Difference between revisions of "Wireshark"

From ArchWiki
(A few capturing techniques: add man page link)
 
(59 intermediate revisions by 33 users not shown)
Line 1: Line 1:
[[Category:Security (English)]][[Category:Networking (English)]]
+
[[Category:Security]]
{{Stub}}
+
[[Category:Networking]]
==Possible problems and how to solve==
+
[[fr:Wireshark]]
 +
[[ja:Wireshark]]
 +
[[pt:Wireshark]]
 +
[[ru:Wireshark]]
 +
[[zh-hans:Wireshark]]
 +
[https://www.wireshark.org/ Wireshark] is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
  
Your wireshark is not working properly and prints out messages like following even when run as root:
+
==Installation==
capset(): Operation not permitted
 
  
This is due libcap and wireshark now needs capability kernel module to be loaded.
+
Wireshark's default interface uses Qt, the GTK+ interface is deprecated and might be removed in the future.
  
 +
[[Install]] {{pkg|wireshark-qt}} or {{pkg|wireshark-gtk}} when you prefer the GTK+ interface.
  
Include it in your MODULES array in rc.conf so it will be automatically loaded in next boot:
+
Both frontends depend on the {{pkg|wireshark-cli}} package that provides the {{ic|tshark}} CLI.
MODULES=(... capability)
 
And load it now with modprobe:
 
modprobe capability
 
  
 +
== Capturing as normal user ==
  
==Capturing as normal user==
+
Do not run Wireshark as root, it is insecure. Wireshark has implemented privilege separation. [https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes]
Running Wireshark as root is not a good thing, and can be dangerous for your system.
 
To be able to capture as normal user do this (as root):
 
  
* Make wireshark group
+
The {{Pkg|wireshark-cli}} [[PKGBUILD#install|install script]] sets packet capturing [[capabilities]] on the {{ic|/usr/bin/dumpcap}} executable.
groupadd wireshark
 
  
* Add your self to the wireshark group
+
{{ic|/usr/bin/dumpcap}} can only be executed by root and members of the {{ic|wireshark}} group.
gpasswd -a "your_username" wireshark
 
  
* Change permissions for /usr/bin/dumpcap (eventually, you'll have to do this after every update of Wireshark)
+
Therefore to use Wireshark as a normal user you just have to add your user to the {{ic|wireshark}} [[group]]:
chgrp wireshark /usr/bin/dumpcap
 
chmod 754 /usr/bin/dumpcap
 
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
 
  
 +
sudo gpasswd -a $USER wireshark
 +
 +
Re-login to apply the change or use {{ic|newgrp wireshark}} to open a shell with the new group and start Wireshark from there.
  
 
==A few capturing techniques==
 
==A few capturing techniques==
  
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying filters.
+
There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying [https://wiki.wireshark.org/CaptureFilters capture filters] or [https://wiki.wireshark.org/DisplayFilters display filters].
  
* Filtering TCP packets
+
{{Note|To learn the capture filter syntax, see {{man|7|pcap-filter}}. For display filters, see {{man|4|wireshark-filter}}.}}
If you want to see all the current TCP packets, type "tcp" followed by enter into the "Filter" bar.
 
  
* Filtering UDP packets
+
===Filtering TCP packets===
If you want to see all the current UDP packets, type "udp" followed by enter into the "Filter" bar.
+
If you want to see all the current TCP packets, type {{ic|tcp}} into the "Filter" bar or in the CLI, enter:
  
* Filter packets to a specific IP Address
+
  $ tshark -f "tcp"
  If you would like to see all the traffic going to a specific address, you would enter this into the "Filter" bar.
 
Please remember to replace 127.0.0.1 with the IP address the outgoing traffic is being sent to.
 
  
# ip.dst == 1.0.0.1
+
===Filtering UDP packets===
 +
If you want to see all the current UDP packets, type {{ic|udp}} into the "Filter" bar or in the CLI, enter:
  
* Filter packets to a specific IP Address
+
  $ tshark -f "udp"
  If you would like to see all the incoming traffic for a specific address, you would enter this into the "Filter" bar.
 
Please remember to replace 127.0.0.1 with the IP address the incoming traffic is being sent to.
 
  
# ip.src == 1.0.0.1
+
===Filter packets to a specific IP Address===
 +
* If you would like to see all the traffic going to a specific address, enter display filter {{ic|<nowiki>ip.dst == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the outgoing traffic is being sent to.
  
 +
* If you would like to see all the incoming traffic for a specific address, enter display filter {{ic|<nowiki>ip.src == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the IP address the incoming traffic is being sent to.
  
==Sources==
+
* If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter {{ic|<nowiki>ip.addr == 1.2.3.4</nowiki>}}, replacing {{ic|1.2.3.4}} with the relevant IP address.
* Bug [http://bugs.archlinux.org/task/9201 #9101]
 
* [http://wiki.wireshark.org/CaptureSetup/CapturePrivileges Capture Privileges]
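Review bot: In the added "Filter packets to a specific IP Address" list, the ip.src item describes 1.2.3.4 as "the IP address the incoming traffic is being sent to", which repeats the destination wording of the ip.dst item. ip.src matches a packet's source address, so that item should name the address the traffic comes from. Separately, the added TCP and UDP sections offer the "Filter" bar (a display filter) and tshark -f (a capture filter) as equivalents; the two syntaxes happen to coincide for tcp and udp but not for the ip.dst, ip.src and ip.addr examples, so each command should state which kind of filter it takes.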
 

Latest revision as of 00:35, 26 December 2017

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Installation

Wireshark's default interface uses Qt; the GTK+ interface is deprecated and might be removed in the future.

Install wireshark-qt, or wireshark-gtk if you prefer the GTK+ interface.

Both frontends depend on the wireshark-cli package that provides the tshark CLI.

Capturing as normal user

Do not run Wireshark as root; it is insecure. Wireshark has implemented privilege separation. [1]

The wireshark-cli install script sets packet capturing capabilities on the /usr/bin/dumpcap executable.

/usr/bin/dumpcap can only be executed by root and members of the wireshark group.

Therefore, to use Wireshark as a normal user, you only have to add your user to the wireshark group:

sudo gpasswd -a $USER wireshark

Re-login to apply the change or use newgrp wireshark to open a shell with the new group and start Wireshark from there.
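
One way to verify the setup described above after an install or update, as an added example that is not part of the ArchWiki page: it checks that dumpcap is not executable by other users, belongs to the wireshark group and carries capture capabilities. It assumes GNU stat and libcap's getcap are installed; the capability names cap_net_raw and cap_net_admin are the ones an older revision of this page set by hand, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the dumpcap privilege-separation setup.
# Assumptions: GNU stat and getcap (libcap) are available.
# Run the audit with:  sh audit-dumpcap.sh --run

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}

# mode_ok MODE: succeed if "other" has no execute bit (750 or 754, not 755).
mode_ok() {
    other=${1#"${1%?}"}          # last octal digit = permissions for "other"
    [ $((other & 1)) -eq 0 ]
}

# caps_ok "GETCAP OUTPUT": succeed if both capture capabilities are present.
# Substring matching accepts both getcap formats:
#   "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"   (newer libcap)
#   "/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip" (older libcap)
caps_ok() {
    case $1 in *cap_net_raw*) ;; *) return 1 ;; esac
    case $1 in *cap_net_admin*) ;; *) return 1 ;; esac
}

# in_group "SPACE-SEPARATED GROUPS" GROUP: succeed on an exact name match.
in_group() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

audit_dumpcap() {
    rc=0
    info=$(stat -c '%a %U %G' "$DUMPCAP") || return 2
    set -- $info                 # $1=mode  $2=owner  $3=group
    mode_ok "$1" || { echo "FAIL: mode $1 lets any user execute $DUMPCAP"; rc=1; }
    [ "$3" = wireshark ] || { echo "FAIL: group is $3, expected wireshark"; rc=1; }
    caps_ok "$(getcap "$DUMPCAP")" || { echo "FAIL: capture capabilities missing"; rc=1; }
    # id -nG shows the groups of the current session, so a user added with
    # gpasswd still appears as missing until re-login or newgrp.
    in_group "$(id -nG)" wireshark || echo "NOTE: $(id -un) is not in group wireshark in this session"
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    audit_dumpcap
fi
```

A non-zero exit status means the binary itself is misconfigured; the group note alone does not fail the audit.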

A few capturing techniques

There are a number of different ways to capture exactly what you are looking for in Wireshark, by applying capture filters or display filters.

Note: To learn the capture filter syntax, see pcap-filter(7). For display filters, see wireshark-filter(4).

Filtering TCP packets

If you want to see all the current TCP packets, type tcp into the "Filter" bar or, in the CLI, enter:

$ tshark -f "tcp"

Filtering UDP packets

If you want to see all the current UDP packets, type udp into the "Filter" bar or, in the CLI, enter:

$ tshark -f "udp"

Filter packets to a specific IP Address

  • If you would like to see all the traffic going to a specific address, enter display filter ip.dst == 1.2.3.4, replacing 1.2.3.4 with the IP address the outgoing traffic is being sent to.
  • If you would like to see all the incoming traffic for a specific address, enter display filter ip.src == 1.2.3.4, replacing 1.2.3.4 with the IP address the incoming traffic is being sent to.
  • If you would like to see all the incoming and outgoing traffic for a specific address, enter display filter ip.addr == 1.2.3.4, replacing 1.2.3.4 with the relevant IP address.