Difference between revisions of "Wireshark"

From ArchWiki
Jump to: navigation, search
m (Capturing as normal user: the package already creates the wireshark group now)
m (Capturing as normal user: Improved config)
(20 intermediate revisions by 9 users not shown)
Line 1: Line 1:
[[Category:Security (English)]][[Category:Networking (English)]]
+
[[Category:Security]][[Category:Networking]]
{{Stub}}
+
[[fr:Wireshark]]
 +
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
  
==Wireshark==
+
==Installation==
  
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
+
The {{Pkg|wireshark}} package has been split into the CLI version and GTK frontend, which depends on the CLI.
  
 +
CLI version can be [[pacman|installed]] with the package {{Pkg|wireshark-cli}}, available in the [[official repositories]].
  
==Possible problems and how to solve==
+
GTK frontend can be [[pacman|installed]] with the package {{Pkg|wireshark-gtk}}, available in the [[official repositories]].
  
Your wireshark is not working properly and prints out messages like following even when run as root:
+
==Capturing as normal user==
capset(): Operation not permitted
+
  
This is due libcap and wireshark now needs capability kernel module to be loaded.
+
Running Wireshark as root is insecure.
  
 +
Arch Linux uses
 +
[http://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Other_Linux_based_systems_or_other_installation_methods method from Wireshark wiki]
 +
to separate privileges.  When {{Pkg|wireshark-gtk}} is installed, [[PKGBUILD#install|install script]] sets {{ic|/usr/bin/dumpcap}} capabilities.
  
Include it in your MODULES array in rc.conf so it will be automatically loaded in next boot:
+
{{bc|1=
MODULES=(... capability)
+
$ getcap /usr/bin/dumpcap
And load it now with modprobe:
+
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip}}
modprobe capability
+
  
 +
{{ic|/usr/bin/dumpcap}} is the only process that has privileges to
 +
capture packets. {{ic|/usr/bin/dumpcap}} can only be run by root and
 +
members of the {{ic|wireshark}} group.
  
==Capturing as normal user==
+
To use wireshark as a normal user, add user to the wireshark group:
  
* Add yourself to the wireshark group
+
{{bc|# gpasswd -a "username" wireshark}}
# gpasswd -a "username" wireshark
+
  
==A few capturing techniques==
+
Another way is to use [[sudo]] to temporarily change group to
 +
{{ic|wireshark}}. The following line allows all users in the wheel
 +
group to run programs with GID set to wireshark GID:
  
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.
+
{{bc|1=%wheel ALL=(:wireshark) /usr/bin/wireshark, /usr/bin/tshark}}
  
* Filtering TCP packets
+
Then run wireshark with
If you want to see all the current TCP packets, type "tcp" followed by enter into the "Filter" bar.
+
{{bc|$ sudo -g wireshark wireshark}}
  
* Filtering UDP packets
+
==A few capturing techniques==
If you want to see all the current UDP packets, type "udp" followed by enter into the "Filter" bar.
+
  
* Filter packets to a specific IP Address
+
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.
If you would like to see all the traffic going to a specific address, you would enter this into the "Filter" bar.
+
Please remember to replace 127.0.0.1 with the IP address the outgoing traffic is being sent to.
+
  
{{Note|Do not add the number sign in the "Filter" bar as it is not required nor part of the filter syntax.}}
+
{{Note|To learn the filter syntax, see man pcap-filter(7).}}
  
# ip.dst == 1.0.0.1
+
===Filtering TCP packets===
 +
If you want to see all the current TCP packets, type {{ic|tcp}} into the "Filter" bar.
  
If you would like to see all the incoming traffic for a specific address, you would enter this into the "Filter" bar.
+
===Filtering UDP packets===
Please remember to replace 127.0.0.1 with the IP address the incoming traffic is being sent to.
+
If you want to see all the current UDP packets, type {{ic|udp}} into the "Filter" bar.
  
# ip.src == 1.0.0.1
+
===Filter packets to a specific IP Address===
 +
* If you would like to see all the traffic going to a specific address, enter {{ic|<nowiki>ip.dst == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the outgoing traffic is being sent to.
  
==Sources==
+
* If you would like to see all the incoming traffic for a specific address, enter {{ic|<nowiki>ip.src == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the incoming traffic is being sent to.
* Bug [http://bugs.archlinux.org/task/9201 #9101]
+
* [http://wiki.wireshark.org/CaptureSetup/CapturePrivileges Capture Privileges]
+

Revision as of 16:58, 5 November 2012

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

Installation

The wireshark package has been split into the CLI version and GTK frontend, which depends on the CLI.

CLI version can be installed with the package wireshark-cli, available in the official repositories.

GTK frontend can be installed with the package wireshark-gtk, available in the official repositories.

Capturing as normal user

Running Wireshark as root is insecure.

Arch Linux uses method from Wireshark wiki to separate privileges. When wireshark-gtk is installed, install script sets /usr/bin/dumpcap capabilities.

$ getcap /usr/bin/dumpcap 
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

/usr/bin/dumpcap is the only process that has privileges to capture packets. /usr/bin/dumpcap can only be run by root and members of the wireshark group.

To use wireshark as a normal user, add user to the wireshark group:

# gpasswd -a "username" wireshark

Another way is to use sudo to temporarily change group to wireshark. The following line allows all users in the wheel group to run programs with GID set to wireshark GID:

%wheel ALL=(:wireshark) /usr/bin/wireshark, /usr/bin/tshark

Then run wireshark with

$ sudo -g wireshark wireshark

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.

Note: To learn the filter syntax, see man pcap-filter(7).

Filtering TCP packets

If you want to see all the current TCP packets, type tcp into the "Filter" bar.

Filtering UDP packets

If you want to see all the current UDP packets, type udp into the "Filter" bar.

Filter packets to a specific IP Address

  • If you would like to see all the traffic going to a specific address, enter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the IP address the outgoing traffic is being sent to.
  • If you would like to see all the incoming traffic for a specific address, enter ip.src == 1.2.3.4, replacing 1.2.3.4 with the IP address the incoming traffic is being sent to.