
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
1 answers
61 views
Tshark grep specific fields
I'm using tshark to decode the SMPP protocol on the fly, e.g.:

    tshark -i any -V -Y smpp

This will show, in real time, every single SMPP packet, e.g.

    Short Message Peer to Peer, Command: Submit_sm, Seq: 8475778, Len: 215
        Length: 215
        Operation: Submit_sm (0x00000004)
        Sequence #: 8475778
        Service type: (Default)
        Type of number (originator): Alphanumeric (0x05)
        Numbering plan indicator (originator): Unknown (0x00)
        Originator address: \123\110\123\123\123aaa\123
        Type of number (recipient): Unknown (0x00)
        Numbering plan indicator (recipient): ISDN (E163/E164) (0x01)
        Recipient address: 44123456789
        .... ..00 = Messaging mode: Default SMSC mode (0x00)
        ..00 00.. = Message type: Default message type (0x00)
        00.. .... = GSM features: No specific features selected (0x00)
        Protocol id.: 0x43

Is there a way to grep specific fields and output only these? I tried with:

    tshark -i any -V -Y smpp | grep 'Operation|Type of number|Numbering plan indicator|Recipient address'

But it doesn't work. I tried also with:

    tshark -i any -V -Y smpp -T fields -e 'smpp.dest_addr_ton' -e 'smpp.destination_addr'

But this will output only the value and I would like to output something like:

    Type of number (recipient): Unknown (0x00)
    Numbering plan indicator (recipient): ISDN (E163/E164) (0x01)
    Recipient address: 44123456789

Could someone advise? Thank you, Lucas
Lucas Rey (145 rep)
Nov 20, 2024, 05:24 AM • Last activity: Nov 20, 2024, 05:36 AM
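A worked example for the two approaches tried in the question, added here and not part of the original post. grep in its default basic-regex mode treats `|` as a literal character, which is why the alternation above matches nothing; `grep -E` fixes that, and `tshark -l` plus `grep --line-buffered` keep a live pipeline from stalling on stdio buffers. For `-T fields`, `-E header=y` puts the field names on the first line, so a small awk filter can print every value with its name. The sample `-V` and `-T fields` output below is constructed from the packet shown in the question; `smpp.dest_addr_npi` is assumed by analogy with the two field names the question uses, and the `0x00`/`0x01` values are assumed to be how the dissector prints those fields in `-T fields` mode.

```shell
#!/bin/sh
# Added example (not from the original post): keep only the SMPP fields of
# interest from a live tshark decode, two ways.

# 1. Filter the verbose (-V) decode by label. grep's default basic regex
#    treats '|' literally, which is why the pipe in the question matched
#    nothing; -E enables alternation. Only the labelled lines survive.
smpp_labels() {
    grep -E '^ *(Operation|Type of number|Numbering plan indicator|Recipient address)'
}

# 2. Re-label "-T fields" output. With -E header=y the first line carries the
#    field names; awk pairs every later column with its name and prints one
#    "name: value" line per field, plus a blank line between packets.
label_fields() {
    awk -F '\t' '
        NR == 1 { for (i = 1; i <= NF; i++) name[i] = $i; next }
        { for (i = 1; i <= NF; i++) printf "%s: %s\n", name[i], $i; print "" }'
}

# Constructed sample of "tshark -V -Y smpp" output (values from the question).
sample_verbose() {
cat <<'EOF'
Short Message Peer to Peer, Command: Submit_sm, Seq: 8475778, Len: 215
    Length: 215
    Operation: Submit_sm (0x00000004)
    Sequence #: 8475778
    Service type: (Default)
    Type of number (originator): Alphanumeric (0x05)
    Numbering plan indicator (originator): Unknown (0x00)
    Originator address: \123\110\123\123\123aaa\123
    Type of number (recipient): Unknown (0x00)
    Numbering plan indicator (recipient): ISDN (E163/E164) (0x01)
    Recipient address: 44123456789
    Protocol id.: 0x43
EOF
}

# Constructed sample of "tshark -T fields -E header=y -E separator=/t" output
# for the three recipient fields (field name smpp.dest_addr_npi is assumed).
sample_fields() {
    printf 'smpp.dest_addr_ton\tsmpp.dest_addr_npi\tsmpp.destination_addr\n'
    printf '0x00\t0x01\t44123456789\n'
}

# Live use (needs a capture interface and root or capture capabilities).
# -l makes tshark flush after every packet, so the pipeline does not sit on a
# full stdio buffer while you wait for output:
#   tshark -l -i any -V -Y smpp | grep --line-buffered -E '^ *(Operation|Type of number|Numbering plan indicator|Recipient address)'
#   tshark -l -i any -Y smpp -T fields -E header=y -E separator=/t \
#          -e smpp.dest_addr_ton -e smpp.dest_addr_npi -e smpp.destination_addr | label_fields

if [ "${1:-}" = "demo" ]; then
    sample_verbose | smpp_labels
    sample_fields | label_fields
fi
```

Running the file with `demo` as its only argument prints both filtered views of the constructed samples; the `-T fields` route gives raw values only (no "Unknown (0x00)" text), so if the decoded names matter, the `-V` plus `grep -E` route is the one to use.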
0 votes
1 answers
103 views
how to achieve time-shift functionality using tshark?
I want to print captured packets using tshark. However I want to use "time-shift" functionality in tshark (which is readily available in wireshark GUI). I couldn't find any relevant information in --help menu. Any possible guidance is welcome. Thanks in advance.
Vijay Gharge (1 rep)
Feb 15, 2024, 07:28 AM • Last activity: Feb 26, 2024, 03:38 PM
0 votes
0 answers
158 views
Load speed difference between Wireshark and tshark
I have some PCAP files from which I'm trying to extract metadata. I am doing this using tshark, opening the file, extracting a couple dozen fields, then writing the table to disk. I've noticed that this process can be pretty time consuming, sometimes up to 30 minutes for a single PCAP file. I am performing reverse DNS on the data, using the default settings (-N dmN) and I have the same reverse DNS settings in Wireshark. I understand that reverse DNS is a fairly time-consuming process relative to other processes that tshark/Wireshark is performing. However, when opening the same file in Wireshark and in tshark, Wireshark loads the file in a matter of seconds, while tshark will take minutes. My tshark command is:
tshark -r my_pcap_file.pcap \
    -2 \
    -T fields \
    -E separator=/t \
    -E header=y \
    -E quote=d \
    -e frame.time_epoch \
    -e frame.len \
    -e frame.protocols \
    -e _ws.malformed \
    -e _ws.col.Protocol \
    -e _ws.col.Length \
    -e ip.rec_rt \
    -e ip.src \
    -e ip.dst \
    -e ip.src_host \
    -e ip.dst_host \
    > my_pcap_file.tsv
Is there a known reason for this speed difference?
CopyOfA (123 rep)
Jan 10, 2024, 03:46 PM • Last activity: Jan 11, 2024, 07:20 PM
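An added example, not part of the original post, of a cheaper way to get the host names into a bulk export like the one above. With `-N` tshark resolves addresses synchronously while it prints, once per packet, whereas Wireshark resolves in the background, which is one known reason the two differ so much on the same file (`-2` also forces a second pass over the file and is only needed for fields that depend on later packets). The pattern below runs tshark with `-n`, resolves each distinct address exactly once with the system resolver, and joins the names back into the table. File names and the sample table and resolver answers are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: export with -n (no resolution),
# resolve every distinct address once, then join the names back in.

# unique_ips: read a tab-separated tshark "-T fields -E header=y" export whose
# 2nd and 3rd columns are ip.src and ip.dst; print each distinct address once.
unique_ips() {
    awk -F '\t' 'NR > 1 { if ($2 != "") seen[$2] = 1; if ($3 != "") seen[$3] = 1 }
                 END { for (a in seen) print a }' | sort
}

# resolve_ips: turn a list of addresses into "ip<TAB>name" lines using the
# system resolver once per address (unresolvable addresses map to "-").
resolve_ips() {
    while IFS= read -r ip; do
        name=$(getent hosts "$ip" | awk '{ print $2; exit }')
        printf '%s\t%s\n' "$ip" "${name:--}"
    done
}

# join_names TABLE NAMES: append ip.src_host and ip.dst_host columns to TABLE
# by looking each address up in NAMES (the resolve_ips output).
join_names() {
    awk -F '\t' -v OFS='\t' '
        NR == FNR { host[$1] = $2; next }                  # first file: ip -> name
        FNR == 1  { print $0, "ip.src_host", "ip.dst_host"; next }
        { print $0, ($2 in host ? host[$2] : "-"), ($3 in host ? host[$3] : "-") }' "$2" "$1"
}

# Constructed sample of a tshark export made with -n (so no names yet).
sample_table() {
    printf 'frame.time_epoch\tip.src\tip.dst\n'
    printf '1700000000.1\t192.0.2.10\t198.51.100.5\n'
    printf '1700000000.2\t198.51.100.5\t192.0.2.10\n'
    printf '1700000000.3\t192.0.2.10\t203.0.113.7\n'
}

# Constructed resolver answers, in the layout resolve_ips produces.
sample_names() {
    printf '192.0.2.10\tclient.example\n'
    printf '198.51.100.5\tweb.example\n'
}

# Real run (file names assumed):
#   tshark -n -r in.pcap -T fields -E separator=/t -E header=y \
#          -e frame.time_epoch -e ip.src -e ip.dst > in.tsv
#   unique_ips < in.tsv | resolve_ips > names.tsv
#   join_names in.tsv names.tsv > in_with_hosts.tsv
```

The resolver is hit once per distinct address rather than once per packet, and the names file can be reused across many captures from the same network; a capture with a few dozen hosts and a million packets goes from a million lookups to a few dozen.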
4 votes
2 answers
12041 views
System clock not synchronized with NTP server using systemd-timesyncd
I followed [this answer here](https://unix.stackexchange.com/a/666973), but it seems that my system clock doesn't synchronize with the NTP server:
$ cat /etc/debian_version
10.9
$ egrep -v "^$|^#" /etc/systemd/timesyncd.conf
[Time]
NTP=x.y.z.t1
FallbackNTP=x.y.z.t2
$ sudo timedatectl set-ntp true
$ sudo systemctl restart systemd-timesyncd
$ systemctl status systemd-timesyncd
● systemd-timesyncd.service - Network Time Synchronization
   Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/systemd-timesyncd.service.d
           └─disable-with-time-daemon.conf
   Active: active (running) since Wed 2022-08-24 16:46:29 CEST; 2ms ago
     Docs: man:systemd-timesyncd.service(8)
 Main PID: 23412 (systemd-timesyn)
   Status: "Idle."
    Tasks: 2 (limit: 4915)
   Memory: 1.4M
   CGroup: /system.slice/systemd-timesyncd.service
           └─23412 /lib/systemd/systemd-timesyncd

Aug 24 16:46:29 EncoderBack systemd: Starting Network Time Synchronization...
Aug 24 16:46:29 EncoderBack systemd: Started Network Time Synchronization.
$ timedatectl timesync-status
       Server: x.y.z.t1 (x.y.z.t1)
Poll interval: 1min 4s (min: 32s; max 34min 8s)
 Packet count: 0
$ timedatectl show-timesync
SystemNTPServers=x.y.z.t1
FallbackNTPServers=x.y.z.t2
ServerName=x.y.z.t1
ServerAddress=x.y.z.t1
RootDistanceMaxUSec=5s
PollIntervalMinUSec=32s
PollIntervalMaxUSec=34min 8s
PollIntervalUSec=1min 4s
Frequency=0
$ journalctl -u systemd-timesyncd.service -n 5
-- Logs begin at Mon 2022-08-22 15:20:05 CEST, end at Wed 2022-08-24 16:46:29 CEST. --
Aug 24 16:46:29 EncoderBack systemd: Stopping Network Time Synchronization...
Aug 24 16:46:29 EncoderBack systemd: systemd-timesyncd.service: Succeeded.
Aug 24 16:46:29 EncoderBack systemd: Stopped Network Time Synchronization.
Aug 24 16:46:29 EncoderBack systemd: Starting Network Time Synchronization...
Aug 24 16:46:29 EncoderBack systemd: Started Network Time Synchronization.
$ timedatectl status
               Local time: Wed 2022-08-24 16:46:29 CEST
           Universal time: Wed 2022-08-24 14:46:29 UTC
                 RTC time: Wed 2022-08-24 14:46:19
                Time zone: Europe/Paris (CEST, +0200)
System clock synchronized: no
              NTP service: active
          RTC in local TZ: no
$
EDIT0: Here is a [tcpdump](https://www.tcpdump.org/manpages/tcpdump.1.html) trace while restarting systemd-timesyncd.service:
$ sudo tcpdump -v dst port 123
tcpdump: listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:46:34.136278 IP (tos 0x10, ttl 64, id 18841, offset 0, flags [DF], proto UDP (17), length 76)
    ntpclient.lan.53695 > ntpserver.lan.ntp: NTPv4, length 48
        Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
          Reference Timestamp:  0.000000000
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3870427594.031728329 (2022/08/25 16:46:34)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3870427594.031728329 (2022/08/25 16:46:34)
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
EDIT1: Here is a [tshark](https://www.wireshark.org/docs/man-pages/tshark.html) trace while restarting systemd-timesyncd.service:
$ sudo tshark -n -f 'udp port 123' -c2
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eno1'
    1 0.000000000 a.b.c.d  → x.y.z.t1 NTP 90 NTP Version 4, client
    2 0.000678872 x.y.z.t1 → a.b.c.d  NTP 90 NTP Version 3, server
^C
2 packets captured
EDIT2: Thanks to @Bib and to the tshark output, it seems the systemd-timesyncd client sends NTPv4 protocol requests but the server responds with NTPv3 protocol answers. As @QuartzCristal and @Bib suggest, I will be using ntpsec.

EDIT3: After having configured the /etc/ntpsec/ntp.conf file and restarted the ntpsec service, it works fine now:
$ grep ^server /etc/ntpsec/ntp.conf
server x.y.z.t1 iburst
server x.y.z.t2 iburst
$ sudo mkdir /var/log/ntpsec/
$ sudo chown ntpsec:ntpsec /var/log/ntpsec/
$ sudo systemctl restart ntpsec
$ systemctl status ntpsec.service
● ntpsec.service - Network Time Service
   Loaded: loaded (/lib/systemd/system/ntpsec.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2022-08-26 11:06:49 CEST; 2s ago
     Docs: man:ntpd(8)
  Process: 22622 ExecStart=/usr/lib/ntp/ntp-systemd-wrapper (code=exited, status=0/SUCCESS)
 Main PID: 22625 (ntpd)
    Tasks: 1 (limit: 4915)
   Memory: 1.6M
   CGroup: /system.slice/ntpsec.service
           └─22625 /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec

Aug 26 11:06:49 EncoderBack ntpd: CLOCK: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2021-12-28T00:00Z last=2017-01-01T00:00Z ofs=37
Aug 26 11:06:49 EncoderBack ntpd: CLOCK: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): expired less than 242 days ago
Aug 26 11:06:49 EncoderBack ntpd: INIT: Using SO_TIMESTAMPNS
Aug 26 11:06:49 EncoderBack ntpd: IO: Listen and drop on 0 v6wildcard [::]:123
Aug 26 11:06:49 EncoderBack ntpd: IO: Listen and drop on 1 v4wildcard 0.0.0.0:123
Aug 26 11:06:49 EncoderBack ntpd: IO: Listen normally on 2 lo 127.0.0.1:123
Aug 26 11:06:49 EncoderBack ntpd: IO: Listen normally on 3 eno1 a.b.c.d:123
Aug 26 11:06:49 EncoderBack ntpd: IO: Listen normally on 4 lo [::1]:123
Aug 26 11:06:49 EncoderBack ntpd: IO: Listen normally on 5 eno1 [fe80::3e7c:3fff:fed4:a223%2]:123
Aug 26 11:06:49 EncoderBack ntpd: IO: Listening on routing socket on fd #22 for interface updates
Now the system clock is synchronized:
$ timedatectl
               Local time: Fri 2022-08-26 11:08:05 CEST
           Universal time: Fri 2022-08-26 09:08:05 UTC
                 RTC time: Fri 2022-08-26 09:08:05
                Time zone: Europe/Paris (CEST, +0200)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no
EDIT4: Here is a tcpdump output of what is going on when using ntpsec; the source packet tos has changed and the source port is now 123:
$ sudo tcpdump dst port 123 -n -c 2 -v
tcpdump: listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:53:49.185280 IP (tos 0xb8, ttl 64, id 54505, offset 0, flags [DF], proto UDP (17), length 76)
    a.b.c.d.123 > x.y.z.t1: NTPv4, length 48
        Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 32
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
          Reference Timestamp:  0.000000000
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   1839874488.898661747 (2094/05/28 04:43:04)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 1839874488.898661747 (2094/05/28 04:43:04)
11:53:49.185929 IP (tos 0x0, ttl 126, id 18818, offset 0, flags [none], proto UDP (17), length 76)
    x.y.z.t1.123 > a.b.c.d.123: NTPv3, length 48
        Server, Leap indicator:  (0), Stratum 1 (primary reference), poll 0 (1s), precision -23
        Root Delay: 0.000000, Root dispersion: 10.751129, Reference-ID: LOCL
          Reference Timestamp:  3870431575.277677199 (2022/08/25 17:52:55)
          Originator Timestamp: 1839874488.898661747 (2094/05/28 04:43:04)
          Receive Timestamp:    3870496473.230674199 (2022/08/26 11:54:33)
          Transmit Timestamp:   3870496473.230678499 (2022/08/26 11:54:33)
            Originator - Receive Timestamp:  +2030621984.332012452
            Originator - Transmit Timestamp: +2030621984.332016752
2 packets captured
2 packets received by filter
0 packets dropped by kernel
And here is a tshark output of what is going on when using ntpsec; the weird thing is that it is the same output as the one I got from using systemd-timesyncd.service (except the source port is now 123):
$ sudo tshark -f 'udp port 123' -n -c 2
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eno1'
    1 0.000000000 a.b.c.d  → x.y.z.t1 NTP 90 NTP Version 4, client
    2 0.000787978 x.y.z.t1 → a.b.c.d  NTP 90 NTP Version 3, server
2 packets captured
SebMa (2433 rep)
Aug 24, 2022, 02:49 PM • Last activity: Oct 3, 2023, 05:31 PM
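An added example, not part of the original post, that extracts the NTP exchange the question examines with tshark fields instead of reading tcpdump dumps by hand. It pairs every client request (mode 3) with the server reply (mode 4) that answers it, so "no reply", "reply in a different protocol version" and the stratum the server claims are visible per request; that is the same check EDIT2 does by eye, run over a whole capture. `ntp.flags.vn`, `ntp.flags.mode`, `ntp.stratum` and `ntp.refid` are standard Wireshark NTP dissector field names; the capture file name and the sample lines (modelled on the capture in the question, plus one unanswered request) are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: per-request NTP summary from a
# capture. Requests without a reply, or replies in another protocol version,
# are what to look for when timesyncd reports "Packet count: 0".

# ntp_fields FILE: one tab-separated line per NTP packet.
ntp_fields() {
    tshark -n -r "$1" -Y ntp -T fields -E separator=/t \
        -e frame.time_relative -e ip.src -e ip.dst -e udp.srcport -e udp.dstport \
        -e ntp.flags.vn -e ntp.flags.mode -e ntp.stratum -e ntp.refid
}

# ntp_pairs: read ntp_fields lines and print one summary per request:
# "client -> server: request vN, reply vM|none, stratum S".
# A reply is matched to the newest still-unanswered request for the same pair.
ntp_pairs() {
    awk -F '\t' '
        $7 == 3 {
            n++; client[n] = $2; server[n] = $3; reqv[n] = $6; rep[n] = ""; strat[n] = "-"
        }
        $7 == 4 {
            for (i = n; i >= 1; i--) {
                if (client[i] == $3 && server[i] == $2 && rep[i] == "") {
                    rep[i] = $6; strat[i] = $8; break
                }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s -> %s: request v%s, reply %s, stratum %s\n",
                       client[i], server[i], reqv[i],
                       (rep[i] == "" ? "none" : "v" rep[i]), strat[i]
        }'
}

# Constructed sample in the ntp_fields layout: a v4 request answered by a v3,
# stratum-1 server (as in the question), then a request nobody answered.
sample_ntp() {
    printf '0.000000\ta.b.c.d\tx.y.z.t1\t53695\t123\t4\t3\t0\t0x00000000\n'
    printf '0.000678\tx.y.z.t1\ta.b.c.d\t123\t53695\t3\t4\t1\tLOCL\n'
    printf '64.000000\ta.b.c.d\tx.y.z.t2\t53695\t123\t4\t3\t0\t0x00000000\n'
}

# Use:  ntp_fields ntp.pcapng | ntp_pairs
```

Reading the version and stratum from the wire is the reliable way to see what the server actually sends; the daemon's own status output only tells you that it did not accept an answer, not why.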
0 votes
0 answers
50 views
mixup TCP sessions in pcap file to new pcap file
I need to shuffle TCP sessions from a pcap file to a new file. How can I do it? The following scripts don't work for me.

--------------------

To mix up sessions in a pcap file using Tshark or Wireshark, you can use the following steps:

1. Rename the original pcap file to something else (optional): This step is not necessary but can help keep track of the original pcap file. You can use the following command to rename the file:

    mv original.pcap original_original.pcap

2. Extract individual sessions from the original pcap file using Tshark: Use Tshark to extract individual sessions from the original pcap file into separate pcap files, like this:

    tshark -r original_original.pcap -Y "tcp.stream == X" -w session_X.pcap

Replace X with the desired session number. Repeat this command for each session you want to extract, incrementing X accordingly.

3. Mix up the extracted pcap files: Use a bash script to randomly concatenate the extracted pcap files into a new mixed-up pcap file. Here is an example script (mixup_pcap.sh) that uses the shuf command to shuffle the filenames randomly and then appends them to a new file:

    #!/bin/bash
    output_pcap="mixed_sessions.pcap"
    session_files=(session_*.pcap)

    # Randomly shuffle the session files
    shuffled_files=($(shuf -e "${session_files[@]}"))

    # Concatenate the shuffled pcap files into a new mixed-up pcap file
    for file in "${shuffled_files[@]}"; do
        cat "$file" >> "$output_pcap"
    done

    echo "Mixed-up pcap file created: $output_pcap"
Save the above script to mixup_pcap.sh, make it executable using chmod +x mixup_pcap.sh, and then run it using ./mixup_pcap.sh.

4. Analyze the mixed-up pcap file: You can open the generated mixed-up pcap file (mixed_sessions.pcap) in Wireshark or use Tshark to analyze it further.

Note: Make sure you have Tshark installed on your system to execute the above steps.
Mexanizm456 (41 rep)
Sep 21, 2023, 01:41 PM • Last activity: Sep 21, 2023, 02:52 PM
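An added example, not part of the original post, of why the script above does not produce a readable file and what a working version looks like. `cat` on capture files glues several file headers together; the supported way to append captures in order is `mergecap -a` (append rather than merge by timestamp). The `pcap_concat` function below does the same thing in plain shell for classic pcap files so the mechanics are visible: keep the 24-byte global header of the first file only, append just the packet records of the others, and refuse anything whose magic does not match. Note that `tshark -w` writes pcapng by default, so the per-stream files must be written with `-F pcap` for this to apply (`mergecap` handles both formats). The `make_pcap` helper builds a minimal constructed pcap only so the concatenation can be exercised without tshark; file names are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: extract TCP streams to separate
# classic-pcap files and concatenate them in a random order, correctly.

# list_streams FILE: every TCP stream index present in FILE, one per line.
list_streams() {
    tshark -r "$1" -Y tcp -T fields -e tcp.stream | sort -nu
}

# extract_streams FILE: one classic-pcap file per TCP stream (session_N.pcap).
# -F pcap matters: the default output format is pcapng.
extract_streams() {
    list_streams "$1" | while read -r s; do
        tshark -r "$1" -Y "tcp.stream == $s" -F pcap -w "session_$s.pcap"
    done
}

# pcap_magic FILE: the first four bytes as hex, e.g. "d4c3b2a1".
pcap_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# pcap_concat OUT FILE...: OUT = global header of FILE1 + records of all FILEs.
# Only classic pcap with one and the same magic is accepted: the magic encodes
# byte order and timestamp resolution, and pcapng is a different format.
pcap_concat() {
    out=$1; shift
    magic=$(pcap_magic "$1")
    case $magic in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) ;;
        *) echo "pcap_concat: $1 is not a classic pcap file" >&2; return 1 ;;
    esac
    : > "$out"
    first=1
    for f in "$@"; do
        [ "$(pcap_magic "$f")" = "$magic" ] || { echo "pcap_concat: $f differs from $1" >&2; return 1; }
        if [ "$first" = 1 ]; then
            cat "$f" >> "$out"; first=0
        else
            tail -c +25 "$f" >> "$out"      # skip the 24-byte global header
        fi
    done
}

# shuffled_concat OUT: the session files in random order (shuf is GNU coreutils).
# Equivalent with Wireshark's own tool:  mergecap -a -F pcap -w OUT $(shuf -e session_*.pcap)
shuffled_concat() {
    # shellcheck disable=SC2046
    pcap_concat "$1" $(shuf -e session_*.pcap)
}

# make_pcap OUT PAYLOAD: constructed little-endian pcap (link type 1) holding a
# single record whose data is PAYLOAD (under 256 bytes). Demo input only.
make_pcap() {
    n=$(printf '%s' "$2" | wc -c | tr -d ' ')
    {
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
        printf '\000\000\000\000\000\000\000\000'            # ts_sec, ts_usec
        printf "\\$(printf '%03o' "$n")\\000\\000\\000"      # incl_len
        printf "\\$(printf '%03o' "$n")\\000\\000\\000"      # orig_len
        printf '%s' "$2"
    } > "$1"
}

# Use:  extract_streams original.pcap && shuffled_concat mixed_sessions.pcap
```

Shuffling whole streams this way keeps each session's packets in their original order but puts the streams out of chronological order, so a reader that re-sorts by timestamp (Wireshark's "Sort by time", or `mergecap` without `-a`) will undo the shuffle; keep that in mind if the point is to test a tool's handling of out-of-order captures.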
0 votes
2 answers
48 views
Pinging two PCs and trying to capture ICMPs with third PC
I have a setup of three computers that are all on the same subnet and connected to a switch. All services are reachable. I'm pinging from PC(1) to PC(2). Opening tshark on PC(3), I cannot see packets that are not destined for (or do not have as their source) PC(3). All kinds of capturing software like Wireshark, tcpdump, tshark, etc., even in promiscuous mode, just cannot see traffic that is not destined for the capturing host.
ptiza_v_nebe (83 rep)
Jun 10, 2023, 08:35 AM • Last activity: Jun 10, 2023, 10:50 AM
0 votes
1 answers
304 views
Decoding wireless captures / filters on Linux
I am trying to filter a capture file that was captured by a remote AP. If I pull the file to my laptop I can open it in Wireshark, decode as peekremote and create the display filter EAPOL to get the packets I want. However I have about 100 GB of data on the capture server and I would like to know if I can do this with tshark or another tool on the Linux server directly. Something like this, but this just copies the file; I just want to output the files with the EAP traffic. Does anyone have any thoughts? I am not used to dealing with tshark.

    tshark -r capture-18.pcap -J eapol -w test.pcap
DevilWAH (101 rep)
Feb 3, 2023, 04:08 PM • Last activity: Feb 3, 2023, 08:23 PM
1 votes
1 answers
526 views
-Y and read {src,dst} port and tshark
tshark gets data from an interface or from pcap files. When it reads data from an interface, the user has to write the filter with -f (according to pcap-filter(7)), and when reading from a file the user has to write the filter with -Y (according to wireshark-filter(4)).

**My scenario:** I have to read pcap files, so I have to use wireshark-filter syntax.

I have a src address, dst address, src port and dst port. But I don't know the type of session (TCP or UDP). Wireshark syntax has the following options for port:

    tcp.dstport
    tcp.srcport
    udp.dstport
    udp.srcport
    tcp.port
    udp.port

I don't know whether my packets are TCP or UDP, and I need to write a filter according to dst port and src port. How do I implement this with tshark and -Y?
PersianGulf (11308 rep)
Mar 2, 2022, 10:06 AM • Last activity: Dec 23, 2022, 03:44 PM
1 votes
1 answers
167 views
GeoIP not working when processing PCAP with tshark as su
I am working with lots of PCAP files and trying to convert them into .tsv files for tabular analysis. So I'm using tshark in a Ubuntu 22 VirtualBox machine to dissect each packet. I have a bash command that I use within a for loop to process each PCAP file.
tshark -r "${pcapFile}" -2 \
		-T fields \
		-E separator=/t \
		-E header=y \
		-E quote=d \
		-e frame.time_epoch \
		-e _ws.col.Info \
		-e _ws.col.Protocol \
		-e ip.src \
		-e ip.dst \
		-e ip.proto \
		-e ip.version \
		-e ip.hdr_len \
		-e ip.src_host \
		-e ip.dst_host \
		-e ip.geoip.dst_city \
		-e ip.geoip.dst_country_iso \
		-e ip.geoip.dst_asnum \
		-e ip.geoip.src_city \
		-e ip.geoip.src_country_iso \
		-e ip.geoip.src_asnum \
		-e eth.src \
		-e eth.dst > "${OUTPUT_FOLDER}/$(unknown).tsv"
I'm encountering some strange results.

1. When I run this command as sudo the processing runs *much* faster than when I run without sudo.
2. When I run this command as sudo, the geoip fields are empty, but when I run without sudo they are filled.

I'm hoping to get the best of both worlds here, since I have many pcap files to process and would like it to move quickly, but also, I very much want the geoip information. Why can't I get the geoip fields as sudo and/or why doesn't the processing run as quickly without sudo?

tshark version: 3.6.7-1~ubuntu22.04.0+wiresharkdevstable
wireshark version: 3.6.7-1~ubuntu22.04.0+wiresharkdevstable
System specs: 12 CPU, 24 GB RAM, Ubuntu 22.04
CopyOfA (123 rep)
Dec 22, 2022, 11:50 PM • Last activity: Dec 23, 2022, 03:59 AM
3 votes
1 answers
1681 views
Capture DNS traffic to and from a network namespace using tshark
How can I capture traffic specifically from a network interface inside a network namespace using tshark? In my case, the network interface tun0 is moved into the network namespace called vpn. Normally running tshark -f "port 53" clutters the output because it includes DNS queries from the main interface that the network namespace ends up using. This is my network namespace setup (for what it's worth, this is from the openvpn netns-up script here: http://www.naju.se/articles/openvpn-netns.html)
$ ip netns add vpn
$ ip netns exec vpn ip link set dev lo up
$ ip link set dev tun0 up netns vpn mtu 1500
$ ip netns exec vpn ip addr add dev tun0 "10.14.0.3/16"

$ ip netns exec vpn ip addr add dev tun0 "$ifconfig_ipv6_local"/112

$ ip netns exec vpn ip route add default via 10.14.0.1

$ ip netns exec vpn ip route add default via "$ifconfig_ipv6_remote"
EarthIsHome (295 rep)
Mar 19, 2022, 07:18 PM • Last activity: Mar 19, 2022, 11:56 PM
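An added example, not part of the original post. Because `tun0` lives inside the `vpn` namespace, the capture has to run there too: `ip netns exec vpn tshark -i tun0 ...` gives tshark the namespace's view of the network and nothing else. The second half turns the same tooling on the opposite question a VPN namespace usually raises, whether any DNS is leaving through the main interface instead of the tunnel: it reads a tshark field export of DNS queries from the host side and lists every query whose destination is not one of the resolvers you expect. Namespace name, interface names, the resolver address 10.14.0.1 and the sample lines are assumed or constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: capture inside a network
# namespace, and check for DNS queries that bypass it.

# capture_in_ns NS IFACE: live DNS capture on IFACE as seen from namespace NS
# (needs root; the interface is invisible from the main namespace).
capture_in_ns() {
    ip netns exec "$1" tshark -l -i "$2" -f 'port 53'
}

# dns_export IFACE: one line per DNS query seen on IFACE from the main
# namespace: time, source, destination, query name.
dns_export() {
    tshark -n -l -i "$1" -f 'udp port 53' -Y 'dns.flags.response == 0' \
        -T fields -E separator=/t \
        -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name
}

# dns_leaks RESOLVER...: read dns_export lines and print those whose
# destination is not one of the allowed resolvers.
dns_leaks() {
    allowed=" $* "
    awk -F '\t' -v allowed="$allowed" '
        index(allowed, " " $3 " ") == 0 { printf "%s\t%s -> %s\t%s\n", $1, $2, $3, $4 }'
}

# Constructed sample of dns_export output: two queries that went to the VPN
# resolver and one that went straight to the LAN router's resolver.
sample_dns() {
    printf '1700000000.10\t10.14.0.3\t10.14.0.1\texample.com\n'
    printf '1700000000.20\t192.168.1.20\t192.168.1.1\tupdates.example.net\n'
    printf '1700000000.30\t10.14.0.3\t10.14.0.1\tmail.example.org\n'
}

# Use:
#   capture_in_ns vpn tun0                  # only what goes through the tunnel
#   dns_export eth0 | dns_leaks 10.14.0.1   # anything that did not
```

Run from the main namespace, `dns_export` never sees the tunnel traffic at all, so every line `dns_leaks` prints is a query that left the host unprotected; an empty result over a realistic session is the evidence that the namespace split holds.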
1 votes
0 answers
47 views
Unable to capture node-to-node traffic in a wireless access point
I have created a wireless access point on Ubuntu and I have written a program that parses network traffic obtained via tshark and condenses it into a readable form. I am able to capture traffic going to and from the internet. Now I have three nodes on my network:

- **Node A**: The wireless access point running tshark
- **Node B**: Computer 1
- **Node C**: Computer 2

To create TCP traffic in my network, I used nmap on Node A to scan Node B but I am unable to capture that traffic. Any clue how to do that? I tried putting my network interface card in promiscuous mode but that didn't help.
Abhinav Gupta (33 rep)
Dec 5, 2021, 01:22 PM • Last activity: Dec 5, 2021, 01:40 PM
1 votes
1 answers
716 views
How to find min, max data rate of pcap file
I have a pcap file and I want to find the min and max data rate. I used Capinfos, but it shows only the average data rate. I would like to ask how to do that.
Jess Brown (83 rep)
Feb 20, 2020, 05:22 AM • Last activity: Oct 9, 2021, 12:41 PM
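An added example, not part of the original post. `capinfos` reports one average for the whole file; per-interval numbers come from tshark, either from `-q -z io,stat,1` (a table of frames and bytes per second) or, as below, by exporting `frame.time_epoch` and `frame.len` and binning in awk, which yields min, max and average in bits per second without parsing the table layout and lets you pick any bin width. The capture file name and the sample packet lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: min/max/avg data rate of a
# capture from a tshark field export.

# frame_export FILE: "epoch<TAB>length" per packet.
frame_export() {
    tshark -n -r "$1" -T fields -E separator=/t -e frame.time_epoch -e frame.len
}

# rate_stats [INTERVAL]: read frame_export lines, sum bytes per INTERVAL-second
# bin (default 1) counted from the first packet, and print "min max avg" in
# bits per second. Bins with no packets inside the capture count as 0, which
# is what makes the minimum meaningful for bursty traffic.
rate_stats() {
    awk -F '\t' -v w="${1:-1}" '
        NR == 1 { t0 = $1 }
        { b = int(($1 - t0) / w); bytes[b] += $2; if (b > last) last = b }
        END {
            if (NR == 0) exit 1
            min = -1
            for (i = 0; i <= last; i++) {
                bps = bytes[i] * 8 / w
                if (min < 0 || bps < min) min = bps
                if (bps > max) max = bps
                total += bytes[i]
            }
            printf "%d %d %d\n", min, max, total * 8 / ((last + 1) * w)
        }'
}

# Constructed sample: four 1500-byte packets, bursty, over four seconds.
sample_frames() {
    printf '1700000000.0\t1500\n'
    printf '1700000000.5\t1500\n'
    printf '1700000001.2\t1500\n'
    printf '1700000003.9\t1500\n'
}

# Use:  frame_export capture.pcapng | rate_stats 1
#       frame_export capture.pcapng | rate_stats 0.1    # finer bins, higher peaks
```

The peak depends strongly on the bin width (a 100 ms bin will report a much higher maximum than a 1 s bin for the same burst), so state the interval alongside the numbers.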
5 votes
2 answers
2443 views
How to display the interface name with tshark
I am using tshark to diagnose an asymmetric route problem. I am filtering the traffic so only src/dest to a specific ip is being captured, but I would like to display a field that shows which interface the traffic is going in/out on so I can see the impact as I work with route tables. With Wireshark I can get partway there by displaying the MAC address using **Hardware dest addr** and **Hardware src addr**, but in TShark I can't find that filter. Can anyone suggest a way to display the NIC name, or MAC address with TShark? Here is the tshark command I have tried:

    tshark -i eno1 -i enp5s0 -T fields -E header=y -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info -Y "ip.addr==10.10.10.30"
Bryon (369 rep)
Oct 4, 2020, 10:32 AM • Last activity: Oct 9, 2021, 09:35 AM
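An added example, not part of the original post. `frame.interface_name` (and `frame.interface_id`) give the capture interface of each packet when tshark listens on several interfaces, and `eth.src`/`eth.dst` are the fields Wireshark labels as hardware addresses. The awk part goes one step further for the asymmetric-route diagnosis: it groups packets by host pair and reports every pair whose two directions were seen on different interfaces. The address 10.10.10.30 and interface names are taken from the question; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: show the capture interface and
# MACs per packet, and flag host pairs whose traffic enters and leaves on
# different interfaces.

# route_export IFACE...: packets to/from 10.10.10.30 with interface name,
# MACs and IPs, captured on all the given interfaces at once.
route_export() {
    ifs=""
    for i in "$@"; do ifs="$ifs -i $i"; done
    # shellcheck disable=SC2086
    tshark -n -l $ifs -Y 'ip.addr == 10.10.10.30' -T fields -E separator=/t \
        -e frame.interface_name -e eth.src -e eth.dst -e ip.src -e ip.dst
}

# asymmetric_pairs: read route_export lines and print
# "A <-> B: A->B on X, B->A on Y" for every pair whose two directions used
# different interfaces (the first interface seen per direction is kept).
asymmetric_pairs() {
    awk -F '\t' '
        {
            key = ($4 < $5) ? $4 "~" $5 : $5 "~" $4
            dir = $4 "->" $5
            if (!((key, dir) in iface)) {
                iface[key, dir] = $1
                ndir[key]++
                dirs[key, ndir[key]] = dir
            }
        }
        END {
            for (k in ndir) {
                if (ndir[k] == 2 && iface[k, dirs[k, 1]] != iface[k, dirs[k, 2]]) {
                    split(k, h, "~")
                    printf "%s <-> %s: %s on %s, %s on %s\n", h[1], h[2],
                           dirs[k, 1], iface[k, dirs[k, 1]], dirs[k, 2], iface[k, dirs[k, 2]]
                }
            }
        }'
}

# Constructed sample in the route_export layout: one asymmetric pair
# (request out of eno1, reply back in on enp5s0) and one symmetric pair.
sample_route() {
    printf 'eno1\t00:11:22:33:44:01\t00:11:22:33:44:02\t10.10.10.30\t10.10.20.5\n'
    printf 'enp5s0\t00:11:22:33:44:03\t00:11:22:33:44:04\t10.10.20.5\t10.10.10.30\n'
    printf 'eno1\t00:11:22:33:44:01\t00:11:22:33:44:02\t10.10.10.30\t10.10.30.9\n'
    printf 'eno1\t00:11:22:33:44:02\t00:11:22:33:44:01\t10.10.30.9\t10.10.10.30\n'
}

# Use:  route_export eno1 enp5s0 | asymmetric_pairs
```

The MAC columns are what tell you which router or neighbour handed each packet over; the interface column is what tells you which way the kernel's route table sent it, and changes to the table show up there immediately.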
1 votes
1 answers
395 views
TShark pcap filter command possibly simplified?
Object: to find the IP addresses of HTTP servers in a pcap file with a specific header string. Can or should the -l option to flush be used? One way: the following was done but am wondering if it can be shortened. If this question is too broad, please advise.
tshark -r file.pcap -T fields -e ip.src -e http.server > name.txt &&
  cat name.txt | sort | uniq -c | sort -nr | grep "xxx_xxx"
stonetwigger (113 rep)
Oct 9, 2021, 01:03 AM • Last activity: Oct 9, 2021, 05:58 AM
4 votes
2 answers
506 views
How to gradually encrypt the tshark output file along the capture?
In order to secure a packet capture, which method would you use to make all (or close to all) past captured packets utterly inaccessible unless a given password is given? My habits are

- to mount an ecryptfs partition

      mount -t ecryptfs /srv /srv

- to run tshark with a buffer and save files on the encrypted filesystem /media/

      tshark -B 100k -i wlan0 -w /srv/capture-file.pcap

The problem with this method is that the file capture-file.pcap is only inaccessible once the ecryptfs system is unmounted. **How can I do a capture with no non-encrypted version of the capture on the system at all?**
user196279 (71 rep)
Nov 24, 2016, 02:36 PM • Last activity: Aug 16, 2020, 10:49 AM
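An added example, not part of the original post, of the streaming alternative to an encrypted mount: tshark writes the capture to stdout (`-w -`) and a public-key encryption step writes the only copy that ever touches disk. With `gpg --encrypt` the capture host holds just the recipient's public key, so nothing stored on it can be read back without the private key kept elsewhere; whoever reads the capture later supplies that key, which is the "given password" the question asks for. The ring-buffer options (`-b`) do not apply when writing to stdout, so rotation is done by restarting the pipeline with `-a duration`. Key id, interface and output directory are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: capture straight into a
# public-key encrypted file, with no plaintext copy on disk.

# encrypted_capture IFACE KEY_ID OUTDIR [DURATION]: capture DURATION seconds
# (default 3600) into OUTDIR/capture-<epoch>.pcapng.gpg. Returns 2 on missing
# arguments so a rotation loop can never silently fall back to plaintext.
encrypted_capture() {
    iface=$1 key=$2 outdir=$3 dur=${4:-3600}
    [ -n "$iface" ] && [ -n "$key" ] && [ -n "$outdir" ] || return 2
    out="$outdir/capture-$(date +%s).pcapng.gpg"
    tshark -i "$iface" -a "duration:$dur" -w - |
        gpg --batch --yes --encrypt --recipient "$key" --output "$out"
}

# rotate_forever IFACE KEY_ID OUTDIR: one encrypted file per hour until
# interrupted; stops on the first failure instead of looping on an error.
rotate_forever() {
    while :; do
        encrypted_capture "$1" "$2" "$3" 3600 || return $?
    done
}

# plaintext_check DIR: fail if any unencrypted capture file is lying around,
# a quick way to confirm nothing bypassed the pipeline.
plaintext_check() {
    if find "$1" -type f \( -name '*.pcap' -o -name '*.pcapng' \) | grep -q .; then
        return 1
    fi
    return 0
}

# Read back on the machine that holds the private key:
#   gpg --decrypt capture-1700000000.pcapng.gpg | tshark -r -
```

Packets still pass through tshark's and gpg's memory in clear while the capture runs, so this protects what has been written, not what is in flight; anyone with root on the box during the capture can still read live traffic. That is the same limit the ecryptfs approach has while the filesystem is mounted, but here the on-disk data needs no unmount to become unreadable.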
-1 votes
1 answers
129 views
Can "dumb" ethernet hub device be used for breaking security on Ethernet cable connection?
Many people will still know about those old ethernet "hub"-devices - also called "dumb" device or "Ethernet signal concentrator". Did anyone ever try to "listen to ANY traffic" on such port through an interface in promiscuous mode? Some tcpdump or tshark or wireshark probably can be used for that, right?
Dr. Alexander (370 rep)
Mar 5, 2020, 09:50 PM • Last activity: Mar 6, 2020, 08:16 AM
0 votes
1 answers
155 views
traffic going through lo interface checking every 4 ports
I have noticed that there's **always** traffic going on on my loopback interface. It's not a lot but I don't know where it's coming from and I'd like to stop it. There's a SYN request going from port X to port 9229, then a RST/ACK response. Half a second later I get the same from X+4 to 9229, then X+8 and so on. Is there some service that could be originating it? This is Debian testing... and updated a few days ago.

Update 1: I was able to capture this with netstat:

    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      1 127.0.0.1:60024         127.0.0.1:9229          SYN_SENT    314481/chromium --s

And this process has:

    /usr/lib/chromium/chromium --show-component-extension-options --enable-gpu-rasterization --no-default-browser-check --disable-pings --media-router=0 --enable-remote-extensions --load-extension

What the hell is chromium doing?

Update 2: A HTTP request is sent:
GET /json/version HTTP/1.1
Host: 127.0.0.1:9229
But what is chromium trying to find?
eftshift0 (707 rep)
Feb 4, 2020, 02:31 AM • Last activity: Feb 4, 2020, 02:08 PM
0 votes
1 answers
80 views
Repeat Tshark command when first done
I have this command that I need to repeat forever till I stop it. I have to send a capture to my supplier for VoIP support for an intermittent problem. But 10 MB is taking like five minutes to complete... But it's the format they're asking me for -_- So do you have an idea to make this repeat? Thanks. Running on Debian 9.8, TShark (Wireshark) 2.6.7

    tshark -i any -b filesize:10240 -w /mnt/dav/$(date '+%d%m%Y%H').pcap
Orizon Mobile (1 rep)
Jul 3, 2019, 05:42 PM • Last activity: Jul 3, 2019, 05:52 PM
1 votes
2 answers
199 views
Listen to a folder and modify incoming files on change
I want to convert pcap files to json files using a shell script (and tshark). As soon as one or more new pcap files are copied into a folder, the tshark command should be executed and the resulting json data should be stored in another file (in a different order). As soon as the conversion is finished the pcap file should be deleted. The idea looks something like this:

    while(true){
        wait_for_IN_folder_changed
        tshark -T ek -x -r \in\in.pcap > \out\out.json
        rm \in\in.pcap
    }

It would be best to start the tshark process multithreaded to increase the parallelism and thus the throughput. But would different threads probably get in each other's way here?
mudvayne (11 rep)
May 15, 2019, 08:26 AM • Last activity: Jun 12, 2019, 10:58 AM
3 votes
4 answers
8319 views
Installing latest wireshark impossible?
It looks like installing a later version of Wireshark is near impossible on Red Hat 6. I've searched the web extensively and can't find any questions where someone has said their issue was resolved. I don't care how I do it. Here's what I have tried: yum install wireshark = 3.1.10 not found

```
checking for LIBGNUTLS... no
GnuTLS >= 1.2.0, = 1.1.92... no
libgcrypt not found, disabling ipsec decryption
checking whether to use libnl for various network interface purposes... yes
checking for LIBNL3... no
checking for LIBNL2... no
checking for LIBNL1... no
checking if nl80211.h is new enough... yes
checking for NL80211_SET_CHANNEL... yes
checking for libsmi >= 2... not found
checking for a2x... no
checking for a2x... no
checking for elinks... no
checking for elinks... no
checking for fop... no
checking for fop... no
checking for lynx... /usr/bin/lynx
checking for lynx... yes
checking for w3m... no
checking for w3m... no
checking for xmllint... /usr/bin/xmllint
checking for xmllint... yes
checking for xsltproc... no
checking for xsltproc... no
checking for desktop-file-install... no
checking for pkgproto... no
checking for pkgmk... no
checking for pkgtrans... no
checking for rpm... yes
checking to see if we can redefine _topdir... yes
checking for dpkg-buildpackage... no
checking for xcodebuild... no
checking for hdiutil... no
checking for bless... no
checking whether the compiler fails when given an unknown warning option... yes
checking whether the compiler fails when given an warning option not supported for C++... yes
checking whether we can add -Wall -W to CFLAGS... yes
checking whether we can add -Wall -W to CXXFLAGS... no
./configure: line 22271: test: ) expected, found -W
checking whether we can add -Wextra to CFLAGS... yes
checking whether we can add -Wextra to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wdeclaration-after-statement to CFLAGS... yes
checking whether we can add -Wendif-labels to CFLAGS... yes
checking whether we can add -Wendif-labels to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wpointer-arith to CFLAGS... yes
checking whether we can add -Wpointer-arith to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wno-pointer-sign to CFLAGS... yes
checking whether we can add -Warray-bounds to CFLAGS... yes
checking whether we can add -Warray-bounds to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wformat-security to CFLAGS... yes
checking whether we can add -Wformat-security to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -fwrapv to CFLAGS... yes
checking whether we can add -fwrapv to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -fno-strict-overflow to CFLAGS... yes
checking whether we can add -fno-strict-overflow to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -fno-delete-null-pointer-checks to CFLAGS... yes
checking whether we can add -fno-delete-null-pointer-checks to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wold-style-definition to CFLAGS... yes
checking whether we can add -Wshorten-64-to-32 to CFLAGS... no
checking whether we can add -Wstrict-prototypes to CFLAGS... yes
checking whether we can add -Wjump-misses-init to CFLAGS... no
checking whether we can add -Wvla to CFLAGS... yes
checking whether we can add -Wvla to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Waddress to CFLAGS... yes
checking whether we can add -Waddress to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wattributes to CFLAGS... yes
checking whether we can add -Wattributes to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wdiv-by-zero to CFLAGS... yes
checking whether we can add -Wdiv-by-zero to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wignored-qualifiers to CFLAGS... yes
checking whether we can add -Wignored-qualifiers to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wpragmas to CFLAGS... yes
checking whether we can add -Wpragmas to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wno-overlength-strings to CFLAGS... yes
checking whether we can add -Wno-overlength-strings to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wwrite-strings to CFLAGS... yes
checking whether we can add -Wwrite-strings to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wno-long-long to CFLAGS... yes
checking whether we can add -Wno-long-long to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wc++-compat to CFLAGS... yes
checking whether we can add -Wheader-guard to CFLAGS... no
checking whether we can add -Wheader-guard to CXXFLAGS... no
checking whether we can add -Wshadow to CFLAGS... yes
checking whether -Wshadow warns about variables in function declarations shadowing other variables... no
checking whether we can add -Wlogical-op to CFLAGS... yes
checking whether -Wlogical-op generates warnings from strchr()... yes
checking whether we can add -fexcess-precision=fast to CFLAGS... no
checking whether we can add -fexcess-precision=fast to CXXFLAGS... no
checking whether we can add -fvisibility=hidden to CFLAGS... yes
checking whether we can add -fvisibility=hidden to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -Wl,--as-needed to LDFLAGS... yes
checking whether we can add -fPIE to CFLAGS... yes
checking whether we can add -fPIE to CXXFLAGS... no
configure: WARNING: gcc and  appear to be a mismatched pair
checking whether we can add -fPIE -pie to LDFLAGS... yes
checking whether -D_FORTIFY_SOURCE=... can be used (without generating a warning)... yes
checking whether we should treat compiler warnings as errors... no
checking for platform-specific compiler flags... none needed
checking for platform-specific linker flags... none needed
checking whether make supports nested variables... (cached) yes
checking whether to use /usr/local for headers and libraries... yes
checking for sed... (cached) /bin/sed
checking for GNU sed as first sed in PATH... yes
checking if profile builds must be generated... no
configure: error: Need a working C++ compiler to build Wireshark with Qt
```

I have done a yum install on gcc, bison, flex, qt4-devel and libstdc++.
MikeKulls (164 rep)
Mar 23, 2015, 12:37 AM • Last activity: Apr 16, 2019, 03:35 PM