Introduction to Wireshark
The Wireshark package contains a network protocol analyzer, also known as a "sniffer". This is useful for analyzing data captured "off the wire" from a live network connection, or data read from a capture file.
Wireshark provides both a graphical and a TTY-mode front-end for examining captured network packets from over 500 protocols, as well as the capability to read capture files from many other popular network analyzers.
This package is known to build and work properly using an LFS-7.6 platform.
Package Information
Additional Downloads
From this page you can download many different docs in a variety of formats.
Wireshark dependencies
Required
GLib-2.40.0 (to build the TTY-mode front-end only)
Note that you need GTK+ or Qt4 installed; otherwise, pass --disable-wireshark to the configure command. The SBU and disk space required are larger for the Qt GUI.
Recommended
GTK+-3.12.2 (to build the GTK+3 GUI) and libpcap-1.6.2 (required to capture data)
Optional
GnuTLS-3.3.7, libgcrypt-1.6.2, Lua-5.2.3, MIT Kerberos V5-1.12.2, OpenSSL-1.0.1i, adns, GeoIP, and PortAudio
Optional (to build the GUI front-end)
GTK+-2.24.24, Qt-4.8.6, or Qt-5.3.1
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/wireshark
Installation of Wireshark
Optionally, fix the description of the program in the title. The first change overwrites the default "SVN Unknown" in the title and the second overwrites a utility script that resets the version to "unknown".
cat > svnversion.h << "EOF"
#define SVNVERSION "BLFS"
#define SVNPATH "source"
EOF
cat > make-version.pl << "EOF"
#!/usr/bin/perl
EOF
Wireshark is a very large and complex application. These instructions provide additional security measures to ensure that only trusted users are allowed to view network traffic. First, set up a system group for wireshark. As the root user:
groupadd -g 62 wireshark
If you want an unprivileged user to execute wireshark, run the following command as the root user:
usermod -a -G wireshark <username>
If you have both GTK+2 and GTK+3, and both Qt4 and Qt5, installed, two GUIs are built by default: one linked to GTK+3 and another linked to Qt5. Instead, BLFS chooses to build only the GTK+3 GUI by default. If you prefer otherwise, some modifications are necessary; for modifications to the configure switches, see "Command Explanations".
If you want to build a Qt GUI and have both Qt4 and 5 installed, issue either:
source setqt5
if you want the Qt5 GUI built, or:
source setqt4 &&
sed -i 's/Qt5 Qt/Qt/' configure
if you want the Qt4 GUI built.
Continue to install Wireshark by running the following commands:
./configure --prefix=/usr \
--with-gtk3=yes \
--with-qt=no \
--sysconfdir=/etc &&
make
This package does not come with a test suite.
Now, as the root user:
make install &&
install -v -m755 -d /usr/share/doc/wireshark-1.12.1 &&
install -v -m755 -d /usr/share/pixmaps/wireshark &&
install -v -m644 README{,.linux} doc/README.* doc/*.{pod,txt} \
/usr/share/doc/wireshark-1.12.1 &&
pushd /usr/share/doc/wireshark-1.12.1 &&
for FILENAME in ../../wireshark/*.html; do
ln -s -v -f $FILENAME .
done &&
popd &&
install -v -m644 -D wireshark.desktop \
/usr/share/applications/wireshark.desktop &&
install -v -m644 -D image/wsicon48.png \
/usr/share/pixmaps/wireshark.png &&
install -v -m644 image/*.{png,ico,xpm,bmp} \
/usr/share/pixmaps/wireshark
If you downloaded any of the documentation files from the page listed in 'Additional Downloads', install them by issuing the following commands as the root user:
install -v -m644 <Downloaded_Files>
/usr/share/doc/wireshark-1.12.1
Now, set ownership and permissions of sensitive applications to only allow authorized users. As the root user:
chown -v root:wireshark /usr/bin/{tshark,dumpcap} &&
chmod -v 6550 /usr/bin/{tshark,dumpcap}
Finally, add any users to the wireshark group (as the root user):
usermod -a -G wireshark <username>
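The chown/chmod/usermod steps above are what actually restrict who can capture: root:wireshark with mode 6550 means setuid and setgid are set and there are no world bits, so only root and members of the wireshark group can run tshark and dumpcap. The following audit helper is added here and is not part of the BLFS instructions; it checks that the installed binaries still match that setup and that a user is in the group. The function names are my own, and "stat -c" assumes GNU coreutils.

```shell
#!/bin/sh
# Audit helper added for this page, not part of BLFS: verifies the privilege setup
# the instructions above create (tshark/dumpcap owned root:wireshark, mode 6550,
# so only root and wireshark group members can execute them).

# capture_perms_ok MODE OWNER GROUP
# MODE is octal as printed by "stat -c %a". Returns 0 when the file matches
# root:wireshark 6550; otherwise prints the first problem found and returns 1.
capture_perms_ok() {
  mode=$1 owner=$2 group=$3
  case $mode in 0????) mode=${mode#0} ;; esac        # "06550" -> "6550"
  while [ ${#mode} -lt 4 ]; do mode=0$mode; done    # "755"   -> "0755"
  special=${mode%???}            # setuid(4) + setgid(2) + sticky(1)
  rest=${mode#?}
  user=${rest%??}; rest=${rest#?}
  grp=${rest%?};   other=${rest#?}
  [ "$owner" = root ]      || { echo "owner is $owner, expected root"; return 1; }
  [ "$group" = wireshark ] || { echo "group is $group, expected wireshark"; return 1; }
  [ "$other" = 0 ]         || { echo "world bits $other set: any user could run it"; return 1; }
  [ "$special" = 6 ]       || { echo "special bits $special, expected 6 (setuid+setgid)"; return 1; }
  [ "$user$grp" = 55 ]     || { echo "owner/group bits $user$grp, expected 55 (r-x r-x)"; return 1; }
  return 0
}

# audit_capture_binary PATH: read the live ownership and mode (GNU stat) and check them.
audit_capture_binary() {
  info=$(stat -c '%a %U %G' "$1") || return 2
  capture_perms_ok $info        # unquoted on purpose: splits into mode, owner, group
}

# user_in_wireshark_group USER: 0 if USER's groups include wireshark (set by usermod above).
user_in_wireshark_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx wireshark
}

# audit_wireshark_setup [USER]: check both protected binaries and one user's membership.
audit_wireshark_setup() {
  rc=0
  for f in /usr/bin/tshark /usr/bin/dumpcap; do
    if audit_capture_binary "$f"; then echo "$f: ok"; else echo "$f: FAIL"; rc=1; fi
  done
  u=${1:-$(id -un)}
  if user_in_wireshark_group "$u"; then echo "$u: in group wireshark"
  else echo "$u: not in group wireshark"; rc=1; fi
  return $rc
}
```

Source the file and run audit_wireshark_setup (optionally with a user name) after the install; a non-zero return means one of the steps above was skipped or undone, for example by a later package upgrade resetting the mode.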
Command Explanations
sed -i 's/Qt5 Qt/Qt/' ...: This command is required because, without it, libraries and includes from Qt5 are found and used first when both versions are installed, so a build with Qt4 fails (make does not complete).
--disable-wireshark: This option is required if you have GTK+ installed but do not want to build the GTK+ and Qt GUIs.
--with-gtk3=yes: This switch is required to use GTK+3 for the GUI if you are using --with-qt=no. Change gtk3 to gtk2 to use GTK+2 for the GUI.
--with-qt=no: This switch disables building the Qt GUI. Replace "no" with "yes" if you want it to be built.
--with-gtk2=yes: This option is required if you want to use GTK+2, instead of 3, for the GUI. Notice that the GUI for only one GTK+ version (either 2 or 3) can be built.
Configuring Wireshark
Config Files
/etc/wireshark.conf and ~/.wireshark/*
Configuration Information
Though the default configuration parameters are very sane, reference the configuration section of the Wireshark User's Guide for configuration information. Most of Wireshark's configuration can be accomplished using the menu options of the wireshark graphical interfaces.
Desktop file for the Qt GUI
If the Qt GUI was built and you wish an entry in the desktop menu, there are two possibilities (instructions must be run as the root user).
If only the Qt GUI was built:
mv -v /usr/share/applications/wireshark.desktop \
/usr/share/applications/wireshark-qt.desktop
If both the GTK+ and Qt GUIs were built:
cp -v /usr/share/applications/wireshark.desktop \
/usr/share/applications/wireshark-qt.desktop
Now, fix it for wireshark-qt:
sed -e 's/ireshark/&-qt/' \
-e 's/^\(Icon=wireshark\)-qt/\1/' \
-i /usr/share/applications/wireshark-qt.desktop
Note
If you want to look at packets, make sure you don't filter them out with Iptables-1.4.21. If you want to exclude certain classes of packets, it is more efficient to do it with iptables than it is with Wireshark.