
Wireshark does not show physical interfaces for capture


Victor Sudakov

Apr 29, 2023, 3:20:05 AM
Dear Colleagues,

My user is a member of the "wireshark" group and can start /usr/bin/dumpcap all right:

$ ls -al /usr/bin/dumpcap
-rwxr-xr-- 1 root wireshark 129696 мар 4 2022 /usr/bin/dumpcap

$ id
uid=1000(vas) gid=1000(vas)
группы=1000(vas),4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),27(sudo),30(dip),44(video),46(plugdev),121(lpadmin),136(lxd),137(sambashare),138(wireshark),1002(admin)

$ /usr/bin/dumpcap
Capturing on 'enp3s0'
File: /tmp/wireshark_enp3s0Y3LW31.pcapng
Packets captured: 126
Packets received/dropped on interface 'enp3s0': 126/0
(pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
$

However when I startup wireshark from the GUI, it does not show the
physical interfaces in the list of interfaces to capture from, so I
cannot really capture anything from the non-root user. When started
via sudo, it does show enp3s0 and other interfaces and can capture.

What am I missing?

--
Victor Sudakov VAS4-RIPE
http://vas.tomsk.ru/
2:5005/49@fidonet

Lee

Apr 29, 2023, 12:00:06 PM
See if the interfaces have been hidden from the GUI. eg
$ grep devices_hide .config/wireshark/preferences
capture.devices_hide: any,nflog,nfqueue,dbus-system,dbus-session

Or check from the GUI:
Capture / Refresh Interfaces
Capture / Options
select the Input tab and click Manage Interfaces
select the Local Interfaces tab and make sure there's a checkmark
under Show for all the physical interface names

Regards,
Lee

Victor Sudakov

Apr 29, 2023, 1:00:06 PM
Lee wrote:
> On 4/29/23, Victor Sudakov <v...@sibptus.ru> wrote:

[dd]

> >
> > However when I startup wireshark from the GUI, it does not show the
> > physical interfaces in the list of interfaces to capture from, so I
> > cannot really capture anything from the non-root user. When started
> > via sudo, it does show enp3s0 and other interfaces and can capture.
> >
> > What am I missing?
>
> See if the interfaces have been hidden from the GUI. eg
> $ grep devices_hide .config/wireshark/preferences
> capture.devices_hide: any,nflog,nfqueue,dbus-system,dbus-session

Nothing much there:

$ grep devices_hide .config/wireshark/preferences
#capture.devices_hide:

>
> Or check from the GUI:
> Capture / Refresh Interfaces

Does not add the NICs to the list.

> Capture / Options
> select the Input tab and click Manage Interfaces
> select the Local Interfaces tab and make sure there's a checkmark
> under Show for all the physical interface names

I don't see any physical interfaces there, this is all I see: https://ibb.co/190ytwv

Victor Sudakov

Apr 29, 2023, 1:10:06 PM
Victor Sudakov wrote:
>
> I don't see any physical interfaces there, this is all I see: https://ibb.co/190ytwv

Sorry I forgot to mention that dumpcap sees the NICs, but the
Wireshark GUI does not:

$ whoami ; dumpcap -D
vas
1. enp3s0
2. any
3. lo (Loopback)
4. bluetooth-monitor
5. nflog
6. nfqueue
7. dbus-system
8. dbus-session
$

Lee

Apr 29, 2023, 1:40:06 PM
On 4/29/23, Victor Sudakov wrote:
> Lee wrote:
>> On 4/29/23, Victor Sudakov wrote:
>
> [dd]
>
>> >
>> > However when I startup wireshark from the GUI, it does not show the
>> > physical interfaces in the list of interfaces to capture from, so I
>> > cannot really capture anything from the non-root user. When started
>> > via sudo, it does show enp3s0 and other interfaces and can capture.
>> >
>> > What am I missing?
>>
>> See if the interfaces have been hidden from the GUI. eg
>> $ grep devices_hide .config/wireshark/preferences
>> capture.devices_hide: any,nflog,nfqueue,dbus-system,dbus-session
>
> Nothing much there:
>
> $ grep devices_hide .config/wireshark/preferences
> #capture.devices_hide:
>
>>
>> Or check from the GUI:
>> Capture / Refresh Interfaces
>
> Does not add the NICs to the list.
>
>> Capture / Options
>> select the Input tab and click Manage Interfaces
>> select the Local Interfaces tab and make sure there's a checkmark
>> under Show for all the physical interface names
>
> I don't see any physical interfaces there, this is all I see:
> https://ibb.co/190ytwv

Have you looked at
https://www.wireshark.org/faq.html#capprobunix

I have a vague memory of having to do
sudo dpkg-reconfigure wireshark-common
a few years ago before I was able to capture packets without using sudo

Regards
Lee

dave...@tuxfamily.org

Apr 29, 2023, 7:10:06 PM
Hello
Good memory, actually. The full steps are

$ sudo dpkg-reconfigure wireshark-common # [1]
Should non-superusers be able to capture packets => Yes

$ sudo usermod -a -G wireshark $USER # [1]
$ newgrp wireshark
$ groups # The output should now include "wireshark" group name

[1] Or execute these commands as root, if sudo is not installed.

>
> Regards
> Lee

Victor Sudakov

May 1, 2023, 7:10:07 AM
Lee wrote:
> >
> >> >
> >> > However when I startup wireshark from the GUI, it does not show the
> >> > physical interfaces in the list of interfaces to capture from, so I
> >> > cannot really capture anything from the non-root user. When started
> >> > via sudo, it does show enp3s0 and other interfaces and can capture.
> >> >
> >> > What am I missing?
> >>
> >> See if the interfaces have been hidden from the GUI. eg
> >> $ grep devices_hide .config/wireshark/preferences
> >> capture.devices_hide: any,nflog,nfqueue,dbus-system,dbus-session
> >
> > Nothing much there:
> >
> > $ grep devices_hide .config/wireshark/preferences
> > #capture.devices_hide:
> >
> >>
> >> Or check from the GUI:
> >> Capture / Refresh Interfaces
> >
> > Does not add the NICs to the list.
> >
> >> Capture / Options
> >> select the Input tab and click Manage Interfaces
> >> select the Local Interfaces tab and make sure there's a checkmark
> >> under Show for all the physical interface names
> >
> > I don't see any physical interfaces there, this is all I see:
> > https://ibb.co/190ytwv
>
> Have you looked at
> https://www.wireshark.org/faq.html#capprobunix

Yes, I have, and I have also read
https://gitlab.com/wireshark/wireshark/-/raw/master/packaging/debian/README.Debian

>
> I have a vague memory of having to do
> sudo dpkg-reconfigure wireshark-common
> a few years ago before I was able to capture packets without using sudo

All this command does IMHO is create the "wireshark" group with sufficient
privileges to capture packets. I clearly remember answering "Yes" to
that question while installing Wireshark.

That is why I wrote in my first mail that dumpcap can list interfaces
and capture packets when run from my account:

$ whoami ; dumpcap -D
vas
1. enp3s0
2. any
3. lo (Loopback)
4. bluetooth-monitor
5. nflog
6. nfqueue
7. dbus-system
8. dbus-session
$


Victor Sudakov

May 1, 2023, 7:20:06 AM
dave...@tuxfamily.org wrote:

[dd]
> >
> > I have a vague memory of having to do
> > sudo dpkg-reconfigure wireshark-common
> > a few years ago before I was able to capture packets without using sudo
>
> Good memory, actually. The full steps are
>
> $ sudo dpkg-reconfigure wireshark-common # [1]
> Should non-superusers be able to capture packets => Yes

This interactive step is performed by "apt install wireshark" actually.

>
> $ sudo usermod -a -G wireshark $USER # [1]
> $ newgrp wireshark

I even did a full logout/login from Mate to make sure my user picks up
the new group.

> $ groups # The output should now include "wireshark" group name

Turns out these steps are not sufficient now.

I wonder if Wireshark uses `dumpcap -D` internally to show the list of
interfaces? I can do this now from my user account:

$ dumpcap -D
1. enp3s0
2. any
3. lo (Loopback)
4. bluetooth-monitor
5. nflog
6. nfqueue
7. dbus-system
8. dbus-session


but still cannot see those interfaces in the Wireshark GUI.
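
The checks this thread walks through (which permission class of /usr/bin/dumpcap applies to the account, which groups `id` reports, and whether an active capture.devices_hide line hides an interface), as an added example that is not part of any post above. The function names, the `--live` switch and the sample values are assumptions made for this sketch; the samples are shortened from the output pasted in the thread, and PREFS is constructed.

```shell
#!/bin/sh
# Added example; samples are shortened or constructed stand-ins for thread output.
ID_OUT='uid=1000(vas) gid=1000(vas) группы=1000(vas),4(adm),138(wireshark)'
LS_OUT='-rwxr-xr-- 1 root wireshark 129696 Mar 4 2022 /usr/bin/dumpcap'
D_OUT='1. enp3s0
2. any
3. lo (Loopback)
4. nflog'
PREFS='capture.devices_hide: any,nflog'   # constructed: an active hide list

# Group names from `id` output; the label is skipped, so localized output parses.
groups_from_id() {
  printf '%s' "$1" | tr '\n' ' ' | awk '{print $3}' | sed 's/^[^=]*=//' |
    tr ',' '\n' | sed -n 's/^[0-9]*(\(.*\))$/\1/p' | paste -sd' ' -
}

# may_exec LS_LINE USER GROUPS: does the applicable permission class carry x?
may_exec() {
  printf '%s\n' "$1" | awk -v u="$2" -v g=" $3 " '{
    pos = (u == $3) ? 4 : (index(g, " " $4 " ") ? 7 : 10)  # owner, group, other
    exit !(substr($1, pos, 1) ~ /[xst]/) }'
}

# is_hidden PREFS_TEXT IFACE: true only for an uncommented devices_hide entry.
is_hidden() {
  list=$(printf '%s\n' "$1" | sed -n 's/^capture\.devices_hide:[[:space:]]*//p')
  case ",$list," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# visible_ifaces DUMPCAP_D_OUTPUT PREFS_TEXT: listed interfaces not hidden.
visible_ifaces() {
  out=""
  for name in $(printf '%s\n' "$1" | awk 'NF >= 2 {print $2}'); do
    is_hidden "$2" "$name" || out="$out $name"
  done
  printf '%s' "${out# }"
}

if [ "${1:-}" = "--live" ]; then   # swap the samples for this machine's output
  ID_OUT=$(id); LS_OUT=$(ls -lL "$(command -v dumpcap)"); D_OUT=$(dumpcap -D)
  PREFS=$(cat "$HOME/.config/wireshark/preferences" 2>/dev/null)
fi
user=$(printf '%s\n' "$ID_OUT" | sed 's/^[^(]*(\([^)]*\)).*/\1/')
may_exec "$LS_OUT" "$user" "$(groups_from_id "$ID_OUT")" \
  && echo "$user may run dumpcap" || echo "$user may NOT run dumpcap"
echo "not hidden: $(visible_ifaces "$D_OUT" "$PREFS")"
```

With the mode shown in the thread (`-rwxr-xr--`, root:wireshark), only root and members of the wireshark group can execute dumpcap, so an account that falls into the "other" class cannot run it at all.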