Diffstat (limited to 'docbook/wsug_src/wsug_introduction.adoc')
-rw-r--r-- | docbook/wsug_src/wsug_introduction.adoc | 521 |
1 files changed, 0 insertions, 521 deletions
diff --git a/docbook/wsug_src/wsug_introduction.adoc b/docbook/wsug_src/wsug_introduction.adoc deleted file mode 100644 index 78f32f57..00000000 --- a/docbook/wsug_src/wsug_introduction.adoc +++ /dev/null 
@@ -1,521 +0,0 @@ -// WSUG Chapter Introduction - -[#ChapterIntroduction] - -== Introduction - -[#ChIntroWhatIs] - -=== What is Wireshark? - -Wireshark is a network packet analyzer. A network packet analyzer -presents captured packet data in as much detail as possible. - -You could think of a network packet analyzer as a measuring device for -examining what’s happening inside a network cable, just like an electrician uses -a voltmeter for examining what’s happening inside an electric cable (but at a -higher level, of course). - -In the past, such tools were either very expensive, proprietary, or both. -However, with the advent of Wireshark, that has changed. Wireshark is -available for free, is open source, and is one of the best packet -analyzers available today. - -[#ChIntroPurposes] - -==== Some intended purposes - -Here are some reasons people use Wireshark: - -* Network administrators use it to _troubleshoot network problems_ - -* Network security engineers use it to _examine security problems_ - -* QA engineers use it to _verify network applications_ - -* Developers use it to _debug protocol implementations_ - -* People use it to _learn network protocol_ internals - -Wireshark can also be helpful in many other situations. - -[#ChIntroFeatures] - -==== Features - -The following are some of the many features Wireshark provides: - -* Available for _UNIX_ and _Windows_. - -* _Capture_ live packet data from a network interface. - -* _Open_ files containing packet data captured with tcpdump/WinDump, -Wireshark, and many other packet capture programs. - -* _Import_ packets from text files containing hex dumps of packet data. - -* Display packets with _very detailed protocol information_. - -* _Save_ packet data captured. - -* _Export_ some or all packets in a number of capture file formats. - -* _Filter packets_ on many criteria. - -* _Search_ for packets on many criteria. - -* _Colorize_ packet display based on filters. - -* Create various _statistics_. 
- -* ...and _a lot more!_ - -However, to really appreciate its power you have to start using it. - -<<ChIntroFig1>> shows Wireshark having captured some packets and waiting for you -to examine them. - -[#ChIntroFig1] -.Wireshark captures packets and lets you examine their contents. -image::images/ws-main.png[{screenshot-attrs}] - -==== Live capture from many different network media - -Wireshark can capture traffic from many different network media types, -including Ethernet, Wireless LAN, Bluetooth, USB, and more. The specific media -types supported may be limited by several factors, including your hardware -and operating system. An overview of the supported media types can be found at -link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[]. - -==== Import files from many other capture programs - -Wireshark can open packet captures from a large number of capture -programs. For a list of input formats see <<ChIOInputFormatsSection>>. - -==== Export files for many other capture programs - -Wireshark can save captured packets in many formats, including those used by other -capture programs. For a list of output formats see <<ChIOOutputFormatsSection>>. - -==== Many protocol dissectors - -There are protocol dissectors (or decoders, as they are known in other products) -for a great many protocols: see <<AppProtocols>>. - -==== Open Source Software - -Wireshark is an open source software project, and is released under the -{gplv2-url}[GNU General Public License] (GPL). You can freely use -Wireshark on any number of computers you like, without worrying about license -keys or fees or such. In addition, all source code is freely available under the -GPL. Because of that, it is very easy for people to add new protocols to -Wireshark, either as plugins, or built into the source, and they often do! - -[#ChIntroNoFeatures] - -==== What Wireshark is not - -Here are some things Wireshark does not provide: - -* Wireshark isn’t an intrusion detection system. 
It will not warn you when - someone does strange things on your network that he/she isn’t allowed to do. - However, if strange things happen, Wireshark might help you figure out what is - really going on. - -* Wireshark will not manipulate things on the network, it will only “measure” - things from it. Wireshark doesn’t send packets on the network or do other - active things (except domain name resolution, but that can be disabled). - -[#ChIntroPlatforms] - -=== System Requirements - -The amount of resources Wireshark needs depends on your environment and on the -size of the capture file you are analyzing. The values below should be fine for -small to medium-sized capture files no more than a few hundred MB. Larger -capture files will require more memory and disk space. - -[NOTE] -.Busy networks mean large captures -==== -A busy network can produce huge capture files. Capturing on -even a 100 megabit network can produce hundreds of megabytes of -capture data in a short time. A computer with a fast processor, and lots of -memory and disk space is always a good idea. -==== - -If Wireshark runs out of memory it will crash. See -{wireshark-wiki-url}KnownBugs/OutOfMemory for details and workarounds. - -Although Wireshark uses a separate process to capture packets, the packet -analysis is single-threaded and won’t benefit much from multi-core systems. - -==== Microsoft Windows - -Wireshark should support any version of Windows that is still within its -https://windows.microsoft.com/en-us/windows/lifecycle[extended support -lifetime]. At the time of writing this includes Windows 11, 10, -Server 2022, -Server 2019, -and Server 2016. -It also requires the following: - -* The Universal C Runtime. This is included with Windows 10 and Windows - Server 2019 and is installed automatically on earlier versions if - Microsoft Windows Update is enabled. 
Otherwise you must install - https://support.microsoft.com/kb/2999226[KB2999226] or - https://support.microsoft.com/kb/3118401[KB3118401]. - -* Any modern 64-bit Intel or Arm processor. - -* 500 MB available RAM. Larger capture files require more RAM. - -* 500 MB available disk space. Capture files require additional disk space. - -* Any modern display. 1280 {multiplication} 1024 or higher resolution is - recommended. Wireshark will make use of HiDPI or Retina resolutions if - available. Power users will find multiple monitors useful. - -* A supported network card for capturing - - - Ethernet. Any card supported by Windows should work. See the wiki pages on - link:{wireshark-wiki-url}CaptureSetup/Ethernet[Ethernet capture] and - link:{wireshark-wiki-url}CaptureSetup/Offloading[offloading] for issues that - may affect your environment. - - - 802.11. See the {wireshark-wiki-url}CaptureSetup/WLAN#Windows[Wireshark - wiki page]. Capturing raw 802.11 information may be difficult without - special equipment. - - - Other media. See link:{wireshark-wiki-url}CaptureSetup/NetworkMedia[]. - -Older versions of Windows which are outside Microsoft’s extended lifecycle -support window are no longer supported. It is often difficult or impossible to -support these systems due to circumstances beyond our control, such as third -party libraries on which we depend or due to necessary features that are only -present in newer versions of Windows such as hardened security or memory -management. - -* Wireshark 4.0 was the last release branch to officially support Windows 8.1 and Windows Server 2012. -* Wireshark 3.6 was the last release branch to officially support 32-bit Windows. -* Wireshark 3.2 was the last release branch to officially support Windows 7 and Windows Server 2008 R2. -* Wireshark 2.2 was the last release branch to support Windows Vista and Windows Server 2008 sans R2 -* Wireshark 1.12 was the last release branch to support Windows Server 2003. 
-* Wireshark 1.10 was the last release branch to officially support Windows XP. - -See the link:{wireshark-wiki-url}Development/LifeCycle[Wireshark -release lifecycle] page for more details. - -==== macOS - -Wireshark supports macOS 10.14 and later. -Similar to Windows, supported macOS versions depend on third party libraries and on Apple’s requirements. -Apple Silicon hardware is supported natively starting with version 4.0 - -// Wireshark 4.0 ships with Qt 6.2.4, which requires macOS 10.14 and later -// Wireshark 3.6 ships with Qt 5.15, which requires macOS 10.13 and later. -// Wireshark 3.4, 3.2 and 3.0 ship with Qt 5.12, which requires macOS 10.12 and later. -// Wireshark 2.6 ships with Qt 5.3, which was the last release to support 10.6: https://wiki.qt.io/New_Features_in_Qt_5.3 -// "Mac OS 10.6 support is deprecated and scheduled for removal in Qt 5.4" - -* Wireshark 3.6 was the last release branch to support macOS 10.13. -* Wireshark 3.4 was the last release branch to support macOS 10.12. -* Wireshark 2.6 was the last release branch to support Mac OS X 10.6 and 10.7 and OS X 10.8 to 10.11. -* Wireshark 2.0 was the last release branch to support OS X on 32-bit Intel. -* Wireshark 1.8 was the last release branch to support Mac OS X on PowerPC. - -The system requirements should be comparable to the specifications listed above for Windows. - -==== UNIX, Linux, and BSD - -Wireshark runs on most UNIX and UNIX-like platforms including Linux and most BSD variants. -The system requirements should be comparable to the specifications listed above for Windows. 
- -Binary packages are available for most Unices and Linux distributions -including the following platforms: - -* Alpine Linux - -* Arch Linux - -* Canonical Ubuntu - -* Debian GNU/Linux - -* FreeBSD - -* Gentoo Linux - -* HP-UX - -* NetBSD - -* OpenPKG - -* Oracle Solaris - -* Red Hat Enterprise Linux / CentOS / Fedora - -If a binary package is not available for your platform you can download -the source and try to build it. Please report your experiences to -mailto:{wireshark-dev-list-email}[]. - -[#ChIntroDownload] - -=== Where To Get Wireshark - -You can get the latest copy of the program from the Wireshark website at {wireshark-download-url}. -The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror. -Official Windows and macOS installers are signed using trusted certificates on those platforms. -macOS installers are additionally notarized. - -A new Wireshark version typically becomes available every six weeks. - -If you want to be notified about new Wireshark releases you should subscribe to the wireshark-announce mailing list. -You will find more details in <<ChIntroMailingLists>>. - -Each release includes a list of file hashes which are sent to the wireshark-announce mailing list and placed in a file named SIGNATURES-_x_._y_._z_.txt. -Announcement messages are archived at https://www.wireshark.org/lists/wireshark-announce/ and SIGNATURES files can be found at https://www.wireshark.org/download/src/all-versions/. -Both are GPG-signed and include verification instructions for Windows, Linux, and macOS. -As noted above, you can also verify downloads on Windows and macOS using the code signature validation features on those systems. 
- -[#ChIntroHistory] - -=== A Brief History Of Wireshark - -In late 1997 Gerald Combs needed a tool for tracking down network problems -and wanted to learn more about networking so he started writing Ethereal (the -original name of the Wireshark project) as a way to solve both problems. - -Ethereal was initially released after several pauses in development in July -1998 as version 0.2.0. Within days patches, bug reports, and words of -encouragement started arriving and Ethereal was on its way to success. - -Not long after that Gilbert Ramirez saw its potential and contributed a -low-level dissector to it. - -In October, 1998 Guy Harris was looking for something better than tcpview so he -started applying patches and contributing dissectors to Ethereal. - -In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential -on such courses and started looking at it to see if it supported the protocols -he needed. While it didn’t at that point new protocols could be easily added. -So he started contributing dissectors and contributing patches. - -The list of people who have contributed to the project has become very long -since then, and almost all of them started with a protocol that they needed that -Wireshark did not already handle. So they copied an existing dissector and -contributed the code back to the team. - -In 2006 the project moved house and re-emerged under a new name: Wireshark. - -In 2008, after ten years of development, Wireshark finally arrived at version -1.0. This release was the first deemed complete, with the minimum features -implemented. Its release coincided with the first Wireshark Developer and User -Conference, called Sharkfest. - -In 2015 Wireshark 2.0 was released, which featured a new user interface. - -In 2023 Wireshark moved to the link:{wireshark-foundation-url}[Wireshark Foundation], a nonprofit corporation that operates under section 501(c)(3) of the U.S. tax code. 
-The foundation provides the project's infrastructure, hosts link:{sharkfest-url}[SharkFest], our developer and user conference, and promotes low level network education. - -[#ChIntroMaintenance] - -=== Development And Maintenance Of Wireshark - -Wireshark was initially developed by Gerald Combs. Ongoing development and -maintenance of Wireshark is handled by the Wireshark team, a loose group of -individuals who fix bugs and provide new functionality. - -There have also been a large number of people who have contributed -protocol dissectors to Wireshark, and it is expected that this will -continue. You can find a list of the people who have contributed code to -Wireshark by checking the about dialog box of Wireshark, or at the -link:{wireshark-authors-url}[authors] page on the Wireshark web site. - -Wireshark is an open source software project, and is released under the -{gplv2-url}[GNU General Public License] (GPL) version 2. All source code is -freely available under the GPL. You are welcome to modify Wireshark to suit your -own needs, and it would be appreciated if you contribute your improvements back -to the Wireshark team. - -You gain three benefits by contributing your improvements back to the community: - -. Other people who find your contributions useful will appreciate them, and you - will know that you have helped people in the same way that the developers of - Wireshark have helped you. - -. The developers of Wireshark can further improve your changes or implement - additional features on top of your code, which may also benefit you. - -. The maintainers and developers of Wireshark will maintain your code, - fixing it when API changes or other changes are made, and generally keeping it - in tune with what is happening with Wireshark. So when Wireshark is updated - (which is often), you can get a new Wireshark version from the website - and your changes will already be included without any additional effort from you. 
- -The Wireshark source code and binary kits for some platforms are all -available on the download page of the Wireshark website: -{wireshark-download-url}. - -[#ChIntroHelp] - -=== Reporting Problems And Getting Help - -If you have problems or need help with Wireshark there are several places that -may be of interest (besides this guide, of course). - -[#ChIntroHomepage] - -==== Website - -You will find lots of useful information on the Wireshark homepage at -{wireshark-main-url}. - -[#ChIntroWiki] - -==== Wiki - -The Wireshark Wiki at {wireshark-wiki-url} provides a -wide range of information related to Wireshark and packet capture in general. -You will find a lot of information not part of this user’s guide. For example, -it contains an explanation how to capture on a switched network, an ongoing effort -to build a protocol reference, protocol-specific information, and much more. - -And best of all, if you would like to contribute your knowledge on a specific -topic (maybe a network protocol you know well), you can edit the wiki pages -with your web browser. - -[#ChIntroQA] - -==== Q&A Site - -The Wireshark Q&A site at {wireshark-qa-url} offers a resource where -questions and answers come together. You can search for -questions asked before and see what answers were given by people who -knew about the issue. Answers are ranked, so you can easily pick out the best -ones. If your question hasn’t been discussed before you can post -one yourself. - -[#ChIntroFAQ] - -==== FAQ - -The Frequently Asked Questions lists often asked questions and their -corresponding answers. - -[NOTE] -.Read the FAQ -==== -Before sending any mail to the mailing lists below, be sure to read the FAQ. It -will often answer any questions you might have. This will save yourself and -others a lot of time. Keep in mind that a lot of people are subscribed to the -mailing lists. 
-==== - -You will find the FAQ inside Wireshark by clicking the menu item Help/Contents -and selecting the FAQ page in the dialog shown. - -An online version is available at the Wireshark website at -{wireshark-faq-url}. You might prefer this online version, as it’s -typically more up to date and the HTML format is easier to use. - -[#ChIntroMailingLists] - -==== Mailing Lists - -There are several mailing lists of specific Wireshark topics available: - -link:{wireshark-mailing-lists-url}wireshark-announce[wireshark-announce]:: - Information about new program releases, which usually appear about every six weeks. - -link:{wireshark-mailing-lists-url}wireshark-users[wireshark-users]:: - Topics of interest to users of Wireshark. - People typically post questions about using Wireshark and others (hopefully) provide answers. - -link:{wireshark-mailing-lists-url}wireshark-dev[wireshark-dev]:: - Topics of interest to developers of Wireshark. - If you want to develop a protocol dissector or update the user interface, join this list. - -You can subscribe to each of these lists from the Wireshark web site: -{wireshark-mailing-lists-url}. From there, you can choose which mailing -list you want to subscribe to by clicking on the -Subscribe/Unsubscribe/Options button under the title of the relevant -list. The links to the archives are included on that page as well. - -[TIP] -.The lists are archived -==== -You can search in the list archives to see if someone asked the same question -some time before and maybe already got an answer. That way you don’t have to -wait until someone answers your question. -==== - -==== Reporting Problems - -[NOTE] -==== -Before reporting any problems, please make sure you have installed the latest -version of Wireshark. -==== - - -When reporting problems with Wireshark please supply the following information: - -. The version number of Wireshark and the dependent libraries linked with it, - such as Qt or GLib. 
You can obtain this from Wireshark’s about box or the - command _wireshark -v_. - -. Information about the platform you run Wireshark on -(Windows, Linux, etc. and 32-bit, 64-bit, etc.). - -. A detailed description of your problem. - -. If you get an error/warning message, copy the text of that message (and also a - few lines before and after it, if there are some) so others may find the - place where things go wrong. Please don’t give something like: “I get a - warning while doing x” as this won’t give a good idea where to look. - -[WARNING] -.Don’t send confidential information! -==== -If you send capture files to the mailing lists be sure they don’t contain any -sensitive or confidential information like passwords or personally identifiable -information (PII). - -In many cases you can use a tool like link:https://www.tracewrangler.com/[TraceWrangler] to sanitize a capture file before sharing it. -==== - -[NOTE] -.Don’t send large files -==== -Do not send large files (> 1 MB) to the mailing lists. Instead, provide a -download link. For bugs and feature requests, you can create an issue on -link:{wireshark-bugs-url}[GitLab Issues] and upload the file there. -==== - -==== Reporting Crashes on UNIX/Linux platforms - -When reporting crashes with Wireshark it is helpful if you supply the traceback -information along with the information mentioned in “Reporting Problems”. - -You can obtain this traceback information with the following commands on UNIX or -Linux (note the backticks): - ----- -$ gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt -backtrace -^D ----- - -If you do not have _gdb_ available, you will have to check out your operating system’s debugger. - -Email _backtrace.txt_ to mailto:{wireshark-dev-list-email}[]. - -==== Reporting Crashes on Windows platforms - -The Windows distributions don’t contain the symbol files (.pdb) because they are -very large. 
You can download them separately at -{wireshark-main-url}download/win64/all-versions/ . - -// End of WSUG Chapter 1 |
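Review bot: the whole Introduction chapter is removed with no replacement in this diff (the diffstat shows 1 file changed, 0 insertions, 521 deletions), yet the deleted file defines anchors such as `[#ChapterIntroduction]`, `[#ChIntroMailingLists]` and `[#ChIntroDownload]` and the book's top-level document must still include `wsug_introduction.adoc`; any chapter that still `<<...>>`-references these anchors, and the include itself, will fail to resolve after this change. Please either update the including document and the cross-references in the same commit or point to the companion change that does so. Also note that the removed text carries the user-facing guidance on verifying downloads (the GPG-signed SIGNATURES-_x_._y_._z_.txt files and the signed Windows/macOS installers) and the "Don't send confidential information!" warning about sanitizing capture files before sharing them; if the chapter is being relocated rather than dropped, confirm that this content survives at its new location.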