Difference between revisions of "Wireshark"

From ArchWiki
Jump to: navigation, search
(Capturing as normal user: newgrp does *not* apply newly added groups, it changes the default GID; see Users and groups)
 
(65 intermediate revisions by 33 users not shown)
Line 1: Line 1:
[[Category:Security (English)]][[Category:Networking (English)]]
+
[[Category:Security]]
{{Stub}}
+
[[Category:Networking]]
==Possible problems and how to solve==
+
[[fr:Wireshark]]
 +
[[ja:Wireshark]]
 +
[[pt:Wireshark]]
 +
[[ru:Wireshark]]
 +
[[zh-hans:Wireshark]]
 +
[https://www.wireshark.org/ Wireshark] is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
  
Your wireshark is not working properly and prints out messages like following even when run as root:
+
==Installation==
capset(): Operation not permitted
 
  
This is due libcap and wireshark now needs capability kernel module to be loaded.
+
[[Install]] the {{pkg|wireshark-qt}} package for the Wireshark GUI or {{pkg|wireshark-cli}} for just the {{ic|tshark}} CLI.
  
 +
For the deprecated GTK+ interface, install the {{pkg|wireshark-gtk}} package. Note that this package will be removed in the future (Wireshark 3.0).
  
Include it in your MODULES array in rc.conf so it will be automatically loaded in next boot:
+
== Capturing as normal user ==
MODULES=(... capability)
 
And load it now with modprobe:
 
modprobe capability
 
  
 +
Do not run Wireshark as root, it is insecure. Wireshark has implemented privilege separation. [https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes]
  
==Capturing as normal user==
+
The {{Pkg|wireshark-cli}} [[PKGBUILD#install|install script]] sets packet capturing [[capabilities]] on the {{ic|/usr/bin/dumpcap}} executable.
Running Wireshark as root is not a good thing, and can be dangerous for your system.
 
To be able to capture as normal user do this (as root):
 
  
* Make wireshark group
+
{{ic|/usr/bin/dumpcap}} can only be executed by root and members of the {{ic|wireshark}} group.
groupadd wireshark
 
  
* Add your self to the wireshark group
+
{{Remove|Duplicates [[Users and groups]].}}
gpasswd -a "your_username" wireshark
 
  
* Change permissions for /usr/bin/dumpcap (eventually, you'll have to do this after every update of Wireshark)
+
Therefore to use Wireshark as a normal user you just have to add your user to the {{ic|wireshark}} [[group]]:
chgrp wireshark /usr/bin/dumpcap
 
chmod 754 /usr/bin/dumpcap
 
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
 
  
 +
# gpasswd -a ''username'' wireshark
 +
 +
Re-login to apply the change.
  
 
==A few capturing techniques==
 
==A few capturing techniques==
  
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.
+
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying [https://wiki.wireshark.org/CaptureFilters capture filters] or [https://wiki.wireshark.org/DisplayFilters display filters].
  
* Filtering TCP packets
+
{{Note|To learn the capture filter syntax, see {{man|7|pcap-filter}}. For display filters, see {{man|4|wireshark-filter}}.}}
If you want to see all the current TCP packets, type "tcp" followed by enter into the "Filter" bar.
 
  
* Filtering UDP packets
+
===Filtering TCP packets===
If you want to see all the current UDP packets, type "udp" followed by enter into the "Filter" bar.
+
If you want to see all the current TCP packets, type {{ic|tcp}} into the "Filter" bar or in the CLI, enter:
  
* Filter packets to a specific IP Address
+
  $ tshark -f "tcp"
  If you would like to see all the traffic going to a specific address, you would enter this into the "Filter" bar.
 
Please remember to replace 127.0.0.1 with the IP address the outgoing traffic is being sent to.
 
  
# ip.dst == 1.0.0.1
+
===Filtering UDP packets===
 +
If you want to see all the current UDP packets, type {{ic|udp}} into the "Filter" bar or in the CLI, enter:
  
* Filter packets to a specific IP Address
+
  $ tshark -f "udp"
  If you would like to see all the incoming traffic for a specific address, you would enter this into the "Filter" bar.
 
Please remember to replace 127.0.0.1 with the IP address the incoming traffic is being sent to.
 
  
# ip.src == 1.0.0.1
+
===Filter packets to a specific IP Address===
 +
* If you would like to see all the traffic going to a specific address, enter display filter {{ic|<nowiki>ip.dst == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the outgoing traffic is being sent to.
  
 +
* If you would like to see all the incoming traffic for a specific address, enter display filter {{ic|<nowiki>ip.src == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the incoming traffic is being sent to.
  
==Sources==
+
* If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter {{ic|<nowiki>ip.addr == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the relevant IP address.
* Bug [http://bugs.archlinux.org/task/9201 #9101]
 
* [http://wiki.wireshark.org/CaptureSetup/CapturePrivileges Capture Privileges]
 

Latest revision as of 20:22, 7 August 2018

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Installation

Install the wireshark-qt package for the Wireshark GUI or wireshark-cli for just the tshark CLI.

For the deprecated GTK+ interface, install the wireshark-gtk package. Note that this package will be removed in the future (Wireshark 3.0).

Capturing as normal user

Do not run Wireshark as root, it is insecure. Wireshark has implemented privilege separation. [1]

The wireshark-cli install script sets packet capturing capabilities on the /usr/bin/dumpcap executable.

/usr/bin/dumpcap can only be executed by root and members of the wireshark group.

Tango-edit-cut.pngThis section is being considered for removal.Tango-edit-cut.png

Reason: Duplicates Users and groups. (Discuss in Talk:Wireshark#)

Therefore to use Wireshark as a normal user you just have to add your user to the wireshark group:

# gpasswd -a username wireshark

Re-login to apply the change.

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters.

Note: To learn the capture filter syntax, see pcap-filter(7). For display filters, see wireshark-filter(4).

Filtering TCP packets

If you want to see all the current TCP packets, type tcp into the "Filter" bar or in the CLI, enter:

$ tshark -f "tcp"

Filtering UDP packets

If you want to see all the current UDP packets, type udp into the "Filter" bar or in the CLI, enter:

$ tshark -f "udp"

Filter packets to a specific IP Address

  • If you would like to see all the traffic going to a specific address, enter display filter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the IP address the outgoing traffic is being sent to.
  • If you would like to see all the incoming traffic for a specific address, enter display filter ip.src == 1.2.3.4, replacing 1.2.3.4 with the IP address the incoming traffic is being sent to.
  • If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter ip.addr == 1.2.3.4, replacing 1.2.3.4 with the relevant IP address.