author Jörg Mayer <jmayer@loplof.de> 2003-12-21 03:20:35 +0000
committer Jörg Mayer <jmayer@loplof.de> 2003-12-21 03:20:35 +0000
commit f1218206e31463eb4a29f7dc0f7e0f6d03f45634
tree 84164203ca506361039c230e923e6669996814a3 /help
parent 9345308925bf112e2cc59fc975af02d934f2b323
Update FAQ to December 12 2003
svn path=/trunk/; revision=9375
Diffstat (limited to 'help')
-rw-r--r-- help/faq.h 736
-rw-r--r-- help/faq.txt 718
2 files changed, 893 insertions, 561 deletions
diff --git a/help/faq.h b/help/faq.h
index 4506c9a5ee..0ff71cab84 100644
--- a/help/faq.h
+++ b/help/faq.h
@@ -70,53 +70,53 @@ const char *faq_part[] = {
" \n"
" 5.3 I'm only seeing ARP packets when I try to capture traffic. \n"
" \n"
-" 5.4 How do I put an interface into promiscuous mode? \n"
+" 5.4 I'm running Ethereal on Windows; why does some network interface \n"
+" on my machine not show up in the list of interfaces in the \n"
+" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
+" and/or why does Ethereal give me an error if I try to capture on that \n"
+" interface? \n"
+" \n"
+" 5.5 I'm running on a UNIX-flavored OS; why does some network interface \n"
+" on my machine not show up in the list of interfaces in the \n"
+" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
+" and/or why does Ethereal give me an error if I try to capture on that \n"
+" interface? \n"
" \n"
-" 5.5 I can set a display filter just fine, but capture filters don't \n"
+" 5.6 How do I put an interface into promiscuous mode? \n"
+" \n"
+" 5.7 I can set a display filter just fine, but capture filters don't \n"
" work. \n"
" \n"
-" 5.6 I'm entering valid capture filters, but I still get \"parse error\" \n"
+" 5.8 I'm entering valid capture filters, but I still get \"parse error\" \n"
" errors. \n"
" \n"
-" 5.7 I saved a filter and tried to use its name to filter the display, \n"
+" 5.9 I saved a filter and tried to use its name to filter the display, \n"
" but I got an \"Unexpected end of filter string\" error. \n"
" \n"
-" 5.8 Why am I seeing lots of packets with incorrect TCP checksums? \n"
+" 5.10 Why am I seeing lots of packets with incorrect TCP checksums? \n"
" \n"
-" 5.9 I've just installed Ethereal, and the traffic on my local LAN is \n"
+" 5.11 I've just installed Ethereal, and the traffic on my local LAN is \n"
" boring. \n"
" \n"
-" 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I \n"
+" 5.12 When I run Ethereal on Solaris 8, it dies with a Bus Error when I \n"
" start it. \n"
" \n"
-" 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson \n"
+" 5.13 When I run Ethereal on Windows NT, it dies with a Dr. Watson \n"
" error, reporting an \"Integer division by zero\" exception, when I start \n"
" it. \n"
" \n"
-" 5.12 When I try to run Ethereal, it complains about \n"
+" 5.14 When I try to run Ethereal, it complains about \n"
" sprint_realloc_objid being undefined. \n"
" \n"
-" 5.13 I'm running Ethereal on Linux; why do my time stamps have only \n"
+" 5.15 I'm running Ethereal on Linux; why do my time stamps have only \n"
" 100ms resolution, rather than 1us resolution? \n"
" \n"
-" 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n"
+" 5.16 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n"
" why are the time stamps on packets wrong? \n"
" \n"
-" 5.15 When I try to run Ethereal on Windows, it fails to run because it \n"
+" 5.17 When I try to run Ethereal on Windows, it fails to run because it \n"
" can't find packet.dll. \n"
" \n"
-" 5.16 I'm running Ethereal on Windows; why does some network interface \n"
-" on my machine not show up in the list of interfaces in the \n"
-" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
-" and/or why does Ethereal give me an error if I try to capture on that \n"
-" interface? \n"
-" \n"
-" 5.17 I'm running on a UNIX-flavored OS; why does some network \n"
-" interface on my machine not show up in the list of interfaces in the \n"
-" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
-" and/or why does Ethereal give me an error if I try to capture on that \n"
-" interface? \n"
-" \n"
" 5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has \n"
" a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the \n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no \n"
@@ -139,7 +139,7 @@ const char *faq_part[] = {
" 5.23 My machine crashes or resets itself when I select \"Start\" from \n"
" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n"
" \n"
-" 5.24 Does Ethereal work on Windows ME? \n"
+" 5.24 Does Ethereal work on Windows Me? \n"
" \n"
" 5.25 Does Ethereal work on Windows XP? \n"
" \n"
@@ -166,13 +166,20 @@ const char *faq_part[] = {
" 5.30 How can I capture raw 802.11 packets, including non-data \n"
" (management, beacon) packets? \n"
" \n"
-" 5.31 How can I capture packets with CRC errors? \n"
+" 5.31 I'm trying to capture 802.11 traffic on Windows; why am I not \n"
+" seeing any packets? \n"
+" \n"
+" 5.32 I'm trying to capture 802.11 traffic on Windows; why am I seeing \n"
+" packets received by the machine on which I'm capturing traffic, but \n"
+" not packets sent by that machine? \n"
" \n"
-" 5.32 How can I capture entire frames, including the FCS? \n"
+" 5.33 How can I capture packets with CRC errors? \n"
" \n"
-" 5.33 Ethereal hangs after I stop a capture. \n"
+" 5.34 How can I capture entire frames, including the FCS? \n"
" \n"
-" 5.34 How can I search for, or filter, packets that have a particular \n"
+" 5.35 Ethereal hangs after I stop a capture. \n"
+" \n"
+" 5.36 How can I search for, or filter, packets that have a particular \n"
" string anywhere in them? \n"
" \n"
" GENERAL QUESTIONS \n"
@@ -184,12 +191,19 @@ const char *faq_part[] = {
" \n"
" Q 1.2: What protocols are currently supported? \n"
" \n"
-" A: There are currently 393 supported protocols and media, listed \n"
+" A: There are currently 442 supported protocols and media, listed \n"
" below. Descriptions can be found in the ethereal(1) man page. \n"
" \n"
" 802.1q Virtual LAN \n"
" 802.1x Authentication \n"
+" AAL type 2 signalling protocol - Capability set 1 (Q.2630.1) \n"
" AFS (4.0) Replication Server call declarations \n"
+" ANSI A-I/F BSMAP \n"
+" ANSI A-I/F DTAP \n"
+" ANSI IS-637-A (SMS) Teleservice Layer \n"
+" ANSI IS-637-A (SMS) Transport Layer \n"
+" ANSI IS-683-A (OTA (Mobile)) \n"
+" ANSI Mobile Application Part \n"
" AOL Instant Messenger \n"
" ARCNET \n"
" ATM \n"
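Review bot: The protocol count in the answer to Q 1.2 is a hand-written literal ("There are currently 442 supported protocols and media"), and nothing in this hunk ties it to the list that follows. Please confirm that 442 matches the number of entries in the list after this update, or drop the number so it cannot drift from the list.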
@@ -202,6 +216,7 @@ const char *faq_part[] = {
" Address Resolution Protocol \n"
" Aggregate Server Access Protocol \n"
" Alert Standard Forum \n"
+" Alteon - Transparent Proxy Cache Protocol \n"
" Andrew File System (AFS) \n"
" Apache JServ Protocol v1.3 \n"
" AppleTalk Filing Protocol \n"
@@ -212,6 +227,8 @@ const char *faq_part[] = {
" Async data over ISDN (V.120) \n"
" Authentication Header \n"
" BACnet Virtual Link Control \n"
+" BSS GPRS Protocol \n"
+" BSSAP/BSAP \n"
" Banyan Vines ARP \n"
" Banyan Vines Echo \n"
" Banyan Vines Fragmentation Protocol \n"
@@ -221,6 +238,8 @@ const char *faq_part[] = {
" Banyan Vines LLC \n"
" Banyan Vines RTP \n"
" Banyan Vines SPP \n"
+" Bearer Independent Call Control \n"
+" Bi-directional Fault Detection Control Message \n"
" Blocks Extensible Exchange Protocol \n"
" Boardwalk \n"
" Boot Parameters \n"
@@ -228,6 +247,7 @@ const char *faq_part[] = {
" Border Gateway Protocol \n"
" Building Automation and Control Network APDU \n"
" Building Automation and Control Network NPDU \n"
+" CCSDS \n"
" CDS Clerk Server Calls \n"
" Check Point High Availability Protocol \n"
" Checkpoint FW-1 \n"
@@ -244,6 +264,8 @@ const char *faq_part[] = {
" CoSine IPNOS L2 debug output \n"
" Common Open Policy Service \n"
" Common Unix Printing System (CUPS) Browsing Protocol \n"
+" Connectionless Lightweight Directory Access Protocol \n"
+" Cross Point Frame Injector \n"
" DCE DFS Calls \n"
" DCE Distributed Time Service Local Server \n"
" DCE Distributed Time Service Provider \n"
@@ -251,15 +273,21 @@ const char *faq_part[] = {
" DCE RPC \n"
" DCE Security ID Mapper \n"
" DCE/RPC BOS Server \n"
+" DCE/RPC BUDB \n"
+" DCE/RPC BUTC \n"
" DCE/RPC CDS Solicitation \n"
" DCE/RPC Conversation Manager \n"
" DCE/RPC Endpoint Mapper \n"
+" DCE/RPC Endpoint Mapper4 \n"
" DCE/RPC FLDB \n"
" DCE/RPC FLDB UBIK TRANSFER \n"
" DCE/RPC FLDB UBIKVOTE \n"
+" DCE/RPC ICL RPC \n"
" DCE/RPC Kerberos V \n"
" DCE/RPC RS_ACCT \n"
+" DCE/RPC RS_BIND \n"
" DCE/RPC RS_MISC \n"
+" DCE/RPC RS_PROP_ACCT \n"
" DCE/RPC RS_UNIX \n"
" DCE/RPC Remote Management \n"
" DCE/RPC Repserver Calls \n"
@@ -299,20 +327,28 @@ const char *faq_part[] = {
" Fibre Channel Name Server \n"
" Fibre Channel Protocol for SCSI \n"
" Fibre Channel SW_ILS \n"
+" Fibre Channel Security Protocol \n"
+" Fibre Channel Single Byte Command \n"
" File Transfer Protocol (FTP) \n"
" Financial Information eXchange Protocol \n"
" Frame \n"
" Frame Relay \n"
" GARP Multicast Registration Protocol \n"
" GARP VLAN Registration Protocol \n"
+" GPRS Network service \n"
" GPRS Tunneling Protocol \n"
-" GPRS Tunnelling Protocol v0 \n"
-" GPRS Tunnelling Protocol v1 \n"
+" GSM A-I/F BSSMAP \n"
+" GSM A-I/F DTAP \n"
+" GSM A-I/F RP \n"
+" GSM Mobile Application Part \n"
+" GSM SMS TPDU (GSM 03.40) \n"
" General Inter-ORB Protocol \n"
" Generic Routing Encapsulation \n"
" Generic Security Service Application Program Interface \n"
" Gnutella Protocol \n"
+" H225 \n"
" H245 \n"
+" H4501 \n"
" HP Extended Local-Link Control \n"
" HP Remote Maintenance Protocol \n"
" Hummingbird NFS Daemon \n"
@@ -332,10 +368,12 @@ const char *faq_part[] = {
" ISDN User Part \n"
" ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol \n"
" ISO 8073 COTP Connection-Oriented Transport Protocol \n"
+" ISO 8327-1 OSI Session Protocol \n"
" ISO 8473 CLNP ConnectionLess Network Protocol \n"
" ISO 8602 CLTP ConnectionLess Transport Protocol \n"
" ISO 9542 ESIS Routeing Information Exchange Protocol \n"
" ITU-T Recommendation H.261 \n"
+" ITU-T Recommendation H.263 RTP Payload header (RFC2190) \n"
" InMon sFlow \n"
" Intel ANS probe \n"
" Intelligent Platform Management Interface \n"
@@ -346,6 +384,7 @@ const char *faq_part[] = {
" Internet Control Message Protocol \n"
" Internet Control Message Protocol v6 \n"
" Internet Group Management Protocol \n"
+" Internet Group membership Authentication Protocol \n"
" Internet Message Access Protocol \n"
" Internet Printing Protocol \n"
" Internet Protocol \n"
@@ -359,7 +398,13 @@ const char *faq_part[] = {
" Kerberos \n"
" Kerberos Administration \n"
" Kernel Lock Manager \n"
+" LWAP Control Message \n"
+" LWAPP Encapsulated Packet \n"
+,
+
+" LWAPP Layer 3 Packet \n"
" Label Distribution Protocol \n"
+" Laplink \n"
" Layer 2 Tunneling Protocol \n"
" Lightweight Directory Access Protocol \n"
" Line Printer Daemon Protocol \n"
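Review bot: "LWAP Control Message" is spelled with one P, while the two entries added right after it read "LWAPP Encapsulated Packet" and "LWAPP Layer 3 Packet"; this looks like a typo in the protocol name. If the list is taken from the names the dissectors register, the fix belongs in that name rather than in this file.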
@@ -375,6 +420,7 @@ const char *faq_part[] = {
" Lucent/Ascend debug output \n"
" MDS Header \n"
" MMS Message Encapsulation \n"
+" MS Kpasswd \n"
" MS Proxy Protocol \n"
" MSN Messenger Service \n"
" MSNIP: Multicast Source Notification of Interest Protocol \n"
@@ -385,6 +431,7 @@ const char *faq_part[] = {
" Message Transfer Part Level 2 \n"
" Message Transfer Part Level 3 \n"
" Message Transfer Part Level 3 Management \n"
+" Microsoft Directory Replication Service \n"
" Microsoft Distributed File System \n"
" Microsoft Exchange MAPI \n"
" Microsoft Local Security Architecture \n"
@@ -400,8 +447,6 @@ const char *faq_part[] = {
" Microsoft Telephony API Service \n"
" Microsoft Windows Browser Protocol \n"
" Microsoft Windows Lanman Remote API Protocol \n"
-,
-
" Microsoft Windows Logon Protocol \n"
" Microsoft Workstation Service \n"
" Mobile IP \n"
@@ -434,6 +479,7 @@ const char *faq_part[] = {
" Network Status Monitor CallBack Protocol \n"
" Network Status Monitor Protocol \n"
" Network Time Protocol \n"
+" Nortel SONMP \n"
" Novell Distributed Print System \n"
" Null/Loopback \n"
" Open Shortest Path First \n"
@@ -459,7 +505,7 @@ const char *faq_part[] = {
" PPP-over-Ethernet Discovery \n"
" PPP-over-Ethernet Session \n"
" PPPMux Control Protocol \n"
-" Packet Encoding Rules (ASN.1 X.691) \n"
+" Packed Encoding Rules (ASN.1 X.691) \n"
" Point-to-Point Protocol \n"
" Point-to-Point Tunnelling Protocol \n"
" Portmap \n"
@@ -470,14 +516,17 @@ const char *faq_part[] = {
" Protocol Independent Multicast \n"
" Q.2931 \n"
" Q.931 \n"
+" Q.933 \n"
" Quake II Network Protocol \n"
" Quake III Arena Network Protocol \n"
" Quake Network Protocol \n"
" QuakeWorld Network Protocol \n"
" Qualified Logical Link Control \n"
" RFC 2250 MPEG1 \n"
+" RFC 2833 RTP Event \n"
" RIPng \n"
" RPC Browser \n"
+" RS Interface properties \n"
" RSTAT \n"
" RSYNC File Synchroniser \n"
" RX Protocol \n"
@@ -495,6 +544,7 @@ const char *faq_part[] = {
" Remote Program Load \n"
" Remote Quota \n"
" Remote Shell \n"
+" Remote Shutdown \n"
" Remote Wall protocol \n"
" Remote sec_login preauth interface. \n"
" Resource ReserVation Protocol (RSVP) \n"
@@ -503,6 +553,7 @@ const char *faq_part[] = {
" Routing Table Maintenance Protocol \n"
" SADMIND \n"
" SCSI \n"
+" SEBEK - Kernel Data Capture \n"
" SGI Mount Service \n"
" SMB (Server Message Block Protocol) \n"
" SMB MailSlot Protocol \n"
@@ -521,11 +572,13 @@ const char *faq_part[] = {
" Session Announcement Protocol \n"
" Session Description Protocol \n"
" Session Initiation Protocol \n"
+" Session Initiation Protocol (SIP as raw text) \n"
" Short Message Peer to Peer \n"
" Signalling Connection Control Part \n"
" Signalling Connection Control Part Management \n"
" Simple Mail Transfer Protocol \n"
" Simple Network Management Protocol \n"
+" Simple Traversal of UDP Through NAT \n"
" Sinec H1 Protocol \n"
" Skinny Client Control Protocol \n"
" SliMP3 Communication Protocol \n"
@@ -537,8 +590,10 @@ const char *faq_part[] = {
" Syslog message \n"
" Systems Network Architecture \n"
" Systems Network Architecture XID \n"
+" T38 \n"
" TACACS \n"
" TACACS+ \n"
+" TEREDO Tunneling IPv6 over UDP through NATs \n"
" TPKT \n"
" Tabular Data Stream \n"
" Tazmen Sniffer Protocol \n"
@@ -547,6 +602,7 @@ const char *faq_part[] = {
" Time Synchronization Protocol \n"
" Token-Ring \n"
" Token-Ring Media Access Control \n"
+" Transaction Capabilities Application Part \n"
" Transmission Control Protocol \n"
" Transparent Network Substrate Protocol \n"
" Trivial File Transfer Protocol \n"
@@ -698,11 +754,17 @@ const char *faq_part[] = {
" Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be \n"
" installed; only Tethereal is installed. \n"
" \n"
-" A: Red Hat RPMs for Ethereal put only the non-GUI components into the \n"
-" ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding; \n"
-" there's a separate ethereal-gnome RPM that includes GUI components \n"
-" such as Ethereal itself, the fact that Ethereal doesn't use GNOME \n"
-" nonwithstanding. Find the ethereal-gnome RPM, and install that also. \n"
+" A: Older versions of the Red Hat RPMs for Ethereal put only the \n"
+" non-GUI components into the ethereal RPM, the fact that Ethereal is a \n"
+" GUI program nonwithstanding; newer versions make it a bit clearer by \n"
+" giving that RPM a name starting with ethereal-base. \n"
+" \n"
+" In those older versions, there's a separate ethereal-gnome RPM that \n"
+" includes GUI components such as Ethereal itself, the fact that \n"
+" Ethereal doesn't use GNOME nonwithstanding; newer versions make it a \n"
+" bit clearer by giving that RPM a name starting with ethereal-gtk+. \n"
+" \n"
+" Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also. \n"
" \n"
" BUILDING ETHEREAL \n"
" Q 4.1: The configure script can't find pcap.h or bpf.h, but I have \n"
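Review bot: "nonwithstanding" is carried over into both rewritten paragraphs of the answer to Q 3.1; the word is "notwithstanding". The two paragraphs also end with the same clause ("newer versions make it a bit clearer by giving that RPM a name starting with ..."), so saying once that newer versions name the packages ethereal-base and ethereal-gtk+ would read better.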
@@ -740,6 +802,8 @@ const char *faq_part[] = {
" \n"
" On Solaris, changing your command search path to search /usr/xpg4/bin \n"
" before /usr/bin should make the problem go away; on any platform on \n"
+,
+
" which you have this problem, installing GNU sed and changing your \n"
" command path to search the directory in which it is installed before \n"
" searching the directory with the version of sed that came with the OS \n"
@@ -802,13 +866,28 @@ const char *faq_part[] = {
" this. See, for example: \n"
" * this documentation from Cisco on the Switched Port Analyzer (SPAN) \n"
" feature on Catalyst switches; \n"
-,
-
" * documentation from HP on how to set \"monitoring\"/\"mirroring\" on \n"
" ports on the console for HP Advancestack Switch 208 and 224; \n"
" * the \"Network Monitoring Port Features\" section of chapter 6 of \n"
" documentation from HP for HP ProCurve Switches 1600M, 2424M, \n"
-" 4000M, and 8000M. \n"
+" 4000M, and 8000M; \n"
+" * the \"Switch Port-Mirroring\" section of chapter 6 of documentation \n"
+" from Extreme Networks for their Summit 200 switches; \n"
+" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n"
+" in Foundry Networks' documentation for their FastIron Edge \n"
+" Switches; \n"
+" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n"
+" in Foundry Networks' documentation for their BigIron MG8 Layer 3 \n"
+" Switches; \n"
+" * the \"Port Monitor\" subsection of the \"Status Monitor and \n"
+" Statistics\" section of the documentation from Foundry Networks for \n"
+" their EdgeIron 4802F and 10GC2F switches; \n"
+" * the \"Configuring Port Mirroring\" section of chapter 3 of the \n"
+" documentation from Foundry Networks for their EdgeIron 24G, \n"
+" 2402CF, and 4802CF switches; \n"
+" * the documentation on \"Configuring Port Mirroring and Monitoring\" \n"
+" in Foundry Networks' documentation for their other switches and \n"
+" metro routers. \n"
" \n"
" Note also that many firewall/NAT boxes have a switch built into them; \n"
" this includes many of the \"cable/DSL router\" boxes. If you have a box \n"
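Review bot: The six added list items name vendor documents (for example "the documentation on "Configuring Port Mirroring and Monitoring" in Foundry Networks' documentation") but this text rendering carries no URL for any of them, so a reader of the built-in FAQ has no way to locate them. Three of the Foundry items also open with identical wording and differ only in the product line; consider merging them into one item that lists FastIron Edge, BigIron MG8 and the other switches and metro routers.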
@@ -905,7 +984,199 @@ const char *faq_part[] = {
" I.e., this is probably the same question as this earlier one; see the \n"
" response to that question. \n"
" \n"
-" Q 5.4: How do I put an interface into promiscuous mode? \n"
+" Q 5.4: I'm running Ethereal on Windows; why does some network \n"
+" interface on my machine not show up in the list of interfaces in the \n"
+" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
+" and/or why does Ethereal give me an error if I try to capture on that \n"
+" interface? \n"
+" \n"
+" A: If you are running Ethereal on Windows NT 4.0, Windows 2000, \n"
+" Windows XP, or Windows Server, and this is the first time you have run \n"
+" a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, \n"
+" or Analyzer, or...) since the machine was rebooted, you need to run \n"
+" that program from an account with administrator privileges; once you \n"
+" have run such a program, you will not need administrator privileges to \n"
+" run any such programs until you reboot. \n"
+" \n"
+" If you are running on Windows 95/98/Me, or if you are running on \n"
+" Windows NT 4.0/2000/XP/Server and have administrator privileges or a \n"
+" WinPcap-based program has been run with those privileges since the \n"
+" machine rebooted, then note that Ethereal relies on the WinPcap \n"
+" library, on the WinPcap device driver, and on the facilities that come \n"
+" with the OS on which it's running in order to do captures. \n"
+" \n"
+" Therefore, if the OS, the WinPcap library, or the WinPcap driver don't \n"
+" support capturing on a particular network interface device, Ethereal \n"
+" won't be able to capture on that device. \n"
+" \n"
+" Note that: \n"
+" 1. 2.02 and earlier versions of the WinPcap driver and library that \n"
+" Ethereal uses for packet capture didn't support Token Ring \n"
+" interfaces; versions 2.1 and later support Token Ring, and the \n"
+" current version of Ethereal works with (and, in fact, requires) \n"
+" WinPcap 2.1 or later. \n"
+" If you are having problems capturing on Token Ring interfaces, and \n"
+" you have WinPcap 2.02 or an earlier version of WinPcap installed, \n"
+" you should uninstall WinPcap, download and install the current \n"
+" version of WinPcap, and then install the latest version of \n"
+" Ethereal. \n"
+" 2. On Windows 95, 98, or Me, sometimes more than one interface will \n"
+" be given the same name; if that is the case, you will only be able \n"
+" to capture on one of those interfaces - it's not clear to which \n"
+" one the name, when used in a WinPcap-based application, will \n"
+" refer. For example, if you have a PPP serial interface and a VPN \n"
+" interface, they might show up with the same name, for example \n"
+" \"ppp-mac\", and if you try to capture on \"ppp-mac\", it might not \n"
+" capture on the interface you're currently using. In that case, you \n"
+" might, for example, have to remove the VPN interface from the \n"
+" system in order to capture on the PPP serial interface. \n"
+" 3. WinPcap doesn't support PPP WAN interfaces on Windows \n"
+" NT/2000/XP/Server, so Ethereal cannot capture packets on those \n"
+" devices when running on Windows NT/2000/XP/Server. Regular dial-up \n"
+" lines, ISDN lines, and various other lines such as T1/E1 lines are \n"
+" all PPP interfaces. This may cause the interface not to show up on \n"
+" the list of interfaces in the \"Capture Options\" dialog. \n"
+" 4. WinPcap prior to 3.0 does not support multiprocessor machines \n"
+" (note that machines with a single multi-threaded processor, such \n"
+" as Intel's new multi-threaded x86 processors, are multiprocessor \n"
+" machines as far as the OS and WinPcap are concerned), and recent \n"
+" 2.x versions of WinPcap refuse to operate if they detect that \n"
+" they're running on a multiprocessor machine, which means that they \n"
+" may not show any network interfaces. You will need to use WinPcap \n"
+" 3.0 to capture on a multiprocessor machine. \n"
+" \n"
+" If an interface doesn't show up in the list of interfaces in the \n"
+" \"Interface:\" field, and you know the name of the interface, try \n"
+" entering that name in the \"Interface:\" field and capturing on that \n"
+" device. \n"
+" \n"
+" If the attempt to capture on it succeeds, the interface is somehow not \n"
+" being reported by the mechanism Ethereal uses to get a list of \n"
+" interfaces; please report this to ethereal-dev@ethereal.com giving \n"
+" full details of the problem, including \n"
+" * the operating system you're using, and the version of that \n"
+" operating system; \n"
+" * the type of network device you're using. \n"
+" \n"
+" If you are having trouble capturing on a particular network interface, \n"
+" first try capturing on that device with WinDump; see the WinDump Web \n"
+" site or the local mirror of the WinDump Web site for information on \n"
+" using WinDump. \n"
+" \n"
+" If you can capture on the interface with WinDump, send mail to \n"
+" ethereal-users@ethereal.com giving full details of the problem, \n"
+" including \n"
+" * the operating system you're using, and the version of that \n"
+" operating system; \n"
+" * the type of network device you're using; \n"
+" * the error message you get from Ethereal. \n"
+" \n"
+" If you cannot capture on the interface with WinDump, this is almost \n"
+" certainly a problem with one or more of: \n"
+" * the operating system you're using; \n"
+" * the device driver for the interface you're using; \n"
+" * the WinPcap library and/or the WinPcap device driver; \n"
+" \n"
+" so first check the WinPcap FAQ, the local mirror of that FAQ, or the \n"
+" Wiretapped.net mirror of that FAQ, to see if your problem is mentioned \n"
+" there. If not, then see the WinPcap support page (or the local mirror \n"
+" of that page) - check the \"Submitting bugs\" section. \n"
+" \n"
+" You may also want to ask the ethereal-users@ethereal.com and the \n"
+" winpcap-users@winpcap.polito.it mailing lists to see if anybody \n"
+" happens to know about the problem and know a workaround or fix for the \n"
+" problem. (Note that you will have to subscribe to that list in order \n"
+" to be allowed to mail to it; see the WinPcap support page, or the \n"
+" local mirror of that page, for information on the mailing list.) In \n"
+" your mail, please give full details of the problem, as described \n"
+" above, and also indicate that the problem occurs with WinDump, not \n"
+" just with Ethereal. \n"
+" \n"
+" Q 5.5: I'm running on a UNIX-flavored OS; why does some network \n"
+" interface on my machine not show up in the list of interfaces in the \n"
+" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
+" and/or why does Ethereal give me an error if I try to capture on that \n"
+" interface? \n"
+" \n"
+" A: You may need to run Ethereal from an account with sufficient \n"
+" privileges to capture packets, such as the super-user account. Only \n"
+" those interfaces that Ethereal can open for capturing show up in that \n"
+" list; if you don't have sufficient privileges to capture on any \n"
+" interfaces, no interfaces will show up in the list. \n"
+" \n"
+" If you are running Ethereal from an account with sufficient \n"
+" privileges, then note that Ethereal relies on the libpcap library, and \n"
+" on the facilities that come with the OS on which it's running in order \n"
+" to do captures. \n"
+" \n"
+" Therefore, if the OS or the libpcap library don't support capturing on \n"
+" a particular network interface device, Ethereal won't be able to \n"
+" capture on that device. \n"
+" \n"
+" On Linux, note that you need to have \"packet socket\" support enabled \n"
+" in your kernel; see the \"Packet socket\" item in the Linux \n"
+" \"Configure.help\" file. \n"
+" \n"
+" On BSD, note that you need to have BPF support enabled in your kernel; \n"
+" see the documentation for your system for information on how to enable \n"
+" BPF support (if it's not enabled by default on your system). \n"
+" \n"
+" On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have \n"
+" packet filtering support in your kernel; the doconfig command will \n"
+" allow you to configure and build a new kernel with that option. \n"
+" \n"
+" On Solaris, note that libpcap 0.6.2 and earlier didn't support Token \n"
+" Ring interfaces; the current version, 0.7.2, does support Token Ring, \n"
+" and the current version of Ethereal works with libcap 0.7.2 and later. \n"
+" \n"
+" If an interface doesn't show up in the list of interfaces in the \n"
+" \"Interface:\" field, and you know the name of the interface, try \n"
+" entering that name in the \"Interface:\" field and capturing on that \n"
+" device. \n"
+" \n"
+" If the attempt to capture on it succeeds, the interface is somehow not \n"
+" being reported by the mechanism Ethereal uses to get a list of \n"
+" interfaces; please report this to ethereal-dev@ethereal.com giving \n"
+" full details of the problem, including \n"
+" * the operating system you're using, and the version of that \n"
+" operating system (for Linux, give both the version number of the \n"
+" kernel and the name and version number of the distribution you're \n"
+" using); \n"
+" * the type of network device you're using. \n"
+" \n"
+" If you are having trouble capturing on a particular network interface, \n"
+" and you've made sure that (on platforms that require it) you've \n"
+" arranged that packet capture support is present, as per the above, \n"
+" first try capturing on that device with tcpdump. \n"
+" \n"
+" If you can capture on the interface with tcpdump, send mail to \n"
+" ethereal-users@ethereal.com giving full details of the problem, \n"
+" including \n"
+" * the operating system you're using, and the version of that \n"
+" operating system (for Linux, give both the version number of the \n"
+" kernel and the name and version number of the distribution you're \n"
+" using); \n"
+" * the type of network device you're using; \n"
+" * the error message you get from Ethereal. \n"
+" \n"
+" If you cannot capture on the interface with tcpdump, this is almost \n"
+" certainly a problem with one or more of: \n"
+" * the operating system you're using; \n"
+" * the device driver for the interface you're using; \n"
+" * the libpcap library; \n"
+" \n"
+" so you should report the problem to the company or organization that \n"
+" produces the OS (in the case of a Linux distribution, report the \n"
+" problem to whoever produces the distribution). \n"
+" \n"
+" You may also want to ask the ethereal-users@ethereal.com and the \n"
+" tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to \n"
+" know about the problem and know a workaround or fix for the problem. \n"
+" In your mail, please give full details of the problem, as described \n"
+" above, and also indicate that the problem occurs with tcpdump not just \n"
+" with Ethereal. \n"
+" \n"
+" Q 5.6: How do I put an interface into promiscuous mode? \n"
" \n"
" A: By not disabling promiscuous mode when running Ethereal or \n"
" Tethereal. \n"
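Review bot: In the Solaris paragraph of the answer to Q 5.5, "works with libcap 0.7.2 and later" should read "libpcap"; libcap is a different library. The same sentence pins "the current version, 0.7.2", which will go stale, and item 4 of the Windows answer says "You will need to use WinPcap 3.0" where "3.0 or later" is presumably meant. The answer to Q 5.5 also opens by suggesting the super-user account; since the text already has the reader test with tcpdump, it would be worth adding that a capture written by tcpdump can be opened in Ethereal from an unprivileged account, so the GUI does not have to run as the super-user.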
@@ -927,12 +1198,14 @@ const char *faq_part[] = {
" I.e., this is probably the same question as this earlier one; see the \n"
" response to that question. \n"
" \n"
-" Q 5.5: I can set a display filter just fine, but capture filters don't \n"
+" Q 5.7: I can set a display filter just fine, but capture filters don't \n"
" work. \n"
" \n"
" A: Capture filters currently use a different syntax than display \n"
" filters. Here's the corresponding section from the ethereal(1) man \n"
" page: \n"
+,
+
" \n"
" \"Display filters in Ethereal are very powerful; more fields are \n"
" filterable in Ethereal than in other protocol analyzers, and the \n"
@@ -947,7 +1220,7 @@ const char *faq_part[] = {
" The capture filter syntax used by libpcap can be found in the \n"
" tcpdump(8) man page. \n"
" \n"
-" Q 5.6: I'm entering valid capture filters, but I still get \"parse \n"
+" Q 5.8: I'm entering valid capture filters, but I still get \"parse \n"
" error\" errors. \n"
" \n"
" A: There is a bug in some versions of libpcap/WinPcap that cause it to \n"
@@ -979,7 +1252,7 @@ const char *faq_part[] = {
" WinPcap, you will need to un-install WinPcap and then download and \n"
" install WinPcap 2.3. \n"
" \n"
-" Q 5.7: I saved a filter and tried to use its name to filter the \n"
+" Q 5.9: I saved a filter and tried to use its name to filter the \n"
" display, but I got an \"Unexpected end of filter string\" error. \n"
" \n"
" A: You cannot use the name of a saved display filter as a filter. To \n"
@@ -990,7 +1263,7 @@ const char *faq_part[] = {
" use a saved filter, you can press the \"Filter:\" button, select the \n"
" filter in the dialog box that pops up, and press the \"OK\" button. \n"
" \n"
-" Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums? \n"
+" Q 5.10: Why am I seeing lots of packets with incorrect TCP checksums? \n"
" \n"
" A: If the packets that have incorrect TCP checksums are all being sent \n"
" by the machine on which Ethereal is running, this is probably because \n"
@@ -1022,13 +1295,13 @@ const char *faq_part[] = {
" tcp.check_checksum:false command-line flag, or manually set in your \n"
" preferences file by adding a tcp.check_checksum:false line. \n"
" \n"
-" Q 5.9: I've just installed Ethereal, and the traffic on my local LAN \n"
+" Q 5.11: I've just installed Ethereal, and the traffic on my local LAN \n"
" is boring. \n"
" \n"
" A: We have a collection of strange and exotic sample capture files at \n"
" http://www.ethereal.com/sample/ \n"
" \n"
-" Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error \n"
+" Q 5.12: When I run Ethereal on Solaris 8, it dies with a Bus Error \n"
" when I start it. \n"
" \n"
" A: Some versions of the GTK+ library from www.sunfreeware.org appear \n"
@@ -1046,7 +1319,7 @@ const char *faq_part[] = {
" Similar problems may exist with older versions of GTK+ for earlier \n"
" versions of Solaris. \n"
" \n"
-" Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson \n"
+" Q 5.13: When I run Ethereal on Windows NT, it dies with a Dr. Watson \n"
" error, reporting an \"Integer division by zero\" exception, when I start \n"
" it. \n"
" \n"
@@ -1054,7 +1327,7 @@ const char *faq_part[] = {
" VGA driver; if that's not the correct driver for your video card, try \n"
" running the correct driver for your video card. \n"
" \n"
-" Q 5.12: When I try to run Ethereal, it complains about \n"
+" Q 5.14: When I try to run Ethereal, it complains about \n"
" sprint_realloc_objid being undefined. \n"
" \n"
" A: Ethereal can only be linked with version 4.2.2 or later of UCD \n"
@@ -1064,7 +1337,7 @@ const char *faq_part[] = {
" the older version, and fails. You will have to replace that version of \n"
" UCD SNMP with version 4.2.2 or a later version. \n"
" \n"
-" Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only \n"
+" Q 5.15: I'm running Ethereal on Linux; why do my time stamps have only \n"
" 100ms resolution, rather than 1us resolution? \n"
" \n"
" A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap \n"
@@ -1090,13 +1363,13 @@ const char *faq_part[] = {
" have to run a standard kernel from kernel.org in order to get \n"
" high-resolution time stamps. \n"
" \n"
-" Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n"
+" Q 5.16: I'm capturing packets on {Windows 95, Windows 98, Windows Me}; \n"
" why are the time stamps on packets wrong? \n"
" \n"
" A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap \n"
" 3.0. \n"
" \n"
-" Q 5.15: When I try to run Ethereal on Windows, it fails to run because \n"
+" Q 5.17: When I try to run Ethereal on Windows, it fails to run because \n"
" it can't find packet.dll. \n"
" \n"
" A: In older versions of Ethereal, there were two binary distributions \n"
@@ -1113,202 +1386,6 @@ const char *faq_part[] = {
" Web site, the local mirror of the WinPcap Web site, or the \n"
" Wiretapped.net mirror of the WinPcap site. \n"
" \n"
-" Q 5.16: I'm running Ethereal on Windows; why does some network \n"
-" interface on my machine not show up in the list of interfaces in the \n"
-" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
-" and/or why does Ethereal give me an error if I try to capture on that \n"
-" interface? \n"
-" \n"
-" A: If you are running Ethereal on Windows NT 4.0, Windows 2000, \n"
-" Windows XP, or Windows Server, and this is the first time you have run \n"
-" a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, \n"
-" or Analyzer, or...) since the machine was rebooted, you need to run \n"
-" that program from an account with administrator privileges; once you \n"
-" have run such a program, you will not need administrator privileges to \n"
-" run any such programs until you reboot. \n"
-" \n"
-" If you are running on Windows 95/98/Me, or if you are running on \n"
-" Windows NT 4.0/2000/XP/Server and have administrator privileges or a \n"
-" WinPcap-based program has been run with those privileges since the \n"
-" machine rebooted, then note that Ethereal relies on the WinPcap \n"
-" library, on the WinPcap device driver, and on the facilities that come \n"
-" with the OS on which it's running in order to do captures. \n"
-" \n"
-" Therefore, if the OS, the WinPcap library, or the WinPcap driver don't \n"
-" support capturing on a particular network interface device, Ethereal \n"
-" won't be able to capture on that device. \n"
-" \n"
-" Note that: \n"
-" * 2.02 and earlier versions of the WinPcap driver and library that \n"
-" Ethereal uses for packet capture didn't support Token Ring \n"
-" interfaces; the current version, 2.3, does support Token Ring, and \n"
-" the current version of Ethereal works with (and, in fact, \n"
-" requires) WinPcap 2.1 or later. \n"
-" If you are having problems capturing on Token Ring interfaces, and \n"
-" you have WinPcap 2.02 or an earlier version of WinPcap installed, \n"
-" you should uninstall WinPcap, download and install the current \n"
-" version of WinPcap, and then install the latest version of \n"
-" Ethereal. \n"
-" * On Windows 95, 98, or Me, sometimes more than one interface will \n"
-" be given the same name; if that is the case, you will only be able \n"
-" to capture on one of those interfaces - it's not clear to which \n"
-" one the name, when used in a WinPcap-based application, will \n"
-" refer. For example, if you have a PPP serial interface and a VPN \n"
-" interface, they might show up with the same name, for example \n"
-" \"ppp-mac\", and if you try to capture on \"ppp-mac\", it might not \n"
-" capture on the interface you're currently using. In that case, you \n"
-" might, for example, have to remove the VPN interface from the \n"
-" system in order to capture on the PPP serial interface. \n"
-" * WinPcap doesn't support PPP WAN interfaces on Windows \n"
-" NT/2000/XP/Server, so Ethereal cannot capture packets on those \n"
-" devices when running on Windows NT/2000/XP/Server. Regular dial-up \n"
-" lines, ISDN lines, and various other lines such as T1/E1 lines are \n"
-" all PPP interfaces. This may cause the interface not to show up on \n"
-" the list of interfaces in the \"Capture Options\" dialog. \n"
-" * WinPcap prior to 3.0 does not support multiprocessor machines \n"
-" (note that machines with a single multi-threaded processor, such \n"
-" as Intel's new multi-threaded x86 processors, are multiprocessor \n"
-" machines as far as the OS and WinPcap are concerned), and recent \n"
-" 2.x versions of WinPcap refuse to operate if they detect that \n"
-" they're running on a multiprocessor machine, which means that they \n"
-" may not show any network interfaces. You will need to use WinPcap \n"
-" 3.0 to capture on a multiprocessor machine. \n"
-" \n"
-" If an interface doesn't show up in the list of interfaces in the \n"
-" \"Interface:\" field, and you know the name of the interface, try \n"
-" entering that name in the \"Interface:\" field and capturing on that \n"
-" device. \n"
-" \n"
-" If the attempt to capture on it succeeds, the interface is somehow not \n"
-" being reported by the mechanism Ethereal uses to get a list of \n"
-" interfaces; please report this to ethereal-dev@ethereal.com giving \n"
-" full details of the problem, including \n"
-" * the operating system you're using, and the version of that \n"
-" operating system; \n"
-" * the type of network device you're using. \n"
-" \n"
-" If you are having trouble capturing on a particular network interface, \n"
-" and you've made sure that (on platforms that require it) you've \n"
-" arranged that packet capture support is present, as per the above, \n"
-" first try capturing on that device with WinDump; see the WinDump Web \n"
-" site or the local mirror of the WinDump Web site for information on \n"
-" using WinDump. \n"
-" \n"
-" If you can capture on the interface with WinDump, send mail to \n"
-" ethereal-users@ethereal.com giving full details of the problem, \n"
-" including \n"
-" * the operating system you're using, and the version of that \n"
-" operating system; \n"
-" * the type of network device you're using; \n"
-" * the error message you get from Ethereal. \n"
-" \n"
-" If you cannot capture on the interface with WinDump, this is almost \n"
-" certainly a problem with one or more of: \n"
-,
-
-" * the operating system you're using; \n"
-" * the device driver for the interface you're using; \n"
-" * the WinPcap library and/or the WinPcap device driver; \n"
-" \n"
-" so first check the WinPcap FAQ, the local mirror of that FAQ, or the \n"
-" Wiretapped.net mirror of that FAQ, to see if your problem is mentioned \n"
-" there. If not, then see the WinPcap support page (or the local mirror \n"
-" of that page) - check the \"Submitting bugs\" section. \n"
-" \n"
-" You may also want to ask the ethereal-users@ethereal.com and the \n"
-" winpcap-users@winpcap.polito.it mailing lists to see if anybody \n"
-" happens to know about the problem and know a workaround or fix for the \n"
-" problem. (Note that you will have to subscribe to that list in order \n"
-" to be allowed to mail to it; see the WinPcap support page, or the \n"
-" local mirror of that page, for information on the mailing list.) In \n"
-" your mail, please give full details of the problem, as described \n"
-" above, and also indicate that the problem occurs with WinDump, not \n"
-" just with Ethereal. \n"
-" \n"
-" Q 5.17: I'm running on a UNIX-flavored OS; why does some network \n"
-" interface on my machine not show up in the list of interfaces in the \n"
-" \"Interface:\" field in the dialog box popped up by \"Capture->Start\", \n"
-" and/or why does Ethereal give me an error if I try to capture on that \n"
-" interface? \n"
-" \n"
-" A: You may need to run Ethereal from an account with sufficient \n"
-" privileges to capture packets, such as the super-user account. Only \n"
-" those interfaces that Ethereal can open for capturing show up in that \n"
-" list; if you don't have sufficient privileges to capture on any \n"
-" interfaces, no interfaces will show up in the list. \n"
-" \n"
-" If you are running Ethereal from an account with sufficient \n"
-" privileges, then note that Ethereal relies on the libpcap library, and \n"
-" on the facilities that come with the OS on which it's running in order \n"
-" to do captures. \n"
-" \n"
-" Therefore, if the OS or the libpcap library don't support capturing on \n"
-" a particular network interface device, Ethereal won't be able to \n"
-" capture on that device. \n"
-" \n"
-" On Linux, note that you need to have \"packet socket\" support enabled \n"
-" in your kernel; see the \"Packet socket\" item in the Linux \n"
-" \"Configure.help\" file. \n"
-" \n"
-" On BSD, note that you need to have BPF support enabled in your kernel; \n"
-" see the documentation for your system for information on how to enable \n"
-" BPF support (if it's not enabled by default on your system). \n"
-" \n"
-" On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have \n"
-" packet filtering support in your kernel; the doconfig command will \n"
-" allow you to configure and build a new kernel with that option. \n"
-" \n"
-" On Solaris, note that libpcap 0.6.2 and earlier didn't support Token \n"
-" Ring interfaces; the current version, 0.7.2, does support Token Ring, \n"
-" and the current version of Ethereal works with libcap 0.7.2 and later. \n"
-" \n"
-" If an interface doesn't show up in the list of interfaces in the \n"
-" \"Interface:\" field, and you know the name of the interface, try \n"
-" entering that name in the \"Interface:\" field and capturing on that \n"
-" device. \n"
-" \n"
-" If the attempt to capture on it succeeds, the interface is somehow not \n"
-" being reported by the mechanism Ethereal uses to get a list of \n"
-" interfaces; please report this to ethereal-dev@ethereal.com giving \n"
-" full details of the problem, including \n"
-" * the operating system you're using, and the version of that \n"
-" operating system (for Linux, give both the version number of the \n"
-" kernel and the name and version number of the distribution you're \n"
-" using); \n"
-" * the type of network device you're using. \n"
-" \n"
-" If you are having trouble capturing on a particular network interface, \n"
-" and you've made sure that (on platforms that require it) you've \n"
-" arranged that packet capture support is present, as per the above, \n"
-" first try capturing on that device with tcpdump. \n"
-" \n"
-" If you can capture on the interface with tcpdump, send mail to \n"
-" ethereal-users@ethereal.com giving full details of the problem, \n"
-" including \n"
-" * the operating system you're using, and the version of that \n"
-" operating system (for Linux, give both the version number of the \n"
-" kernel and the name and version number of the distribution you're \n"
-" using); \n"
-" * the type of network device you're using; \n"
-" * the error message you get from Ethereal. \n"
-" \n"
-" If you cannot capture on the interface with tcpdump, this is almost \n"
-" certainly a problem with one or more of: \n"
-" * the operating system you're using; \n"
-" * the device driver for the interface you're using; \n"
-" * the libpcap library; \n"
-" \n"
-" so you should report the problem to the company or organization that \n"
-" produces the OS (in the case of a Linux distribution, report the \n"
-" problem to whoever produces the distribution). \n"
-" \n"
-" You may also want to ask the ethereal-users@ethereal.com and the \n"
-" tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to \n"
-" know about the problem and know a workaround or fix for the problem. \n"
-" In your mail, please give full details of the problem, as described \n"
-" above, and also indicate that the problem occurs with tcpdump not just \n"
-" with Ethereal. \n"
-" \n"
" Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine \n"
" has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the \n"
" \"Interface\" item in the \"Capture Options\" dialog box. Why can no \n"
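Review bot: The removed Q 5.17 answer contains the typo "libcap" in its Solaris paragraph ("the current version of Ethereal works with libcap 0.7.2 and later"); since this text is being relocated to the new 5.5 rather than dropped, make sure the relocated copy reads "libpcap", as the rest of the answer does. The relocated Windows answer is also worth rechecking while it is being moved: it calls 2.3 "the current version" of WinPcap and, a few bullets later, says WinPcap 3.0 is needed on multiprocessor machines.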
@@ -1394,11 +1471,11 @@ const char *faq_part[] = {
" or, for Windows, WinPcap bug that causes the system to crash when this \n"
" happens; see the previous question. \n"
" \n"
-" Q 5.24: Does Ethereal work on Windows ME? \n"
+" Q 5.24: Does Ethereal work on Windows Me? \n"
" \n"
" A: Yes, but if you want to capture packets, you will need to install \n"
" the latest version of WinPcap, as 2.02 and earlier versions of WinPcap \n"
-" didn't support Windows ME. You should also install the latest version \n"
+" didn't support Windows Me. You should also install the latest version \n"
" of Ethereal as well. \n"
" \n"
" Q 5.25: Does Ethereal work on Windows XP? \n"
@@ -1487,6 +1564,18 @@ const char *faq_part[] = {
" support that and, even on operating systems that do support it, not \n"
" all drivers, and thus not all cards, support it. \n"
" \n"
+" NOTE: an interface running in monitor mode will, on most if not all \n"
+" platforms, not be able to act as a regular network interface; putting \n"
+" it into monitor mode will, in effect, take your machine off of \n"
+" whatever network it's on as long as the interface is in monitor mode, \n"
+" allowing it only to passively capture packets. \n"
+" \n"
+" This means that you should disable name resolution when capturing in \n"
+" monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump) \n"
+" tries to display IP addresses as host names, it will probably block \n"
+" for a long time trying to resolve the name because it will not be able \n"
+" to communicate with any DNS or NIS servers. \n"
+" \n"
" Cisco Aironet cards: \n"
" \n"
" The only platforms that allow Ethereal to capture raw 802.11 packets \n"
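Review bot: The new NOTE tells readers to disable name resolution when capturing in monitor mode but does not say how, and it overlaps with the existing answer to "Ethereal hangs after I stop a capture", which describes the same blocking lookup. Point to that question (5.35 after this renumbering) or name the setting here, so the instruction is actionable where it is given.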
@@ -1496,15 +1585,30 @@ const char *faq_part[] = {
" cause packets not to be captured correctly, and the driver in \n"
" releases prior to 4.5 didn't support capturing raw packets. \n"
" \n"
-" On FreeBSD, the ancontrol utility must be used; do not enable the full \n"
-" Aironet header via BPF, as Ethereal doesn't currently support that. \n"
+" On FreeBSD, the ancontrol utility must be used. The command \n"
+" \n"
+"ancontrol -i anN -M flag \n"
+" \n"
+" is used to enable or disable monitor mode. If flag is 0, monitor mode \n"
+" will be turned off; otherwise, flag should be the sum of: \n"
+" * 1, to turn monitor mode on; \n"
+" * 2, if you want to capture traffic from any BSS rather than just \n"
+" the BSS with which the card is associated; \n"
+" * 4, if you want to see beacon packets (capturing beacon packets \n"
+" increases the CPU requirements of capturing). \n"
+" \n"
+" Don't add 8 in; Ethereal currently doesn't support the full Aironet \n"
+" header. \n"
" \n"
" On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will \n"
" need to do \n"
" \n"
"echo \"Mode: rfmon\" >/proc/driver/aironet/ethN/Config \n"
" \n"
-" if your Aironet card is ethN. To capture traffic from any BSS, do \n"
+" if your Aironet card is ethN. To capture traffic from any BSS rather \n"
+,
+
+" than just the BSS with which the card is associated, do \n"
" \n"
"echo \"Mode: y\" >/proc/driver/aironet/ethN/Config \n"
" \n"
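Review bot: In the new FreeBSD text, the command "ancontrol -i anN -M flag" uses anN without saying what it stands for, whereas the Linux paragraph right after it spells out "if your Aironet card is ethN"; add the equivalent clause for anN. Separately, the added "," element break now falls in the middle of the sentence "To capture traffic from any BSS rather / than just the BSS with which the card is associated"; if the parts of faq_part[] are ever shown separately, move the break to a paragraph boundary.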
@@ -1512,10 +1616,10 @@ const char *faq_part[] = {
" \n"
"echo \"Mode: ess\" >/proc/driver/aironet/ethN/Config \n"
" \n"
-" On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers \n"
-" from the airo-linux SourceForge site, you will have to capture on the \n"
-" wifiN interface if your Aironet card is ethN, after running the \n"
-" commands listed above. \n"
+" On Linux with the driver in the 2.4.20 or later kernel, or with the \n"
+" CVS drivers from the airo-linux SourceForge site, you will have to \n"
+" capture on the wifiN interface if your Aironet card is ethN, after \n"
+" running the commands listed above. \n"
" \n"
" In all of those cases, Ethereal would have to be linked with libpcap \n"
" 0.7.1 or later; this means that most Ethereal binary packages won't \n"
@@ -1583,7 +1687,7 @@ const char *faq_part[] = {
" check the version of the Orinoco drivers that shipped with your kernel \n"
" by examining the first few lines of the orinoco.c file. \n"
" \n"
-" Te Orinoco patches require either Solomon Peachy's patch to libpcap \n"
+" The Orinoco patches require either Solomon Peachy's patch to libpcap \n"
" 0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that \n"
" version of libpcap), or the current CVS version of libpcap, which \n"
" includes his patch (download it from the \"Current Tar files\" section \n"
@@ -1598,6 +1702,18 @@ const char *faq_part[] = {
" On other platforms, capturing raw 802.11 packets on Orinoco cards is \n"
" not currently supported. \n"
" \n"
+" Cards with the Atheros Communications AR5000 or AR5001 chipsets: \n"
+" \n"
+" You can capture raw 802.11 packets with AR5K cards on Linux systems \n"
+" with the v5_ar5k drivers. You will need the Linux wireless-tools \n"
+" version 25 or higher to put the card into monitor mode. \n"
+" \n"
+" Cards with the Texas Instruments ACX100 chipset: \n"
+" \n"
+" You can capture raw 802.11 packets with ACX100 cards on Linux systems \n"
+" with the ACX100 OSS drivers available from the ACX100 wireless network \n"
+" driver project SourceForge site. \n"
+" \n"
" Other 802.11 interfaces: \n"
" \n"
" With other 802.11 interfaces, no platform allows Ethereal to capture \n"
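Review bot: The Atheros entry names the v5_ar5k drivers without saying where to get them, while the ACX100 entry directly below it points to its SourceForge project; add the source for consistency. Neither new entry says which libpcap version is needed, which the Aironet and Orinoco entries both state, and the Atheros text mentions wireless-tools version 25 or higher without giving the step that puts the card into monitor mode.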
@@ -1606,13 +1722,28 @@ const char *faq_part[] = {
" cards\", so your card might be a Prism II card), please let us know, \n"
" and include URLs for sites containing any necessary patches to add \n"
" this support. \n"
-,
-
" \n"
" On platforms that don't allow Ethereal to capture raw 802.11 packets, \n"
" the 802.11 network will appear like an Ethernet to Ethereal. \n"
" \n"
-" Q 5.31: How can I capture packets with CRC errors? \n"
+" Q 5.31: I'm trying to capture 802.11 traffic on Windows; why am I not \n"
+" seeing any packets? \n"
+" \n"
+" A: At least some 802.11 card drivers on Windows appear not to see any \n"
+" packets if they're running in promiscuous mode. Try turning \n"
+" promiscuous mode off; you'll only be able to see packets sent by and \n"
+" received by your machine, not third-party traffic, and it'll look like \n"
+" Ethernet traffic and won't include any management or control frames, \n"
+" but that's a limitation of the card drivers. \n"
+" \n"
+" Q 5.32: I'm trying to capture 802.11 traffic on Windows; why am I \n"
+" seeing packets received by the machine on which I'm capturing traffic, \n"
+" but not packets sent by that machine? \n"
+" \n"
+" A: This appears to be another problem with promiscuous mode; try \n"
+" turning it off. \n"
+" \n"
+" Q 5.33: How can I capture packets with CRC errors? \n"
" \n"
" A: Ethereal can capture only the packets that the packet capture \n"
" library - libpcap on UNIX-flavored OSes, and the WinPcap port to \n"
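Review bot: The answer to the new Q 5.32 only says "try turning it off" and does not point back to the trade-off spelled out in 5.31 (only traffic to and from your own machine, shown as Ethernet, no management or control frames), so a reader landing on 5.32 directly will miss it. Add a "see the previous question" reference, and consider pointing both answers at the promiscuous-mode question (5.6 after this change) for where that setting lives.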
@@ -1621,15 +1752,32 @@ const char *faq_part[] = {
" (or the WinPcap driver, and the underlying OS networking code and \n"
" network interface drivers, on Windows) will allow it to capture. \n"
" \n"
-" Unless the OS can be configured to supply packets with errors such as \n"
+" Unless the OS always supplies packets with errors such as invalid CRCs \n"
+" to the raw packet capture mechanism, or can be configured to do so, \n"
" invalid CRCs to the raw packet capture mechanism, Ethereal - and other \n"
" programs that capture raw packets, such as tcpdump - cannot capture \n"
-" those packets. You will have to determine whether your OS can be so \n"
-" configured, configure it if possible, and make whatever changes to \n"
-" libpcap and the packet capture program you're using are necessary to \n"
-" support capturing those packets. \n"
-" \n"
-" Q 5.32: How can I capture entire frames, including the FCS? \n"
+" those packets. You will have to determine whether your OS needs to be \n"
+" so configured and, if so, can be so configured, configure it if \n"
+" necessary and possible, and make whatever changes to libpcap and the \n"
+" packet capture program you're using are necessary, if any, to support \n"
+" capturing those packets. \n"
+" \n"
+" Most OSes probably do not support capturing packets with invalid CRCs \n"
+" on Ethernet, and probably do not support it on most other link-layer \n"
+" types. Some drivers on some OSes do support it, such as some Ethernet \n"
+" drivers on FreeBSD; in those OSes, you might always get those packets, \n"
+" or you might only get them if you capture in promiscuous mode (you'd \n"
+" have to determine which is the case). \n"
+" \n"
+" Note that libpcap does not currently supply to programs that use it an \n"
+" indication of whether the packet's CRC was invalid (because the \n"
+" drivers themselves do not supply that information to the raw packet \n"
+" capture mechanism); therefore, Ethereal will not indicate which \n"
+" packets had CRC errors unless the FCS was captured (see the next \n"
+" question) and you're using Ethereal 0.9.15 and later, in which case \n"
+" Ethereal will check the CRC and indicate whether it's correct or not. \n"
+" \n"
+" Q 5.34: How can I capture entire frames, including the FCS? \n"
" \n"
" A: Ethereal can't capture any data that the packet capture library - \n"
" libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of \n"
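Review bot: The rewritten opening of the CRC answer leaves the old continuation line in place, so the text now reads "...or can be configured to do so, invalid CRCs to the raw packet capture mechanism, Ethereal - and other programs..."; the phrase "invalid CRCs to the raw packet capture mechanism," is duplicated and should have been removed together with the old first line. In the last added paragraph, "you're using Ethereal 0.9.15 and later" should be "0.9.15 or later".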
@@ -1639,17 +1787,29 @@ const char *faq_part[] = {
" drivers, on Windows) will allow it to capture. \n"
" \n"
" For any particular link-layer network type, unless the OS supplies the \n"
-" FCS of a frame as part of the frame, or can be configured to supply \n"
-" the FCS of a frame as part of the frame, Ethereal - and other programs \n"
-" that capture raw packets, such as tcpdump - cannot capture the FCS of \n"
-" a frame. You will have to determine whether your OS can be so \n"
-" configured, configure it if possible, and make whatever changes to \n"
-" libpcap and the packet capture program you're using are necessary to \n"
-" support capturing the FCS of a frame. Most if not all OSes probably do \n"
-" not support capturing the FCS of a frame on Ethernet, and probably do \n"
-" not support it on most other link-layer types. \n"
-" \n"
-" Q 5.33: Ethereal hangs after I stop a capture. \n"
+" FCS of a frame as part of the frame, or can be configured to do so, \n"
+" Ethereal - and other programs that capture raw packets, such as \n"
+" tcpdump - cannot capture the FCS of a frame. You will have to \n"
+" determine whether your OS needs to be so configured and, if so, can be \n"
+" so configured, configure it if necessary and possible, and make \n"
+" whatever changes to libpcap and the packet capture program you're \n"
+" using are necessary, if any, to support capturing the FCS of a frame. \n"
+" \n"
+" Most OSes do not support capturing the FCS of a frame on Ethernet, and \n"
+" probably do not support it on most other link-layer types. Some \n"
+" drivres on some OSes do support it, such as some (all?) Ethernet \n"
+" drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet \n"
+" interface in Mac OS X; in those OSes, you might always get the FCS, or \n"
+" you might only get the FCS if you capture in promiscuous mode (you'd \n"
+" have to determine which is the case). \n"
+" \n"
+" Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in \n"
+" a captured packet as an FCS. 0.9.15 and later will attempt to \n"
+" determine whether there's an FCS at the end of the frame and, if it \n"
+" thinks there is, will display it as such, and will check whether it's \n"
+" the correct CRC-32 value or not. \n"
+" \n"
+" Q 5.35: Ethereal hangs after I stop a capture. \n"
" \n"
" A: The most likely reason for this is that Ethereal is trying to look \n"
" up an IP address in the capture to convert it to a name (so that, for \n"
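Review bot: Typo in the added paragraph: "drivres" should be "drivers" ("Some drivres on some OSes do support it"). The wording is also inconsistent with the parallel CRC answer: here it is "Most OSes do not support", there "Most OSes probably do not support", and "some (all?) Ethernet drivers on NetBSD" leaves an open question in user-facing text; pick one level of certainty for both answers.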
@@ -1719,7 +1879,7 @@ const char *faq_part[] = {
" contains sensitive information (e.g., passwords), then please do not \n"
" send it. \n"
" \n"
-" Q 5.34: How can I search for, or filter, packets that have a \n"
+" Q 5.36: How can I search for, or filter, packets that have a \n"
" particular string anywhere in them? \n"
" \n"
" A: If you want to do this when capturing, you can't. That's a feature \n"
@@ -1735,12 +1895,18 @@ const char *faq_part[] = {
" particular string; this has been added to the \"Find Frame\" dialog \n"
" (\"Find Frame\" under the \"Edit\" menu, or control-F). \n"
" \n"
+" In 0.9.15 and later, you can search for those packets using either the \n"
+" mechanism introduced in 0.9.14 or using the new \"contains\" operator in \n"
+" filter expressions, which lets you search the entire packet or text \n"
+" string or byte string fields in the packet; the \"contains\" operator \n"
+" can also be used in expressions used to filter the display. \n"
+" \n"
" \n"
" Support can be found on the ethereal-users[AT]ethereal.com mailing \n"
" list. \n"
" For corrections/additions/suggestions for this page, please send email \n"
" to: ethereal-web[AT]ethereal.com \n"
-" Last modified: Tue, August 19 2003. \n"
+" Last modified: Fri, December 12 2003. \n"
};
#define FAQ_PARTS 5
-#define FAQ_SIZE 80384
+#define FAQ_SIZE 86361
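Review bot: The new paragraph introduces the "contains" operator but gives no example expression, so a reader cannot tell the operand order or how a text string versus a byte string is written; add one short example. The added paragraph is also followed by two consecutive blank lines before "Support can be found". Since FAQ_SIZE is a literal (80384 to 86361), confirm it was regenerated together with the text rather than edited by hand.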
diff --git a/help/faq.txt b/help/faq.txt
index 5a63b00468..4b0750e7f7 100644
--- a/help/faq.txt
+++ b/help/faq.txt
@@ -68,53 +68,53 @@
5.3 I'm only seeing ARP packets when I try to capture traffic.
- 5.4 How do I put an interface into promiscuous mode?
+ 5.4 I'm running Ethereal on Windows; why does some network interface
+ on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
- 5.5 I can set a display filter just fine, but capture filters don't
+ 5.5 I'm running on a UNIX-flavored OS; why does some network interface
+ on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ 5.6 How do I put an interface into promiscuous mode?
+
+ 5.7 I can set a display filter just fine, but capture filters don't
work.
- 5.6 I'm entering valid capture filters, but I still get "parse error"
+ 5.8 I'm entering valid capture filters, but I still get "parse error"
errors.
- 5.7 I saved a filter and tried to use its name to filter the display,
+ 5.9 I saved a filter and tried to use its name to filter the display,
but I got an "Unexpected end of filter string" error.
- 5.8 Why am I seeing lots of packets with incorrect TCP checksums?
+ 5.10 Why am I seeing lots of packets with incorrect TCP checksums?
- 5.9 I've just installed Ethereal, and the traffic on my local LAN is
+ 5.11 I've just installed Ethereal, and the traffic on my local LAN is
boring.
- 5.10 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
+ 5.12 When I run Ethereal on Solaris 8, it dies with a Bus Error when I
start it.
- 5.11 When I run Ethereal on Windows NT, it dies with a Dr. Watson
+ 5.13 When I run Ethereal on Windows NT, it dies with a Dr. Watson
error, reporting an "Integer division by zero" exception, when I start
it.
- 5.12 When I try to run Ethereal, it complains about
+ 5.14 When I try to run Ethereal, it complains about
sprint_realloc_objid being undefined.
- 5.13 I'm running Ethereal on Linux; why do my time stamps have only
+ 5.15 I'm running Ethereal on Linux; why do my time stamps have only
100ms resolution, rather than 1us resolution?
- 5.14 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
+ 5.16 I'm capturing packets on {Windows 95, Windows 98, Windows Me};
why are the time stamps on packets wrong?
- 5.15 When I try to run Ethereal on Windows, it fails to run because it
+ 5.17 When I try to run Ethereal on Windows, it fails to run because it
can't find packet.dll.
- 5.16 I'm running Ethereal on Windows; why does some network interface
- on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Ethereal give me an error if I try to capture on that
- interface?
-
- 5.17 I'm running on a UNIX-flavored OS; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Ethereal give me an error if I try to capture on that
- interface?
-
5.18 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has
a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
"Interface" item in the "Capture Options" dialog box. Why can no
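Review bot: Moving the two interface-list questions up to 5.4 and 5.5 renumbers the old 5.4 through 5.15 to 5.6 through 5.17, and the new 802.11 questions later shift the old 5.31 through 5.34 as well, so existing references to FAQ numbers in mail archives or other documents will now point at different questions. If the new position is wanted for readability, mention the renumbering in the commit message; otherwise appending new questions would keep the existing numbers stable.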
@@ -137,7 +137,7 @@
5.23 My machine crashes or resets itself when I select "Start" from
the "Capture" menu or select "Preferences" from the "Edit" menu.
- 5.24 Does Ethereal work on Windows ME?
+ 5.24 Does Ethereal work on Windows Me?
5.25 Does Ethereal work on Windows XP?
@@ -164,13 +164,20 @@
5.30 How can I capture raw 802.11 packets, including non-data
(management, beacon) packets?
- 5.31 How can I capture packets with CRC errors?
+ 5.31 I'm trying to capture 802.11 traffic on Windows; why am I not
+ seeing any packets?
- 5.32 How can I capture entire frames, including the FCS?
+ 5.32 I'm trying to capture 802.11 traffic on Windows; why am I seeing
+ packets received by the machine on which I'm capturing traffic, but
+ not packets sent by that machine?
- 5.33 Ethereal hangs after I stop a capture.
+ 5.33 How can I capture packets with CRC errors?
- 5.34 How can I search for, or filter, packets that have a particular
+ 5.34 How can I capture entire frames, including the FCS?
+
+ 5.35 Ethereal hangs after I stop a capture.
+
+ 5.36 How can I search for, or filter, packets that have a particular
string anywhere in them?
GENERAL QUESTIONS
@@ -182,12 +189,19 @@
Q 1.2: What protocols are currently supported?
- A: There are currently 393 supported protocols and media, listed
+ A: There are currently 442 supported protocols and media, listed
below. Descriptions can be found in the ethereal(1) man page.
802.1q Virtual LAN
802.1x Authentication
+ AAL type 2 signalling protocol - Capability set 1 (Q.2630.1)
AFS (4.0) Replication Server call declarations
+ ANSI A-I/F BSMAP
+ ANSI A-I/F DTAP
+ ANSI IS-637-A (SMS) Teleservice Layer
+ ANSI IS-637-A (SMS) Transport Layer
+ ANSI IS-683-A (OTA (Mobile))
+ ANSI Mobile Application Part
AOL Instant Messenger
ARCNET
ATM
@@ -200,6 +214,7 @@
Address Resolution Protocol
Aggregate Server Access Protocol
Alert Standard Forum
+ Alteon - Transparent Proxy Cache Protocol
Andrew File System (AFS)
Apache JServ Protocol v1.3
AppleTalk Filing Protocol
@@ -210,6 +225,8 @@
Async data over ISDN (V.120)
Authentication Header
BACnet Virtual Link Control
+ BSS GPRS Protocol
+ BSSAP/BSAP
Banyan Vines ARP
Banyan Vines Echo
Banyan Vines Fragmentation Protocol
@@ -219,6 +236,8 @@
Banyan Vines LLC
Banyan Vines RTP
Banyan Vines SPP
+ Bearer Independent Call Control
+ Bi-directional Fault Detection Control Message
Blocks Extensible Exchange Protocol
Boardwalk
Boot Parameters
@@ -226,6 +245,7 @@
Border Gateway Protocol
Building Automation and Control Network APDU
Building Automation and Control Network NPDU
+ CCSDS
CDS Clerk Server Calls
Check Point High Availability Protocol
Checkpoint FW-1
@@ -242,6 +262,8 @@
CoSine IPNOS L2 debug output
Common Open Policy Service
Common Unix Printing System (CUPS) Browsing Protocol
+ Connectionless Lightweight Directory Access Protocol
+ Cross Point Frame Injector
DCE DFS Calls
DCE Distributed Time Service Local Server
DCE Distributed Time Service Provider
@@ -249,15 +271,21 @@
DCE RPC
DCE Security ID Mapper
DCE/RPC BOS Server
+ DCE/RPC BUDB
+ DCE/RPC BUTC
DCE/RPC CDS Solicitation
DCE/RPC Conversation Manager
DCE/RPC Endpoint Mapper
+ DCE/RPC Endpoint Mapper4
DCE/RPC FLDB
DCE/RPC FLDB UBIK TRANSFER
DCE/RPC FLDB UBIKVOTE
+ DCE/RPC ICL RPC
DCE/RPC Kerberos V
DCE/RPC RS_ACCT
+ DCE/RPC RS_BIND
DCE/RPC RS_MISC
+ DCE/RPC RS_PROP_ACCT
DCE/RPC RS_UNIX
DCE/RPC Remote Management
DCE/RPC Repserver Calls
@@ -297,20 +325,28 @@
Fibre Channel Name Server
Fibre Channel Protocol for SCSI
Fibre Channel SW_ILS
+ Fibre Channel Security Protocol
+ Fibre Channel Single Byte Command
File Transfer Protocol (FTP)
Financial Information eXchange Protocol
Frame
Frame Relay
GARP Multicast Registration Protocol
GARP VLAN Registration Protocol
+ GPRS Network service
GPRS Tunneling Protocol
- GPRS Tunnelling Protocol v0
- GPRS Tunnelling Protocol v1
+ GSM A-I/F BSSMAP
+ GSM A-I/F DTAP
+ GSM A-I/F RP
+ GSM Mobile Application Part
+ GSM SMS TPDU (GSM 03.40)
General Inter-ORB Protocol
Generic Routing Encapsulation
Generic Security Service Application Program Interface
Gnutella Protocol
+ H225
H245
+ H4501
HP Extended Local-Link Control
HP Remote Maintenance Protocol
Hummingbird NFS Daemon
@@ -330,10 +366,12 @@
ISDN User Part
ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol
ISO 8073 COTP Connection-Oriented Transport Protocol
+ ISO 8327-1 OSI Session Protocol
ISO 8473 CLNP ConnectionLess Network Protocol
ISO 8602 CLTP ConnectionLess Transport Protocol
ISO 9542 ESIS Routeing Information Exchange Protocol
ITU-T Recommendation H.261
+ ITU-T Recommendation H.263 RTP Payload header (RFC2190)
InMon sFlow
Intel ANS probe
Intelligent Platform Management Interface
@@ -344,6 +382,7 @@
Internet Control Message Protocol
Internet Control Message Protocol v6
Internet Group Management Protocol
+ Internet Group membership Authentication Protocol
Internet Message Access Protocol
Internet Printing Protocol
Internet Protocol
@@ -357,7 +396,11 @@
Kerberos
Kerberos Administration
Kernel Lock Manager
+ LWAP Control Message
+ LWAPP Encapsulated Packet
+ LWAPP Layer 3 Packet
Label Distribution Protocol
+ Laplink
Layer 2 Tunneling Protocol
Lightweight Directory Access Protocol
Line Printer Daemon Protocol
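Review bot: "LWAP Control Message" is spelled differently from the two entries added right after it, "LWAPP Encapsulated Packet" and "LWAPP Layer 3 Packet". If all three belong to the same protocol, the first should read "LWAPP Control Message"; if the list is generated, the fix belongs in the dissector's registered name.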
@@ -373,6 +416,7 @@
Lucent/Ascend debug output
MDS Header
MMS Message Encapsulation
+ MS Kpasswd
MS Proxy Protocol
MSN Messenger Service
MSNIP: Multicast Source Notification of Interest Protocol
@@ -383,6 +427,7 @@
Message Transfer Part Level 2
Message Transfer Part Level 3
Message Transfer Part Level 3 Management
+ Microsoft Directory Replication Service
Microsoft Distributed File System
Microsoft Exchange MAPI
Microsoft Local Security Architecture
@@ -430,6 +475,7 @@
Network Status Monitor CallBack Protocol
Network Status Monitor Protocol
Network Time Protocol
+ Nortel SONMP
Novell Distributed Print System
Null/Loopback
Open Shortest Path First
@@ -455,7 +501,7 @@
PPP-over-Ethernet Discovery
PPP-over-Ethernet Session
PPPMux Control Protocol
- Packet Encoding Rules (ASN.1 X.691)
+ Packed Encoding Rules (ASN.1 X.691)
Point-to-Point Protocol
Point-to-Point Tunnelling Protocol
Portmap
@@ -466,14 +512,17 @@
Protocol Independent Multicast
Q.2931
Q.931
+ Q.933
Quake II Network Protocol
Quake III Arena Network Protocol
Quake Network Protocol
QuakeWorld Network Protocol
Qualified Logical Link Control
RFC 2250 MPEG1
+ RFC 2833 RTP Event
RIPng
RPC Browser
+ RS Interface properties
RSTAT
RSYNC File Synchroniser
RX Protocol
@@ -491,6 +540,7 @@
Remote Program Load
Remote Quota
Remote Shell
+ Remote Shutdown
Remote Wall protocol
Remote sec_login preauth interface.
Resource ReserVation Protocol (RSVP)
@@ -499,6 +549,7 @@
Routing Table Maintenance Protocol
SADMIND
SCSI
+ SEBEK - Kernel Data Capture
SGI Mount Service
SMB (Server Message Block Protocol)
SMB MailSlot Protocol
@@ -517,11 +568,13 @@
Session Announcement Protocol
Session Description Protocol
Session Initiation Protocol
+ Session Initiation Protocol (SIP as raw text)
Short Message Peer to Peer
Signalling Connection Control Part
Signalling Connection Control Part Management
Simple Mail Transfer Protocol
Simple Network Management Protocol
+ Simple Traversal of UDP Through NAT
Sinec H1 Protocol
Skinny Client Control Protocol
SliMP3 Communication Protocol
@@ -533,8 +586,10 @@
Syslog message
Systems Network Architecture
Systems Network Architecture XID
+ T38
TACACS
TACACS+
+ TEREDO Tunneling IPv6 over UDP through NATs
TPKT
Tabular Data Stream
Tazmen Sniffer Protocol
@@ -543,6 +598,7 @@
Time Synchronization Protocol
Token-Ring
Token-Ring Media Access Control
+ Transaction Capabilities Application Part
Transmission Control Protocol
Transparent Network Substrate Protocol
Trivial File Transfer Protocol
@@ -694,11 +750,17 @@
Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be
installed; only Tethereal is installed.
- A: Red Hat RPMs for Ethereal put only the non-GUI components into the
- ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding;
- there's a separate ethereal-gnome RPM that includes GUI components
- such as Ethereal itself, the fact that Ethereal doesn't use GNOME
- nonwithstanding. Find the ethereal-gnome RPM, and install that also.
+ A: Older versions of the Red Hat RPMs for Ethereal put only the
+ non-GUI components into the ethereal RPM, the fact that Ethereal is a
+ GUI program nonwithstanding; newer versions make it a bit clearer by
+ giving that RPM a name starting with ethereal-base.
+
+ In those older versions, there's a separate ethereal-gnome RPM that
+ includes GUI components such as Ethereal itself, the fact that
+ Ethereal doesn't use GNOME nonwithstanding; newer versions make it a
+ bit clearer by giving that RPM a name starting with ethereal-gtk+.
+
+ Find the ethereal-gnome or ethereal-gtk+ RPM, and install that also.
BUILDING ETHEREAL
Q 4.1: The configure script can't find pcap.h or bpf.h, but I have
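Review bot: "nonwithstanding" appears in both rewritten paragraphs of the Q 3.1 answer and should be "notwithstanding"; since these lines are being rewritten anyway, fix the spelling here. The closing sentence could also say "the RPM whose name starts with ethereal-gtk+", to match the wording used two paragraphs earlier for the newer packages.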
@@ -802,7 +864,24 @@
ports on the console for HP Advancestack Switch 208 and 224;
* the "Network Monitoring Port Features" section of chapter 6 of
documentation from HP for HP ProCurve Switches 1600M, 2424M,
- 4000M, and 8000M.
+ 4000M, and 8000M;
+ * the "Switch Port-Mirroring" section of chapter 6 of documentation
+ from Extreme Networks for their Summit 200 switches;
+ * the documentation on "Configuring Port Mirroring and Monitoring"
+ in Foundry Networks' documentation for their FastIron Edge
+ Switches;
+ * the documentation on "Configuring Port Mirroring and Monitoring"
+ in Foundry Networks' documentation for their BigIron MG8 Layer 3
+ Switches;
+ * the "Port Monitor" subsection of the "Status Monitor and
+ Statistics" section of the documentation from Foundry Networks for
+ their EdgeIron 4802F and 10GC2F switches;
+ * the "Configuring Port Mirroring" section of chapter 3 of the
+ documentation from Foundry Networks for their EdgeIron 24G,
+ 2402CF, and 4802CF switches;
+ * the documentation on "Configuring Port Mirroring and Monitoring"
+ in Foundry Networks' documentation for their other switches and
+ metro routers.
Note also that many firewall/NAT boxes have a switch built into them;
this includes many of the "cable/DSL router" boxes. If you have a box
@@ -899,7 +978,199 @@
I.e., this is probably the same question as this earlier one; see the
response to that question.
- Q 5.4: How do I put an interface into promiscuous mode?
+ Q 5.4: I'm running Ethereal on Windows; why does some network
+ interface on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
+ Windows XP, or Windows Server, and this is the first time you have run
+ a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,
+ or Analyzer, or...) since the machine was rebooted, you need to run
+ that program from an account with administrator privileges; once you
+ have run such a program, you will not need administrator privileges to
+ run any such programs until you reboot.
+
+ If you are running on Windows 95/98/Me, or if you are running on
+ Windows NT 4.0/2000/XP/Server and have administrator privileges or a
+ WinPcap-based program has been run with those privileges since the
+ machine rebooted, then note that Ethereal relies on the WinPcap
+ library, on the WinPcap device driver, and on the facilities that come
+ with the OS on which it's running in order to do captures.
+
+ Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
+ support capturing on a particular network interface device, Ethereal
+ won't be able to capture on that device.
+
+ Note that:
+ 1. 2.02 and earlier versions of the WinPcap driver and library that
+ Ethereal uses for packet capture didn't support Token Ring
+ interfaces; versions 2.1 and later support Token Ring, and the
+ current version of Ethereal works with (and, in fact, requires)
+ WinPcap 2.1 or later.
+ If you are having problems capturing on Token Ring interfaces, and
+ you have WinPcap 2.02 or an earlier version of WinPcap installed,
+ you should uninstall WinPcap, download and install the current
+ version of WinPcap, and then install the latest version of
+ Ethereal.
+ 2. On Windows 95, 98, or Me, sometimes more than one interface will
+ be given the same name; if that is the case, you will only be able
+ to capture on one of those interfaces - it's not clear to which
+ one the name, when used in a WinPcap-based application, will
+ refer. For example, if you have a PPP serial interface and a VPN
+ interface, they might show up with the same name, for example
+ "ppp-mac", and if you try to capture on "ppp-mac", it might not
+ capture on the interface you're currently using. In that case, you
+ might, for example, have to remove the VPN interface from the
+ system in order to capture on the PPP serial interface.
+ 3. WinPcap doesn't support PPP WAN interfaces on Windows
+ NT/2000/XP/Server, so Ethereal cannot capture packets on those
+ devices when running on Windows NT/2000/XP/Server. Regular dial-up
+ lines, ISDN lines, and various other lines such as T1/E1 lines are
+ all PPP interfaces. This may cause the interface not to show up on
+ the list of interfaces in the "Capture Options" dialog.
+ 4. WinPcap prior to 3.0 does not support multiprocessor machines
+ (note that machines with a single multi-threaded processor, such
+ as Intel's new multi-threaded x86 processors, are multiprocessor
+ machines as far as the OS and WinPcap are concerned), and recent
+ 2.x versions of WinPcap refuse to operate if they detect that
+ they're running on a multiprocessor machine, which means that they
+ may not show any network interfaces. You will need to use WinPcap
+ 3.0 to capture on a multiprocessor machine.
+
+ If an interface doesn't show up in the list of interfaces in the
+ "Interface:" field, and you know the name of the interface, try
+ entering that name in the "Interface:" field and capturing on that
+ device.
+
+ If the attempt to capture on it succeeds, the interface is somehow not
+ being reported by the mechanism Ethereal uses to get a list of
+ interfaces; please report this to ethereal-dev@ethereal.com giving
+ full details of the problem, including
+ * the operating system you're using, and the version of that
+ operating system;
+ * the type of network device you're using.
+
+ If you are having trouble capturing on a particular network interface,
+ first try capturing on that device with WinDump; see the WinDump Web
+ site or the local mirror of the WinDump Web site for information on
+ using WinDump.
+
+ If you can capture on the interface with WinDump, send mail to
+ ethereal-users@ethereal.com giving full details of the problem,
+ including
+ * the operating system you're using, and the version of that
+ operating system;
+ * the type of network device you're using;
+ * the error message you get from Ethereal.
+
+ If you cannot capture on the interface with WinDump, this is almost
+ certainly a problem with one or more of:
+ * the operating system you're using;
+ * the device driver for the interface you're using;
+ * the WinPcap library and/or the WinPcap device driver;
+
+ so first check the WinPcap FAQ, the local mirror of that FAQ, or the
+ Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
+ there. If not, then see the WinPcap support page (or the local mirror
+ of that page) - check the "Submitting bugs" section.
+
+ You may also want to ask the ethereal-users@ethereal.com and the
+ winpcap-users@winpcap.polito.it mailing lists to see if anybody
+ happens to know about the problem and know a workaround or fix for the
+ problem. (Note that you will have to subscribe to that list in order
+ to be allowed to mail to it; see the WinPcap support page, or the
+ local mirror of that page, for information on the mailing list.) In
+ your mail, please give full details of the problem, as described
+ above, and also indicate that the problem occurs with WinDump, not
+ just with Ethereal.
+
+ Q 5.5: I'm running on a UNIX-flavored OS; why does some network
+ interface on my machine not show up in the list of interfaces in the
+ "Interface:" field in the dialog box popped up by "Capture->Start",
+ and/or why does Ethereal give me an error if I try to capture on that
+ interface?
+
+ A: You may need to run Ethereal from an account with sufficient
+ privileges to capture packets, such as the super-user account. Only
+ those interfaces that Ethereal can open for capturing show up in that
+ list; if you don't have sufficient privileges to capture on any
+ interfaces, no interfaces will show up in the list.
+
+ If you are running Ethereal from an account with sufficient
+ privileges, then note that Ethereal relies on the libpcap library, and
+ on the facilities that come with the OS on which it's running in order
+ to do captures.
+
+ Therefore, if the OS or the libpcap library don't support capturing on
+ a particular network interface device, Ethereal won't be able to
+ capture on that device.
+
+ On Linux, note that you need to have "packet socket" support enabled
+ in your kernel; see the "Packet socket" item in the Linux
+ "Configure.help" file.
+
+ On BSD, note that you need to have BPF support enabled in your kernel;
+ see the documentation for your system for information on how to enable
+ BPF support (if it's not enabled by default on your system).
+
+ On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
+ packet filtering support in your kernel; the doconfig command will
+ allow you to configure and build a new kernel with that option.
+
+ On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
+ Ring interfaces; the current version, 0.7.2, does support Token Ring,
+ and the current version of Ethereal works with libcap 0.7.2 and later.
+
+ If an interface doesn't show up in the list of interfaces in the
+ "Interface:" field, and you know the name of the interface, try
+ entering that name in the "Interface:" field and capturing on that
+ device.
+
+ If the attempt to capture on it succeeds, the interface is somehow not
+ being reported by the mechanism Ethereal uses to get a list of
+ interfaces; please report this to ethereal-dev@ethereal.com giving
+ full details of the problem, including
+ * the operating system you're using, and the version of that
+ operating system (for Linux, give both the version number of the
+ kernel and the name and version number of the distribution you're
+ using);
+ * the type of network device you're using.
+
+ If you are having trouble capturing on a particular network interface,
+ and you've made sure that (on platforms that require it) you've
+ arranged that packet capture support is present, as per the above,
+ first try capturing on that device with tcpdump.
+
+ If you can capture on the interface with tcpdump, send mail to
+ ethereal-users@ethereal.com giving full details of the problem,
+ including
+ * the operating system you're using, and the version of that
+ operating system (for Linux, give both the version number of the
+ kernel and the name and version number of the distribution you're
+ using);
+ * the type of network device you're using;
+ * the error message you get from Ethereal.
+
+ If you cannot capture on the interface with tcpdump, this is almost
+ certainly a problem with one or more of:
+ * the operating system you're using;
+ * the device driver for the interface you're using;
+ * the libpcap library;
+
+ so you should report the problem to the company or organization that
+ produces the OS (in the case of a Linux distribution, report the
+ problem to whoever produces the distribution).
+
+ You may also want to ask the ethereal-users@ethereal.com and the
+ tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
+ know about the problem and know a workaround or fix for the problem.
+ In your mail, please give full details of the problem, as described
+ above, and also indicate that the problem occurs with tcpdump not just
+ with Ethereal.
+
+ Q 5.6: How do I put an interface into promiscuous mode?
A: By not disabling promiscuous mode when running Ethereal or
Tethereal.
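Review bot: In the Solaris paragraph of the new Q 5.5, "works with libcap 0.7.2 and later" should read "libpcap"; the typo is carried over unchanged from the old Q 5.17 text, and this move is the moment to fix it. Separately, Q 5.4 says that after one administrator run of a WinPcap-based program no administrator privileges are needed until reboot. It would help to state the consequence plainly, that any account on the machine can then capture traffic until the next reboot, because readers on shared machines may not expect that.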
@@ -921,7 +1192,7 @@
I.e., this is probably the same question as this earlier one; see the
response to that question.
- Q 5.5: I can set a display filter just fine, but capture filters don't
+ Q 5.7: I can set a display filter just fine, but capture filters don't
work.
A: Capture filters currently use a different syntax than display
@@ -941,7 +1212,7 @@
The capture filter syntax used by libpcap can be found in the
tcpdump(8) man page.
- Q 5.6: I'm entering valid capture filters, but I still get "parse
+ Q 5.8: I'm entering valid capture filters, but I still get "parse
error" errors.
A: There is a bug in some versions of libpcap/WinPcap that cause it to
@@ -973,7 +1244,7 @@
WinPcap, you will need to un-install WinPcap and then download and
install WinPcap 2.3.
- Q 5.7: I saved a filter and tried to use its name to filter the
+ Q 5.9: I saved a filter and tried to use its name to filter the
display, but I got an "Unexpected end of filter string" error.
A: You cannot use the name of a saved display filter as a filter. To
@@ -984,7 +1255,7 @@
use a saved filter, you can press the "Filter:" button, select the
filter in the dialog box that pops up, and press the "OK" button.
- Q 5.8: Why am I seeing lots of packets with incorrect TCP checksums?
+ Q 5.10: Why am I seeing lots of packets with incorrect TCP checksums?
A: If the packets that have incorrect TCP checksums are all being sent
by the machine on which Ethereal is running, this is probably because
@@ -1016,13 +1287,13 @@
tcp.check_checksum:false command-line flag, or manually set in your
preferences file by adding a tcp.check_checksum:false line.
- Q 5.9: I've just installed Ethereal, and the traffic on my local LAN
+ Q 5.11: I've just installed Ethereal, and the traffic on my local LAN
is boring.
A: We have a collection of strange and exotic sample capture files at
http://www.ethereal.com/sample/
- Q 5.10: When I run Ethereal on Solaris 8, it dies with a Bus Error
+ Q 5.12: When I run Ethereal on Solaris 8, it dies with a Bus Error
when I start it.
A: Some versions of the GTK+ library from www.sunfreeware.org appear
@@ -1040,7 +1311,7 @@
Similar problems may exist with older versions of GTK+ for earlier
versions of Solaris.
- Q 5.11: When I run Ethereal on Windows NT, it dies with a Dr. Watson
+ Q 5.13: When I run Ethereal on Windows NT, it dies with a Dr. Watson
error, reporting an "Integer division by zero" exception, when I start
it.
@@ -1048,7 +1319,7 @@
VGA driver; if that's not the correct driver for your video card, try
running the correct driver for your video card.
- Q 5.12: When I try to run Ethereal, it complains about
+ Q 5.14: When I try to run Ethereal, it complains about
sprint_realloc_objid being undefined.
A: Ethereal can only be linked with version 4.2.2 or later of UCD
@@ -1058,7 +1329,7 @@
the older version, and fails. You will have to replace that version of
UCD SNMP with version 4.2.2 or a later version.
- Q 5.13: I'm running Ethereal on Linux; why do my time stamps have only
+ Q 5.15: I'm running Ethereal on Linux; why do my time stamps have only
100ms resolution, rather than 1us resolution?
A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap
@@ -1084,13 +1355,13 @@
have to run a standard kernel from kernel.org in order to get
high-resolution time stamps.
- Q 5.14: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
+ Q 5.16: I'm capturing packets on {Windows 95, Windows 98, Windows Me};
why are the time stamps on packets wrong?
A: This is due to a bug in WinPcap. The bug should be fixed in WinPcap
3.0.
- Q 5.15: When I try to run Ethereal on Windows, it fails to run because
+ Q 5.17: When I try to run Ethereal on Windows, it fails to run because
it can't find packet.dll.
A: In older versions of Ethereal, there were two binary distributions
@@ -1107,200 +1378,6 @@
Web site, the local mirror of the WinPcap Web site, or the
Wiretapped.net mirror of the WinPcap site.
- Q 5.16: I'm running Ethereal on Windows; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Ethereal give me an error if I try to capture on that
- interface?
-
- A: If you are running Ethereal on Windows NT 4.0, Windows 2000,
- Windows XP, or Windows Server, and this is the first time you have run
- a WinPcap-based program (such as Ethereal, or Tethereal, or WinDump,
- or Analyzer, or...) since the machine was rebooted, you need to run
- that program from an account with administrator privileges; once you
- have run such a program, you will not need administrator privileges to
- run any such programs until you reboot.
-
- If you are running on Windows 95/98/Me, or if you are running on
- Windows NT 4.0/2000/XP/Server and have administrator privileges or a
- WinPcap-based program has been run with those privileges since the
- machine rebooted, then note that Ethereal relies on the WinPcap
- library, on the WinPcap device driver, and on the facilities that come
- with the OS on which it's running in order to do captures.
-
- Therefore, if the OS, the WinPcap library, or the WinPcap driver don't
- support capturing on a particular network interface device, Ethereal
- won't be able to capture on that device.
-
- Note that:
- * 2.02 and earlier versions of the WinPcap driver and library that
- Ethereal uses for packet capture didn't support Token Ring
- interfaces; the current version, 2.3, does support Token Ring, and
- the current version of Ethereal works with (and, in fact,
- requires) WinPcap 2.1 or later.
- If you are having problems capturing on Token Ring interfaces, and
- you have WinPcap 2.02 or an earlier version of WinPcap installed,
- you should uninstall WinPcap, download and install the current
- version of WinPcap, and then install the latest version of
- Ethereal.
- * On Windows 95, 98, or Me, sometimes more than one interface will
- be given the same name; if that is the case, you will only be able
- to capture on one of those interfaces - it's not clear to which
- one the name, when used in a WinPcap-based application, will
- refer. For example, if you have a PPP serial interface and a VPN
- interface, they might show up with the same name, for example
- "ppp-mac", and if you try to capture on "ppp-mac", it might not
- capture on the interface you're currently using. In that case, you
- might, for example, have to remove the VPN interface from the
- system in order to capture on the PPP serial interface.
- * WinPcap doesn't support PPP WAN interfaces on Windows
- NT/2000/XP/Server, so Ethereal cannot capture packets on those
- devices when running on Windows NT/2000/XP/Server. Regular dial-up
- lines, ISDN lines, and various other lines such as T1/E1 lines are
- all PPP interfaces. This may cause the interface not to show up on
- the list of interfaces in the "Capture Options" dialog.
- * WinPcap prior to 3.0 does not support multiprocessor machines
- (note that machines with a single multi-threaded processor, such
- as Intel's new multi-threaded x86 processors, are multiprocessor
- machines as far as the OS and WinPcap are concerned), and recent
- 2.x versions of WinPcap refuse to operate if they detect that
- they're running on a multiprocessor machine, which means that they
- may not show any network interfaces. You will need to use WinPcap
- 3.0 to capture on a multiprocessor machine.
-
- If an interface doesn't show up in the list of interfaces in the
- "Interface:" field, and you know the name of the interface, try
- entering that name in the "Interface:" field and capturing on that
- device.
-
- If the attempt to capture on it succeeds, the interface is somehow not
- being reported by the mechanism Ethereal uses to get a list of
- interfaces; please report this to ethereal-dev@ethereal.com giving
- full details of the problem, including
- * the operating system you're using, and the version of that
- operating system;
- * the type of network device you're using.
-
- If you are having trouble capturing on a particular network interface,
- and you've made sure that (on platforms that require it) you've
- arranged that packet capture support is present, as per the above,
- first try capturing on that device with WinDump; see the WinDump Web
- site or the local mirror of the WinDump Web site for information on
- using WinDump.
-
- If you can capture on the interface with WinDump, send mail to
- ethereal-users@ethereal.com giving full details of the problem,
- including
- * the operating system you're using, and the version of that
- operating system;
- * the type of network device you're using;
- * the error message you get from Ethereal.
-
- If you cannot capture on the interface with WinDump, this is almost
- certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the WinPcap library and/or the WinPcap device driver;
-
- so first check the WinPcap FAQ, the local mirror of that FAQ, or the
- Wiretapped.net mirror of that FAQ, to see if your problem is mentioned
- there. If not, then see the WinPcap support page (or the local mirror
- of that page) - check the "Submitting bugs" section.
-
- You may also want to ask the ethereal-users@ethereal.com and the
- winpcap-users@winpcap.polito.it mailing lists to see if anybody
- happens to know about the problem and know a workaround or fix for the
- problem. (Note that you will have to subscribe to that list in order
- to be allowed to mail to it; see the WinPcap support page, or the
- local mirror of that page, for information on the mailing list.) In
- your mail, please give full details of the problem, as described
- above, and also indicate that the problem occurs with WinDump, not
- just with Ethereal.
-
- Q 5.17: I'm running on a UNIX-flavored OS; why does some network
- interface on my machine not show up in the list of interfaces in the
- "Interface:" field in the dialog box popped up by "Capture->Start",
- and/or why does Ethereal give me an error if I try to capture on that
- interface?
-
- A: You may need to run Ethereal from an account with sufficient
- privileges to capture packets, such as the super-user account. Only
- those interfaces that Ethereal can open for capturing show up in that
- list; if you don't have sufficient privileges to capture on any
- interfaces, no interfaces will show up in the list.
-
- If you are running Ethereal from an account with sufficient
- privileges, then note that Ethereal relies on the libpcap library, and
- on the facilities that come with the OS on which it's running in order
- to do captures.
-
- Therefore, if the OS or the libpcap library don't support capturing on
- a particular network interface device, Ethereal won't be able to
- capture on that device.
-
- On Linux, note that you need to have "packet socket" support enabled
- in your kernel; see the "Packet socket" item in the Linux
- "Configure.help" file.
-
- On BSD, note that you need to have BPF support enabled in your kernel;
- see the documentation for your system for information on how to enable
- BPF support (if it's not enabled by default on your system).
-
- On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have
- packet filtering support in your kernel; the doconfig command will
- allow you to configure and build a new kernel with that option.
-
- On Solaris, note that libpcap 0.6.2 and earlier didn't support Token
- Ring interfaces; the current version, 0.7.2, does support Token Ring,
- and the current version of Ethereal works with libcap 0.7.2 and later.
-
- If an interface doesn't show up in the list of interfaces in the
- "Interface:" field, and you know the name of the interface, try
- entering that name in the "Interface:" field and capturing on that
- device.
-
- If the attempt to capture on it succeeds, the interface is somehow not
- being reported by the mechanism Ethereal uses to get a list of
- interfaces; please report this to ethereal-dev@ethereal.com giving
- full details of the problem, including
- * the operating system you're using, and the version of that
- operating system (for Linux, give both the version number of the
- kernel and the name and version number of the distribution you're
- using);
- * the type of network device you're using.
-
- If you are having trouble capturing on a particular network interface,
- and you've made sure that (on platforms that require it) you've
- arranged that packet capture support is present, as per the above,
- first try capturing on that device with tcpdump.
-
- If you can capture on the interface with tcpdump, send mail to
- ethereal-users@ethereal.com giving full details of the problem,
- including
- * the operating system you're using, and the version of that
- operating system (for Linux, give both the version number of the
- kernel and the name and version number of the distribution you're
- using);
- * the type of network device you're using;
- * the error message you get from Ethereal.
-
- If you cannot capture on the interface with tcpdump, this is almost
- certainly a problem with one or more of:
- * the operating system you're using;
- * the device driver for the interface you're using;
- * the libpcap library;
-
- so you should report the problem to the company or organization that
- produces the OS (in the case of a Linux distribution, report the
- problem to whoever produces the distribution).
-
- You may also want to ask the ethereal-users@ethereal.com and the
- tcpdump-workers@tcpdump.org mailing lists to see if anybody happens to
- know about the problem and know a workaround or fix for the problem.
- In your mail, please give full details of the problem, as described
- above, and also indicate that the problem occurs with tcpdump not just
- with Ethereal.
-
Q 5.18: I'm running Ethereal on Windows NT/2000/XP/Server; my machine
has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the
"Interface" item in the "Capture Options" dialog box. Why can no
@@ -1386,11 +1463,11 @@
or, for Windows, WinPcap bug that causes the system to crash when this
happens; see the previous question.
- Q 5.24: Does Ethereal work on Windows ME?
+ Q 5.24: Does Ethereal work on Windows Me?
A: Yes, but if you want to capture packets, you will need to install
the latest version of WinPcap, as 2.02 and earlier versions of WinPcap
- didn't support Windows ME. You should also install the latest version
+ didn't support Windows Me. You should also install the latest version
of Ethereal as well.
Q 5.25: Does Ethereal work on Windows XP?
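Review bot: In the answer to Q 5.24, the line this hunk rewrites still ends in "You should also install the latest version of Ethereal as well", which doubles "also" and "as well". Since the sentence is being touched anyway, drop one of the two.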
@@ -1479,6 +1556,18 @@
support that and, even on operating systems that do support it, not
all drivers, and thus not all cards, support it.
+ NOTE: an interface running in monitor mode will, on most if not all
+ platforms, not be able to act as a regular network interface; putting
+ it into monitor mode will, in effect, take your machine off of
+ whatever network it's on as long as the interface is in monitor mode,
+ allowing it only to passively capture packets.
+
+ This means that you should disable name resolution when capturing in
+ monitor mode; otherwise, when Ethereal (or Tethereal, or tcpdump)
+ tries to display IP addresses as host names, it will probably block
+ for a long time trying to resolve the name because it will not be able
+ to communicate with any DNS or NIS servers.
+
Cisco Aironet cards:
The only platforms that allow Ethereal to capture raw 802.11 packets
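Review bot: The added NOTE tells the reader to disable name resolution when capturing in monitor mode but does not say how to do that in Ethereal, Tethereal or tcpdump. Name the option or setting for each, or point to the later question "Ethereal hangs after I stop a capture", whose answer covers the same blocking name lookups.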
@@ -1488,15 +1577,28 @@
cause packets not to be captured correctly, and the driver in
releases prior to 4.5 didn't support capturing raw packets.
- On FreeBSD, the ancontrol utility must be used; do not enable the full
- Aironet header via BPF, as Ethereal doesn't currently support that.
+ On FreeBSD, the ancontrol utility must be used. The command
+
+ancontrol -i anN -M flag
+
+ is used to enable or disable monitor mode. If flag is 0, monitor mode
+ will be turned off; otherwise, flag should be the sum of:
+ * 1, to turn monitor mode on;
+ * 2, if you want to capture traffic from any BSS rather than just
+ the BSS with which the card is associated;
+ * 4, if you want to see beacon packets (capturing beacon packets
+ increases the CPU requirements of capturing).
+
+ Don't add 8 in; Ethereal currently doesn't support the full Aironet
+ header.
On Linux with the driver in the 2.4.6 through 2.4.19 kernel, you will
need to do
echo "Mode: rfmon" >/proc/driver/aironet/ethN/Config
- if your Aironet card is ethN. To capture traffic from any BSS, do
+ if your Aironet card is ethN. To capture traffic from any BSS rather
+ than just the BSS with which the card is associated, do
echo "Mode: y" >/proc/driver/aironet/ethN/Config
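Review bot: The new ancontrol paragraph lists flag values 1, 2 and 4 and then says "Don't add 8 in" without stating what 8 selects; the removed text made it explicit that the thing to avoid is enabling the full Aironet header via BPF. List 8 as a fourth bullet with that meaning and mark it as unsupported by Ethereal. The placeholder anN in "ancontrol -i anN -M flag" is also never explained, whereas the Linux paragraph says "if your Aironet card is ethN".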
@@ -1504,10 +1606,10 @@ echo "Mode: y" >/proc/driver/aironet/ethN/Config
echo "Mode: ess" >/proc/driver/aironet/ethN/Config
- On Linux with the driver in the 2.4.20 kernel, or with the CVS drivers
- from the airo-linux SourceForge site, you will have to capture on the
- wifiN interface if your Aironet card is ethN, after running the
- commands listed above.
+ On Linux with the driver in the 2.4.20 or later kernel, or with the
+ CVS drivers from the airo-linux SourceForge site, you will have to
+ capture on the wifiN interface if your Aironet card is ethN, after
+ running the commands listed above.
In all of those cases, Ethereal would have to be linked with libpcap
0.7.1 or later; this means that most Ethereal binary packages won't
@@ -1575,7 +1677,7 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
check the version of the Orinoco drivers that shipped with your kernel
by examining the first few lines of the orinoco.c file.
- Te Orinoco patches require either Solomon Peachy's patch to libpcap
+ The Orinoco patches require either Solomon Peachy's patch to libpcap
0.7.1 (see his libpcap-0.7.1-prism.diff file, or his RPMs of that
version of libpcap), or the current CVS version of libpcap, which
includes his patch (download it from the "Current Tar files" section
@@ -1590,6 +1692,18 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
On other platforms, capturing raw 802.11 packets on Orinoco cards is
not currently supported.
+ Cards with the Atheros Communications AR5000 or AR5001 chipsets:
+
+ You can capture raw 802.11 packets with AR5K cards on Linux systems
+ with the v5_ar5k drivers. You will need the Linux wireless-tools
+ version 25 or higher to put the card into monitor mode.
+
+ Cards with the Texas Instruments ACX100 chipset:
+
+ You can capture raw 802.11 packets with ACX100 cards on Linux systems
+ with the ACX100 OSS drivers available from the ACX100 wireless network
+ driver project SourceForge site.
+
Other 802.11 interfaces:
With other 802.11 interfaces, no platform allows Ethereal to capture
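Review bot: The Atheros paragraph says wireless-tools version 25 or higher is needed to put the card into monitor mode but gives no command, and the ACX100 paragraph does not mention monitor mode or which interface to capture on at all, while the Aironet section spells out both. Add the steps or say where they are documented. "AR5K" is also used in the body without being tied to the "AR5000 or AR5001" wording of the heading.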
@@ -1602,7 +1716,24 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
On platforms that don't allow Ethereal to capture raw 802.11 packets,
the 802.11 network will appear like an Ethernet to Ethereal.
- Q 5.31: How can I capture packets with CRC errors?
+ Q 5.31: I'm trying to capture 802.11 traffic on Windows; why am I not
+ seeing any packets?
+
+ A: At least some 802.11 card drivers on Windows appear not to see any
+ packets if they're running in promiscuous mode. Try turning
+ promiscuous mode off; you'll only be able to see packets sent by and
+ received by your machine, not third-party traffic, and it'll look like
+ Ethernet traffic and won't include any management or control frames,
+ but that's a limitation of the card drivers.
+
+ Q 5.32: I'm trying to capture 802.11 traffic on Windows; why am I
+ seeing packets received by the machine on which I'm capturing traffic,
+ but not packets sent by that machine?
+
+ A: This appears to be another problem with promiscuous mode; try
+ turning it off.
+
+ Q 5.33: How can I capture packets with CRC errors?
A: Ethereal can capture only the packets that the packet capture
library - libpcap on UNIX-flavored OSes, and the WinPcap port to
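Review bot: The answer to the new Q 5.32 says only "try turning it off" and leaves out the consequences that the answer to Q 5.31 spells out (only traffic sent by and received by your machine, Ethernet-looking frames, no management or control frames). Refer back to the previous answer so a reader who lands on Q 5.32 directly sees the trade-off.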
@@ -1611,15 +1742,32 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
(or the WinPcap driver, and the underlying OS networking code and
network interface drivers, on Windows) will allow it to capture.
- Unless the OS can be configured to supply packets with errors such as
+ Unless the OS always supplies packets with errors such as invalid CRCs
+ to the raw packet capture mechanism, or can be configured to do so,
invalid CRCs to the raw packet capture mechanism, Ethereal - and other
programs that capture raw packets, such as tcpdump - cannot capture
- those packets. You will have to determine whether your OS can be so
- configured, configure it if possible, and make whatever changes to
- libpcap and the packet capture program you're using are necessary to
- support capturing those packets.
-
- Q 5.32: How can I capture entire frames, including the FCS?
+ those packets. You will have to determine whether your OS needs to be
+ so configured and, if so, can be so configured, configure it if
+ necessary and possible, and make whatever changes to libpcap and the
+ packet capture program you're using are necessary, if any, to support
+ capturing those packets.
+
+ Most OSes probably do not support capturing packets with invalid CRCs
+ on Ethernet, and probably do not support it on most other link-layer
+ types. Some drivers on some OSes do support it, such as some Ethernet
+ drivers on FreeBSD; in those OSes, you might always get those packets,
+ or you might only get them if you capture in promiscuous mode (you'd
+ have to determine which is the case).
+
+ Note that libpcap does not currently supply to programs that use it an
+ indication of whether the packet's CRC was invalid (because the
+ drivers themselves do not supply that information to the raw packet
+ capture mechanism); therefore, Ethereal will not indicate which
+ packets had CRC errors unless the FCS was captured (see the next
+ question) and you're using Ethereal 0.9.15 and later, in which case
+ Ethereal will check the CRC and indicate whether it's correct or not.
+
+ Q 5.34: How can I capture entire frames, including the FCS?
A: Ethereal can't capture any data that the packet capture library -
libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of
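Review bot: The rewritten opening sentence of the Q 5.33 answer leaves a stale line behind. The two added lines end with "to the raw packet capture mechanism, or can be configured to do so," and are followed by the unchanged line "invalid CRCs to the raw packet capture mechanism, Ethereal - and other", so the result repeats "invalid CRCs to the raw packet capture mechanism" and no longer parses. The unchanged line should have been replaced so that the sentence continues with "Ethereal - and other programs". In the last added paragraph, "Ethereal 0.9.15 and later" would read better as "0.9.15 or later".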
@@ -1629,17 +1777,29 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
drivers, on Windows) will allow it to capture.
For any particular link-layer network type, unless the OS supplies the
- FCS of a frame as part of the frame, or can be configured to supply
- the FCS of a frame as part of the frame, Ethereal - and other programs
- that capture raw packets, such as tcpdump - cannot capture the FCS of
- a frame. You will have to determine whether your OS can be so
- configured, configure it if possible, and make whatever changes to
- libpcap and the packet capture program you're using are necessary to
- support capturing the FCS of a frame. Most if not all OSes probably do
- not support capturing the FCS of a frame on Ethernet, and probably do
- not support it on most other link-layer types.
-
- Q 5.33: Ethereal hangs after I stop a capture.
+ FCS of a frame as part of the frame, or can be configured to do so,
+ Ethereal - and other programs that capture raw packets, such as
+ tcpdump - cannot capture the FCS of a frame. You will have to
+ determine whether your OS needs to be so configured and, if so, can be
+ so configured, configure it if necessary and possible, and make
+ whatever changes to libpcap and the packet capture program you're
+ using are necessary, if any, to support capturing the FCS of a frame.
+
+ Most OSes do not support capturing the FCS of a frame on Ethernet, and
+ probably do not support it on most other link-layer types. Some
+ drivres on some OSes do support it, such as some (all?) Ethernet
+ drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet
+ interface in Mac OS X; in those OSes, you might always get the FCS, or
+ you might only get the FCS if you capture in promiscuous mode (you'd
+ have to determine which is the case).
+
+ Versions of Ethereal prior to 0.9.15 will not treat an Ethernet FCS in
+ a captured packet as an FCS. 0.9.15 and later will attempt to
+ determine whether there's an FCS at the end of the frame and, if it
+ thinks there is, will display it as such, and will check whether it's
+ the correct CRC-32 value or not.
+
+ Q 5.35: Ethereal hangs after I stop a capture.
A: The most likely reason for this is that Ethereal is trying to look
up an IP address in the capture to convert it to a name (so that, for
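Review bot: Typo in the added paragraph on OS support: "drivres on some OSes" should be "drivers on some OSes". The "(all?)" in "some (all?) Ethernet drivers on NetBSD" reads as an open question to the editor; either confirm it or reduce it to "some". The paragraph also says "Most OSes do not support" where the parallel paragraph in the CRC question says "Most OSes probably do not support"; pick one level of certainty for both.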
@@ -1709,7 +1869,7 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
contains sensitive information (e.g., passwords), then please do not
send it.
- Q 5.34: How can I search for, or filter, packets that have a
+ Q 5.36: How can I search for, or filter, packets that have a
particular string anywhere in them?
A: If you want to do this when capturing, you can't. That's a feature
@@ -1725,9 +1885,15 @@ echo "Mode: ess" >/proc/driver/aironet/ethN/Config
particular string; this has been added to the "Find Frame" dialog
("Find Frame" under the "Edit" menu, or control-F).
+ In 0.9.15 and later, you can search for those packets using either the
+ mechanism introduced in 0.9.14 or using the new "contains" operator in
+ filter expressions, which lets you search the entire packet or text
+ string or byte string fields in the packet; the "contains" operator
+ can also be used in expressions used to filter the display.
+
Support can be found on the ethereal-users[AT]ethereal.com mailing
list.
For corrections/additions/suggestions for this page, please send email
to: ethereal-web[AT]ethereal.com
- Last modified: Tue, August 19 2003.
+ Last modified: Fri, December 12 2003.
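Review bot: The added paragraph introduces the "contains" operator but shows no sample filter expression, so a reader cannot tell how to apply it to the entire packet as opposed to a single field. Add one example of each form. The sentence is also not parallel ("using either the mechanism introduced in 0.9.14 or using the new"); drop the second "using".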