Wireshark-users: Re: [Wireshark-users] Unable to get tshark to capture packets when running as us
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 18 May 2010 13:52:14 -0700
On May 18, 2010, at 1:28 PM, Fisher, AJ wrote:

>> I'm surprised that it's not giving you an error on Linux.  What's printed if you run it under strace?
> 
> Tons of info...

Some of that is just the usual startup stuff you have with dynamic linking on modern UN*Xes - you'll see the same sort of thing in *BSD, Mac OS X, Solaris, etc..

> One thing I noticed was there were a number of files that did not exist:
> Example:
> stat("/usr/share/wireshark/snmp_users", 0x7fbffff4b0) = -1 ENOENT (No such file or directory)

> 
> Other files that don't exist:
> 
> k12_protos sccp_users user_dlts dfilter_macros smi_paths preferences wireshark.conf disabled_protos

Yes, Wireshark supports both global and personal configuration files that you *can* have, but you're not *required* to have, and for which there's no default file that we provide, so

	1) Wireshark could get ENOENT for them;

	2) it doesn't bother reporting that as an error, because it's not an error.

> Here is the info at the end of the strace:
> 
> write(2, "Capturing on eth0\n", 18Capturing on eth0
> )     = 18
> pipe([4, 5])                            = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2a9557b7d0) = 15891
> close(5)                                = 0
> read(4, "caps", 4)                      = 4
> read(4, "et(): Operation not permitted\nE\0"..., 4092) = 237
> wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 15891

Is there a "dumpcap" program installed?  I'd forgotten when we made dumpcap the program that does all the capturing - I guess it was before the 1.0 release.

I'm a bit surprised that the error message sent up the pipe wasn't reported by tshark.  I'll have to try that with a newer version of Wireshark.

If there's a dumpcap program installed, you can probably make it set-UID root, which should allow you to capture as an ordinary user.  (You really don't want to run the N million lines of Wireshark/TShark code as root.)

>> You cannot capture promiscuously on HP-UX unless you're root.
>> 
>> If you only want to capture traffic to and from the HP machine, and broadcast and multicast traffic received by the HP machine, use "tshark -p", to turn promiscuous mode off.
> 
> "tshark -p" didn't help...

What did tshark print when you didn't specify "-p"?  You might have to make the appropriate device in /dev (/dev/dlpi?) readable and writable by you - or, again, make dumpcap set-UID root.