source: networking/netutils/wireshark.xml

Last change on this file was 4af3cb8, checked in by Bruce Dubbs <bdubbs@…>, 4 weeks ago

Update to wireshark-4.2.4 (Security update).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY wireshark-download-http "https://www.wireshark.org/download/src/all-versions/wireshark-&wireshark-version;.tar.xz">
  <!ENTITY wireshark-download-ftp  " ">
  <!ENTITY wireshark-md5sum        "cebb012489563a8eb9c3829cdcb0579c">
  <!ENTITY wireshark-size          "43 MB">
  <!ENTITY wireshark-buildsize     "910 MB (with all optional dependencies available in the BLFS book; 170 MB installed)">
  <!ENTITY wireshark-time          "3.3 SBU (with parallelism=4 and all optional dependencies available in the BLFS book)">
]>

<!-- Gentle reminder: many Wireshark releases contain vulnerability fixes,
     we have not always been aware of these. At https://www.wireshark.org/security/
     there is a list of advisories and the version in which they were fixed.

     If you click on an advisory, after the bug number in the References:
     there may be a CVE number, although perhaps those get added some time after
     the release. Perhaps as a general rule treat ALL their advisories for crashes
     etc as worthy of a security fix. -->

<sect1 id="wireshark" xreflabel="Wireshark-&wireshark-version;">
  <?dbhtml filename="wireshark.html"?>


  <title>Wireshark-&wireshark-version;</title>

  <indexterm zone="wireshark">
    <primary sortas="a-Wireshark">Wireshark</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to Wireshark</title>

    <para>
      The <application>Wireshark</application> package contains a network
      protocol analyzer, also known as a <quote>sniffer</quote>. This is useful
      for analyzing data captured <quote>off the wire</quote> from a live
      network connection, or data read from a capture file.
    </para>

    <para>
      <application>Wireshark</application> provides both a graphical and a
      TTY-mode front-end for examining captured network packets from over 500
      protocols, as well as the capability to read capture files from many
      other popular network analyzers.
    </para>

    &lfs121_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&wireshark-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&wireshark-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &wireshark-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &wireshark-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &wireshark-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &wireshark-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <!--
      <listitem>
        <para>
          Required patch to build with Python-3.12:
          <ulink url="&patch-root;/wireshark-&wireshark-version;-py_3.12_fix-1.patch"/>
        </para>
      </listitem>
      -->
      <listitem>
        <para>
          Additional Documentation:
          <ulink url="https://www.wireshark.org/download/docs/"/>
          (contains links to several different docs in a variety of formats)
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Wireshark dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="cmake"/>,
      <xref linkend="c-ares"/>,
      <xref linkend="glib2"/>,
      <xref linkend="libgcrypt"/>,
      <xref linkend="qt6"/>, and
      <xref linkend="speex"/>
    </para>

    <note>
      <para>
        <xref linkend="qt6"/> is not strictly required, since it can be
        replaced with <application>Qt5</application>. See <quote>Command
        explanations</quote> below.
      </para>
    </note>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="libpcap"/> (required to capture data)
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="asciidoctor"/>,
      <xref linkend="brotli"/>,
      <xref linkend="doxygen"/>,
      <xref linkend="git"/>,
      <xref linkend="gnutls"/>,
      <xref linkend="libnl"/>,
      <xref linkend="libxslt"/>,
      <xref linkend="libxml2"/>,
      <xref linkend="lua52"/>,
      <xref linkend="mitkrb"/>,
      <xref linkend="nghttp2"/>,
      (<xref linkend="qt5"/> or
      <xref role="nodep" linkend="qt5-components"/> with qtmultimedia)
      (required if <xref role="nodep" linkend="qt6"/> is not installed),
      <xref linkend="sbc"/>,
      <ulink url="https://www.linphone.org/technical-corner/bcg729">BCG729</ulink>,
      <ulink url="https://github.com/TimothyGu/libilbc">libilbc</ulink>,
      <ulink url="https://www.ibr.cs.tu-bs.de/projects/libsmi/">libsmi</ulink>,
      <ulink url="https://www.libssh.org/">libssh</ulink>,
      <ulink url="https://github.com/maxmind/libmaxminddb">MaxMindDB</ulink>,
      <ulink url="https://www.winimage.com/zLibDll/minizip.html">Minizip</ulink>,
      <ulink url="https://google.github.io/snappy/">Snappy</ulink>, and
      <ulink url="https://github.com/freeswitch/spandsp">Spandsp</ulink>
    </para>

  </sect2>

  <sect2 role="kernel" id="wireshark-kernel">
    <title>Kernel Configuration</title>

    <para>
      The kernel must have the Packet protocol enabled for <application>
      Wireshark</application> to capture live packets from the network:
    </para>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="wireshark-kernel.xml"/>

    <para>
      If built as a module, the name is <filename>af_packet.ko</filename>.
    </para>

    <indexterm zone="wireshark wireshark-kernel">
      <primary sortas="d-Capturing-network-packets">
        Capturing network packets
      </primary>
    </indexterm>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Wireshark</title>

    <para>
      <application>Wireshark</application> is a very large and complex
      application. These instructions provide additional security measures to
      ensure that only trusted users are allowed to view network traffic. First,
      set up a system group for wireshark. As the <systemitem
      class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>groupadd -g 62 wireshark</userinput></screen>

    <para>
      Continue to install <application>Wireshark</application> by running
      the following commands:
    </para>

<screen><userinput>mkdir build &amp;&amp;
cd build &amp;&amp;

cmake -DCMAKE_INSTALL_PREFIX=/usr \
      -DCMAKE_BUILD_TYPE=Release  \
      -DCMAKE_INSTALL_DOCDIR=/usr/share/doc/wireshark-&wireshark-version; \
      -G Ninja \
      .. &amp;&amp;
ninja</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>ninja install &amp;&amp;

install -v -m755 -d /usr/share/doc/wireshark-&wireshark-version; &amp;&amp;
install -v -m644    ../README.linux ../doc/README.* ../doc/randpkt.txt \
                    /usr/share/doc/wireshark-&wireshark-version; &amp;&amp;

pushd /usr/share/doc/wireshark-&wireshark-version; &amp;&amp;
   for FILENAME in ../../wireshark/*.html; do
      ln -s -v -f $FILENAME .
   done &amp;&amp;
popd
unset FILENAME</userinput></screen>

    <para>
      If you downloaded any of the documentation files from the page
      listed in the 'Additional Downloads', install them by issuing the
      following commands as the <systemitem class="username">root</systemitem>
      user:
    </para>

<screen role="root"
        remap="doc"><userinput>install -v -m644 <replaceable>&lt;Downloaded_Files&gt;</replaceable> \
                 /usr/share/doc/wireshark-&wireshark-version;</userinput></screen>

    <para>
      Now, set ownership and permissions of the capture programs so that
      only authorized users can run them. Mode 6550 sets the setuid and
      setgid bits and grants read and execute permission to the owner and
      group only, so members of the wireshark group run these programs as
      <systemitem class="username">root</systemitem> while everyone else is
      denied access. Note that the Wireshark developers recommend giving
      elevated privileges to <command>dumpcap</command> alone, since
      <command>wireshark</command> and <command>tshark</command> invoke it
      for live capture and the protocol dissectors, where most Wireshark
      vulnerabilities are found, then run with the user's own privileges.
      As the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>chown -v root:wireshark /usr/bin/{tshark,dumpcap} &amp;&amp;
chmod -v 6550 /usr/bin/{tshark,dumpcap}</userinput></screen>

    <para>
      Finally, add any users to the wireshark group (as <systemitem class=
      "username">root</systemitem> user):
    </para>

<screen role="root"><userinput>usermod -a -G wireshark <replaceable>&lt;username&gt;</replaceable></userinput></screen>

    <para>
      If you have just added your own account to the wireshark group, log
      out of your session and log in again so that the new group membership
      takes effect; until then, <application>Wireshark</application> cannot
      run <command>dumpcap</command> and live capture will fail.
    </para>

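    <para>
      The following script is an added example, not part of BLFS or of
      Wireshark, that verifies the outcome of the steps above together with
      the kernel requirement from the Kernel Configuration section. It
      assumes GNU coreutils stat(1) and id(1) and uses the paths, group name
      and mode from this page; check_wireshark_install runs every check
      against the live system and returns non-zero if any of them fails.
    </para>

```shell
# Post-install check for the Wireshark privilege setup described on this page.
# Added example, not part of BLFS or of Wireshark. Assumes GNU coreutils
# stat(1) and id(1); paths, group name and mode are the ones used above.

# kernel_packet_support CONFIG_FILE
# Returns 0 if a kernel .config (or a decompressed copy of /proc/config.gz)
# enables CONFIG_PACKET as built-in (y) or module (m); for m it reminds
# the reader that af_packet.ko must be loaded before capturing.
kernel_packet_support() {
    config=$1
    setting=$(sed -n 's/^CONFIG_PACKET=\(.\)$/\1/p' "$config")
    case $setting in
        y) return 0 ;;
        m) echo "CONFIG_PACKET is a module: load af_packet.ko before capturing"
           return 0 ;;
        *) echo "CONFIG_PACKET is not enabled in $config"
           return 1 ;;
    esac
}

# capture_binary_ok FILE OWNER GROUP
# Returns 0 if FILE is owned by OWNER:GROUP with mode 6550: setuid and setgid
# set, owner and group may read and execute, others have no access at all.
capture_binary_ok() {
    file=$1 want_owner=$2 want_group=$3
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    got=$(stat -c '%U:%G %a' "$file") || return 1
    owner_group=${got% *}
    mode=${got#* }
    if [ "$owner_group" != "$want_owner:$want_group" ]; then
        echo "$file: owned by $owner_group, expected $want_owner:$want_group"
        return 1
    fi
    if [ "$mode" != "6550" ]; then
        echo "$file: mode $mode, expected 6550"
        return 1
    fi
    return 0
}

# user_in_group USER GROUP
# Returns 0 if GROUP is among USER's groups, i.e. the usermod step has taken
# effect (a fresh login is needed before id(1) reports a newly added group).
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        if [ "$g" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# check_wireshark_install: run all checks against the live system.
check_wireshark_install() {
    rc=0
    for bin in /usr/bin/tshark /usr/bin/dumpcap; do
        capture_binary_ok "$bin" root wireshark || rc=1
    done
    if [ -r /proc/config.gz ]; then
        cfg=$(mktemp)
        zcat /proc/config.gz > "$cfg"
        kernel_packet_support "$cfg" || rc=1
        rm -f "$cfg"
    fi
    user_in_group "$(id -un)" wireshark || {
        echo "$(id -un) is not in the wireshark group (log in again after usermod)"
        rc=1
    }
    return $rc
}
```

    <para>
      Run it as the user who will capture, e.g. <command>sh -c '. ./check.sh;
      check_wireshark_install'</command>. A mode other than 6550 on either
      program, a wrong owner or group, or a missing group membership is
      reported on standard output with the value found and the value expected.
    </para>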
  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <option>-DUSE_qt6=OFF</option>: Use this switch if
      <xref linkend="qt6"/> is not available. You'll need
      <xref linkend="qt5"/> or at least <xref linkend="qt5-components"/>
      with qtmultimedia in this case.
    </para>
<!--
    <para>
      <option>- -disable-wireshark</option>: Use this switch if you
      have <application>Qt</application> installed but do not want to build
      any of the GUIs.
    </para>
-->
  </sect2>

  <sect2 role="configuration">
    <title>Configuring Wireshark</title>

    <sect3 id="wireshark-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/wireshark.conf</filename> and
        <filename>~/.config/wireshark/*</filename> (unless there is already
        <filename>~/.wireshark/*</filename> in the system)
      </para>

      <indexterm zone="wireshark wireshark-config">
        <primary sortas="e-AA.wireshark-star">~/.wireshark/*</primary>
      </indexterm>

      <indexterm zone="wireshark wireshark-config">
        <primary sortas="e-etc-wireshark.conf">/etc/wireshark.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        Though the default configuration parameters are very sane, reference
        the configuration section of the <ulink url=
        "https://www.wireshark.org/docs/wsug_html/">Wireshark User's Guide
        </ulink> for configuration information. Most of <application>Wireshark
        </application>'s configuration can be accomplished
        using the menu options of the <command>wireshark</command> graphical
        interface.
      </para>

      <note>
        <para>
          Live capture takes place at the link layer, below the netfilter
          hooks: inbound packets are handed to <application>Wireshark
          </application> before <xref linkend="iptables"/> evaluates them,
          so firewall rules cannot keep incoming traffic out of a capture,
          while outbound packets that <application>iptables</application>
          drops never reach the wire and therefore never appear in one. To
          exclude certain classes of packets from a capture, use a capture
          filter (the <option>-f</option> option of <command>dumpcap</command>
          and <command>tshark</command>, or the capture filter field of the
          Capture Options dialog in <command>wireshark</command>), which the
          kernel applies before packets are copied to user space, rather than
          a display filter applied afterwards.
        </para>
      </note>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          capinfos, captype, dumpcap, editcap, idl2wrs,
          mergecap, randpkt, rawshark, reordercap, sharkd,
          text2pcap, tshark, and wireshark
        </seg>
        <seg>
          libwireshark.so, libwiretap.so,
          libwsutil.so, and numerous modules under /usr/lib/wireshark/plugins
        </seg>
        <seg>
          /usr/{lib,share}/wireshark and
          /usr/share/doc/wireshark-&wireshark-version;
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="capinfos">
        <term><command>capinfos</command></term>
        <listitem>
          <para>
            reads a saved capture file and returns any or all of several
            statistics about that file. It is able to detect and read any
            capture supported by the <application>Wireshark</application>
            package
          </para>
          <indexterm zone="wireshark capinfos">
            <primary sortas="b-capinfos">capinfos</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="captype">
        <term><command>captype</command></term>
        <listitem>
          <para>
            prints the file types of capture files
          </para>
          <indexterm zone="wireshark captype">
            <primary sortas="b-captype">captype</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dumpcap">
        <term><command>dumpcap</command></term>
        <listitem>
          <para>
            is a network traffic dump tool. It lets you capture packet data
            from a live network and write the packets to a file
          </para>
          <indexterm zone="wireshark dumpcap">
            <primary sortas="b-dumpcap">dumpcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="editcap">
        <term><command>editcap</command></term>
        <listitem>
          <para>
            edits and/or translates the format of capture files. It knows
            how to read <application>libpcap</application> capture files,
            including those of <command>tcpdump</command>,
            <application>Wireshark</application> and other tools that write
            captures in that format
          </para>
          <indexterm zone="wireshark editcap">
            <primary sortas="b-editcap">editcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="idl2wrs">
        <term><command>idl2wrs</command></term>
        <listitem>
          <para>
            is a program that takes a user specified CORBA IDL file and
            generates <quote>C</quote> source code for a
            <application>Wireshark</application> <quote>plugin</quote>. It
            relies on two Python programs <command>wireshark_be.py</command>
            and <command>wireshark_gen.py</command>, which are not installed
            by default. They have to be copied manually from the
            <filename class="directory">tools</filename> directory to the
            <filename class="directory">$PYTHONPATH/site-packages/</filename>
            directory
          </para>
          <indexterm zone="wireshark idl2wrs">
            <primary sortas="b-idl2wrs">idl2wrs</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="mergecap">
        <term><command>mergecap</command></term>
        <listitem>
          <para>
            combines multiple saved capture files into a single output file
          </para>
          <indexterm zone="wireshark mergecap">
            <primary sortas="b-mergecap">mergecap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="randpkt">
        <term><command>randpkt</command></term>
        <listitem>
          <para>
            creates random-packet capture files
          </para>
          <indexterm zone="wireshark randpkt">
            <primary sortas="b-randpkt">randpkt</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rawshark">
        <term><command>rawshark</command></term>
        <listitem>
          <para>
            dumps and analyzes raw libpcap data
          </para>
          <indexterm zone="wireshark rawshark">
            <primary sortas="b-rawshark">rawshark</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="reordercap">
        <term><command>reordercap</command></term>
        <listitem>
          <para>
            sorts the frames of an input capture file by timestamp and
            writes them to an output file
          </para>
          <indexterm zone="wireshark reordercap">
            <primary sortas="b-reordercap">reordercap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="sharkd">
        <term><command>sharkd</command></term>
        <listitem>
          <para>
            is a daemon that exposes the <application>Wireshark</application>
            dissection and filtering engine to other programs over a UNIX
            socket
          </para>
          <indexterm zone="wireshark sharkd">
            <primary sortas="b-sharkd">sharkd</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="text2pcap">
        <term><command>text2pcap</command></term>
        <listitem>
          <para>
            reads in an ASCII hex dump and writes the data described into a
            <application>libpcap</application>-style capture file
          </para>
          <indexterm zone="wireshark text2pcap">
            <primary sortas="b-text2pcap">text2pcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="tshark">
        <term><command>tshark</command></term>
        <listitem>
          <para>
            is a TTY-mode network protocol analyzer. It lets you capture
            packet data from a live network or read packets from a
            previously saved capture file
          </para>
          <indexterm zone="wireshark tshark">
            <primary sortas="b-tshark">tshark</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="wireshark-prog">
        <term><command>wireshark</command></term>
        <listitem>
          <para>
            is the Qt GUI network protocol analyzer. It lets you interactively
            browse packet data from a live network or from a previously saved
            capture file
          </para>
          <indexterm zone="wireshark wireshark-prog">
            <primary sortas="b-wireshark">wireshark</primary>
          </indexterm>
        </listitem>
      </varlistentry>
<!-- seems to have disappeared
      <varlistentry id="wireshark-gtk-prog">
        <term><command>wireshark-gtk</command></term>
        <listitem>
          <para>
            is the Gtk+ GUI network protocol analyzer. It lets you interactively
            browse packet data from a live network or from a previously saved
            capture file (optional).
          </para>
          <indexterm zone="wireshark wireshark-gtk-prog">
            <primary sortas="b-wireshark-gtk">wireshark-gtk</primary>
          </indexterm>
        </listitem>
      </varlistentry>
-->
      <varlistentry id="libwireshark">
        <term><filename class="libraryfile">libwireshark.so</filename></term>
        <listitem>
          <para>
            contains the protocol dissectors and the display filter engine
            used by the <application>Wireshark</application> programs to
            decode and filter packets
          </para>
          <indexterm zone="wireshark libwireshark">
            <primary sortas="c-libwireshark">libwireshark.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libwiretap">
        <term><filename class="libraryfile">libwiretap.so</filename></term>
        <listitem>
          <para>
            is the library the <application>Wireshark</application> programs
            use to read and write capture files in the many formats they
            support. For more information, see the <filename>README</filename>
            file in the source <filename class="directory">wiretap</filename>
            directory
          </para>
          <indexterm zone="wireshark libwiretap">
            <primary sortas="c-libwiretap">libwiretap.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>