Beyond Linux® From Scratch (systemd edition) - Version 7.6-systemd

Chapter 16. Networking Utilities

Wireshark-1.12.1

Introduction to Wireshark

The Wireshark package contains a network protocol analyzer, also known as a “sniffer”. This is useful for analyzing data captured “off the wire” from a live network connection, or data read from a capture file. Wireshark provides both a graphical and a TTY-mode front-end for examining captured network packets from over 500 protocols, as well as the capability to read capture files from many other popular network analyzers.

This package is known to build and work properly using an LFS-7.6 systemd platform.

Package Information

Additional Downloads

From this page you can download many different docs in a variety of formats.

Wireshark dependencies

Required

GLib-2.40.0 (to build the TTY-mode front-end only)

Note that you need GTK+ or Qt installed, otherwise, pass --disable-wireshark to the configure command.

Recommended

GTK+-3.12.2 (to build the GTK+3 GUI) and libpcap-1.6.2 (required to capture data)

Optional

GnuTLS-3.3.7, libgcrypt-1.6.2, Lua-5.2.3, MIT Kerberos V5-1.12.2, OpenSSL-1.0.1i, adns, GeoIP, and PortAudio

Optional (to build different GUI front-ends)

GTK+-2.24.24 and Qt-4.8.6 or Qt-5.3.1

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/wireshark

Kernel Configuration

The kernel must have the Packet protocol enabled for Wireshark to capture live packets from the network. 

Networking support: Y
  Networking options:
    Packet: sockets monitoring interface: M or Y

If built as a module, the name is af_packet.ko.

Installation of Wireshark

Optionally, fix the description of the program in the title. The first change overwrites the default "SVN Unknown" in the title and the second overwrites a utility script that resets the version to "unknown". 

cat > svnversion.h << "EOF"
#define SVNVERSION "BLFS"
#define SVNPATH "source"
EOF

cat > make-version.pl << "EOF"
#!/usr/bin/perl
EOF

Wireshark is a very large and complex application. These instructions provide additional security measures to ensure that only trusted users are allowed to view network traffic. First, set up a system group for wireshark. As the root user: 

groupadd -g 62 wireshark

If you want an unpriviledged user to execute wireshark, run the following command as the root user: 

usermod -a -G wireshark <username>

If you have both GTK+2 and GTK+3, and both Qt4 and Qt5 installed, the GTK+ GUI will be linked against GTK+3 and Qt GUI will be linked against Qt5. The instructions below only cover building of the GTK+3 GUI. Additional modifications must be made to the commands below if building a GUI front-end against different supported toolkits. Examine "Command Explanations" section for information on necessary modifications to the configure command.

If you want to build the Qt5 GUI and have both Qt4 and Qt5 installed, issue: 

export QT_SELECT=qt5

If you want to build the Qt4 GUI and have both Qt4 and Qt5 installed, issue: 

sed -i "s:Qt5 Qt:Qt:g" configure

Install Wireshark by running the following commands: 

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --with-gtk3       \
            --without-qt      &&
make

This package does not come with a test suite.

Now, as the root user: 

make install &&

install -v -dm755 /usr/share/doc/wireshark-1.12.1 &&
install -v -m644  README{,.linux} doc/README.* doc/*.{pod,txt} \
                  /usr/share/doc/wireshark-1.12.1 &&

pushd /usr/share/doc/wireshark-1.12.1 &&
   for FILENAME in ../../wireshark/*.html; do
      ln -sfv $FILENAME
   done &&
popd &&

if [ -e /usr/bin/wireshark ]; then
   install -v -Dm644 wireshark.desktop /usr/share/applications/wireshark.desktop
fi &&

if [ -e /usr/bin/wireshark-qt ]; then
   install -v -Dm644 wireshark.desktop /usr/share/applications/wireshark-qt.desktop &&
   sed -i "/Exec/s:wireshark:&-qt:g" /usr/share/applications/wireshark-qt.desktop
fi &&

for size in 16 24 32 48 64 128 256 ; do
    install -v -Dm644 image/wsicon${size}.png \
                      /usr/share/icons/hicolor/${size}x${size}/apps/wireshark.png &&
    install -v -Dm644 image/WiresharkDoc-${size}.png \
                      /usr/share/icons/hicolor/${size}x${size}/mimetypes/application-vnd.tcpdump.pcap.png
done &&

unset size &&
unset QT_SELECT

If you downloaded any of the documentation files from the page listed in the 'Additional Downloads', install them by issuing the following commands as the root user: 

install -v -m644 <Downloaded_Files> /usr/share/doc/wireshark-1.12.1

Now, set ownership and permissions of sensitive applications to only allow authorized users. As the root user: 

chown -v root:wireshark /usr/bin/{tshark,dumpcap} &&
chmod -v 6550 /usr/bin/{tshark,dumpcap}

Finally, add any users to the wireshark group (as root user): 

usermod -a -G wireshark <username>

Command Explanations

--with-gtk3: This switch enables building of the GTK+3 GUI front-end. Replace it with --with-gtk2 if you have both GTK+2 and GTK+3 installed but wish to use GTK+2 to build the GUI front-end.

--without-qt: This switch disables building of the Qt GUI front-end. Replace it with --with-qt if you have installed either Qt4 or Qt5 and wish to build the Qt GUI front-end.

--disable-wireshark: Use this switch if you don't want to build the GUI front-end.

Configuring Wireshark

Config Files

/etc/wireshark.conf and ~/.wireshark/*

Configuration Information

Though the default configuration parameters are very sane, reference the configuration section of the Wireshark User's Guide for configuration information. Most of Wireshark's configuration can be accomplished using the menu options of the wireshark graphical interfaces.

[Note]

Note

If you want to look at packets, make sure you don't filter them out with Iptables-1.4.21. If you want to exclude certain classes of packets, it is more efficient to do it with iptables than it is with Wireshark.

Contents

Installed Programs: capinfos, captype, dftest, dumpcap, editcap, mergecap, randpkt, rawshark, reordercap, text2pcap, tshark, wireshark and wireshark-qt
Installed Libraries: libfiletap.so, libwireshark.so, libwiretap.so and libwsutil.so
Installed Directories: /usr/lib/wireshark, /usr/share/doc/wireshark-1.12.1 and /usr/share/wireshark

Short Descriptions

capinfos

reads a saved capture file and returns any or all of several statistics about that file. It is able to detect and read any capture supported by the Wireshark package.

captype

prints the file types of capture files.

dftest

is a display-filter-compiler test program.

dumpcap

is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file.

editcap

edits and/or translates the format of capture files. It knows how to read libpcap capture files, including those of tcpdump, Wireshark and other tools that write captures in that format.

mergecap

combines multiple saved capture files into a single output file.

randpkt

creates random-packet capture files.

rawshark

dump and analyze raw libpcap data.

reordercap

reorder timestamps of input file frames into output file.

text2pcap

reads in an ASCII hex dump and writes the data described into a libpcap-style capture file.

tshark

is a TTY-mode network protocol analyzer. It lets you capture packet data from a live network or read packets from a previously saved capture file.

wireshark

is the GTK+ GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.

wireshark-qt

is the Qt GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.

libwireshark.so

contains functions used by the Wireshark programs to perform filtering and packet capturing.

libwiretap.so

is a library being developed as a future replacement for libpcap, the current standard Unix library for packet capturing. For more information, see the README file in the source wiretap directory.

Last updated on 2014-09-21 21:10:06 -0700