Wireshark-0.99.6

Introduction to Wireshark

The Wireshark package contains a network protocol analyzer, also known as a
“sniffer”. It decodes packets captured “off the wire” from a live network
connection or read from a capture file. Wireshark provides both a graphical
and a TTY-mode front-end for examining captured network packets from over 500
protocols, and it can read capture files written by many other popular network
analyzers.
        
Package Information

Additional Downloads

From this page you can download many different docs in a variety of formats.
        
Wireshark dependencies

Required

GLib-1.2.10 or GLib-2.12.12. GLib on its own is enough only to build the
TTY-mode front-end (tshark); the GUI front-end additionally needs the matching
GTK+ version listed under Optional.

Note that if you don't have GTK+ installed, you will need to pass
--disable-wireshark to the configure command.

Recommended

libpcap-0.9.6 (required to capture data; without it, wireshark and tshark can
only read existing capture files)

Optional

pkg-config-0.22, GTK+-1.2.10 or GTK+-2.10.13 (to build the GUI front-end),
OpenSSL-0.9.8g, Heimdal-1.1 or MIT Kerberos V5-1.6, Python-2.5.2, PCRE-7.6,
GnuTLS-1.6.3, Net-SNMP, adns, and Lua

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/wireshark
        
       
      
        
Kernel Configuration

The kernel must have the Packet protocol (CONFIG_PACKET) enabled for Wireshark
to capture live packets from the network. Enable it by choosing “Y” for the
“Packet socket” option under “Networking” in the kernel configuration.
Alternatively, choose “M” to build it as the af_packet.ko module, which must
then be loaded before capturing.
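The following script is an added example and is not part of the BLFS page or
of Wireshark. It checks whether the running kernel provides packet sockets
before you build: it reads CONFIG_PACKET from /proc/config.gz or
/boot/config-$(uname -r) (whichever exists; the function names and the
fallback to a runtime check of /proc/net/packet are this example's own
choices) and distinguishes a built-in option from a module that still has to
be loaded.

```shell
#!/bin/sh
# Added example (not from the BLFS page or the Wireshark sources): report
# whether the kernel was built with CONFIG_PACKET, the option that provides the
# packet sockets Wireshark and dumpcap need for live capture.

# kernel_config_file: print the path of the kernel's config if one is visible.
# /proc/config.gz needs CONFIG_IKCONFIG_PROC; /boot/config-<release> is what
# most distributions install next to the kernel image.
kernel_config_file() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# packet_config_state FILE: print y (built in), m (af_packet.ko module) or
# n (disabled or absent) according to the CONFIG_PACKET line in FILE.
# Plain and gzip-compressed config files are both accepted.
packet_config_state() {
    file=$1
    case $file in
        *.gz) text=$(gzip -dc "$file") ;;
        *)    text=$(cat "$file") ;;
    esac
    case $(printf '%s\n' "$text" | grep -E '^(CONFIG_PACKET=|# CONFIG_PACKET is not set)') in
        CONFIG_PACKET=y) echo y ;;
        CONFIG_PACKET=m) echo m ;;
        *)               echo n ;;
    esac
}

# packet_socket_ready: succeed if the packet socket family is usable now.
# /proc/net/packet exists once af_packet is built in or the module is loaded,
# so this answers the runtime question even when no config file is visible.
packet_socket_ready() {
    [ -e /proc/net/packet ]
}

main() {
    if cfg=$(kernel_config_file); then
        state=$(packet_config_state "$cfg")
        echo "CONFIG_PACKET=$state according to $cfg"
        if [ "$state" = m ]; then
            echo "built as a module: run 'modprobe af_packet' before capturing"
        fi
    else
        echo "no kernel config found; relying on the runtime check"
    fi
    if packet_socket_ready; then
        echo "packet sockets available: wireshark/dumpcap can capture live traffic"
    else
        echo "packet sockets unavailable: enable CONFIG_PACKET and rebuild, or load af_packet"
    fi
}
main "$@"
```

Run it as any user; only the runtime check needs the af_packet module to be
present, and neither check needs root.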
        
       
      
        
Installation of Wireshark

Install Wireshark by running the following commands:

./configure --prefix=/usr \
            --sysconfdir=/etc \
            --enable-threads &&
make

This package does not come with a test suite.
        
        
Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/wireshark-0.99.6 &&
install -v -m644    FAQ README{,.linux} doc/README.* doc/*.{pod,txt} \
                    /usr/share/doc/wireshark-0.99.6 &&
pushd /usr/share/doc/wireshark-0.99.6 &&
for FILENAME in ../../wireshark/*.html; do \
    ln -s -v $FILENAME .
done &&
popd &&
install -v -m644 -D wireshark.desktop \
                    /usr/share/applications/wireshark.desktop &&
install -v -m644 -D image/wsicon48.png \
                    /usr/share/pixmaps/wireshark.png &&
install -v -m755 -d /usr/share/pixmaps/wireshark &&
install -v -m644 image/*.{png,ico,xpm,bmp} \
                 /usr/share/pixmaps/wireshark
        
If you downloaded any of the documentation files from the page listed in the
'Additional Downloads', install them by issuing the following command as the
root user:

install -v -m644 <Downloaded_Files> /usr/share/doc/wireshark-0.99.6
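The following is an added example, not part of the BLFS page or of Wireshark.
It re-does the documentation symlink step from the commands above in a form
that cannot leave a broken link behind, and adds a post-install check for
dangling links. The function names and the two-argument interface are this
example's own; the paths in the usage comment are the page's defaults.

```shell
#!/bin/sh
# Added example (not from the BLFS page or the Wireshark sources): the
# documentation symlink step written defensively, plus a dangling-link check.

# link_wireshark_docs DOCDIR SRCDIR: create DOCDIR and link every SRCDIR/*.html
# into it. SRCDIR is interpreted relative to DOCDIR, exactly like the
# "../../wireshark/*.html" pattern in the instructions, so the links keep
# working if /usr/share is later moved as a whole. Prints the number of links
# made. When the pattern matches nothing the shell leaves it unexpanded, and a
# bare "ln -s" would then create a dangling link literally named "*.html";
# the -e test skips that case.
link_wireshark_docs() {
    docdir=$1 srcdir=$2
    mkdir -p "$docdir"
    (
        cd "$docdir" || exit 1
        count=0
        for f in "$srcdir"/*.html; do
            [ -e "$f" ] || continue
            ln -sf "$f" "$(basename "$f")"
            count=$((count + 1))
        done
        echo "$count"
    )
}

# dangling_links DIR: print how many symlinks in DIR point at a missing
# target. A non-zero result after installing means the html files are not
# where the links expect them (for example, a different --prefix).
dangling_links() {
    n=0
    for l in "$1"/*; do
        [ -L "$l" ] || continue
        [ -e "$l" ] || n=$((n + 1))
    done
    echo "$n"
}

# Usage with the page's paths, as root after "make install":
#   sh this-script.sh /usr/share/doc/wireshark-0.99.6 ../../wireshark
if [ "$#" -eq 2 ]; then
    made=$(link_wireshark_docs "$1" "$2")
    echo "created $made links, $(dangling_links "$1") dangling"
fi
```

With no arguments the script only defines the two functions, so it can be
sourced from another install script.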
       
      
        
Command Explanations

--enable-threads: This parameter enables the use of threads in wireshark.

--with-ssl: This parameter is required if you are linking Kerberos libraries
into the build, so that the OpenSSL libcrypto library is found. It is not part
of the configure command above; add it if you build against Heimdal or MIT
Kerberos.
        
       
      
        
Configuring Wireshark

Config Files

/etc/wireshark.conf and ~/.wireshark/*

Configuration Information

Though the default configuration parameters are very sane, reference the
configuration section of the Wireshark User's Guide for configuration
information. Most of Wireshark's configuration can be accomplished using the
menu options of the wireshark graphical interface.

Note

Wireshark captures through a packet socket, which sees incoming frames at the
network device before iptables-1.3.8 processes them, so a packet dropped by an
INPUT rule is still captured. Outgoing traffic is different: a packet rejected
by an OUTPUT rule never reaches the device and therefore never appears in a
capture. If you want to exclude certain classes of packets from a capture, use
a capture filter (the -f option of tshark and dumpcap, which libpcap installs
in the kernel) rather than capturing everything and hiding it afterwards with
a display filter; the capture filter discards unwanted packets before they are
copied to user space.
       
      
        
Contents

Installed Programs: capinfos, dftest, dumpcap, editcap, idl2wrs, mergecap,
randpkt, text2pcap, tshark and wireshark

Installed Libraries: libwireshark.so, libwiretap.so and numerous dissector
plugin modules

Installed Directories: /usr/lib/wireshark, /usr/share/doc/wireshark-0.99.6,
/usr/share/pixmaps/wireshark and /usr/share/wireshark
           
         
        
          
Short Descriptions

capinfos reads a saved capture file and returns any or all of several
statistics about that file. It is able to detect and read any capture format
supported by the Wireshark package.

dftest is a display-filter-compiler test program.

dumpcap is a network traffic dump tool. It lets you capture packet data from a
live network and write the packets to a file.

editcap edits and/or translates the format of capture files. It knows how to
read libpcap capture files, including those of tcpdump, Wireshark and other
tools that write captures in that format.

idl2wrs takes a user-specified CORBA IDL file and generates “C” source code
that can be used to create a Wireshark plugin.

mergecap combines multiple saved capture files into a single output file.

randpkt creates random-packet capture files.

text2pcap reads in an ASCII hex dump and writes the data described into a
libpcap-style capture file.

tshark is a TTY-mode network protocol analyzer. It lets you capture packet
data from a live network or read packets from a previously saved capture file.

wireshark is a GUI network protocol analyzer. It lets you interactively browse
packet data from a live network or from a previously saved capture file.

libwireshark.so contains the protocol dissectors and the display-filter engine
shared by the Wireshark programs. Live capture itself goes through libpcap,
not this library.

libwiretap.so reads and writes capture files in the many formats the Wireshark
programs support. Its README in the source wiretap directory describes it as a
library being developed as a future replacement for libpcap, the current
standard Unix library for packet capturing; see that file for more
information.
            
          
         
       
      
        Last updated on 2008-05-10 18:53:20 -0500