From: Merciadri Luca on
Hi,

As stated in the title, I would like to launch wireshark without having
to do it as root. I tried being root, but wireshark told me this was
disadvised (astonishing, huh?). The problem is that if I launch it as a
user, it does not detect any interface. How can I give it rights for
the interfaces, but not su rights?

Thanks.

--
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
I use PGP. If there is an incompatibility problem with your mail
client, please contact me.


The biggest mistake people make in life is not trying to make a living
at doing what they most enjoy. (Malcolm Forbes)
The teacher has not taught, until the student has learned.

From: Merciadri Luca on
Celejar wrote:
> On Fri, 25 Jun 2010 16:46:52 +0200
> Merciadri Luca <Luca.Merciadri(a)student.ulg.ac.be> wrote:
>
>
>
> /usr/share/doc/wireshark-common/README.Debian discusses wireshark and
> necessary privileges. This came up a while back on the lists, and
> someone said that this README, while in Sid, is not in earlier Debian
> versions.
>
I had already read it, but here is what it gives me:

==
Warning!

Using the != operator on combined expressions like: eth.addr, ip.addr,
tcp.port, udp.port and alike will probably not work as expected!

Often people use a filter string to display something like
ip.addr == 1.2.3.4
which will display all packets containing the IP address 1.2.3.4.

Then they use ip.addr != 1.2.3.4 to see all packets not containing the
IP address 1.2.3.4 in it. Unfortunately, this does not do the expected.
Instead, that expression will even be true for packets where either source
or destination IP address equals 1.2.3.4. The reason for this, is that the
expression ip.addr != 1.2.3.4 must be read as "the packet contains a field
named ip.addr with a value different from 1.2.3.4". As an IP datagram
contains both a source and a destination address, the expression will
evaluate to true whenever at least one of the two addresses differs from
1.2.3.4.
If you want to filter out all packets containing IP datagrams to or from
IP address 1.2.3.4, then the correct filter is !(ip.addr == 1.2.3.4) as it
reads "show me all the packets for which it is not true that a field named
ip.addr exists with a value of 1.2.3.4", or in other words, "filter out all
packets for which there are no occurrences of a field named ip.addr with the
value 1.2.3.4".
==

This README does not solve my issue (or, if it should, I might be
misunderstanding it). :(

--
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
I use PGP. If there is an incompatibility problem with your mail
client, please contact me.


What we do for ourselves dies with us. What we do for others and the
world remains and is immortal. (Albert Pine)
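The README excerpt quoted above is about display filter semantics, not privileges, but the point it makes is easy to get wrong in practice: ip.addr occurs twice in every IP packet, and a comparison is true as soon as any occurrence satisfies it. The following Python model is an added example, not code from the README, from Wireshark or from anyone in this thread. Packet, occurrences() and the filter functions are this example's own constructions. It goes one step beyond the README by also modelling the "all occurrences differ" semantics that newer Wireshark releases expose as the !== (all_ne) operator; treating that operator as false when the field is absent is an assumption of this example.

```python
# Added example (not from the quoted README or this thread): a minimal model
# of how Wireshark evaluates comparison operators on a field that occurs more
# than once in a packet. ip.addr occurs twice (source and destination), which
# is what makes "ip.addr != X" behave unexpectedly.
# Packet, occurrences() and the filter functions are this example's own
# constructions, not Wireshark's API.

from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: Optional[str]   # None models a frame with no IP header (e.g. ARP)
    dst: Optional[str]

    def occurrences(self, field: str) -> List[str]:
        """Every value the named field takes in this packet."""
        if self.src is None or self.dst is None:
            return []                    # no ip.* fields at all
        if field == "ip.addr":           # matches src AND dst
            return [self.src, self.dst]
        if field == "ip.src":
            return [self.src]
        if field == "ip.dst":
            return [self.dst]
        return []                        # field absent from this packet


def field_eq(pkt: Packet, field: str, value: str) -> bool:
    """field == value: true if ANY occurrence equals value."""
    return any(v == value for v in pkt.occurrences(field))


def field_ne(pkt: Packet, field: str, value: str) -> bool:
    """field != value: true if ANY occurrence differs from value.
    A packet from X to Y has an occurrence (Y) that differs from X,
    so "ip.addr != X" still matches it."""
    return any(v != value for v in pkt.occurrences(field))


def not_field_eq(pkt: Packet, field: str, value: str) -> bool:
    """!(field == value): true only if NO occurrence equals value.
    This is the filter the README recommends."""
    return not field_eq(pkt, field, value)


def field_all_ne(pkt: Packet, field: str, value: str) -> bool:
    """Beyond the README: "all occurrences differ" semantics, which newer
    Wireshark releases expose as the !== (all_ne) operator. Modelled here
    as false when the field is absent (an assumption of this example), so
    unlike !(field == value) it does not show non-IP frames."""
    occ = pkt.occurrences(field)
    return bool(occ) and all(v != value for v in occ)


# Constructed sample traffic: packets 1 and 2 involve 1.2.3.4, packet 3 does
# not, and packet 4 carries no IP header at all.
SAMPLE = [
    Packet("1.2.3.4", "10.0.0.1"),
    Packet("10.0.0.1", "1.2.3.4"),
    Packet("10.0.0.1", "10.0.0.2"),
    Packet(None, None),
]


def apply_filter(pred: Callable[[Packet, str, str], bool],
                 packets: List[Packet],
                 field: str = "ip.addr", value: str = "1.2.3.4") -> List[Packet]:
    """Return the packets a display filter built from pred would show."""
    return [p for p in packets if pred(p, field, value)]


if __name__ == "__main__":
    for label, pred in (("ip.addr == 1.2.3.4", field_eq),
                        ("ip.addr != 1.2.3.4", field_ne),
                        ("!(ip.addr == 1.2.3.4)", not_field_eq),
                        ("ip.addr !== 1.2.3.4", field_all_ne)):
        shown = apply_filter(pred, SAMPLE)
        print(f"{label:24} shows {len(shown)} of {len(SAMPLE)} packets")
```

Running it shows the README's point concretely: `ip.addr != 1.2.3.4` keeps all three IP packets, including the two that involve 1.2.3.4, whereas `!(ip.addr == 1.2.3.4)` keeps only the traffic that never mentions that address (and, being a negation of "field exists with value", it also keeps the non-IP frame).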

From: Merciadri Luca on
Celejar wrote:
> [Please don't cc. me.]
>
> On Fri, 25 Jun 2010 21:29:50 +0200
> Merciadri Luca <Luca.Merciadri(a)student.ulg.ac.be> wrote:
>
>
>
> Different README; mine doesn't have that stuff, but:
>
> I. Capturing packets with Wireshark/Tshark
>
> There are two ways of installing Wireshark/Tshark on Debian:
>
> I./a. Installing dumpcap and allowing non-root users to capture packets
>
> Members of the wireshark group will be able to capture packets on network
> interfaces. This is the preferred way of installation if Wireshark/Tshark
> will be used for capturing and displaying packets at the same time, since
> that way only the dumpcap process has to be run with elevated privileges
> thanks to the privilege separation[1].
>
> Note that no user will be added to group wireshark automatically; the
> system administrator has to add them manually.
>
> The additional privileges are provided using the Linux Capabilities
> system where possible or using the set-user-id bit, where the Linux
> Capabilities are not present (Debian GNU/kFreeBSD, Debian GNU/Hurd).
>
> Linux kernels provided by Debian support Linux Capabilities, but custom
> built kernels may lack this support. If the support for Linux
> Capabilities is not present at the time of installing wireshark-common
> package, the installer will fall back to set the set-user-id bit to
> allow non-root users to capture packets.
>
> If installation succeeds with using Linux Capabilities, non-root users
> will not be able to capture packets while running kernels not supporting
> Linux Capabilities.
>
> I./b. Installing dumpcap without allowing non-root users to capture packets
>
> Only the root user will be able to capture packets. It is advised to
> capture packets with the bundled dumpcap program as root and then run
> Wireshark/Tshark as an ordinary user to analyze the captured logs. [2]
>
>
> The installation method can be changed any time by running:
> dpkg-reconfigure wireshark-common
>
Thanks. Exactly what I wanted.

--
Merciadri Luca
See http://www.student.montefiore.ulg.ac.be/~merciadri/
I use PGP. If there is an incompatibility problem with your mail
client, please contact me.


The eyes are the window of the soul.
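The README Celejar quoted describes two mechanisms behind non-root capture on Debian: file capabilities on dumpcap where the kernel supports them, and the set-user-id bit as a fallback, in both cases gated by membership in the wireshark group. The following Python script is an added example, not code from the README, from Debian's wireshark-common package or from anyone in this thread; it reports which mechanism is in effect and whether a user is in the group. /usr/bin/dumpcap and the getcap command are the usual Debian names (an assumption of this example), and the parsing functions take raw text so they also run on constructed input without dumpcap installed.

```python
# Added example, not from the README or this thread: report how dumpcap has
# been given capture rights on a Debian-style system (Linux capabilities, the
# set-user-id fallback, or neither) and whether a given user is in the
# wireshark group. /usr/bin/dumpcap and getcap are the usual Debian names
# (assumed here); the parsing functions take raw text so they work on
# constructed input too.

import grp
import os
import pwd
import shutil
import stat
import subprocess
from typing import Set

DUMPCAP = "/usr/bin/dumpcap"
# Capabilities Debian's installer grants dumpcap for packet capture.
CAPTURE_CAPS = {"cap_net_admin", "cap_net_raw"}


def parse_getcap(getcap_line: str) -> Set[str]:
    """Extract capability names from one line of `getcap` output, e.g.
    '/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip'   (newer libcap) or
    '/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip' (older libcap)."""
    line = getcap_line.strip()
    parts = line.split(None, 1)
    if "cap_" not in line or len(parts) < 2:
        return set()                     # empty, error or unparseable output
    rest = parts[1].lstrip("= ")         # drop the path and the optional '='
    for flag_sep in ("=", "+"):          # cut off the =eip / +eip flag spec
        rest = rest.split(flag_sep, 1)[0]
    return {c.strip() for c in rest.split(",") if c.strip()}


def privilege_mode(mode: int, owner_uid: int, caps: Set[str]) -> str:
    """Classify how dumpcap gets its privileges, mirroring the README's two
    mechanisms: file capabilities where the kernel supports them, otherwise
    the set-user-id bit on a root-owned binary."""
    if CAPTURE_CAPS <= caps:
        return "capabilities"
    if mode & stat.S_ISUID and owner_uid == 0:
        return "setuid-root"
    return "none"


def group_restricted(mode: int) -> bool:
    """True when the file's group may execute the binary but 'others' may
    not. With dumpcap owned by root:wireshark, that is what confines
    capture to members of the wireshark group."""
    return bool(mode & stat.S_IXGRP) and not (mode & stat.S_IXOTH)


def user_in_group_line(group_line: str, user: str) -> bool:
    """Parse an /etc/group line ('wireshark:x:118:alice,bob') and tell
    whether user is listed as a supplementary member. A user whose primary
    group is wireshark would not appear here."""
    fields = group_line.strip().split(":")
    if len(fields) < 4:
        return False
    return user in [m.strip() for m in fields[3].split(",") if m.strip()]


def live_report(user: str) -> dict:
    """Inspect the running system (Linux with dumpcap installed)."""
    st = os.stat(DUMPCAP)
    caps: Set[str] = set()
    getcap = shutil.which("getcap")
    if getcap:
        out = subprocess.run([getcap, DUMPCAP], capture_output=True,
                             text=True, check=False).stdout
        caps = parse_getcap(out)
    try:
        members = grp.getgrnam("wireshark").gr_mem
    except KeyError:
        members = []                     # group does not exist yet
    return {
        "privilege_mode": privilege_mode(st.st_mode, st.st_uid, caps),
        "group_restricted": group_restricted(st.st_mode),
        "in_wireshark_group": user in members,
    }


if __name__ == "__main__":
    me = pwd.getpwuid(os.getuid()).pw_name
    print(live_report(me))
```

If the report shows "privilege_mode": "none", the installation is in the README's I./b state and `dpkg-reconfigure wireshark-common` switches it; if the mechanism is in place but "in_wireshark_group" is false, the remaining step is the manual group membership the README mentions (`usermod -aG wireshark <user>`, effective after the next login). A setuid-root dumpcap is the broader grant of the two, which is why the README prefers capabilities where the kernel supports them.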