
Re: netstat ?

On Wed, Feb 24, 2010 at 2:26 PM, Celejar <celejar@gmail.com> wrote:
> On Wed, 24 Feb 2010 12:55:31 -0500
> Jordan Metzmeier <titan8990@gmail.com> wrote:
>> On Wed, Feb 24, 2010 at 12:35 PM, Eduardo M KALINOWSKI
>> <eduardo@kalinowski.com.br> wrote:
>> > On Qua, 24 Fev 2010, Jon Dowland wrote:
>> >>
>> >> What is the actual protocol you are trying to read?  You
>> >> probably need to use a friendly protocol dissector to read
>> >> and interpret your packet capture. Wireshark can do this.
>> >>
>> >>    # tcpdump src -w output-file
>> >>    $ sudo wireshark output-file
>> >
>> > Since wireshark will be only looking at a previously captured file (and not
>> > doing captures itself), it does not need root privileges, right?
>> >
>> This is correct. I always open previously captured files in wireshark
>> as an unprivileged user.
> In Debian, Wireshark should probably never be run as root, even when
> capturing packets.  See the README.Debian:
> I. Capturing packets with Wireshark/Tshark
>   There are two ways of installing Wireshark/Tshark on Debian:
>   I./a. Installing dumpcap and allowing non-root users to capture packets
>      Members of the wireshark group will be able to capture packets on network
>      interfaces. This is the preferred way of installation if Wireshark/Tshark
>      will be used for capturing and displaying packets at the same time, since
>      that way only the dumpcap process has to be run with elevated privileges
>      thanks to the privilege separation[1].
>      Note that no user will be added to group wireshark automatically, the
>      system administrator has to add them manually.
>      The additional privileges are provided using the Linux Capabilities
>      system where possible or using the set-user-id bit, where the Linux
>      Capabilities are not present (Debian GNU/kFreeBSD, Debian GNU/Hurd).
>      Linux kernels provided by Debian support Linux Capabilities, but custom
>      built kernels may lack this support. If the support for Linux
>      Capabilities is not present at the time of installing wireshark-common
>      package, the installer will fall back to set the set-user-id bit to
>      allow non-root users to capture packets.
>      If installation succeeds with using Linux Capabilities, non-root users
>      will not be able to capture packets while running kernels not supporting
>      Linux Capabilities.
>    I./b. Installing dumpcap without allowing non-root users to capture packets
>      Only root user will be able to capture packets. It is advised to capture
>      packets with the bundled dumpcap program as root and then run
>      Wireshark/Tshark as an ordinary user to analyze the captured logs. [2]
>      The installation method can be changed any time by running:
>      dpkg-reconfigure wireshark-common
>   [1] http://wiki.wireshark.org/Development/PrivilegeSeparation
>   [2] http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
>   [3] https://blog.wireshark.org/2010/02/running-wireshark-as-you
> Celejar
> --
> foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
> Archive: http://lists.debian.org/20100224142606.681c1000.celejar@gmail.com

I am familiar with the wireshark group from usage on non-Debian
systems. IIRC on gentoo I had to build wireshark with particular USE
flags so that non-root users in the wireshark group could capture
(could be mistaken here).

I have a feeling that is not the wireshark version from stable that
you are displaying the README.Debian from.

From my Debian Lenny system:

jordan@pc-tesla ~ $ apt-file find /usr/share/doc/wireshark
wireshark: /usr/share/doc/wireshark/changelog.Debian.gz
wireshark: /usr/share/doc/wireshark/changelog.gz
wireshark: /usr/share/doc/wireshark/copyright
wireshark-common: /usr/share/doc/wireshark-common/README.Debian
wireshark-common: /usr/share/doc/wireshark-common/changelog.Debian.gz
wireshark-common: /usr/share/doc/wireshark-common/changelog.gz
wireshark-common: /usr/share/doc/wireshark-common/copyright

The only README.Debian does not contain any of the information you
have specified (although it did contain useful information about
ip.addr and the != boolean operator):

jordan@pc-tesla ~ $ cat /usr/share/doc/wireshark-common/README.Debian

Using the != operator on combined expressions like: eth.addr, ip.addr, tcp.port,
udp.port and alike will probably not work as expected!

Often people use a filter string to display something like ip.addr ==
which will display all packets containing the IP address

Then they use ip.addr != to see all packets not containing the
IP address in it. Unfortunately, this does not do the expected.
Instead, that expression will even be true for packets where either source
or destination IP address equals The reason for this, is that the
expression ip.addr != must be read as "the packet contains a field
named ip.addr with a value different from". As an IP datagram
contains both a source and a destination address, the expression will evaluate
to true whenever at least one of the two addresses differs from
If you want to filter out all packets containing IP datagrams to or from
IP address, then the correct filter is !(ip.addr == as it
reads "show me all the packets for which it is not true that a field named
ip.addr exists with a value of", or in other words, "filter out all
packets for which there are no occurrences of a field named ip.addr with the

 -- Joost Yervante Damad <andete@debian.org>  Sat, 26 Apr 2008 10:17:17 +0200


Last up we have the wireshark group. This was not created by wireshark
installation. `dpkg-reconfigure wireshark-common` does not provide an
option for separate installation methods.

I am afraid these features and documentation you are referring to are
not present in Debian stable.

Jordan Metzmeier
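The README.Debian quoted above explains why `ip.addr != X` does not exclude packets to or from X. The following is an added example, not part of the thread, that models Wireshark's existential matching on multi-occurrence fields; the packets and the address 10.0.0.5 are constructed for illustration.

```python
# Added example: model of how Wireshark evaluates a comparison on a field
# that occurs more than once in a packet. ip.addr is an alias that matches
# both ip.src and ip.dst, so "field op value" is true when ANY occurrence
# satisfies the comparison. Packets and 10.0.0.5 below are constructed.

def field_values(pkt, name):
    """Return every value a packet carries for a display-filter field."""
    if name == "ip.addr":
        return [pkt["ip.src"], pkt["ip.dst"]]
    return [pkt[name]] if name in pkt else []


def compare(pkt, name, op, value):
    """Existential match: true if at least one occurrence of the field
    satisfies `op`. This is the semantics the README warns about."""
    ops = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b}
    return any(ops[op](v, value) for v in field_values(pkt, name))


# Constructed sample capture (four IP datagrams).
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "192.0.2.10"},    # from the address
    {"ip.src": "192.0.2.10", "ip.dst": "10.0.0.5"},    # to the address
    {"ip.src": "10.0.0.5", "ip.dst": "10.0.0.5"},      # both ends
    {"ip.src": "192.0.2.20", "ip.dst": "192.0.2.30"},  # unrelated traffic
]


def naive_exclude(packets, addr):
    """Filter `ip.addr != addr`: keeps a packet as soon as one of its two
    addresses differs, so traffic to/from addr still shows up."""
    return [p for p in packets if compare(p, "ip.addr", "!=", addr)]


def correct_exclude(packets, addr):
    """Filter `!(ip.addr == addr)`: drops every packet in which addr
    occurs as either source or destination."""
    return [p for p in packets if not compare(p, "ip.addr", "==", addr)]


if __name__ == "__main__":
    addr = "10.0.0.5"
    print("ip.addr != addr keeps", len(naive_exclude(PACKETS, addr)), "packets")
    print("!(ip.addr == addr) keeps", len(correct_exclude(PACKETS, addr)), "packets")
```

Only the packet with 10.0.0.5 at both ends is removed by the naive filter, while the negated-equality form leaves just the unrelated packet.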
