Read-only mirror of Wireshark's Git repository. GitHub won't let us disable pull requests. ☞ THEY WILL BE IGNORED HERE ☜ Please upload them at https://code.wireshark.org/review/ .
C C++ Objective-C Python Perl CMake Other
Switch branches/tags
wireshark-2.6.2 wireshark-2.6.1 wireshark-2.6.0 wireshark-2.5.0 wireshark-2.4.8 wireshark-2.4.7 wireshark-2.4.6 wireshark-2.4.5 wireshark-2.4.4 wireshark-2.4.3 wireshark-2.4.2 wireshark-2.4.1 wireshark-2.4.0 wireshark-2.2.16 wireshark-2.2.15 wireshark-2.2.14 wireshark-2.2.13 wireshark-2.2.12 wireshark-2.2.11 wireshark-2.2.10 wireshark-2.2.9 wireshark-2.2.8 wireshark-2.2.7 wireshark-2.2.6 wireshark-2.2.5 wireshark-2.2.4 wireshark-2.2.3 wireshark-2.2.2 wireshark-2.2.1 wireshark-2.2.0 wireshark-2.2.0rc2 wireshark-2.2.0rc1 wireshark-2.1.1 wireshark-2.1.0 wireshark-2.0.16 wireshark-2.0.15 wireshark-2.0.14 wireshark-2.0.13 wireshark-2.0.12 wireshark-2.0.11 wireshark-2.0.10 wireshark-2.0.9 wireshark-2.0.8 wireshark-2.0.7 wireshark-2.0.6 wireshark-2.0.5 wireshark-2.0.4 wireshark-2.0.3 wireshark-2.0.2 wireshark-2.0.1 wireshark-2.0.0 wireshark-1.99.9 wireshark-1.99.8 wireshark-1.99.7 wireshark-1.99.6 wireshark-1.99.5 wireshark-1.99.4 wireshark-1.99.3 wireshark-1.99.2 wireshark-1.99.1 wireshark-1.99.0 wireshark-1.12.13 wireshark-1.12.12 wireshark-1.12.11 wireshark-1.12.10 wireshark-1.12.9 wireshark-1.12.8 wireshark-1.12.7 wireshark-1.12.6 wireshark-1.12.5 wireshark-1.12.4 wireshark-1.12.3 wireshark-1.12.2 wireshark-1.12.1 wireshark-1.12.0 wireshark-1.11.3 wireshark-1.10.14 wireshark-1.10.13 wireshark-1.10.12 wireshark-1.10.11 wireshark-1.10.10 wireshark-1.10.9 wireshark-1.10.8 wireshark-1.10.7 wireshark-1.10.6 wireshark-1.10.5 wireshark-1.10.4 wireshark-1.10.3 wireshark-1.10.2 wireshark-1.10.1 wireshark-1.10.0 wireshark-1.8.15 wireshark-1.8.14 wireshark-1.8.13 wireshark-1.8.12 wireshark-1.8.11 wireshark-1.8.10 wireshark-1.8.9 wireshark-1.8.8 wireshark-1.8.7
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.tx Transifex: Add type of translation file Oct 22, 2015
capchild Fix comment end after SPDX identifier May 1, 2018
caputils Put the interface descrptions into the IDB when capturing to pcapng. Aug 13, 2018
cmake Clean up tests. Jul 20, 2018
codecs Fix build paths for cmake's Xcode project generator on macOS. Jun 21, 2018
debian wsutil: Add Curve25519 ECDH (X25519) using Gcrypt Aug 8, 2018
diameter diameter: Update with some AVPs from TS 29.272 Jul 26, 2018
doc Docs: AUTHORS formatting updates. Aug 18, 2018
docbook [Automatic update for 2018-08-12] Aug 12, 2018
dtds Continue to remove $Id$ from top of file Mar 31, 2014
epan [Automatic update for 2018-08-19] Aug 19, 2018
extcap Extcap programs must write to the packet pipe in binary mode. Jul 19, 2018
fix FIX: fix spelling typo found by lintian Nov 2, 2016
help We're not using autotools/libtool any more. Apr 25, 2018
idl tango: update idl file and regen dissector with idl2wrs Apr 21, 2018
image Qt: Move wireshark-qt.cpp back to ui/qt/main.cpp. Jun 8, 2018
macosx-support-lib-patches macos-setup.sh: More GTK and minimum supported version cleanups Apr 10, 2018
packaging Windows: upgrade USBPcap to 1.2.0.4 Aug 16, 2018
plugins Add a tap "finish" callback, called when a listener is removed. Jul 21, 2018
profiles Bluetooth profile: configure columns and layout for Bluetooth Dec 14, 2016
radius Another dictionary fix. Aug 6, 2018
randpkt_core randpktdump: add --delay option Jul 1, 2018
test TLS13: add final tests for RFC 8446 Aug 17, 2018
tools Docs: AUTHORS formatting updates. Aug 18, 2018
tpncp Continue to remove $Id$ from top of file Mar 31, 2014
ui export_pdu.c: Fix a memory leak Aug 14, 2018
wimaxasncp Fix a lot of typos and misspellings Jan 8, 2016
wiretap Add support for reading and writing the new if_hardware IDB option. Aug 11, 2018
writecap Remove autotools build system. Apr 18, 2018
wsutil Do not pass pipe handle to WaitForMultipleObjects Aug 16, 2018
.bzrignore Unify the bzr and git ignore files - they're the exact same format, Oct 6, 2012
.editorconfig NSIS: Modernize the installer and remove GTK+ entries. May 11, 2018
.gitattributes Ensure test directories are included with git archive Apr 26, 2018
.gitignore Replaced "wireshark-win32-libs/" and "wireshark-win64-libs/" by "wire… Aug 16, 2018
.gitlab-ci.yml gitlab-ci: add fedora build. Jun 19, 2018
.gitreview Fix the host entry. Feb 11, 2014
.mailmap .mailmap: update of July (2018) Jul 23, 2018
.travis.yml travis: fix typo. Jul 6, 2018
AUTHORS Docs: AUTHORS formatting updates. Aug 18, 2018
AUTHORS.src Docs: AUTHORS formatting updates. Aug 18, 2018
CMakeLists.txt Include dumpcap amongst the programs built with -Werror. Aug 12, 2018
CMakeListsCustom.txt.example Allow extra plugins to be missing e.g. because they are in another br… May 24, 2018
CMakeOptions.txt extcap: Support for DisplayPort AUX channel monitors May 14, 2018
COPYING Always use html2text.py for FAQ, improve output Mar 25, 2015
ChangeLog Build 2.5.1. Mar 15, 2018
ConfigureChecks.cmake ifaddrs.h may require sys/types.h to be included first. May 30, 2018
INSTALL Remove now obsolete information. Apr 25, 2018
NEWS Build 2.5.1. Mar 15, 2018
README.DECT Continue to remove $Id$ from top of file Mar 31, 2014
README.aix Continue to remove $Id$ from top of file Mar 31, 2014
README.bsd Remove some references to Qt4. Apr 6, 2018
README.hpux Note that we probably don't support HP-UX. Aug 28, 2017
README.linux Note that newer versions of various distributions won't have these pr… Aug 2, 2017
README.macos Fix build paths for cmake's Xcode project generator on macOS. Jun 21, 2018
README.md Convert README to README.md. Aug 15, 2017
README.windows Change a lot of http:// URLs to https://. Mar 10, 2015
Vagrantfile Fix and update the vagrant build system Mar 19, 2018
abi-descriptor.template Fix 'make dumpapi' target Nov 23, 2015
capinfos.c Don't use dladdr() to get a pathname for the current executable(). May 5, 2018
capture_info.c Move what capture_info_close() does into its only caller. Mar 3, 2018
capture_info.h Qt: Implement the capture info dialog. May 16, 2018
capture_opts.c tshark: free exp_pdu_filename and capture_opts->save_file Aug 17, 2018
capture_opts.h Put the interface descrptions into the IDB when capturing to pcapng. Aug 13, 2018
capture_stop_conditions.c replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
capture_stop_conditions.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
captype.c Don't use dladdr() to get a pathname for the current executable(). May 5, 2018
cfile.c replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
cfile.h file: fix packet list update after dfilter change during live capture Jul 3, 2018
cfilters Remove IPX from our default filters. Jun 27, 2018
cmakeconfig.h.in If we have fseek/ftell variants with 64-bit offsets, use them. Jul 20, 2018
colorfilters Remove IPX from our default filters. Jun 27, 2018
conditions.c replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
conditions.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
dfilter_macros The UAT gui starts to work Jan 29, 2007
dfilters Remove IPX from our default filters. Jun 27, 2018
dftest.c Don't use dladdr() to get a pathname for the current executable(). May 5, 2018
doxygen.cfg.in Doxygen updates. Jun 12, 2018
doxygen_global.cfg Upgrade doxygen configuration (with doxyen 1.8) Apr 14, 2014
dumpcap.c Put the interface descrptions into the IDB when capturing to pcapng. Aug 13, 2018
editcap.c editcap: Add ability to skip radiotap header. Aug 6, 2018
enterprises.tsv [Automatic update for 2018-08-19] Aug 19, 2018
extcap.c Revert "Pass all arguments to options as --option=argument." Jul 26, 2018
extcap.h extcap: Always use byte mode in pipes Apr 7, 2018
extcap_parser.c extcap: Group arguments May 8, 2018
extcap_parser.h extcap: Group arguments May 8, 2018
file.c No need to tell the BER dissector the file name for RFC 7468 files. Aug 1, 2018
file.h Fix the calculation of a file's "basename". Jul 6, 2018
file_packet_provider.c Add support for reading and writing the new if_hardware IDB option. Aug 11, 2018
fileset.c replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
fileset.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
frame_tvbuff.c fix missing parentheses in 'if' statement May 3, 2018
frame_tvbuff.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
globals.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
log.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
make-version.pl make-version.pl: If the VCS isn't git there is no commit_id. Jun 19, 2018
manuf [Automatic update for 2018-08-19] Aug 19, 2018
manuf.tmpl manuf: Overwrite entry for OUI 08:00:30 Apr 6, 2018
mergecap.c Don't use dladdr() to get a pathname for the current executable(). May 5, 2018
mmdbresolve.c maxmind: Move request processing to a thread. May 24, 2018
pdml2html.xsl spdx: more licenses converted. Mar 9, 2018
randpkt.c randpktdump: add --delay option Jul 1, 2018
rawshark.c Add a tap "finish" callback, called when a listener is removed. Jul 21, 2018
reordercap.c Don't use dladdr() to get a pathname for the current executable(). May 5, 2018
ringbuffer.c replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
ringbuffer.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
services [Automatic update for 2018-08-19] Aug 19, 2018
sharkd.c sharkd: Return frame's color-filter colors Aug 4, 2018
sharkd.h sharkd: Return frame's color-filter colors Aug 4, 2018
sharkd_daemon.c Windows: Always assign newly-created processes to our job. Mar 13, 2018
sharkd_session.c sharkd: Add support for hidden and generated fields Aug 9, 2018
smi_modules remove (for now) the COPS PIBs from the list, as I have added a repro… Aug 28, 2007
sync_pipe.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
sync_pipe_write.c replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
text2pcap-scanner.l spdx: more licenses converted. Mar 7, 2018
text2pcap.c Get rid of TestBigEndian and AC_C_BIGENDIAN. Mar 13, 2018
text2pcap.h Squelch redundant declaration warnings. Feb 16, 2018
tfshark.c Don't use dladdr() to get a pathname for the current executable(). May 5, 2018
trigcap.c replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
tshark.c tshark: free exp_pdu_filename and capture_opts->save_file Aug 17, 2018
vagrant_build.sh Fix and update the vagrant build system Mar 19, 2018
vagrant_provision.sh Fix and update the vagrant build system Mar 19, 2018
version_info.c Remove some references to PortAudio. Apr 15, 2018
version_info.h Remove some references to PortAudio. Apr 15, 2018
wireshark-mime-package.xml A bunch of "{Mac} OS X" -> "macOS" changes. Apr 5, 2017
wireshark.appdata.xml Add an appdata entry for Wireshark. Feb 18, 2015
wireshark.desktop Register a few more file extensions as belonging to Wireshark. Jun 1, 2016
wireshark.dox Switch the Doxygen API reference build to CMake. Apr 17, 2018
wireshark.pc.in Refactor plugin registration and loading Dec 14, 2017
wka packet-cisco-fp-mim.c: Add support for FP packets that contain an ext… Jun 30, 2018
ws_attributes.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
ws_compiler_tests.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
ws_diag_control.h Older versions of Clang don't understand -Wpedantic. May 18, 2018
ws_symbol_export.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018

README.md

General Information

Wireshark is a network traffic analyzer, or "sniffer", for Unix and Unix-like operating systems. It uses Qt, a graphical user interface library, and libpcap, a packet capture and filtering library.

The Wireshark distribution also comes with TShark, which is a line-oriented sniffer (similar to Sun's snoop, or tcpdump) that uses the same dissection, capture-file reading and writing, and packet filtering code as Wireshark, and with editcap, which is a program to read capture files and write the packets from that capture file, possibly in a different capture file format, and with some packets possibly removed from the capture.

The official home of Wireshark is https://www.wireshark.org.

The latest distribution can be found in the subdirectory https://www.wireshark.org/download

Installation

The Wireshark project builds and tests regularly on the following platforms:

  • Linux (Ubuntu)
  • Microsoft Windows
  • macOS / {Mac} OS X

Official installation packages are available for Microsoft Windows and macOS.

It is available as either a standard or add-on package for many popular operating sytems and Linux distributions including Debian, Ubuntu, Fedora, CentOS, RHEL, Arch, Gentoo, openSUSE, FreeBSD, DragonFly BSD, NetBSD, and OpenBSD.

Additionaly it is available through many third-party packaging systems such as pkgsrc, OpenCSW, Homebrew, and MacPorts.

It should run on other Unix-ish systems without too much trouble.

In some cases the current version of Wireshark might not support your operating system. This is the case for Windows XP, which is supported by Wireshark 1.10 and earlier. In other cases the standard package for Wireshark might simply be old. This is the case for Solaris and HP-UX.

NOTE: The Makefile depends on GNU "make"; it doesn't appear to work with the "make" that comes with Solaris 7 nor the BSD "make".

Both Perl and Python are needed, the former for building the man pages.

If you decide to modify the yacc grammar or lex scanner, then you need "flex" - it cannot be built with vanilla "lex" - and either "bison" or the Berkeley "yacc". Your flex version must be 2.5.1 or greater. Check this with flex -V.

You must therefore install Perl, Python, GNU "make", "flex", and either "bison" or Berkeley "yacc" on systems that lack them.

Full installation instructions can be found in the INSTALL file and in the Developer's Guide at https://www.wireshark.org/docs/wsdg_html_chunked/

See also the appropriate README.OS files for OS-specific installation instructions.

Usage

In order to capture packets from the network, you need to make the dumpcap program set-UID to root, or you need to have access to the appropriate entry under /dev if your system is so inclined (BSD-derived systems, and systems such as Solaris and HP-UX that support DLPI, typically fall into this category). Although it might be tempting to make the Wireshark and TShark executables setuid root, or to run them as root please don't. The capture process has been isolated in dumpcap; this simple program is less likely to contain security holes, and thus safer to run as root.

Please consult the man page for a description of each command-line option and interface feature.

Multiple File Types

The wiretap library is a packet-capture library currently under development parallel to wireshark. In the future it is hoped that wiretap will have more features than libpcap, but wiretap is still in its infancy. However, wiretap is used in wireshark for its ability to read multiple file types. See the Wireshark man page or the Wireshark User's Guide for a list of supported file formats.

In addition, it can read gzipped versions of any of those files automatically, if you have the zlib library available when compiling Wireshark. Wireshark needs a modern version of zlib to be able to use zlib to read gzipped files; version 1.1.3 is known to work. Versions prior to 1.0.9 are missing some functions that Wireshark needs and won't work. ./configure should detect if you have the proper zlib version available and, if you don't, should disable zlib support. You can always use ./configure --disable-zlib to explicitly disable zlib support.

Although Wireshark can read AIX iptrace files, the documentation on AIX's iptrace packet-trace command is sparse. The iptrace command starts a daemon which you must kill in order to stop the trace. Through experimentation it appears that sending a HUP signal to that iptrace daemon causes a graceful shutdown and a complete packet is written to the trace file. If a partial packet is saved at the end, Wireshark will complain when reading that file, but you will be able to read all other packets. If this occurs, please let the Wireshark developers know at wireshark-dev@wireshark.org, and be sure to send us a copy of that trace file if it's small and contains non-sensitive data.

Support for Lucent/Ascend products is limited to the debug trace output generated by the MAX and Pipline series of products. Wireshark can read the output of the wandsession wandisplay, wannext, and wdd commands.

Wireshark can also read dump trace output from the Toshiba "Compact Router" line of ISDN routers (TR-600 and TR-650). You can telnet to the router and start a dump session with snoop dump.

CoSine L2 debug output can also be read by Wireshark. To get the L2 debug output, get in the diags mode first and then use create-pkt-log-profile and apply-pkt-lozg-profile commands under layer-2 category. For more detail how to use these commands, you should examine the help command by layer-2 create ? or layer-2 apply ?.

To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must capture the trace output to a file on disk. The trace is happening inside the router and the router has no way of saving the trace to a file for you. An easy way of doing this under Unix is to run telnet <ascend> | tee <outfile>. Or, if your system has the "script" command installed, you can save a shell session, including telnet to a file. For example, to a file named tracefile.out:

$ script tracefile.out
Script started on <date/time>
$ telnet router
..... do your trace, then exit from the router's telnet session.
$ exit
Script done on <date/time>

Name Resolution

Wireshark will attempt to use reverse name resolution capabilities when decoding IPv4 and IPv6 packets.

If you want to turn off name resolution while using Wireshark, start Wireshark with the -n option to turn off all name resolution (including resolution of MAC addresses and TCP/UDP/SMTP port numbers to names), or with the -N mt option to turn off name resolution for all network-layer addresses (IPv4, IPv6, IPX).

You can make that the default setting by opening the Preferences dialog box using the Preferences item in the Edit menu, selecting "Name resolution", turning off the appropriate name resolution options, clicking "Save", and clicking "OK".

SNMP

Wireshark can do some basic decoding of SNMP packets; it can also use the libsmi library to do more sophisticated decoding, by reading MIB files and using the information in those files to display OIDs and variable binding values in a friendlier fashion. The configure script will automatically determine whether you have the libsmi library on your system. If you have the libsmi library but do not want to have Wireshark use it, you can run configure with the --without-libsmi option.

How to Report a Bug

Wireshark is under constant development, so it is possible that you will encounter a bug while using it. Please report bugs at https://bugs.wireshark.org. Be sure you enter into the bug:

  1. The complete build information from the "About Wireshark" item in the Help menu or the output of wireshark -v for Wireshark bugs and the output of tshark -v for TShark bugs;

  2. If the bug happened on Linux, the Linux distribution you were using, and the version of that distribution;

  3. The command you used to invoke Wireshark, if you ran Wireshark from the command line, or TShark, if you ran TShark, and the sequence of operations you performed that caused the bug to appear.

If the bug is produced by a particular trace file, please be sure to attach to the bug a trace file along with your bug description. If the trace file contains sensitive information (e.g., passwords), then please do not send it.

If Wireshark died on you with a 'segmentation violation', 'bus error', 'abort', or other error that produces a UNIX core dump file, you can help the developers a lot if you have a debugger installed. A stack trace can be obtained by using your debugger ('gdb' in this example), the wireshark binary, and the resulting core file. Here's an example of how to use the gdb command 'backtrace' to do so.

$ gdb wireshark core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$

The core dump file may be named "wireshark.core" rather than "core" on some platforms (e.g., BSD systems). If you got a core dump with TShark rather than Wireshark, use "tshark" as the first argument to the debugger; the core dump may be named "tshark.core".

Disclaimer

There is no warranty, expressed or implied, associated with this product. Use at your own risk.

Gerald Combs gerald@wireshark.org

Gilbert Ramirez gram@alumni.rice.edu

Guy Harris guy@alum.mit.edu