Wireshark-users: Re: [Wireshark-users] Unable to get tshark to capture packets when running as us
On May 18, 2010, at 1:28 PM, Fisher, AJ wrote:
>> I'm surprised that it's not giving you an error on Linux. What's printed if you run it under strace?
>
> Tons of info...
Some of that is just the usual startup stuff you have with dynamic linking on modern UN*Xes - you'll see the same sort of thing in *BSD, Mac OS X, Solaris, etc.
> One thing I noticed was there were a number of files that did not exist:
> Example:
> stat("/usr/share/wireshark/snmp_users", 0x7fbffff4b0) = -1 ENOENT (No such file or directory)
>
> Other files that don't exist:
>
> k12_protos sccp_users user_dlts dfilter_macros smi_paths preferences wireshark.conf disabled_protos
Yes, Wireshark supports both global and personal configuration files that you *can* have, but you're not *required* to have, and for which there's no default file that we provide, so
1) Wireshark could get ENOENT for them;
2) it doesn't bother reporting that as an error, because it's not an error.
> Here is the info at the end of the strace:
>
> write(2, "Capturing on eth0\n", 18Capturing on eth0
> ) = 18
> pipe([4, 5]) = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2a9557b7d0) = 15891
> close(5) = 0
> read(4, "caps", 4) = 4
> read(4, "et(): Operation not permitted\nE\0"..., 4092) = 237
> wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 15891
Is there a "dumpcap" program installed? I'd forgotten when we made dumpcap the program that does all the capturing - I guess it was before the 1.0 release.
I'm a bit surprised that the error message sent up the pipe wasn't reported by tshark. I'll have to try that with a newer version of Wireshark.
If there's a dumpcap program installed, you can probably make it set-UID root, which should allow you to capture as an ordinary user. (You really don't want to run the N million lines of Wireshark/TShark code as root.)
>> You cannot capture promiscuously on HP-UX unless you're root.
>>
>> If you only want to capture traffic to and from the HP machine, and broadcast and multicast traffic received by the HP machine, use "tshark -p", to turn promiscuous mode off.
>
> "tshark -p" didn't help...
What did tshark print when you didn't specify "-p"? You might have to make the appropriate device in /dev (/dev/dlpi?) readable and writable by you - or, again, make dumpcap set-UID root.
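The reply above boils down to one check an ordinary user can make before anything else: does a dumpcap binary exist, and is it privileged in a way that lets non-root capture? The script below is an added example, not code from the mailing-list post or from the Wireshark project; it assumes the path to dumpcap is passed as the first argument (falling back to `command -v dumpcap`), and it reports how the file is privileged rather than changing anything. It goes slightly beyond the post by also recognising Linux file capabilities (`getcap` showing `cap_net_raw`/`cap_net_admin`), which is how most current packages privilege dumpcap instead of a full set-UID-root bit.

```shell
#!/bin/sh
# Added example (not from the post): report how a dumpcap binary is privileged,
# so a user who sees "Operation not permitted" from tshark knows whether the
# set-UID-root (or capabilities) step has actually been done on this host.

# dumpcap_priv_mode FILE -> prints exactly one of:
#   missing       file does not exist (tshark cannot capture at all)
#   setuid-root   set-UID bit set and owned by root (the post's suggestion)
#   setuid-other  set-UID bit set but not owned by root (does not grant capture)
#   capabilities  file capabilities include cap_net_raw or cap_net_admin (Linux)
#   none          no privilege on the file; only root can capture with it
dumpcap_priv_mode() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    # Portable permission check: 4th character of ls -l is 's'/'S' when set-UID.
    perms=$(ls -ld "$f" | cut -c1-10)
    owner=$(ls -ld "$f" | awk '{print $3}')
    case "$perms" in
        ???[sS]*)
            if [ "$owner" = root ]; then
                echo setuid-root
            else
                echo setuid-other
            fi
            return 0
            ;;
    esac
    # Linux-only: file capabilities are the narrower alternative to set-UID root.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$f" 2>/dev/null || true)
        case "$caps" in
            *cap_net_raw*|*cap_net_admin*)
                echo capabilities
                return 0
                ;;
        esac
    fi
    echo none
    return 0
}

# Default target is whatever dumpcap is on PATH; /usr/bin/dumpcap is an assumed fallback.
target=${1:-$(command -v dumpcap 2>/dev/null || echo /usr/bin/dumpcap)}
printf 'dumpcap at %s: %s\n' "$target" "$(dumpcap_priv_mode "$target")"
```

A result of `none` or `missing` matches the strace output quoted above, where the child process (dumpcap) exits with status 1 after writing "Operation not permitted" up the pipe. `setuid-other` is worth flagging separately because it is a common half-done install: the bit is set, but on a binary not owned by root, so it grants nothing.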