4 Wireshark is a network traffic analyzer, or "sniffer", for Linux, macOS,
5 \*BSD and other Unix and Unix-like operating systems and for Windows.
6 It uses Qt, a graphical user interface library, and libpcap and npcap as
7 packet capture and filtering libraries.
9 The Wireshark distribution also comes with TShark, which is a
10 line-oriented sniffer (similar to Sun's snoop or tcpdump) that uses the
11 same dissection, capture-file reading and writing, and packet filtering
12 code as Wireshark, and with editcap, which is a program to read capture
13 files and write the packets from that capture file, possibly in a
14 different capture file format, and with some packets possibly removed
17 The official home of Wireshark is https://www.wireshark.org.
19 The latest distribution can be found in the subdirectory https://www.wireshark.org/download
25 The Wireshark project builds and tests regularly on the following platforms:
31 Official installation packages are available for Microsoft Windows and
34 It is available as either a standard or add-on package for many popular
35 operating systems and Linux distributions including Debian, Ubuntu, Fedora,
36 CentOS, RHEL, Arch, Gentoo, openSUSE, FreeBSD, DragonFly BSD, NetBSD, and
39 Additionally it is available through many third-party packaging systems
40 such as pkgsrc, OpenCSW, Homebrew, and MacPorts.
42 It should run on other Unix-ish systems without too much trouble.
44 In some cases the current version of Wireshark might not support your
45 operating system. This is the case for Windows XP, which is supported by
46 Wireshark 1.10 and earlier. In other cases the standard package for
47 Wireshark might simply be old. This is the case for Solaris and HP-UX.
49 Python 3 is needed to build Wireshark. AsciiDoctor is required to build
50 the documentation, including the man pages. Perl and flex are required
51 to generate some of the source code.
53 You must therefore install Python 3, AsciiDoctor, and GNU "flex" (vanilla
54 "lex" won't work) on systems that lack them. You might need to install
57 Full installation instructions can be found in the INSTALL file and in the
58 Developer's Guide at https://www.wireshark.org/docs/wsdg_html_chunked/
60 See also the appropriate README._OS_ files for OS-specific installation
66 In order to capture packets from the network, you need to make the
67 dumpcap program set-UID to root or you need to have access to the
68 appropriate entry under `/dev` if your system is so inclined (BSD-derived
69 systems, and systems such as Solaris and HP-UX that support DLPI,
70 typically fall into this category). Although it might be tempting to
71 make the Wireshark and TShark executables setuid root, or to run them as
72 root please don't. The capture process has been isolated in dumpcap;
73 this simple program is less likely to contain security holes and is thus
76 Please consult the man page for a description of each command-line
77 option and interface feature.
83 Wireshark can read packets from a number of different file types. See
84 the Wireshark man page or the Wireshark User's Guide for a list of
85 supported file formats.
87 Wireshark can transparently read compressed versions of any of those files if
88 the required compression library was available when Wireshark was compiled.
89 Currently supported compression formats are:
95 You can disable zlib support by running `cmake -DENABLE_ZLIB=OFF`.
97 Although Wireshark can read AIX iptrace files, the documentation on
98 AIX's iptrace packet-trace command is sparse. The `iptrace` command
99 starts a daemon which you must kill in order to stop the trace. Through
100 experimentation it appears that sending a HUP signal to that iptrace
101 daemon causes a graceful shutdown and a complete packet is written
102 to the trace file. If a partial packet is saved at the end, Wireshark
103 will complain when reading that file, but you will be able to read all
104 other packets. If this occurs, please let the Wireshark developers know
105 at wireshark-dev@wireshark.org; be sure to send us a copy of that trace
106 file if it's small and contains non-sensitive data.
108 Support for Lucent/Ascend products is limited to the debug trace output
109 generated by the MAX and Pipline series of products. Wireshark can read
110 the output of the `wandsession`, `wandisplay`, `wannext`, and `wdd`
113 Wireshark can also read dump trace output from the Toshiba "Compact Router"
114 line of ISDN routers (TR-600 and TR-650). You can telnet to the router
115 and start a dump session with `snoop dump`.
117 CoSine L2 debug output can also be read by Wireshark. To get the L2
118 debug output first enter the diags mode and then use
119 `create-pkt-log-profile` and `apply-pkt-lozg-profile` commands under
120 layer-2 category. For more detail how to use these commands, you
121 should examine the help command by `layer-2 create ?` or `layer-2 apply ?`.
123 To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must
124 capture the trace output to a file on disk. The trace is happening inside
125 the router and the router has no way of saving the trace to a file for you.
126 An easy way of doing this under Unix is to run `telnet <ascend> | tee <outfile>`.
127 Or, if your system has the "script" command installed, you can save
128 a shell session, including telnet, to a file. For example to log to a file
132 $ script tracefile.out
133 Script started on <date/time>
135 ..... do your trace, then exit from the router's telnet session.
137 Script done on <date/time>
144 Wireshark will attempt to use reverse name resolution capabilities
145 when decoding IPv4 and IPv6 packets.
147 If you want to turn off name resolution while using Wireshark, start
148 Wireshark with the `-n` option to turn off all name resolution (including
149 resolution of MAC addresses and TCP/UDP/SMTP port numbers to names) or
150 with the `-N mt` option to turn off name resolution for all
151 network-layer addresses (IPv4, IPv6, IPX).
153 You can make that the default setting by opening the Preferences dialog
154 using the Preferences item in the Edit menu, selecting "Name resolution",
155 turning off the appropriate name resolution options, and clicking "OK".
161 Wireshark can do some basic decoding of SNMP packets; it can also use
162 the libsmi library to do more sophisticated decoding by reading MIB
163 files and using the information in those files to display OIDs and
164 variable binding values in a friendlier fashion. CMake will automatically
165 determine whether you have the libsmi library on your system. If you
166 have the libsmi library but _do not_ want Wireshark to use it, you can run
167 cmake with the `-DENABLE_SMI=OFF` option.
172 Wireshark is under constant development, so it is possible that you will
173 encounter a bug while using it. Please report bugs at https://gitlab.com/wireshark/wireshark/-/issues.
174 Be sure you enter into the bug:
176 1. The complete build information from the "About Wireshark"
177 item in the Help menu or the output of `wireshark -v` for
178 Wireshark bugs and the output of `tshark -v` for TShark bugs;
180 2. If the bug happened on Linux, the Linux distribution you were
181 using, and the version of that distribution;
183 3. The command you used to invoke Wireshark, if you ran
184 Wireshark from the command line, or TShark, if you ran
185 TShark, and the sequence of operations you performed that
186 caused the bug to appear.
188 If the bug is produced by a particular trace file, please be sure to
189 attach to the bug a trace file along with your bug description. If the
190 trace file contains sensitive information (e.g., passwords), then please
193 If Wireshark died on you with a 'segmentation violation', 'bus error',
194 'abort', or other error that produces a UNIX core dump file, you can
195 help the developers a lot if you have a debugger installed. A stack
196 trace can be obtained by using your debugger ('gdb' in this example),
197 the wireshark binary, and the resulting core file. Here's an example of
198 how to use the gdb command 'backtrace' to do so.
203 ..... prints the stack trace
208 The core dump file may be named "wireshark.core" rather than "core" on
209 some platforms (e.g., BSD systems). If you got a core dump with
210 TShark rather than Wireshark, use "tshark" as the first argument to
211 the debugger; the core dump may be named "tshark.core".
216 Wireshark is distributed under the GNU GPLv2. See the file COPYING for
217 the full text of the license. When in doubt the full text is the legally
218 binding part. These notes are just to make it easier for people that are not
219 familiar with the GPLv2.
221 There are no restrictions on its use. There are restrictions on its distribution
222 in source or binary form.
224 Most parts of Wireshark are covered by a "GPL version 2 or later" license.
225 Some files are covered by different licenses that are compatible with
228 As a notable exception, some utilities distributed with the Wireshark source are
229 covered by other licenses that are not themselves directly compatible with the
230 GPLv2. This is OK, as only the tools themselves are licensed this way, the
231 output of the tools is not considered a derived work, and so can be safely
232 licensed for Wireshark's use. An incomplete selection of these tools includes:
233 - the pidl utility (tools/pidl) is licensed under the GPLv3+.
235 Parts of Wireshark can be built and distributed as libraries. These
236 parts are still covered by the GPL, and NOT by the Lesser General Public
237 License or any other license.
239 If you integrate all or part of Wireshark into your own application and you
240 opt to publish or release it then the combined work must be released under
241 the terms of the GPLv2.
247 There is no warranty, expressed or implied, associated with this product.
248 Use at your own risk.
251 Gerald Combs <gerald@wireshark.org>
253 Gilbert Ramirez <gram@alumni.rice.edu>
255 Guy Harris <gharris@sonic.net>
git.samba.org / metze / wireshark / wip.git / blob