Wireshark · Frequently Asked Questions (2024)

Wireshark Frequently Asked Questions

1. General Questions:

1.1 What is Wireshark?

1.2 What's up with the name change? Is Wireshark a fork?

1.3 Where can I get help?

1.4 What kind of shark is Wireshark?

1.5 How is Wireshark pronounced, spelled and capitalized?

1.6 How much does Wireshark cost?

1.7 But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off?

1.8 Can I use Wireshark commercially?

1.9 Can I use Wireshark as part of my commercial product?

1.10 What protocols are currently supported?

1.11 Are there any plans to support {your favorite protocol}?

1.12 Can Wireshark read capture files from {your favorite network analyzer}?

1.13 What devices can Wireshark use to capture packets?

1.14 Does Wireshark work on Windows Vista or Windows Server 2008?

2. Installing Wireshark:

2.1 I installed the Wireshark RPM (or other package); why did it install TShark but not Wireshark?

3. Building Wireshark:

3.1 I have libpcap installed; why did the configure script not find pcap.h or bpf.h?

3.2 When I try to build Wireshark on Windows, why does the build fail because of conflicts between winsock.h and winsock2.h?

4. Starting Wireshark:

4.1 When I try to run Wireshark, why does it complain about sprint_realloc_objid being undefined?

4.2 I've installed Wireshark from Fink on macOS; why is it very slow to start up?

5. Crashes and other fatal errors:

5.1 I have an XXX network card on my machine; if I try to capture on it, why does my machine crash or reset itself?

5.2 Why does my machine crash or reset itself when I select "Start" from the "Capture" menu or select "Preferences" from the "Edit" menu?

6. Capturing packets:

6.1 When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?

6.2 When I capture with Wireshark, why can't I see any TCP packets other than packets to and from my machine, even though another analyzer on the network sees those packets?

6.3 Why am I only seeing ARP packets when I try to capture traffic?

6.4 Why am I not seeing any traffic when I try to capture traffic?

6.5 Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?

6.6 How do I put an interface into promiscuous mode?

6.7 I can set a display filter just fine; why don't capture filters work?

6.8 I'm entering valid capture filters; why do I still get "parse error" errors?

6.9 How can I capture packets with CRC errors?

6.10 How can I capture entire frames, including the FCS?

6.11 I'm capturing packets on a machine on a VLAN; why don't the packets I'm capturing have VLAN tags?

6.12 Why does Wireshark hang after I stop a capture?

7. Capturing packets on Windows:

7.1 I'm running Wireshark on Windows; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface?

7.2 I'm running Wireshark on Windows; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"?

7.3 I'm running Wireshark on Windows; why doesn't my serial port/ADSL modem/ISDN modem show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"?

7.4 I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the "Interface" item in the "Capture Options" dialog box. Why can no packets be sent on or received from that network while I'm trying to capture traffic on that interface?

7.5 I'm running Wireshark on Windows; why am I not seeing any traffic being sent by the machine running Wireshark?

7.6 When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety?

7.7 I'm trying to capture 802.11 traffic on Windows; why am I not seeing any packets?

7.8 I'm trying to capture 802.11 traffic on Windows; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine?

7.9 I'm trying to capture Ethernet VLAN traffic on Windows, and I'm capturing on a "raw" Ethernet device rather than a "VLAN interface", so that I can see the VLAN headers; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine?

8. Capturing packets on UN*Xes:

8.1 I'm running Wireshark on a UNIX-flavored OS; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface?

8.2 I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"?

8.3 I'm capturing packets on Linux; why do the time stamps have only 100ms resolution, rather than 1us resolution?

9. Capturing packets on wireless LANs:

9.1 How can I capture raw 802.11 frames, including non-data (management, beacon) frames?

9.2 How do I capture on an 802.11 device in monitor mode?

10. Viewing traffic:

10.1 Why am I seeing lots of packets with incorrect TCP checksums?

10.2 I've just installed Wireshark, and the traffic on my local LAN is boring. Where can I find more interesting captures?

10.3 Why doesn't Wireshark correctly identify RTP packets? It shows them only as UDP.

10.4 Why doesn't Wireshark show Yahoo Messenger packets in captures that contain Yahoo Messenger traffic?

11. Filtering traffic:

11.1 I saved a filter and tried to use its name to filter the display; why do I get an "Unexpected end of filter string" error?

11.2 How can I search for, or filter, packets that have a particular string anywhere in them?

11.3 How do I filter a capture to see traffic for virus XXX?

1. General Questions

Q 1.1: What is Wireshark?

A:Wireshark® is a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It has a rich and powerful feature set and is the world's most popular tool of its kind. It runs on most computing platforms including Windows, macOS, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
It is developed and maintained by a global team of protocol experts, and it is an example of a disruptive technology.
Wireshark used to be known as Ethereal®. See the next question for details about the name change. If you're still using Ethereal, it is strongly recommended that you upgrade to Wireshark, as Ethereal is unsupported and has known security vulnerabilities.
For more information, please see the About Wireshark page.

Q 1.2: What's up with the name change? Is Wireshark a fork?

A:In May of 2006, Gerald Combs (the original author of Ethereal)went to work for CACE Technologies (best known for WinPcap).Unfortunately, he had to leave the Ethereal trademarks behind.
This left the project in an awkward position. The only reasonable wayto ensure the continued success of the project was to change the name.This is how Wireshark was born.
Wireshark is almost (but not quite) a fork. Normally a "fork" of an open sourceproject results in two names, web sites, development teams, supportinfrastructures, etc. This is the case with Wireshark except for one notableexception -- every member of the core development team is now working onWireshark. There has been no active development on Ethereal since the namechange. Several parts of the Ethereal web site (such as the mailing lists,source code repository, and build farm) have gone offline.
More information on the name change can be found here:

Q 1.3: Where can I get help?

A:Community support is available on the Wireshark Q&A site and on the wireshark-users mailing list. Subscription information and archives for all of Wireshark's mailing lists can be found at https://www.wireshark.org/mailman/listinfo. An IRC channel dedicated to Wireshark can be found at irc://irc.freenode.net/wireshark.
Self-paced and instructor-led training is available at Wireshark University. Wireshark University also offers certification via the Wireshark Certified Network Analyst program.

Q 1.4: What kind of shark is Wireshark?

A:carcharodon photoshopia.

Q 1.5: How is Wireshark pronounced, spelled and capitalized?

A:Wireshark is pronounced as the word wire followed immediately by the word shark. Exact pronunciation and emphasis may vary depending on your locale (e.g. Arkansas).
It's spelled with a capital W, followed by a lower-case ireshark. It is not a CamelCase word, i.e., WireShark is incorrect.

Q 1.6: How much does Wireshark cost?

A:Wireshark is "free software"; you can download it without paying any license fee. The version of Wireshark you download isn't a "demo" version, with limitations not present in a "full" version; it is the full version.
The license under which Wireshark is issued is the GNU General Public License version 2. See the GNU GPL FAQ for some more information.

Q 1.7: But I just paid someone on eBay for a copy of Wireshark! Did I get ripped off?

A:That depends. Did they provide any sort of value-added product or service, such as installation support, installation media, training, trace file analysis, or funky-colored shark-themed socks? Probably not.
Wireshark is available for anyone to download, absolutely free, at any time. Paying for a copy implies that you should get something for your money.

Q 1.8: Can I use Wireshark commercially?

A:Yes, if, for example, you mean "I work for a commercial organization; can I use Wireshark to capture and analyze network traffic in our company's networks or in our customers' networks?"
If you mean "Can I use Wireshark as part of my commercial product?", seethe next entry in the FAQ.

Q 1.9: Can I use Wireshark as part of my commercial product?

A:As noted, Wireshark is licensed under the GNU General Public License, version 2. The GPL imposes conditions on your use of GPL'ed code in your own products; you cannot, for example, make a "derived work" from Wireshark, by making modifications to it, and then sell the resulting derived work and not allow recipients to give away the resulting work. You must also make the changes you've made to the Wireshark source available to all recipients of your modified version; those changes must also be licensed under the terms of the GPL. See the GPL FAQ for more details; in particular, note the answer to the question about modifying a GPLed program and selling it commercially, and the question about linking GPLed code with other code to make a proprietary program.
You can combine a GPLed program such as Wireshark and a commercial program as long as they communicate "at arm's length", as per this item in the GPL FAQ.
We recommend keeping Wireshark and your product completely separate, communicating over sockets or pipes. If you're loading any part of Wireshark as a DLL, you're probably doing it wrong.

Q 1.10: What protocols are currently supported?

A:There are currently hundreds of supported protocols and media. Details can be found in the wireshark(1) man page.

Q 1.11: Are there any plans to support {your favorite protocol}?

A:Support for particular protocols is added to Wireshark as a result ofpeople contributing that support; no formal plans for adding support forparticular protocols in particular future releases exist.

Q 1.12: Can Wireshark read capture files from {your favorite network analyzer}?

A:Support for particular capture file formats is added to Wireshark as a resultof people contributing that support; no formal plans for adding support forparticular capture file formats in particular future releases exist.
If a network analyzer writes out files in a format already supported byWireshark (e.g., in libpcap format), Wireshark may already be able to readthem, unless the analyzer has added its own proprietary extensions tothat format.
If a network analyzer writes out files in its own format, or has added proprietary extensions to another format, in order to make Wireshark read captures from that network analyzer, we would either have to have a specification for the file format, or the extensions, sufficient to give us enough information to read the parts of the file relevant to Wireshark, or would need at least one capture file in that format AND a detailed textual analysis of the packets in that capture file (showing packet time stamps, packet lengths, and the top-level packet header) in order to reverse-engineer the file format.
Note that there is no guarantee that we will be able to reverse-engineera capture file format.

Q 1.13: What devices can Wireshark use to capture packets?

A:Wireshark can read live data from Ethernet, Token-Ring, FDDI, serial (PPP and SLIP) (if the OS on which it's running allows Wireshark to do so), 802.11 wireless LAN (if the OS on which it's running allows Wireshark to do so), ATM connections (if the OS on which it's running allows Wireshark to do so), and the "any" device supported on Linux by recent versions of libpcap.
See the list of supported capture media on various OSes for details (several items in there say "Unknown", which doesn't mean "Wireshark can't capture on them"; it means "we don't know whether it can capture on them". We expect that it will be able to capture on many of them, but we haven't tried it ourselves; if you try one of those types and it works, please update the wiki page accordingly).
It can also read a variety of capture file formats, including:

  • AG Group/WildPackets/Savvius EtherPeek/TokenPeek/AiroPeek/EtherHelp/Packet Grabber captures
  • AIX's iptrace captures
  • Accellent's 5Views LAN agent output
  • Cinco Networks NetXRay captures
  • Cisco Secure Intrusion Detection System IPLog output
  • CoSine L2 debug output
  • DBS Etherwatch VMS text output
  • Endace Measurement Systems' ERF format captures
  • EyeSDN USB S0 traces
  • HP-UX nettl captures
  • ISDN4BSD project i4btrace captures
  • Linux Bluez Bluetooth stack hcidump -w traces
  • Lucent/Ascend router debug output
  • Microsoft Network Monitor captures
  • Network Associates Windows-based Sniffer captures
  • Network General/Network Associates DOS-based Sniffer (compressed or uncompressed) captures
  • Network Instruments Observer version 9 captures
  • Novell LANalyzer captures
  • RADCOM's WAN/LAN analyzer captures
  • Shomiti/Finisar Surveyor captures
  • Toshiba's ISDN routers dump output
  • VMS TCPIPtrace/TCPtrace/UCX$TRACE output
  • Visual Networks' Visual UpTime traffic capture
  • libpcap, tcpdump and various other tools using tcpdump's capture format
  • snoop and atmsnoop output

so that it can read traces from various network types, as captured byother applications or equipment, even if it cannot itself capture onthose network types.

Q 1.14: Does Wireshark work on Windows Vista or Windows Server 2008?

A:Yes, but if you want to capture packets as a normal user, you must make sure npf.sys is loaded. Wireshark's installer enables this by default. This is not a concern if you run Wireshark as Administrator, but this is discouraged. See the CapturePrivileges page on the wiki for more details.

2. Installing Wireshark

Q 2.1: I installed the Wireshark RPM (or other package); why did it install TShark but not Wireshark?

A:Many distributions have separate Wireshark packages, one for non-GUIcomponents such as TShark, editcap, dumpcap, etc. and one for the GUI.If this is the case on your system, there's probably a separate packagenamed wireshark-qt. Find it and install it.

3. Building Wireshark

Q 3.1: I have libpcap installed; why did the configure script not find pcap.h or bpf.h?

A:Are you sure pcap.h and bpf.h are installed? The official distributionof libpcap only installs the libpcap.a library file when "make install"is run. To install pcap.h and bpf.h, you must run "make install-incl".If you're running Debian or Redhat, make sure you have the "libpcap-dev"or "libpcap-devel" packages installed.
It's also possible that pcap.h and bpf.h have been installed in a strangelocation. If this is the case, you may have to tweak aclocal.m4.

Q 3.2: When I try to build Wireshark on Windows, why does the build fail because of conflicts between winsock.h and winsock2.h?

A:As of Wireshark 0.9.5, you must install WinPcap 2.3 or later, and the corresponding version of the developer's pack, in order to be able to compile Wireshark; it will not compile with older versions of the developer's pack. The symptoms of this failure are conflicts between definitions in winsock.h and in winsock2.h; Wireshark uses winsock2.h, but pre-2.3 versions of the WinPcap developer's pack use winsock.h. (2.3 uses winsock2.h, so if Wireshark were to use winsock.h, it would not be able to build with current versions of the WinPcap developer's pack.)
Note that the installed version of the developer's pack should be thesame version as the version of WinPcap you have installed.

4. Starting Wireshark

Q 4.1: When I try to run Wireshark, why does it complain about sprint_realloc_objid being undefined?

A:Wireshark can only be linked with version 4.2.2 or later of UCD SNMP.Your version of Wireshark was dynamically linked with such a version ofUCD SNMP; however, you have an older version of UCD SNMP installed,which means that when Wireshark is run, it tries to link to the olderversion, and fails. You will have to replace that version of UCD SNMPwith version 4.2.2 or a later version.

Q 4.2: I've installed Wireshark from Fink on macOS; why is it very slow to start up?

A:When an application is installed on macOS, prior to 10.4, it is usually"prebound" to speed up launching the application. (That's what the"Optimizing" phase of installation is.)
Fink normally performs prebinding automatically when you install apackage. However, in some rare cases, for whatever reason the prebindingcaches get corrupt, and then not only does prebinding fail, but startupactually becomes much slower, because the system tries in vain toperform prebinding "on the fly" as you launch the application. Thisfails, causing sometimes huge delays.
To fix the prebinding caches, run the command

sudo /sw/var/lib/fink/prebound/update-package-prebinding.pl -f

5. Crashes and other fatal errors

Q 5.1: I have an XXX network card on my machine; if I try to capture on it, why does my machine crash or reset itself?

A:This is almost certainly a problem with one or more of:

  • the operating system you're using;
  • the device driver for the interface you're using;
  • the libpcap/WinPcap library and, if this is Windows, the WinPcap device driver;

so:

  • if you are using Windows, see the WinPcap support page - check the "Submitting bugs" section;
  • if you are using some Linux distribution, some version of BSD, or some other UNIX-flavored OS, you should report the problem to the company or organization that produces the OS (in the case of a Linux distribution, report the problem to whoever produces the distribution).

Q 5.2: Why does my machine crash or reset itself when I select "Start" from the "Capture" menu or select "Preferences" from the "Edit" menu?

A:Both of those operations cause Wireshark to try to build a list of theinterfaces that it can open; it does so by getting a list of interfacesand trying to open them. There is probably an OS, driver, or, forWindows, WinPcap bug that causes the system to crash when this happens;see the previous question.

6. Capturing packets

Q 6.1: When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?

A:This might be because the interface on which you're capturing is pluggedinto an Ethernet or Token Ring switch; on a switched network, unicasttraffic between two ports will not necessarily appear on other ports -only broadcast and multicast traffic will be sent to all ports.
Note that even if your machine is plugged into a hub, the "hub" may bea switched hub, in which case you're still on a switched network.
Note also that on the Linksys Web site, they say that their auto-sensing hubs "broadcast the 10Mb packets to the port that operate at 10Mb only and broadcast the 100Mb packets to the ports that operate at 100Mb only", which would indicate that if you sniff on a 10Mb port, you will not see traffic sent to a 100Mb port, and vice versa. This problem has also been reported for Netgear dual-speed hubs, and may exist for other "auto-sensing" or "dual-speed" hubs.
Some switches have the ability to replicate all traffic on all ports to a single port so that you can plug your analyzer into that single port to sniff all traffic. You would have to check the documentation for the switch to see if this is possible and, if so, to see how to do this. See the switch reference page on the Wireshark Wiki for information on some switches. (Note that it's a Wiki, so you can update or fix that information, or add additional information on those switches or information on new switches, yourself.)
Note also that many firewall/NAT boxes have a switch built into them; this includes many of the "cable/DSL router" boxes. If you have a box of that sort, that has a switch with some number of Ethernet ports into which you plug machines on your network, and another Ethernet port used to connect to a cable or DSL modem, you can, at least, sniff traffic between the machines on your network and the Internet by plugging the Ethernet port on the router going to the modem, the Ethernet port on the modem, and the machine on which you're running Wireshark into a hub (make sure it's not a switching hub, and that, if it's a dual-speed hub, all three of those ports are running at the same speed).
If your machine is not plugged into a switched network or a dual-speed hub, or it is plugged into a switched network but the port is set up to have all traffic replicated to it, the problem might be that the network interface on which you're capturing doesn't support "promiscuous" mode, or that your OS can't put the interface into promiscuous mode. Normally, network interfaces supply to the host only:

  • packets sent to one of that host's link-layer addresses;
  • broadcast packets;
  • multicast packets sent to a multicast address that the host has configured the interface to accept.

Most network interfaces can also be put in "promiscuous" mode, in whichthey supply to the host all network packets they see. Wireshark will tryto put the interface on which it's capturing into promiscuous modeunless the "Capture packets in promiscuous mode" option is turned off inthe "Capture Options" dialog box, and TShark will try to put theinterface on which it's capturing into promiscuous mode unless the-p option was specified. However, some network interfacesdon't support promiscuous mode, and some OSes might not allow interfacesto be put into promiscuous mode.
If the interface is not running in promiscuous mode, it won't see any traffic that isn't intended to be seen by your machine. It will see broadcast packets, and multicast packets sent to a multicast MAC address the interface is set up to receive.
You should ask the vendor of your network interface whether it supports promiscuous mode. If it does, you should ask whoever supplied the driver for the interface (the vendor, or the supplier of the OS you're running on your machine) whether it supports promiscuous mode with that network interface.
In the case of token ring interfaces, the drivers for some of them, on Windows, may require you to enable promiscuous mode in order to capture in promiscuous mode. See the Wireshark Wiki item on Token Ring capturing for details.
In the case of wireless LAN interfaces, it appears that, when those interfaces are promiscuously sniffing, they're running in a significantly different mode from the mode that they run in when they're just acting as network interfaces (to the extent that it would be a significant effort for those drivers to support promiscuous sniffing and acting as regular network interfaces at the same time), so it may be that Windows drivers for those interfaces don't support promiscuous mode.
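To make the three "normal" cases and the promiscuous case above concrete, here is an added example (it is not Wireshark or libpcap code) that models the receive filter of a network interface on a few constructed Ethernet frames. The host MAC, the peer MACs and the joined multicast group are assumptions chosen for the example; the mapping of an IPv4 multicast group to a 01:00:5e MAC address is the standard one, included so that "a multicast address the host has configured the interface to accept" has a concrete value.

```python
"""Model of the NIC receive filter described above.

Added example, not Wireshark or libpcap code. A non-promiscuous interface
hands the host only frames whose destination is its own unicast MAC, the
broadcast address, or a multicast MAC the host has joined; promiscuous mode
hands over every frame the interface receives.
"""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")


def ipv4_multicast_mac(group: str) -> bytes:
    """Map an IPv4 multicast group to its Ethernet MAC (01:00:5e + low 23 bits)."""
    a, b, c, d = (int(x) for x in group.split("."))
    if not 224 <= a <= 239:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return bytes([0x01, 0x00, 0x5E, b & 0x7F, c, d])


def is_group_address(mac: bytes) -> bool:
    """The I/G bit (LSB of the first octet) marks multicast; broadcast is the all-ones case."""
    return bool(mac[0] & 0x01)


def nic_delivers(frame: bytes, host_mac: bytes, joined, promiscuous: bool) -> bool:
    """True if the interface would pass this frame up to the OS capture mechanism."""
    if len(frame) < 14:           # shorter than an Ethernet header: not a frame
        return False
    dst = frame[:6]
    if promiscuous:
        return True               # everything the card receives, whoever it is for
    if dst == host_mac or dst == BROADCAST:
        return True
    return is_group_address(dst) and dst in joined


def ether(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet II frame (no FCS) from constructed parts."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample addresses (02:... = locally administered, not real vendors).
HOST = bytes.fromhex("021122334455")
PEER_A = bytes.fromhex("0266778899aa")
PEER_B = bytes.fromhex("02bbccddeeff")
MDNS_MAC = ipv4_multicast_mac("224.0.0.251")   # mDNS group, assumed joined by HOST

SAMPLE_FRAMES = {
    "to_host": ether(HOST, PEER_A),                 # unicast addressed to us
    "arp_broadcast": ether(BROADCAST, PEER_A, 0x0806),
    "mdns_multicast": ether(MDNS_MAC, PEER_A),
    "peer_to_peer": ether(PEER_B, PEER_A),          # unicast between two other hosts
}


def visible(promiscuous: bool, joined=frozenset({MDNS_MAC})) -> list:
    """Names of the sample frames the host would see under the given mode."""
    return [name for name, frame in SAMPLE_FRAMES.items()
            if nic_delivers(frame, HOST, joined, promiscuous)]


if __name__ == "__main__":
    print("non-promiscuous:", visible(False))
    print("promiscuous:    ", visible(True))
```

The model covers only the interface's own filter. Even with promiscuous mode on, the peer_to_peer frame is only visible if it reaches the port at all, which on a switched network means a mirror port or a real (non-switching, same-speed) hub, as described above.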

Q 6.2: When I capture with Wireshark, why can't I see any TCP packets other than packets to and from my machine, even though another analyzer on the network sees those packets?

A:You're probably not seeing any packets other than unicastpackets to or from your machine, and broadcast and multicast packets; aswitch will normally send to a port only unicast traffic sent to the MACaddress for the interface on that port, and broadcast and multicasttraffic - it won't send to that port unicast traffic sent to a MACaddress for some other interface - and a network interface not inpromiscuous mode will receive only unicast traffic sent to the MACaddress for that interface, broadcast traffic, and multicast trafficsent to a multicast MAC address the interface is set up to receive.
TCP doesn't use broadcast or multicast, so you will only see your ownTCP traffic, but UDP services may use broadcast or multicast so you'llsee some UDP traffic - however, this is not a problem with TCP traffic,it's a problem with unicast traffic, as you also won't see all UDPtraffic between other machines.
I.e., this is probably the same question as this earlier one; see the response to that question.

Q 6.3: Why am I only seeing ARP packets when I try to capture traffic?

A:You're probably on a switched network, and running Wireshark on a machinethat's not sending traffic to the switch and not being sent any trafficfrom other machines on the switch. ARP packets are often broadcastpackets, which are sent to all switch ports.
I.e., this is probably the same question as this earlier one; see the response to that question.

Q 6.4: Why am I not seeing any traffic when I try to capture traffic?

A:Is the machine running Wireshark sending out any traffic on the networkinterface on which you're capturing, or receiving any traffic on thatnetwork, or is there any broadcast traffic on the network or multicasttraffic to a multicast group to which the machine running Wiresharkbelongs?
If not, this may just be a problem with promiscuous sniffing, either due to running on a switched network or a dual-speed hub, or due to problems with the interface not supporting promiscuous mode; see the response to this earlier question.
Otherwise, on Windows, see the response to thisquestion and, on a UNIX-flavored OS, see the response to this question.

Q 6.5: Can Wireshark capture on (my T1/E1 line, SS7 links, etc.)?

A:Wireshark can only capture on devices supported by libpcap/WinPcap. Onmost OSes, only devices that can act as network interfaces of the typethat support IP are supported as capture devices for libpcap/WinPcap,although the device doesn't necessarily have to be running as an IPinterface in order to support traffic capture.
On Linux and FreeBSD, libpcap 0.8 and later support the API for Endace Measurement Systems'DAG cards, so that a system with one of those cards, and its driverand libraries, installed can capture traffic with those cards withlibpcap-based applications. You would either have to have a version ofWireshark built with that version of libpcap, or a dynamically-linkedversion of Wireshark and a shared libpcap library with DAG support, inorder to do so with Wireshark. You should ask Endace whether that couldbe used to capture traffic on, for example, your T1/E1 link.
See the SS7 capture setup page on the Wireshark Wiki for current information on capturing SS7 traffic on TDM links.

Q 6.6: How do I put an interface into promiscuous mode?

A:By not disabling promiscuous mode when running Wireshark or TShark.
Note, however, that:

  • the form of promiscuous mode that libpcap (the library that programs such as tcpdump, Wireshark, etc. use to do packet capture) turns on will not necessarily be shown if you run ifconfig on the interface on a UNIX system;
  • some network interfaces might not support promiscuous mode, and some drivers might not allow promiscuous mode to be turned on - see this earlier question for more information on that;
  • the fact that you're not seeing any traffic, or are only seeing broadcast traffic, or aren't seeing any non-broadcast traffic other than traffic to or from the machine running Wireshark, does not mean that promiscuous mode isn't on - see this earlier question for more information on that.


Q 6.7: I can set a display filter just fine; why don't capture filters work?

A:Capture filters currently use a different syntax than display filters. Here's the corresponding section from the wireshark(1) man page:
"Display filters in Wireshark are very powerful; more fields are filterablein Wireshark than in other protocol analyzers, and the syntax you canuse to create your filters is richer. As Wireshark progresses, expectmore and more protocol fields to be allowed in display filters.
Packet capturing is performed with the pcap library. The capture filtersyntax follows the rules of the pcap library. This syntax is differentfrom the display filter syntax."
The capture filter syntax used by libpcap can be found in the tcpdump(8) man page.

Q 6.8: I'm entering valid capture filters; why do I still get "parse error" errors?

A:There is a bug in some versions of libpcap/WinPcap that cause it toreport parse errors even for valid expressions if a previous filterexpression was invalid and got a parse error.
Try exiting and restarting Wireshark; if you are using a version oflibpcap/WinPcap with this bug, this will "erase" its memory of theprevious parse error. If the capture filter that got the "parse error"now works, the earlier error with that filter was probably due to thisbug.
The bug was fixed in libpcap 0.6; 0.4[.x] and 0.5[.x] versions oflibpcap have this bug, but 0.6[.x] and later versions don't.
Versions of WinPcap prior to 2.3 are based on pre-0.6 versions oflibpcap, and have this bug; WinPcap 2.3 is based on libpcap 0.6.2, anddoesn't have this bug.
If you are running Wireshark on a UNIX-flavored platform, run "wireshark -v", or select "About Wireshark..." from the "Help" menu in Wireshark, to see what version of libpcap it's using. If it's not 0.6 or later, you will need either to upgrade your OS to get a later version of libpcap, or will need to build and install a later version of libpcap from the tcpdump.org Web site and then recompile Wireshark from source with that later version of libpcap.
If you are running Wireshark on Windows with a pre-2.3 version ofWinPcap, you will need to un-install WinPcap and then download andinstall WinPcap 2.3.

Q 6.9: How can I capture packets with CRC errors?

A:Wireshark can capture only the packets that the packet capture library -libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcapon Windows - can capture, and libpcap/WinPcap can capture only thepackets that the OS's raw packet capture mechanism (or the WinPcapdriver, and the underlying OS networking code and network interfacedrivers, on Windows) will allow it to capture.
Unless the OS always supplies packets with errors such as invalid CRCs to the raw packet capture mechanism, or can be configured to do so, Wireshark - and other programs that capture raw packets, such as tcpdump - cannot capture those packets. You will have to determine whether your OS needs to be so configured and, if so, can be so configured, configure it if necessary and possible, and make whatever changes to libpcap and the packet capture program you're using are necessary, if any, to support capturing those packets.
Most OSes probably do not support capturing packetswith invalid CRCs on Ethernet, and probably do not support it on mostother link-layer types. Some drivers on some OSes do support it, suchas some Ethernet drivers on FreeBSD; in those OSes, you might always getthose packets, or you might only get them if you capture in promiscuousmode (you'd have to determine which is the case).
Note that libpcap does not currently supply to programs that use it anindication of whether the packet's CRC was invalid (because the driversthemselves do not supply that information to the raw packet capturemechanism); therefore, Wireshark will not indicate which packets had CRCerrors unless the FCS was captured (see the next question) and you'reusing Wireshark 0.9.15 and later, in which case Wireshark will check theCRC and indicate whether it's correct or not.

Q 6.10: How can I capture entire frames, including the FCS?

A: Wireshark can only capture data that the packet capture library - libpcap on UNIX-flavored OSes, and the WinPcap port to Windows of libpcap on Windows - can capture, and libpcap/WinPcap can capture only the data that the OS's raw packet capture mechanism (or the WinPcap driver, and the underlying OS networking code and network interface drivers, on Windows) will allow it to capture.
For any particular link-layer network type, unless the OS supplies the FCS of a frame as part of the frame, or can be configured to do so, Wireshark - and other programs that capture raw packets, such as tcpdump - cannot capture the FCS of a frame. You will have to determine whether your OS needs to be so configured and, if so, can be so configured, configure it if necessary and possible, and make whatever changes to libpcap and the packet capture program you're using are necessary, if any, to support capturing the FCS of a frame.
Most OSes do not support capturing the FCS of a frame on Ethernet, and probably do not support it on most other link-layer types. Some drivers on some OSes do support it, such as some (all?) Ethernet drivers on NetBSD and possibly the driver for Apple's gigabit Ethernet interface in macOS; in those OSes, you might always get the FCS, or you might only get the FCS if you capture in promiscuous mode (you'd have to determine which is the case).
Versions of Wireshark prior to 0.9.15 will not treat an Ethernet FCS in a captured packet as an FCS. 0.9.15 and later will attempt to determine whether there's an FCS at the end of the frame and, if it thinks there is, will display it as such, and will check whether it's the correct CRC-32 value or not.
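The check described in Q 6.9 and Q 6.10 (an analyzer can only flag a CRC error if the FCS was actually captured, and then has to verify the trailing four bytes as a CRC-32) can be reproduced outside Wireshark. The following is an added illustration, not code from the Wireshark project: it builds a constructed Ethernet frame, appends an FCS the way a NIC would, and classifies the trailing bytes. The frame contents, the helper names and the "ok"/"bad"/"too-short" labels are all assumptions made for this example.

```python
import struct
import zlib

# Constructed sample frame (not taken from a real capture): destination MAC,
# source MAC, EtherType 0x0800 (IPv4), then a dummy payload padded to the
# 46-byte minimum so the frame is 60 bytes before the FCS, 64 with it.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"constructed payload".ljust(46, b"\x00")
FRAME_NO_FCS = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD


def ethernet_fcs(frame: bytes) -> bytes:
    """Return the 4-byte FCS for an Ethernet frame that does not yet carry one.

    The IEEE 802.3 FCS is the standard CRC-32 (polynomial 0x04C11DB7,
    reflected, initial value and final XOR 0xFFFFFFFF), which is exactly the
    CRC that zlib.crc32 computes; on the wire it is sent least-significant
    byte first, hence the little-endian packing.
    """
    return struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def append_fcs(frame: bytes) -> bytes:
    """Mimic a driver that hands the whole frame, FCS included, to the capture path."""
    return frame + ethernet_fcs(frame)


def trailing_fcs_status(frame: bytes) -> str:
    """Classify the last four bytes of a captured frame as a CRC-aware analyzer must.

    'ok'        the trailing bytes are the correct FCS for the bytes before them;
    'bad'       the frame is long enough to carry an FCS but the value does not match;
    'too-short' there is not even room for an Ethernet header plus FCS.

    If the FCS was never captured, the last four bytes are payload and this
    check reports 'bad' even for an intact frame, which is why an analyzer
    must know (or guess) whether the FCS is present before trusting the result.
    """
    if len(frame) < 14 + 4:
        return "too-short"
    body, fcs = frame[:-4], frame[-4:]
    return "ok" if fcs == ethernet_fcs(body) else "bad"


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating a frame damaged in transit."""
    data = bytearray(frame)
    data[offset] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    good = append_fcs(FRAME_NO_FCS)
    print("intact frame with FCS:   ", trailing_fcs_status(good))
    print("bit error, FCS captured: ", trailing_fcs_status(corrupt(good, 20)))
    print("FCS not captured:        ", trailing_fcs_status(FRAME_NO_FCS))
```

Because a CRC-32 detects every single-bit error, any one-bit flip inside the body yields "bad"; the third case shows the ambiguity the FAQ mentions: a frame captured without its FCS looks like a CRC error unless the analyzer knows the FCS is absent.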

Q 6.11: I'm capturing packets on a machine on a VLAN; why don't the packets I'm capturing have VLAN tags?

A: You might be capturing on what might be called a "VLAN interface" - the way a particular OS makes VLANs plug into the networking stack might, for example, be to have a network device object for the physical interface, which takes VLAN packets, strips off the VLAN header and constructs an Ethernet header, and passes that packet to an internal network device object for the VLAN, which then passes the packets onto various higher-level protocol implementations.
In order to see the raw Ethernet packets, rather than "de-VLANized" packets, you would have to capture not on the virtual interface for the VLAN, but on the interface corresponding to the physical network device, if possible. See the Wireshark Wiki item on VLAN capturing for details.

Q 6.12: Why does Wireshark hang after I stop a capture?

A: The most likely reason for this is that Wireshark is trying to look up an IP address in the capture to convert it to a name (so that, for example, it can display the name in the source address or destination address columns), and that lookup process is taking a very long time.
Wireshark calls a routine in the OS of the machine on which it's running to convert IP addresses to the corresponding names. That routine probably does one or more of:

  • a search of a system file listing IP addresses and names;
  • a lookup using DNS;
  • on UNIX systems, a lookup using NIS;
  • on Windows systems, a NetBIOS-over-TCP query.

If a DNS server that's used in an address lookup is not responding, the lookup will fail, but will only fail after a timeout while the system routine waits for a reply.
In addition, on Windows systems, if the DNS lookup of the address fails, either because the server isn't responding or because there are no records in the DNS that could be used to map the address to a name, a NetBIOS-over-TCP query will be made. That query involves sending a message to the NetBIOS-over-TCP name service on that machine, asking for the name and other information about the machine. If the machine isn't running software that responds to those queries - for example, many non-Windows machines wouldn't be running that software - the lookup will only fail after a timeout. Those timeouts can cause the lookup to take a long time.
If you disable network address-to-name translation - for example, by turning off the "Enable network name resolution" option in the "Capture Options" dialog box for starting a network capture - the lookups of the address won't be done, which may speed up the process of reading the capture file after the capture is stopped. You can make that setting the default by selecting "Preferences" from the "Edit" menu, turning off the "Enable network name resolution" option in the "Name resolution" options in the preferences dialog box, and using the "Save" button in that dialog box; note that this will save all your current preference settings.
If Wireshark hangs when reading a capture even with network name resolution turned off, there might, for example, be a bug in one of Wireshark's dissectors for a protocol causing it to loop infinitely. If you're not running the most recent release of Wireshark, you should first upgrade to that release, as, if there's a bug of that sort, it might've been fixed in a release after the one you're running. If the hang occurs in the most recent release of Wireshark, the bug should be reported to the Wireshark developers' mailing list at [emailprotected].
On UNIX-flavored OSes, please try to force Wireshark to dump core, by sending it a SIGABRT signal (usually signal 6) with the kill command, and then get a stack trace if you have a debugger installed. A stack trace can be obtained by using your debugger (gdb in this example), the Wireshark binary, and the resulting core file. Here's an example of how to use the gdb command backtrace to do so.

    $ gdb wireshark core
    (gdb) backtrace
    ..... prints the stack trace
    (gdb) quit
    $

The core dump file may be named "wireshark.core" rather than "core" on some platforms (e.g., BSD systems).
Also, if at all possible, please send a copy of the capture file that caused the problem. When capturing packets, Wireshark normally writes captured packets to a temporary file, which will probably be in /tmp or /var/tmp on UNIX-flavored OSes, or in \TEMP on the main system disk on Windows (normally \Documents and Settings\your login name\Local Settings\Temp on the main system disk on Windows XP and Server 2003, and \Users\your login name\AppData\Local\Temp on the main system disk on Windows Vista and later), so the capture file will probably be there. If you are capturing on a single interface, it will have a name of the form wireshark_<iface>_YYYYmmddHHMMSS_XXXXXX.<fmt>, where <fmt> is the capture file format (pcap or pcapng), and <iface> is the actual name of the interface you are capturing on; otherwise, if you are capturing on multiple interfaces, it will have a name of the form wireshark_<N>_interfaces_YYYYmmddHHMMSS_XXXXXX.<fmt>, where <N> is the number of simultaneous interfaces you are capturing on. Please don't send a trace file greater than 1 MB when compressed; instead, make it available via FTP or HTTP, or say it's available but leave it up to a developer to ask for it. If the trace file contains sensitive information (e.g., passwords), then please do not send it.

7. Capturing packets on Windows

Q 7.1: I'm running Wireshark on Windows; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface?

A: If you are running Wireshark on Windows XP or Windows Server 2003, and this is the first time you have run a WinPcap-based program (such as Wireshark, or TShark, or WinDump, or Analyzer, or...) since the machine was rebooted, you need to run that program from an account with administrator privileges; once you have run such a program, you will not need administrator privileges to run any such programs until you reboot.
If you are running on Windows XP or Windows Server 2003 and have administrator privileges or a WinPcap-based program has been run with those privileges since the machine rebooted, this problem might clear up if you completely un-install WinPcap and then re-install it.
If that doesn't work, then note that Wireshark relies on the WinPcap library, on the WinPcap device driver, and on the facilities that come with the OS on which it's running in order to do captures.
Therefore, if the OS, the WinPcap library, or the WinPcap driver don't support capturing on a particular network interface device, Wireshark won't be able to capture on that device.
WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to avoid those problems, support for PPP WAN interfaces on those versions of Windows has been disabled in WinPcap 3.0. Regular dial-up lines, ISDN lines, ADSL connections using PPPoE or PPPoA, and various other lines such as T1/E1 lines are all PPP interfaces, so those interfaces might not show up on the list of interfaces in the "Capture Options" dialog on those OSes.
On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0 or Windows Vista Beta 1, you should be able to capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install it and install the final 3.1 release.) See the Wireshark Wiki item on PPP capturing for details.
WinPcap prior to 3.0 does not support multiprocessor machines (note that machines with a single multi-threaded processor, such as Intel's new multi-threaded x86 processors, are multiprocessor machines as far as the OS and WinPcap are concerned), and recent 2.x versions of WinPcap refuse to operate if they detect that they're running on a multiprocessor machine, which means that they may not show any network interfaces. You will need to use WinPcap 3.0 to capture on a multiprocessor machine.
If an interface doesn't show up in the list of interfaces in the "Interface:" field, and you know the name of the interface, try entering that name in the "Interface:" field and capturing on that device.
If the attempt to capture on it succeeds, the interface is somehow not being reported by the mechanism Wireshark uses to get a list of interfaces. Try listing the interfaces with WinDump; see the WinDump Web site for information on using WinDump.
You would run WinDump with the -D flag; if it lists the interface, please report this to [emailprotected] giving full details of the problem, including

  • the operating system you're using, and the version of that operating system;
  • the type of network device you're using;
  • the output of WinDump.

If WinDump does not list the interface, this is almost certainly a problem with one or more of:

  • the operating system you're using;
  • the device driver for the interface you're using;
  • the WinPcap library and/or the WinPcap device driver;

so first check the WinPcap FAQ to see if your problem is mentioned there. If not, then see the WinPcap support page - check the "Submitting bugs" section.
If you are having trouble capturing on a particular network interface, first try capturing on that device with WinDump; see the WinDump Web site for information on using WinDump.
If you can capture on the interface with WinDump, send mail to [emailprotected] giving full details of the problem, including

  • the operating system you're using, and the version of that operating system;
  • the type of network device you're using;
  • the error message you get from Wireshark.

If you cannot capture on the interface with WinDump, this is almost certainly a problem with one or more of:

  • the operating system you're using;
  • the device driver for the interface you're using;
  • the WinPcap library and/or the WinPcap device driver;

so first check the WinPcap FAQ to see if your problem is mentioned there. If not, then see the WinPcap support page - check the "Submitting bugs" section.
You may also want to ask the [emailprotected] and the [emailprotected] mailing lists to see if anybody happens to know about the problem and know a workaround or fix for the problem. (Note that you will have to subscribe to that list in order to be allowed to mail to it; see the WinPcap support page for information on the mailing list.) In your mail, please give full details of the problem, as described above, and also indicate that the problem occurs with WinDump, not just with Wireshark.

Q 7.2: I'm running Wireshark on Windows; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"?

A: This is really the same question as a previous one; see the response to that question.

Q 7.3: I'm running Wireshark on Windows; why doesn't my serial port/ADSL modem/ISDN modem show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"?

A: Internet access on those devices is often done with the Point-to-Point (PPP) protocol; WinPcap 2.3 has problems supporting PPP WAN interfaces on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, and, to avoid those problems, support for PPP WAN interfaces on those versions of Windows has been disabled in WinPcap 3.0.
On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0 or Windows Vista Beta 1, you should be able to capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install it and install the final 3.1 release.) See the Wireshark Wiki item on PPP capturing for details.

Q 7.4: I'm running Wireshark on Windows NT 4.0/Windows 2000/Windows XP/Windows Server 2003; my machine has a PPP (dial-up POTS, ISDN, etc.) interface, and it shows up in the "Interface" item in the "Capture Options" dialog box. Why can no packets be sent on or received from that network while I'm trying to capture traffic on that interface?

A: Some versions of WinPcap have problems with PPP WAN interfaces on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003; one symptom that may be seen is that attempts to capture in promiscuous mode on the interface cause the interface to be incapable of sending or receiving packets. You can disable promiscuous mode using the -p command-line flag or the item in the "Capture Preferences" dialog box, but this may mean that outgoing packets, or incoming packets, won't be seen in the capture.
On Windows 2000, Windows XP, and Windows Server 2003, but not Windows NT 4.0 or Windows Vista Beta 1, you should be able to capture on the "GenericDialupAdapter" with WinPcap 3.1. (3.1 beta releases called it the "NdisWanAdapter"; if you're using a 3.1 beta release, you should un-install it and install the final 3.1 release.) See the Wireshark Wiki item on PPP capturing for details.

Q 7.5: I'm running Wireshark on Windows; why am I not seeing any traffic being sent by the machine running Wireshark?

A: If you are running some form of VPN client software, it might be causing this problem; people have seen this problem when they have Check Point's VPN software installed on their machine. If that's the cause of the problem, you will have to remove the VPN software in order to have Wireshark (or any other application using WinPcap) see outgoing packets; unfortunately, neither we nor the WinPcap developers know any way to make WinPcap and the VPN software work well together.
Also, some drivers for Windows (especially some wireless network interface drivers) apparently do not, when running in promiscuous mode, arrange that outgoing packets are delivered to the software that requested that the interface run promiscuously; try turning promiscuous mode off.

Q 7.6: When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety?

A: In at least some cases, this appears to be the result of PGPnet running on the network interface on which you're capturing; turn it off on that interface.

Q 7.7: I'm trying to capture 802.11 traffic on Windows; why am I not seeing any packets?

A: At least some 802.11 card drivers on Windows appear not to see any packets if they're running in promiscuous mode. Try turning promiscuous mode off; you'll only be able to see packets sent by and received by your machine, not third-party traffic, and it'll look like Ethernet traffic and won't include any management or control frames, but that's a limitation of the card drivers.
See the archived MicroLogix's list of cards supported with WinPcap for information on support of various adapters and drivers with WinPcap.

Q 7.8: I'm trying to capture 802.11 traffic on Windows; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine?

A: This appears to be another problem with promiscuous mode; try turning it off.

Q 7.9: I'm trying to capture Ethernet VLAN traffic on Windows, and I'm capturing on a "raw" Ethernet device rather than a "VLAN interface", so that I can see the VLAN headers; why am I seeing packets received by the machine on which I'm capturing traffic, but not packets sent by that machine?

A: The way the Windows networking code works probably means that packets are sent on a "VLAN interface" rather than the "raw" device, so packets sent by the machine will only be seen when you capture on the "VLAN interface". If so, you will be unable to see outgoing packets when capturing on the "raw" device, so you are stuck with a choice between seeing VLAN headers and seeing outgoing packets.

8. Capturing packets on UN*Xes

Q 8.1: I'm running Wireshark on a UNIX-flavored OS; why does some network interface on my machine not show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start", and/or why does Wireshark give me an error if I try to capture on that interface?

A: You may need to run Wireshark from an account with sufficient privileges to capture packets, such as the super-user account, or may need to give your account sufficient privileges to capture packets. Only those interfaces that Wireshark can open for capturing show up in that list; if you don't have sufficient privileges to capture on any interfaces, no interfaces will show up in the list. See the Wireshark Wiki item on capture privileges for details on how to give a particular account or account group capture privileges on platforms where that can be done.
If you are running Wireshark from an account with sufficient privileges, then note that Wireshark relies on the libpcap library, and on the facilities that come with the OS on which it's running in order to do captures. On some OSes, those facilities aren't present by default; see the Wireshark Wiki item on adding capture support for details.
And, even if you're running with an account that has sufficient privileges to capture, and capture support is present in your OS, if the OS or the libpcap library don't support capturing on a particular network interface device or particular types of devices, Wireshark won't be able to capture on that device.
On Solaris, note that libpcap 0.6.2 and earlier didn't support Token Ring interfaces; the current version, 0.7.2, does support Token Ring, and the current version of Wireshark works with libpcap 0.7.2 and later.
If an interface doesn't show up in the list of interfaces in the "Interface:" field, and you know the name of the interface, try entering that name in the "Interface:" field and capturing on that device.
If the attempt to capture on it succeeds, the interface is somehow not being reported by the mechanism Wireshark uses to get a list of interfaces; please report this to [emailprotected] giving full details of the problem, including

  • the operating system you're using, and the version of that operating system (for Linux, give both the version number of the kernel and the name and version number of the distribution you're using);
  • the type of network device you're using.

If you are having trouble capturing on a particular network interface, and you've made sure that (on platforms that require it) you've arranged that packet capture support is present, as per the above, first try capturing on that device with tcpdump.
If you can capture on the interface with tcpdump, send mail to [emailprotected] giving full details of the problem, including

  • the operating system you're using, and the version of that operating system (for Linux, give both the version number of the kernel and the name and version number of the distribution you're using);
  • the type of network device you're using;
  • the error message you get from Wireshark.

If you cannot capture on the interface with tcpdump, this is almost certainly a problem with one or more of:

  • the operating system you're using;
  • the device driver for the interface you're using;
  • the libpcap library;

so you should report the problem to the company or organization that produces the OS (in the case of a Linux distribution, report the problem to whoever produces the distribution).
You may also want to ask the [emailprotected] and the [emailprotected] mailing lists to see if anybody happens to know about the problem and know a workaround or fix for the problem. In your mail, please give full details of the problem, as described above, and also indicate that the problem occurs with tcpdump, not just with Wireshark.

Q 8.2: I'm running Wireshark on a UNIX-flavored OS; why do no network interfaces show up in the list of interfaces in the "Interface:" field in the dialog box popped up by "Capture->Start"?

A: This is really the same question as the previous one; see the response to that question.

Q 8.3: I'm capturing packets on Linux; why do the time stamps have only 100ms resolution, rather than 1us resolution?

A: Wireshark gets time stamps from libpcap/WinPcap, and libpcap/WinPcap get them from the OS kernel, so Wireshark - and any other program using libpcap, such as tcpdump - is at the mercy of the time stamping code in the OS for time stamps.
At least on x86-based machines, Linux can get high-resolution time stamps on newer processors with the Time Stamp Counter (TSC) register; for example, Intel x86 processors, starting with the Pentium Pro, and including all x86 processors since then, have had a TSC, and other vendors probably added the TSC at some point to their families of x86 processors. The Linux kernel must be configured with the CONFIG_X86_TSC option enabled in order to use the TSC. Make sure this option is enabled in your kernel.
In addition, some Linux distributions may have bugs in their versions of the kernel that cause packets not to be given high-resolution time stamps even if the TSC is enabled. See, for example, bug 61111 for Red Hat Linux 7.2. If your distribution has a bug such as this, you may have to run a standard kernel from kernel.org in order to get high-resolution time stamps.

9. Capturing packets on wireless LANs

Q 9.1: How can I capture raw 802.11 frames, including non-data (management, beacon) frames?

A: That depends on the operating system on which you're running, and on the 802.11 interface on which you're capturing.
This would probably require that you capture in promiscuous mode or in the mode called "monitor mode" or "RFMON mode". On some platforms, or with some cards, this might require that you capture in monitor mode - promiscuous mode might not be sufficient. If you want to capture traffic on networks other than the one with which you're associated, you will have to capture in monitor mode.
Not all operating systems support capturing non-data packets and, even on operating systems that do support it, not all drivers, and thus not all interfaces, support it. Even on those that do, monitor mode might not be supported by the operating system or by the drivers for all interfaces.
NOTE: an interface running in monitor mode will, on most if not all platforms, not be able to act as a regular network interface; putting it into monitor mode will, in effect, take your machine off of whatever network it's on as long as the interface is in monitor mode, allowing it only to passively capture packets.
This means that you should disable name resolution when capturing in monitor mode; otherwise, when Wireshark (or TShark, or tcpdump) tries to display IP addresses as host names, it will probably block for a long time trying to resolve the name because it will not be able to communicate with any DNS or NIS servers.
See the Wireshark Wiki item on 802.11 capturing for details.

Q 9.2: How do I capture on an 802.11 device in monitor mode?

A: Whether you will be able to capture in monitor mode depends on the operating system, adapter, and driver you're using. See the previous question for information on monitor mode, including a link to the Wireshark Wiki page that gives details on 802.11 capturing.

10. Viewing traffic

Q 10.1: Why am I seeing lots of packets with incorrect TCP checksums?

A: If the packets that have incorrect TCP checksums are all being sent by the machine on which Wireshark is running, this is probably because the network interface on which you're capturing does TCP checksum offloading. That means that the TCP checksum is added to the packet by the network interface, not by the OS's TCP/IP stack; when capturing on an interface, packets being sent by the host on which you're capturing are directly handed to the capture interface by the OS, which means that they are handed to the capture interface without a TCP checksum being added to them.
The only way to prevent this from happening would be to disable TCP checksum offloading, but

  1. that might not even be possible on some OSes;
  2. that could reduce networking performance significantly.

However, you can disable the check that Wireshark does of the TCP checksum, so that it won't report any packets as having TCP checksum errors, and so that it won't refuse to do TCP reassembly due to a packet having an incorrect TCP checksum. That can be set as a Wireshark preference by selecting "Preferences" from the "Edit" menu, opening up the "Protocols" list in the left-hand pane of the "Preferences" dialog box, selecting "TCP" from that list, turning off the "Check the validity of the TCP checksum when possible" option, clicking "Save" if you want to save that setting in your preference file, and clicking "OK".
It can also be set on the Wireshark or TShark command line with a -o tcp.check_checksum:false command-line flag, or manually set in your preferences file by adding a tcp.check_checksum:false line.
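To make the offloading explanation concrete, here is an added example (not Wireshark's dissector code) that computes and verifies a TCP checksum over a constructed IPv4/TCP packet. A segment built with the checksum field left at zero stands in for what the capture path sees when the NIC fills the checksum in after the copy was taken; the `check_checksum` parameter plays the role of the tcp.check_checksum preference. The addresses, ports and helper names are assumptions made for this example.

```python
import struct

# Constructed endpoints for the sample packet (documentation-style addresses).
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([10, 0, 0, 5])
TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum as used by the IPv4, TCP and UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """The 12-byte IPv4 pseudo-header that the TCP checksum also covers."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header plus the segment with its checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF


def build_tcp_segment(sport: int, dport: int, payload: bytes = b"", fill_checksum: bool = True) -> bytes:
    """Minimal TCP header (SYN, no options) followed by the payload.

    With fill_checksum=False the checksum field stays zero, which models a
    host whose NIC does checksum offloading: the copy handed to the capture
    mechanism predates the NIC writing the real value.
    """
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    segment = header + payload
    if fill_checksum:
        csum = tcp_checksum(SRC_IP, DST_IP, segment)
        segment = segment[:16] + struct.pack("!H", csum) + segment[18:]
    return segment


def build_ipv4_packet(segment: bytes) -> bytes:
    """Wrap the segment in an IPv4 header (no options) with a valid IP header checksum."""
    total_len = 20 + len(segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, TCP_PROTO, 0, SRC_IP, DST_IP)
    ip_csum = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", ip_csum) + hdr[12:] + segment


def check_tcp_checksum(packet: bytes, check_checksum: bool = True) -> str:
    """Emulate the dissector's verdict on an IPv4/TCP packet.

    check_checksum=False corresponds to tcp.check_checksum:false: the segment
    is accepted without verification. Otherwise the sum over pseudo-header
    plus the entire segment (checksum field included) must be 0xFFFF.
    """
    if not check_checksum:
        return "unverified"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    total = ones_complement_sum(tcp_pseudo_header(src, dst, len(segment)) + segment)
    return "good" if total == 0xFFFF else "bad"


if __name__ == "__main__":
    stack_filled = build_ipv4_packet(build_tcp_segment(40000, 443, b"hi"))
    offloaded = build_ipv4_packet(build_tcp_segment(40000, 443, b"hi", fill_checksum=False))
    print("checksum filled by stack:", check_tcp_checksum(stack_filled))
    print("offloaded, check on:     ", check_tcp_checksum(offloaded))
    print("offloaded, check off:    ", check_tcp_checksum(offloaded, check_checksum=False))
```

The "offloaded" packet is exactly the kind of outgoing segment the FAQ describes: on the wire it will carry a correct checksum, but the captured copy does not, so the only sensible options are to ignore the verdict for traffic from the capturing host or to disable the check.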

Q 10.2: I've just installed Wireshark, and the traffic on my local LAN is boring. Where can I find more interesting captures?

A: We have a collection of strange and exotic sample capture files at https://wiki.wireshark.org/SampleCaptures

Q 10.3: Why doesn't Wireshark correctly identify RTP packets? It shows them only as UDP.

A: Wireshark can identify a UDP datagram as containing a packet of a particular protocol running atop UDP only if

  1. The protocol in question has a particular standard port number, and the UDP source or destination port number is that port
  2. Packets of that protocol can be identified by looking for a "signature" of some type in the packet - i.e., some data that, if Wireshark finds it in some particular part of a packet, means that the packet is almost certainly a packet of that type.
  3. Some other traffic earlier in the capture indicated that, for example, UDP traffic between two particular addresses and ports will be RTP traffic.

RTP doesn't have a standard port number, so 1) doesn't work; it doesn't, as far as I know, have any "signature", so 2) doesn't work.
That leaves 3). If there's RTSP traffic that sets up an RTP session, then, at least in some cases, the RTSP dissector will set things up so that subsequent RTP traffic will be identified. Currently, that's the only place we do that; there may be other places.
However, there will always be places where Wireshark is simply incapable of deducing that a given UDP flow is RTP; a mechanism would be needed to allow the user to specify that a given conversation should be treated as RTP. As of Wireshark 0.8.16, such a mechanism exists; if you select a UDP or TCP packet, the right mouse button menu will have a "Decode As..." menu item, which will pop up a dialog box letting you specify that the source port, the destination port, or both the source and destination ports of the packet should be dissected as some particular protocol.

Q 10.4: Why doesn't Wireshark show Yahoo Messenger packets in captures that contain Yahoo Messenger traffic?

A: Wireshark only recognizes as Yahoo Messenger traffic packets to or from TCP port 3050 that begin with "YPNS", "YHOO", or "YMSG". TCP segments that start with the middle of a Yahoo Messenger packet that takes more than one TCP segment will not be recognized as Yahoo Messenger packets (even if the TCP segment also contains the beginning of another Yahoo Messenger packet).
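The three identification mechanisms listed in Q 10.3, the "Decode As..." override, and the signature rule from Q 10.4 can be modelled together. The following is an added example and not the Wireshark dissector code: a toy identifier with a small well-known-port table (mechanism 1), the Yahoo Messenger port-plus-magic check (mechanism 2), a conversation table filled by a simplified parser of an RTSP Transport header (mechanism 3), and a user "Decode As" table. The packets, the port table, the regular expression and all class and function names are assumptions made for this example; the real RTSP dissector and the real dispatch order are considerably more involved.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

    def conversation(self) -> FrozenSet[Endpoint]:
        # Unordered pair of endpoints, so both directions map to the same key.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


# Mechanism 1: a (constructed, tiny) table of well-known UDP ports.
WELL_KNOWN_UDP_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Mechanism 2: the FAQ's Yahoo Messenger rule, TCP port 3050 and a segment
# that starts with one of these magic strings.
YMSG_PORT = 3050
YMSG_MAGICS = (b"YPNS", b"YHOO", b"YMSG")

# Toy parser for an RTSP SETUP reply's Transport header (assumption: both
# client_port and server_port are present on one line, as in a reply).
RTSP_TRANSPORT = re.compile(rb"Transport:.*?client_port=(\d+).*?server_port=(\d+)", re.I)


@dataclass
class Identifier:
    conversations: Dict[FrozenSet[Endpoint], str] = field(default_factory=dict)  # mechanism 3
    decode_as: Dict[Tuple[str, int], str] = field(default_factory=dict)          # user override

    def learn_from_rtsp(self, pkt: Packet) -> bool:
        """Mechanism 3: record that the UDP flow named in an RTSP reply is RTP.
        The reply travels server -> client, so pkt.src is the server address."""
        m = RTSP_TRANSPORT.search(pkt.payload) if pkt.proto == "tcp" else None
        if not m:
            return False
        client_port, server_port = int(m.group(1)), int(m.group(2))
        self.conversations[frozenset({(pkt.dst, client_port), (pkt.src, server_port)})] = "RTP"
        return True

    def set_decode_as(self, proto: str, port: int, as_proto: str) -> None:
        """The 'Decode As...' equivalent: any packet on (proto, port) is that protocol."""
        self.decode_as[(proto, port)] = as_proto

    def identify(self, pkt: Packet) -> str:
        for port in (pkt.sport, pkt.dport):           # user override wins
            if (pkt.proto, port) in self.decode_as:
                return self.decode_as[(pkt.proto, port)]
        if pkt.conversation() in self.conversations:  # mechanism 3
            return self.conversations[pkt.conversation()]
        if pkt.proto == "udp":                        # mechanism 1
            for port in (pkt.sport, pkt.dport):
                if port in WELL_KNOWN_UDP_PORTS:
                    return WELL_KNOWN_UDP_PORTS[port]
        if pkt.proto == "tcp" and YMSG_PORT in (pkt.sport, pkt.dport) \
                and pkt.payload[:4] in YMSG_MAGICS:   # mechanism 2
            return "YMSG"
        return pkt.proto.upper()                      # nothing better: plain UDP/TCP


# Constructed traffic for the demonstration.
RTP_FLOW = Packet("udp", "192.0.2.10", 5004, "198.51.100.7", 6970, b"\x80\x00\x00\x01")
RTSP_REPLY = Packet("tcp", "198.51.100.7", 554, "192.0.2.10", 40123,
                    b"RTSP/1.0 200 OK\r\nTransport: RTP/AVP;unicast;"
                    b"client_port=5004-5005;server_port=6970-6971\r\n\r\n")
YMSG_START = Packet("tcp", "192.0.2.10", 40200, "203.0.113.9", 3050, b"YMSG\x00\x0c\x00\x00")
YMSG_MIDDLE = Packet("tcp", "192.0.2.10", 40200, "203.0.113.9", 3050, b"\x00\x01rest-of-msg")


def demo() -> Dict[str, str]:
    """Run the scenarios from the FAQ and return the verdict for each."""
    ident = Identifier()
    out = {"rtp_before_setup": ident.identify(RTP_FLOW)}
    ident.learn_from_rtsp(RTSP_REPLY)
    out["rtp_after_setup"] = ident.identify(RTP_FLOW)
    ident.set_decode_as("udp", 7000, "RTP")
    out["decode_as"] = ident.identify(Packet("udp", "192.0.2.10", 7000, "198.51.100.7", 5555, b"\x80"))
    out["ymsg_start"] = ident.identify(YMSG_START)
    out["ymsg_middle"] = ident.identify(YMSG_MIDDLE)
    out["dns"] = ident.identify(Packet("udp", "192.0.2.10", 50000, "192.0.2.1", 53, b"\x12\x34"))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

The "ymsg_middle" case is the situation Q 10.4 describes: a segment that starts inside a longer Yahoo Messenger message carries no magic at offset 0, so the signature rule cannot recognise it and it stays plain TCP.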

11. Filtering traffic

Q 11.1: I saved a filter and tried to use its name to filter the display; why do I get an "Unexpected end of filter string" error?

A: You cannot use the name of a saved display filter as a filter. To filter the display, you can enter a display filter expression - not the name of a saved display filter - in the "Filter:" box at the bottom of the display, and type the <Enter> key or press the "Apply" button (that does not require you to have a saved filter), or, if you want to use a saved filter, you can press the "Filter:" button, select the filter in the dialog box that pops up, and press the "OK" button.

Q 11.2: How can I search for, or filter, packets that have a particular string anywhere in them?

A: If you want to do this when capturing, you can't. That's a feature that would be hard to implement in capture filters without changes to the capture filter code, which, on many platforms, is in the OS kernel and, on other platforms, is in the libpcap library.
After capture, you can search for text by selecting Edit→Find Packet... and making sure String is selected. Alternately, you can use the "contains" display filter operator or the "matches" operator if it's supported on your system.

Q 11.3: How do I filter a capture to see traffic for virus XXX?

A: For some viruses/worms there might be a capture filter to recognize the virus traffic. Check the CaptureFilters page on the Wireshark Wiki to see if anybody's added such a filter.
Note that Wireshark was not designed to be an intrusion detection system; you might be able to use it as an IDS, but in most cases software designed to be an IDS, such as Snort or Prelude, will probably work better.

Wireshark · Frequently Asked Questions (2024)

FAQs

What are the weaknesses of Wireshark? ›

2- Difficulty in analyzing encrypted packets: Analyzing encrypted packets is difficult, as users must be familiar with encryption and decryption to analyze these packets. 3- Inability to analyze wireless network traffic: Wireshark cannot analyze wireless network traffic without the use of special signal receivers.

What are the 3 benefits of Wireshark? ›

Wireshark is a widely used, open source network analyzer that can capture and display real-time details of network traffic. It is particularly useful for troubleshooting network issues, analyzing network protocols and ensuring network security. Networks must be monitored to ensure smooth operations and security.

What is the basic understanding of Wireshark?

Wireshark is a network protocol analyzer, or an application that captures packets from a network connection, such as from your computer to your home office or the internet. A packet is the name given to a discrete unit of data in a typical Ethernet network. Wireshark is the most widely used packet sniffer in the world.

What are the three types of traffic that Wireshark can capture?

Wireshark is a packet sniffer and analysis tool. It captures network traffic from Ethernet, Bluetooth, wireless (IEEE.

What attacks can Wireshark detect?

Essentially, Wireshark is a packet-sniffing tool that can help detect attacks; a denial-of-service (DoS) attack is one example. In addition, the tool can work like an intrusion detection system (IDS) to discover security breaches of various protocols.

What can hackers do with Wireshark?

Using Wireshark, a hacker will try to obtain confidential information, such as usernames and passwords, while it travels across the network.

Can Wireshark be detected?

Wireshark is a passive collector of information. It produces no signature on a network. Therefore, unless you are shoulder surfing the person running Wireshark or have direct access to their device, you will not know.

What do the colors mean in Wireshark?

Wireshark uses colors to help identify the types of traffic. Light blue is used for UDP traffic, light purple for TCP traffic, and black identifies packets with errors. You can view and modify color rules by clicking View > Coloring Rules.

How to analyze Wireshark packets?

To analyze data packets in Wireshark, first open the file that was saved after the packet capture. Next, users can narrow their search by using Wireshark's filter options. Below are just a few possibilities for using Wireshark filters: Showing only traffic from a particular port.

What is better than Wireshark?

We have compiled a list of solutions that reviewers voted as the best overall alternatives and competitors to Wireshark, including SolarWinds Network Performance Monitor, Paessler PRTG, PingPlotter, and Nagios Network Analyzer.

How does Wireshark know the protocol?

No such field exists in that layer of the packet, so Wireshark has to guess the protocol, by having several dissectors look at the payload of that layer to see if it looks like a packet of its type; if any dissector thinks it does, it handles the payload and then returns an indication that the payload was a packet of ...

What is Wireshark coded in?

Programming Languages Used. Most of Wireshark is implemented in C. A notable exception is the code in ui/qt, which is written in C++. The typical task for a new Wireshark developer is to extend an existing dissector, or write a new dissector for a specific network protocol.

What are the two main filters in Wireshark?

Wireshark has two filtering languages: capture filters and display filters.

Is it illegal to use Wireshark?

Using hacking tools for attacks is illegal. Using Wireshark for network analysis is fine. It's more about the intent than about what software you use.

What are the advantages and disadvantages of a packet sniffer?

For unencrypted types of traffic, packet sniffers can dig deeper than just the headers and inspect the actual payload. This can be incredibly useful for troubleshooting network issues but is also a potential security issue when sensitive data like usernames and passwords are present.

Why is Wireshark a security risk?

Wireshark is implemented in ANSI C, which is vulnerable to security problems like buffer overflows (compared to more securely designed languages like Java or C#). ANSI C is used for several reasons; the main reason is performance, as Wireshark is often used to work with huge amounts of data.

Why is Wireshark so slow?

Working with large capture files

If you have a large capture file, e.g. larger than 100 MB, Wireshark will become slow while loading, filtering and similar actions. There are some things you can do, but unfortunately they remove some decoding comfort: Disable Coloring Rules: this will significantly increase performance.

What are the malicious uses of Wireshark?

Wireshark can also be used as a tool by hackers. This usually involves reading and writing data transmitted over an insecure or compromised network. Nefarious actors may seek out confidential data such as credit-card information, passwords, search queries, private messages, emails, financial transactions, and more.

Article information

Author: Fredrick Kertzmann