Difference between revisions of "Wireshark"

From ArchWiki
Jump to: navigation, search
m (Capturing as normal user: Improved config)
(25 intermediate revisions by 10 users not shown)
Line 1: Line 1:
[[Category:Security (English)]][[Category:Networking (English)]]
+
[[Category:Security]][[Category:Networking]]
{{Stub}}
+
[[fr:Wireshark]]
==Possible problems and how to solve==
+
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
  
Your wireshark is not working properly and prints out messages like following even when run as root:
+
==Installation==
capset(): Operation not permitted
 
  
This is due libcap and wireshark now needs capability kernel module to be loaded.
+
The {{Pkg|wireshark}} package has been split into the CLI version and GTK frontend, which depends on the CLI.
  
 +
CLI version can be [[pacman|installed]] with the package {{Pkg|wireshark-cli}}, available in the [[official repositories]].
  
Include it in your MODULES array in rc.conf so it will be automatically loaded in next boot:
+
GTK frontend can be [[pacman|installed]] with the package {{Pkg|wireshark-gtk}}, available in the [[official repositories]].
MODULES=(... capability)
 
And load it now with modprobe:
 
modprobe capability
 
  
 +
==Capturing as normal user==
 +
 +
Running Wireshark as root is insecure.
  
==Capturing as normal user==
+
Arch Linux uses
Running Wireshark as root is not a good thing, and can be dangerous for your system.
+
[http://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Other_Linux_based_systems_or_other_installation_methods method from Wireshark wiki]
To be able to capture as normal user do this (as root):
+
to separate privileges.  When {{Pkg|wireshark-gtk}} is installed, [[PKGBUILD#install|install script]] sets {{ic|/usr/bin/dumpcap}} capabilities.
  
* Make wireshark group
+
{{bc|1=
groupadd wireshark
+
$ getcap /usr/bin/dumpcap
 +
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip}}
  
* Add your self to the wireshark group
+
{{ic|/usr/bin/dumpcap}} is the only process that has privileges to
gpasswd -a "your_username" wireshark
+
capture packets. {{ic|/usr/bin/dumpcap}} can only be run by root and
 +
members of the {{ic|wireshark}} group.
  
* Change permissions for /usr/bin/dumpcap (eventually, you'll have to do this after every update of Wireshark)
+
To use wireshark as a normal user, add user to the wireshark group:
chgrp wireshark /usr/bin/dumpcap
 
chmod 754 /usr/bin/dumpcap
 
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
 
  
 +
{{bc|# gpasswd -a "username" wireshark}}
  
==A few capturing techniques==
+
Another way is to use [[sudo]] to temporarily change group to
 +
{{ic|wireshark}}. The following line allows all users in the wheel
 +
group to run programs with GID set to wireshark GID:
  
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.
+
{{bc|1=%wheel ALL=(:wireshark) /usr/bin/wireshark, /usr/bin/tshark}}
  
* Filtering TCP packets
+
Then run wireshark with
If you want to see all the current TCP packets, type "tcp" followed by enter into the "Filter" bar.
+
{{bc|$ sudo -g wireshark wireshark}}
  
* Filtering UDP packets
+
==A few capturing techniques==
If you want to see all the current UDP packets, type "udp" followed by enter into the "Filter" bar.
 
  
* Filter packets to a specific IP Address
+
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.
If you would like to see all the traffic going to a specific address, you would enter this into the "Filter" bar.
 
Please remember to replace 127.0.0.1 with the IP address the outgoing traffic is being sent to.
 
  
# ip.dst == 1.0.0.1
+
{{Note|To learn the filter syntax, see man pcap-filter(7).}}
  
* Filter packets to a specific IP Address
+
===Filtering TCP packets===
If you would like to see all the incoming traffic for a specific address, you would enter this into the "Filter" bar.
+
If you want to see all the current TCP packets, type {{ic|tcp}} into the "Filter" bar.
Please remember to replace 127.0.0.1 with the IP address the incoming traffic is being sent to.
 
  
# ip.src == 1.0.0.1
+
===Filtering UDP packets===
 +
If you want to see all the current UDP packets, type {{ic|udp}} into the "Filter" bar.
  
 +
===Filter packets to a specific IP Address===
 +
* If you would like to see all the traffic going to a specific address, enter {{ic|<nowiki>ip.dst == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the outgoing traffic is being sent to.
  
==Sources==
+
* If you would like to see all the incoming traffic for a specific address, enter {{ic|<nowiki>ip.src == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the incoming traffic is being sent to.
* Bug [http://bugs.archlinux.org/task/9201 #9101]
 
* [http://wiki.wireshark.org/CaptureSetup/CapturePrivileges Capture Privileges]
 

Revision as of 16:58, 5 November 2012

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

Installation

The wireshark package has been split into the CLI version and GTK frontend, which depends on the CLI.

CLI version can be installed with the package wireshark-cli, available in the official repositories.

GTK frontend can be installed with the package wireshark-gtk, available in the official repositories.

Capturing as normal user

Running Wireshark as root is insecure.

Arch Linux uses method from Wireshark wiki to separate privileges. When wireshark-gtk is installed, install script sets /usr/bin/dumpcap capabilities.

$ getcap /usr/bin/dumpcap 
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

/usr/bin/dumpcap is the only process that has privileges to capture packets. /usr/bin/dumpcap can only be run by root and members of the wireshark group.

To use wireshark as a normal user, add user to the wireshark group:

# gpasswd -a "username" wireshark

Another way is to use sudo to temporarily change group to wireshark. The following line allows all users in the wheel group to run programs with GID set to wireshark GID:

%wheel ALL=(:wireshark) /usr/bin/wireshark, /usr/bin/tshark

Then run wireshark with

$ sudo -g wireshark wireshark

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.

Note: To learn the filter syntax, see man pcap-filter(7).

Filtering TCP packets

If you want to see all the current TCP packets, type tcp into the "Filter" bar.

Filtering UDP packets

If you want to see all the current UDP packets, type udp into the "Filter" bar.

Filter packets to a specific IP Address

  • If you would like to see all the traffic going to a specific address, enter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the IP address the outgoing traffic is being sent to.
  • If you would like to see all the incoming traffic for a specific address, enter ip.src == 1.2.3.4, replacing 1.2.3.4 with the IP address the incoming traffic is being sent to.