Wireshark-users: Re: [Wireshark-users] Unable to get tshark to capture packets when running as us
On May 18, 2010, at 10:50 AM, Fisher, AJ wrote:
>> I can capture packets just fine when I run tshark as root but not as local user.
>>
>> This is the output I get as user on RHEL 4.6:
>>
>> $ tshark
>> Capturing on eth0
>> 0 packets captured
> I'm surprised that it's not giving you an error on Linux. What's printed if you run it under strace?
Tons of info... One thing I noticed was there were a number of files that did not exist:
Example:
stat("/usr/share/wireshark/snmp_users", 0x7fbffff4b0) = -1 ENOENT (No such file or directory)
Other files that don't exist:
k12_protos sccp_users user_dlts dfilter_macros smi_paths preferences wireshark.conf disabled_protos
Here is the info at the end of the strace:
write(2, "Capturing on eth0\n", 18Capturing on eth0
) = 18
pipe([4, 5]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2a9557b7d0) = 15891
close(5) = 0
read(4, "caps", 4) = 4
read(4, "et(): Operation not permitted\nE\0"..., 4092) = 237
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 15891
--- SIGCHLD (Child exited) @ 0 (0) ---
write(2, "0 packets captured\n", 190 packets captured
) = 19
munmap(0x2a983c9000, 593920) = 0
exit_group(0) = ?
>> This is the output I get when I run as user on HP-UX 11.31:
>> $ tshark
>> tshark: Couldn't load module /opt/iexpress/wireshark/lib/wireshark/plugins/1.0.11/asn1.so: Unsatisfied code symbol 'g_node_insert_before' in load module '/opt/iexpress/wireshark/lib/wireshark/plugins/1.0.11/asn1.so'.
>> Capturing on lan0
>> tshark: Can't install filter (recv_ack: promisc_phys: UNIX error - Not owner).
> You cannot capture promiscuously on HP-UX unless you're root.
> If you only want to capture traffic to and from the HP machine, and broadcast and multicast traffic received by the HP machine, use "tshark -p", to turn promiscuous mode off.
"tshark -p" didn't help...
AJ Fisher