Difference between revisions of "Wireshark"

From ArchWiki
Jump to: navigation, search
m (Capturing as normal user: Improved config)
(25 intermediate revisions by 10 users not shown)
Line 1: Line 1:
[[Category:Security (English)]][[Category:Networking (English)]]
+
[[Category:Security]][[Category:Networking]]
{{Stub}}
+
[[fr:Wireshark]]
==Possible problems and how to solve==
+
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
  
Your wireshark is not working properly and prints out messages like following even when run as root:
+
==Installation==
capset(): Operation not permitted
+
  
This is due libcap and wireshark now needs capability kernel module to be loaded.
+
The {{Pkg|wireshark}} package has been split into the CLI version and GTK frontend, which depends on the CLI.
  
 +
CLI version can be [[pacman|installed]] with the package {{Pkg|wireshark-cli}}, available in the [[official repositories]].
  
Include it in your MODULES array in rc.conf so it will be automatically loaded in next boot:
+
GTK frontend can be [[pacman|installed]] with the package {{Pkg|wireshark-gtk}}, available in the [[official repositories]].
MODULES=(... capability)
+
And load it now with modprobe:
+
modprobe capability
+
 
+
  
 
==Capturing as normal user==
 
==Capturing as normal user==
Running Wireshark as root is not a good thing, and can be dangerous for your system.
 
To be able to capture as normal user do this (as root):
 
  
* Make wireshark group
+
Running Wireshark as root is insecure.
groupadd wireshark
+
  
* Add your self to the wireshark group
+
Arch Linux uses
  gpasswd -a "your_username" wireshark
+
[http://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Other_Linux_based_systems_or_other_installation_methods method from Wireshark wiki]
 +
to separate privileges. When {{Pkg|wireshark-gtk}} is installed, [[PKGBUILD#install|install script]] sets {{ic|/usr/bin/dumpcap}} capabilities.
  
* Change permissions for /usr/bin/dumpcap (eventually, you'll have to do this after every update of Wireshark)
+
{{bc|1=
chgrp wireshark /usr/bin/dumpcap
+
$ getcap /usr/bin/dumpcap  
chmod 754 /usr/bin/dumpcap
+
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip}}
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
+
  
 +
{{ic|/usr/bin/dumpcap}} is the only process that has privileges to
 +
capture packets. {{ic|/usr/bin/dumpcap}} can only be run by root and
 +
members of the {{ic|wireshark}} group.
  
==A few capturing techniques==
+
To use wireshark as a normal user, add user to the wireshark group:
  
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.
+
{{bc|# gpasswd -a "username" wireshark}}
  
* Filtering TCP packets
+
Another way is to use [[sudo]] to temporarily change group to
If you want to see all the current TCP packets, type "tcp" followed by enter into the "Filter" bar.
+
{{ic|wireshark}}. The following line allows all users in the wheel
 +
group to run programs with GID set to wireshark GID:
  
* Filtering UDP packets
+
{{bc|1=%wheel ALL=(:wireshark) /usr/bin/wireshark, /usr/bin/tshark}}
If you want to see all the current UDP packets, type "udp" followed by enter into the "Filter" bar.
+
  
* Filter packets to a specific IP Address
+
Then run wireshark with
If you would like to see all the traffic going to a specific address, you would enter this into the "Filter" bar.
+
{{bc|$ sudo -g wireshark wireshark}}
Please remember to replace 127.0.0.1 with the IP address the outgoing traffic is being sent to.
+
 
 +
==A few capturing techniques==
 +
 
 +
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.
  
# ip.dst == 1.0.0.1
+
{{Note|To learn the filter syntax, see man pcap-filter(7).}}
  
* Filter packets to a specific IP Address
+
===Filtering TCP packets===
If you would like to see all the incoming traffic for a specific address, you would enter this into the "Filter" bar.
+
If you want to see all the current TCP packets, type {{ic|tcp}} into the "Filter" bar.
Please remember to replace 127.0.0.1 with the IP address the incoming traffic is being sent to.
+
  
# ip.src == 1.0.0.1
+
===Filtering UDP packets===
 +
If you want to see all the current UDP packets, type {{ic|udp}} into the "Filter" bar.
  
 +
===Filter packets to a specific IP Address===
 +
* If you would like to see all the traffic going to a specific address, enter {{ic|<nowiki>ip.dst == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the outgoing traffic is being sent to.
  
==Sources==
+
* If you would like to see all the incoming traffic for a specific address, enter {{ic|<nowiki>ip.src == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the incoming traffic is being sent to.
* Bug [http://bugs.archlinux.org/task/9201 #9101]
+
* [http://wiki.wireshark.org/CaptureSetup/CapturePrivileges Capture Privileges]
+

Revision as of 16:58, 5 November 2012

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

Installation

The wireshark package has been split into the CLI version and GTK frontend, which depends on the CLI.

CLI version can be installed with the package wireshark-cli, available in the official repositories.

GTK frontend can be installed with the package wireshark-gtk, available in the official repositories.

Capturing as normal user

Running Wireshark as root is insecure.

Arch Linux uses method from Wireshark wiki to separate privileges. When wireshark-gtk is installed, install script sets /usr/bin/dumpcap capabilities.

$ getcap /usr/bin/dumpcap 
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

/usr/bin/dumpcap is the only process that has privileges to capture packets. /usr/bin/dumpcap can only be run by root and members of the wireshark group.

To use wireshark as a normal user, add user to the wireshark group:

# gpasswd -a "username" wireshark

Another way is to use sudo to temporarily change group to wireshark. The following line allows all users in the wheel group to run programs with GID set to wireshark GID:

%wheel ALL=(:wireshark) /usr/bin/wireshark, /usr/bin/tshark

Then run wireshark with

$ sudo -g wireshark wireshark

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.

Note: To learn the filter syntax, see man pcap-filter(7).

Filtering TCP packets

If you want to see all the current TCP packets, type tcp into the "Filter" bar.

Filtering UDP packets

If you want to see all the current UDP packets, type udp into the "Filter" bar.

Filter packets to a specific IP Address

  • If you would like to see all the traffic going to a specific address, enter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the IP address the outgoing traffic is being sent to.
  • If you would like to see all the incoming traffic for a specific address, enter ip.src == 1.2.3.4, replacing 1.2.3.4 with the IP address the incoming traffic is being sent to.