Difference between revisions of "Wireshark"

From Notes_Wiki
m
m
Line 1: Line 1:
<yambe:breadcrumb>Network related tools</yambe:breadcrumb>
=Wireshark=
=Wireshark=



Revision as of 04:44, 7 April 2014

<yambe:breadcrumb>Network related tools</yambe:breadcrumb>

Wireshark

Wireshark is very useful packet analysis tool which can give detailed protocol analysis.



Running wireshark as normal user

Since wireshark needs to capture packets from network interface, it usually requires root privileges to run. There are many ways to run wireshark as normal user without requiring root password. Some of them are:


Giving user sudo access

We can configure sudo access for some normal user so that they can run wireshark executable with root privileges without requiring root password. For that following line can be appended to /etc/sudoers file via 'echo' or 'visudo'

<user_name> ALL = NOPASSWD: /usr/sbin/wireshark

Note: /usr/bin/wireshark is not path of wireshark executable, it is link to console helper. Actual executable is usually present in /usr/sbin/wireshark'


Giving wireshark or dumpcap set-uid permissions

We can make wireshark executable set-uid so that it runs with root privileges and all users on system can run it directly. We can also make dumpcap executable set-uid so that it runs with root privileges and all users on system can run it directly and thereby wireshark. This method is not recommended.

chmod +s /usr/sbin/wireshark

or

chmod +s /usr/sbin/dumpcap

Since wireshark uses dumpcap for capturing packets giving set-uid permissions to either just wireshark or just dumpcap is enough. We do not need to make both programs set-uid to be able to run wireshark from normal user accounts.


Creating a special group for wireshark or dumpcap

We can create a special group for wireshark and/or dumpcap and make dumpcap executable readable / executable by just that group. Then we can add users to the created group so that they can run wireshark without requiring root password. This is more safer then previous method where all users can run wireshark without requiring root password.

groupadd -g wireshark
usermod -a -G wireshark <username>
chgrp wireshark /usr/sbin/dumpcap
chmod 4750 /usr/bin/dumpcap