nexmon – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | General Information |
| 2 | ------- ----------- |
||
| 3 | |||
| 4 | Wireshark is a network traffic analyzer, or "sniffer", for Unix and |
||
| 5 | Unix-like operating systems. It uses GTK+, a graphical user interface |
||
| 6 | library, and libpcap, a packet capture and filtering library. |
||
| 7 | |||
| 8 | The Wireshark distribution also comes with TShark, which is a |
||
| 9 | line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the |
||
| 10 | same dissection, capture-file reading and writing, and packet filtering |
||
| 11 | code as Wireshark, and with editcap, which is a program to read capture |
||
| 12 | files and write the packets from that capture file, possibly in a |
||
| 13 | different capture file format, and with some packets possibly removed |
||
| 14 | from the capture. |
||
| 15 | |||
| 16 | The official home of Wireshark is |
||
| 17 | |||
| 18 | http://www.wireshark.org |
||
| 19 | |||
| 20 | The latest distribution can be found in the subdirectory |
||
| 21 | |||
| 22 | http://www.wireshark.org/download |
||
| 23 | |||
| 24 | |||
| 25 | Installation |
||
| 26 | ------------ |
||
| 27 | |||
| 28 | Wireshark is known to compile and run on the following systems: |
||
| 29 | |||
| 30 | - Linux (2.0 and later kernels, various distributions) |
||
| 31 | - Solaris (2.5.1 and later) |
||
| 32 | - FreeBSD (2.2.5 and later) |
||
| 33 | - NetBSD |
||
| 34 | - OpenBSD |
||
| 35 | - OS X (10.2 and later) |
||
| 36 | - HP-UX (10.20, 11.00, 11.11) |
||
| 37 | - Sequent PTX v4.4.5 (Nick Williams <njw@sequent.com>) |
||
| 38 | - Tru64 UNIX (formerly Digital UNIX) (3.2 and later) |
||
| 39 | - Irix (6.5) |
||
| 40 | - AIX (4.3.2, with a bit of work) |
||
| 41 | - Windows (2003, XP, Vista, 7) |
||
| 42 | |||
| 43 | and possibly on other versions of those OSes. It should run on other |
||
| 44 | Unix-ish systems without too much trouble. |
||
| 45 | |||
| 46 | If you have an older version of the operating systems listed above, it |
||
| 47 | might be supported by an older version of Wireshark. In particular, |
||
| 48 | Windows 2000 is supported by Wireshark 1.2.x, Windows NT 4.0 is supported by |
||
| 49 | Wireshark 0.99.4, and Windows 95, 98, and ME are supported by Ethereal 0.99.0. |
||
| 50 | |||
| 51 | NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to |
||
| 52 | work with the "make" that comes with Solaris 7 nor the BSD "make". |
||
| 53 | |||
| 54 | Both Perl and Python are needed, the former for building the man pages. |
||
| 55 | |||
| 56 | If you decide to modify the yacc grammar or lex scanner, then |
||
| 57 | you need "flex" - it cannot be built with vanilla "lex" - |
||
| 58 | and either "bison" or the Berkeley "yacc". Your flex |
||
| 59 | version must be 2.5.1 or greater. Check this with 'flex -V'. |
||
| 60 | |||
| 61 | You must therefore install Perl, Python, GNU "make", "flex", and either "bison" |
||
| 62 | or Berkeley "yacc" on systems that lack them. |
||
| 63 | |||
| 64 | Full installation instructions can be found in the INSTALL file. |
||
| 65 | |||
| 66 | See also the appropriate README.<OS> files for OS-specific installation |
||
| 67 | instructions. |
||
| 68 | |||
| 69 | Usage |
||
| 70 | ----- |
||
| 71 | |||
| 72 | In order to capture packets from the network, you need to make the |
||
| 73 | dumpcap program set-UID to root, or you need to have access to the |
||
| 74 | appropriate entry under /dev if your system is so inclined (BSD-derived |
||
| 75 | systems, and systems such as Solaris and HP-UX that support DLPI, |
||
| 76 | typically fall into this category). Although it might be tempting to |
||
| 77 | make the Wireshark and TShark executables setuid root, or to run them as |
||
| 78 | root please don't. The capture process has been isolated in dumpcap; |
||
| 79 | this simple program is less likely to contain security holes, and thus |
||
| 80 | safer to run as root. |
||
| 81 | |||
| 82 | Please consult the man page for a description of each command-line |
||
| 83 | option and interface feature. |
||
| 84 | |||
| 85 | |||
| 86 | Multiple File Types |
||
| 87 | ------------------- |
||
| 88 | |||
| 89 | The wiretap library is a packet-capture library currently under |
||
| 90 | development parallel to wireshark. In the future it is hoped that |
||
| 91 | wiretap will have more features than libpcap, but wiretap is still in |
||
| 92 | its infancy. However, wiretap is used in wireshark for its ability |
||
| 93 | to read multiple file types. See the Wireshark man page or the |
||
| 94 | Wireshark User's Guide for a list of supported file formats. |
||
| 95 | |||
| 96 | In addition, it can read gzipped versions of any of those files |
||
| 97 | automatically, if you have the zlib library available when compiling |
||
| 98 | Wireshark. Wireshark needs a modern version of zlib to be able to use |
||
| 99 | zlib to read gzipped files; version 1.1.3 is known to work. Versions |
||
| 100 | prior to 1.0.9 are missing some functions that Wireshark needs and won't |
||
| 101 | work. "./configure" should detect if you have the proper zlib version |
||
| 102 | available and, if you don't, should disable zlib support. You can always |
||
| 103 | use "./configure --disable-zlib" to explicitly disable zlib support. |
||
| 104 | |||
| 105 | Although Wireshark can read AIX iptrace files, the documentation on |
||
| 106 | AIX's iptrace packet-trace command is sparse. The 'iptrace' command |
||
| 107 | starts a daemon which you must kill in order to stop the trace. Through |
||
| 108 | experimentation it appears that sending a HUP signal to that iptrace |
||
| 109 | daemon causes a graceful shutdown and a complete packet is written |
||
| 110 | to the trace file. If a partial packet is saved at the end, Wireshark |
||
| 111 | will complain when reading that file, but you will be able to read all |
||
| 112 | other packets. If this occurs, please let the Wireshark developers know |
||
| 113 | at wireshark-dev@wireshark.org, and be sure to send us a copy of that trace |
||
| 114 | file if it's small and contains non-sensitive data. |
||
| 115 | |||
| 116 | Support for Lucent/Ascend products is limited to the debug trace output |
||
| 117 | generated by the MAX and Pipline series of products. Wireshark can read |
||
| 118 | the output of the "wandsession" "wandisplay", "wannext", and "wdd" |
||
| 119 | commands. |
||
| 120 | |||
| 121 | Wireshark can also read dump trace output from the Toshiba "Compact Router" |
||
| 122 | line of ISDN routers (TR-600 and TR-650). You can telnet to the router |
||
| 123 | and start a dump session with "snoop dump". |
||
| 124 | |||
| 125 | CoSine L2 debug output can also be read by Wireshark. To get the L2 |
||
| 126 | debug output, get in the diags mode first and then use |
||
| 127 | "create-pkt-log-profile" and "apply-pkt-log-profile" commands under |
||
| 128 | layer-2 category. For more detail how to use these commands, you |
||
| 129 | should examine the help command by "layer-2 create ?" or "layer-2 apply ?". |
||
| 130 | |||
| 131 | To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must |
||
| 132 | capture the trace output to a file on disk. The trace is happening inside |
||
| 133 | the router and the router has no way of saving the trace to a file for you. |
||
| 134 | An easy way of doing this under Unix is to run "telnet <ascend> | tee <outfile>". |
||
| 135 | Or, if your system has the "script" command installed, you can save |
||
| 136 | a shell session, including telnet to a file. For example, to a file named |
||
| 137 | tracefile.out: |
||
| 138 | |||
| 139 | $ script tracefile.out |
||
| 140 | Script started on <date/time> |
||
| 141 | $ telnet router |
||
| 142 | ..... do your trace, then exit from the router's telnet session. |
||
| 143 | $ exit |
||
| 144 | Script done on <date/time> |
||
| 145 | |||
| 146 | |||
| 147 | |||
| 148 | IPv6 |
||
| 149 | ---- |
||
| 150 | If your operating system includes IPv6 support, wireshark will attempt to |
||
| 151 | use reverse name resolution capabilities when decoding IPv6 packets. |
||
| 152 | |||
| 153 | If you want to turn off name resolution while using wireshark, start |
||
| 154 | wireshark with the "-n" option to turn off all name resolution (including |
||
| 155 | resolution of MAC addresses and TCP/UDP/SMTP port numbers to names), or |
||
| 156 | with the "-N mt" option to turn off name resolution for all |
||
| 157 | network-layer addresses (IPv4, IPv6, IPX). |
||
| 158 | |||
| 159 | You can make that the default setting by opening the Preferences dialog |
||
| 160 | box using the Preferences item in the Edit menu, selecting "Name |
||
| 161 | resolution", turning off the appropriate name resolution options, |
||
| 162 | clicking "Save", and clicking "OK". |
||
| 163 | |||
| 164 | If you would like to compile wireshark without support for IPv6 name |
||
| 165 | resolution, use the "--disable-ipv6" option with "./configure". If you |
||
| 166 | compile wireshark without IPv6 name resolution, you will still be able to |
||
| 167 | decode IPv6 packets, but you'll only see IPv6 addresses, not host names. |
||
| 168 | |||
| 169 | |||
| 170 | SNMP |
||
| 171 | ---- |
||
| 172 | Wireshark can do some basic decoding of SNMP packets; it can also use |
||
| 173 | the libsmi library to do more sophisticated decoding, by reading MIB |
||
| 174 | files and using the information in those files to display OIDs and |
||
| 175 | variable binding values in a friendlier fashion. The configure script |
||
| 176 | will automatically determine whether you have the libsmi library on |
||
| 177 | your system. If you have the libsmi library but _do not_ want to have |
||
| 178 | Wireshark use it, you can run configure with the "--without-libsmi" |
||
| 179 | option. |
||
| 180 | |||
| 181 | How to Report a Bug |
||
| 182 | ------------------- |
||
| 183 | Wireshark is still under constant development, so it is possible that you will |
||
| 184 | encounter a bug while using it. Please report bugs at http://bugs.wireshark.org. |
||
| 185 | Be sure you enter into the bug: |
||
| 186 | |||
| 187 | 1) the complete build information from the "About Wireshark" |
||
| 188 | item in the Help menu or the output of "wireshark -v" for |
||
| 189 | Wireshark bugs and the output of "tshark -v" for TShark bugs; |
||
| 190 | |||
| 191 | 2) if the bug happened on Linux, the Linux distribution you were |
||
| 192 | using, and the version of that distribution; |
||
| 193 | |||
| 194 | 3) the command you used to invoke Wireshark, if you ran |
||
| 195 | Wireshark from the command line, or TShark, if you ran |
||
| 196 | TShark, and the sequence of operations you performed that |
||
| 197 | caused the bug to appear. |
||
| 198 | |||
| 199 | If the bug is produced by a particular trace file, please be sure to |
||
| 200 | attach to the bug a trace file along with your bug description. If the |
||
| 201 | trace file contains sensitive information (e.g., passwords), then please |
||
| 202 | do not send it. |
||
| 203 | |||
| 204 | If Wireshark died on you with a 'segmentation violation', 'bus error', |
||
| 205 | 'abort', or other error that produces a UNIX core dump file, you can |
||
| 206 | help the developers a lot if you have a debugger installed. A stack |
||
| 207 | trace can be obtained by using your debugger ('gdb' in this example), |
||
| 208 | the wireshark binary, and the resulting core file. Here's an example of |
||
| 209 | how to use the gdb command 'backtrace' to do so. |
||
| 210 | |||
| 211 | $ gdb wireshark core |
||
| 212 | (gdb) backtrace |
||
| 213 | ..... prints the stack trace |
||
| 214 | (gdb) quit |
||
| 215 | $ |
||
| 216 | |||
| 217 | The core dump file may be named "wireshark.core" rather than "core" on |
||
| 218 | some platforms (e.g., BSD systems). If you got a core dump with |
||
| 219 | TShark rather than Wireshark, use "tshark" as the first argument to |
||
| 220 | the debugger; the core dump may be named "tshark.core". |
||
| 221 | |||
| 222 | Disclaimer |
||
| 223 | ---------- |
||
| 224 | |||
| 225 | There is no warranty, expressed or implied, associated with this product. |
||
| 226 | Use at your own risk. |
||
| 227 | |||
| 228 | |||
| 229 | Gerald Combs <gerald@wireshark.org> |
||
| 230 | Gilbert Ramirez <gram@alumni.rice.edu> |
||
| 231 | Guy Harris <guy@alum.mit.edu> |