Read-only mirror of Wireshark's Git repository. GitHub won't let us disable pull requests. ☞ THEY WILL BE IGNORED HERE ☜ Please upload them at https://code.wireshark.org/review/ .
Branch: master

Latest commit

Guy Harris: Clean up a number of things.
Pass to the routines that handle particular ISIS PDU types a tvbuff for
the *full* PDU; some PDU types may have a checksum CLV type that
checksums the *entire* PDU.

Pass an isis_data_t * around to various routines, rather than passing
some individual bits of information around.

Add to that structure:

	the PDU length from the common-to-all-PDU-types part of the ISIS
	header;

	a proto_item * for the header length field;

	an expert_field * for a "the header length is bad" error.

Use the PDU length from that structure when handling the aforementioned
checksum CLV.

When dissecting the PDU-type-specific part of the ISIS header, check to
make sure we're not going past the header length and, if we are, report
it with an expert info, using the header length field proto_item * and
expert_field * from that structure.

Show the type field in sub-TLVs of the Group Address TLV (RFC 7176
section 2.1) and, if the type is unknown, add a top-level item with the
type and length fields under it.

This fixes some bugs.

Bug: 16477
Change-Id: I875306d9d4fd8f65a60b7a6d3be7e356afabe851
Reviewed-on: https://code.wireshark.org/review/36671
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Latest commit ec2ca11 Apr 2, 2020
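The length checks the commit message describes, as an added example in C that is not Wireshark's code and does not use its API: a parser for a constructed toy PDU (the layout, the per-type sizes of the type-specific part, and the checksum TLV type 0xFF are assumptions for the example, not the IS-IS wire format). It refuses to read a type-specific header part that the declared header length cannot hold, bounds the TLV walk by the declared PDU length rather than by the buffer, and verifies a checksum that covers the entire PDU, which is why the routine needs the full PDU and its length rather than a sub-range.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed PDU layout for this example (an assumption, NOT the IS-IS wire
 * format): common part = header length (1), PDU type (1), PDU length (2, BE);
 * then a type-specific part sized by the type; then TLVs of type(1) len(1) value. */
enum { COMMON_HDR_LEN = 4, TLV_HDR_LEN = 2, CHECKSUM_TLV_TYPE = 0xFF /* assumed */ };

enum pdu_status {
    PDU_OK,
    PDU_ERR_TRUNCATED,    /* fewer captured bytes than the declared PDU length */
    PDU_ERR_BAD_HDR_LEN,  /* header length cannot hold common + type-specific parts */
    PDU_ERR_BAD_TLV,      /* a TLV claims bytes beyond the PDU length */
    PDU_ERR_BAD_CHECKSUM  /* checksum TLV present but wrong */
};

struct pdu_info { uint8_t hdr_len, type; uint16_t pdu_len; unsigned tlv_count; };

/* Size of the type-specific header part per PDU type (assumed values). */
static size_t type_specific_size(uint8_t type)
{
    return type == 1 ? 4 : type == 2 ? 8 : 0;
}

/* Toy checksum over the ENTIRE PDU with the checksum byte counted as 0. Real
 * CLVs use Fletcher; the point is that this needs the whole PDU and its length. */
static uint8_t pdu_checksum(const uint8_t *buf, size_t pdu_len, size_t cksum_off)
{
    unsigned sum = 0;
    for (size_t i = 0; i < pdu_len; i++)
        sum += (i == cksum_off) ? 0 : buf[i];
    return (uint8_t)sum;
}

enum pdu_status parse_pdu(const uint8_t *buf, size_t buflen, struct pdu_info *out)
{
    if (buflen < COMMON_HDR_LEN)
        return PDU_ERR_TRUNCATED;
    out->hdr_len = buf[0];
    out->type = buf[1];
    out->pdu_len = (uint16_t)((buf[2] << 8) | buf[3]);
    out->tlv_count = 0;
    /* Every later bound comes from the declared PDU length, so first prove
     * that the declared length lies within the bytes actually captured. */
    if (out->pdu_len > buflen)
        return PDU_ERR_TRUNCATED;
    if (out->hdr_len < COMMON_HDR_LEN || out->hdr_len > out->pdu_len)
        return PDU_ERR_BAD_HDR_LEN;
    /* The check the commit adds: the type-specific part must not run past the
     * header length. A dissector reports this as expert info on the header
     * length field instead of reading on into the TLV area. */
    if (COMMON_HDR_LEN + type_specific_size(out->type) > out->hdr_len)
        return PDU_ERR_BAD_HDR_LEN;
    /* Walk the TLVs bounded by the PDU length, not by the buffer. */
    size_t off = out->hdr_len;
    while (off < out->pdu_len) {
        if (off + TLV_HDR_LEN > out->pdu_len)
            return PDU_ERR_BAD_TLV;
        uint8_t tlv_type = buf[off];
        size_t vlen = buf[off + 1];
        if (off + TLV_HDR_LEN + vlen > out->pdu_len)
            return PDU_ERR_BAD_TLV;
        if (tlv_type == CHECKSUM_TLV_TYPE && vlen == 1 &&
            buf[off + 2] != pdu_checksum(buf, out->pdu_len, off + 2))
            return PDU_ERR_BAD_CHECKSUM;
        off += TLV_HDR_LEN + vlen;
        out->tlv_count++;
    }
    return PDU_OK;
}

/* Wrappers returning just the status, or the TLV count (0 unless PDU_OK). */
enum pdu_status parse_status(const uint8_t *buf, size_t buflen)
{
    struct pdu_info info;
    return parse_pdu(buf, buflen, &info);
}
unsigned parse_tlv_count(const uint8_t *buf, size_t buflen)
{
    struct pdu_info info;
    return parse_pdu(buf, buflen, &info) == PDU_OK ? info.tlv_count : 0;
}

/* Constructed sample PDUs (not captured traffic). */
static const uint8_t GOOD_PDU[] = {
    8, 1, 0, 15,             /* hdr_len 8, type 1, pdu_len 15 */
    0xAA, 0xBB, 0xCC, 0xDD,  /* type-specific part: 4 bytes, fits in 8 */
    0x01, 0x02, 0x10, 0x20,  /* TLV type 1, length 2 */
    0xFF, 0x01, 0x59         /* checksum TLV: sum of the other 14 bytes mod 256 */
};
/* Header length 6 cannot hold the 4-byte type-specific part (the commit's bug class). */
static const uint8_t SHORT_HDR_PDU[] = {
    6, 1, 0, 15, 0xAA, 0xBB, 0xCC, 0xDD, 0x01, 0x02, 0x10, 0x20, 0xFF, 0x01, 0x59
};
/* TLV length 0x20 would run past the 15-byte PDU. */
static const uint8_t BAD_TLV_PDU[] = {
    8, 1, 0, 15, 0xAA, 0xBB, 0xCC, 0xDD, 0x01, 0x20, 0x10, 0x20, 0xFF, 0x01, 0x59
};
```

The order of the checks matters: the PDU length is validated against the captured bytes before anything else uses it, and the header length against the PDU length before the type-specific size is compared to it, so no later comparison can be fooled by a field that was itself out of range.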

Files

Type Name Latest commit message Commit time
.github/workflows github: fix job names. Mar 27, 2020
.tx Qt: Add Spanish (es) translation assets. Jan 3, 2020
capchild Have callback function pointers in a capture_session structure. Mar 25, 2020
caputils Handle -k better on platforms that don't support it. Apr 1, 2020
cmake CMake: fix detection of Lua development package Mar 19, 2020
debian debian: Ship codecs libraries in libwireshark0 Mar 15, 2020
diameter Diameter 3GPP: Fix output of AVP 713 Requested-Nodes Feb 11, 2020
doc Document the -k option. Apr 1, 2020
docbook wslua: Update the GUI docs. Mar 30, 2020
dtds HTTPS In More Places, update some URLs. Jul 27, 2019
epan Clean up a number of things. Apr 3, 2020
extcap More modeline fixes to put HT tab stops every 8 characters. Mar 15, 2020
fix FIX: fix spelling typo found by lintian Nov 2, 2016
fuzz HTTPS (almost) everywhere. Jul 26, 2019
idl HTTPS In More Places, update some URLs. Jul 27, 2019
image Qt: Add Spanish (es) translation assets. Jan 3, 2020
macosx-support-lib-patches macos-setup.sh: More GTK and minimum supported version cleanups Apr 10, 2018
packaging Windows: upgrade Npcap to 0.9989 Mar 19, 2020
plugins pluginifdemo: fix compilation when it's enabled. Apr 2, 2020
profiles [Automatic update for 2020-02-09] Feb 9, 2020
radius dictionary.meinberg: Add some values Mar 10, 2020
randpkt_core HTTPS (almost) everywhere. Jul 26, 2019
speexdsp CMake: Check for and use system SpeexDSP library May 2, 2019
test dot11decrypt: Fix decryption of MFP enabled connections Mar 23, 2020
tools Windows: upgrade Npcap to 0.9989 Mar 19, 2020
tpncp TPNCP: Support IPv6 without modifying tpncp.dat Feb 11, 2020
ui Remove duplicate status messages. Apr 2, 2020
wimaxasncp Fix a lot of typos and misspellings Jan 8, 2016
wiretap Handle nanosecond-resolution pcap files. Mar 21, 2020
writecap Write the if_hardware option, if available, to pcapng files when capt… Mar 28, 2020
wsutil nstime: make declaration arg order match definition Mar 25, 2020
.bzrignore Unify the bzr and git ignore files - they're the exact same format, Oct 6, 2012
.cirrus.yml cirrus-ci: update freebsd 12.0 to 12.1. Mar 21, 2020
.editorconfig macOS: Use dmgbuild to build our .dmg. Sep 25, 2019
.gitattributes version: include version information for tarballs from git May 16, 2019
.gitignore Remove some entries from .gitignore. Feb 25, 2020
.gitlab-ci.yml gitlab/travis: remove nopcap tests. Mar 29, 2020
.gitreview Fix the host entry. Feb 11, 2014
.mailmap .mailmap: Update of April/May (2019) Jun 5, 2019
.travis.yml gitlab/travis: remove nopcap tests. Mar 29, 2020
AUTHORS [Automatic update for 2020-03-29] Mar 29, 2020
AUTHORS.src AUTHORS: remove newlines. Jan 7, 2020
CMakeGraphVizOptions.cmake cmake: Add CMakeGraphVizOptions.cmake to improve the generated layout. Nov 11, 2018
CMakeLists.txt CMake: FindGLIB2 depends on FindWSLibrary module Mar 20, 2020
CMakeListsCustom.txt.example HTTPS (almost) everywhere. Jul 26, 2019
CMakeOptions.txt RTP: decode iLBC payload Jan 20, 2020
COPYING Always use html2text.py for FAQ, improve output Mar 25, 2015
ChangeLog 3.1.1 → 3.1.2. Nov 18, 2019
ConfigureChecks.cmake HTTPS (almost) everywhere. Jul 26, 2019
INSTALL More Qt minimum version updates. Dec 10, 2019
NEWS [Automatic update for 2020-03-29] Mar 29, 2020
README.DECT Continue to remove $Id$ from top of file Mar 31, 2014
README.aix HTTPS In More Places, update some URLs. Jul 27, 2019
README.bsd More Qt minimum version updates. Dec 10, 2019
README.hpux HTTPS In More Places, update some URLs. Jul 27, 2019
README.linux Note that newer versions of various distributions won't have these pr… Aug 2, 2017
README.macos macOS: Remove more obsolete documentation Sep 28, 2019
README.md README: add more operating systems in the opening sentence. Apr 8, 2019
README.windows Windows: Get rid of textify.ps1. Dec 17, 2019
Vagrantfile Bump Ubuntu version to 18.04 in Vagrantfile May 30, 2019
WiresharkConfig.cmake.in CMake: Modernize config-file package support Aug 25, 2018
appveyor.yml appveyor: upload installer artifacts for development branches Feb 11, 2019
capinfos.c HTTPS (almost) everywhere. Jul 26, 2019
capture_opts.c Write the if_hardware option, if available, to pcapng files when capt… Mar 28, 2020
capture_opts.h Write the if_hardware option, if available, to pcapng files when capt… Mar 28, 2020
captype.c HTTPS (almost) everywhere. Jul 26, 2019
cfile.c HTTPS (almost) everywhere. Jul 26, 2019
cfile.h HTTPS (almost) everywhere. Jul 26, 2019
cfilters Remove IPX from our default filters. Jun 27, 2018
cli_main.c cli_main: remove real_main from stack traces for non-Windows Jan 2, 2019
cli_main.h cli_main: remove real_main from stack traces for non-Windows Jan 2, 2019
cmakeconfig.h.in Require at least libpcap 0.8/WinPcap 3.1. Mar 13, 2020
colorfilters Remove keep alives from "Bad TCP" coloring rules Mar 2, 2020
dfilter_macros ship the dfilter_macros file. Jun 5, 2019
dfilters Remove IPX from our default filters. Jun 27, 2018
dftest.c HTTPS (almost) everywhere. Jul 26, 2019
doxygen.cfg.in Point to the Wayback Machine for a now-dead link. Jul 27, 2019
doxygen_global.cfg HTTPS In More Places, update some URLs. Jul 27, 2019
dumpcap.c Handle -k better on platforms that don't support it. Apr 1, 2020
editcap.c editcap: Remove an arbitrary time boundary. Feb 24, 2020
enterprises.tsv [Automatic update for 2020-03-29] Mar 29, 2020
extcap.c extcap: Check for valid PID before killing child process Feb 1, 2020
extcap.h HTTPS (almost) everywhere. Jul 26, 2019
extcap_parser.c HTTPS (almost) everywhere. Jul 26, 2019
extcap_parser.h Revert "extcap: Pass --extcap-version if extcap supports it" Dec 10, 2019
file.c Remove duplicate status messages. Apr 2, 2020
file.h Qt: Do not display alerts on repeated failed reads Feb 28, 2020
file_packet_provider.c Try to squeeze some bytes out of the frame_data structure. Dec 27, 2018
fileset.c HTTPS (almost) everywhere. Jul 26, 2019
fileset.h HTTPS (almost) everywhere. Jul 26, 2019
frame_tvbuff.c HTTPS (almost) everywhere. Jul 26, 2019
frame_tvbuff.h HTTPS (almost) everywhere. Jul 26, 2019
globals.h HTTPS (almost) everywhere. Jul 26, 2019
ipmap.html Re-implement "Map" feature for Endpoints Feb 16, 2019
log.h HTTPS (almost) everywhere. Jul 26, 2019
manuf [Automatic update for 2020-03-29] Mar 29, 2020
manuf.tmpl Manuf fixups. Sep 10, 2018
mergecap.c HTTPS (almost) everywhere. Jul 26, 2019
mmdbresolve.c mmdbresolve: check the return value of malloc Jun 26, 2019
pdml2html.xsl epan,packaging: convert http URLs to https Jul 20, 2019
pytest.ini test: enable parallelism by default for pytest Jan 5, 2019
randpkt.c HTTPS (almost) everywhere. Jul 26, 2019
rawshark.c Remove unwanted newline. Mar 15, 2020
reordercap.c HTTPS (almost) everywhere. Jul 26, 2019
ringbuffer.c CMake: Remove wsutil pcap dependency May 3, 2019
ringbuffer.h dumpcap: fix memory leak in ringbuffer mode Jan 26, 2019
services [Automatic update for 2020-03-15] Mar 15, 2020
sharkd.c Kill libwscodecs plugin library, just use plugins Jun 11, 2019
sharkd.h HTTPS (almost) everywhere. Jul 26, 2019
sharkd_daemon.c HTTPS (almost) everywhere. Jul 26, 2019
sharkd_session.c Add c-ares to the required library list. Nov 23, 2019
smi_modules remove (for now) the COPS PIBs from the list, as I have added a repro… Aug 28, 2007
sync_pipe.h HTTPS (almost) everywhere. Jul 26, 2019
sync_pipe_write.c HTTPS (almost) everywhere. Jul 26, 2019
text2pcap-scanner.l text2pcap: gracefully handle hexdump without trailing LF Oct 13, 2018
text2pcap.c Write the if_hardware option, if available, to pcapng files when capt… Mar 28, 2020
text2pcap.h HTTPS (almost) everywhere. Jul 26, 2019
tfshark.c tshark/tfshark: fix error message. Jun 9, 2019
tshark.c Have callback function pointers in a capture_session structure. Mar 25, 2020
vagrant_build.sh Vagrant: Fix provisioning script Sep 20, 2019
version_info.c HTTPS In Still More Places, update more URLs. Jul 27, 2019
version_info.h Move more version-info-related stuff to version_info.c. Dec 13, 2018
wireshark-mime-package.xml A bunch of "{Mac} OS X" -> "macOS" changes. Apr 5, 2017
wireshark.appdata.xml appdata: rename updatecontact to update_contact to be more compliant Sep 17, 2019
wireshark.desktop HTTPS In Even More Places, update some links. Jul 28, 2019
wireshark.dox Switch the Doxygen API reference build to CMake. Apr 17, 2018
wireshark.pc.in plugins: Minor interface improvement Aug 21, 2018
wka wka: Add Cisco ACI gleaning src MAC Jan 9, 2020
ws_attributes.h MSVC: Warn about unused formal parameters Sep 21, 2019
ws_compiler_tests.h replace SPDX identifier GPL-2.0+ with GPL-2.0-or-later. Feb 8, 2018
ws_diag_control.h Revert "Make versions of DIAG_OFF() and DIAG_ON() for GCC 4.2 through… Sep 11, 2018
ws_symbol_export.h HTTPS In More Places, update some URLs. Jul 27, 2019
ws_version.h.in plugins: Minor interface improvement Aug 21, 2018
wspcap.h Update comments - Npcap no longer requires HAVE_REMOTE to be defined. Mar 13, 2020

README.md

General Information

Wireshark is a network traffic analyzer, or "sniffer", for Linux, macOS, *BSD and other Unix and Unix-like operating systems and for Windows. It uses Qt, a graphical user interface library, and libpcap and npcap as packet capture and filtering libraries.

The Wireshark distribution also comes with TShark, which is a line-oriented sniffer (similar to Sun's snoop or tcpdump) that uses the same dissection, capture-file reading and writing, and packet filtering code as Wireshark, and with editcap, which is a program to read capture files and write the packets from that capture file, possibly in a different capture file format, and with some packets possibly removed from the capture.

The official home of Wireshark is https://www.wireshark.org.

The latest distribution can be found in the download subdirectory, https://www.wireshark.org/download.

Installation

The Wireshark project builds and tests regularly on the following platforms:

  • Linux (Ubuntu)
  • Microsoft Windows
  • macOS / {Mac} OS X

Official installation packages are available for Microsoft Windows and macOS.

It is available as either a standard or add-on package for many popular operating systems and Linux distributions including Debian, Ubuntu, Fedora, CentOS, RHEL, Arch, Gentoo, openSUSE, FreeBSD, DragonFly BSD, NetBSD, and OpenBSD.

Additionally, it is available through many third-party packaging systems such as pkgsrc, OpenCSW, Homebrew, and MacPorts.

It should run on other Unix-ish systems without too much trouble.

In some cases the current version of Wireshark might not support your operating system. This is the case for Windows XP, which is supported by Wireshark 1.10 and earlier. In other cases the standard package for Wireshark might simply be old. This is the case for Solaris and HP-UX.

NOTE: The Makefile depends on GNU "make"; it doesn't appear to work with the "make" that comes with Solaris 7 nor the BSD "make".

Both Perl and Python are needed, the former for building the man pages.

If you decide to modify the yacc grammar or lex scanner, then you need "flex" - it cannot be built with vanilla "lex" - and either "bison" or the Berkeley "yacc". Your flex version must be 2.5.1 or greater. Check this with flex -V.

You must therefore install Perl, Python, GNU "make", "flex", and either "bison" or Berkeley "yacc" on systems that lack them.

Full installation instructions can be found in the INSTALL file and in the Developer's Guide at https://www.wireshark.org/docs/wsdg_html_chunked/

See also the appropriate README.OS files for OS-specific installation instructions.

Usage

In order to capture packets from the network, you need to make the dumpcap program set-UID to root, or you need to have access to the appropriate entry under /dev if your system is so inclined (BSD-derived systems, and systems such as Solaris and HP-UX that support DLPI, typically fall into this category). Although it might be tempting to make the Wireshark and TShark executables setuid root, or to run them as root, please don't. The capture process has been isolated in dumpcap; this simple program is less likely to contain security holes and is thus safer to run as root.
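A check for the privilege split the paragraph describes, as an added example in C that is not part of the Wireshark README or source: it classifies each binary by its setuid bit and owner and counts a setuid wireshark or tshark as a violation, while a setuid-root dumpcap is reported as the intended configuration. The install paths in main() are assumptions; adjust them for your system.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/stat.h>

/* Added example, not Wireshark code: audit which capture-related binaries
 * carry the setuid bit. Only dumpcap may run privileged; the front ends
 * (wireshark, tshark) must not be setuid. */
enum priv_state {
    PRIV_MISSING,      /* path does not exist */
    PRIV_PLAIN,        /* no setuid bit */
    PRIV_SETUID_ROOT,  /* setuid and owned by root: runs as root */
    PRIV_SETUID_OTHER  /* setuid but owned by a non-root user */
};

enum priv_state priv_state_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return PRIV_MISSING;
    if (!(st.st_mode & S_ISUID))
        return PRIV_PLAIN;
    return st.st_uid == 0 ? PRIV_SETUID_ROOT : PRIV_SETUID_OTHER;
}

/* Returns the number of violations: each front-end binary that is setuid
 * counts as one. dumpcap's state is reported but never counted, since a
 * setuid-root dumpcap (or, on Linux, file capabilities on it) is the
 * README's intended way of capturing. */
int audit_capture_privs(const char *dumpcap, const char *wireshark, const char *tshark)
{
    const char *frontends[] = { wireshark, tshark };
    int violations = 0;
    for (size_t i = 0; i < 2; i++) {
        enum priv_state s = priv_state_of(frontends[i]);
        if (s == PRIV_SETUID_ROOT || s == PRIV_SETUID_OTHER) {
            fprintf(stderr, "WARNING: %s is setuid; only dumpcap should run privileged\n",
                    frontends[i]);
            violations++;
        }
    }
    enum priv_state d = priv_state_of(dumpcap);
    printf("%s: %s\n", dumpcap,
           d == PRIV_MISSING     ? "missing" :
           d == PRIV_PLAIN       ? "not setuid (capture needs capabilities or device access)" :
           d == PRIV_SETUID_ROOT ? "setuid root" : "setuid non-root (unusual)");
    return violations;
}

int main(void)
{
    /* Assumed install locations; adjust for your system. */
    int v = audit_capture_privs("/usr/bin/dumpcap", "/usr/bin/wireshark", "/usr/bin/tshark");
    printf("%d violation(s)\n", v);
    return v ? 1 : 0;
}
```

A non-zero exit status makes the check usable from a configuration-management or CI step; on Linux, pairing it with a look at dumpcap's file capabilities (via the getcap tool) covers installations that avoid setuid root entirely.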

Please consult the man page for a description of each command-line option and interface feature.

Multiple File Types

Wireshark can read packets from a number of different file types. See the Wireshark man page or the Wireshark User's Guide for a list of supported file formats.

Wireshark can transparently read gzipped versions of any of those files if zlib was available when Wireshark was compiled. CMake will automatically use zlib if it is found on your system. You can disable zlib support by running cmake -DENABLE_ZLIB=OFF.

Although Wireshark can read AIX iptrace files, the documentation on AIX's iptrace packet-trace command is sparse. The iptrace command starts a daemon which you must kill in order to stop the trace. Through experimentation it appears that sending a HUP signal to that iptrace daemon causes a graceful shutdown and a complete packet is written to the trace file. If a partial packet is saved at the end, Wireshark will complain when reading that file, but you will be able to read all other packets. If this occurs, please let the Wireshark developers know at wireshark-dev@wireshark.org; be sure to send us a copy of that trace file if it's small and contains non-sensitive data.

Support for Lucent/Ascend products is limited to the debug trace output generated by the MAX and Pipeline series of products. Wireshark can read the output of the wandsession, wandisplay, wannext, and wdd commands.

Wireshark can also read dump trace output from the Toshiba "Compact Router" line of ISDN routers (TR-600 and TR-650). You can telnet to the router and start a dump session with snoop dump.

CoSine L2 debug output can also be read by Wireshark. To get the L2 debug output, first enter the diags mode and then use the create-pkt-log-profile and apply-pkt-lozg-profile commands under the layer-2 category. For more detail on how to use these commands, examine the help output from layer-2 create ? or layer-2 apply ?.

To use the Lucent/Ascend, Toshiba and CoSine traces with Wireshark, you must capture the trace output to a file on disk. The trace is happening inside the router and the router has no way of saving the trace to a file for you. An easy way of doing this under Unix is to run telnet <ascend> | tee <outfile>. Or, if your system has the "script" command installed, you can save a shell session, including telnet, to a file. For example to log to a file named tracefile.out:

$ script tracefile.out
Script started on <date/time>
$ telnet router
..... do your trace, then exit from the router's telnet session.
$ exit
Script done on <date/time>

Name Resolution

Wireshark will attempt to use reverse name resolution capabilities when decoding IPv4 and IPv6 packets.

If you want to turn off name resolution while using Wireshark, start Wireshark with the -n option to turn off all name resolution (including resolution of MAC addresses and TCP/UDP/SMTP port numbers to names) or with the -N mt option to turn off name resolution for all network-layer addresses (IPv4, IPv6, IPX).

You can make that the default setting by opening the Preferences dialog using the Preferences item in the Edit menu, selecting "Name resolution", turning off the appropriate name resolution options, and clicking "OK".

SNMP

Wireshark can do some basic decoding of SNMP packets; it can also use the libsmi library to do more sophisticated decoding by reading MIB files and using the information in those files to display OIDs and variable binding values in a friendlier fashion. CMake will automatically determine whether you have the libsmi library on your system. If you have the libsmi library but do not want Wireshark to use it, you can run cmake with the -DENABLE_SMI=OFF option.

How to Report a Bug

Wireshark is under constant development, so it is possible that you will encounter a bug while using it. Please report bugs at https://bugs.wireshark.org. Be sure you enter into the bug:

  1. The complete build information from the "About Wireshark" item in the Help menu or the output of wireshark -v for Wireshark bugs and the output of tshark -v for TShark bugs;

  2. If the bug happened on Linux, the Linux distribution you were using, and the version of that distribution;

  3. The command you used to invoke Wireshark, if you ran Wireshark from the command line, or TShark, if you ran TShark, and the sequence of operations you performed that caused the bug to appear.

If the bug is produced by a particular trace file, please be sure to attach to the bug a trace file along with your bug description. If the trace file contains sensitive information (e.g., passwords), then please do not send it.

If Wireshark died on you with a 'segmentation violation', 'bus error', 'abort', or other error that produces a UNIX core dump file, you can help the developers a lot if you have a debugger installed. A stack trace can be obtained by using your debugger ('gdb' in this example), the wireshark binary, and the resulting core file. Here's an example of how to use the gdb command 'backtrace' to do so.

$ gdb wireshark core
(gdb) backtrace
..... prints the stack trace
(gdb) quit
$

The core dump file may be named "wireshark.core" rather than "core" on some platforms (e.g., BSD systems). If you got a core dump with TShark rather than Wireshark, use "tshark" as the first argument to the debugger; the core dump may be named "tshark.core".

Disclaimer

There is no warranty, expressed or implied, associated with this product. Use at your own risk.

Gerald Combs gerald@wireshark.org

Gilbert Ramirez gram@alumni.rice.edu

Guy Harris guy@alum.mit.edu
