diff options
| -rw-r--r-- | FAQ.include | 1432 | ||||
| -rw-r--r-- | Makefile.am | 3 | ||||
| -rw-r--r-- | gtk/help_dlg.c | 47 | ||||
| -rwxr-xr-x | make-faq | 7 |
4 files changed, 1482 insertions, 7 deletions
diff --git a/FAQ.include b/FAQ.include new file mode 100644 index 0000000000..efd686813d --- /dev/null +++ b/FAQ.include @@ -0,0 +1,1432 @@ +"\n" +" The Ethereal FAQ\n" +"\n" +" Note: This is just an ASCII snapshot of the faq and may not be up to\n" +" date. Please go to http://www.ethereal.com/faq for the up to\n" +" date version. The version of the snapshot can be found at the\n" +" end of this document.\n" +"\n" +" INDEX\n" +"\n" +" General Questions:\n" +"\n" +" 1.1 Where can I get help?\n" +"\n" +" 1.2 What protocols are currently supported?\n" +"\n" +" 1.3 Are there any plans to support {your favorite protocol}?\n" +"\n" +" 1.4 Can Ethereal read capture files from {your favorite network\n" +" analyzer}?\n" +"\n" +" 1.5 What devices can Ethereal use to capture packets?\n" +"\n" +" 1.6 How do you pronounce Ethereal? Where did the name come from?\n" +"\n" +" Downloading Ethereal:\n" +"\n" +" 2.1 I downloaded the Win32 installer, but when I try to run it, I get\n" +" an error.\n" +"\n" +" 2.2 When I try to download the WinPcap driver and library, I can't get\n" +" to the WinPcap Web site.\n" +"\n" +" Installing Ethereal:\n" +"\n" +" 3.1 I installed an Ethereal RPM, but Ethereal doesn't seem to be\n" +" installed; only Tethereal is installed.\n" +"\n" +" Building Ethereal:\n" +"\n" +" 4.1 The configure script can't find pcap.h or bpf.h, but I have\n" +" libpcap installed.\n" +"\n" +" 4.2 Why do I get the error \n" +"\n" +" dftest_DEPENDENCIES was already defined in condition TRUE, which\n" +" implies condition HAVE_PLUGINS_TRUE\n" +"\n" +" when I try to build Ethereal from CVS or a CVS snapshot?\n" +"\n" +" 4.3 The link failed because of an undefined reference to\n" +" snmp_set_full_objid.\n" +"\n" +" 4.4 The link fails with a number of \"Output line too long.\" messages\n" +" followed by linker errors. \n" +"\n" +" 4.5 The link fails on Solaris because plugin_list is undefined. \n" +"\n" +" 4.6 The build fails on Windows because of conflicts between winsock.h\n" +" and winsock2.h. \n" +"\n" +" Using Ethereal:\n" +"\n" +" 5.1 When I use Ethereal to capture packets, I see only packets to and\n" +" from my machine, or I'm not seeing all the traffic I'm expecting to\n" +" see from or to the machine I'm trying to monitor.\n" +"\n" +" 5.2 I can't see any TCP packets other than packets to and from my\n" +" machine, even though another sniffer on the network sees those\n" +" packets.\n" +"\n" +" 5.3 I can set a display filter just fine, but capture filters don't\n" +" work.\n" +"\n" +" 5.4 I'm entering valid capture filters, but I still get \"parse error\"\n" +" errors.\n" +"\n" +" 5.5 I saved a filter and tried to use its name to filter the display,\n" +" but I got an \"Unexpected end of filter string\" error.\n" +"\n" +" 5.6 I've just installed Ethereal, and the traffic on my local LAN is\n" +" boring.\n" +"\n" +" 5.7 When I run Ethereal on Solaris 8, it dies with a Bus Error when I\n" +" start it.\n" +"\n" +" 5.8 I'm running Ethereal on Linux; why do my time stamps have only\n" +" 100ms resolution, rather than 1us resolution?\n" +"\n" +" 5.9 I'm capturing packets on {Windows 95, Windows 98, Windows Me}; why\n" +" are the time stamps on packets wrong? \n" +"\n" +" 5.10 When I try to run Ethereal on Windows, it fails to run because it\n" +" can't find packet.dll.\n" +"\n" +" 5.11 Why does some network interface on my machine not show up in the\n" +" list of interfaces in the \"Interface:\" field in the dialog box popped\n" +" up by \"Capture->Start\", and/or why does Ethereal give me an error if I\n" +" try to capture on that interface? \n" +"\n" +" 5.12 I'm running Ethereal on Windows NT/2000/XP/Server; my machine has\n" +" a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the\n" +" \"Interface\" item in the \"Capture Options\" dialog box. Why can no\n" +" packets be sent on or received from that network while I'm trying to\n" +" capture traffic on that interface?\n" +"\n" +" 5.13 I'm running Ethereal on Windows 95/98/Me, on a machine with more\n" +" than one network adapter of the same type; Ethereal shows all of those\n" +" adapters with the same name, but I can't use any of those adapters\n" +" other than the first one.\n" +"\n" +" 5.14 I have an XXX network card on my machine; if I try to capture on\n" +" it, my machine crashes or resets itself. \n" +"\n" +" 5.15 My machine crashes or resets itself when I select \"Start\" from\n" +" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n" +"\n" +" 5.16 Does Ethereal work on Windows ME? \n" +"\n" +" 5.17 Does Ethereal work on Windows XP? \n" +"\n" +" 5.18 Why doesn't Ethereal correctly identify RTP packets? It shows\n" +" them only as UDP.\n" +"\n" +" 5.19 Why doesn't Ethereal show Yahoo Messenger packets in captures\n" +" that contain Yahoo Messenger traffic?\n" +"\n" +" 5.20 Why do I get the error \n" +"\n" +" Gdk-ERROR **: Palettized display (256-colour) mode not supported on\n" +" Windows.\n" +" aborting....\n" +"\n" +" when I try to run Ethereal on Windows?\n" +"\n" +" 5.21 When I capture on Windows in promiscuous mode, I can see packets\n" +" other than those sent to or from my machine; however, those packets\n" +" show up with a \"Short Frame\" indication, unlike packets to or from my\n" +" machine. What should I do to arrange that I see those packets in their\n" +" entirety? \n" +"\n" +" 5.22 How can I capture raw 802.11 packets, including non-data\n" +" (management, beacon) packets? \n" +"\n" +" 5.23 How can I capture packets with CRC errors? \n" +"\n" +" 5.24 How can I capture entire frames, including the FCS? \n" +"\n" +" 5.25 Ethereal hangs after I stop a capture. \n" +"\n" +" 5.26 How can I search for, or filter, packets that have a particular\n" +" string anywhere in them? \n" +"\n" +" GENERAL QUESTIONS \n" +" Q 1.1: Where can I get help?\n" +"\n" +" A: Support is available on the ethereal-users mailing list.\n" +" Subscription information and archives for all of Ethereal's mailing\n" +" lists can be found at http://www.ethereal.com/lists\n" +"\n" +" Q 1.2: What protocols are currently supported?\n" +"\n" +" A: There are currently 340 supported protocols and media, listed\n" +" below. Descriptions can be found in the ethereal(1) man page.\n" +"\n" +" 802.1q Virtual LAN\n" +" 802.1x Authentication\n" +" AFS (4.0) Replication Server call declarations\n" +" AOL Instant Messenger\n" +" ARCNET\n" +" ATM\n" +" ATM LAN Emulation\n" +" AVS WLAN Capture header\n" +" Ad hoc On-demand Distance Vector Routing Protocol\n" +" Ad hoc On-demand Distance Vector Routing Protocol v6\n" +" Address Resolution Protocol\n" +" Aggregate Server Access Protocol\n" +" Andrew File System (AFS)\n" +" Apache JServ Protocol v1.3\n" +" AppleTalk Filing Protocol\n" +" AppleTalk Session Protocol\n" +" AppleTalk Transaction Protocol packet\n" +" Appletalk Address Resolution Protocol\n" +" Async data over ISDN (V.120)\n" +" Authentication Header\n" +" BACnet Virtual Link Control\n" +" Banyan Vines\n" +" Banyan Vines Fragmentation Protocol\n" +" Banyan Vines SPP\n" +" Blocks Extensible Exchange Protocol\n" +" Boot Parameters\n" +" Bootstrap Protocol\n" +" Border Gateway Protocol\n" +" Building Automation and Control Network APDU\n" +" Building Automation and Control Network NPDU\n" +" CDS Clerk Server Calls\n" +" Check Point High Availability Protocol\n" +" Checkpoint FW-1\n" +" Cisco Auto-RP\n" +" Cisco Discovery Protocol\n" +" Cisco Group Management Protocol\n" +" Cisco HDLC\n" +" Cisco Hot Standby Router Protocol\n" +" Cisco ISL\n" +" Cisco Interior Gateway Routing Protocol\n" +" Cisco NetFlow\n" +" Cisco SLARP\n" +" Clearcase NFS\n" +" CoSine IPNOS L2 debug output\n" +" Common Open Policy Service\n" +" Common Unix Printing System (CUPS) Browsing Protocol\n" +" DCE DFS Calls\n" +" DCE Distributed Time Service Local Server\n" +" DCE Distributed Time Service Provider\n" +" DCE Name Service\n" +" DCE RPC\n" +" DCE Security ID Mapper\n" +" DCE/RPC BOS Server\n" +" DCE/RPC CDS Solicitation\n" +" DCE/RPC Conversation Manager\n" +" DCE/RPC Endpoint Mapper\n" +" DCE/RPC FLDB\n" +" DCE/RPC FLDB UBIK TRANSFER\n" +" DCE/RPC FLDB UBIKVOTE\n" +" DCE/RPC Kerberos V\n" +" DCE/RPC RS_ACCT\n" +" DCE/RPC RS_MISC\n" +" DCE/RPC RS_UNIX\n" +" DCE/RPC Remote Management\n" +" DCE/RPC Repserver Calls\n" +" DCE/RPC TokenServer Calls\n" +" DCE/RPC UpServer\n" +" DCOM OXID Resolver\n" +" DCOM Remote Activation\n" +" DEC Spanning Tree Protocol\n" +" DHCPv6\n" +" DNS Control Program Server\n" +" Data\n" +" Data Link SWitching\n" +" Data Stream Interface\n" +" Datagram Delivery Protocol\n" +" Diameter Protocol\n" +" Distance Vector Multicast Routing Protocol\n" +" Distributed Checksum Clearinghouse Prototocl\n" +" Domain Name Service\n" +" Dummy Protocol\n" +" Dynamic DNS Tools Protocol\n" +" Encapsulating Security Payload\n" +" Enhanced Interior Gateway Routing Protocol\n" +" Ethernet\n" +" Extensible Authentication Protocol\n" +" FC Extended Link Svc\n" +" FCIP\n" +" FTP Data\n" +" FTServer Operations\n" +" Fiber Distributed Data Interface\n" +" Fibre Channel\n" +" Fibre Channel Protocol for SCSI\n" +" Fibre Channel SW_ILS\n" +" File Transfer Protocol (FTP)\n" +" Financial Information eXchange Protocol\n" +" Frame\n" +" Frame Relay\n" +" GARP Multicast Registration Protocol\n" +" GARP VLAN Registration Protocol\n" +" GPRS Tunneling Protocol\n" +" GPRS Tunnelling Protocol v0\n" +" GPRS Tunnelling Protocol v1\n" +" General Inter-ORB Protocol\n" +" Generic Routing Encapsulation\n" +" Generic Security Service Application Program Interface\n" +" Gnutella Protocol\n" +" Hummingbird NFS Daemon\n" +" HyperSCSI\n" +" Hypertext Transfer Protocol\n" +" ICQ Protocol\n" +" IEEE 802.11 wireless LAN\n" +" IEEE 802.11 wireless LAN management frame\n" +" ILMI\n" +" IP Over FC\n" +" IP Payload Compression\n" +" IPX Message\n" +" IPX Routing Information Protocol\n" +" ISDN\n" +" ISDN Q.921-User Adaptation Layer\n" +" ISDN User Part\n" +" ISO 10589 ISIS InTRA Domain Routeing Information Exchange Protocol\n" +" ISO 8073 COTP Connection-Oriented Transport Protocol\n" +" ISO 8473 CLNP ConnectionLess Network Protocol\n" +" ISO 8602 CLTP ConnectionLess Transport Protocol\n" +" ISO 9542 ESIS Routeing Information Exchange Protocol\n" +" ITU-T Recommendation H.261\n" +" Inter-Access-Point Protocol\n" +" Interbase\n" +" Internet Cache Protocol\n" +" Internet Content Adaptation Protocol\n" +" Internet Control Message Protocol\n" +" Internet Control Message Protocol v6\n" +" Internet Group Management Protocol\n" +" Internet Message Access Protocol\n" +" Internet Printing Protocol\n" +" Internet Protocol\n" +" Internet Protocol Version 6\n" +" Internet Relay Chat\n" +" Internet Security Association and Key Management Protocol\n" +" Internetwork Packet eXchange\n" +" Java RMI\n" +" Java Serialization\n" +" Kerberos\n" +" Kernel Lock Manager\n" +" Label Distribution Protocol\n" +" Layer 2 Tunneling Protocol\n" +" Lightweight Directory Access Protocol\n" +" Line Printer Daemon Protocol\n" +" Link Access Procedure Balanced (LAPB)\n" +" Link Access Procedure Balanced Ethernet (LAPBETHER)\n" +" Link Access Procedure, Channel D (LAPD)\n" +" Link Aggregation Control Protocol\n" +" Link Management Protocol (LMP)\n" +" Linux cooked-mode capture\n" +" Local Management Interface\n" +" LocalTalk Link Access Protocol\n" +" Logical-Link Control\n" +" Lucent/Ascend debug output\n" +" MMS Message Encapsulation\n" +" MS Proxy Protocol\n" +" MSNIP: Multicast Source Notification of Interest Protocol\n" +" MTP 2 Transparent Proxy\n" +" MTP 2 User Adaptation Layer\n" +" MTP 3 User Adaptation Layer\n" +" MTP2 Peer Adaptation Layer\n" +" Message Transfer Part Level 2\n" +" Message Transfer Part Level 3\n" +" Microsoft Distributed File System\n" +" Microsoft Exchange MAPI\n" +" Microsoft Local Security Architecture\n" +" Microsoft Local Security Architecture (Directory Services)\n" +" Microsoft Network Logon\n" +" Microsoft Registry\n" +" Microsoft Security Account Manager\n" +" Microsoft Server Service\n" +" Microsoft Spool Subsystem\n" +" Microsoft Telephony API Service\n" +" Microsoft Windows Browser Protocol\n" +" Microsoft Windows Lanman Remote API Protocol\n" +" Microsoft Windows Logon Protocol\n" +" Microsoft Workstation Service\n" +" Mobile IP\n" +" Modbus/TCP\n" +" Mount Service\n" +" MultiProtocol Label Switching Header\n" +" Multicast Router DISCovery protocol\n" +" Multicast Source Discovery Protocol\n" +" NFSACL\n" +" NFSAUTH\n" +" NIS+\n" +" NIS+ Callback\n" +" NSPI\n" +" NTLM Secure Service Provider\n" +" Name Binding Protocol\n" +" Name Management Protocol over IPX\n" +" NetBIOS\n" +" NetBIOS Datagram Service\n" +" NetBIOS Name Service\n" +" NetBIOS Session Service\n" +" NetBIOS over IPX\n" +" NetWare Core Protocol\n" +" Network Data Management Protocol\n" +" Network File System\n" +" Network Lock Manager Protocol\n" +" Network News Transfer Protocol\n" +" Network Status Monitor CallBack Protocol\n" +" Network Status Monitor Protocol\n" +" Network Time Protocol\n" +" Novell Distributed Print System\n" +" Null/Loopback\n" +" Open Shortest Path First\n" +" OpenBSD Packet Filter log file\n" +" PC NFS\n" +" PPP Bandwidth Allocation Control Protocol\n" +" PPP Bandwidth Allocation Protocol\n" +" PPP CDP Control Protocol\n" +" PPP Callback Control Protocol\n" +" PPP Challenge Handshake Authentication Protocol\n" +" PPP Compressed Datagram\n" +" PPP Compression Control Protocol\n" +" PPP IP Control Protocol\n" +" PPP IPv6 Control Protocol\n" +" PPP Link Control Protocol\n" +" PPP MPLS Control Protocol\n" +" PPP Multilink Protocol\n" +" PPP Multiplexing\n" +" PPP Password Authentication Protocol\n" +" PPP VJ Compression\n" +" PPP-over-Ethernet Discovery\n" +" PPP-over-Ethernet Session\n" +" PPPMux Control Protocol\n" +" Point-to-Point Protocol\n" +" Point-to-Point Tunnelling Protocol\n" +" Portmap\n" +" Post Office Protocol\n" +" Pragmatic General Multicast\n" +" Prism\n" +" Privilege Server operations\n" +" Protocol Independent Multicast\n" +" Q.2931\n" +" Q.931\n" +" Quake II Network Protocol\n" +" Quake III Arena Network Protocol\n" +" Quake Network Protocol\n" +" QuakeWorld Network Protocol\n" +" Qualified Logical Link Control\n" +" RFC 2250 MPEG1\n" +" RIPng\n" +" RPC Browser\n" +" RSTAT\n" +" RX Protocol\n" +" Radio Access Network Application Part\n" +" Radius Protocol\n" +" Raw packet data\n" +" Real Time Streaming Protocol\n" +" Real-Time Transport Protocol\n" +" Real-time Transport Control Protocol\n" +" Registry Server Attributes Manipulation Interface\n" +" Registry server administration operations.\n" +" Remote Override interface\n" +" Remote Procedure Call\n" +" Remote Program Load\n" +" Remote Quota\n" +" Remote Shell\n" +" Remote Wall protocol\n" +" Remote sec_login preauth interface.\n" +" Resource ReserVation Protocol (RSVP)\n" +" Rlogin Protocol\n" +" Routing Information Protocol\n" +" Routing Table Maintenance Protocol\n" +" SADMIND\n" +" SCSI\n" +" SGI Mount Service\n" +" SMB (Server Message Block Protocol)\n" +" SMB MailSlot Protocol\n" +" SMB Pipe Protocol\n" +" SNA-over-Ethernet\n" +" SNMP Multiplex Protocol\n" +" SPNEGO-KRB5\n" +" SPRAY\n" +" SS7 SCCP-User Adaptation Layer\n" +" SSCOP\n" +" Secure Socket Layer\n" +" Sequenced Packet eXchange\n" +" Service Advertisement Protocol\n" +" Service Location Protocol\n" +" Session Announcement Protocol\n" +" Session Description Protocol\n" +" Session Initiation Protocol\n" +" Short Message Peer to Peer\n" +" Signalling Connection Control Part\n" +" Signalling Connection Control Part Management\n" +" Simple Mail Transfer Protocol\n" +" Simple Network Management Protocol\n" +" Sinec H1 Protocol\n" +" Skinny Client Control Protocol\n" +" SliMP3 Communication Protocol\n" +" Socks Protocol\n" +" Spanning Tree Protocol\n" +" Spnego\n" +" Stream Control Transmission Protocol\n" +" Syslog message\n" +" Systems Network Architecture\n" +" TACACS\n" +" TACACS+\n" +" TPKT\n" +" Tabular Data Stream\n" +" Telnet\n" +" Time Protocol\n" +" Time Synchronization Protocol\n" +" Token-Ring\n" +" Token-Ring Media Access Control\n" +" Transmission Control Protocol\n" +" Transparent Network Substrate Protocol\n" +" Trivial File Transfer Protocol\n" +" Universal Computer Protocol\n" +" User Datagram Protocol\n" +" Virtual Router Redundancy Protocol\n" +" Virtual Trunking Protocol\n" +" Web Cache Coordination Protocol\n" +" Wellfleet Compression\n" +" Who\n" +" Windows 2000 DNS\n" +" Wireless Session Protocol\n" +" Wireless Transaction Protocol\n" +" Wireless Transport Layer Security\n" +" X Display Manager Control Protocol\n" +" X.25\n" +" X.25 over TCP\n" +" X11\n" +" Xyplex\n" +" Yahoo Messenger Protocol\n" +" Yellow Pages Bind\n" +" Yellow Pages Passwd\n" +" Yellow Pages Service\n" +" Yellow Pages Transfer\n" +" Zebra Protocol\n" +" Zone Information Protocol\n" +" iSCSI\n" +"\n" +" Q 1.3: Are there any plans to support {your favorite protocol}?\n" +"\n" +" A: Support for particular protocols is added to Ethereal as a result\n" +" of people contributing that support; no formal plans for adding\n" +" support for particular protocols in particular future releases exist.\n" +"\n" +" Q 1.4: Can Ethereal read capture files from {your favorite network\n" +" analyzer}?\n" +"\n" +" A: Support for particular protocols is added to Ethereal as a result\n" +" of people contributing that support; no formal plans for adding\n" +" support for particular protocols in particular future releases exist.\n" +"\n" +" If a network analyzer writes out files in a format already supported\n" +" by Ethereal (e.g., in libpcap format), Ethereal may already be able to\n" +" read them, unless the analyzer has added its own proprietary\n" +" extensions to that format.\n" +"\n" +" If a network analyzer writes out files in its own format, or has added\n" +" proprietary extensions to another format, in order to make Ethereal\n" +" read captures from that network analyzer, we would either have to have\n" +" a specification for the file format, or the extensions, sufficient to\n" +" give us enough information to read the parts of the file relevant to\n" +" Ethereal, or would need at least one capture file in that format AND a\n" +" detailed textual analysis of the packets in that capture file (showing\n" +" packet time stamps, packet lengths, and the top-level packet header)\n" +" in order to reverse-engineer the file format.\n" +"\n" +" Note that there is no guarantee that we will be able to\n" +" reverse-engineer a capture file format.\n" +"\n" +" Q 1.5: What devices can Ethereal use to capture packets?\n" +"\n" +" A: Ethereal can read live data from Ethernet, Token-Ring, FDDI, serial\n" +" (PPP and SLIP) (if the OS on which it's running allows Ethereal to do\n" +" so), 802.11 wireless LAN (if the OS on which it's running allows\n" +" Ethereal to do so), ATM connections (if the OS on which it's running\n" +" allows Ethereal to do so), and the \"any\" device supported on Linux by\n" +" recent versions of libpcap. See the list of supported capture media on\n" +" various OSes for details (several items in there say \"Unknown\", which\n" +" doesn't mean \"Ethereal can't capture on them\", it means \"we don't know\n" +" whether it can capture on them\"; we expect that it will be able to\n" +" capture on many of them, but we haven't tried it ourselves - if you\n" +" try one of those types and it works, please send an update to\n" +" ethereal-web[AT]ethereal.com).\n" +"\n" +" It can also read a variety of capture file formats, including:\n" +" * libpcap/tcpdump\n" +" * Sun snoop/atmsnoop\n" +" * Shomiti/Finisar Surveyor\n" +" * LanAlyzer\n" +" * DOS-based Sniffer (compressed and uncompressed)\n" +" * MS Network Monitor\n" +" * AIX iptrace\n" +" * NetXray and Windows-based Sniffer\n" +" * EtherPeek/TokenPeek/AiroPeek\n" +" * RADCOM WAN/LAN analyzer\n" +" * Lucent/Ascend debug output\n" +" * Toshiba ISDN router \"snoop\" output\n" +" * HPUX nettl\n" +" * ISDN4BSD \"i4btrace\" utility.\n" +" * Cisco Secure IDS\n" +" * pppd log files (pppdump format)\n" +" * VMS TCPIPtrace\n" +" * DBS Etherwatch\n" +" * Visual Networks' Visual UpTime\n" +" * CoSine L2 debug\n" +"\n" +" so that it can read traces from various network types, as captured by\n" +" other applications or equipment, even if it cannot itself capture on\n" +" those network types.\n" +"\n" +" Q 1.6: How do you pronounce Ethereal? Where did the name come from?\n" +"\n" +" A: The English pronunciation can be found in Merriam-Webster's online\n" +" dictionary at\n" +" http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=ethereal.\n" +"\n" +" According to the book \"Computer Networks\" by Andrew Tannenbaum,\n" +" Ethernet was named after the \"luminiferous ether\" which was once\n" +" thought to carry electromagnetic radiation. Taking that into\n" +" consideration, Ethereal seemed like an appropriate name for an\n" +" Ethernet sniffer.\n" +"\n" +" DOWNLOADING ETHEREAL \n" +" Q 2.1: I downloaded the Win32 installer, but when I try to run it, I\n" +" get an error.\n" +"\n" +" A: The program you used to download it may have downloaded it\n" +" incorrectly. Web browsers sometimes may do this.\n" +"\n" +" Try downloading it with, for example:\n" +" * Wget, for which Windows binaries are available on the SunSITE FTP\n" +" server at sunsite.tk or Heiko Herold's windows wget spot - wGetGUI\n" +" offers a GUI interface that uses wget;\n" +" * WS_FTP from Ipswitch,\n" +" * the ftp command that comes with Windows.\n" +"\n" +" If you use the ftp command, make sure you do the transfer in binary\n" +" mode rather than ASCII mode, by using the binary command before\n" +" transferring the file.\n" +"\n" +" Q 2.2: When I try to download the WinPcap driver and library, I can't\n" +" get to the WinPcap Web site.\n" +"\n" +" A: As is the case with all Web sites, that site won't necessarily\n" +" always be accessible; the server may be down due to a problem or down\n" +" for maintenance, or there may be a networking problem between you and\n" +" the server. You should try again later, or try the local mirror or the\n" +" Wiretapped.net mirror.\n" +"\n" +" INSTALLING ETHEREAL \n" +" Q 3.1: I installed an Ethereal RPM, but Ethereal doesn't seem to be\n" +" installed; only Tethereal is installed.\n" +"\n" +" A: Red Hat RPMs for Ethereal put only the non-GUI components into the\n" +" ethereal RPM, the fact that Ethereal is a GUI program nonwithstanding;\n" +" there's a separate ethereal-gnome RPM that includes GUI components\n" +" such as Ethereal itself, the fact that Ethereal doesn't use GNOME\n" +" nonwithstanding. Find the ethereal-gnome RPM, and install that also.\n" +"\n" +" BUILDING ETHEREAL \n" +" Q 4.1: The configure script can't find pcap.h or bpf.h, but I have\n" +" libpcap installed.\n" +"\n" +" A: Are you sure pcap.h and bpf.h are installed? The official\n" +" distribution of libpcap only installs the libpcap.a library file when\n" +" \"make install\" is run. To install pcap.h and bpf.h, you must run \"make\n" +" install-incl\". If you're running Debian or Redhat, make sure you have\n" +" the \"libpcap-dev\" or \"libpcap-devel\" packages installed.\n" +"\n" +" It's also possible that pcap.h and bpf.h have been installed in a\n" +" strange location. If this is the case, you may have to tweak\n" +" aclocal.m4.\n" +"\n" +" Q 4.2: Why do I get the error \n" +"\n" +" dftest_DEPENDENCIES was already defined in condition TRUE, which\n" +" implies condition HAVE_PLUGINS_TRUE\n" +"\n" +" when I try to build Ethereal from CVS or a CVS snapshot?\n" +"\n" +" A: You probably have automake 1.5 installed on your machine (the\n" +" command automake --version will report the version of automake on your\n" +" machine). There is a bug in that version of automake that causes this\n" +" problem; upgrade to a later version of automake (1.6 or later).\n" +"\n" +" Q 4.3: The link failed because of an undefined reference to\n" +" snmp_set_full_objid.\n" +"\n" +" A: You probably have the shared library for UCD SNMP 4.1.1 installed\n" +" (so that snmp_set_full_objid is a macro, rather than a routine in the\n" +" SNMP shared library), but the `development' package for an earlier or\n" +" later UCD SNMP library (so that snmp_set_full_objid is not defined as\n" +" a macro, causing Ethereal to attempt to call it as a routine).\n" +"\n" +" If you are on a Linux system that uses RPMs, and the UCD SNMP packages\n" +" are installed as RPMs, the command rpm -qa | grep snmp will report the\n" +" versions of the SNMP packages you have installed; they should all have\n" +" the same version number, such as 4.0.1 or 4.1.1 or 4.1.2. If they\n" +" don't, remove the RPM for the development package (which will probably\n" +" have a name beginning with ucd-snmp-devel) and install the version of\n" +" the development package with the same version number as the other\n" +" ucd-snmp packages have.\n" +"\n" +" After installing the 4.1.1 version of the UCD SNMP header files, do a\n" +" make clean and then rebuild Ethereal.\n" +"\n" +" Q 4.4: The link fails with a number of \"Output line too long.\"\n" +" messages followed by linker errors. \n" +"\n" +" A: The version of the sed command on your system is incapable of\n" +" handling very long lines. On Solaris, for example, /usr/bin/sed has a\n" +" line length limit too low to allow libtool to work; /usr/xpg4/bin/sed\n" +" can handle it, as can GNU sed if you have it installed.\n" +"\n" +" On Solaris, changing your command search path to search /usr/xpg4/bin\n" +" before /usr/bin should make the problem go away; on any platform on\n" +" which you have this problem, installing GNU sed and changing your\n" +" command path to search the directory in which it is installed before\n" +" searching the directory with the version of sed that came with the OS\n" +" should make the problem go away.\n" +"\n" +" Q 4.5: The link fails on Solaris because plugin_list is undefined. \n" +"\n" +" A: This appears to be due to a problem with some versions of the GTK+\n" +" and GLib packages from www.sunfreeware.org; un-install those packages,\n" +" and try getting the 1.2.10 versions from that site, or the versions\n" +" from The Written Word, or the versions from Sun's GNOME distribution,\n" +" or the versions from the supplemental software CD that comes with the\n" +" Solaris media kit, or build them from source from the GTK Web site.\n" +" Then re-run the configuration script, and try rebuilding Ethereal. (If\n" +" you get the 1.2.10 versions from www.sunfreeware.org, and the problem\n" +" persists, un-install them and try installing one of the other versions\n" +" mentioned.)\n" +"\n" +" Q 4.6: The build fails on Windows because of conflicts between\n" +" winsock.h and winsock2.h. \n" +"\n" +" A: As of Ethereal 0.9.5, you must install WinPcap 2.3 or later, and\n" +" the corresponding version of the developer's pack, in order to be able\n" +" to compile Ethereal; it will not compile with older versions of the\n" +" developer's pack. The symptoms of this failure are conflicts between\n" +" definitions in winsock.h and in winsock2.h; Ethereal uses winsock2.h,\n" +" but pre-2.3 versions of the WinPcap developer's packet use winsock.h.\n" +" (2.3 uses winsock2.h, so if Ethereal were to use winsock.h, it would\n" +" not be able to build with current versions of the WinPcap developer's\n" +" pack.)\n" +"\n" +" Note that the installed version of the developer's pack should be the\n" +" same version as the version of WinPcap you have installed.\n" +"\n" +" USING ETHEREAL \n" +" Q 5.1: When I use Ethereal to capture packets, I see only packets to\n" +" and from my machine, or I'm not seeing all the traffic I'm expecting\n" +" to see from or to the machine I'm trying to monitor.\n" +"\n" +" A: This might be because the interface on which you're capturing is\n" +" plugged into a switch; on a switched network, unicast traffic between\n" +" two ports will not necessarily appear on other ports - only broadcast\n" +" and multicast traffic will be sent to all ports.\n" +"\n" +" Note that even if your machine is plugged into a hub, the \"hub\" may be\n" +" a switched hub, in which case you're still on a switched network.\n" +"\n" +" Note also that on the Linksys Web site, they say that their\n" +" auto-sensing hubs \"broadcast the 10Mb packets to the port that operate\n" +" at 10Mb only and broadcast the 100Mb packets to the ports that operate\n" +" at 100Mb only\", which would indicate that if you sniff on a 10Mb port,\n" +" you will not see traffic coming sent to a 100Mb port, and vice versa.\n" +" This problem has also been reported for Netgear dual-speed hubs, and\n" +" may exist for other \"auto-sensing\" or \"dual-speed\" hubs.\n" +"\n" +" Some switches have the ability to replicate all traffic on all ports\n" +" to a single port so that you can plug your sniffer into that single\n" +" port to sniff all traffic. You would have to check the documentation\n" +" for the switch to see if this is possible and, if so, to see how to do\n" +" this. See, for example, this documentation from Cisco on the Switched\n" +" Port Analyzer (SPAN) feature on Catalyst switches.\n" +"\n" +" If your machine is not plugged into a switched network or a dual-speed\n" +" hub, or it is plugged into a switched network but the port is set up\n" +" to have all traffic replicated to it, the problem might be that the\n" +" network interface on which you're capturing doesn't support\n" +" \"promiscuous\" mode, or because your OS can't put the interface into\n" +" promiscuous mode. Normally, network interfaces supply to the host\n" +" only:\n" +" * packets sent to one of that host's link-layer addresses;\n" +" * broadcast packets;\n" +" * multicast packets sent to a multicast address that the host has\n" +" configured the interface to accept.\n" +"\n" +" Most network interfaces can also be put in \"promiscuous\" mode, in\n" +" which they supply to the host all network packets they see. Ethereal\n" +" will try to put the interface on which it's capturing into promiscuous\n" +" mode unless the \"Capture packets in promiscuous mode\" option is turned\n" +" off in the \"Capture Options\" dialog box, and Tethereal will try to put\n" +" the interface on which it's capturing into promiscuous mode unless the\n" +" -p option was specified. However, some network interfaces don't\n" +" support promiscuous mode, and some OSes might not allow interfaces to\n" +" be put into promiscuous mode.\n" +"\n" +" If the interface is not running in promiscuous mode, it won't see any\n" +" traffic that isn't intended to be seen by your machine. It will see\n" +" broadcast packets, and multicast packets sent to a multicast MAC\n" +" address the interface is set up to receive.\n" +"\n" +" You should ask the vendor of your network interface whether it\n" +" supports promiscuous mode. If it does, you should ask whoever supplied\n" +" the driver for the interface (the vendor, or the supplier of the OS\n" +" you're running on your machine) whether it supports promiscuous mode\n" +" with that network interface.\n" +"\n" +" In the case of token ring interfaces, the drivers for some of them, on\n" +" Windows, may require you to enable promiscuous mode in order to\n" +" capture in promiscuous mode. Ask the vendor of the card how to do\n" +" this.\n" +"\n" +" In the case of wireless LAN interfaces, it appears that, when those\n" +" interfaces are promiscuously sniffing, they're running in a\n" +" significantly different mode from the mode that they run in when\n" +" they're just acting as network interfaces (to the extent that it would\n" +" be a significant effor for those drivers to support for promiscuously\n" +" sniffing and acting as regular network interfaces at the same time),\n" +" so it may be that Windows drivers for those interfaces don't support\n" +" promiscuous mode.\n" +"\n" +" Q 5.2: I can't see any TCP packets other than packets to and from my\n" +" machine, even though another sniffer on the network sees those\n" +" packets.\n" +"\n" +" A: You're probably not seeing any packets other than unicast packets\n" +" to or from your machine, and broadcast and multicast packets; a switch\n" +" will normally send to a port only unicast traffic sent to the MAC\n" +" address for the interface on that port, and broadcast and multicast\n" +" traffic - it won't send to that port unicast traffic sent to a MAC\n" +" address for some other interface - and a network interface not in\n" +" promiscuous mode will receive only unicast traffic sent to the MAC\n" +" address for that interface, broadcast traffic, and multicast traffic\n" +" sent to a multicast MAC address the interface is set up to receive.\n" +"\n" +" TCP doesn't use broadcast or multicast, so you will only see your own\n" +" TCP traffic, but UDP services may use broadcast or multicast so you'll\n" +" see some UDP traffic - however, this is not a problem with TCP\n" +" traffic, it's a problem with unicast traffic, as you also won't see\n" +" all UDP traffic between other machines.\n" +"\n" +" I.e., this is probably the same problem discussed in the previous\n" +" question; see the response to that question.\n" +"\n" +" Q 5.3: I can set a display filter just fine, but capture filters don't\n" +" work.\n" +"\n" +" A: Capture filters currently use a different syntax than display\n" +" filters. Here's the corresponding section from the ethereal(1) man\n" +" page:\n" +"\n" +" \"Display filters in Ethereal are very powerful; more fields are\n" +" filterable in Ethereal than in other protocol analyzers, and the\n" +" syntax you can use to create your filters is richer. As Ethereal\n" +" progresses, expect more and more protocol fields to be allowed in\n" +" display filters.\n" +"\n" +" Packet capturing is performed with the pcap library. The capture\n" +" filter syntax follows the rules of the pcap library. This syntax is\n" +" different from the display filter syntax.\"\n" +"\n" +" The capture filter syntax used by libpcap can be found in the\n" +" tcpdump(8) man page.\n" +"\n" +" Q 5.4: I'm entering valid capture filters, but I still get \"parse\n" +" error\" errors.\n" +"\n" +" A: There is a bug in some versions of libpcap/WinPcap that cause it to\n" +" report parse errors even for valid expressions if a previous filter\n" +" expression was invalid and got a parse error.\n" +"\n" +" Try exiting and restarting Ethereal; if you are using a version of\n" +" libpcap/WinPcap with this bug, this will \"erase\" its memory of the\n" +" previous parse error. If the capture filter that got the \"parse error\"\n" +" now works, the earlier error with that filter was probably due to this\n" +" bug. The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions of\n" +" libpcap have this bug, but 0.6[.x] and later versions don't.\n" +"\n" +" Versions of WinPcap prior to 2.3 are based on pre-0.6 versions of\n" +" libpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, and\n" +" doesn't have this bug.\n" +"\n" +" If you are running Ethereal on a UNIX-flavored platform, run \"ethereal\n" +" -v\", or select \"About Ethereal...\" from the \"Help\" menu in Ethereal,\n" +" to see what version of libpcap it's using. If it's not 0.6 or later,\n" +" you will need either to upgrade your OS to get a later version of\n" +" libpcap, or will need to build and install a later version of libpcap\n" +" from the tcpdump.org Web site and then recompile Ethereal from source\n" +" with that later version of libpcap.\n" +"\n" +" If you are running Ethereal on Windows with a pre-2.3 version of\n" +" WinPcap, you will need to un-install WinPcap and then download and\n" +" install WinPcap 2.3.\n" +"\n" +" Q 5.5: I saved a filter and tried to use its name to filter the\n" +" display, but I got an \"Unexpected end of filter string\" error.\n" +"\n" +" A: You cannot use the name of a saved display filter as a filter. To\n" +" filter the display, you can enter a display filter expression - not\n" +" the name of a saved display filter - in the \"Filter:\" box at the\n" +" bottom of the display, and type the key or press the \"Apply\" button\n" +" (that does not require you to have a saved filter), or, if you want to\n" +" use a saved filter, you can press the \"Filter:\" button, select the\n" +" filter in the dialog box that pops up, and press the \"OK\" button.\n" +"\n" +" Q 5.6: I've just installed Ethereal, and the traffic on my local LAN\n" +" is boring.\n" +"\n" +" A: We have a collection of strange and exotic sample capture files at\n" +" http://www.ethereal.com/sample/\n" +"\n" +" Q 5.7: When I run Ethereal on Solaris 8, it dies with a Bus Error when\n" +" I start it.\n" +"\n" +" A: Some versions of the GTK+ library from www.sunfreeware.org appear\n" +" to be buggy, causing Ethereal to drop core with a Bus Error.\n" +" Un-install those packages, and try getting the 1.2.10 version from\n" +" that site, or the version from The Written Word, or the version from\n" +" Sun's GNOME distribution, or the version from the supplemental\n" +" software CD that comes with the Solaris media kit, or build it from\n" +" source from the GTK Web site. Update the GLib library to the 1.2.10\n" +" version, from the same source, as well. (If you get the 1.2.10\n" +" versions from www.sunfreeware.org, and the problem persists,\n" +" un-install them and try installing one of the other versions\n" +" mentioned.) Similar problems may exist with older versions of GTK+ for\n" +" earlier versions of Solaris.\n" +"\n" +" Q 5.8: I'm running Ethereal on Linux; why do my time stamps have only\n" +" 100ms resolution, rather than 1us resolution?\n" +"\n" +" A: Ethereal gets time stamps from libpcap/WinPcap, and libpcap/WinPcap\n" +" get them from the OS kernel, so Ethereal - and any other program using\n" +" libpcap, such as tcpdump - is at the mercy of the time stamping code\n" +" in the OS for time stamps.\n" +"\n" +" At least on x86-based machines, Linux can get high-resolution time\n" +" stamps on newer processors with the Time Stamp Counter (TSC) register;\n" +" for example, Intel x86 processors, starting with the Pentium Pro, and\n" +" including all x86 processors since then, have had a TSC, and other\n" +" vendors probably added the TSC at some point to their families of x86\n" +" processors.\n" +"\n" +" The Linux kernel must be configured with the CONFIG_X86_TSC option\n" +" enabled in order to use the TSC. Make sure this option is enabled in\n" +" your kernel.\n" +"\n" +" In addition, some Linux distributions may have bugs in their versions\n" +" of the kernel that cause packets not to be given high-resolution time\n" +" stamps even if the TSC is enabled. See, for example, bug 61111 for Red\n" +" Hat Linux 7.2. If your distribution has a bug such as this, you may\n" +" have to run a standard kernel from kernel.org in order to get\n" +" high-resolution time stamps.\n" +"\n" +" Q 5.9: I'm capturing packets on {Windows 95, Windows 98, Windows Me};\n" +" why are the time stamps on packets wrong? \n" +"\n" +" A: This is due to a bug in WinPcap. The bug should be fixed in the\n" +" WinPcap 3.0 alpha release - note that it's an alpha release, so it may\n" +" be buggier than the current production release of WinPcap; please\n" +" report those bugs to the WinPcap developers, and help them try to\n" +" track down the problem, so that they can fix it for the final release.\n" +"\n" +" Q 5.10: When I try to run Ethereal on Windows, it fails to run because\n" +" it can't find packet.dll.\n" +"\n" +" A: In older versions of Ethereal, there were two binary distributions\n" +" available for Windows, one that supported capturing packets, and one\n" +" that didn't. The version that supported capturing packets required\n" +" that you install the WinPcap driver; if you didn't install it, it\n" +" would fail to run because it couldn't find packet.dll.\n" +"\n" +" The current version of Ethereal has only one binary distribution for\n" +" Windows; that version will check whether WinPcap is installed and, if\n" +" it's not, will disable support for packet capture.\n" +"\n" +" The WinPcap driver and libraries can be downloaded from the WinPcap\n" +" Web site, the local mirror of the WinPcap Web site, or the\n" +" Wiretapped.net mirror of the WinPcap site.\n" +"\n" +" Q 5.11: Why does some network interface on my machine not show up in\n" +" the list of interfaces in the \"Interface:\" field in the dialog box\n" +" popped up by \"Capture->Start\", and/or why does Ethereal give me an\n" +" error if I try to capture on that interface? \n" +"\n" +" A: If you are running Ethereal on a UNIX-flavored platform, you may\n" +" need to run Ethereal from an account with sufficient privileges to\n" +" capture packets, such as the super-user account. Only those interfaces\n" +" that Ethereal can open for capturing show up in that list; if you\n" +" don't have sufficient privileges to capture on any interfaces, no\n" +" interfaces will show up in the list.\n" +"\n" +" If you are running Ethereal on Windows NT 4.0, Windows 2000, Windows\n" +" XP, or Windows Server, and this is the first time you have run a\n" +" WinPcap-based program (such as Ethereal, or Tethereal, or WinDump, or\n" +" Analyzer, or...) since the machine was rebooted, you need to run that\n" +" program from an account with administrator privileges; once you have\n" +" run such a program, you will not need administrator privileges to run\n" +" any such programs until you reboot.\n" +"\n" +" If you are running on a UNIX-flavored platform and have sufficient\n" +" privileges, or if you are running on Windows 95/98/Me, or if you are\n" +" running on Windows NT 4.0/2000/XP/Server and have administrator\n" +" privileges or a WinPcap program has been run with those privileges\n" +" since the machine rebooted, then note that Ethereal relies on the\n" +" libpcap library, and on the facilities that come with the OS on which\n" +" it's running in order to do captures; on Windows, it also relies on\n" +" the device driver that comes with WinPcap (which is a version of\n" +" libpcap for Windows).\n" +"\n" +" Therefore, if the OS, the libpcap library, or the WinPcap driver don't\n" +" support capturing on a particular network interface device, Ethereal\n" +" won't be able to capture on that device.\n" +"\n" +" On Linux, note that you need to have \"packet socket\" support enabled\n" +" in your kernel; see the \"Packet socket\" item in the Linux\n" +" \"Configure.help\" file.\n" +"\n" +" On BSD, note that you need to have BPF support enabled in your kernel;\n" +" see the documentation for your system for information on how to enable\n" +" BPF support (if it's not enabled by default on your system).\n" +"\n" +" On DEC OSF/1, Digital UNIX, or Tru64 UNIX, note that you need to have\n" +" packet filtering support in your kernel; the doconfig command will\n" +" allow you to configure and build a new kernel with that option.\n" +"\n" +" On Windows, note that:\n" +" * 2.02 and earlier versions of the WinPcap driver and library that\n" +" Ethereal uses for packet capture didn't support Token Ring\n" +" interfaces; the current version, 2.3, does support Token Ring, and\n" +" the current version of Ethereal works with (and, in fact,\n" +" requires) WinPcap 2.1 or later.\n" +" If you are having problems capturing on Token Ring interfaces, and\n" +" you have WinPcap 2.02 or an earlier version of WinPcap installed,\n" +" you should uninstall WinPcap, download and install the current\n" +" version of WinPcap, and then install the latest version of\n" +" Ethereal.\n" +" * WinPcap doesn't support PPP WAN interfaces on Windows\n" +" NT/2000/XP/Server, so Ethereal cannot capture packets on those\n" +" devices when running on Windows NT/2000/XP/Server. Regular dial-up\n" +" lines, ISDN lines, and various other lines such as T1/E1 lines are\n" +" all PPP interfaces. This may cause the interface not to show up on\n" +" the list of interfaces in the \"Capture Options\" dialog.\n" +" * WinPcap currently does not support multiprocessor machines (note\n" +" that machines with a single multi-threaded processor, such as\n" +" Intel's new multi-threaded x86 processors, are multiprocessor\n" +" machines as far as the OS and WinPcap are concerned), and recent\n" +" versions refuse to operate if they detect that they're running on\n" +" a multiprocessor machine, which means that they may not show any\n" +" network interfaces.\n" +"\n" +" If you are having trouble capturing on a particular network interface,\n" +" and you've made sure that (on platforms that require it) you've\n" +" arranged that packet capture support is present, as per the above,\n" +" first try capturing on that device with tcpdump - or, on Windows, the\n" +" tcpdump port to Windows, named WinDump; see the WinDump Web site, the\n" +" local mirror of the WinDump Web site, or the Wiretapped.net mirror of\n" +" the WinDump site, for information on using WinDump.\n" +"\n" +" If you can capture on the interface with tcpdump/WinDump, send mail to\n" +" ethereal-users@ethereal.com giving full details of the problem,\n" +" including\n" +" * the operating system you're using, and the version of that\n" +" operating system (for Linux, give both the version number of the\n" +" kernel and the name and version number of the distribution you're\n" +" using);\n" +" * the type of network device you're using;\n" +" * the error message you get from Ethereal.\n" +"\n" +" If you cannot capture on the interface with tcpdump/WinDump, this is\n" +" almost certainly a problem with one or more of:\n" +" * the operating system you're using;\n" +" * the device driver for the interface you're using;\n" +" * the libpcap/WinPcap library and, if this is Windows, the WinPcap\n" +" device driver;\n" +"\n" +" so:\n" +" * if you are using Windows, first check the WinPcap FAQ, the local\n" +" mirror of that FAQ, or the Wiretapped.net mirror of that FAQ, to\n" +" see if your problem is mentioned there. If not, then see the\n" +" WinPcap support page (or the local mirror of that page) - check\n" +" the \"Submitting bugs\" section;\n" +" * if you are using some Linux distribution, some version of BSD, or\n" +" some other UNIX-flavored OS, you should report the problem to the\n" +" company or organization that produces the OS (in the case of a\n" +" Linux distribution, report the problem to whoever produces the\n" +" distribution).\n" +"\n" +" You may also want to ask the ethereal-users@ethereal.com and, if this\n" +" is a UNIX-flavored platform, tcpdump-workers@tcpdump.org mailing lists\n" +" to see if anybody happens to know about the problem and know a\n" +" workaround or fix for the problem. In your mail, please give full\n" +" details of the problem, as described above, and also indicate that the\n" +" problem occurs with tcpdump/WinDump, not just with Ethereal.\n" +"\n" +" Q 5.12: I'm running Ethereal on Windows NT/2000/XP/Server; my machine\n" +" has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the\n" +" \"Interface\" item in the \"Capture Options\" dialog box. Why can no\n" +" packets be sent on or received from that network while I'm trying to\n" +" capture traffic on that interface?\n" +"\n" +" A: WinPcap doesn't support PPP WAN interfaces on Windows\n" +" NT/2000/XP/Server; one symptom that may be seen is that attempts to\n" +" capture in promiscuous mode on the interface cause the interface to be\n" +" incapable of sending or receiving packets. You can disable promiscuous\n" +" mode using the -p command-line flag or the item in the \"Capture\n" +" Preferences\" dialog box, but this may mean that outgoing packets, or\n" +" incoming packets, won't be seen in the capture.\n" +"\n" +" Q 5.13: I'm running Ethereal on Windows 95/98/Me, on a machine with\n" +" more than one network adapter of the same type; Ethereal shows all of\n" +" those adapters with the same name, but I can't use any of those\n" +" adapters other than the first one.\n" +"\n" +" A: Unfortunately, Windows 95/98/Me gives the same name to multiple\n" +" instances of the type of same network adapter. Therefore, WinPcap\n" +" cannot distinguish between them, so a WinPcap-based application can\n" +" capture only on the first such interface; Ethereal is a\n" +" libpcap/WinPcap-based application.\n" +"\n" +" Q 5.14: I have an XXX network card on my machine; if I try to capture\n" +" on it, my machine crashes or resets itself. \n" +"\n" +" A: This is almost certainly a problem with one or more of:\n" +" * the operating system you're using;\n" +" * the device driver for the interface you're using;\n" +" * the libpcap/WinPcap library and, if this is Windows, the WinPcap\n" +" device driver;\n" +"\n" +" so:\n" +" * if you are using Windows, see the WinPcap support page (or the\n" +" local mirror of that page) - check the \"Submitting bugs\" section;\n" +" * if you are using some Linux distribution, some version of BSD, or\n" +" some other UNIX-flavored OS, you should report the problem to the\n" +" company or organization that produces the OS (in the case of a\n" +" Linux distribution, report the problem to whoever produces the\n" +" distribution).\n" +"\n" +" Q 5.15: My machine crashes or resets itself when I select \"Start\" from\n" +" the \"Capture\" menu or select \"Preferences\" from the \"Edit\" menu. \n" +"\n" +" A: Both of those operations cause Ethereal to try to build a list of\n" +" the interfaces that it can open; it does so by getting a list of\n" +" interfaces and trying to open them. There is probably an OS, driver,\n" +" or, for Windows, WinPcap bug that causes the system to crash when this\n" +" happens; see the previous question.\n" +"\n" +" Q 5.16: Does Ethereal work on Windows ME? \n" +"\n" +" A: Yes, but if you want to capture packets, you will need to install\n" +" the latest version of WinPcap, as 2.02 and earlier versions of WinPcap\n" +" didn't support Windows ME. You should also install the latest version\n" +" of Ethereal as well.\n" +"\n" +" Q 5.17: Does Ethereal work on Windows XP? \n" +"\n" +" A: Yes, but if you want to capture packets, you will need to install\n" +" the latest version of WinPcap, as 2.2 and earlier versions of WinPcap\n" +" didn't support Windows XP.\n" +"\n" +" Q 5.18: Why doesn't Ethereal correctly identify RTP packets? It shows\n" +" them only as UDP.\n" +"\n" +" A: Ethereal can identify a UDP datagram as containing a packet of a\n" +" particular protocol running atop UDP only if\n" +" 1. The protocol in question has a particular standard port number,\n" +" and the UDP source or destination port number is that port\n" +" 2. Packets of that protocol can be identified by looking for a\n" +" \"signature\" of some type in the packet - i.e., some data that, if\n" +" Ethereal finds it in some particular part of a packet, means that\n" +" the packet is almost certainly a packet of that type.\n" +" 3. Some other traffic earlier in the capture indicated that, for\n" +" example, UDP traffic between two particular addresses and ports\n" +" will be RTP traffic.\n" +"\n" +" RTP doesn't have a standard port number, so 1) doesn't work; it\n" +" doesn't, as far as I know, have any \"signature\", so 2) doesn't work.\n" +"\n" +" That leaves 3). If there's RTSP traffic that sets up an RTP session,\n" +" then, at least in some cases, the RTSP dissector will set things up so\n" +" that subsequent RTP traffic will be identified. Currently, that's the\n" +" only place we do that; there may be other places.\n" +"\n" +" However, there will always be places where Ethereal is simply\n" +" incapable of deducing that a given UDP flow is RTP; a mechanism would\n" +" be needed to allow the user to specify that a given conversation\n" +" should be treated as RTP. As of Ethereal 0.8.16, such a mechanism\n" +" exists; if you select a UDP or TCP packet, the right mouse button menu\n" +" will have a \"Decode As...\" menu item, which will pop up a dialog box\n" +" letting you specify that the source port, the destination port, or\n" +" both the source and destination ports of the packet should be\n" +" dissected as some particular protocol.\n" +"\n" +" Q 5.19: Why doesn't Ethereal show Yahoo Messenger packets in captures\n" +" that contain Yahoo Messenger traffic?\n" +"\n" +" A: Ethereal only recognizes as Yahoo Messenger traffic packets to or\n" +" from TCP port 3050 that begin with \"YPNS\" or \"YHOO\". This means that\n" +" 1. TCP segments that start with the middle of a Yahoo Messenger\n" +" packet that takes more than one TCP segment will not be recognized\n" +" as Yahoo Messenger packets (even if the TCP segment also contains\n" +" the beginning of another Yahoo Messenger packet);\n" +" 2. Yahoo Messenger packets that begin with \"YMSG\", as packets for\n" +" some versions of the protocol apparently do, will not be\n" +" recognized as Yahoo Messenger packets.\n" +"\n" +" Q 5.20: Why do I get the error \n" +"\n" +" Gdk-ERROR **: Palettized display (256-colour) mode not supported on\n" +" Windows.\n" +" aborting....\n" +"\n" +" when I try to run Ethereal on Windows?\n" +"\n" +" A: Ethereal is built using the GTK+ toolkit, which supports most\n" +" UNIX-flavored OSes, and also supports Windows; that toolkit doesn't\n" +" support 256-color mode on Windows - it requires HiColor (16-bit\n" +" colors) or more. If your display supports more than 256 colors, switch\n" +" to a display mode with more colors; if it doesn't support more than\n" +" 256 colors, you will be unable to run Ethereal.\n" +"\n" +" Q 5.21: When I capture on Windows in promiscuous mode, I can see\n" +" packets other than those sent to or from my machine; however, those\n" +" packets show up with a \"Short Frame\" indication, unlike packets to or\n" +" from my machine. What should I do to arrange that I see those packets\n" +" in their entirety? \n" +"\n" +" A: In at least some cases, this appears to be the result of PGPnet\n" +" running on the network interface on which you're capturing; turn it\n" +" off on that interface.\n" +"\n" +" Q 5.22: How can I capture raw 802.11 packets, including non-data\n" +" (management, beacon) packets? \n" +"\n" +" A: The answer to this depends on the operating system on which you're\n" +" running and the 802.11 interface you're using.\n" +"\n" +" Cisco Aironet cards:\n" +"\n" +" The only platforms that allow Ethereal to capture raw 802.11 packets\n" +" on Cisco Aironet cards are:\n" +" * Linux, with a 2.4.6 or later kernel;\n" +" * FreeBSD 4.6 or later, as the driver in FreeBSD 4.5 has bugs that\n" +" cause packets not to be captured correctly, and the driver in\n" +" releases prior to 4.5 didn't support capturing raw packets.\n" +"\n" +" On FreeBSD, the ancontrol utility must be used; do not enable the full\n" +" Aironet header via BPF, as Ethereal doesn't currently support that.\n" +"\n" +" On Linux, you will need to do\n" +"\n" +"echo \"Mode: rfmon\" >/proc/driver/aironet/ethN/Config\n" +"\n" +" if your Aironet card is ethN. To capture traffic from any BSS, do\n" +"\n" +"echo \"Mode: y\" >/proc/driver/aironet/ethN/Config\n" +"\n" +" and to return to the normal mode, do\n" +"\n" +"echo \"Mode: ess\" >/proc/driver/aironet/ethN/Config\n" +"\n" +" In either case, Ethereal would have to be linked with libpcap 0.7.1 or\n" +" later; this means that most Ethereal binary packages won't work unless\n" +" they're statically linked with libpcap 0.7.1 or later, or they're\n" +" dynamically linked with libpcap and your system has a libpcap 0.7.1 or\n" +" later shared library installed (note that libpcap source package from\n" +" tcpdump.org does not build shared libraries).\n" +"\n" +" Cards using the Prism II chip set (see this page of Linux 802.11\n" +" information for details on wireless cards, including information on\n" +" the chips they use):\n" +"\n" +" You can capture raw 802.11 packets with Prism II cards on Linux\n" +" systems with the 0.1.14-pre1 or later version of the linux-wlan-ng\n" +" drivers (see the linux-wlan page, and the linux-wlan-ng tarball\n" +" directory), or with Solomon Peachy's patches to the linux-wlan-ng\n" +" 0.1.13 drivers (see the `0132-packet-v71.diff' link on his software\n" +" page; the patch speaks of 0.1.13-pre2, but appears to apply to 0.1.13\n" +" as well). If you are using the 0.1.13 drivers, you might also want his\n" +" `0132-promisc-v23.diff' patch as well; if you are using the\n" +" 0.1.14-pre1 drivers, you might also want his\n" +" `014p1-promiscfixes-v1.diff' patches - both of those are already in\n" +" 0.1.14-pre2.\n" +"\n" +" Those require either Solomon's patch to libpcap 0.7.1 (see his\n" +" `libpcap-0.7.1-prism.diff' file, or his RPMs of that version of\n" +" libpcap), or the current CVS version of libpcap, which includes his\n" +" patch (download it from the `Current Tar files' section of the\n" +" tcpdump.org Web site).\n" +"\n" +" You may have to run a command to put the interface into monitor mode,\n" +" or to change other interface settings.\n" +" Earlier versions of the linux-wlan-ng drivers don't allow Ethereal to\n" +" directly capture raw 802.11 packets on Prism II cards; however, on\n" +" Linux systems with the linux-wlan-ng drivers version 0.1.6, the\n" +" Prismdump utility can be used to capture packets; it saves packets in\n" +" a form that Ethereal can read. Prismdump can be downloaded from this\n" +" page on the developer.axis.com Web site.\n" +"\n" +" On other platforms, capturing raw 802.11 packets on Prism II cards is\n" +" not currently supported.\n" +"\n" +" Orinoco Silver and Gold cards:\n" +"\n" +" On Linux systems, when using either the orinoco_cs-0.09b driver or the\n" +" driver in at least some versions of the Linux kernel, the\n" +" `orinoco-09b-packet-1.diff' patch on the Orinoco Monitor Mode Patch\n" +" Page should allow you to do capture raw 802.11 packets.\n" +"\n" +" The patch appears to apply to the driver in the 2.4.18 kernel, but we\n" +" don't know whether it works; the directions on that page are for the\n" +" pcmcia-cs drivers, not for the driver in the kernel itself.\n" +" Note that the page indicates that not all versions of the Orinoco\n" +" firmware support this patch. The Orinoco patches require Solomon\n" +" Peachy's libpcap patches.\n" +"\n" +" On other platforms, capturing raw 802.11 packets on Orinoco cards is\n" +" not currently supported.\n" +"\n" +" Other 802.11 interfaces:\n" +"\n" +" With other 802.11 interfaces, no platform allows Ethereal to capture\n" +" raw 802.11 packets, as far as we know. If you know of other 802.11\n" +" interfaces that are supported (note that there are many `Prism II\n" +" cards', so your card might be a Prism II card), please let us know,\n" +" and include URLs for sites containing any necessary patches to add\n" +" this support.\n" +"\n" +" On platforms that don't allow Ethereal to capture raw 802.11 packets,\n" +" the 802.11 network will appear like an Ethernet to Ethereal.\n" +"\n" +" Q 5.23: How can I capture packets with CRC errors? \n" +"\n" +" A: Ethereal can capture only the packets that the packet capture\n" +" library - libpcap on UNIX-flavored OSes, and the WinPcap port to\n" +" Windows of libpcap on Windows - can capture, and libpcap/WinPcap can\n" +" capture only the packets that the OS's raw packet capture mechanism\n" +" (or the WinPcap driver, and the underlying OS networking code and\n" +" network interface drivers, on Windows) will allow it to capture.\n" +"\n" +" Unless the OS can be configured to supply packets with errors such as\n" +" invalid CRCs to the raw packet capture mechanism, Ethereal - and other\n" +" programs that capture raw packets, such as tcpdump - cannot capture\n" +" those packets. You will have to determine whether your OS can be so\n" +" configured, configure it if possible, and make whatever changes to\n" +" libpcap and the packet capture program you're using are necessary to\n" +" support capturing those packets.\n" +"\n" +" Q 5.24: How can I capture entire frames, including the FCS? \n" +"\n" +" A: Ethereal can't capture any data that the packet capture library -\n" +" libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of\n" +" libpcap on Windows - can capture, and libpcap/WinPcap can capture only\n" +" the data that the OS's raw packet capture mechanism (or the WinPcap\n" +" driver, and the underlying OS networking code and network interface\n" +" drivers, on Windows) will allow it to capture.\n" +"\n" +" For any particular link-layer network type, unless the OS supplies the\n" +" FCS of a frame as part of the frame, or can be configured to supply\n" +" the FCS of a frame as part of the frame, Ethereal - and other programs\n" +" that capture raw packets, such as tcpdump - cannot capture the FCS of\n" +" a frame. You will have to determine whether your OS can be so\n" +" configured, configure it if possible, and make whatever changes to\n" +" libpcap and the packet capture program you're using are necessary to\n" +" support capturing the FCS of a frame. Most if not all OSes probably do\n" +" not support capturing the FCS of a frame on Ethernet, and probably do\n" +" not support it on most other link-layer types.\n" +"\n" +" Q 5.25: Ethereal hangs after I stop a capture. \n" +"\n" +" A: The most likely reason for this is that Ethereal is trying to look\n" +" up an IP address in the capture to convert it to a name (so that, for\n" +" example, it can display the name in the source address or destination\n" +" address columns), and that lookup process is taking a very long time.\n" +"\n" +" Ethereal calls a routine in the OS of the machine on which it's\n" +" running to convert of IP addresses to the corresponding names. That\n" +" routine probably does one or more of:\n" +" * a search of a system file listing IP addresses and names;\n" +" * a lookup using DNS;\n" +" * on UNIX systems, a lookup using NIS;\n" +" * on Windows systems, a NetBIOS-over-TCP query.\n" +"\n" +" If a DNS server that's used in an address lookup is not responding,\n" +" the lookup will fail, but will only fail after a timeout while the\n" +" system routine waits for a reply.\n" +"\n" +" In addition, on Windows systems, if the DNS lookup of the address\n" +" fails, either because the server isn't responding or because there are\n" +" no records in the DNS that could be used to map the address to a name,\n" +" a NetBIOS-over-TCP query will be made. That query involves sending a\n" +" message to the NetBIOS-over-TCP name service on that machine, asking\n" +" for the name and other information about the machine. If the machine\n" +" isn't running software that responds to those queries - for example,\n" +" many non-Windows machines wouldn't be running that software - the\n" +" lookup will only fail after a timeout. Those timeouts can cause the\n" +" lookup to take a long time.\n" +"\n" +" If you disable network address-to-name translation - for example, by\n" +" turning off the `Enable network name resolution' option in the `Name\n" +" resolution' options in the dialog box you get by selecting\n" +" `Preferences' from the `Edit' menu - the lookups of the address won't\n" +" be done, which may speed up the process of reading the capture file\n" +" after the capture is stopped. You can make that setting the default by\n" +" using the `Save' button in that dialog box; note that this will save\n" +" all your current preference settings.\n" +"\n" +" If Ethereal hangs when reading a capture even with network name\n" +" resolution turned off, there might, for example, be a bug in one of\n" +" Ethereal's dissectors for a protocol causing it to loop infinitely.\n" +" The bug should be reported to the Ethereal developers' mailing list at\n" +" ethereal-dev@ethereal.com.\n" +"\n" +" On UNIX-flavored OSes, please try to force Ethereal to dump core, by\n" +" sending it a SIGABRT signal (usually signal 6) with the kill command,\n" +" and then get a stack trace if you have a debugger installed. A stack\n" +" trace can be obtained by using your debugger (gdb in this example),\n" +" the Ethereal binary, and the resulting core file. Here's an example of\n" +" how to use the gdb command backtrace to do so.\n" +" $ gdb ethereal core\n" +" (gdb) backtrace\n" +" ..... prints the stack trace\n" +" (gdb) quit\n" +" $\n" +"\n" +" The core dump file may be named \"ethereal.core\" rather than \"core\" on\n" +" some platforms (e.g., BSD systems)\n" +"\n" +" Also, if at all possible, please send a copy of the capture file that\n" +" caused the problem; when capturing packets, Ethereal normally writes\n" +" captured packets to a temporary file, which will probably be in /tmp\n" +" or /var/tmp on UNIX-flavored OSes and \\TEMP on Windows, so the capture\n" +" file will probably be there. It will have a name beginning with ether,\n" +" with some mixture of letters and numbers after that. Please don't send\n" +" a trace file greater than 1 MB when compressed. If the trace file\n" +" contains sensitive information (e.g., passwords), then please do not\n" +" send it.\n" +"\n" +" Q 5.26: How can I search for, or filter, packets that have a\n" +" particular string anywhere in them? \n" +"\n" +" A: Currently, you can't.\n" +"\n" +" That's a feature that would be hard to implement in capture filters\n" +" without changes to the capture filter code, which, on many platforms,\n" +" is in the OS kernel and, on other platforms, is in the libpcap\n" +" library.\n" +"\n" +" It would be easier to implement in display filters, but it hasn't been\n" +" implemented yet. It would be best implemented as a display filter\n" +" \"string match\" operator, which would let you check not only the entire\n" +" packet for a string, but check portions of the packet for a string. It\n" +" should probably not use a naive string matching mechanism, as there\n" +" are mechanisms much faster than the naive one.\n" +"\n" +"\n" +" Support can be found on the ethereal-users[AT]ethereal.com mailing\n" +" list. \n" +" For corrections/additions/suggestions for this page, please send email\n" +" to: ethereal-web[AT]ethereal.com\n" +" Last modified: Thu, January 16 2003.\n" diff --git a/Makefile.am b/Makefile.am index 81ce767ee3..cc20fc4ffe 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,7 @@ # Makefile.am # Automake file for Ethereal # -# $Id: Makefile.am,v 1.548 2003/01/25 00:22:49 guy Exp $ +# $Id: Makefile.am,v 1.549 2003/01/29 12:58:45 jmayer Exp $ # # Ethereal - Network traffic analyzer # By Gerald Combs <gerald@ethereal.com> @@ -1026,6 +1026,7 @@ DISTCLEANFILES = \ EXTRA_DIST = \ Ethereal.desktop \ FAQ \ + FAQ.include \ INSTALL.configure \ Makefile.nmake \ README.aix \ diff --git a/gtk/help_dlg.c b/gtk/help_dlg.c index f44b48d9dd..4242af7b0e 100644 --- a/gtk/help_dlg.c +++ b/gtk/help_dlg.c @@ -1,6 +1,6 @@ /* help_dlg.c * - * $Id: help_dlg.c,v 1.30 2003/01/26 19:35:31 deniel Exp $ + * $Id: help_dlg.c,v 1.31 2003/01/29 12:58:48 jmayer Exp $ * * Laurent Deniel <laurent.deniel@free.fr> * @@ -47,7 +47,8 @@ typedef enum { OVERVIEW_HELP, PROTOCOL_HELP, DFILTER_HELP, - CFILTER_HELP + CFILTER_HELP, + FAQ_HELP } help_type_t; static void help_close_cb(GtkWidget *w, gpointer data); @@ -60,13 +61,13 @@ static void set_help_text(GtkWidget *w, help_type_t type); * if somebody tries to do "Help->Help" while there's already a * "Help" window up, we just pop up the existing one, rather than * creating a new one. - */ +*/ static GtkWidget *help_w = NULL; /* * Keep static pointers to the text widgets as well. */ -GtkWidget *overview_text, *proto_text, *dfilter_text, *cfilter_text; +GtkWidget *overview_text, *proto_text, *dfilter_text, *faq_text, *cfilter_text; void help_cb(GtkWidget *w _U_, gpointer data _U_) { @@ -79,6 +80,7 @@ void help_cb(GtkWidget *w _U_, gpointer data _U_) #else *dfilter_vb, #endif + *faq_vb, *cfilter_vb; if (help_w != NULL) { @@ -247,6 +249,36 @@ void help_cb(GtkWidget *w _U_, gpointer data _U_) gtk_notebook_append_page(GTK_NOTEBOOK(help_nb), dfilter_vb, label); #endif + /* FAQ help (this one has no horizontal scrollbar) */ + + faq_vb = gtk_vbox_new(FALSE, 0); + gtk_container_border_width(GTK_CONTAINER(faq_vb), 1); + txt_scrollw = scrolled_window_new(NULL, NULL); + gtk_box_pack_start(GTK_BOX(faq_vb), txt_scrollw, TRUE, TRUE, 0); +#if GTK_MAJOR_VERSION < 2 + gtk_scrolled_window_set_policy(GTK_SCROLLED_WINDOW(txt_scrollw), + GTK_POLICY_NEVER, + GTK_POLICY_ALWAYS); + faq_text = gtk_text_new(NULL, NULL ); + gtk_text_set_editable(GTK_TEXT(faq_text), FALSE); + gtk_text_set_word_wrap(GTK_TEXT(faq_text), TRUE); + gtk_text_set_line_wrap(GTK_TEXT(faq_text), TRUE); +#else + gtk_scrolled_window_set_policy(GTK_SCROLLED_WINDOW(txt_scrollw), + GTK_POLICY_NEVER, + GTK_POLICY_AUTOMATIC); + faq_text = gtk_text_view_new(); + gtk_text_view_set_editable(GTK_TEXT_VIEW(faq_text), FALSE); + gtk_text_view_set_wrap_mode(GTK_TEXT_VIEW(faq_text), GTK_WRAP_WORD); +#endif + set_help_text(faq_text, FAQ_HELP); + gtk_container_add(GTK_CONTAINER(txt_scrollw), faq_text); + gtk_widget_show(txt_scrollw); + gtk_widget_show(faq_text); + gtk_widget_show(faq_vb); + label = gtk_label_new("FAQ"); + gtk_notebook_append_page(GTK_NOTEBOOK(help_nb), faq_vb, label); + /* capture filter help (this one has no horizontal scrollbar) */ cfilter_vb = gtk_vbox_new(FALSE, 0); @@ -337,6 +369,10 @@ static char *dfilter_help = "The following per-protocol fields can be used in display\n" "filters:\n"; +static char *faq_help = +#include "../FAQ.include" +"\n"; + static char *cfilter_help = "Packet capturing is performed with the pcap library. The capture filter " "syntax follows the rules of this library.\nSo this syntax is different " @@ -508,6 +544,9 @@ static void set_help_text(GtkWidget *w, help_type_t type) WIDGET_SET_SIZE(w, 20 + width, 20 + height); #endif break; + case FAQ_HELP : + insert_text(w, faq_help, -1); + break; case CFILTER_HELP : insert_text(w, cfilter_help, -1); break; @@ -1,6 +1,6 @@ #!/bin/sh -x # -# $Id: make-faq,v 1.1 2002/08/20 00:01:52 jmayer Exp $ +# $Id: make-faq,v 1.2 2003/01/29 12:58:45 jmayer Exp $ # # Make-faq - Creates a plain text version of the Ethereal FAQ # from http://www.ethereal.com/faq @@ -14,7 +14,7 @@ cat >$FAQ <<EOF Note: This is just an ASCII snapshot of the faq and may not be up to date. Please go to http://www.ethereal.com/faq for the up to - date version. The version of the snapshot can be found at the + date version. The version of this snapshot can be found at the end of this document. INDEX @@ -23,4 +23,7 @@ EOF lynx -dump -nolist "http://www.ethereal.com/faq" | sed -e '1,/INDEX/d' >>FAQ +# Create an #include'able version for gtk/help_dlg.c +sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/^/"/' -e 's/$/\\n"/' <FAQ >FAQ.include + exit 0 |