source: networking/netutils/wireshark.xml@ 3b10fa8

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY wireshark-download-http "http://www.wireshark.org/download/src/all-versions/wireshark-&wireshark-version;.tar.bz2">
  <!ENTITY wireshark-download-ftp  "&sources-anduin-ftp;/w/wireshark-&wireshark-version;.tar.bz2">
  <!ENTITY wireshark-md5sum        "e57a8c8b364c38df3da97e2ee9f0d0bc">
  <!ENTITY wireshark-size          "11.8 MB">
  <!ENTITY wireshark-buildsize     "449 MB">
  <!ENTITY wireshark-time          "6.4 SBU">
]>

<sect1 id="wireshark" xreflabel="Wireshark-&wireshark-version;">
  <?dbhtml filename="wireshark.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Wireshark-&wireshark-version;</title>

  <indexterm zone="wireshark">
    <primary sortas="a-Wireshark">Wireshark</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Wireshark</title>

    <para>The <application>Wireshark</application> package contains a network
    protocol analyzer, also known as a <quote>sniffer</quote>. This is useful
    for analyzing data captured <quote>off the wire</quote> from a live network
    connection, or data read from a capture file.
    <application>Wireshark</application> provides both a graphical and TTY-mode
    front-end for examining captured network packets from over 500 protocols,
    as well as the capability to read capture files from many other popular
    network analyzers.</para>

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Download (HTTP): <ulink url="&wireshark-download-http;"/></para>
      </listitem>
      <listitem>
        <para>Download (FTP): <ulink url="&wireshark-download-ftp;"/></para>
      </listitem>
      <listitem>
        <para>Download MD5 sum: &wireshark-md5sum;</para>
      </listitem>
      <listitem>
        <para>Download size: &wireshark-size;</para>
      </listitem>
      <listitem>
        <para>Estimated disk space required: &wireshark-buildsize;</para>
      </listitem>
      <listitem>
        <para>Estimated build time: &wireshark-time;</para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>Additional Documentation: <ulink
        url="http://www.wireshark.org/docs/"/></para>
      </listitem>
    </itemizedlist>

    <para>From this page you can download many different docs in a variety
    of formats.</para>

    <bridgehead renderas="sect3">Wireshark dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required"><!--<xref linkend="GLib"/> or --><xref linkend="glib2"/>
    (to build the TTY-mode front-end only)</para>

    <para>Note that if you don't have <application>Gtk+</application>
    installed, you will need to pass <option>--disable-wireshark</option>
    to the <command>configure</command> command.</para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended"><xref linkend="libpcap"/>
    (required to capture data)</para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional"><!-- <xref linkend="pkgconfig"/>, -->
    <xref linkend="gtk2"/> (to build the GUI front-end),
    <xref linkend="openssl"/>,
    <xref linkend="heimdal"/> or <xref linkend="mitkrb"/>,
    <xref linkend="python"/>,
    <xref linkend="pcre"/>,
    <xref linkend="gnutls"/>,
    <ulink url="http://www.net-snmp.org/">Net-SNMP</ulink>,
    <ulink url="http://www.gnu.org/software/adns/adns.html">adns</ulink>, and
    <ulink url="http://www.lua.org/">Lua</ulink></para>

    <!-- Though configure looks for all these, and the developers I'm
         sure use them, the doc sources are not included in the release
         tarball (they are in SVN, though)
    <bridgehead renderas="sect4">Optional (to build additional
    documentation)</bridgehead>
    <para role="optional"><xref linkend="doxygen"/>,
    <xref linkend="libxml"/>,
    <xref linkend="libxslt"/>, and
    <xref linkend="fop"/></para>
    -->

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/wireshark"/></para>

  </sect2>

  <sect2 role="kernel" id="wireshark-kernel">
    <title>Kernel Configuration</title>

      <para>The kernel must have the Packet protocol enabled for
      <application>Wireshark</application> to capture live packets from the
      network. Enable the Packet protocol by choosing <quote>Y</quote> in the
      <quote>Networking</quote> &ndash; <quote>Packet socket</quote>
      configuration parameter. Alternatively, build the
      <filename>af_packet.ko</filename> module by choosing <quote>M</quote> in
      this parameter.</para>

      <indexterm zone="wireshark wireshark-kernel">
        <primary sortas="d-Capturing-network-packets">Capturing network
        packets</primary>
      </indexterm>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Wireshark</title>

    <para>Install <application>Wireshark</application> by running the following
    commands:</para>

<screen><userinput>./configure --prefix=/usr \
            --sysconfdir=/etc \
            --enable-threads &amp;&amp;
make</userinput></screen>

    <para>This package does not come with a test suite.</para>

    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>make install &amp;&amp;

install -v -m755 -d /usr/share/doc/wireshark-&wireshark-version; &amp;&amp;
install -v -m644    FAQ README{,.linux} doc/README.* doc/*.{pod,txt} \
                    /usr/share/doc/wireshark-&wireshark-version; &amp;&amp;
pushd /usr/share/doc/wireshark-&wireshark-version; &amp;&amp;
for FILENAME in ../../wireshark/*.html; do \
    ln -s -v $FILENAME .
done &amp;&amp;
popd &amp;&amp;

install -v -m644 -D wireshark.desktop \
                    /usr/share/applications/wireshark.desktop &amp;&amp;
install -v -m644 -D image/wsicon48.png \
                    /usr/share/pixmaps/wireshark.png &amp;&amp;
install -v -m755 -d /usr/share/pixmaps/wireshark &amp;&amp;
install -v -m644 image/*.{png,ico,xpm,bmp} \
                 /usr/share/pixmaps/wireshark</userinput></screen>

    <para>If you downloaded any of the documentation files from the page
    listed in the 'Additional Downloads', install them by issuing the following
    commands as the <systemitem class="username">root</systemitem> user:</para>

<screen role="root"><userinput>install -v -m644 <replaceable>&lt;Downloaded_Files&gt;</replaceable> /usr/share/doc/wireshark-&wireshark-version;</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para><parameter>--enable-threads</parameter>: This parameter enables the
    use of threads in <command>wireshark</command>.</para>

    <para><option>--with-ssl</option>: This parameter is required if you
    are linking Kerberos libraries into the build so that the
    <application>OpenSSL</application>
    <filename class='libraryfile'>libcrypto</filename> library is found.</para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring Wireshark</title>

    <sect3 id="wireshark-config">
      <title>Config Files</title>

      <para><filename>/etc/wireshark.conf</filename> and
      <filename>~/.wireshark/*</filename></para>

      <indexterm zone="wireshark wireshark-config">
        <primary sortas="e-AA.wireshark-star">~/.wireshark/*</primary>
      </indexterm>

      <indexterm zone="wireshark wireshark-config">
        <primary sortas="e-etc-wireshark.conf">/etc/wireshark.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>Though the default configuration parameters are very sane,
      reference the configuration section of the
      <ulink url="http://www.wireshark.org/docs/wsug_html/">Wireshark User's
      Guide</ulink> for configuration information. Most of
      <application>Wireshark</application>'s configuration can be accomplished
      using the menu options of the <command>wireshark</command>
      graphical interface.</para>

      <note>
        <para>If you want to look at packets, make sure you don't filter
        them out with <xref linkend="iptables"/>. If you want to exclude
        certain classes of packets, it is more efficient to do it with
        <application>iptables</application> than it is with
        <application>Wireshark</application>.</para>
      </note>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>capinfos, dftest, dumpcap, editcap, idl2wrs, mergecap, randpkt,
        text2pcap, tshark and wireshark</seg>
        <seg>libwireshark.so, libwiretap.so and numerous dissector plugin
        modules</seg>
        <seg>/usr/lib/wireshark, /usr/share/doc/wireshark-&wireshark-version;,
        /usr/share/pixmaps/wireshark and /usr/share/wireshark</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="capinfos">
        <term><command>capinfos</command></term>
        <listitem>
          <para>reads a saved capture file and returns any or all of several
          statistics about that file. It is able to detect and read any capture
          supported by the <application>Wireshark</application> package.</para>
          <indexterm zone="wireshark capinfos">
            <primary sortas="b-capinfos">capinfos</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dftest">
        <term><command>dftest</command></term>
        <listitem>
          <para>is a display-filter-compiler test program.</para>
          <indexterm zone="wireshark dftest">
            <primary sortas="b-dftest">dftest</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dumpcap">
        <term><command>dumpcap</command></term>
        <listitem>
          <para>is a network traffic dump tool. It lets you capture packet data
          from a live network and write the packets to a file.</para>
          <indexterm zone="wireshark dumpcap">
            <primary sortas="b-dumpcap">dumpcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="editcap">
        <term><command>editcap</command></term>
        <listitem>
          <para>edits and/or translates the format of capture files. It knows
          how to read <application>libpcap</application> capture files,
          including those of <command>tcpdump</command>,
          <application>Wireshark</application> and other tools that write
          captures in that format.</para>
          <indexterm zone="wireshark editcap">
            <primary sortas="b-editcap">editcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="idl2wrs">
        <term><command>idl2wrs</command></term>
        <listitem>
          <para>takes a user specified CORBA
          IDL file and generates <quote>C</quote> source code that
          can be used to create an <application>Wireshark</application>
          plugin.</para>
          <indexterm zone="wireshark idl2wrs">
            <primary sortas="b-idl2wrs">idl2wrs</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="mergecap">
        <term><command>mergecap</command></term>
        <listitem>
          <para>combines multiple saved capture files into a single output
          file.</para>
          <indexterm zone="wireshark mergecap">
            <primary sortas="b-mergecap">mergecap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="randpkt">
        <term><command>randpkt</command></term>
        <listitem>
          <para>creates random-packet capture files.</para>
          <indexterm zone="wireshark randpkt">
            <primary sortas="b-randpkt">randpkt</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="text2pcap">
        <term><command>text2pcap</command></term>
        <listitem>
          <para>reads in an ASCII hex dump and writes the
          data described into a <application>libpcap</application>-style
          capture file.</para>
          <indexterm zone="wireshark text2pcap">
            <primary sortas="b-text2pcap">text2pcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="tshark">
        <term><command>tshark</command></term>
        <listitem>
          <para>is a TTY-mode network protocol analyzer. It lets you capture
          packet data from a live network or read packets from a
          previously saved capture file.</para>
          <indexterm zone="wireshark tshark">
            <primary sortas="b-tshark">tshark</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="wireshark-prog">
        <term><command>wireshark</command></term>
        <listitem>
          <para>is a GUI network protocol analyzer. It lets you interactively
          browse packet data from a live network or from a previously
          saved capture file.</para>
          <indexterm zone="wireshark wireshark-prog">
            <primary sortas="b-wireshark">wireshark</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libwireshark">
        <term><filename class='libraryfile'>libwireshark.so</filename></term>
        <listitem>
          <para>contains functions used by the
          <application>Wireshark</application> programs to perform filtering and
          packet capturing.</para>
          <indexterm zone="wireshark libwireshark">
            <primary sortas="c-libwireshark">libwireshark.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libwiretap">
        <term><filename class='libraryfile'>libwiretap.so</filename></term>
        <listitem>
          <para>is a library being developed as a future replacement for
          <filename class='libraryfile'>libpcap</filename>, the current
          standard Unix library for packet capturing. For more information,
          see the <filename>README</filename> file in the source
          <filename class='directory'>wiretap</filename> directory.</para>
          <indexterm zone="wireshark libwiretap">
            <primary sortas="c-libwiretap">libwiretap.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>