Ethereal for Mac OS X, how?

[rtfm]

Update:

Yes, there's a "tethereal" in /sw/bin. I thought I'd read that was one part of the ethereal package.

We never found an executable "ethereal" file, anywhere.

But with the VPN to my MDD working; I went to a friend's & he poked at it remotely and did what I was reluctant to do; follow sao's 10.4 sticky note.

THAT seems to work; we started it w/o bringing up X and it ran briefly before erroring out on NO DISPLAY.

I suggested we just pipe it back to a display on HIS xterm. Note he's stuck on a oh-sh-skinny 56Kbps pipe. I got a seriously annoyed look over THAT leg-pull. [For those who've never done so, remote X sessions make fast/fat pipes look small and slow; and if you start out small & slow, screen paints take MANY minutes.....]

I'll try it locally tomorrow & let everyone know what happens.


I have some logs if anyone cares...

[rtfm]

Ethereal starts. After a minutes or so with the logo up, "registering dissectors" it opens an X11 window with the main screen.

Help says:

Version 0.10.12 (C) 1998-2005 Gerald Combs <gerald@ethereal.com>
Compiled with GTK+ 2.4.9, with GLib 2.4.6, with libpcap 0.8.3, with libz 1.1.4, with libpcre 4.2, without UCD-SNMP or Net-SNMP, without ADNS.

Running with libpcap version 0.8.3 on Darwin 7.9.0.




I started a live capture from the main window, let it run. No other output appeared. I stopped the capture & got a pop-up of:

Child capture process died: Signal 30



suggestions?

[yellow]

I don't have any suggestions..

How long was your capture? Seconds? Minutes? Hours?
You're running Panther, correct?
When was the last time you updated fink & ethereal (and it's dependancies)?

[hayne]

Are you starting Ethereal via a command like 'sudo ethereal' (in an xterm)?
That's the right way to do it.
It needs to be run as 'root'

[yellow]

Quote: Originally Posted by hayne Are you starting Ethereal via a command like 'sudo ethereal' (in an xterm)?

I was gonna ask the same thing, but he wouldn't have been able to do a capture without doing that (at least in my quick testing it complained and wouldn't capture).

I asked what I asked because I was wondering if the capture was exceedingly large that ethereal died long before it could convert the cap to "text". Shot in the dark here..

[rtfm]

Quote: Originally Posted by yellow I don't have any suggestions..

{Why am I reminded of Click&Clack's Mechanic's Shrug?}

And yes, I started from an xterm with sudo...

Quote: How long was your capture? Seconds? Minutes? Hours?

A minute or two; I ran a POP fetch to be sure there was some traffic.

Quote: You're running Panther, correct?

10.3.9
Build 7W98
Dual 867 PowerPC G4

Quote: When was the last time you updated fink & ethereal (and it's dependancies)?

Well, I {re}installed it yesterday...

But:
Number6:/sw/bin nerdcave$ ./fink selfupdate
Password:

(1) Delete it and download again
(2) Assume it is a partial download and try to continue
(3) Don't download, use existing file
The file "CURRENT-FINK-10.3" already exists. How do you want to proceed? [1]

---

I ^C'ed out at that...

Will doing this break more things?


Waitasec.. my problems may be more mundane than that....

Number6:~ nerdcave$ printenv
TERM_PROGRAM=Apple_Terminal
TERM=xterm
SHELL=/bin/tcsh
TERM_PROGRAM_VERSION=100.1.8
USER=nerdcave
__CF_USER_TEXT_ENCODING=0x1F6:0:0
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/opt/local/bin
PWD=/Users/nerdcave
SHLVL=1
HOME=/Users/nerdcave

[what happened to /sw?]

Number6:~ nerdcave$ cat .cshrc
test -r /sw/bin/init.csh && source /sw/bin/init.csh

Number6:~ nerdcave$

And if I manually run it:
Number6:~ nerdcave$ source /sw/bin/init.csh
-bash: alias: append_path: not found
-bash: alias: if ( $\!:1 !~ \!:2\:* && $\!:1 !~ *\:\!:2\:* && $\!:1 !~ *\:\!:2 && $\!:1 !~ \!:2 ) setenv \!:1 ${\!:1}\:\!:2: not found
-bash: alias: prepend_path: not found
-bash: alias: if ( $\!:1 !~ \!:2\:* && $\!:1 !~ *\:\!:2\:* && $\!:1 !~ *\:\!:2 && $\!:1 !~ \!:2 ) setenv \!:1 \!:2\:${\!:1}; if ( $\!:1 !~ \!:2\:* ) setenv \!:1 \!:2`echo \:${\!:1} | /usr/bin/sed -e s%^\!:2\:%% -e s%:\!:2\:%:%g -e s%:\!:2\$%%`: not found
-bash: /sw/bin/init.csh: line 104: syntax error near unexpected token `('
-bash: /sw/bin/init.csh: line 104: ` foreach i ( /sw/etc/profile.d/*.csh )'

Number6:~ nerdcave$

[yellow]

the X11 xterms don't honor your .cshrc by default.

Odd error... you know I can't figure out why you have a bash-looking shell, but it's clearly declared as tcsh. Did you change the prompt?

[rtfm]

Quote: Originally Posted by yellow the X11 xterms don't honor your .cshrc by default. Odd error... you know I can't figure out why you have a bash-looking shell, but it's clearly declared as tcsh. Did you change the prompt?

I at some point fiddled with the shell; and I can't recall why. ISTM it had to do with char set grief when SSH'ed into another machine.

And why does .bash_history have a current timestamp if...

[yellow]

Do us a favor.. create a NEW admin user, log in as that user, open X11, and try and run ethereal (after sourcing the fink init.csh).

Unless you fiddled with the shell resources in /etc...

[rtfm]

Quote: Originally Posted by yellow Do us a favor.. create a NEW admin user, log in as that user, open X11, and try and run ethereal (after sourcing the fink init.csh). Unless you fiddled with the shell resources in /etc...

New user; bash is shell

"source pathsetup.sh" yes, go ahead, all is OK for fink.

sudo /sw/bin/ethereal

20+ sec later, get logo

20+ after that, X11 window opens.

Start capture, do a ping & a ssh out

stop capture...

Signal 30 again... Child process.. etc.

[hayne]

Quote: Originally Posted by rtfm Signal 30 again... Child process.. etc.

Any relevant error messages in console.log or system.log ?
(Use Console.app to look at the logs)

And see what happens if you do the same capture using '/usr/sbin/tcpdump' - read 'man tcpdump'.
We don't care at the moment about being able to understand the captured packets - this is just a test to see if the packet capture library is working.

[rtfm]

Quote: Any relevant error messages in console.log or system.log ?

Attached... a minor pain to find same when ssh'ed in... but there they are...

Quote: And see what happens if you do the same capture using '/usr/sbin/tcpdump' - read 'man tcpdump'.

I'll try that in the AM.

[rtfm]

Quote: And see what happens if you do the same capture using '/usr/sbin/tcpdump' - read 'man tcpdump'.

That generates a dump to the console...

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, capture size 96 bytes
12:46:54.632824 192.168.1.73.54410 > 153.2.225.56.https: FP 2558126520:2558126557(37) ack 4095081454 win 65535 (DF)
etc..

[yellow]

Well, I'm stumped.

All I can say is that ethereal 0.10.12-11 (via fink) works great on Tiger. I don't have any Panther boxes left to test with.

[rtfm]

Well, I can try on a separate machine & see if that helps...

We do not use Tiger since it broke filesharing with OS9 boxes..

[yellow]

Dunno about OS9/Tiger filesharing issues. We ditched OS9 long ago.

Your best troubleshooting step at this point would be to try and get a vanilla Panther set up and install DevTools/fink/etheral/etc. Keep the fiddling to a minimum. See if it works. If it does, there's hope.. if not..

[rtfm]

Quote: Your best troubleshooting step at this point would be to try and get a vanilla Panther set up and install DevTools/fink/etheral/etc.

grumble...

Well, I started out to do just that, but in the middle of copying over the needed files, my MDD workstation lost not one, but two of the three drives therein, the ones on the ATA-100 channel. They claim to have lost their superblocks...but SMART says they are fine, and the one drive is fine when plugged into the ATA-66 bus... Huh?

MANY hours later, it looks like the one drive somehow disrupted the other.

So next week, I'll try again on Ethereal...

[rtfm]

Quote: Your best troubleshooting step at this point would be to try and get a vanilla Panther set up and install DevTools/fink/etheral/etc. Keep the fiddling to a minimum. See if it works. If it does, there's hope.. if not..

So I moved to another machine, one that should be ordinary...and tried to follow sao's sticky line by line...

I failed out at:

Code:

### execution of /var/tmp/tmp.1.NGZFAY failed, exit code 1
Removing build lock...
/sw/bin/dpkg-lockwait -r fink-buildlock-gcc3.1-3.1-0
(Reading database ... 4142 files and directories currently installed.)
Removing fink-buildlock-gcc3.1-3.1-0 ...
Failed: phase compiling: gcc3.1-3.1-0 failed

The end of the console session is attached.... I can grab more the logs, I suspect...

waitasec... did I need a gcc upgrade as well as XTOOLS 1.5?

[dmacks]

Yup, you gotta install gcc3.1 manually after downloading it from Apple, just the like boxed message immediately above what you quoted here says.

[rtfm]

Quote: Originally Posted by dmacks Yup, you gotta install gcc3.1 manually after downloading it from Apple...

..which I just found out in turn needs the 2002 Developers Tools which are downloading SLOWLY... 35 minutes for 300 MB! (I have a full DS-1 here...)