, and \n" +" on the facilities that come with the OS on which it's running in order \n" +" to do captures. \n" +" \n" +" Therefore, if the OS or the libpcap library don't support capturing on \n" +" a particular network interface device, Ethereal won't be able to \n" +" capture on that device. \n" +" \n" +" On Linux, note that you need to have \"packet socket\" support enabled \n" +" in your kernel; see the \"Packet socket\" item in the Linux \n" +" \"Configure.help\" file. \n" +" \n" +" On BSD, note that you need to have BPF support enabled in your kernel; \n" +" see the documentation for your system for information on how to enable \n" +" BPF support (if it's not enabled by default on your system). \n" +" \n" +" On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have \n" +" packet filtering support in your kernel; the doconfig command will \n" +" allow you to configure and build a new kernel with that option. \n" +" \n" +" On Solaris, note that libpcap 0.6.2 and earlier didn't support Token \n" +" Ring interfaces; the current version, 0.7.2, does support Token Ring, \n" +" and the current version of Ethereal works with libcap 0.7.2 and later. \n" +" \n" +" If an interface doesn't show up in the list of interfaces in the \n" +" \"Interface:\" field, and you know the name of the interface, try \n" +" entering that name in the \"Interface:\" field and capturing on that \n" +" device. 
\n" +" \n" +" If the attempt to capture on it succeeds, the interface is somehow not \n" +" being reported by the mechanism Ethereal uses to get a list of \n" +" interfaces; please report this to ethereal-dev@ethereal.com giving \n" +" full details of the problem, including \n" +" * the operating system you're using, and the version of that \n" +" operating system (for Linux, give both the version number of the \n" +" kernel and the name and version number of the distribution you're \n" +" using); \n" +" * the type of network device you're using. \n" +" \n" +" If you are having trouble capturing on a particular network interface, \n" +" and you've made sure that (on platforms that require it) you've \n" +" arranged that packet capture support is present, as per the above, \n" +" first try capturing on that device with tcpdump. \n" +" \n" +" If you can capture on the interface with tcpdump, send mail to \n" +" ethereal-users@ethereal.com giving full details of the problem, \n" +" including \n" +" * the operating system you're using, and the version of that \n" +" operating system (for Linux, give both the version number of the \n" +" kernel and the name and version number of the distribution you're \n" +" using); \n" +" * the type of network device you're using; \n" +" * the error message you get from Ethereal. \n" +" \n" +" If you cannot capture on the interface with tcpdump, this is almost \n" +" certainly a problem with one or more of: \n" +" * the operating system you're using; \n" +" * the device driver for the interface you're using; \n" +" * the libpcap library; \n" +" \n" +" so you should report the problem to the company or organization that \n" +" produces the OS (in the case of a Linux distribution, report the \n" +" problem to whoever produces the distribution). 
\n" +" \n" +" You may also want to ask the ethereal-users@ethereal.com and the \n" +" tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to \n" +" know about the problem and know a workaround or fix for the problem. \n" +" In your mail, please give full details of the problem, as described \n" +" above, and also indicate that the problem occurs with tcpdump not just \n" +" with Ethereal. \n" +" \n" +" Q 5.6: How do I put an interface into promiscuous mode? \n" " \n" " A: By not disabling promiscuous mode when running Ethereal or \n" " Tethereal. \n" @@ -927,12 +1198,14 @@ const char *faq_part[] = { " I.e., this is probably the same question as this earlier one; see the \n" " response to that question. \n" " \n" -" Q 5.5: I can set a display filter just fine, but capture filters don't \n" +" Q 5.7: I can set a display filter just fine, but capture filters don't \n" " work. \n" " \n" " A: Capture filters currently use a different syntax than display \n" " filters. Here's the corresponding section from the ethereal(1) man \n" " page: \n" +, + " \n" " \"Display filters in Ethereal are very powerful; more fields are \n" " filterable in Ethereal than in other protocol analyzers, and the \n" @@ -947,7 +1220,7 @@ const char *faq_part[] = { " The capture filter syntax used by libpcap can be found in the \n" " tcpdump(8) man page. \n" " \n" -" Q 5.6: I'm entering valid capture filters, but I still get \"parse \n" +" Q 5.8: I'm entering valid capture filters, but I still get \"parse \n" " error\" errors. \n" " \n" " A: There is a bug in some versions of libpcap/WinPcap that cause it to \n" 
@@ -979,7 +1252,7 @@ const char *faq_part[] = { " WinPcap, you will need to un-install WinPcap and then download and \n" " install WinPcap 2.3. \n" " \n" -" Q 5.7: I saved a filter and tried to use its name to filter the \n" +" Q 5.9: I saved a filter and tried to use its name to filter the \n" " display, but I got an \"Unexpected end of filter string\" error. \n" " \n" " A: You cannot use the name of a saved display filter as a filter. To \n" @@ -990,7 +1263,7 @@ const char *faq_part[] = { " use a saved filter, you can press the \"Filter:\" button, select the \n" " filter in the dialog box that pops up, and press the \"OK\" button. \n" " \n" -" Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums? \n" +" Q 5.10: Why am I seeing lots of packets with incorrect TCP checksums? \n" " \n" " A: If the packets that have incorrect TCP checksums are all being sent \n" " by the machine on which Ethereal is running, this is probably because \n" @@ -1022,13 +1295,13 @@ const char *faq_part[] = { " tcp.check_checksum:false command-line flag, or manually set in your \n" " preferences file by adding a tcp.check_checksum:false line. \n" " \n" -" Q 5.9: I've just installed Ethereal, and the traffic on my local LAN \n" +" Q 5.11: I've just installed Ethereal, and the traffic on my local LAN \n" " is boring. \n" " \n" " A: We have a collection of strange and exotic sample capture files at \n" " http://www.ethereal.com/sample/ \n" " \n" -" Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error \n" +" Q 5.12: When I run Ethereal on Solaris 8, it dies with a Bus Error \n" " when I start it. \n" " \n" " A: Some versions of the GTK+ library from www.sunfreeware.org appear \n" 
@@ -1046,7 +1319,7 @@ const char *faq_part[] = { " Similar problems may exist with older versions of GTK+ for earlier \n" " versions of Solaris. \n" " \n" -" Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson \n" +" Q 5.13: When I run Ethereal on Windows NT, it dies with a Dr. Watson \n" " error, reporting an \"Integer division by zero\" exception, when I start \n" " it. \n" " \n" @@ -1054,7 +1327,7 @@ const char *faq_part[] = { " VGA driver; if that's not the correct driver for your video card, try \n" " running the correct driver for your video card. \n" " \n" -" Q 5.12: When I try to run Ethereal, it complains about \n" +" Q 5.14: When I try to run Ethereal, it complains about \n" " sprint_realloc_objid being undefined. \n" " \n" " A: Ethereal can only be linked with version 4.2.2 or later of UCD \n" @@ -1064,7 +1337,7 @@ const char *faq_part[] = { " the older version, and fails. You will have to replace that version of \n" " UCD SNMP with version 4.2.2 or a later version. \n" " \n" -" Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only \n" +" Q 5.15: I'm running Ethereal on Linux; why do my time stamps have only \n" " 100ms resolution, rather than 1us resolution? \n" " \n" " A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap \n" 
@@ -1090,13 +1363,13 @@ const char *faq_part[] = { " have to run a standard kernel from kernel.org in order to get \n" " high-resolution time stamps. \n" " \n" -" Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n" +" Q 5.16: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n" " why are the time stamps on packets wrong? \n" " \n" " A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap \n" " 3.0. \n" " \n" -" Q 5.15: When I try to run Ethereal on Windows, it fails to run because \n" +" Q 5.17: When I try to run Ethereal on Windows, it fails to run because \n" " it can't find packet.dll. \n" " \n" " A: In older versions of Ethereal, there were two binary distributions \n" 
@@ -1113,202 +1386,6 @@ const char *faq_part[] = { " Web site, the local mirror of the WinPcap Web site, or the \n" " Wiretapped.net mirror of the WinPcap site. \n" " \n" -" Q 5.16: I'm running Ethereal on Windows; why does some network \n" -" interface on my machine not show up in the list of interfaces in the \n" -" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" -" and/or why does Ethereal give me an error if I try to capture on that \n" -" interface? \n" -" \n" -" A: If you are running Ethereal on Windows NT 4.0, Windows 2000, \n" -" Windows XP, or Windows Server, and this is the first time you have run \n" -" a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, \n" -" or Analyzer, or...) since the machine was rebooted, you need to run \n" -" that program from an account with administrator privileges; once you \n" -" have run such a program, you will not need administrator privileges to \n" -" run any such programs until you reboot. \n" -" \n" -" If you are running on Windows 95/98/Me, or if you are running on \n" -" Windows NT 4.0/2000/XP/Server and have administrator privileges or a \n" -" WinPcap-based program has been run with those privileges since the \n" -" machine rebooted, then note that Ethereal relies on the WinPcap \n" -" library, on the WinPcap device driver, and on the facilities that come \n" -" with the OS on which it's running in order to do captures. \n" -" \n" -" Therefore, if the OS, the WinPcap library, or the WinPcap driver don't \n" -" support capturing on a particular network interface device, Ethereal \n" -" won't be able to capture on that device. \n" -" \n" -" Note that: \n" -" * 2.02 and earlier versions of the WinPcap driver and library that \n" -" Ethereal uses for packet capture didn't support Token Ring \n" -" interfaces; the current version, 2.3, does support Token Ring, and \n" -" the current version of Ethereal works with (and, in fact, \n" -" requires) WinPcap 2.1 or later. 
\n" -" If you are having problems capturing on Token Ring interfaces, and \n" -" you have WinPcap 2.02 or an earlier version of WinPcap installed, \n" -" you should uninstall WinPcap, download and install the current \n" -" version of WinPcap, and then install the latest version of \n" -" Ethereal. \n" -" * On Windows 95, 98, or Me, sometimes more than one interface will \n" -" be given the same name; if that is the case, you will only be able \n" -" to capture on one of those interfaces - it's not clear to which \n" -" one the name, when used in a WinPcap-based application, will \n" -" refer. For example, if you have a PPP serial interface and a VPN \n" -" interface, they might show up with the same name, for example \n" -" \"ppp-mac\", and if you try to capture on \"ppp-mac\", it might not \n" -" capture on the interface you're currently using. In that case, you \n" -" might, for example, have to remove the VPN interface from the \n" -" system in order to capture on the PPP serial interface. \n" -" * WinPcap doesn't support PPP WAN interfaces on Windows \n" -" NT/2000/XP/Server, so Ethereal cannot capture packets on those \n" -" devices when running on Windows NT/2000/XP/Server. Regular dial-up \n" -" lines, ISDN lines, and various other lines such as T1/E1 lines are \n" -" all PPP interfaces. This may cause the interface not to show up on \n" -" the list of interfaces in the \"Capture Options\" dialog. \n" -" * WinPcap prior to 3.0 does not support multiprocessor machines \n" -" (note that machines with a single multi-threaded processor, such \n" -" as Intel's new multi-threaded x86 processors, are multiprocessor \n" -" machines as far as the OS and WinPcap are concerned), and recent \n" -" 2.x versions of WinPcap refuse to operate if they detect that \n" -" they're running on a multiprocessor machine, which means that they \n" -" may not show any network interfaces. You will need to use WinPcap \n" -" 3.0 to capture on a multiprocessor machine. 
\n" -" \n" -" If an interface doesn't show up in the list of interfaces in the \n" -" \"Interface:\" field, and you know the name of the interface, try \n" -" entering that name in the \"Interface:\" field and capturing on that \n" -" device. \n" -" \n" -" If the attempt to capture on it succeeds, the interface is somehow not \n" -" being reported by the mechanism Ethereal uses to get a list of \n" -" interfaces; please report this to ethereal-dev@ethereal.com giving \n" -" full details of the problem, including \n" -" * the operating system you're using, and the version of that \n" -" operating system; \n" -" * the type of network device you're using. \n" -" \n" -" If you are having trouble capturing on a particular network interface, \n" -" and you've made sure that (on platforms that require it) you've \n" -" arranged that packet capture support is present, as per the above, \n" -" first try capturing on that device with WinDump; see the WinDump Web \n" -" site or the local mirror of the WinDump Web site for information on \n" -" using WinDump. \n" -" \n" -" If you can capture on the interface with WinDump, send mail to \n" -" ethereal-users@ethereal.com giving full details of the problem, \n" -" including \n" -" * the operating system you're using, and the version of that \n" -" operating system; \n" -" * the type of network device you're using; \n" -" * the error message you get from Ethereal. \n" -" \n" -" If you cannot capture on the interface with WinDump, this is almost \n" -" certainly a problem with one or more of: \n" -, - -" * the operating system you're using; \n" -" * the device driver for the interface you're using; \n" -" * the WinPcap library and/or the WinPcap device driver; \n" -" \n" -" so first check the WinPcap FAQ, the local mirror of that FAQ, or the \n" -" Wiretapped.net mirror of that FAQ, to see if your problem is mentioned \n" -" there. 
If not, then see the WinPcap support page (or the local mirror \n" -" of that page) - check the \"Submitting bugs\" section. \n" -" \n" -" You may also want to ask the ethereal-users@ethereal.com and the \n" -" winpcap-users@winpcap.polito.it mailing lists to see if anybody \n" -" happens to know about the problem and know a workaround or fix for the \n" -" problem. (Note that you will have to subscribe to that list in order \n" -" to be allowed to mail to it; see the WinPcap support page, or the \n" -" local mirror of that page, for information on the mailing list.) In \n" -" your mail, please give full details of the problem, as described \n" -" above, and also indicate that the problem occurs with WinDump, not \n" -" just with Ethereal. \n" -" \n" -" Q 5.17: I'm running on a UNIX-flavored OS; why does some network \n" -" interface on my machine not show up in the list of interfaces in the \n" -" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n" -" and/or why does Ethereal give me an error if I try to capture on that \n" -" interface? \n" -" \n" -" A: You may need to run Ethereal from an account with sufficient \n" -" privileges to capture packets, such as the super-user account. Only \n" -" those interfaces that Ethereal can open for capturing show up in that \n" -" list; if you don't have sufficient privileges to capture on any \n" -" interfaces, no interfaces will show up in the list. \n" -" \n" -" If you are running Ethereal from an account with sufficient \n" -" privileges, then note that Ethereal relies on the libpcap library, and \n" -" on the facilities that come with the OS on which it's running in order \n" -" to do captures. \n" -" \n" -" Therefore, if the OS or the libpcap library don't support capturing on \n" -" a particular network interface device, Ethereal won't be able to \n" -" capture on that device. 
\n" -" \n" -" On Linux, note that you need to have \"packet socket\" support enabled \n" -" in your kernel; see the \"Packet socket\" item in the Linux \n" -" \"Configure.help\" file. \n" -" \n" -" On BSD, note that you need to have BPF support enabled in your kernel; \n" -" see the documentation for your system for information on how to enable \n" -" BPF support (if it's not enabled by default on your system). \n" -" \n" -" On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have \n" -" packet filtering support in your kernel; the doconfig command will \n" -" allow you to configure and build a new kernel with that option. \n" -" \n" -" On Solaris, note that libpcap 0.6.2 and earlier didn't support Token \n" -" Ring interfaces; the current version, 0.7.2, does support Token Ring, \n" -" and the current version of Ethereal works with libcap 0.7.2 and later. \n" -" \n" -" If an interface doesn't show up in the list of interfaces in the \n" -" \"Interface:\" field, and you know the name of the interface, try \n" -" entering that name in the \"Interface:\" field and capturing on that \n" -" device. \n" -" \n" -" If the attempt to capture on it succeeds, the interface is somehow not \n" -" being reported by the mechanism Ethereal uses to get a list of \n" -" interfaces; please report this to ethereal-dev@ethereal.com giving \n" -" full details of the problem, including \n" -" * the operating system you're using, and the version of that \n" -" operating system (for Linux, give both the version number of the \n" -" kernel and the name and version number of the distribution you're \n" -" using); \n" -" * the type of network device you're using. \n" -" \n" -" If you are having trouble capturing on a particular network interface, \n" -" and you've made sure that (on platforms that require it) you've \n" -" arranged that packet capture support is present, as per the above, \n" -" first try capturing on that device with tcpdump. 
\n" -" \n" -" If you can capture on the interface with tcpdump, send mail to \n" -" ethereal-users@ethereal.com giving full details of the problem, \n" -" including \n" -" * the operating system you're using, and the version of that \n" -" operating system (for Linux, give both the version number of the \n" -" kernel and the name and version number of the distribution you're \n" -" using); \n" -" * the type of network device you're using; \n" -" * the error message you get from Ethereal. \n" -" \n" -" If you cannot capture on the interface with tcpdump, this is almost \n" -" certainly a problem with one or more of: \n" -" * the operating system you're using; \n" -" * the device driver for the interface you're using; \n" -" * the libpcap library; \n" -" \n" -" so you should report the problem to the company or organization that \n" -" produces the OS (in the case of a Linux distribution, report the \n" -" problem to whoever produces the distribution). \n" -" \n" -" You may also want to ask the ethereal-users@ethereal.com and the \n" -" tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to \n" -" know about the problem and know a workaround or fix for the problem. \n" -" In your mail, please give full details of the problem, as described \n" -" above, and also indicate that the problem occurs with tcpdump not just \n" -" with Ethereal. \n" -" \n" " Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine \n" " has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the \n" " \"Interface\" item in the \"Capture Options\" dialog box. Why can no \n" 
@@ -1394,11 +1471,11 @@ const char *faq_part[] = { " or, for Windows, WinPcap bug that causes the system to crash when this \n" " happens; see the previous question. \n" " \n" -" Q 5.24: Does Ethereal work on Windows ME? \n" +" Q 5.24: Does Ethereal work on Windows Me? \n" " \n" " A: Yes, but if you want to capture packets, you will need to install \n" " the latest version of WinPcap, as 2.02 and earlier versions of WinPcap \n" -" didn't support Windows ME. You should also install the latest version \n" +" didn't support Windows Me. You should also install the latest version \n" " of Ethereal as well. \n" " \n" " Q 5.25: Does Ethereal work on Windows XP? \n" @@ -1487,6 +1564,18 @@ const char *faq_part[] = { " support that and, even on operating systems that do support it, not \n" " all drivers, and thus not all cards, support it. \n" " \n" +" NOTE: an interface running in monitor mode will, on most if not all \n" +" platforms, not be able to act as a regular network interface; putting \n" +" it into monitor mode will, in effect, take your machine off of \n" +" whatever network it's on as long as the interface is in monitor mode, \n" +" allowing it only to passively capture packets. \n" +" \n" +" This means that you should disable name resolution when capturing in \n" +" monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump) \n" +" tries to display IP addresses as host names, it will probably block \n" +" for a long time trying to resolve the name because it will not be able \n" +" to communicate with any DNS or NIS servers. \n" +" \n" " Cisco Aironet cards: \n" " \n" " The only platforms that allow Ethereal to capture raw 802.11 packets \n" 
@@ -1496,15 +1585,30 @@ const char *faq_part[] = { " cause packets not to be captured correctly, and the driver in \n" " releases prior to 4.5 didn't support capturing raw packets. \n" " \n" -" On FreeBSD, the ancontrol utility must be used; do not enable the full \n" -" Aironet header via BPF, as Ethereal doesn't currently support that. \n" +" On FreeBSD, the ancontrol utility must be used. The command \n" +" \n" +"ancontrol -i anN -M flag \n" +" \n" +" is used to enable or disable monitor mode. If flag is 0, monitor mode \n" +" will be turned off; otherwise, flag should be the sum of: \n" +" * 1, to turn monitor mode on; \n" +" * 2, if you want to capture traffic from any BSS rather than just \n" +" the BSS with which the card is associated; \n" +" * 4, if you want to see beacon packets (capturing beacon packets \n" +" increases the CPU requirements of capturing). \n" +" \n" +" Don't add 8 in; Ethereal currently doesn't support the full Aironet \n" +" header. \n" " \n" " On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will \n" " need to do \n" " \n" "echo \"Mode: rfmon\" >/proc/driver/aironet/ethN/Config \n" " \n" -" if your Aironet card is ethN. To capture traffic from any BSS, do \n" +" if your Aironet card is ethN. To capture traffic from any BSS rather \n" +, + +" than just the BSS with which the card is associated, do \n" " \n" "echo \"Mode: y\" >/proc/driver/aironet/ethN/Config \n" " \n" 
@@ -1512,10 +1616,10 @@ const char *faq_part[] = { " \n" "echo \"Mode: ess\" >/proc/driver/aironet/ethN/Config \n" " \n" -" On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers \n" -" from the airo-linux SourceForge site, you will have to capture on the \n" -" wifiN interface if your Aironet card is ethN, after running the \n" -" commands listed above. \n" +" On Linux with the driver in the 2.4.20 or later kernel, or with the \n" +" CVS drivers from the airo-linux SourceForge site, you will have to \n" +" capture on the wifiN interface if your Aironet card is ethN, after \n" +" running the commands listed above. \n" " \n" " In all of those cases, Ethereal would have to be linked with libpcap \n" " 0.7.1 or later; this means that most Ethereal binary packages won't \n" @@ -1583,7 +1687,7 @@ const char *faq_part[] = { " check the version of the Orinoco drivers that shipped with your kernel \n" " by examining the first few lines of the orinoco.c file. \n" " \n" -" Te Orinoco patches require either Solomon Peachy's patch to libpcap \n" +" The Orinoco patches require either Solomon Peachy's patch to libpcap \n" " 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that \n" " version of libpcap), or the current CVS version of libpcap, which \n" " includes his patch (download it from the \"Current Tar files\" section \n" 
@@ -1598,6 +1702,18 @@ const char *faq_part[] = { " On other platforms, capturing raw 802.11 packets on Orinoco cards is \n" " not currently supported. \n" " \n" +" Cards with the Atheros Communications AR5000 or AR5001 chipsets: \n" +" \n" +" You can capture raw 802.11 packets with AR5K cards on Linux systems \n" +" with the v5_ar5k drivers. You will need the Linux wireless-tools \n" +" version 25 or higher to put the card into monitor mode. \n" +" \n" +" Cards with the Texas Instruments ACX100 chipset: \n" +" \n" +" You can capture raw 802.11 packets with ACX100 cards on Linux systems \n" +" with the ACX100 OSS drivers available from the ACX100 wireless network \n" +" driver project SourceForge site. \n" +" \n" " Other 802.11 interfaces: \n" " \n" " With other 802.11 interfaces, no platform allows Ethereal to capture \n" 
@@ -1606,13 +1722,28 @@ const char *faq_part[] = { " cards\", so your card might be a Prism II card), please let us know, \n" " and include URLs for sites containing any necessary patches to add \n" " this support. \n" -, - " \n" " On platforms that don't allow Ethereal to capture raw 802.11 packets, \n" " the 802.11 network will appear like an Ethernet to Ethereal. \n" " \n" -" Q 5.31: How can I capture packets with CRC errors? \n" +" Q 5.31: I'm trying to capture 802.11 traffic on Windows; why am I not \n" +" seeing any packets? \n" +" \n" +" A: At least some 802.11 card drivers on Windows appear not to see any \n" +" packets if they're running in promiscuous mode. Try turning \n" +" promiscuous mode off; you'll only be able to see packets sent by and \n" +" received by your machine, not third-party traffic, and it'll look like \n" +" Ethernet traffic and won't include any management or control frames, \n" +" but that's a limitation of the card drivers. \n" +" \n" +" Q 5.32: I'm trying to capture 802.11 traffic on Windows; why am I \n" +" seeing packets received by the machine on which I'm capturing traffic, \n" +" but not packets sent by that machine? \n" +" \n" +" A: This appears to be another problem with promiscuous mode; try \n" +" turning it off. \n" +" \n" +" Q 5.33: How can I capture packets with CRC errors? \n" " \n" " A: Ethereal can capture only the packets that the packet capture \n" " library - libpcap on UNIX-flavored OSes, and the WinPcap port to \n" 
@@ -1621,15 +1752,32 @@ const char *faq_part[] = { " (or the WinPcap driver, and the underlying OS networking code and \n" " network interface drivers, on Windows) will allow it to capture. \n" " \n" -" Unless the OS can be configured to supply packets with errors such as \n" +" Unless the OS always supplies packets with errors such as invalid CRCs \n" +" to the raw packet capture mechanism, or can be configured to do so, \n" " invalid CRCs to the raw packet capture mechanism, Ethereal - and other \n" " programs that capture raw packets, such as tcpdump - cannot capture \n" -" those packets. You will have to determine whether your OS can be so \n" -" configured, configure it if possible, and make whatever changes to \n" -" libpcap and the packet capture program you're using are necessary to \n" -" support capturing those packets. \n" -" \n" -" Q 5.32: How can I capture entire frames, including the FCS? \n" +" those packets. You will have to determine whether your OS needs to be \n" +" so configured and, if so, can be so configured, configure it if \n" +" necessary and possible, and make whatever changes to libpcap and the \n" +" packet capture program you're using are necessary, if any, to support \n" +" capturing those packets. \n" +" \n" +" Most OSes probably do not support capturing packets with invalid CRCs \n" +" on Ethernet, and probably do not support it on most other link-layer \n" +" types. Some drivers on some OSes do support it, such as some Ethernet \n" +" drivers on FreeBSD; in those OSes, you might always get those packets, \n" +" or you might only get them if you capture in promiscuous mode (you'd \n" +" have to determine which is the case). 
\n" +" \n" +" Note that libpcap does not currently supply to programs that use it an \n" +" indication of whether the packet's CRC was invalid (because the \n" +" drivers themselves do not supply that information to the raw packet \n" +" capture mechanism); therefore, Ethereal will not indicate which \n" +" packets had CRC errors unless the FCS was captured (see the next \n" +" question) and you're using Ethereal 0.9.15 and later, in which case \n" +" Ethereal will check the CRC and indicate whether it's correct or not. \n" +" \n" +" Q 5.34: How can I capture entire frames, including the FCS? \n" " \n" " A: Ethereal can't capture any data that the packet capture library - \n" " libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of \n" 
@@ -1639,17 +1787,29 @@ const char *faq_part[] = { " drivers, on Windows) will allow it to capture. \n" " \n" " For any particular link-layer network type, unless the OS supplies the \n" -" FCS of a frame as part of the frame, or can be configured to supply \n" -" the FCS of a frame as part of the frame, Ethereal - and other programs \n" -" that capture raw packets, such as tcpdump - cannot capture the FCS of \n" -" a frame. You will have to determine whether your OS can be so \n" -" configured, configure it if possible, and make whatever changes to \n" -" libpcap and the packet capture program you're using are necessary to \n" -" support capturing the FCS of a frame. Most if not all OSes probably do \n" -" not support capturing the FCS of a frame on Ethernet, and probably do \n" -" not support it on most other link-layer types. \n" -" \n" -" Q 5.33: Ethereal hangs after I stop a capture. \n" +" FCS of a frame as part of the frame, or can be configured to do so, \n" +" Ethereal - and other programs that capture raw packets, such as \n" +" tcpdump - cannot capture the FCS of a frame. You will have to \n" +" determine whether your OS needs to be so configured and, if so, can be \n" +" so configured, configure it if necessary and possible, and make \n" +" whatever changes to libpcap and the packet capture program you're \n" +" using are necessary, if any, to support capturing the FCS of a frame. \n" +" \n" +" Most OSes do not support capturing the FCS of a frame on Ethernet, and \n" +" probably do not support it on most other link-layer types. Some \n" +" drivres on some OSes do support it, such as some (all?) Ethernet \n" +" drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet \n" +" interface in Mac OS X; in those OSes, you might always get the FCS, or \n" +" you might only get the FCS if you capture in promiscuous mode (you'd \n" +" have to determine which is the case). 
\n" +" \n" +" Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in \n" +" a captured packet as an FCS. 0.9.15 and later will attempt to \n" +" determine whether there's an FCS at the end of the frame and, if it \n" +" thinks there is, will display it as such, and will check whether it's \n" +" the correct CRC-32 value or not. \n" +" \n" +" Q 5.35: Ethereal hangs after I stop a capture. \n" " \n" " A: The most likely reason for this is that Ethereal is trying to look \n" " up an IP address in the capture to convert it to a name (so that, for \n" @@ -1719,7 +1879,7 @@ const char *faq_part[] = { " contains sensitive information (e.g., passwords), then please do not \n" " send it. \n" " \n" -" Q 5.34: How can I search for, or filter, packets that have a \n" +" Q 5.36: How can I search for, or filter, packets that have a \n" " particular string anywhere in them? \n" " \n" " A: If you want to do this when capturing, you can't. That's a feature \n" @@ -1735,12 +1895,18 @@ const char *faq_part[] = { " particular string; this has been added to the \"Find Frame\" dialog \n" " (\"Find Frame\" under the \"Edit\" menu, or control-F). \n" " \n" +" In 0.9.15 and later, you can search for those packets using either the \n" +" mechanism introduced in 0.9.14 or using the new \"contains\" operator in \n" +" filter expressions, which lets you search the entire packet or text \n" +" string or byte string fields in the packet; the \"contains\" operator \n" +" can also be used in expressions used to filter the display. \n" +" \n" " \n" " Support can be found on the ethereal-users[AT]ethereal.com mailing \n" " list. \n" " For corrections/additions/suggestions for this page, please send email \n" " to: ethereal-web[AT]ethereal.com \n" -" Last modified: Tue, August 19 2003. \n" +" Last modified: Fri, December 12 2003. \n" }; #define FAQ_PARTS 5 -#define FAQ_SIZE 80384 +#define FAQ_SIZE 86361 diff --git a/help/faq.txt b/help/faq.txt index 5a63b00468..4b0750e7f7 100644 
--- a/help/faq.txt +++ b/help/faq.txt 
@@ -68,53 +68,53 @@ 5.3 I'm only seeing ARP packets when I try to capture traffic. - 5.4 How do I put an interface into promiscuous mode? + 5.4 I'm running Ethereal on Windows; why does some network interface + on my machine not show up in the list of interfaces in the + "Interface:" field in the dialog box popped up by "Capture->Start", + and/or why does Ethereal give me an error if I try to capture on that + interface? - 5.5 I can set a display filter just fine, but capture filters don't + 5.5 I'm running on a UNIX-flavored OS; why does some network interface + on my machine not show up in the list of interfaces in the + "Interface:" field in the dialog box popped up by "Capture->Start", + and/or why does Ethereal give me an error if I try to capture on that + interface? + + 5.6 How do I put an interface into promiscuous mode? + + 5.7 I can set a display filter just fine, but capture filters don't work. - 5.6 I'm entering valid capture filters, but I still get "parse error" + 5.8 I'm entering valid capture filters, but I still get "parse error" errors. - 5.7 I saved a filter and tried to use its name to filter the display, + 5.9 I saved a filter and tried to use its name to filter the display, but I got an "Unexpected end of filter string" error. - 5.8 Why am I seeing lots of packets with incorrect TCP checksums? + 5.10 Why am I seeing lots of packets with incorrect TCP checksums? - 5.9 I've just installed Ethereal, and the traffic on my local LAN is + 5.11 I've just installed Ethereal, and the traffic on my local LAN is boring. - 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I + 5.12 When I run Ethereal on Solaris 8, it dies with a Bus Error when I start it. - 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson + 5.13 When I run Ethereal on Windows NT, it dies with a Dr. Watson error, reporting an "Integer division by zero" exception, when I start it. 
- 5.12 When I try to run Ethereal, it complains about + 5.14 When I try to run Ethereal, it complains about sprint_realloc_objid being undefined. - 5.13 I'm running Ethereal on Linux; why do my time stamps have only + 5.15 I'm running Ethereal on Linux; why do my time stamps have only 100ms resolution, rather than 1us resolution? - 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; + 5.16 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why are the time stamps on packets wrong? - 5.15 When I try to run Ethereal on Windows, it fails to run because it + 5.17 When I try to run Ethereal on Windows, it fails to run because it can't find packet.dll. - 5.16 I'm running Ethereal on Windows; why does some network interface - on my machine not show up in the list of interfaces in the - "Interface:" field in the dialog box popped up by "Capture->Start", - and/or why does Ethereal give me an error if I try to capture on that - interface? - - 5.17 I'm running on a UNIX-flavored OS; why does some network - interface on my machine not show up in the list of interfaces in the - "Interface:" field in the dialog box popped up by "Capture->Start", - and/or why does Ethereal give me an error if I try to capture on that - interface? - 5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the "Interface" item in the "Capture Options" dialog box. Why can no @@ -137,7 +137,7 @@ 5.23 My machine crashes or resets itself when I select "Start" from the "Capture" menu or select "Preferences" from the "Edit" menu. - 5.24 Does Ethereal work on Windows ME? + 5.24 Does Ethereal work on Windows Me? 5.25 Does Ethereal work on Windows XP? 
@@ -164,13 +164,20 @@ 5.30 How can I capture raw 802.11 packets, including non-data (management, beacon) packets? - 5.31 How can I capture packets with CRC errors? + 5.31 I'm trying to capture 802.11 traffic on Windows; why am I not + seeing any packets? - 5.32 How can I capture entire frames, including the FCS? + 5.32 I'm trying to capture 802.11 traffic on Windows; why am I seeing + packets received by the machine on which I'm capturing traffic, but + not packets sent by that machine? - 5.33 Ethereal hangs after I stop a capture. + 5.33 How can I capture packets with CRC errors? - 5.34 How can I search for, or filter, packets that have a particular + 5.34 How can I capture entire frames, including the FCS? + + 5.35 Ethereal hangs after I stop a capture. + + 5.36 How can I search for, or filter, packets that have a particular string anywhere in them? GENERAL QUESTIONS @@ -182,12 +189,19 @@ Q 1.2: What protocols are currently supported? - A: There are currently 393 supported protocols and media, listed + A: There are currently 442 supported protocols and media, listed below. Descriptions can be found in the ethereal(1) man page. 802.1q Virtual LAN 802.1x Authentication + AAL type 2 signalling protocol - Capability set 1 (Q.2630.1) AFS (4.0) Replication Server call declarations + ANSI A-I/F BSMAP + ANSI A-I/F DTAP + ANSI IS-637-A (SMS) Teleservice Layer + ANSI IS-637-A (SMS) Transport Layer + ANSI IS-683-A (OTA (Mobile)) + ANSI Mobile Application Part AOL Instant Messenger ARCNET ATM @@ -200,6 +214,7 @@ Address Resolution Protocol Aggregate Server Access Protocol Alert Standard Forum + Alteon - Transparent Proxy Cache Protocol Andrew File System (AFS) Apache JServ Protocol v1.3 AppleTalk Filing Protocol @@ -210,6 +225,8 @@ Async data over ISDN (V.120) Authentication Header BACnet Virtual Link Control + BSS GPRS Protocol + BSSAP/BSAP Banyan Vines ARP Banyan Vines Echo Banyan Vines Fragmentation Protocol 
@@ -219,6 +236,8 @@ Banyan Vines LLC Banyan Vines RTP Banyan Vines SPP + Bearer Independent Call Control + Bi-directional Fault Detection Control Message Blocks Extensible Exchange Protocol Boardwalk Boot Parameters @@ -226,6 +245,7 @@ Border Gateway Protocol Building Automation and Control Network APDU Building Automation and Control Network NPDU + CCSDS CDS Clerk Server Calls Check Point High Availability Protocol Checkpoint FW-1 @@ -242,6 +262,8 @@ CoSine IPNOS L2 debug output Common Open Policy Service Common Unix Printing System (CUPS) Browsing Protocol + Connectionless Lightweight Directory Access Protocol + Cross Point Frame Injector DCE DFS Calls DCE Distributed Time Service Local Server DCE Distributed Time Service Provider @@ -249,15 +271,21 @@ DCE RPC DCE Security ID Mapper DCE/RPC BOS Server + DCE/RPC BUDB + DCE/RPC BUTC DCE/RPC CDS Solicitation DCE/RPC Conversation Manager DCE/RPC Endpoint Mapper + DCE/RPC Endpoint Mapper4 DCE/RPC FLDB DCE/RPC FLDB UBIK TRANSFER DCE/RPC FLDB UBIKVOTE + DCE/RPC ICL RPC DCE/RPC Kerberos V DCE/RPC RS_ACCT + DCE/RPC RS_BIND DCE/RPC RS_MISC + DCE/RPC RS_PROP_ACCT DCE/RPC RS_UNIX DCE/RPC Remote Management DCE/RPC Repserver Calls @@ -297,20 +325,28 @@ Fibre Channel Name Server Fibre Channel Protocol for SCSI Fibre Channel SW_ILS + Fibre Channel Security Protocol + Fibre Channel Single Byte Command File Transfer Protocol (FTP) Financial Information eXchange Protocol Frame Frame Relay GARP Multicast Registration Protocol GARP VLAN Registration Protocol + GPRS Network service GPRS Tunneling Protocol - GPRS Tunnelling Protocol v0 - GPRS Tunnelling Protocol v1 + GSM A-I/F BSSMAP + GSM A-I/F DTAP + GSM A-I/F RP + GSM Mobile Application Part + GSM SMS TPDU (GSM 03.40) General Inter-ORB Protocol Generic Routing Encapsulation Generic Security Service Application Program Interface Gnutella Protocol + H225 H245 + H4501 HP Extended Local-Link Control HP Remote Maintenance Protocol Hummingbird NFS Daemon 
@@ -330,10 +366,12 @@ ISDN User Part ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol ISO 8073 COTP Connection-Oriented Transport Protocol + ISO 8327-1 OSI Session Protocol ISO 8473 CLNP ConnectionLess Network Protocol ISO 8602 CLTP ConnectionLess Transport Protocol ISO 9542 ESIS Routeing Information Exchange Protocol ITU-T Recommendation H.261 + ITU-T Recommendation H.263 RTP Payload header (RFC2190) InMon sFlow Intel ANS probe Intelligent Platform Management Interface @@ -344,6 +382,7 @@ Internet Control Message Protocol Internet Control Message Protocol v6 Internet Group Management Protocol + Internet Group membership Authentication Protocol Internet Message Access Protocol Internet Printing Protocol Internet Protocol @@ -357,7 +396,11 @@ Kerberos Kerberos Administration Kernel Lock Manager + LWAP Control Message + LWAPP Encapsulated Packet + LWAPP Layer 3 Packet Label Distribution Protocol + Laplink Layer 2 Tunneling Protocol Lightweight Directory Access Protocol Line Printer Daemon Protocol @@ -373,6 +416,7 @@ Lucent/Ascend debug output MDS Header MMS Message Encapsulation + MS Kpasswd MS Proxy Protocol MSN Messenger Service MSNIP: Multicast Source Notification of Interest Protocol @@ -383,6 +427,7 @@ Message Transfer Part Level 2 Message Transfer Part Level 3 Message Transfer Part Level 3 Management + Microsoft Directory Replication Service Microsoft Distributed File System Microsoft Exchange MAPI Microsoft Local Security Architecture @@ -430,6 +475,7 @@ Network Status Monitor CallBack Protocol Network Status Monitor Protocol Network Time Protocol + Nortel SONMP Novell Distributed Print System Null/Loopback Open Shortest Path First @@ -455,7 +501,7 @@ PPP-over-Ethernet Discovery PPP-over-Ethernet Session PPPMux Control Protocol - Packet Encoding Rules (ASN.1 X.691) + Packed Encoding Rules (ASN.1 X.691) Point-to-Point Protocol Point-to-Point Tunnelling Protocol Portmap 
@@ -466,14 +512,17 @@ Protocol Independent Multicast Q.2931 Q.931 + Q.933 Quake II Network Protocol Quake III Arena Network Protocol Quake Network Protocol QuakeWorld Network Protocol Qualified Logical Link Control RFC 2250 MPEG1 + RFC 2833 RTP Event RIPng RPC Browser + RS Interface properties RSTAT RSYNC File Synchroniser RX Protocol @@ -491,6 +540,7 @@ Remote Program Load Remote Quota Remote Shell + Remote Shutdown Remote Wall protocol Remote sec_login preauth interface. Resource ReserVation Protocol (RSVP) @@ -499,6 +549,7 @@ Routing Table Maintenance Protocol SADMIND SCSI + SEBEK - Kernel Data Capture SGI Mount Service SMB (Server Message Block Protocol) SMB MailSlot Protocol @@ -517,11 +568,13 @@ Session Announcement Protocol Session Description Protocol Session Initiation Protocol + Session Initiation Protocol (SIP as raw text) Short Message Peer to Peer Signalling Connection Control Part Signalling Connection Control Part Management Simple Mail Transfer Protocol Simple Network Management Protocol + Simple Traversal of UDP Through NAT Sinec H1 Protocol Skinny Client Control Protocol SliMP3 Communication Protocol @@ -533,8 +586,10 @@ Syslog message Systems Network Architecture Systems Network Architecture XID + T38 TACACS TACACS+ + TEREDO Tunneling IPv6 over UDP through NATs TPKT Tabular Data Stream Tazmen Sniffer Protocol @@ -543,6 +598,7 @@ Time Synchronization Protocol Token-Ring Token-Ring Media Access Control + Transaction Capabilities Application Part Transmission Control Protocol Transparent Network Substrate Protocol Trivial File Transfer Protocol 
@@ -694,11 +750,17 @@ Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be installed; only Tethereal is installed. - A: Red Hat RPMs for Ethereal put only the non-GUI components into the - ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding; - there's a separate ethereal-gnome RPM that includes GUI components - such as Ethereal itself, the fact that Ethereal doesn't use GNOME - nonwithstanding. Find the ethereal-gnome RPM, and install that also. + A: Older versions of the Red Hat RPMs for Ethereal put only the + non-GUI components into the ethereal RPM, the fact that Ethereal is a + GUI program nonwithstanding; newer versions make it a bit clearer by + giving that RPM a name starting with ethereal-base. + + In those older versions, there's a separate ethereal-gnome RPM that + includes GUI components such as Ethereal itself, the fact that + Ethereal doesn't use GNOME nonwithstanding; newer versions make it a + bit clearer by giving that RPM a name starting with ethereal-gtk+. + + Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also. BUILDING ETHEREAL Q 4.1: The configure script can't find pcap.h or bpf.h, but I have 
@@ -802,7 +864,24 @@ ports on the console for HP Advancestack Switch 208 and 224; * the "Network Monitoring Port Features" section of chapter 6 of documentation from HP for HP ProCurve Switches 1600M, 2424M, - 4000M, and 8000M. + 4000M, and 8000M; + * the "Switch Port-Mirroring" section of chapter 6 of documentation + from Extreme Networks for their Summit 200 switches; + * the documentation on "Configuring Port Mirroring and Monitoring" + in Foundry Networks' documentation for their FastIron Edge + Switches; + * the documentation on "Configuring Port Mirroring and Monitoring" + in Foundry Networks' documentation for their BigIron MG8 Layer 3 + Switches; + * the "Port Monitor" subsection of the "Status Monitor and + Statistics" section of the documentation from Foundry Networks for + their EdgeIron 4802F and 10GC2F switches; + * the "Configuring Port Mirroring" section of chapter 3 of the + documentation from Foundry Networks for their EdgeIron 24G, + 2402CF, and 4802CF switches; + * the documentation on "Configuring Port Mirroring and Monitoring" + in Foundry Networks' documentation for their other switches and + metro routers. Note also that many firewall/NAT boxes have a switch built into them; this includes many of the "cable/DSL router" boxes. If you have a box 
@@ -899,7 +978,199 @@ I.e., this is probably the same question as this earlier one; see the response to that question. - Q 5.4: How do I put an interface into promiscuous mode? + Q 5.4: I'm running Ethereal on Windows; why does some network + interface on my machine not show up in the list of interfaces in the + "Interface:" field in the dialog box popped up by "Capture->Start", + and/or why does Ethereal give me an error if I try to capture on that + interface? + + A: If you are running Ethereal on Windows NT 4.0, Windows 2000, + Windows XP, or Windows Server, and this is the first time you have run + a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, + or Analyzer, or...) since the machine was rebooted, you need to run + that program from an account with administrator privileges; once you + have run such a program, you will not need administrator privileges to + run any such programs until you reboot. + + If you are running on Windows 95/98/Me, or if you are running on + Windows NT 4.0/2000/XP/Server and have administrator privileges or a + WinPcap-based program has been run with those privileges since the + machine rebooted, then note that Ethereal relies on the WinPcap + library, on the WinPcap device driver, and on the facilities that come + with the OS on which it's running in order to do captures. + + Therefore, if the OS, the WinPcap library, or the WinPcap driver don't + support capturing on a particular network interface device, Ethereal + won't be able to capture on that device. + + Note that: + 1. 2.02 and earlier versions of the WinPcap driver and library that + Ethereal uses for packet capture didn't support Token Ring + interfaces; versions 2.1 and later support Token Ring, and the + current version of Ethereal works with (and, in fact, requires) + WinPcap 2.1 or later. 
+ If you are having problems capturing on Token Ring interfaces, and + you have WinPcap 2.02 or an earlier version of WinPcap installed, + you should uninstall WinPcap, download and install the current + version of WinPcap, and then install the latest version of + Ethereal. + 2. On Windows 95, 98, or Me, sometimes more than one interface will + be given the same name; if that is the case, you will only be able + to capture on one of those interfaces - it's not clear to which + one the name, when used in a WinPcap-based application, will + refer. For example, if you have a PPP serial interface and a VPN + interface, they might show up with the same name, for example + "ppp-mac", and if you try to capture on "ppp-mac", it might not + capture on the interface you're currently using. In that case, you + might, for example, have to remove the VPN interface from the + system in order to capture on the PPP serial interface. + 3. WinPcap doesn't support PPP WAN interfaces on Windows + NT/2000/XP/Server, so Ethereal cannot capture packets on those + devices when running on Windows NT/2000/XP/Server. Regular dial-up + lines, ISDN lines, and various other lines such as T1/E1 lines are + all PPP interfaces. This may cause the interface not to show up on + the list of interfaces in the "Capture Options" dialog. + 4. WinPcap prior to 3.0 does not support multiprocessor machines + (note that machines with a single multi-threaded processor, such + as Intel's new multi-threaded x86 processors, are multiprocessor + machines as far as the OS and WinPcap are concerned), and recent + 2.x versions of WinPcap refuse to operate if they detect that + they're running on a multiprocessor machine, which means that they + may not show any network interfaces. You will need to use WinPcap + 3.0 to capture on a multiprocessor machine. 
+ + If an interface doesn't show up in the list of interfaces in the + "Interface:" field, and you know the name of the interface, try + entering that name in the "Interface:" field and capturing on that + device. + + If the attempt to capture on it succeeds, the interface is somehow not + being reported by the mechanism Ethereal uses to get a list of + interfaces; please report this to ethereal-dev@ethereal.com giving + full details of the problem, including + * the operating system you're using, and the version of that + operating system; + * the type of network device you're using. + + If you are having trouble capturing on a particular network interface, + first try capturing on that device with WinDump; see the WinDump Web + site or the local mirror of the WinDump Web site for information on + using WinDump. + + If you can capture on the interface with WinDump, send mail to + ethereal-users@ethereal.com giving full details of the problem, + including + * the operating system you're using, and the version of that + operating system; + * the type of network device you're using; + * the error message you get from Ethereal. + + If you cannot capture on the interface with WinDump, this is almost + certainly a problem with one or more of: + * the operating system you're using; + * the device driver for the interface you're using; + * the WinPcap library and/or the WinPcap device driver; + + so first check the WinPcap FAQ, the local mirror of that FAQ, or the + Wiretapped.net mirror of that FAQ, to see if your problem is mentioned + there. If not, then see the WinPcap support page (or the local mirror + of that page) - check the "Submitting bugs" section. + + You may also want to ask the ethereal-users@ethereal.com and the + winpcap-users@winpcap.polito.it mailing lists to see if anybody + happens to know about the problem and know a workaround or fix for the + problem. 
(Note that you will have to subscribe to that list in order + to be allowed to mail to it; see the WinPcap support page, or the + local mirror of that page, for information on the mailing list.) In + your mail, please give full details of the problem, as described + above, and also indicate that the problem occurs with WinDump, not + just with Ethereal. + + Q 5.5: I'm running on a UNIX-flavored OS; why does some network + interface on my machine not show up in the list of interfaces in the + "Interface:" field in the dialog box popped up by "Capture->Start", + and/or why does Ethereal give me an error if I try to capture on that + interface? + + A: You may need to run Ethereal from an account with sufficient + privileges to capture packets, such as the super-user account. Only + those interfaces that Ethereal can open for capturing show up in that + list; if you don't have sufficient privileges to capture on any + interfaces, no interfaces will show up in the list. + + If you are running Ethereal from an account with sufficient + privileges, then note that Ethereal relies on the libpcap library, and + on the facilities that come with the OS on which it's running in order + to do captures. + + Therefore, if the OS or the libpcap library don't support capturing on + a particular network interface device, Ethereal won't be able to + capture on that device. + + On Linux, note that you need to have "packet socket" support enabled + in your kernel; see the "Packet socket" item in the Linux + "Configure.help" file. + + On BSD, note that you need to have BPF support enabled in your kernel; + see the documentation for your system for information on how to enable + BPF support (if it's not enabled by default on your system). + + On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have + packet filtering support in your kernel; the doconfig command will + allow you to configure and build a new kernel with that option. 
+ + On Solaris, note that libpcap 0.6.2 and earlier didn't support Token + Ring interfaces; the current version, 0.7.2, does support Token Ring, + and the current version of Ethereal works with libcap 0.7.2 and later. + + If an interface doesn't show up in the list of interfaces in the + "Interface:" field, and you know the name of the interface, try + entering that name in the "Interface:" field and capturing on that + device. + + If the attempt to capture on it succeeds, the interface is somehow not + being reported by the mechanism Ethereal uses to get a list of + interfaces; please report this to ethereal-dev@ethereal.com giving + full details of the problem, including + * the operating system you're using, and the version of that + operating system (for Linux, give both the version number of the + kernel and the name and version number of the distribution you're + using); + * the type of network device you're using. + + If you are having trouble capturing on a particular network interface, + and you've made sure that (on platforms that require it) you've + arranged that packet capture support is present, as per the above, + first try capturing on that device with tcpdump. + + If you can capture on the interface with tcpdump, send mail to + ethereal-users@ethereal.com giving full details of the problem, + including + * the operating system you're using, and the version of that + operating system (for Linux, give both the version number of the + kernel and the name and version number of the distribution you're + using); + * the type of network device you're using; + * the error message you get from Ethereal. 
+ + If you cannot capture on the interface with tcpdump, this is almost + certainly a problem with one or more of: + * the operating system you're using; + * the device driver for the interface you're using; + * the libpcap library; + + so you should report the problem to the company or organization that + produces the OS (in the case of a Linux distribution, report the + problem to whoever produces the distribution). + + You may also want to ask the ethereal-users@ethereal.com and the + tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to + know about the problem and know a workaround or fix for the problem. + In your mail, please give full details of the problem, as described + above, and also indicate that the problem occurs with tcpdump not just + with Ethereal. + + Q 5.6: How do I put an interface into promiscuous mode? A: By not disabling promiscuous mode when running Ethereal or Tethereal. @@ -921,7 +1192,7 @@ I.e., this is probably the same question as this earlier one; see the response to that question. - Q 5.5: I can set a display filter just fine, but capture filters don't + Q 5.7: I can set a display filter just fine, but capture filters don't work. A: Capture filters currently use a different syntax than display @@ -941,7 +1212,7 @@ The capture filter syntax used by libpcap can be found in the tcpdump(8) man page. - Q 5.6: I'm entering valid capture filters, but I still get "parse + Q 5.8: I'm entering valid capture filters, but I still get "parse error" errors. A: There is a bug in some versions of libpcap/WinPcap that cause it to @@ -973,7 +1244,7 @@ WinPcap, you will need to un-install WinPcap and then download and install WinPcap 2.3. - Q 5.7: I saved a filter and tried to use its name to filter the + Q 5.9: I saved a filter and tried to use its name to filter the display, but I got an "Unexpected end of filter string" error. A: You cannot use the name of a saved display filter as a filter. To 
@@ -984,7 +1255,7 @@ use a saved filter, you can press the "Filter:" button, select the filter in the dialog box that pops up, and press the "OK" button. - Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums? + Q 5.10: Why am I seeing lots of packets with incorrect TCP checksums? A: If the packets that have incorrect TCP checksums are all being sent by the machine on which Ethereal is running, this is probably because @@ -1016,13 +1287,13 @@ tcp.check_checksum:false command-line flag, or manually set in your preferences file by adding a tcp.check_checksum:false line. - Q 5.9: I've just installed Ethereal, and the traffic on my local LAN + Q 5.11: I've just installed Ethereal, and the traffic on my local LAN is boring. A: We have a collection of strange and exotic sample capture files at http://www.ethereal.com/sample/ - Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error + Q 5.12: When I run Ethereal on Solaris 8, it dies with a Bus Error when I start it. A: Some versions of the GTK+ library from www.sunfreeware.org appear @@ -1040,7 +1311,7 @@ Similar problems may exist with older versions of GTK+ for earlier versions of Solaris. - Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson + Q 5.13: When I run Ethereal on Windows NT, it dies with a Dr. Watson error, reporting an "Integer division by zero" exception, when I start it. @@ -1048,7 +1319,7 @@ VGA driver; if that's not the correct driver for your video card, try running the correct driver for your video card. - Q 5.12: When I try to run Ethereal, it complains about + Q 5.14: When I try to run Ethereal, it complains about sprint_realloc_objid being undefined. A: Ethereal can only be linked with version 4.2.2 or later of UCD 
@@ -1058,7 +1329,7 @@ the older version, and fails. You will have to replace that version of UCD SNMP with version 4.2.2 or a later version. - Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only + Q 5.15: I'm running Ethereal on Linux; why do my time stamps have only 100ms resolution, rather than 1us resolution? A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap @@ -1084,13 +1355,13 @@ have to run a standard kernel from kernel.org in order to get high-resolution time stamps. - Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; + Q 5.16: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why are the time stamps on packets wrong? A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap 3.0. - Q 5.15: When I try to run Ethereal on Windows, it fails to run because + Q 5.17: When I try to run Ethereal on Windows, it fails to run because it can't find packet.dll. A: In older versions of Ethereal, there were two binary distributions 
@@ -1107,200 +1378,6 @@ Web site, the local mirror of the WinPcap Web site, or the Wiretapped.net mirror of the WinPcap site. - Q 5.16: I'm running Ethereal on Windows; why does some network - interface on my machine not show up in the list of interfaces in the - "Interface:" field in the dialog box popped up by "Capture->Start", - and/or why does Ethereal give me an error if I try to capture on that - interface? - - A: If you are running Ethereal on Windows NT 4.0, Windows 2000, - Windows XP, or Windows Server, and this is the first time you have run - a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, - or Analyzer, or...) since the machine was rebooted, you need to run - that program from an account with administrator privileges; once you - have run such a program, you will not need administrator privileges to - run any such programs until you reboot. - - If you are running on Windows 95/98/Me, or if you are running on - Windows NT 4.0/2000/XP/Server and have administrator privileges or a - WinPcap-based program has been run with those privileges since the - machine rebooted, then note that Ethereal relies on the WinPcap - library, on the WinPcap device driver, and on the facilities that come - with the OS on which it's running in order to do captures. - - Therefore, if the OS, the WinPcap library, or the WinPcap driver don't - support capturing on a particular network interface device, Ethereal - won't be able to capture on that device. - - Note that: - * 2.02 and earlier versions of the WinPcap driver and library that - Ethereal uses for packet capture didn't support Token Ring - interfaces; the current version, 2.3, does support Token Ring, and - the current version of Ethereal works with (and, in fact, - requires) WinPcap 2.1 or later. 
- If you are having problems capturing on Token Ring interfaces, and - you have WinPcap 2.02 or an earlier version of WinPcap installed, - you should uninstall WinPcap, download and install the current - version of WinPcap, and then install the latest version of - Ethereal. - * On Windows 95, 98, or Me, sometimes more than one interface will - be given the same name; if that is the case, you will only be able - to capture on one of those interfaces - it's not clear to which - one the name, when used in a WinPcap-based application, will - refer. For example, if you have a PPP serial interface and a VPN - interface, they might show up with the same name, for example - "ppp-mac", and if you try to capture on "ppp-mac", it might not - capture on the interface you're currently using. In that case, you - might, for example, have to remove the VPN interface from the - system in order to capture on the PPP serial interface. - * WinPcap doesn't support PPP WAN interfaces on Windows - NT/2000/XP/Server, so Ethereal cannot capture packets on those - devices when running on Windows NT/2000/XP/Server. Regular dial-up - lines, ISDN lines, and various other lines such as T1/E1 lines are - all PPP interfaces. This may cause the interface not to show up on - the list of interfaces in the "Capture Options" dialog. - * WinPcap prior to 3.0 does not support multiprocessor machines - (note that machines with a single multi-threaded processor, such - as Intel's new multi-threaded x86 processors, are multiprocessor - machines as far as the OS and WinPcap are concerned), and recent - 2.x versions of WinPcap refuse to operate if they detect that - they're running on a multiprocessor machine, which means that they - may not show any network interfaces. You will need to use WinPcap - 3.0 to capture on a multiprocessor machine. 
- - If an interface doesn't show up in the list of interfaces in the - "Interface:" field, and you know the name of the interface, try - entering that name in the "Interface:" field and capturing on that - device. - - If the attempt to capture on it succeeds, the interface is somehow not - being reported by the mechanism Ethereal uses to get a list of - interfaces; please report this to ethereal-dev@ethereal.com giving - full details of the problem, including - * the operating system you're using, and the version of that - operating system; - * the type of network device you're using. - - If you are having trouble capturing on a particular network interface, - and you've made sure that (on platforms that require it) you've - arranged that packet capture support is present, as per the above, - first try capturing on that device with WinDump; see the WinDump Web - site or the local mirror of the WinDump Web site for information on - using WinDump. - - If you can capture on the interface with WinDump, send mail to - ethereal-users@ethereal.com giving full details of the problem, - including - * the operating system you're using, and the version of that - operating system; - * the type of network device you're using; - * the error message you get from Ethereal. - - If you cannot capture on the interface with WinDump, this is almost - certainly a problem with one or more of: - * the operating system you're using; - * the device driver for the interface you're using; - * the WinPcap library and/or the WinPcap device driver; - - so first check the WinPcap FAQ, the local mirror of that FAQ, or the - Wiretapped.net mirror of that FAQ, to see if your problem is mentioned - there. If not, then see the WinPcap support page (or the local mirror - of that page) - check the "Submitting bugs" section. 
- - You may also want to ask the ethereal-users@ethereal.com and the - winpcap-users@winpcap.polito.it mailing lists to see if anybody - happens to know about the problem and know a workaround or fix for the - problem. (Note that you will have to subscribe to that list in order - to be allowed to mail to it; see the WinPcap support page, or the - local mirror of that page, for information on the mailing list.) In - your mail, please give full details of the problem, as described - above, and also indicate that the problem occurs with WinDump, not - just with Ethereal. - - Q 5.17: I'm running on a UNIX-flavored OS; why does some network - interface on my machine not show up in the list of interfaces in the - "Interface:" field in the dialog box popped up by "Capture->Start", - and/or why does Ethereal give me an error if I try to capture on that - interface? - - A: You may need to run Ethereal from an account with sufficient - privileges to capture packets, such as the super-user account. Only - those interfaces that Ethereal can open for capturing show up in that - list; if you don't have sufficient privileges to capture on any - interfaces, no interfaces will show up in the list. - - If you are running Ethereal from an account with sufficient - privileges, then note that Ethereal relies on the libpcap library, and - on the facilities that come with the OS on which it's running in order - to do captures. - - Therefore, if the OS or the libpcap library don't support capturing on - a particular network interface device, Ethereal won't be able to - capture on that device. - - On Linux, note that you need to have "packet socket" support enabled - in your kernel; see the "Packet socket" item in the Linux - "Configure.help" file. - - On BSD, note that you need to have BPF support enabled in your kernel; - see the documentation for your system for information on how to enable - BPF support (if it's not enabled by default on your system). 
- - On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have - packet filtering support in your kernel; the doconfig command will - allow you to configure and build a new kernel with that option. - - On Solaris, note that libpcap 0.6.2 and earlier didn't support Token - Ring interfaces; the current version, 0.7.2, does support Token Ring, - and the current version of Ethereal works with libcap 0.7.2 and later. - - If an interface doesn't show up in the list of interfaces in the - "Interface:" field, and you know the name of the interface, try - entering that name in the "Interface:" field and capturing on that - device. - - If the attempt to capture on it succeeds, the interface is somehow not - being reported by the mechanism Ethereal uses to get a list of - interfaces; please report this to ethereal-dev@ethereal.com giving - full details of the problem, including - * the operating system you're using, and the version of that - operating system (for Linux, give both the version number of the - kernel and the name and version number of the distribution you're - using); - * the type of network device you're using. - - If you are having trouble capturing on a particular network interface, - and you've made sure that (on platforms that require it) you've - arranged that packet capture support is present, as per the above, - first try capturing on that device with tcpdump. - - If you can capture on the interface with tcpdump, send mail to - ethereal-users@ethereal.com giving full details of the problem, - including - * the operating system you're using, and the version of that - operating system (for Linux, give both the version number of the - kernel and the name and version number of the distribution you're - using); - * the type of network device you're using; - * the error message you get from Ethereal. 
- - If you cannot capture on the interface with tcpdump, this is almost - certainly a problem with one or more of: - * the operating system you're using; - * the device driver for the interface you're using; - * the libpcap library; - - so you should report the problem to the company or organization that - produces the OS (in the case of a Linux distribution, report the - problem to whoever produces the distribution). - - You may also want to ask the ethereal-users@ethereal.com and the - tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to - know about the problem and know a workaround or fix for the problem. - In your mail, please give full details of the problem, as described - above, and also indicate that the problem occurs with tcpdump not just - with Ethereal. - Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the "Interface" item in the "Capture Options" dialog box. Why can no @@ -1386,11 +1463,11 @@ or, for Windows, WinPcap bug that causes the system to crash when this happens; see the previous question. - Q 5.24: Does Ethereal work on Windows ME? + Q 5.24: Does Ethereal work on Windows Me? A: Yes, but if you want to capture packets, you will need to install the latest version of WinPcap, as 2.02 and earlier versions of WinPcap - didn't support Windows ME. You should also install the latest version + didn't support Windows Me. You should also install the latest version of Ethereal as well. Q 5.25: Does Ethereal work on Windows XP? 
@@ -1479,6 +1556,18 @@ support that and, even on operating systems that do support it, not all drivers, and thus not all cards, support it. + NOTE: an interface running in monitor mode will, on most if not all + platforms, not be able to act as a regular network interface; putting + it into monitor mode will, in effect, take your machine off of + whatever network it's on as long as the interface is in monitor mode, + allowing it only to passively capture packets. + + This means that you should disable name resolution when capturing in + monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump) + tries to display IP addresses as host names, it will probably block + for a long time trying to resolve the name because it will not be able + to communicate with any DNS or NIS servers. + Cisco Aironet cards: The only platforms that allow Ethereal to capture raw 802.11 packets 
@@ -1488,15 +1577,28 @@ cause packets not to be captured correctly, and the driver in releases prior to 4.5 didn't support capturing raw packets. - On FreeBSD, the ancontrol utility must be used; do not enable the full - Aironet header via BPF, as Ethereal doesn't currently support that. + On FreeBSD, the ancontrol utility must be used. The command + +ancontrol -i anN -M flag + + is used to enable or disable monitor mode. If flag is 0, monitor mode + will be turned off; otherwise, flag should be the sum of: + * 1, to turn monitor mode on; + * 2, if you want to capture traffic from any BSS rather than just + the BSS with which the card is associated; + * 4, if you want to see beacon packets (capturing beacon packets + increases the CPU requirements of capturing). + + Don't add 8 in; Ethereal currently doesn't support the full Aironet + header. On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will need to do echo "Mode: rfmon" >/proc/driver/aironet/ethN/Config - if your Aironet card is ethN. To capture traffic from any BSS, do + if your Aironet card is ethN. To capture traffic from any BSS rather + than just the BSS with which the card is associated, do echo "Mode: y" >/proc/driver/aironet/ethN/Config @@ -1504,10 +1606,10 @@ echo "Mode: y" >/proc/driver/aironet/ethN/Config echo "Mode: ess" >/proc/driver/aironet/ethN/Config - On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers - from the airo-linux SourceForge site, you will have to capture on the - wifiN interface if your Aironet card is ethN, after running the - commands listed above. + On Linux with the driver in the 2.4.20 or later kernel, or with the + CVS drivers from the airo-linux SourceForge site, you will have to + capture on the wifiN interface if your Aironet card is ethN, after + running the commands listed above. In all of those cases, Ethereal would have to be linked with libpcap 0.7.1 or later; this means that most Ethereal binary packages won't 
@@ -1575,7 +1677,7 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config check the version of the Orinoco drivers that shipped with your kernel by examining the first few lines of the orinoco.c file. - Te Orinoco patches require either Solomon Peachy's patch to libpcap + The Orinoco patches require either Solomon Peachy's patch to libpcap 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that version of libpcap), or the current CVS version of libpcap, which includes his patch (download it from the "Current Tar files" section @@ -1590,6 +1692,18 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config On other platforms, capturing raw 802.11 packets on Orinoco cards is not currently supported. + Cards with the Atheros Communications AR5000 or AR5001 chipsets: + + You can capture raw 802.11 packets with AR5K cards on Linux systems + with the v5_ar5k drivers. You will need the Linux wireless-tools + version 25 or higher to put the card into monitor mode. + + Cards with the Texas Instruments ACX100 chipset: + + You can capture raw 802.11 packets with ACX100 cards on Linux systems + with the ACX100 OSS drivers available from the ACX100 wireless network + driver project SourceForge site. + Other 802.11 interfaces: With other 802.11 interfaces, no platform allows Ethereal to capture 
@@ -1602,7 +1716,24 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config On platforms that don't allow Ethereal to capture raw 802.11 packets, the 802.11 network will appear like an Ethernet to Ethereal. - Q 5.31: How can I capture packets with CRC errors? + Q 5.31: I'm trying to capture 802.11 traffic on Windows; why am I not + seeing any packets? + + A: At least some 802.11 card drivers on Windows appear not to see any + packets if they're running in promiscuous mode. Try turning + promiscuous mode off; you'll only be able to see packets sent by and + received by your machine, not third-party traffic, and it'll look like + Ethernet traffic and won't include any management or control frames, + but that's a limitation of the card drivers. + + Q 5.32: I'm trying to capture 802.11 traffic on Windows; why am I + seeing packets received by the machine on which I'm capturing traffic, + but not packets sent by that machine? + + A: This appears to be another problem with promiscuous mode; try + turning it off. + + Q 5.33: How can I capture packets with CRC errors? A: Ethereal can capture only the packets that the packet capture library - libpcap on UNIX-flavored OSes, and the WinPcap port to 
@@ -1611,15 +1742,32 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config (or the WinPcap driver, and the underlying OS networking code and network interface drivers, on Windows) will allow it to capture. - Unless the OS can be configured to supply packets with errors such as + Unless the OS always supplies packets with errors such as invalid CRCs + to the raw packet capture mechanism, or can be configured to do so, invalid CRCs to the raw packet capture mechanism, Ethereal - and other programs that capture raw packets, such as tcpdump - cannot capture - those packets. You will have to determine whether your OS can be so - configured, configure it if possible, and make whatever changes to - libpcap and the packet capture program you're using are necessary to - support capturing those packets. - - Q 5.32: How can I capture entire frames, including the FCS? + those packets. You will have to determine whether your OS needs to be + so configured and, if so, can be so configured, configure it if + necessary and possible, and make whatever changes to libpcap and the + packet capture program you're using are necessary, if any, to support + capturing those packets. + + Most OSes probably do not support capturing packets with invalid CRCs + on Ethernet, and probably do not support it on most other link-layer + types. Some drivers on some OSes do support it, such as some Ethernet + drivers on FreeBSD; in those OSes, you might always get those packets, + or you might only get them if you capture in promiscuous mode (you'd + have to determine which is the case). 
+ + Note that libpcap does not currently supply to programs that use it an + indication of whether the packet's CRC was invalid (because the + drivers themselves do not supply that information to the raw packet + capture mechanism); therefore, Ethereal will not indicate which + packets had CRC errors unless the FCS was captured (see the next + question) and you're using Ethereal 0.9.15 and later, in which case + Ethereal will check the CRC and indicate whether it's correct or not. + + Q 5.34: How can I capture entire frames, including the FCS? A: Ethereal can't capture any data that the packet capture library - libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of 
@@ -1629,17 +1777,29 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config drivers, on Windows) will allow it to capture. For any particular link-layer network type, unless the OS supplies the - FCS of a frame as part of the frame, or can be configured to supply - the FCS of a frame as part of the frame, Ethereal - and other programs - that capture raw packets, such as tcpdump - cannot capture the FCS of - a frame. You will have to determine whether your OS can be so - configured, configure it if possible, and make whatever changes to - libpcap and the packet capture program you're using are necessary to - support capturing the FCS of a frame. Most if not all OSes probably do - not support capturing the FCS of a frame on Ethernet, and probably do - not support it on most other link-layer types. - - Q 5.33: Ethereal hangs after I stop a capture. + FCS of a frame as part of the frame, or can be configured to do so, + Ethereal - and other programs that capture raw packets, such as + tcpdump - cannot capture the FCS of a frame. You will have to + determine whether your OS needs to be so configured and, if so, can be + so configured, configure it if necessary and possible, and make + whatever changes to libpcap and the packet capture program you're + using are necessary, if any, to support capturing the FCS of a frame. + + Most OSes do not support capturing the FCS of a frame on Ethernet, and + probably do not support it on most other link-layer types. Some + drivres on some OSes do support it, such as some (all?) Ethernet + drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet + interface in Mac OS X; in those OSes, you might always get the FCS, or + you might only get the FCS if you capture in promiscuous mode (you'd + have to determine which is the case). + + Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in + a captured packet as an FCS. 
0.9.15 and later will attempt to + determine whether there's an FCS at the end of the frame and, if it + thinks there is, will display it as such, and will check whether it's + the correct CRC-32 value or not. + + Q 5.35: Ethereal hangs after I stop a capture. A: The most likely reason for this is that Ethereal is trying to look up an IP address in the capture to convert it to a name (so that, for @@ -1709,7 +1869,7 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config contains sensitive information (e.g., passwords), then please do not send it. - Q 5.34: How can I search for, or filter, packets that have a + Q 5.36: How can I search for, or filter, packets that have a particular string anywhere in them? A: If you want to do this when capturing, you can't. That's a feature @@ -1725,9 +1885,15 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config particular string; this has been added to the "Find Frame" dialog ("Find Frame" under the "Edit" menu, or control-F). + In 0.9.15 and later, you can search for those packets using either the + mechanism introduced in 0.9.14 or using the new "contains" operator in + filter expressions, which lets you search the entire packet or text + string or byte string fields in the packet; the "contains" operator + can also be used in expressions used to filter the display. + Support can be found on the ethereal-users[AT]ethereal.com mailing list. For corrections/additions/suggestions for this page, please send email to: ethereal-web[AT]ethereal.com - Last modified: Tue, August 19 2003. + Last modified: Fri, December 12 2003. |
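Review bot: In the @@ -1479,6 +1556,18 @@ hunk, the added paragraph says "you should disable name resolution when capturing in monitor mode" but never says how to do that. Name the option or preference for Ethereal, Tethereal and tcpdump at this point, or refer to the "Ethereal hangs after I stop a capture" answer (Q 5.35 after this renumbering), which describes the same stall on name lookups.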
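Review bot: In the @@ -1488,15 +1577,28 @@ hunk, "Don't add 8 in" is the only mention of flag value 8, so the reader has to infer that 8 selects the full Aironet header. List 8 alongside 1, 2 and 4 with its meaning and mark it as unsupported by Ethereal, so the warning carried by the removed sentence ("do not enable the full Aironet header via BPF") stays explicit. The FreeBSD command also uses anN without the kind of explanation the Linux paragraph gives ("if your Aironet card is ethN"), and one worked sum, such as 1 + 2 for monitor mode on any BSS, would make "the sum of" unambiguous.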
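Review bot: In the @@ -1590,6 +1692,18 @@ hunk, the two new entries are documented unevenly. The Atheros paragraph states what is needed to enter monitor mode (wireless-tools version 25 or higher) but not where the v5_ar5k drivers come from, while the ACX100 paragraph names the driver source but does not say how the card is put into monitor mode. The heading also says "AR5000 or AR5001 chipsets" while the body switches to "AR5K cards" without defining it. Give both entries the same three facts: driver source, how monitor mode is enabled, and any libpcap requirement, as the Aironet and Orinoco entries do.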
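Review bot: In the @@ -1602,7 +1716,24 @@ hunk, both new answers tell the reader to turn promiscuous mode off without saying where that setting is, and the answer to Q 5.32 is only "This appears to be another problem with promiscuous mode; try turning it off." Either state in Q 5.31 where the setting is and have Q 5.32 refer back to it, or merge the two questions, since the remedy and the resulting limitations (own traffic only, Ethernet-style frames, no management or control frames) are the same.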
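Review bot: In the @@ -1611,15 +1742,32 @@ hunk, the old continuation line "invalid CRCs to the raw packet capture mechanism, Ethereal - and" is left in place as context after the two rewritten lines, so the resulting sentence reads "... or can be configured to do so, invalid CRCs to the raw packet capture mechanism, Ethereal - and other programs ...", repeating the phrase. Replace that line as well so the sentence matches the parallel wording in the FCS answer ("or can be configured to do so, Ethereal - and other programs ..."). In the last added paragraph, "you're using Ethereal 0.9.15 and later" should read "0.9.15 or later".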
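Review bot: In the @@ -1629,17 +1777,29 @@ hunk, the added line "drivres on some OSes do support it, such as some (all?) Ethernet" has a typo: "drivres" should be "drivers". The "(all?)" reads as an open question left in user-facing text; either confirm it or drop it. This answer also says "Most OSes do not support" where the matching CRC answer in the previous hunk says "Most OSes probably do not support"; pick one level of certainty for both.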
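Review bot: In the @@ -1725,9 +1885,15 @@ hunk, the new paragraph introduces the "contains" operator without showing a single filter expression that uses it, and "lets you search the entire packet or text string or byte string fields in the packet" can be parsed more than one way. Add one example expression for a whole-packet match and one for a field match, and reword to something like "the entire packet, or individual text-string or byte-string fields". The sentence opening is also non-parallel ("using either the mechanism ... or using the new"); drop the second "using".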