How do I run ethereal after installing it via the RPM?

abefroman · 05-07-2005, 10:13 AM

How do I run ethereal after installing it via the RPM?

It doesnt seem to be finding the ethereal binary:
[root@business root]# ethereal
bash: ethereal: command not found
[root@business root]# ethereal
bash: ethereal: command not found

The install seems to have worked properly:
[root@business root]# yum install ethereal
Gathering header information file(s) from server(s)
Server: CentOS-3 - Addons
Server: CentOS-3 - Base
Server: CentOS-3 - Extras
Server: CentOS-3 - Updates
Finding updated packages
Downloading needed headers
nasm-0-0.98.35-3.EL3.i386 100% |=========================| 3.2 kB 00:00
nasm-doc-0-0.98.35-3.EL3. 100% |=========================| 2.6 kB 00:00
nasm-rdoff-0-0.98.35-3.EL 100% |=========================| 2.4 kB 00:00
Resolving dependencies
..Dependencies resolved
I will do the following:
[install: ethereal 0.10.10-1.EL3.1.i386]
I will install/upgrade these to satisfy the dependencies:
[deps: net-snmp-libs 5.0.9-2.30E.12.i386]
[deps: net-snmp 5.0.9-2.30E.12.i386]
[deps: libpcap 14:0.7.2-7.E3.2.i386]
Is this ok [y/N]: y
Downloading Packages
Getting net-snmp-libs-5.0.9-2.30E.12.i386.rpm
net-snmp-libs-5.0.9-2.30E 100% |=========================| 1.4 MB 00:15
Getting ethereal-0.10.10-1.EL3.1.i386.rpm
ethereal-0.10.10-1.EL3.1. 100% |=========================| 5.0 MB 00:59
Getting net-snmp-5.0.9-2.30E.12.i386.rpm
net-snmp-5.0.9-2.30E.12.i 100% |=========================| 713 kB 00:08
Getting libpcap-0.7.2-7.E3.2.i386.rpm
libpcap-0.7.2-7.E3.2.i386 100% |=========================| 153 kB 00:02
Running test transaction:
Test transaction complete, Success!
libpcap 100 % done 1/4
net-snmp-libs 100 % done 2/4
net-snmp 100 % done 3/4
ethereal 100 % done 4/4
Installed: ethereal 0.10.10-1.EL3.1.i386
Dep Installed: net-snmp-libs 5.0.9-2.30E.12.i386 net-snmp 5.0.9-2.30E.12.i386 libpcap 14:0.7.2-7.E3.2.i386
Transaction(s) Complete
[root@business root]# ethereal
bash: ethereal: command not found
[root@business root]#
[root@business root]# rpm -qa ethereal
ethereal-0.10.10-1.EL3.1

Which one of these files starts ethereal?
[root@business root]# updatedb
[root@business root]# locate ethereal
/var/cache/yum/base/headers/ethereal-0-0.10.5-0.30E.2.i386.hdr
/var/cache/yum/base/headers/ethereal-gnome-0-0.10.5-0.30E.2.i386.hdr
/var/cache/yum/update/packages/ethereal-0.10.10-1.EL3.1.i386.rpm
/var/cache/yum/update/headers/ethereal-0-0.10.10-1.EL3.1.i386.hdr
/var/cache/yum/update/headers/ethereal-gnome-0-0.10.10-1.EL3.1.i386.hdr
/etc/pam.d/ethereal
/etc/security/console.apps/ethereal
/usr/share/doc/ethereal-0.10.10
/usr/share/doc/ethereal-0.10.10/ChangeLog
/usr/share/doc/ethereal-0.10.10/AUTHORS
/usr/share/doc/ethereal-0.10.10/COPYING
/usr/share/doc/ethereal-0.10.10/README.aix
/usr/share/doc/ethereal-0.10.10/INSTALL
/usr/share/doc/ethereal-0.10.10/NEWS
/usr/share/doc/ethereal-0.10.10/README
/usr/share/doc/ethereal-0.10.10/README.linux
/usr/share/doc/ethereal-0.10.10/README.bsd
/usr/share/doc/ethereal-0.10.10/README.hpux
/usr/share/doc/ethereal-0.10.10/README.irix
/usr/share/doc/ethereal-0.10.10/doc
/usr/share/doc/ethereal-0.10.10/doc/Makefile.nmake
/usr/share/doc/ethereal-0.10.10/doc/Makefile
/usr/share/doc/ethereal-0.10.10/doc/Makefile.am
/usr/share/doc/ethereal-0.10.10/doc/Makefile.in
/usr/share/doc/ethereal-0.10.10/doc/README.developer
/usr/share/doc/ethereal-0.10.10/doc/README.capture
/usr/share/doc/ethereal-0.10.10/doc/README.design
/usr/share/doc/ethereal-0.10.10/doc/README.regression
/usr/share/doc/ethereal-0.10.10/doc/README.idl2eth
/usr/share/doc/ethereal-0.10.10/doc/README.plugins
/usr/share/doc/ethereal-0.10.10/doc/README.xml-output
/usr/share/doc/ethereal-0.10.10/doc/README.tapping
/usr/share/doc/ethereal-0.10.10/doc/README.tvbuff
/usr/share/doc/ethereal-0.10.10/doc/ethereal-filter.pod
/usr/share/doc/ethereal-0.10.10/doc/capinfos.pod
/usr/share/doc/ethereal-0.10.10/doc/dfilter2pod.pl
/usr/share/doc/ethereal-0.10.10/doc/editcap.pod
/usr/share/doc/ethereal-0.10.10/doc/mergecap.pod
/usr/share/doc/ethereal-0.10.10/doc/idl2eth.pod
/usr/share/doc/ethereal-0.10.10/doc/ethereal-filter.pod.template
/usr/share/doc/ethereal-0.10.10/doc/ethereal-tmp.pod
/usr/share/doc/ethereal-0.10.10/doc/ethereal.pod
/usr/share/doc/ethereal-0.10.10/doc/pod2htmd.x~~
/usr/share/doc/ethereal-0.10.10/doc/pod2htmi.x~~
/usr/share/doc/ethereal-0.10.10/doc/randpkt.txt
/usr/share/doc/ethereal-0.10.10/doc/tethereal.pod
/usr/share/doc/ethereal-0.10.10/doc/text2pcap.pod
/usr/share/doc/ethereal-0.10.10/README.macos
/usr/share/doc/ethereal-0.10.10/README.tru64
/usr/share/doc/ethereal-0.10.10/README.vmware
/usr/share/doc/ethereal-0.10.10/README.win32
/usr/share/man/man1/tethereal.1.gz
/usr/share/man/man4/ethereal-filter.4.gz
/usr/share/ethereal
/usr/share/ethereal/diameter
/usr/share/ethereal/diameter/dictionary.dtd
/usr/share/ethereal/diameter/dictionary.xml
/usr/share/ethereal/diameter/imscxdx.xml
/usr/share/ethereal/diameter/mobileipv4.xml
/usr/share/ethereal/diameter/nasreq.xml
/usr/share/ethereal/diameter/sunping.xml
/usr/share/ethereal/help
/usr/share/ethereal/help/toc
/usr/share/ethereal/help/capture_filters.txt
/usr/share/ethereal/help/capturing.txt
/usr/share/ethereal/help/display_filters.txt
/usr/share/ethereal/help/faq.txt
/usr/share/ethereal/help/getting_started.txt
/usr/share/ethereal/help/overview.txt
/usr/share/ethereal/AUTHORS-SHORT
/usr/share/ethereal/capinfos.html
/usr/share/ethereal/ethereal-filter.html
/usr/share/ethereal/editcap.html
/usr/share/ethereal/ethereal.html
/usr/share/ethereal/idl2eth.html
/usr/share/ethereal/manuf
/usr/share/ethereal/mergecap.html
/usr/share/ethereal/tethereal.html
/usr/share/ethereal/text2pcap.html
/usr/sbin/tethereal
/usr/lib/python2.2/site-packages/ethereal_be.py
/usr/lib/python2.2/site-packages/ethereal_gen.py
/usr/lib/ethereal
/usr/lib/ethereal/plugins
/usr/lib/ethereal/plugins/0.10.10
/usr/lib/ethereal/plugins/0.10.10/agentx.so
/usr/lib/ethereal/plugins/0.10.10/acn.so
/usr/lib/ethereal/plugins/0.10.10/coseventcomm.so
/usr/lib/ethereal/plugins/0.10.10/artnet.so
/usr/lib/ethereal/plugins/0.10.10/asn1.so
/usr/lib/ethereal/plugins/0.10.10/ciscosm.so
/usr/lib/ethereal/plugins/0.10.10/cosnaming.so
/usr/lib/ethereal/plugins/0.10.10/docsis.so
/usr/lib/ethereal/plugins/0.10.10/enttec.so
/usr/lib/ethereal/plugins/0.10.10/gryphon.so
/usr/lib/ethereal/plugins/0.10.10/irda.so
/usr/lib/ethereal/plugins/0.10.10/lwres.so
/usr/lib/ethereal/plugins/0.10.10/mate.so
/usr/lib/ethereal/plugins/0.10.10/megaco.so
/usr/lib/ethereal/plugins/0.10.10/mgcp.so
/usr/lib/ethereal/plugins/0.10.10/opsi.so
/usr/lib/ethereal/plugins/0.10.10/pcli.so
/usr/lib/ethereal/plugins/0.10.10/rdm.so
/usr/lib/ethereal/plugins/0.10.10/rlm.so
/usr/lib/ethereal/plugins/0.10.10/rtnet.so
/usr/lib/ethereal/plugins/0.10.10/rudp.so
/usr/lib/ethereal/plugins/0.10.10/stats_tree.so
/usr/lib/ethereal/plugins/0.10.10/v5ua.so
/usr/lib/ethereal/plugins/0.10.10/xml.so
/usr/lib/libethereal.so
/usr/lib/libethereal.so.0.0.1
/usr/lib/libethereal.so.0

Got any tips?

fancypiper · 05-07-2005, 10:53 AM

The binaries in Linux are usually in a directory with bin in it's name. According to your post, the binary is here:

/usr/sbin/tethereal

Also see:
man tethereal
info tethereal

abefroman · 05-07-2005, 11:00 AM

That appears to be the binary for tethereal, not ethereal.

Can anyone confirm or deny that?

fancypiper · 05-07-2005, 11:05 AM

The man and info pages confirm it.

Ethereal Documentation

abefroman · 05-07-2005, 11:38 AM

How do I get the ethereal binary then?

fancypiper · 05-07-2005, 12:02 PM

Are you saying tethereal isn't the binary for ethereal?

Code:

Sat May 07 01:12 PM root@uilleann ~ #  ethereal -h
-bash: ethereal: command not found
Sat May 07 01:12 PM root@uilleann ~ # tethereal -h
This is GNU tethereal 0.10.5
 (C) 1998-2004 Gerald Combs <gerald@ethereal.com>
Compiled with GLib 2.2.3, with libpcap 0.7.2, with libz 1.2.0.7,
without libpcre, with Net-SNMP 5.1, without ADNS.
NOTE: this build does not support the "matches" operator for Ethereal filter
syntax.
Running with libpcap (version unknown) on Linux 2.4.22-1.2199.nptl.
 
tethereal [ -vh ] [ -DlLnpqSVx ] [ -a <capture autostop condition> ] ...
        [ -b <number of ring buffer files>[:<duration>] ] [ -c <count> ]
        [ -d <layer_type>==<selector>,<decode_as_protocol> ] ...
        [ -f <capture filter> ] [ -F <output file type> ] [ -i <interface> ]
        [ -N <resolving> ] [ -o <preference setting> ] ... [ -r <infile> ]
        [ -R <read filter> ] [ -s <snaplen> ] [ -t <time stamp format> ]
        [ -T pdml|ps|text ] [ -w <savefile> ] [ -y <link type> ]
        [ -z <statistics string> ]
Valid file type arguments to the "-F" flag:
        libpcap - libpcap (tcpdump, Ethereal, etc.)
        rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
        suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
        modlibpcap - modified libpcap (tcpdump)
        nokialibpcap - Nokia libpcap (tcpdump)
        lanalyzer - Novell LANalyzer
        ngsniffer - Network Associates Sniffer (DOS-based)
        snoop - Sun snoop
        netmon1 - Microsoft Network Monitor 1.x
        netmon2 - Microsoft Network Monitor 2.x
        ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
        ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
        visual - Visual Networks traffic capture
        5views - Accellent 5Views capture
        niobserverv9 - Network Instruments Observer version 9
        default is libpcap

Ethereal User's Guide

abefroman · 05-07-2005, 12:14 PM

Yes, according to the manual:
4.1. Start Capturing
There are two methods you can use to start capturing packets with Ethereal:

From the command line using the following:

ethereal -i eth0 -k

This will start Ethereal capturing on interface eth0.

By starting Ethereal and then selecting Start... from the Capture menu (or use the corresponding item in the "Main" toolbar), this brings up the Capture Options dialog box.

fancypiper · 05-07-2005, 12:53 PM

I think the documentation must be out of date.

I have it installed, but haven't really used it and the command ethereal doesn't exist, but tethereal does. The -k option is invalid with tethereal, however.

If I were you, I would subscribe to the users mailing list. They can be of great help.

Ethereal Mailing Lists

Capt_Caveman · 05-08-2005, 11:51 PM

From the docs:
"Tethereal is a terminal oriented version of ethereal designed for capturing and displaying packets when an interactive user interface isn't necessary or available. It supports the same options as ethereal. For more information on tethereal, see the manual pages (man tethereal)."

AFAIK, if you install ethereal and don't have the proper X/GTK files installed, it will install only tethereal (tty-ethereal binary) since running ethereal wouldn't work without the required libs.

pk21 · 05-10-2005, 08:25 AM

To see all files that you have installed with the ethereal rpm, type: rpm -q --filesbypkg ethereal

The binary should be in the output somewhere.