Wireshark-4.0.3
Introduction to Wireshark
The Wireshark package contains a network
protocol analyzer, also known as a “sniffer”. This is useful
for analyzing data captured “off the wire” from a live
network connection, or data read from a capture file.
Wireshark provides both a graphical and a
TTY-mode front-end for examining captured network packets from over 500
protocols, as well as the capability to read capture files from many
other popular network analyzers.
This package is known to build and work properly
using an LFS 11.3 platform.
Package Information
Additional Downloads
Wireshark dependencies
Required
CMake-3.25.2,
GLib-2.74.5,
libgcrypt-1.10.1, and
Qt-5.15.8
Recommended
libpcap-1.10.3 (required to capture data)
Optional
asciidoctor-2.0.18,
Brotli-1.0.9,
c-ares-1.19.0,
Doxygen-1.9.6,
git-2.39.2,
GnuTLS-3.8.0,
libnl-3.7.0,
libxslt-1.1.37,
libxml2-2.10.3,
Lua-5.2.4,
MIT Kerberos V5-1.20.1,
nghttp2-1.52.0,
SBC-2.0,
Speex-1.2.1,
BCG729,
libilbc,
libsmi,
lz4,
libssh,
MaxMindDB,
Minizip,
Snappy, and
Spandsp
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/wireshark
Kernel Configuration
The kernel must have the Packet protocol enabled for
Wireshark to capture live packets from the network:
[*] Networking support ---> [CONFIG_NET]
Networking options --->
<*/M> Packet socket [CONFIG_PACKET]
If built as a module, the name is af_packet.ko.
Installation of Wireshark
Wireshark is a very large and complex
application. Live capture needs raw packet sockets, which ordinary users
cannot open, so these instructions add a security measure: the capture
programs are installed setuid root but made executable only by members of a
dedicated group, so that only trusted users are able to capture network
traffic. First, set up a system group for wireshark. As the root
user:
groupadd -g 62 wireshark
Continue to install Wireshark by running
the following commands:
mkdir build &&
cd build &&
cmake -DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_INSTALL_DOCDIR=/usr/share/doc/wireshark-4.0.3 \
-G Ninja \
.. &&
ninja
This package does not come with a test suite.
Now, as the root
user:
ninja install &&
install -v -m755 -d /usr/share/doc/wireshark-4.0.3 &&
install -v -m644 ../README.linux ../doc/README.* ../doc/randpkt.txt \
/usr/share/doc/wireshark-4.0.3 &&
pushd /usr/share/doc/wireshark-4.0.3 &&
for FILENAME in ../../wireshark/*.html; do
ln -s -v -f $FILENAME .
done &&
popd
unset FILENAME
If you downloaded any of the documentation files from the page
listed in the 'Additional Downloads', install them by issuing the
following commands as the root
user:
install -v -m644 <Downloaded_Files> \
        /usr/share/doc/wireshark-4.0.3
Now, set ownership and permissions of the sensitive applications so that
only authorized users can run them. Mode 6550 sets the setuid and setgid bits
and grants read and execute access to the owner (root) and to the
wireshark group only; every other user is refused even execution. Note that
dumpcap is the helper which wireshark and tshark start for live capture, and
it is the only program that strictly needs elevated privileges; Wireshark's
own capture-privilege guidance recommends privileging dumpcap alone, so that
the protocol dissectors in tshark and wireshark never run as root. If you
prefer that stricter model, omit tshark from the two commands below. As the root
user:
chown -v root:wireshark /usr/bin/{tshark,dumpcap} &&
chmod -v 6550 /usr/bin/{tshark,dumpcap}
Finally, add any users to the wireshark group (as root
user):
usermod -a -G wireshark <username>
If you are installing wireshark for the first time, you must log out of
your session and log in again. Supplementary groups are assigned at login,
so the new membership does not appear in an existing session (compare the
output of id -nG before and after), and without it the 6550 mode set above
denies execution of tshark and dumpcap.
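As an added example (it is not part of the BLFS book or of the Wireshark project), the following POSIX shell script checks the three things the Kernel Configuration section and the installation steps above depend on: that CONFIG_PACKET is built in or available as af_packet.ko, that tshark and dumpcap ended up owned by root:wireshark with mode 6550, and that the invoking session actually carries the wireshark group. It assumes Linux with GNU stat(1) and id(1); the kernel config location /boot/config-$(uname -r) and the script name check-wireshark.sh are assumptions made here, not anything the page specifies.

```shell
#!/bin/sh
# Post-install checks for the Wireshark setup described on this page.
# Added example; not part of the BLFS book or of the Wireshark project.
# Assumptions: Linux, GNU stat(1) and id(1), and the group name "wireshark"
# created above. The kernel config path is a guess; pass another if needed.

# packet_config_state FILE
# Reads a kernel .config and reports how CONFIG_PACKET is set:
# "builtin" (=y), "module" (=m, i.e. af_packet.ko) or "absent".
# The trailing [= ] keeps CONFIG_PACKET_DIAG and friends from matching.
packet_config_state() {
    case $(grep -E '^(# )?CONFIG_PACKET[= ]' "$1" 2>/dev/null) in
        CONFIG_PACKET=y) echo builtin ;;
        CONFIG_PACKET=m) echo module ;;
        *)               echo absent ;;
    esac
}

# mode_ok FILE
# Succeeds only if FILE's permission bits are exactly 6550: setuid, setgid,
# read+execute for owner and group, and no access at all for others.
mode_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = 6550 ]
}

# owner_ok FILE OWNER GROUP
# Succeeds only if FILE is owned by OWNER:GROUP (root:wireshark on this page).
owner_ok() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2:$3" ]
}

# in_group GROUP
# Succeeds if the current session carries GROUP as a supplementary group.
# usermod -a -G only edits /etc/group; a fresh login is needed before the
# new membership shows up here.
in_group() {
    id -nG | tr ' ' '\n' | grep -qx -- "$1"
}

# report [KERNEL_CONFIG]
# Prints one line per check for the programs made privileged above.
report() {
    cfg=${1:-/boot/config-$(uname -r)}   # assumed location; adjust as needed
    printf 'CONFIG_PACKET in %s: %s\n' "$cfg" "$(packet_config_state "$cfg")"
    for bin in /usr/bin/dumpcap /usr/bin/tshark; do
        if mode_ok "$bin" && owner_ok "$bin" root wireshark; then
            printf '%s: ok (root:wireshark, mode 6550)\n' "$bin"
        else
            printf '%s: NOT as expected: %s\n' "$bin" \
                "$(stat -c '%U:%G mode %a' "$bin" 2>&1)"
        fi
    done
    if in_group wireshark; then
        printf 'user %s: wireshark group present in this session\n' "$(id -un)"
    else
        printf 'user %s: wireshark group NOT in this session (log out and in)\n' \
            "$(id -un)"
    fi
}

# Run the report only when asked, so the functions can also be sourced.
if [ "${1-}" = --check ]; then report "${2-}"; fi
```

Run it after the usermod step as `sh check-wireshark.sh --check` (optionally followed by the path of the kernel config to inspect). If libcap's setcap is available (it is not among the dependencies listed on this page), Wireshark's upstream guidance offers `setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap` as an alternative to the setuid bit; the checks here assume the 6550 model used on this page.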
Configuring Wireshark
Config Files
/etc/wireshark.conf and ~/.config/wireshark/* (unless there is already
~/.wireshark/* in the system)
Configuration Information
Though the default configuration parameters are very sane, refer to
the configuration section of the Wireshark User's Guide
for configuration information. Most of Wireshark's configuration can be
accomplished using the menu options of the wireshark graphical
interface.
Note
libpcap captures from a packet socket, which taps frames at the network
device layer, so incoming packets are seen by Wireshark even when
iptables-1.8.9 later drops them; only outgoing packets that
iptables drops never reach the capture. Do not rely on
iptables to exclude classes of packets from a capture. The
efficient way to exclude them is a capture filter (the -f option of
dumpcap and tshark, or the capture options of the graphical interface),
which the kernel applies before each packet is copied to user space; a
display filter, by contrast, is applied only after the packet has already
been captured and dissected by Wireshark.
Contents
Installed Programs:
capinfos, captype, dumpcap, editcap, idl2wrs,
mergecap, randpkt, rawshark, reordercap, sharkd,
text2pcap, tshark, and wireshark
Installed Libraries:
libwireshark.so, libwiretap.so,
libwsutil.so, and numerous modules under /usr/lib/wireshark/plugins
Installed Directories:
/usr/{include,lib,share}/wireshark and
/usr/share/doc/wireshark-4.0.3
Short Descriptions
capinfos |
reads a saved capture file and returns any or all of several
statistics about that file. It is able to detect and read any
capture supported by the Wireshark
package
|
captype |
prints the file types of capture files
|
dumpcap |
is a network traffic dump tool. It lets you capture packet data
from a live network and write the packets to a file
|
editcap |
edits and/or translates the format of capture files. It knows
how to read libpcap capture files,
including those of tcpdump,
Wireshark and other tools that write
captures in that format
|
idl2wrs |
is a program that takes a user specified CORBA IDL file and
generates “C” source code for a
Wireshark “plugin”. It
relies on two Python programs wireshark_be.py
and wireshark_gen.py, which are not installed
by default. They have to be copied manually from the
tools directory to the
$PYTHONPATH/site-packages/
directory
|
mergecap |
combines multiple saved capture files into a single output file
|
randpkt |
creates random-packet capture files
|
rawshark |
dumps and analyzes raw libpcap data
|
reordercap |
reorders the frames of a capture file by timestamp and writes them to an output file
|
sharkd |
is a daemon that listens on a UNIX socket and answers dissection and filtering requests from other programs
|
text2pcap |
reads in an ASCII hex dump and writes the data described into a
libpcap-style capture file
|
tshark |
is a TTY-mode network protocol analyzer. It lets you capture
packet data from a live network or read packets from a
previously saved capture file
|
wireshark |
is the Qt GUI network protocol analyzer. It lets you interactively
browse packet data from a live network or from a previously saved
capture file
|
libwireshark.so
|
contains the protocol dissection engine and display filter code used by
the Wireshark programs; live capture itself is done by dumpcap through libpcap
|
libwiretap.so
|
is Wireshark's library for reading and writing capture files in the many
formats it supports, including the libpcap and pcapng formats and those of
other network analyzers; it is not used for live capture, which goes through
libpcap. For more information,
see the README file in the source
wiretap directory
|