Name                            Date         Size
..                              16-Mar-2016  12 KiB
.bzrignore                      30-Nov-2015  4.2 KiB
.gitattributes                  12-Jun-2015  318
.gitignore                      30-Nov-2015  4.2 KiB
.gitreview                      24-Feb-2014  108
.mailmap                        09-Nov-2015  4.7 KiB
.travis.yml                     09-Nov-2015  696
.tx/                            09-Nov-2015  4 KiB
abi-descriptor.template         30-Nov-2015  377
acinclude.m4                    30-Nov-2015  62.8 KiB
aclocal-fallback/               09-Dec-2015  4 KiB
aclocal-flags                   01-Apr-2014  5.1 KiB
adns_dll.dep                    24-Feb-2014  1.5 KiB
adns_dll.rc                     24-Feb-2014  2.6 KiB
asn1/                           30-Nov-2015  4 KiB
AUTHORS                         09-Dec-2015  103.9 KiB
autogen.sh                      30-Dec-2014  4.8 KiB
capchild/                       30-Nov-2015  4 KiB
capinfos.c                      15-Dec-2015  49.8 KiB
capture_info.c                  15-Dec-2015  8.4 KiB
capture_info.h                  14-Dec-2015  2.7 KiB
capture_opts.c                  14-Dec-2015  50.1 KiB
capture_opts.h                  14-Dec-2015  14.2 KiB
capture_stop_conditions.c       09-Nov-2015  7.8 KiB
capture_stop_conditions.h       13-Oct-2014  1.3 KiB
captype.c                       15-Dec-2015  6.2 KiB
caputils/                       01-Dec-2015  4 KiB
cfile.c                         13-Oct-2014  2.1 KiB
cfile.h                         24-Jun-2015  6.6 KiB
cfilters                        20-Aug-2015  575
ChangeLog                       10-Sep-2015  247.5 KiB
cmake/                          05-Mar-2014  4 KiB
cmakeconfig.h.in                14-Dec-2015  13.3 KiB
CMakeLists.txt                  15-Dec-2015  78.3 KiB
CMakeListsCustom.txt.example    30-Nov-2015  985
CMakeOptions.txt                20-Nov-2015  4.2 KiB
codecs/                         09-Dec-2015  4 KiB
color.h                         17-Oct-2014  2.2 KiB
color_filters.c                 07-Aug-2015  24.4 KiB
color_filters.h                 07-Aug-2015  6.3 KiB
colorfilters                    24-Aug-2015  1.9 KiB
conditions.c                    25-Aug-2014  6.7 KiB
conditions.h                    17-Oct-2014  4.5 KiB
config.guess                    24-Feb-2014  44.2 KiB
config.h.win32                  30-Nov-2015  7.3 KiB
config.nmake                    14-Dec-2015  57.1 KiB
config.sub                      24-Feb-2014  34.7 KiB
configure.ac                    15-Dec-2015  94.7 KiB
ConfigureChecks.cmake           15-Dec-2015  7.2 KiB
COPYING                         25-Mar-2015  26.8 KiB
CPackConfig.txt                 13-Oct-2014  3.2 KiB
debian/                         14-Dec-2015  4 KiB
dfilter_macros                  24-Feb-2014  0
dfilters                        15-Sep-2015  701
dftest.c                        15-Dec-2015  5.8 KiB
diameter/                       30-Nov-2015  4 KiB
doc/                            09-Dec-2015  4 KiB
docbook/                        11-Dec-2015  4 KiB
doxygen.cfg.in                  01-Apr-2014  3.4 KiB
doxygen_global.cfg              15-Apr-2014  78.9 KiB
dtds/                           01-Apr-2014  4 KiB
dumpcap.c                       14-Dec-2015  193.8 KiB
echld/                          15-Dec-2015  4 KiB
echld_test.c                    18-May-2015  9.8 KiB
editcap.c                       15-Dec-2015  73.1 KiB
epan/                           15-Dec-2015  12 KiB
extcap/                         09-Dec-2015  4 KiB
extcap.c                        20-Nov-2015  25.6 KiB
extcap.h                        09-Nov-2015  2.7 KiB
extcap_parser.c                 08-May-2015  24.7 KiB
extcap_parser.h                 08-May-2015  7.1 KiB
file.c                          10-Dec-2015  153.9 KiB
file.h                          28-Aug-2015  21.2 KiB
fileset.c                       09-Nov-2015  10.3 KiB
fileset.h                       17-Oct-2014  2.4 KiB
fix/                            05-Mar-2014  4 KiB
frame_tvbuff.c                  23-Feb-2015  8.8 KiB
frame_tvbuff.h                  17-Oct-2014  1.6 KiB
globals.h                       17-Oct-2014  1.4 KiB
help/                           16-Nov-2015  4 KiB
idl/                            17-Apr-2015  4 KiB
image/                          09-Dec-2015  4 KiB
INSTALL                         16-Mar-2015  9.9 KiB
INSTALL.configure               24-Feb-2014  7.6 KiB
ipmap.html                      24-Feb-2014  4 KiB
log.h                           16-Feb-2015  1.6 KiB
macosx-setup.sh                 14-Oct-2015  84 KiB
macosx-support-lib-patches/     28-Jul-2014  4 KiB
make-version.pl                 30-Nov-2015  21.8 KiB
Makefile.am                     09-Dec-2015  50.3 KiB
Makefile.am.inc                 30-Nov-2015  2 KiB
Makefile.common                 20-Nov-2015  3.6 KiB
Makefile.nmake                  14-Dec-2015  52.8 KiB
Makefile.nmake.inc              01-Apr-2014  965
manuf                           14-Dec-2015  1.7 MiB
manuf.tmpl                      22-Apr-2014  3.4 KiB
mergecap.c                      14-Dec-2015  13.5 KiB
mkcap.c                         04-May-2015  18.8 KiB
NEWS                            10-Sep-2015  13.7 KiB
packaging/                      16-Oct-2015  4 KiB
pcapio.c                        25-Aug-2014  28.6 KiB
pcapio.h                        13-Oct-2014  5.7 KiB
pdml2html.xsl                   11-Jun-2014  6.8 KiB
plugins/                        16-Mar-2015  4 KiB
profiles/                       24-Feb-2014  4 KiB
radius/                         19-Jun-2015  12 KiB
randpkt-core.c                  16-Nov-2015  17.1 KiB
randpkt-core.h                  16-Nov-2015  2.2 KiB
randpkt.c                       14-Dec-2015  4.4 KiB
rawshark.c                      15-Dec-2015  55.5 KiB
README                          16-Nov-2015  9.5 KiB
README.aix                      01-Apr-2014  11.7 KiB
README.bsd                      12-Oct-2015  4.3 KiB
README.cmake                    16-Nov-2015  8.6 KiB
README.DECT                     01-Apr-2014  1.2 KiB
README.hpux                     01-Apr-2014  11.8 KiB
README.linux                    01-Apr-2014  5.2 KiB
README.macos                    20-Nov-2015  6.9 KiB
README.tru64                    01-Apr-2014  1.7 KiB
README.vmware                   01-Apr-2014  1.4 KiB
README.windows                  16-Mar-2015  799
register.h                      12-Aug-2015  2.2 KiB
reordercap.c                    14-Dec-2015  11.5 KiB
ringbuffer.c                    09-Nov-2015  9.6 KiB
ringbuffer.h                    09-Nov-2015  2 KiB
services                        14-Dec-2015  922.8 KiB
smi_modules                     24-Feb-2014  315
summary.c                       31-Aug-2015  7.1 KiB
summary.h                       17-Oct-2014  4.7 KiB
sync_pipe.h                     16-Feb-2015  3.4 KiB
sync_pipe_write.c               09-Nov-2015  3.3 KiB
test/                           14-Dec-2015  4 KiB
text2pcap-scanner.l             09-Dec-2015  2.6 KiB
text2pcap.c                     14-Dec-2015  67.9 KiB
text2pcap.h                     17-Oct-2014  1.6 KiB
tfshark.c                       15-Dec-2015  91.7 KiB
tools/                          14-Dec-2015  4 KiB
tpncp/                          01-Apr-2014  4 KiB
trigcap.c                       13-Oct-2014  8 KiB
tshark.c                        15-Dec-2015  152 KiB
ui/                             14-Dec-2015  4 KiB
vagrant_build.sh                26-Jun-2015  1.1 KiB
vagrant_provision.sh            12-Oct-2015  1 KiB
Vagrantfile                     26-Jun-2015  716
version.h.in                    28-Aug-2015  20
wimaxasncp/                     09-Dec-2015  4 KiB
wireshark-gtk.desktop           09-Dec-2015  4.8 KiB
wireshark-mime-package.xml      08-May-2015  4.6 KiB
wireshark-qt.cpp                15-Dec-2015  53.1 KiB
wireshark.appdata.xml           19-Feb-2015  2.2 KiB
wireshark.desktop               09-Dec-2015  4.8 KiB
wireshark.dox                   24-Feb-2014  57
wireshark.pc.in                 17-Apr-2015  368
wiretap/                        09-Dec-2015  4 KiB
wka.tmpl                        30-Apr-2015  10.4 KiB
ws_symbol_export.h              17-Oct-2014  6.4 KiB
wsutil/                         15-Dec-2015  4 KiB

README

General Information
------- -----------

Wireshark is a network traffic analyzer, or "sniffer", for Unix and
Unix-like operating systems.  It uses GTK+, a graphical user interface
library, and libpcap, a packet capture and filtering library.

The Wireshark distribution also comes with TShark, which is a
line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the
same dissection, capture-file reading and writing, and packet filtering
code as Wireshark, and with editcap, which is a program to read capture
files and write the packets from that capture file, possibly in a
different capture file format, and with some packets possibly removed
from the capture.

The official home of Wireshark is

    http://www.wireshark.org

The latest distribution can be found in the subdirectory

    http://www.wireshark.org/download


Installation
------------

Wireshark is known to compile and run on the following systems:

  - Linux (2.0 and later kernels, various distributions)
  - Solaris (2.5.1 and later)
  - FreeBSD (2.2.5 and later)
  - NetBSD
  - OpenBSD
  - OS X (10.2 and later)
  - HP-UX (10.20, 11.00, 11.11)
  - Sequent PTX v4.4.5  (Nick Williams <njw@sequent.com>)
  - Tru64 UNIX (formerly Digital UNIX) (3.2 and later)
  - Irix (6.5)
  - AIX (4.3.2, with a bit of work)
  - Windows (2003, XP, Vista, 7)

and possibly on other versions of those OSes.  It should run on other
Unix-ish systems without too much trouble.

If you have an older version of the operating systems listed above, it
might be supported by an older version of Wireshark. In particular,
Windows 2000 is supported by Wireshark 1.2.x, Windows NT 4.0 is supported by
Wireshark 0.99.4, and Windows 95, 98, and ME are supported by Ethereal 0.99.0.

NOTE: the Makefile appears to depend on GNU "make"; it doesn't appear to
work with the "make" that comes with Solaris 7 nor the BSD "make".

Both Perl and Python are needed, the former for building the man pages.

If you decide to modify the yacc grammar or lex scanner, then
you need "flex" - it cannot be built with vanilla "lex" -
and either "bison" or the Berkeley "yacc". Your flex
version must be 2.5.1 or greater. Check this with 'flex -V'.

You must therefore install Perl, Python, GNU "make", "flex", and either "bison"
or Berkeley "yacc" on systems that lack them.

Full installation instructions can be found in the INSTALL file.

See also the appropriate README.<OS> files for OS-specific installation
instructions.

Usage
-----

In order to capture packets from the network, you need to make the
dumpcap program set-UID to root, or you need to have access to the
appropriate entry under /dev if your system is so inclined (BSD-derived
systems, and systems such as Solaris and HP-UX that support DLPI,
typically fall into this category).  On Linux, giving dumpcap the
cap_net_raw and cap_net_admin file capabilities (see the ENABLE_CAP
option in README.cmake) grants less than setuid root does.  Whichever
way dumpcap is privileged, limit execute permission on it to a
dedicated group rather than to every user on the system.  Although it
might be tempting to make the Wireshark and TShark executables setuid
root, or to run them as root, please don't.  The capture process has
been isolated in dumpcap; this small program does no protocol
dissection, so it is less likely to contain security holes and is thus
safer to run with privileges.  Wireshark and TShark, which run the
dissectors over untrusted packet data, should stay unprivileged.

Please consult the man page for a description of each command-line
option and interface feature.


Multiple File Types
-------------------

The wiretap library is a packet-capture library currently under
development parallel to wireshark.  In the future it is hoped that
wiretap will have more features than libpcap, but wiretap is still in
its infancy. However, wiretap is used in wireshark for its ability
to read multiple file types.  See the Wireshark man page or the
Wireshark User's Guide for a list of supported file formats.

In addition, it can read gzipped versions of any of those files
automatically, if you have the zlib library available when compiling
Wireshark. Wireshark needs a modern version of zlib to be able to use
zlib to read gzipped files; version 1.1.3 is known to work.  Versions
prior to 1.0.9 are missing some functions that Wireshark needs and won't
work.  "./configure" should detect if you have the proper zlib version
available and, if you don't, should disable zlib support. You can always
use "./configure --disable-zlib" to explicitly disable zlib support.

Although Wireshark can read AIX iptrace files, the documentation on
AIX's iptrace packet-trace command is sparse.  The 'iptrace' command
starts a daemon which you must kill in order to stop the trace. Through
experimentation it appears that sending a HUP signal to that iptrace
daemon causes a graceful shutdown and a complete packet is written
to the trace file. If a partial packet is saved at the end, Wireshark
will complain when reading that file, but you will be able to read all
other packets.  If this occurs, please let the Wireshark developers know
at wireshark-dev@wireshark.org, and be sure to send us a copy of that trace
file if it's small and contains non-sensitive data.

Support for Lucent/Ascend products is limited to the debug trace output
generated by the MAX and Pipeline series of products.  Wireshark can read
the output of the "wandsession", "wandisplay", "wannext", and "wdd"
commands.

Wireshark can also read dump trace output from the Toshiba "Compact Router"
line of ISDN routers (TR-600 and TR-650). You can telnet to the router
and start a dump session with "snoop dump".

CoSine L2 debug output can also be read by Wireshark. To get the L2
debug output, get in the diags mode first and then use the
"create-pkt-log-profile" and "apply-pkt-log-profile" commands under the
layer-2 category. For more detail on how to use these commands, you
should examine the help command by "layer-2 create ?" or "layer-2 apply ?".

To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must
capture the trace output to a file on disk.  The trace is happening inside
the router and the router has no way of saving the trace to a file for you.
An easy way of doing this under Unix is to run "telnet <ascend> | tee <outfile>".
Or, if your system has the "script" command installed, you can save
a shell session, including telnet, to a file. For example, to a file named
tracefile.out:

$ script tracefile.out
Script started on <date/time>
$ telnet router
..... do your trace, then exit from the router's telnet session.
$ exit
Script done on <date/time>



IPv6
----
If your operating system includes IPv6 support, wireshark will attempt to
use reverse name resolution capabilities when decoding IPv6 packets.

If you want to turn off name resolution while using wireshark, start
wireshark with the "-n" option to turn off all name resolution (including
resolution of MAC addresses and TCP/UDP/SCTP port numbers to names), or
with the "-N mt" option to turn off name resolution for all
network-layer addresses (IPv4, IPv6, IPX).  Note that network-layer name
resolution makes the host running Wireshark send DNS queries for the
addresses in the trace; when analysing a capture of sensitive or hostile
traffic, use "-n" so that the capture's contents are not leaked to your
resolver and the other side is not tipped off.

You can make that the default setting by opening the Preferences dialog
box using the Preferences item in the Edit menu, selecting "Name
resolution", turning off the appropriate name resolution options,
clicking "Save", and clicking "OK".

If you would like to compile wireshark without support for IPv6 name
resolution, use the "--disable-ipv6" option with "./configure".  If you
compile wireshark without IPv6 name resolution, you will still be able to
decode IPv6 packets, but you'll only see IPv6 addresses, not host names.


SNMP
----
Wireshark can do some basic decoding of SNMP packets; it can also use
the libsmi library to do more sophisticated decoding, by reading MIB
files and using the information in those files to display OIDs and
variable binding values in a friendlier fashion.  The configure script
will automatically determine whether you have the libsmi library on
your system.  If you have the libsmi library but _do not_ want to have
Wireshark use it, you can run configure with the "--without-libsmi"
option.

How to Report a Bug
-------------------
Wireshark is still under constant development, so it is possible that you will
encounter a bug while using it. Please report bugs at http://bugs.wireshark.org.
Be sure you enter into the bug:

	1) the complete build information from the "About Wireshark"
	   item in the Help menu or the output of "wireshark -v" for
	   Wireshark bugs and the output of "tshark -v" for TShark bugs;

	2) if the bug happened on Linux, the Linux distribution you were
	   using, and the version of that distribution;

	3) the command you used to invoke Wireshark, if you ran
	   Wireshark from the command line, or TShark, if you ran
	   TShark, and the sequence of operations you performed that
	   caused the bug to appear.

If the bug is produced by a particular trace file, please be sure to
attach to the bug a trace file along with your bug description.  If the
trace file contains sensitive information (e.g., passwords), then please
do not send it.

If Wireshark died on you with a 'segmentation violation', 'bus error',
'abort', or other error that produces a UNIX core dump file, you can
help the developers a lot if you have a debugger installed.  A stack
trace can be obtained by using your debugger ('gdb' in this example),
the wireshark binary, and the resulting core file.  Here's an example of
how to use the gdb command 'backtrace' to do so.

$ gdb wireshark core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$

The core dump file may be named "wireshark.core" rather than "core" on
some platforms (e.g., BSD systems).  If you got a core dump with
TShark rather than Wireshark, use "tshark" as the first argument to
the debugger; the core dump may be named "tshark.core".

Disclaimer
----------

There is no warranty, expressed or implied, associated with this product.
Use at your own risk.


Gerald Combs <gerald@wireshark.org>
Gilbert Ramirez <gram@alumni.rice.edu>
Guy Harris <guy@alum.mit.edu>


README.aix

libpcap 0.7.1 and later appear to work on AIX when using AIX's native
BPF; that appears to work better than DLPI does.  Note that you may have
to run AIX's tcpdump, as root, before configuring, building, and
installing libpcap, in order to create the "/dev/bpf" devices and load
the BPF driver.

However, libpcap 0.7.1 doesn't work perfectly with AIX's BPF - it
appears that AIX's BPF devices inform their user that packets were
dropped since the last successful read by returning -1 and setting
"errno" to EFAULT, which libpcap 0.7.1 treats as an error.  The current
CVS version of libpcap ignores EFAULT on AIX; it appears that this fixes
the problem.

Some earlier notes:

The notes about libpcap may not apply, with libpcap 0.7.1 and later, but
they're preserved here for historical reasons.

The notes about glib, gtk+, and Ethereal may not apply, as we're now
using GLib 2.x and GTK+ 2.x, and don't have our own gtkclist.c, but
they're also preserved for historical reasons.

After much work and toil, Craig Rodrigues was able to compile libpcap
and Ethereal on AIX 4.3.2.  His odyssey is documented in various e-mails
at http://www.ethereal.com/lists/ethereal-dev/199911/

Here are a few excerpts.  Note that, to configure "libpcap" to use DLPI
rather than BPF (which it'll apparently use by default on AIX),
specifying the flag

	--with-pcap=dlpi

to the "configure" script for "libpcap" should do the trick.

The source code changes to Ethereal mentioned below should be in the
current source tree.  The changes to the GLib configure script are in
GLib 1.2.7; the changes for the "-lgdk" problem are probably still
necessary in the current version of GTK+.

Subject: Re: [ethereal-dev] Re: [ethereal-users] Problems compiling 0.7.7 under AIX 4.3.2
From: Gilbert Ramirez <gram@xiexie.org>
Date: Fri, 5 Nov 1999 16:58:17 -0600
To: Guy Harris <guy@netapp.com>
Cc: Craig Rodrigues <rodrigc@mediaone.net>, ethereal-dev@zing.org


On Fri, Nov 05, 1999 at 01:42:44PM -0600, Guy Harris wrote:
>
>
> Hmm.
>
> Looks suspiciously similar to the previous error; have you tried
> recompiling GTK+ with "xlc_r"?

I believe glib and gtk+ should both be compiled with xlc_r. I haven't
compiled on AIX in a long time, but I think it's because glib is including
pthread stuff, so the re-entrant C library, libc_r, is needed.


Compiler Invocation

When compiling a multi-threaded program, you should invoke the C compiler
using one of the following commands:

xlc_r
    Invokes the compiler with default language level of ansi.
cc_r
    Invokes the compiler with default language level of extended.


These commands ensure that the adequate options and libraries are used to be
compliant with the X/Open Version 5 Standard. The POSIX Threads
Specification 1003.1c is a subset of the X/Open Specification.

The following libraries are automatically linked with your program when using these commands:

libpthreads.a
	    Threads library.
libc.a
	    Standard C library


For example, the following command compiles the foo.c multi-threaded C source file and produces the foo executable file:

cc_r -o foo foo.c

See the cc command for more information about C For AIX.


--gilbert


To: ethereal-users@zing.org
Subject: [ethereal-dev] AIX: gtk problem solved, now an ethereal problem
From: Craig Rodrigues <rodrigc@mediaone.net>
Date: Mon, 8 Nov 1999 10:46:25 -0500
Cc: ethereal-dev@zing.org


Hi,

After much sweat and toil, I have managed to get gtk 1.2.6 to
compile and not dump core under AIX.  The solutions were to
(1) apply the attached patch to the configure.ac in the glib-1.2.6
subdirectory

(2)  In the file gtk+-1.2.6/gtk/Makefile, add a link flag -lgdk to link
in gdk.

I have submitted (1) to the gtk-devel mailing list where it has been
accepted.  (2) is an uglier problem, but for now, adding -lgdk by hand
seems to work.

Now I have a problem....I compiled gtk, and that works.
I compiled ethereal (after some minor mods), and it starts,
but when I click on Capture -> Start, I get:

"There are no network interfaces that can be opened."

I am running as root, so I don't think permissions are a problem.

Any ideas?

Thanks.
--
Craig Rodrigues
http://www.gis.net/~craigr
rodrigc@mediaone.net

*** configure.ac.old    Thu Oct  7 17:27:43 1999
--- configure.ac        Sun Nov  7 19:34:36 1999
***************
*** 795,809 ****
	  fi
	  if test "$ac_cv_func_getpwuid_r" = "yes"; then
		  AC_MSG_CHECKING(whether getpwuid_r is posix like)
!                       # getpwuid_r(0, NULL, NULL, 0) is the signature on
!                       # solaris, if that is not found, the prog below won't 
!                       # compile, then the posix signature is assumed as 
!                       # the default.
!                       AC_TRY_COMPILE([#include <pwd.h>],
!                               [getpwuid_r(0, NULL, NULL, 0);],
!                               [AC_MSG_RESULT(no)],
!                               [AC_MSG_RESULT(yes)
!                               AC_DEFINE(HAVE_GETPWUID_R_POSIX)])
	  fi
  fi
  if test x"$have_threads" = xposix; then
--- 795,809 ----
	  fi
	  if test "$ac_cv_func_getpwuid_r" = "yes"; then
		  AC_MSG_CHECKING(whether getpwuid_r is posix like)
!                       # The signature for the POSIX version is:
!                       # int getpwuid_r(uid_t, struct passwd *, char *, size_t, struct passwd **)
!                       AC_TRY_COMPILE([#include <pwd.h>
!                                         #include <sys/types.h>
!                                         #include <stdlib.h>],
!                               [getpwuid_r((uid_t)0, NULL, NULL, (size_t)0, NULL);],
!                               [AC_DEFINE(HAVE_GETPWUID_R_POSIX)
!                               AC_MSG_RESULT(yes)],
!                               [AC_MSG_RESULT(no)])
	  fi
  fi
  if test x"$have_threads" = xposix; then
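Review bot: the replacement probe is compile-only, so it proves that a five-argument call to getpwuid_r type-checks, not that the function has the POSIX return type or semantics; an unprototyped (K&R-style) declaration of getpwuid_r accepts any argument count, which would let the call compile on a non-POSIX system and wrongly define HAVE_GETPWUID_R_POSIX. Also include <sys/types.h> before <pwd.h> rather than after it, since <pwd.h> on some systems depends on uid_t already being declared. The old comment explaining the Solaris signature was dropped; a one-line note that the non-POSIX form is assumed on the "no" path would keep the intent readable for the next person touching this check.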



To: ethereal-dev@zing.org
Subject: Re: [ethereal-dev] AIX: gtk problem solved, now an ethereal problem
From: Craig Rodrigues <rodrigc@mediaone.net>
Date: Wed, 10 Nov 1999 12:18:47 -0500



Hi,

OK, I'm getting closer and closer to this working on AIX.

Things I've done:

(1) In a bunch of places in the code I removed '//' style C++ comments
which the IBM C compiler didn't like.

(2) I also found some places in the code like:

enum some_enum {  FOO, BAR, };

IBM C did not like the trailing "," after BAR.

(3) In packet-ipv6.h, IPV6_VERSION is defined, but that is already
defined in <netinet/in.h> on AIX 4.3, so for now I just commented that out.

(4) in packet-afs.c, when it sucks in <netinet/in.h>,  in.h sucks in
<sys/machine.h> which defines LITTLE_ENDIAN.  This conflicts with
LITTLE_ENDIAN in globals.h.  So what I did was, in globals.h, I added:

#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif

So after doing all these things, I can compile ethereal and run it.
I can list the
correct network interfaces on my system: lo0 and en0.  However,
when I start capturing packets on en0, they are all of the protocol type
"TRMAC" and "TR".  The only problem is, I'm not on a Token Ring network.

Any ideas?

No. Time        Source                Destination           Protocol   Info
1 0.000000    0a:30:a1:08:00:45     06:74:60:08:00:5a     TR   Token-Ring Unknown
2 0.210304    0a:30:a1:08:00:45     06:74:60:08:00:5a     TR   Token-Ring Unknown
3 0.926080    0a:30:a1:08:00:45     06:74:60:08:00:5a     TR   Token-Ring Unknown
4 0.4236416   0a:30:a1:08:00:45     06:74:60:08:00:5a     TR   Token-Ring Unknown
5 0.4712064   6f:06:74:60:08:00     5a:8a:30:a1:00:00 TR MAC Unknown Major Vector: 127


---------------------
It turns out that libpcap was using IFT_* numbers instead of DLT_* numbers for
link types. That has been fixed
---------------------


To: tcpdump-workers@tcpdump.org
Subject: [ethereal-dev] Success with libpcap under AIX
From: Craig Rodrigues <rodrigc@mediaone.net>
Date: Sat, 20 Nov 1999 03:34:50 -0500
Cc: ethereal-dev@zing.org


Hi,

I have managed to successfully compile and use the latest
snapshot of libpcap under AIX using DLPI.  bpf is majorly
brain-dead under AIX, and very unsupported.  Rather than
find all the bugs in AIX's bpf, I decided to try using
dlpi, which is officially supported.

The first step is to get the setup right.  To determine if
you have the dlpi driver loaded correctly, type:
strload -q -d dlpi

If the result is:
dlpi: yes

then you are ready to use dlpi.

If you get:
dlpi: no

Then you need to type:
strload -f /etc/dlpi.conf

Check again with strload -q -d dlpi that the dlpi driver is loaded.

I had to make one minor code change to pcap-dlpi.c.  Maybe someone
can explain it to me, because I am not familiar with dlpi or
streams programming.  It took me hours to figure this out, because
I'm not familiar with dlpi.

In pcap-dlpi.c, lines 316-320:
#if !defined(HAVE_HPUX9) && !defined(HAVE_HPUX10_20) && !defined(sinix)
       if (dlbindreq(p->fd, 0, ebuf) < 0 ||
	   dlbindack(p->fd, (char *)buf, ebuf) < 0)
	    goto bad;
#endif

I changed it to:
#if !defined(HAVE_HPUX9) && !defined(HAVE_HPUX10_20) && !defined(sinix)
       if (dlbindreq(p->fd, 1620, ebuf) < 0 ||
	   dlbindack(p->fd, (char *)buf, ebuf) < 0)
	    goto bad;
#endif

I picked the number 1620 out of thin air.  The second parameter
to dlbindreq() sets the value of dl_sap.  This dl_sap
value is then passed along to the DLPI driver through
the DL_BIND_REQ primitive.  I guess that it cannot be 0 under
AIX, but I'm not sure.

If someone knows anything about DLPI, I'd appreciate a clarification.
Basically, I am just using the DLPI specification at:
http://www.opengroup.org/onlinepubs/009638599/ which is pretty good.
The AIX documentation is not so well written.

But basically, after I fixed up pcap-dlpi.c, I managed to get libpcap
working under AIX.  This enabled me to successfully run Ethereal,
i.e. all the packets on my Ethernet network correctly showed up
as Ethernet and not Token Ring in the Wireshark screen.

YAY!
--
Craig Rodrigues
http://www.gis.net/~craigr
rodrigc@mediaone.net

Date: Thu, 11 Nov 1999 23:47:02 -0500
From: Craig Rodrigues <rodrigc@mediaone.net>
To: ethereal-dev@zing.org
Subject: Re: [ethereal-dev] AIX: gtk problem solved, now an ethereal problem

On Thu, Nov 11, 1999 at 11:50:23AM -0800, Guy Harris wrote:
> > The only differences between gtkclist.c in the gtk distribution and
> > gtkclist.c in the ethereal distribution relate to the ROW_ELEMENT
> > macro.  It looks like an optimization for retrieving the GList item
> > when the requested row is the last row in the list.
>
> Yup - as per my other mail, Ethereal does that rather a lot when
> building the CList, and the optimization changes quadratic behavior to
> linear behavior.
>
> > Any ideas why this causes trouble?
>
> Mismatches between the layouts of data structures as declared in the
> "gtk/gtk*.h" files in the Wireshark source tree and the layouts as
> declared in the header files in the GTK+ source (either due to header
> file differences - although the header files appear to be identical to
> the GTK+ 1.2.6 ones - or due to compiler behavior differences)?

I tried stepping things through the debugger, and constantly
hit the same segfault inside gdk_string_width(), line 308 of gdkfont.c

Fails on line: switch(font->type),
where *font is: (type = -1, ascent = -1, descent = -1)

Stack trace:
gdk_string_width(font = 0x7caf01a4, string = "../"), line 308 in "gdkfont.c"
gtk_file_selection_populate(fs = 0x20094468, rel_path = "", try_complete = 0), line 1341 in "gtkfilesel.c"
gtk_file_selection_init(filesel = 0x20094468), line 513 in "gtkfilesel.c"
gtk_type_new(0xc315), line 403 in "gtktypeutils.c"
gtk_file_selection_new(title = "Ethereal: Open Capture File"), line 524 in "gtkfilesel.c"
file_open_cmd_cb(0x200640f4, 0x0), line 79 in "file_dlg.c"

Removing gtkclist.o from libui.a and recompiling removed this problem.

Any ideas?  I'm stumped.

--
Craig Rodrigues
http://www.gis.net/~craigr
rodrigc@mediaone.net


README.bsd

1Installing Wireshark on FreeBSD/OpenBSD/NetBSD/DragonFly BSD
2========================================================================
3
4     1. Extra packages required
5     2. Compiling Wireshark 
6     3. Berkeley Packet Filter (BPF) requirement
7     4. Running Wireshark as a non-root user
8
9
101. Extra packages required
11---------------------------
12Wireshark requires a number of additional programs to function.
13Install the latest versions of the following programs before compiling:
14
15The easiest way to install these is by using your operating system's
16ports or packages system.  If you prefer to build from source, the programs
17can be found at the following sites:
18
19    glib 2.16 or later:
20         ftp.gnome.org:/pub/gnome/sources/glib/
21	 http://ftp.gnome.org/pub/gnome/sources/glib/
22
23    pkgconfig:
24         http://pkgconfig.freedesktop.org/releases/
25
26    python 2.5 or later:
27         https://www.python.org/downloads/source/
28
29If you want to use the Wireshark GUI, install one or both of these toolkits:
30
31   gtk+ 2.12 or later:
32         ftp.gnome.org:/pub/gnome/sources/gtk+/
33	 http://ftp.gnome.org/pub/gnome/sources/gtk+/
34
35    Qt 4.7 or later:
36	 http://download.qt-project.org/official_releases/qt/
37
38
39(These programs may require additional dependencies)
40
41Additional programs can be used to enhance Wireshark's functionality.
42These can be found by typing ./configure --help or looking at the output
43at the end of running the configure script.
44
45
462. Compiling Wireshark
47-----------------------
48To compile Wireshark with the default options, run configure, make and
49make install (you may have to run "autogen.sh" first):
50
51     ./configure
52     make
53     make install
54
55The configure and make steps can be run as a non-root user and you can
56run Wireshark from the compilation directory itself.  You must run make
install as root in order to copy the program to the proper directories.


3. Berkeley Packet Filter (BPF) requirement
--------------------------------------------
In order to capture packets (with Wireshark/TShark, tcpdump, or any
other packet capture program) on a BSD system, your kernel must have the
Berkeley Packet Filter mechanism enabled.  The default kernel
configurations in recent versions of BSD systems have this enabled
already.  To verify that the bpf device is present, look in the /dev
directory:

    ls -l /dev/bpf*

You should see one or more bpf devices listed, similar to this:

    crw-------  1 root  wheel    0,  90 Aug 10 21:05 /dev/bpf0
    crw-------  1 root  wheel    0,  91 Aug 10 21:05 /dev/bpf1

Packet-capturing programs will pick the first bpf device that's not in
use.  Recent versions of most BSDs will create bpf devices as needed, so
you don't have to configure the number of devices that will be
available.

4. Running wireshark as a non-root user
-------------------------------------------
Since the bpf devices are accessible only by their owner (root), you
normally have to run packet-capturing programs such as Wireshark as
root.  It is safer to run programs as a non-root user if possible.  To
run Wireshark as a non-root user, you must change the permissions on the
bpf device(s).  If you are the only user who needs to use Wireshark, the
easiest way is to change the owner of each bpf device to your username.
You can also add read/write permission for the group (typically wheel)
and add the users who need to use Wireshark to the wheel group.  Check
your operating system's documentation on how to make these changes
permanent, as they are often reset upon reboot; if /dev is implemented
with devfs, it might be possible to configure devfs to create all bpf
devices owned by a particular user and/or group and with particular
permissions.  In FreeBSD 6.0 and later this can be done by creating an
/etc/devfs.rules file with content such as

	[localrules=10]
	add path 'bpf*' {mode and permissions}

where "mode and permissions" can include clauses such as

	mode {octal permissions}

to set the permissions on the device (e.g., "mode 0660" to set the
permissions to rw-rw----),

	user {user}

to set the user who owns the device, or

	group {group}

to set the group that owns the device, and by adding a line such as

	devfs_system_ruleset=localrules

to /etc/rc.conf.  For example, an /etc/devfs.rules file with

	[localrules=10]
	add path 'bpf*' mode 0660 group wheel

will grant read and write permissions on all BPF devices to all users in
the "wheel" group.

README.cmake

          Explain the cmake build system for wireshark

                           Notice

   To find out the current state of the cmake implementation for
   Wireshark, please take a look at "What needs to be done?" below.

Table of contents
=================

How to get started with cmake (Unix/Linux and Win32/64)?
Why cmake?
Why not cmake?
What needs to be done?
Links regarding cmake

How to get started with cmake (Unix/Linux and Win32/64)?
========================================================

You can find documentation on cmake at: http://www.cmake.org/

cmake is designed to support out-of-tree builds, so much so that
in-tree builds do not work properly in all cases.

How to do an out-of-tree build (Unix/Linux):
1) Install cmake.
2) Assuming you are in the top directory of the wireshark source:
   cd ..
3) mkdir build
4) cd build
5) cmake [options] ../<Name_of_WS_source_dir>
6) make (or cmake --build .)
7) (as root) umask 0022 && make install

Note 1:
  In step 5) you may need to override the defaults for features. Common
  options include:

  # Disable the POSIX capabilities check
  -DENABLE_CAP=OFF

  # Enable debugging symbols
  -DCMAKE_BUILD_TYPE=Debug

  # Disable GTK+ 3
  -DENABLE_GTK3=OFF

  # Build documentation
  -DENABLE_HTML_GUIDES=ON
  -DENABLE_PDF_GUIDES=ON

  # Make ccache and clang work together
  -DCMAKE_C_FLAGS='-Qunused-arguments'

  # Force Python path on Windows. May be needed if Cygwin's
  # /usr/bin/python is present and is a symlink
  # http://public.kitware.com/Bug/view.php?id=13818
  -DPYTHON_EXECUTABLE=c:/Python27/python

  # Disable building an application bundle (Wireshark.app) on OS X
  -DENABLE_APPLICATION_BUNDLE=OFF

  # Qt Creator expects .cbp files when used with CMake.
  -G "CodeBlocks - Unix Makefiles"
  -G "CodeBlocks - NMake Makefiles"

Note 2:
  After running cmake, you can always run "make help" to see
  a list of all possible make targets.

Note 3:
  cmake honors the user's umask when creating directories as of now:
  http://public.kitware.com/Bug/view.php?id=9620
  To get predictable results, please set the umask explicitly.
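
As an added example (not from the Wireshark build system), the following POSIX shell functions show why step 7) sets "umask 0022" before "make install" and what to check afterwards: they scan an install prefix for files and directories that are group- or world-writable, which is what a permissive umask during installation produces and what would let another local user replace an installed program or library. The temporary tree the demo builds stands in for a real install prefix and is constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Wireshark's README.cmake: find entries in an
# install prefix that a permissive umask left group- or world-writable.
# Function names are this example's own.
#
# Usage on a real install:  find_loose_perms /usr/local

# Print every regular file or directory under $1 that is writable by
# group (mode bit 020) or others (mode bit 002); symlinks are skipped
# because their mode bits are not meaningful.  Returns 1 if any entry
# was found, 0 for a clean tree.
find_loose_perms() {
    prefix=$1
    found=$(find "$prefix" \( -type f -o -type d \) \
                 \( -perm -020 -o -perm -002 \) -print | sort)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Number of loose entries under $1 (0 when the tree is clean).
count_loose() {
    find_loose_perms "$1" | wc -l | tr -d ' '
}

# Build a constructed install tree under $1 to demonstrate the check:
# "bin/safe" is created the way step 7) does it (umask 0022), while
# "lib/loose" is created under umask 0000, as an unguarded install would.
make_demo_tree() {
    root=$1
    (umask 0022 && mkdir -p "$root/bin" && : > "$root/bin/safe")
    (umask 0000 && mkdir -p "$root/lib" && : > "$root/lib/loose")
    echo "$root"
}
```

On the demo tree the scan reports both "lib" and "lib/loose", and nothing under "bin"; on a real prefix an empty report (exit status 0) is what a correctly masked install should give.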

How to do an out-of-tree build using Visual C++ 2013:
[This is at rc status and should build all executables; support for VS2010 and VS2012
 is included, but hasn't been tested.]
0) Install cmake (currently 3.1.3 or later is recommended).  You can use chocolatey:
   choco inst cmake.
1) Follow https://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html
   Steps 1-9
1a) Set the library search path.
    If you set WIRESHARK_BASE_DIR,
    %WIRESHARK_BASE_DIR%\wireshark-%WIRESHARK_TARGET_PLATFORM%-libs will
    be used as the top-level library directory.
    If you set WIRESHARK_LIB_DIR, it will be used as the top-level library
    directory.  This definition will require changing for different builds (x86 & x64).
1b) set WIRESHARK_TARGET_PLATFORM=win32 (or win64)
1c) set QT5_BASE_DIR=C:\Qt\5.4.1\5.4\msvc2013_opengl (must match the Qt component path
    on your system)
1d) If you want to use Visual Studio to build rather than msbuild from the command line,
    make sure that the path to Cygwin is available to GUI applications.
2) mkdir c:\wireshark\build or as appropriate for you.
   You will need one build directory for each bitness (win32, win64) you wish to build.
3) cd into the directory from 2) above.
4) Run the following to generate the build files:
   cmake -DENABLE_CHM_GUIDES=on xxx path\to\sources
   where path\to\sources is the absolute or relative path to the wireshark source tree
   and xxx is replaced with one of the following:
       nothing - This will build a VS solution for win32 using the latest version of VS found (preferred).
       -G "Visual Studio 12" ("12" builds for VS2013. Use "11" for VS2012 or "10" for VS2010.)
       -G "NMake Makefiles" - to build an nmake makefile.
       -G "Visual Studio 12 Win64" (Win32 is the default)
5) Run one of the following to build Wireshark:
   msbuild /m /p:Configuration=RelWithDebInfo wireshark.sln (preferred).
   Open Wireshark.sln in Windows Explorer to build in Visual Studio
   nmake /X- VERBOSE=1 (or cmake --build . -- VERBOSE=1 ) (if you generated nmake files).
   Subsequent changes to source files and CMakeLists.txt will be automatically detected
   and new build files generated, i.e. step 4) doesn't need to be run again.
   Changes to the build environment, e.g. QT_BASE_DIR, aren't detected, so you must delete the
   build dir and start from step 2) again.
6) The executables can be run from the appropriate directory, e.g. run\RelWithDebInfo for VS solutions
   or run\ for NMake files.
7) To build an installer, build the nsis_package project, e.g.
   msbuild /m /p:Configuration=RelWithDebInfo nsis_package.vcxproj
   nmake ???

Why cmake?
==========
- Can create project files for many IDEs including Qt Creator, Visual Studio,
  and XCode.
- Fast
- Easier to understand/learn
- Doesn't create any files in the source tree in case of out-of-tree builds
- One build infrastructure for all of our tier 1 platforms (including Windows)

Why not cmake?
==============
- Lots of work to do
- Everyone who wants to build from source needs cmake
- Current state of documentation isn't really better than
  Autotools documentation. In some respects it's even worse
  (you need to buy a book to get an explanation as to how
  cmake really works).
...

What works?
===========

All the executables now build from clean source on:
* 32 bit openSUSE 11.3: (gnu)make and gcc
* 64 bit FedoraXXX
* 32 bit Ubuntu 9.04
* 32 bit Ubuntu 10.04
* 64 bit Ubuntu 14.04
* 64 bit Debian Wheezy
* 32 bit OS X
* 64 bit OS X
* 32 bit Windows using Visual C++ 2013
* 64 bit Windows using Visual C++ 2013
* 64 bit Solaris 10

The Buildbot runs CMake steps on Ubuntu, Win32, Win64, OS X, and Solaris.
Windows packages are built using CMake steps.

What needs to be done?
======================

- Add back platform specific objects.
- Fix places in the cmake files marked as todo.
- Guides are not installed.
- Build source package (using CPack).
  This is obsolete if we decide to release VCS snapshots instead
- Build packages using CPack: tarball, Windows installer + PortableApps, OS X
  installer dmg, RPM, SVR4. This includes setting OS target version stuff
  appropriately for OS X. We currently use NSIS for the Windows installer but
  should probably use WiX instead.
- Add support for cmake configurations.
- Automatically figure out if *shark is running from the build directory
  (making WIRESHARK_RUN_FROM_BUILD_DIRECTORY unnecessary like it is with
  autofoo).
  Sadly:

      $ file run/qtshark
      run/qtshark: Mach-O 64-bit x86_64 executable

  so what you're running from the build directory is the executable
  itself.  autofoo includes libtool in our case, so what you're running
  from the build directory is a script that then runs the executable,
  and the executable is in a .libs directory; the code that checks for
  "running from the build directory?" checks for that.  The actual
  executable isn't supposed to be run directly - it's expected to be run
  by the wrapper script and might not even work if run directly, as it
  won't find the relevant shared libraries.

  We could perhaps check for the executable being in a "run" directory
  instead, if the build drops it there.  However, it's possible, at
  least on OS X, to copy the executable to another directory and have
  it run, so the guarantee that it's in a "run" directory is not as
  strong.
- Get plugins loading when running *shark from the build directory.
  That might involve handling ".libs" and "run" differently.  The chance
  that a random directory the executable was ultimately placed in would
  be named "run" might also be a bit bigger than the chance that it's
  named ".libs".
- Get cross-compilation working (or ensure it does). It works with autofoo, and
  people use it.
- Handle -DFORTIFY_SOURCE=2 appropriately.  (Do a Web search for
  "cmake fortify" for some information.)
- Define the GTK_DISABLE_ and GDK_DISABLE_ values as appropriate if we
  care about supporting the GTK+ version.
- Install the freedesktop integration files (wireshark.desktop,
  wireshark-mime-package.xml, etc.).
...

Links regarding cmake
=====================
The home page of the cmake project
	http://www.cmake.org/

The home page of the cmake project documentation
	http://www.cmake.org/Wiki/CMake

About cmake in general and why KDE4 uses it
	http://lwn.net/Articles/188693/

Introductory/tutorial presentation
	http://ait.web.psi.ch/services/linux/hpc/hpc_user_cookbook/tools/cmake/docs/Cmake_VM_2007.pdf

Introductory article in Linux Journal
	http://www.linuxjournal.com/node/6700/print

Useful variables
	http://www.cmake.org/Wiki/CMake_Useful_Variables

cmake FAQ
	http://www.cmake.org/Wiki/CMake_FAQ

Additional cmake modules
	http://code.google.com/p/cmake-modules/


README.DECT

Description:
============
DECT pcap files can be obtained by using tools included with the Linux
kernel driver for the Dosch-and-Amand COM-ON-AIR cards. The driver is
called com-on-air_cs.

Wireshark cannot directly record from the DECT HW, as the driver
currently lacks a virtual network interface.

There is ongoing work to change this (see this work by Patrick McHardy):
git clone git://git.kernel.org/pub/scm/linux/kernel/git/kaber/dect-2.6.git
git clone git://git.kernel.org/pub/scm/linux/kernel/git/kaber/libnl-dect.git
git clone git://git.kernel.org/pub/scm/libs/netlink/libnl.git
Also needed are a proper linktype value assigned by the libpcap team and
the proper patches for libpcap to support this (the value used in the
patch below is not officially assigned!):
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/libpcap-dect.git

To nicely view DECT pcap files in wireshark, set up a custom layout:

Edit->Preferences...
  User Interface
    Columns

      No.      | Number
      Protocol | Protocol
      Frame    | Custom Column: dect.framenumber
      TA       | Custom Column: dect.cc.TA
      A-Field  | Custom Column: dect.cc.AField
      B-Field  | Custom Column: dect.cc.BField
  OK


Edit->Configuration Profiles...
  New
  Profile Name = dect
  OK


README.hpux

Contents:

1 - Building wireshark
2 - Building GTK+/GLib with HP's C compiler
3 - nettl support
4 - libpcap on HP-UX
5 - HP-UX patches to fix packet capture problems

1 - Building wireshark

The Software Porting And Archive Centre for HP-UX, at

	http://hpux.connect.org.uk/

(with mirrors in various countries, listed on the Centre's home page;
you may want to choose a mirror closer to you) has ported versions, in
both source and binary form, for Wireshark, as well as for the libpcap,
GLib, GTK+, and zlib libraries that it uses.

The changes they've made appear largely to be compile option changes; if
you've downloaded the source to the latest version of Wireshark (the
version on the Centre's site may not necessarily be the latest version),
it should be able to compile, perhaps with those changes.

They appear to have used HP-UX's "cc" compiler, with the options "-Ae
-O"; there's a comment "Add -Dhpux_9 if building under 9.X".  It may
also build with GCC.

They currently have libpcap 0.6.2; libpcap 0.6.2, and later versions,
include changes to properly open network devices when given the name
reported by the lanscan and ifconfig commands - earlier versions didn't
do this correctly.  Therefore, we strongly suggest you use libpcap 0.6.2
or later, not libpcap 0.5.2.

2 - Building GTK+/GLib with HP's C compiler

By default, HP's C compiler doesn't support "long long int" to provide
64-bit integral data types on 32-bit platforms; the "-Ae" flag must be
supplied to enable extensions such as that.

Wireshark's "configure" script automatically includes that flag if it
detects that the native compiler is being used on HP-UX; however, the
configure scripts for GTK+ and GLib don't do so, which means that 64-bit
integer support won't be enabled.

This may prevent some parts of Wireshark from compiling; in order to get
64-bit integer support in GTK+/GLib, edit all the Makefiles for GTK+ and
GLib, as generated by the GTK+ and GLib "configure" scripts, to add
"-Ae" to all "CFLAGS = " definitions found in those Makefiles.  (If a
Makefile lacks a "CFLAGS = " definition, there's no need to add a
definition that includes "-Ae".)

3 - nettl support

nettl is used on HP-UX to trace various streams based subsystems.  Wireshark
can read nettl files containing raw IP frames (NS_LS_IP, NS_LS_TCP,
NS_LS_UDP, NS_LS_ICMP subsystems), all ethernet/tokenring/fddi driver
level frames (such as BTLAN, BASE100, GELAN, IGELAN subsystems) and LAPB
frames (SX25L2 subsystem).  Use "ioscan -kfClan" to see the driver
names and compare that to /etc/nettlgen.conf to find the nettl subsystem
name for your particular release.

It has been tested with files generated on HP-UX 9.04, 10.20, and 11.x.

Use the following commands to generate a trace (cf. nettl(1M)):

# IP capture:
nettl -tn pduin pduout -e NS_LS_IP -f tracefile
# Driver level capture.  Replace btlan with the name of your interface:
nettl -tn pduin pduout -e btlan -f tracefile
# X25 capture. You must specify an interface :
nettl -tn pduin pduout -e SX25l2 -d /dev/x25_0 -f tracefile
# stop capture. subsystem is NS_LS_IP, btlan, SX25L2 :
nettl -tf -e subsystem

You may have to use "-tn 0x30000000" instead of "-tn pduin pduout"
on old versions of 10.20 and 9.04.

4 - libpcap on HP-UX

If you want to use Wireshark to capture packets, you will have to install
libpcap; binary distributions are, as noted above, available from the
Software Porting And Archive Centre for HP-UX, as well as source code.

Versions of libpcap prior to 0.6 didn't handle HP-UX as well as 0.6 and
later versions do.  You should install the latest version.

The source code is also available from the official home of libpcap and
tcpdump, at

	http://www.tcpdump.org/

if you want a version later than the version available from the Software
Porting And Archive Centre; however, the versions available from
tcpdump.org might not, for example, include support for building libpcap
as a shared library.
5 - HP-UX patches to fix packet capture problems

Note that packet-capture programs such as Wireshark/TShark or tcpdump
may, on HP-UX, not be able to see packets sent from the machine on which
they're running.  Make sure you have a recent "LAN Cumulative/DLPI" patch
installed.

Some articles on groups.google.com discussing this are:

	http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE

which says:

  Newsgroups: comp.sys.hp.hpux
  Subject:  Re: Did someone made tcpdump working on 10.20 ?
  Date: 12/08/1999
  From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>

  In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
  wrote:
   >Hello,
   >
   >I downloaded and compiled tcpdump3.4 a couple of weeks ago. I tried to use
   >it, but I can only see incoming data, never outgoing.
   >Someone (raj) explained to me that a patch was missing, and that this patch
   >must be "patched" (poked) in order to see outbound data in promiscuous mode.
   >Many things to do .... So the question is: does someone already have this
   >"ready to use" PHNE_**** patch ?

   Two things:
   1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173
      for s700/10.20).
   2. You must use
      echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
      You can insert this e.g. into /sbin/init.d/lan

   Best regards,
   Lutz

and

	http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com

which says:

  Newsgroups: comp.sys.hp.hpux
  Subject: Re: tcpdump only shows incoming packets
  Date: 02/15/2000
  From: Rick Jones <foo@bar.baz.invalid>

  Harald Skotnes <harald@cc.uit.no> wrote:
  > I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
  > compiled libpcap-0.4 and tcpdump-3.4 and it seems to work. But at a
  > closer look I only get to see the incoming packets not the
  > outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
  > same thing happens.  Could someone please give me a hint on how to
  > get this right?

  Search/Read the archives ?-)

  What you are seeing is expected, un-patched, behaviour for an HP-UX
  system.  On 11.00, you need to install the latest lancommon/DLPI
  patches, and then the latest driver patch for the interface(s) in use.
  At that point, a miracle happens and you should start seeing outbound
  traffic.

[That article also mentions the patch that appears below.]

and

	http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no

which says:

  Newsgroups: comp.sys.hp.hpux
  Subject: Re: tcpdump only shows incoming packets
  Date: 02/16/2000
  From: Harald Skotnes <harald@cc.uit.no>

  Rick Jones wrote:

	...

  > What you are seeing is expected, un-patched, behaviour for an HP-UX
  > system. On 11.00, you need to install the latest lancommon/DLPI
  > patches, and then the latest driver patch for the interface(s) in
  > use. At that point, a miracle happens and you should start seeing
  > outbound traffic.

  Thanks a lot.  I have this problem on several machines running HPUX
  10.20 and 11.00.  The machines were patched up before y2k so I did not
  know what to think.  Anyway I have now installed PHNE_19766,
  PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
  outbound traffic too.  Thanks again.

(although those patches may not be the ones to install - there may be
later patches).

And another message to tcpdump-workers@tcpdump.org, from Rick Jones:

  Date: Mon, 29 Apr 2002 15:59:55 -0700
  From: Rick Jones
  To: tcpdump-workers@tcpdump.org
  Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic

	...

  http://itrc.hp.com/ would be one place to start in a search for the most
  up-to-date patches for DLPI and the lan driver(s) used on your system (I
  cannot guess because 9000/800 is too generic - one has to use the "model"
  command these days and/or an ioscan command (see manpage) to guess what
  the drivers (btlan[3456], gelan, etc) might be involved in addition to
  DLPI.

  Another option is to upgrade to 11i as outbound promiscuous mode support
  is there in the base OS, no patches required.

Another posting:

	http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com

indicates that you need to install the optional STREAMS product to do
captures on HP-UX 9.x:

  Newsgroups: comp.sys.hp.hpux
  Subject:  Re: tcpdump HP/UX 9.x
  Date: 03/22/1999
  From: Rick Jones <foo@bar.baz>

  Dave Barr (barr@cis.ohio-state.edu) wrote:
  : Has anyone ported tcpdump (or something similar) to HP/UX 9.x?

  I'm reasonably confident that any port of tcpdump to 9.X would require
  the (then optional) STREAMS product.  This would bring DLPI, which is
  what one uses to access interfaces in promiscuous mode.

  I'm not sure that HP even sells the 9.X STREAMS product any longer,
  since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
  devices).

  Your best bet is to be up on 10.20 or better if that is at all
  possible.  If your hardware is supported by it, I'd go with HP-UX 11.
  If you want to see the system's own outbound traffic, you'll never get
  that functionality on 9.X, but it might happen at some point for 10.20
  and 11.X.

  rick jones

(as per other messages cited here, the ability to see the system's own
outbound traffic did happen).

Rick Jones reports that HP-UX 11i needs no patches for outbound
promiscuous mode support.

An additional note, from Jost Martin, for HP-UX 10.20:

	Q: How do I get wireshark on HPUX to capture the _outgoing_ packets
	   of an interface?
	A: You need to get PHNE_20892, PHNE_20725 and PHCO_10947 (or
	   newer, this is as of 4.4.00) and their dependencies.  Then you can
	   enable the feature as described below:

	Patch Name: PHNE_20892
	Patch Description: s700 10.20 PCI 100Base-T cumulative patch
		To trace the outbound packets, please do the following
		to turn on a global promiscuous switch before running
		the promiscuous applications like snoop or tcpdump:

		adb -w /stand/vmunix /dev/mem
		lanc_outbound_promisc_flag/W 1
		(adb will echo the result showing that the flag has
		been changed)
		$quit
	(Thanks for this part to HP-support, Ratingen)

		The attached hack does this and some security-related stuff
	(thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
	posted the security-part some time ago)

		 <<hack_ip_stack>>

		(Don't switch IP-forwarding off, if you need it !)
		Install the hack as /sbin/init.d/hack_ip_stack (adjust
	permissions !) and make a sequencing-symlink
	/sbin/rc2.d/S350hack_ip_stack pointing to this script.
		Now all this is done on every reboot.

According to Rick Jones, the global promiscuous switch also has to be
turned on for HP-UX 11.00, but not for 11i - and, in fact, the switch
doesn't even exist on 11i.

Here's the "hack_ip_stack" script:

-----------------------------------Cut Here-------------------------------------
#!/sbin/sh
#
# nettune:  hack kernel parms for safety

OKAY=0
ERROR=-1

# put /usr/contrib/bin on the PATH so that nettune is found
PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
export PATH


##########
#  main  #
##########

case $1 in
   start_msg)
      print "Tune IP-Stack for security"
      exit $OKAY
      ;;

   stop_msg)
      print "This action is not applicable"
      exit $OKAY
      ;;

   stop)
      exit $OKAY
      ;;

   start)
      ;;  # fall through

   *)
      print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
      exit $ERROR
      ;;
esac

###########
#  start  #
###########

#
# TCP sequence numbers: random instead of incrementing
# SYN flood protection on
# ip_forwarding off
# source routing off
# outgoing packets visible to ethereal/tcpdump etc.

/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem  || exit $ERROR

exit $OKAY
-----------------------------------Cut Here-------------------------------------


README.linux

In order to capture packets (with Wireshark/TShark, tcpdump, or any
other libpcap-based packet capture program) on a Linux system, the
"packet" protocol must be supported by your kernel.  If it is not, you
may get error messages such as

	modprobe: can't locate module net-pf-17

in "/var/adm/messages", or may get messages such as

	socket: Address family not supported by protocol

from applications using libpcap.

You must configure the kernel with the CONFIG_PACKET option for this
protocol; the following note is from the Linux "Configure.help" file for
the 2.0[.x] kernel:

	Packet socket
	CONFIG_PACKET
	  The Packet protocol is used by applications which communicate
	  directly with network devices without an intermediate network
	  protocol implemented in the kernel, e.g. tcpdump. If you want them
	  to work, choose Y.

	  This driver is also available as a module called af_packet.o ( =
	  code which can be inserted in and removed from the running kernel
	  whenever you want). If you want to compile it as a module, say M
	  here and read Documentation/modules.txt; if you use modprobe or
	  kmod, you may also want to add "alias net-pf-17 af_packet" to
	  /etc/modules.conf.

and the note for the 2.2[.x] kernel says:

	Packet socket
	CONFIG_PACKET
	  The Packet protocol is used by applications which communicate
	  directly with network devices without an intermediate network
	  protocol implemented in the kernel, e.g. tcpdump. If you want them
	  to work, choose Y. This driver is also available as a module called
	  af_packet.o ( = code which can be inserted in and removed from the
	  running kernel whenever you want). If you want to compile it as a
	  module, say M here and read Documentation/modules.txt.  You will
	  need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
	  file for the module version to function automatically.  If unsure,
	  say Y.

In addition, there is an option that, in 2.2 and later kernels, will
allow packet capture filters specified to programs such as tcpdump to be
executed in the kernel, so that packets that don't pass the filter won't
be copied from the kernel to the program, rather than having all packets
copied to the program and libpcap doing the filtering in user mode.

Copying packets from the kernel to the program consumes a significant
amount of CPU, so filtering in the kernel can reduce the overhead of
capturing packets if a filter has been specified that discards a
significant number of packets.  (If no filter is specified, it makes no
difference whether the filtering isn't performed in the kernel or isn't
performed in user mode. :-))

The option for this is the CONFIG_FILTER option; the "Configure.help"
file says:

	Socket filtering
	CONFIG_FILTER
	  The Linux Socket Filter is derived from the Berkeley Packet Filter.
	  If you say Y here, user-space programs can attach a filter to any
	  socket and thereby tell the kernel that it should allow or disallow
	  certain types of data to get through the socket. Linux Socket
	  Filtering works on all socket types except TCP for now. See the text
	  file linux/Documentation/networking/filter.txt for more information.
	  If unsure, say N.

An additional problem, on Linux, with older versions of libpcap, is that
capture filters do not work when snooping loopback devices; if you're
capturing on a Linux loopback device, do not use a capture filter, as it
will probably reject most if not all packets, including the packets it's
intended to accept - instead, capture all packets and use a display
filter to select the packets you want to see.  Most recent Linux
distribution releases will not have this problem.

In addition, older versions of libpcap will, on Linux systems with a
2.0[.x] kernel, or if built for systems with a 2.0[.x] kernel, not turn
promiscuous mode off on a network device until the program using
promiscuous mode exits, so if you start a capture with Wireshark on some
Linux distributions, the network interface will be put in promiscuous
mode and will remain in promiscuous mode until Wireshark exits.  There
might be additional libpcap bugs that cause it not to be turned off even
when Wireshark exits; if your network is busy, this could cause the Linux
networking stack to do a lot more work discarding packets not intended
for the machine, so you may want to check, after running Wireshark,
whether any network interfaces are in promiscuous mode (the output of
"ifconfig -a" will say something such as

eth0      Link encap:Ethernet  HWaddr 00:00:66:66:66:66
          inet addr:66.66.66.66  Bcast:66.66.66.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:6493 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3380 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:18 Base address:0xfc80

with "PROMISC" indicating that the interface is in promiscuous mode),
and, if any interfaces are in promiscuous mode and no capture is being
done on that interface, turn promiscuous mode off by hand with

	ifconfig <ifname> -promisc

where "<ifname>" is the name of the interface.

Newer versions of libpcap shouldn't have this problem, even on 2.0[.x]
kernels; no version of libpcap should have that problem on systems with
2.2 or later kernels.
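
As an added example (not part of this README), the following POSIX shell functions implement the check described above: one extracts the names of interfaces flagged PROMISC from "ifconfig -a" output in the format shown, and one decodes the per-interface flags word that Linux exposes in /sys/class/net/<ifname>/flags, in which bit 0x100 (IFF_PROMISC) marks promiscuous mode; the sysfs path and flag value are from the kernel's interface, not from this README. The ifconfig sample embedded in the block is constructed after the one above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Wireshark's README.linux: report interfaces
# that were left in promiscuous mode after a capture.  Two sources are
# handled: "ifconfig -a" text parsed from stdin, and the flags word in
# /sys/class/net/<ifname>/flags, where bit 0x100 is IFF_PROMISC.
# Function names are this example's own.

# Constructed sample of "ifconfig -a" output: eth0 is promiscuous,
# lo and eth1 are not.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:66:66:66:66
          inet addr:66.66.66.66  Bcast:66.66.66.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:6493 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:00:66:66:66:67
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
'

# Print the names of interfaces whose "ifconfig -a" block carries the
# PROMISC flag.  Reads ifconfig output from stdin.
promisc_from_ifconfig() {
    awk '
        # an interface block starts with its name in column 1
        /^[^ \t]/              { iface = $1 }
        /PROMISC/ && iface != "" { print iface; iface = "" }
    '
}

# Decide from a /sys/class/net/<ifname>/flags value (hex, e.g. 0x1103)
# whether IFF_PROMISC (0x100) is set.  Prints yes or no.
promisc_from_flags() {
    flags=$(( $1 ))                   # shell arithmetic accepts 0x literals
    if [ $(( flags & 0x100 )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# List promiscuous interfaces on the running system via sysfs
# (not exercised by the test; needs a Linux /sys).
list_promisc_sys() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if [ "$(promisc_from_flags "$(cat "$f")")" = yes ]; then
            basename "$(dirname "$f")"
        fi
    done
    return 0
}
```

On a live system, "ifconfig -a | promisc_from_ifconfig" or "list_promisc_sys" gives the interfaces to pass to "ifconfig <ifname> -promisc" once no capture is running on them; an interface that keeps reappearing after every capture is the libpcap behaviour the paragraph above describes.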

README.macos

1This file tries to help building Wireshark for (Mac) OS X (Wireshark
2does not work on earlier versions of Mac OS).
3
4You must have the developer tools (called Xcode) installed.  For
5versions of OS X up to and including Snow Leopard, Xcode 3 should be
6available on the install DVD; Xcode 4 is available for download from
7developer.apple.com and, for Lion and later releases, from the Mac App
8Store.  See
9
10	http://guide.macports.org/chunked/installing.xcode.html
11
12for details.  For Xcode 4, you will need to install the command-line
13tools; select Preferences from the Xcode menu, select Downloads in the
14Preferences window, and install Command Line Tools.
15
16You must also have GLib and, if you want to build Wireshark as well as
17TShark, you must have also Qt installed.  You can download precompiled
18Qt packages and source code from
19
20	https://www.qt.io/download-open-source/
21
22or use the macosx-setup.sh script described below.
23
24The macosx-setup.sh script can be used to download, patch as necessary,
25build, and install those libraries and the libraries on which they
26depend; it will, by default, also install other libraries that can be
27used by Wireshark and TShark.  The versions of libraries to download are
28specified by variables set early in the script; you can comment out the
29settings of optional libraries if you don't want them downloaded and
30installed.  Before running the macosx-setup.sh script, and before
31attempting to build Wireshark, make sure your PKG_CONFIG_PATH
32environment variable's setting includes both /usr/X11/lib/pkgconfig and
33/usr/local/lib/pkgconfig.

If you wish to build the legacy (GTK+) UI you must have X11 and the X11
developer headers and libraries installed, as well as the Pango, ATK,
and GTK+ libraries; otherwise, you will not be able to build or install
GTK+.  The X11 and X11 SDK that come with OS X releases for releases
from Panther to Lion can be used to build and run Wireshark.  Mountain
Lion and later do not include X11; you should install X11 from
elsewhere, such as

	http://xquartz.macosforge.org/

After you have installed those libraries:

If you are building from a Git tree, rather than from a source
distribution tarball, run the autogen.sh script.  This should not be
necessary if you're building from a source distribution tarball, unless
you've added new source files to the Wireshark source.

Then run the configure script, and run make to build Wireshark.

If you upgrade the major release of OS X on which you are building
Wireshark, we advise that, before you do any builds after the upgrade,
you do, in the build directory:

    If you are building from a release tarball:
	make distclean

    If you are building from Git:
	make maintainer-clean
	./autogen.sh

Then re-run the configure script and rebuild from scratch.

On Snow Leopard (10.6) and later releases, if you are building on a
machine with a 64-bit processor (with the exception of the early Intel
Core Duo and Intel Core Solo machines, all Apple machines with Intel
processors have 64-bit processors), the C/C++/Objective-C compiler will
build 64-bit by default.

This means that you will, by default, get a 64-bit version of Wireshark.

One consequence of this is that, if you built and installed any required
or optional libraries for Wireshark on an earlier release of OS X, those
are probably 32-bit versions of the libraries, and you will need to
un-install them and rebuild them on your current version of OS X, to get
64-bit versions.

Some required and optional libraries require special attention if you
install them by building from source code on Snow Leopard and later
releases; the macosx-setup.sh script will handle that for you.

GLib - the GLib configuration script determines whether the system's
libiconv is GNU iconv or not by checking whether it has libiconv_open(),
and the compile will fail if that test doesn't correctly indicate
whether libiconv is GNU iconv.  In OS X, libiconv is GNU iconv, but the
64-bit version doesn't have libiconv_open(); a workaround for this is to
replace all occurrences of "libiconv_open" with "iconv_open" in the
configure script before running the script.  The macosx-setup.sh setup
script will patch GLib to work around this.

GTK+ - GTK+ 2.24.10, at least, doesn't build on Mountain Lion with the
CUPS printing backend - either the CUPS API changed incompatibly or the
backend was depending on non-API implementation details.  The
macosx-setup.sh setup script will, on Mountain Lion and later, configure
GTK+ with the CUPS printing backend disabled.

libgcrypt - the libgcrypt configuration script attempts to determine
which flavor of assembler-language routines to use based on the platform
type determined by standard autoconf code.  That code uses uname to
determine the processor type; however, in OS X, uname always reports
"i386" as the processor type on Intel machines, even Intel machines with
64-bit processors, so it will attempt to assemble the 32-bit x86
assembler-language routines, which will fail.  The workaround for this
is to run the configure script with the --disable-asm argument, so that
the assembler-language routines are not used.  The macosx-setup.sh script
will configure libgcrypt with that option.

PortAudio - when compiling on OS X, the configure script for the
pa_stable_v19_20071207 version of PortAudio will cause certain
platform-dependent build environment #defines to be set in the Makefile
rules, and to cause a universal build to be done; those #defines will be
incorrect for all but one of the architectures for which the build is
being done, and that will cause a compile-time error on Snow Leopard.
Newer versions don't have this problem, but still fail to build on Lion
if a universal build is attempted.  The macosx-setup.sh script downloads
a newer version, and also suppresses the universal build.

GeoIP - Their man pages "helpfully" have an ISO 8859-1 copyright symbol
in the copyright notice, but OS X's default character encoding is UTF-8.
sed on Mountain Lion barfs at the "illegal character sequence"
represented by an ISO 8859-1 copyright symbol, as it's not a valid UTF-8
sequence.  The macosx-setup.sh script uses iconv to convert the man page
files from ISO 8859-1 to UTF-8.
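
The GeoIP man-page fix described above, as an added example that is not the macosx-setup.sh script's own code: a POSIX shell helper (function names is_valid_utf8, convert_latin1_manpage and convert_manpages are this example's own) that first checks whether a file is already valid UTF-8, because feeding an already-UTF-8 file through an ISO 8859-1 to UTF-8 conversion would double-encode it, and only then rewrites the file with iconv.

```shell
#!/bin/sh
# Added example, not code from the Wireshark tree: convert man pages whose
# bytes are not valid UTF-8 (such as the ISO 8859-1 copyright sign 0xA9 in
# the GeoIP man pages) to UTF-8, so that sed in a UTF-8 locale no longer
# rejects them as an "illegal character sequence".

# is_valid_utf8 FILE -> exit status 0 if iconv accepts the whole file as UTF-8
is_valid_utf8() {
    iconv -f UTF-8 -t UTF-8 "$1" >/dev/null 2>&1
}

# convert_latin1_manpage FILE -> rewrites FILE in place only when it is not
# already valid UTF-8; prints "converted", "unchanged" or "failed"
convert_latin1_manpage() {
    file="$1"
    if is_valid_utf8 "$file"; then
        echo unchanged
        return 0
    fi
    tmp="$file.utf8.tmp"
    if iconv -f ISO-8859-1 -t UTF-8 "$file" > "$tmp"; then
        mv "$tmp" "$file"
        echo converted
    else
        rm -f "$tmp"
        echo failed
        return 1
    fi
}

# convert_manpages DIR -> applies the conversion to every section 1 and 3
# man page under DIR (the sections the GeoIP package installs)
convert_manpages() {
    find "$1" -type f \( -name '*.1' -o -name '*.3' \) | while read -r f; do
        convert_latin1_manpage "$f" >/dev/null
    done
}
```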

If you want to build Wireshark installer packages on a system that
doesn't include Xcode 3.x or earlier, you will need to install some
additional tools.  From the Xcode menu, select the Open Developer Tool
menu, and then select More Developer Tools... from that menu.  That will
open up a page on the Apple Developer Connection Web site; you may need
a developer account to download the additional tools.  Download the
Auxiliary Tools for Xcode package; when the dmg opens, drag all its
contents to the Contents/Applications subdirectory of the Xcode.app
directory (normally /Applications/Xcode.app/Contents/Applications); then
copy .../Contents/Applications/PackageMaker.app/Contents/MacOS/PackageMaker
to /usr/bin/packagemaker (the PackageMaker app, when run from the
command line rather than as a double-clicked app, is the packagemaker
command).


README.tru64

The following instructions are applicable to Tru64 UNIX
(formerly Digital UNIX (formerly DEC OSF/1)) version 4.0, and
probably to later versions as well; at least some options apply to
Digital UNIX 3.2 - perhaps all do.

In order to use kernel packet filtering on this system, you have
to configure it as follows:

Kernel configuration
--------------------

The packet filtering kernel option must be enabled at kernel
installation.  If that was not the case, you can rebuild the kernel with
"doconfig -c" after adding the following line to the kernel
configuration file (/sys/conf/<HOSTNAME>):

	option PACKETFILTER

or use "doconfig" without any arguments to add the packet filter driver
option via the kernel option menu (see the system administration
documentation for information on how to do this).

Device configuration
--------------------

Devices used for packet filtering must be created with
the following command (executed in the /dev directory):

	./MAKEDEV pfilt

Interface configuration
-----------------------

In order to capture all packets on a network, you may want to allow
applications to put the interface on that network into "local copy"
mode, so that Wireshark can see packets sent by the host on which it's
running as well as packets received by that host, and to put the
interface into "promiscuous" mode, so that Wireshark can see packets on
the network segment not sent to the host on which it's running, by using
the pfconfig(1) command:

	pfconfig +c +p <network_device>

or allow applications to put any interface into "local copy" or
"promiscuous" mode by using the command:

	pfconfig +c +p -a

Note: all instructions given require root privileges.


README.vmware

If you are a registered user of VMware on Linux, you can contact their
support staff via e-mail and ask for a libpcap patch which will allow
you to sniff the virtual NIC of your virtual machine.

VMware configures 4 devices, /dev/vmnet[0-3].

/dev/vmnet0 is your ethernet bridge, giving your virtual machine its
own MAC address on your physical ethernet LAN.

/dev/vmnet1 is for host-only networking. Your host OS will be routing IP
packets between the physical LAN and the guest OS. When up and running,
you'll see a 'vmnet1' interface from 'ifconfig'.

/dev/vmnet2 and /dev/vmnet3 act as hubs for virtual machines, but are
not connected to anything else. That is, the VMs that are connected
to these devices can talk to each other (if connected to the same
virtual "hub"), but not to the outside world, or to your host OS
(as far as I understand).

With the patch from VMware, you can sniff the packets on these
network devices. Note the distinction between "network device", where a
device driver file exists in /dev, and "interface", which is a namespace
private to the kernel (not on the filesystem). You have to supply the
full pathname of the device to Wireshark (i.e., "/dev/vmnetN").
When vmnet1 is up, you will be able to select it from the list of
interfaces, since it will have both a device name (/dev/vmnet1) and
an interface name "vmnet1".

See also http://www.vmware.com/products/scenarios/networks.html


README.windows

Installing Wireshark on Windows
===============================
To install Wireshark, simply download the appropriate installer program from

https://www.wireshark.org/download.html

and start it. Just keep the default settings and start Wireshark after the
installation has finished (e.g. using the start menu entry).

For detailed descriptions on how to install and use Wireshark and the
related command line tools, see the Wireshark User's Guide at:

https://www.wireshark.org/docs/


Compiling the Wireshark distribution from source
================================================
In case you want to develop Wireshark code yourself, you can find a
comprehensive guide on how to do this in the Developer's Guide, which
you can find (and much more info) at:

https://wiki.wireshark.org/Development

23