EtheReal

Ethereal 0.99.0 Release Notes

Ethereal for Windows
IMPORTANT NOTE ON 802.11
Ethereal's ability to capture traffic on 802.11 networks on Windows is limited by the
support offered by the Windows drivers for 802.11 adapters.
On Windows, you will not be able to capture management or control frames, and you
might not even be able to capture in promiscuous mode, so you might only be able to
capture traffic to and from the machine running Ethereal.
If you want to use a PC running Ethereal to monitor 802.11 traffic to or from other
machines, rather than using Ethereal only to look at traffic to and from the machine on
which you're running Ethereal, you should seriously consider running it on a recent
version of Linux or of one of the free-software BSDs, rather than on Windows. See the
Ethereal Wiki page on capture setup on WLANs for details on capturing 802.11 traffic in
"monitor mode" on Linux and the free-software BSDs.
Quick Instructions
1. Install ethereal-setup-x.y.z.exe below.
2. Enjoy.
Detailed Instructions
To get up and running with Ethereal, download and install ethereal-setup-x.y.z.exe below. The
installer includes the WinPcap packet capture driver, which must be installed if you plan to
capture packets with Ethereal. If you don't install WinPcap, you will not be able to capture
packets with Ethereal!
The latest version of Ethereal can always be found in this directory. Older versions are in the
all-versions directory.
To install WinPcap separately, download the WinPcap installer and run it. 3.1 is the current
recommended version. It is included with the Ethereal installer.
If you have an older version of WinPcap installed, you must un-install it before
installing the current version.
If you do not have WinPcap installed you will be able to open saved capture files, but you
will not be able to capture live network traffic.
Note that merely installing WinPcap will not install Ethereal. You will have to install Ethereal
separately; see above.
You can obtain the source code to Ethereal from the parent of this directory or by following
the instructions on the development page.
For more information, please refer to README.win32 in the Ethereal distribution

Table of Contents
What is Ethereal?
What's New
Bug Fixes
New and Updated Features
New Protocol Support
Updated Protocol Support
 New and Updated Capture File Support
Getting Ethereal
Microsoft Windows
Sun Solaris
Source Code
Vendor-supplied Packages
File Locations
Known Problems
Getting Help
Frequently Asked Questions

What is Ethereal?
Ethereal is the world's most popular network protocol analyzer. It is used for troubleshooting,
analysis, development, and education.

What's New
Bug Fixes

Many security vulnerabilities have been fixed since the previous release. See the application
advisory for more details.

• The H.248 dissector could crash. Versions affected: 0.10.14. CVE: CVE-2006-1937
• The UMA dissector could go into an infinite loop. Versions affected: 0.10.12 -
0.10.14. CVE: CVE-2006-1933
• The X.509if dissector could crash. Versions affected: 0.10.14. CVE: CVE-2006-1937
• The SRVLOC dissector could crash. Versions affected: 0.10.0 - 0.10.14. CVE: CVE-
2006-1937
• The H.245 dissector could crash. Versions affected: 0.10.13 - 0.10.14. CVE: CVE-
2006-1937
• Ethereal's OID printing routine was susceptible to an off-by-one error. Versions
affected: 0.10.14. CVE: CVE-2006-1932
• The COPS dissector could overflow a buffer. Versions affected: 0.9.15 - 0.10.14.
CVE: CVE-2006-1935
• The ALCAP dissector could overflow a buffer. Versions affected: 0.10.14. CVE:
CVE-2006-1934

Under a grant funded by the U.S. Department of Homeland Security, Coverity has uncovered
a number of vulnerabilities in Ethereal:

• The statistics counter could crash Ethereal. Versions affected: 0.10.10 - 0.10.14. CVE:
CVE-2006-1937
• Ethereal could crash while reading a malformed Sniffer capture. Versions affected:
0.8.12 - 0.10.14. CVE: CVE-2006-1938
• An invalid display filter could crash Ethereal. Versions affected: 0.9.16 - 0.10.14.
CVE: CVE-2006-1939
• The general packet dissector could crash Ethereal. Versions affected: 0.10.9 - 0.10.14.
CVE: CVE-2006-1937
 • The AIM dissector could crash Ethereal. Versions affected: 0.10.7 - 0.10.14. CVE:
CVE-2006-1937
• The RPC dissector could crash Ethereal. Versions affected: 0.9.8 - 0.10.14. CVE:
CVE-2006-1939
• The DCERPC dissector could crash Ethereal. Versions affected: 0.9.16 - 0.10.14.
CVE: CVE-2006-1939
• The ASN.1 dissector could crash Ethereal. Versions affected: 0.9.8 - 0.10.14. CVE:
CVE-2006-1939
• The SMB PIPE dissector could crash Ethereal. Versions affected: 0.8.20 - 0.10.14.
CVE: CVE-2006-1938
• The BER dissector could loop excessively. Versions affected: 0.10.4 - 0.10.14. CVE:
CVE-2006-1933
• The SNDCP dissector could abort. Versions affected: 0.10.4 - 0.10.14. CVE: CVE-
2006-1940
• The Network Instruments file code could overrun a buffer. Versions affected: 0.10.0 -
0.10.14. CVE: CVE-2006-1934
• The NetXray/Windows Sniffer file code could overrun a buffer. Versions affected:
0.10.13 - 0.10.14. CVE: CVE-2006-1934
• The GSM SMS dissector could crash Ethereal. Versions affected: 0.9.16 - 0.10.14.
CVE: CVE-2006-1939
• The ALCAP dissector could overrun a buffer. Versions affected: 0.10.14. CVE: CVE-
2006-1934
• The telnet dissector could overrun a buffer. Versions affected: 0.8.5 - 0.10.14. CVE:
CVE-2006-1936
• ASN.1-based dissectors could crash Ethereal. Versions affected: 0.9.10 - 0.10.14.
CVE: CVE-2006-1939
• The H.248 dissector could crash Ethereal. Versions affected: 0.10.11 - 0.10.14. CVE:
CVE-2006-1937
• The DCERPC NT dissector could crash Ethereal. Versions affected: 0.9.14 - 0.10.14.
CVE: CVE-2006-1939
• The PER dissector could crash Ethereal. Versions affected: 0.9.14 - 0.10.14. CVE:
CVE-2006-1939

Under Windows, Unicode characters in profile and configuration file paths could cause
problems. Versions affected: 0.10.14.

The Coverity audit turned up several UI-related bugs that could make Ethereal crash.

New and Updated Features

The following features are new (or have been significantly updated) since the last release:

• The new command line tool dumpcap makes it possible to capture network data
without the drawbacks of (t)ethereal (memory usage, security problems, ...) while
keeping the benefit of advanced techniques like multiple (ringbuffer) files and alike.

The man page of dumpcap in HTML format is available at

http://www.ethereal.com/docs/man-pages/dumpcap.1.html.
 • The source distribution of Ethereal now supports SSL, IPsec ESP, and ISAKMP
decryption. (This feature has not yet been enabled in the Windows installer.)
• Win32: Catch hardware exceptions caused by buggy dissectors. If e.g. a NULL
pointer exceptions occurs, Ethereal won't crash now but displays the exception and
tries to continue decoding packets.
• The Windows version of Ethereal now uses native open and save file dialogs.

In related news, Ethereal now runs as a full-fledged Unicode application under

Windows.

• Recent versions of Ethereal were flagging packets with an incorrect TCP checksum as
malformed. False positives were being triggered on systems that use TCP checksum
offloading. We now check to see if the checksum is not 0x0000 before flagging the
packet as malformed.

Please Note

If your system uses TCP checksum offloading and Ethereal still shows bad
checksums for outgoing TCP packets and the checksums for outgoing TCP
packets are not 0x0000, this could mean that your operating system is
exposing kernel memory unneccessarily. If this is the case, you should report
the problem to your OS vendor.

• The expert analysis feature has been enhanced.

New Protocol Support

ACP133, E.212, Nortel LGE Monitor, OICQ

Updated Protocol Support

3G A11, 802.11, 802.1Q, 802.3 Slow Protocols, AIM, ALCAP, ANSI MAP, ASF, ASN.1
BER, ASN.1 PER, BACapp, BACnet, BFD, BGP, BPDU, BSSAP, BSSGP, Camel, CDP,
CLNP, CMP, COPS, DCERPC (DCERPC, LSA, NT, PNP), DCOM (CBA, DCOM,
Dispatch), DHCP, DIAMETER, DNS, DOCSIS DCC, eDonkey, Ethernet, FC, FCP, FIX,
G.723, GIOP, GRE, GSM A, GSM MAP, GSSAPI, GTP, H.245, H.248, H.450, HTTP, IAPP,
ICMPv6, iFCP, IP, IPMI, IPP, IPsec, IPv6, ISAKMP, iSCSI, ISUP, IuUP, Juniper GGSN,
JXTA, K12, Kerberos, LAPD, LDAP, LLDP, LOOP, M3UA, MEGACO, MPLS, MS MMS,
MS NLB, MS Proxy, MTP3, NBNS, NCP 2222, NDPS, Netflow, NFS, NJACK, NLM, NSIP,
NTLMSSP, PN-DCP, POP, PPP, Q.931, Radiotap, RADIUS, RANAP, RNSAP, RPC,
RSYNC, RTCP, RTP, SCCP, SCCP MG, SCSI, SDP, Sebek, SES, SIGCOMP, SIGCOMP
UDVM, SIP, SKINNY, SMB2, SMB (Mailslot, PIPE, SMB), SMPP, SNDCP, SNMP,
SOCKS, SPNEGO, SRVLOC, SSL, STUN, Syslog, T.38, TACACS, TCAP, TCP, TDS,
Telnet, TIPC, UDP, UMA, WSP, X11, X.411, X.509, XML

New and Updated Capture File Support

iSeries, Snoop, Windows Sniffer

Getting Ethereal
Microsoft Windows

Download ethereal-setup-0.99.0.exe from the Windows download area on the main web site.
Double-click the installer executable.

Sun Solaris

Download the appropriate package from the Solaris download area on the main web site.
Uncompress the package using bzip2, and install it using pkgadd.

Source Code

Download ethereal-0.99.0.tar.gz from the main download area on the web site. Extract the
package using tar and gzip. Run "configure ; make ; make install".

Vendor-supplied Packages

Most Linux and Unix vendors supply their own Ethereal packages. You can install or upgrade
Ethereal using the package management system specific to that platform. A list of third-party
packages can be found on the download page on the Ethereal web site.

File Locations
Ethereal and Tethereal look in several different locations for preference files, plugins, SNMP
MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can
use About->Folders to find the default locations on your system.

Known Problems
On Windows systems the packet list scroll bar can sometimes disappear or become unusable.
Until the problem is fixed you can work around it by resizing the packet list or the main
window. (Bug #220)

The Filter button is nonfunctional in the file dialogs under Windows.

Trying to save flow data may crash Ethereal. (Bug #396)

It may not be possible to re-order coloring rules under Windows. (Bug #699)

Multiple tap interfaces may cause a crash under FreeBSD. (Bug #757)

Ethereal may crash while viewing TCP streams. (Bug #852)

Ethereal may crash while adjusting column preferences. (Bug #886)

Getting Help
Community support is available on the ethereal-users mailing list. Subscription information
and archives for all of Ethereal's mailing lists can be found on the web site. There is also an
IRC channel dedicated to Ethereal.

Commercial support, training, and development services are available from Ethereal
Software.

Frequently Asked Questions

A complete FAQ is available on the Ethereal web site.
Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing
list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions),
please send email to ethereal-web[AT]ethereal.com.
Last modified: Mon, April 24 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.