Wireshark-&wireshark-version;

Introduction to Wireshark

The Wireshark package contains a network protocol analyzer, also known as a sniffer. This is useful for analyzing data captured off the wire from a live network connection, or data read from a capture file. Wireshark provides both a graphical and a TTY-mode front-end for examining captured network packets from over 500 protocols, as well as the capability to read capture files from many other popular network analyzers.

This package is known to build and work properly using an LFS-7.5 platform.

Package Information

Download (HTTP):
Download (FTP):
Download MD5 sum: &wireshark-md5sum;
Download size: &wireshark-size;
Estimated disk space required: &wireshark-buildsize;
Estimated build time: &wireshark-time;

Additional Downloads

Additional Documentation: From this page you can download many different docs in a variety of formats.

Wireshark Dependencies

Required (to build the TTY-mode front-end only)

Note that you need GTK+ or Qt4 installed; otherwise, pass the appropriate switch to the configure command. SBU and disk space required are larger for the Qt GUI.

Recommended: (to build the GTK+3 GUI) and (required to capture data)

Optional: , , , , , adns, GeoIP, and PortAudio

Optional (to build the GUI front-end): , , or

User Notes:

Kernel Configuration

The kernel must have the Packet protocol enabled for Wireshark to capture live packets from the network:

    Networking support: Y
      Networking options:
        Packet: sockets monitoring interface: M or Y

If built as a module, the name is af_packet.ko.

Installation of Wireshark

Optionally, fix the description of the program in the title. The first change overwrites the default "SVN Unknown" in the title and the second overwrites a utility script that resets the version to "unknown":

    cat > svnversion.h << "EOF"
    #define SVNVERSION "BLFS"
    #define SVNPATH "source"
    EOF

    cat > make-version.pl << "EOF"
    #!/usr/bin/perl
    EOF

Wireshark is a very large and complex application.
These instructions provide additional security measures to ensure that only trusted users are allowed to view network traffic. First, set up a system group for wireshark. As the root user:

    groupadd -g 62 wireshark

If you want an unprivileged user to execute wireshark, run the following command as the root user:

    usermod -a -G wireshark <username>

If you have both GTK+2 and GTK+3, and both Qt4 and Qt5, installed, then by default one GUI linked to GTK+3 and another one linked to Qt5 are built. Instead, as the BLFS default, we chose to build only the GTK+3 GUI. If you prefer otherwise, some modifications are necessary. For modifications to the configure switches, see "Command Explanations". If you want to build a Qt GUI and have both Qt4 and Qt5 installed, issue either:

    source setqt5

if you want the Qt5 GUI built, or:

    source setqt4 &&
    sed -i 's/Qt5 Qt/Qt/' configure

if you want the Qt4 GUI built.

Continue to install Wireshark by running the following commands:

    ./configure --prefix=/usr     \
                --with-gtk3=yes   \
                --with-qt=no      \
                --sysconfdir=/etc &&
    make

This package does not come with a test suite.

Now, as the root user:

    make install &&
    install -v -m755 -d /usr/share/doc/wireshark-&wireshark-version; &&
    install -v -m755 -d /usr/share/pixmaps/wireshark &&
    install -v -m644 README{,.linux} doc/README.* doc/*.{pod,txt} \
                    /usr/share/doc/wireshark-&wireshark-version; &&
    pushd /usr/share/doc/wireshark-&wireshark-version; &&
      for FILENAME in ../../wireshark/*.html; do
        ln -s -v -f $FILENAME .
      done &&
    popd &&
    install -v -m644 -D wireshark.desktop \
                    /usr/share/applications/wireshark.desktop &&
    install -v -m644 -D image/wsicon48.png \
                    /usr/share/pixmaps/wireshark.png &&
    install -v -m644 image/*.{png,ico,xpm,bmp} \
                    /usr/share/pixmaps/wireshark

If you downloaded any of the documentation files from the page listed in 'Additional Downloads', install them by issuing the following command as the root user:

    install -v -m644 <Downloaded_Files> \
                    /usr/share/doc/wireshark-&wireshark-version;

Now, set ownership and permissions of sensitive applications to only allow authorized users. As the root user:

    chown -v root:wireshark /usr/bin/{tshark,dumpcap} &&
    chmod -v 6550 /usr/bin/{tshark,dumpcap}

Finally, add any users to the wireshark group (as the root user):

    usermod -a -G wireshark <username>

Command Explanations

sed -i 's/Qt5 Qt/Qt/' ...: This command is required because, without it, when both Qt versions are installed and you try to build with Qt4, the libraries and includes from Qt5 are found and used first, and make does not complete.

: This option is required if you have GTK+ installed but do not want to build the GTK+ and Qt GUIs.

--with-gtk3=yes: This switch is required to use GTK+3 for the GUI, if you are using --with-qt=no. Change gtk3 to gtk2 to use GTK+2 for the GUI.

--with-qt=no: This switch disables the build of the Qt GUI. Replace "no" with "yes" if you want it to be built.

: This option is required if you want to use GTK+2, instead of 3, for the GUI. Notice that the GUI for only one GTK+ version (either 2 or 3) can be built.

Configuring Wireshark

Config Files: /etc/wireshark.conf and ~/.wireshark/*

Configuration Information

Though the default configuration parameters are very sane, reference the configuration section of the Wireshark User's Guide for configuration information. Most of Wireshark's configuration can be accomplished using the menu options of the wireshark graphical interfaces.
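The ownership and permission step above (root:wireshark, mode 6550) is what restricts capturing to members of the wireshark group; since the binaries are setuid root, every member of that group runs them with root privileges, so the membership list deserves the same scrutiny as the mode bits. The following script is an added example, not part of the BLFS page or of Wireshark: it checks a binary's owner, group and octal mode against the expected values, flags any world-access bits, and reports whether a named user would be permitted to execute it under the ordinary owner/group/other rule. It assumes GNU coreutils (stat -c, id -Gn) and runs its demonstration on a constructed file in a temporary directory rather than on /usr/bin/dumpcap.

```shell
#!/bin/sh
# Added example (not from the BLFS page or from Wireshark): audit the
# root:wireshark / 6550 permission model on a capture binary and report
# which users it lets through. Assumes GNU coreutils (stat -c, id -Gn).

# check_capture_perms FILE OWNER GROUP MODE
# Compares owner, group and octal mode (setuid/setgid bits included)
# with the expected values and flags any "other" bits, because a
# world-executable setuid capture tool defeats the group scheme.
# Prints one line per check; returns 0 only when every check passes.
check_capture_perms() {
    file=$1; want_owner=$2; want_group=$3; want_mode=$4; rc=0
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    mode=$(stat -c %a "$file")          # e.g. 6550
    if [ "$owner" = "$want_owner" ]; then echo "ok    owner $owner"
    else echo "FAIL  owner $owner (want $want_owner)"; rc=1; fi
    if [ "$group" = "$want_group" ]; then echo "ok    group $group"
    else echo "FAIL  group $group (want $want_group)"; rc=1; fi
    if [ "$mode" = "$want_mode" ]; then echo "ok    mode  $mode"
    else echo "FAIL  mode  $mode (want $want_mode)"; rc=1; fi
    case $mode in
        *[1-7]) echo "FAIL  world-access bits set ($mode)"; rc=1 ;;
    esac
    return $rc
}

# user_can_run USER FILE
# Applies the ordinary owner/group/other rule (root and capabilities are
# ignored): the owner uses the owner bits, a group member the group bits,
# everyone else the other bits. Returns 0 if the applicable digit has x.
user_can_run() {
    user=$1; file=$2
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    bits=$(stat -c %a "$file")
    bits=$(printf '%s' "$bits" | tail -c 3)   # rwx digits only: "550"
    u=${bits%??}; o=${bits#??}; g=${bits#?}; g=${g%?}
    members=$(id -Gn "$user" 2>/dev/null) || members=""
    if [ "$user" = "$owner" ]; then
        d=$u
    else
        case " $members " in
            *" $group "*) d=$g ;;
            *)            d=$o ;;
        esac
    fi
    case $d in
        [1357]) return 0 ;;   # execute bit present in this digit
        *)      return 1 ;;
    esac
}

# Demonstration on a constructed file; the real check would be
#   check_capture_perms /usr/bin/dumpcap root wireshark 6550
demo_dir=$(mktemp -d)
demo_bin=$demo_dir/dumpcap
me=$(id -un); mygroup=$(id -gn)
: > "$demo_bin"
chgrp "$mygroup" "$demo_bin"
chmod 6550 "$demo_bin"
echo "== $demo_bin, expecting $me:$mygroup 6550"
check_capture_perms "$demo_bin" "$me" "$mygroup" 6550 || echo "(a check failed)"
if user_can_run "$me" "$demo_bin"; then echo "$me may run it"; else echo "$me may not run it"; fi
if user_can_run nobody_such_user "$demo_bin"; then echo "outsider may run it"; else echo "outsider may not run it"; fi
rm -rf "$demo_dir"
```

Run it after the chown/chmod step, substituting the real paths; a FAIL on the world-access line means the group restriction is not in effect regardless of what the other checks say.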
Desktop file for the Qt GUI

If the Qt GUI was built and you wish an entry in the desktop menu, there are two possibilities (instructions must be run as root). If only the Qt GUI was built:

    mv -v /usr/share/applications/wireshark.desktop \
          /usr/share/applications/wireshark-qt.desktop

If both the GTK+ and Qt GUIs were built:

    cp -v /usr/share/applications/wireshark.desktop \
          /usr/share/applications/wireshark-qt.desktop

Now, fix it for wireshark-qt:

    sed -e 's/ireshark/&-qt/' \
        -e 's/^\(Icon=wireshark\)-qt/\1/' \
        -i /usr/share/applications/wireshark-qt.desktop

If you want to look at packets, make sure you don't filter them out with iptables. If you want to exclude certain classes of packets, it is more efficient to do it with iptables than it is with Wireshark.

Contents

Installed Programs: capinfos, captype, dftest, dumpcap, editcap, mergecap, randpkt, rawshark, reordercap, text2pcap, tshark, wireshark and wireshark-qt

Installed Libraries: libfiletap.so, libwireshark.so, libwiretap.so, libwsutil.so, and numerous modules under /usr/lib/wireshark/plugins

Installed Directories: /usr/lib/wireshark, /usr/share/doc/wireshark-&wireshark-version;, /usr/share/pixmaps/wireshark, and /usr/share/wireshark

Short Descriptions

capinfos reads a saved capture file and returns any or all of several statistics about that file. It is able to detect and read any capture supported by the Wireshark package.

captype prints the file types of capture files.

dftest is a display-filter-compiler test program.

dumpcap is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file.

editcap edits and/or translates the format of capture files. It knows how to read libpcap capture files, including those of tcpdump, Wireshark and other tools that write captures in that format.

mergecap combines multiple saved capture files into a single output file.

randpkt creates random-packet capture files.
rawshark dumps and analyzes raw libpcap data.

reordercap reorders the frames of an input file by timestamp into an output file.

text2pcap reads in an ASCII hex dump and writes the data described into a libpcap-style capture file.

tshark is a TTY-mode network protocol analyzer. It lets you capture packet data from a live network or read packets from a previously saved capture file.

wireshark is the GTK+ GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.

wireshark-qt is the Qt GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.

libwireshark.so contains functions used by the Wireshark programs to perform filtering and packet capturing.

libwiretap.so is a library being developed as a future replacement for libpcap, the current standard Unix library for packet capturing. For more information, see the README file in the source wiretap directory.
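As an added example (not part of the BLFS page), here are the two sed expressions from the "Desktop file for the Qt GUI" section applied to a constructed desktop file, so that their effect on each key can be checked. The pattern ireshark, with no leading letter, matches both "Wireshark" and "wireshark" and appends -qt to the first match on every line; the second expression then restores Icon=wireshark so the entry still points at the icon file installed as /usr/share/pixmaps/wireshark.png. The sample file content is constructed, not the real wireshark.desktop.

```shell
#!/bin/sh
# Added example (not from the BLFS page): the two sed expressions from
# the "Desktop file for the Qt GUI" section, applied to a constructed
# desktop file so that the effect on each key can be checked.

# qt_desktop_entry: filter, stdin -> stdout.
# 1st expression: "ireshark" (no first letter) matches both "Wireshark"
#   and "wireshark"; "&" re-inserts the match, so the first occurrence on
#   each line becomes "...ireshark-qt".
# 2nd expression: undo that on the Icon line only, since the icon file
#   installed by the page is /usr/share/pixmaps/wireshark.png.
qt_desktop_entry() {
    sed -e 's/ireshark/&-qt/' \
        -e 's/^\(Icon=wireshark\)-qt/\1/'
}

# Constructed sample; not the real wireshark.desktop shipped by Wireshark.
SAMPLE_DESKTOP='[Desktop Entry]
Name=Wireshark
Comment=Network traffic analyzer
Exec=wireshark %f
Icon=wireshark
Terminal=false
Type=Application
Categories=Network;Monitor;'

# qt_desktop_value KEY: value of KEY after the conversion, for checking.
qt_desktop_value() {
    printf '%s\n' "$SAMPLE_DESKTOP" | qt_desktop_entry | sed -n "s/^$1=//p"
}

# Show the converted file. The real step edits
# /usr/share/applications/wireshark-qt.desktop in place with sed -i.
printf '%s\n' "$SAMPLE_DESKTOP" | qt_desktop_entry
```

Name and Exec come out as Wireshark-qt and wireshark-qt %f, Icon stays wireshark, and lines without the pattern are untouched.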