Wireshark for MAC

Index 1. General Questions: 1.1 What is Wireshark? 1.2 What's up with the name change? Is Wireshark a fork? 1.3 Where can I get help? 1.4 What kind of shark is Wireshark? 1.5 How is Wireshark pronounced, spelled and capitalized? 1.6 How much does Wireshark cost? 1.7 But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off? 1.8 Can I use Wireshark commercially? 1.9 Can I use Wireshark as part of my commercial product? 1.10 What protocols are currently supported? 1.11 Are there any plans to support {your favorite protocol}? 1.12 Can Wireshark read capture files from {your favorite network analyzer}? 1.13 What devices can Wireshark use to capture packets? 1.14 Does Wireshark work on Windows Vista or Windows Server 2008? 2. Installing Wireshark: 2.1 I installed the Wireshark RPM (or other package); why did it install TShark but not Wireshark? 3. Building Wireshark: 3.1 I have libpcap installed; why did the configure script not find pcap.h or bpf.h? 3.2 Why do I get the error dftest_DEPENDENCIES was already defined in condition TRUE, which implies condition HAVE_PLUGINS_TRUE when I try to build Wireshark from SVN or a SVN snapshot? 3.3 Why does the linker fail with a number of "Output line too long." messages followed by linker errors when I try to build Wireshark? 3.4 When I try to build Wireshark on Solaris, why does the link fail complaining that plugin_list is undefined? 3.5 When I try to build Wireshark on Windows, why does the build fail because of conflicts between winsock.h and winsock2.h? 4. Starting Wireshark: 4.1 Why does Wireshark crash with a Bus Error when I try to run it on Solaris 8? 4.2 When I try to run Wireshark, why does it complain about sprint_realloc_objid being undefined? 4.3 I've installed Wireshark from Fink on OS X; why is it very slow to start up? 5. Crashes and other fatal errors: 5.1 I have an XXX network card on my machine; if I try to capture on it, why does my machine crash or reset itself? 5.2 Why does my machine crash or reset itself when I select "Start" from the "Capture" menu or select "Preferences" from the "Edit" menu? 6. Capturing packets: 6.1 When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor? 6.2 When I capture with Wireshark, why can't I see any TCP packets other than packets to and from my machine, even though another analyzer on the network sees those packets? 6.3 Why am I only seeing ARP packets when I try to capture traffic? 6.4 Why am I not seeing any traffic when I try to capture traffic? 6.5 Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)? 6.6 How do I put an interface into promiscuous mode? 6.7 I can set a display filter just fine; why don't capture filters work? 6.8 I'm entering valid capture filters; why do I still get "parse error" errors? 6.9 How can I capture packets with CRC errors? 6.10 How can I capture entire frames, including the FCS? 6.11 I'm capturing packets on a machine on a VLAN; why don't the packets I'm capturing have VLAN tags? 6.12 Why does Wireshark hang after I stop a capture? 7. Capturing packets on Windows: 7.1 I'm running Wireshark on Windows; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface? 7.2 I'm running Wireshark on Windows; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? 7.3 I'm running Wireshark on Windows; why doesn't my serial port/ADSL modem/ISDN modem show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? 7.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the "Interface" item in the "Capture Options" dialog box. Why can no packets be sent on or received from that network while I'm trying to capture traffic on that interface? 7.5 I'm running Wireshark on Windows; why am I not seeing any traffic being sent by the machine running Wireshark? 7.6 When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety? 7.7 I'm trying to capture 802.11 traffic on Windows; why am I not seeing any packets? 7.8 I'm trying to capture 802.11 traffic on Windows; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine? 7.9 I'm trying to capture Ethernet VLAN traffic on Windows, and I'm capturing on a "raw" Ethernet device rather than a "VLAN interface", so that I can see the VLAN headers; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine? 8. Capturing packets on UN*Xes: 8.1 I'm running Wireshark on a UNIX-flavored OS; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface? 8.2 I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"? 8.3 I'm capturing packets on Linux; why do the time stamps have only 100ms resolution, rather than 1us resolution? 9. Capturing packets on wireless LANs: 9.1 How can I capture raw 802.11 frames, including non-data (management, beacon) frames? 9.2 How do I capture on an 802.11 device in monitor mode? 10. Viewing traffic: 10.1 Why am I seeing lots of packets with incorrect TCP checksums? 10.2 I've just installed Wireshark, and the traffic on my local LAN is boring. Where can I find more interesting captures? 10.3 Why doesn't Wireshark correctly identify RTP packets? It shows them only as UDP. 10.4 Why doesn't Wireshark show Yahoo Messenger packets in captures that contain Yahoo Messenger traffic? 11. Filtering traffic: 11.1 I saved a filter and tried to use its name to filter the display; why do I get an "Unexpected end of filter string" error? 11.2 How can I search for, or filter, packets that have a particular string anywhere in them? 11.3 How do I filter a capture to see traffic for virus XXX? 1. General Questions Q 1.1: What is Wireshark? A: Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is world's most popular tool of its kind. It runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2. It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology. Wireshark used to be known as Ethereal®. See the next question for details about the name change. If you're still using Ethereal, it is strongly rec