Wireshark Capture and Analysis


Kevin Young

Jan 28, 2011, 6:08:52 PM
to securit...@googlegroups.com
When I fire up Wireshark to capture some packets, it doesn't show either ETH0 or ETH1 as valid interfaces. However, as confirmed using ifconfig and dhclient, the interfaces DHCP up fine, have IP addresses, subnet masks, and a gateway address. The system can surf the web and PING systems on the network. The Snort engine and Sguil can see traffic. So the interfaces _are_ working properly.

If I run "/usr/bin/tshark" in a term window it can't find the interface; if I use "sudo /usr/bin/tshark -i ETH0" (or ETH1) it runs fine, so I suspect it's a permission issue when launching the GUI.

I tried writing the tshark output to a file (sudo /usr/bin/tshark -i ETH0 -w capture.cap) and it writes the packets as expected. But I can't open the capture file for analysis in Wireshark again, because the GUI runs at user level and tshark writes as root. Yes, I could push the capture.cap file to a share and open it in Backtrack or on a Windows box, but that defeats the purpose. I could also chmod, chown, chgrp, etc. the capture.cap file. Again, that seems to be the long way around.

Yes, it's Friday...but what am I missing here?

Thoughts from the group?

-Kevin-

Doug Burks

Jan 28, 2011, 10:28:08 PM
to securit...@googlegroups.com
Hi Kevin,

Thanks for using Security Onion!

Wireshark is complex software and, like any complex software, has
bugs. Wireshark has had many vulnerabilities where just viewing
traffic as root could compromise your system. (As a matter of fact,
if you start wireshark using sudo, you'll get a warning to that
effect.) Therefore, it is recommended to run Wireshark as a non-root
user.

If you want to capture packets, you should use a simple tool such as
tcpdump, daemonlogger, or dumpcap. Run your capture tool using sudo
and write to a directory that your non-root user has access to:
sudo tcpdump -w /tmp/test.pcap

Then start wireshark as your non-root user to analyze the resulting pcap:
wireshark /tmp/test.pcap

Please let us know whether or not that helps!

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
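The capture-then-analyze workflow Doug describes, as an added example script that is not from the thread or from the Security Onion project. It assumes a libpcap-based tcpdump that supports -Z (drop to the named user before opening the output file, so the pcap is owned by the analyst rather than root), sudo access, and that Wireshark is launched unprivileged:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: capture with root
# privileges via sudo tcpdump, let tcpdump drop to the non-root analyst
# (-Z) so the savefile is owned by that user, then open it in Wireshark
# as that user. Assumes tcpdump supports -Z and sudo is configured.

# Print the capture command for review or dry runs.
# Args: interface, output file, non-root user, packet count (-c bounds
# the capture so the script terminates).
build_capture_cmd() {
    printf 'sudo tcpdump -i %s -Z %s -c %s -w %s\n' "$1" "$3" "$4" "$2"
}

# Return 0 only if the capture exists as a regular file and the current
# (non-root) user can read it; otherwise explain why and return 1.
pcap_readable() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "no such capture file: $f" >&2; return 1
    fi
    if [ ! -r "$f" ]; then
        echo "not readable by $(id -un): $(ls -l "$f")" >&2; return 1
    fi
    return 0
}

# Run the same command build_capture_cmd prints, verify the result is
# readable, then start Wireshark unprivileged (never "sudo wireshark").
capture_and_open() {
    iface=$1; out=$2; count=${3:-1000}
    user=${SUDO_USER:-$(id -un)}          # analyst account, not root
    mkdir -p "$(dirname "$out")"
    sudo tcpdump -i "$iface" -Z "$user" -c "$count" -w "$out" || return 1
    pcap_readable "$out" || return 1
    wireshark "$out" &
}

# Usage: sh capture.sh eth0 /tmp/test.pcap 500
if [ "$#" -ge 2 ]; then capture_and_open "$@"; fi
```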

bobb.harley

Feb 4, 2011, 8:01:55 PM
to security-onion
In /usr/share/applications/wireshark.desktop change Exec=wireshark to
Exec=gksu wireshark and you can run wireshark from the menu.

- Harley

Doug Burks

Feb 4, 2011, 10:59:09 PM
to securit...@googlegroups.com
Hi Bobb,

Welcome to the Security Onion mailing list and thanks for your
suggestion! However, please keep in mind that by doing so you are
running Wireshark as root and are putting yourself at risk. Please
see my previous reply:
https://groups.google.com/d/msg/security-onion/CXbMgjH1XYg/ksKw2HRB9aIJ

--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
