[PLUG] Using Wireshark

wes plug at the-wes.com
Fri Dec 19 19:33:55 UTC 2008


On Fri, Dec 19, 2008 at 11:29 AM, Tim <tim-pdxlug at sentinelchicken.org> wrote:

> > When I choose Capture > Interfaces from the Wireshark menu I get a
> > window with the title Wireshark: Capture Interfaces. It has a column
> > header line that says, Device Description   IP   Packets   Packets/s.
> > There is no list of devices below that header line.
> >
> > Any ideas on what step Synaptic didn't include, or I didn't know I
> > needed to do?
>
> In order to sniff a network interface, you typically need root access.
> I'm guessing you weren't running it as root and Wireshark didn't show
> you the interfaces that you don't have access to (though I could be
> wrong).  Running Wireshark as root is a *bad idea* because they're
> really not interested in providing a secure product, it seems, and have
> had many overflows in the past.
>
> So, I suggest running tcpdump as root (through sudo or otherwise),
> storing the output of network traffic, then viewing it as your normal
> user (or better yet, a much less privileged user) in wireshark.
> Something along the lines of:
>
> # tcpdump -vv -n -i eth0 -s 0 -w packet_capture.cap
> ...
> $ wireshark packet_capture.cap
>
>
> In this example, "eth0" is the ethernet device you want to sniff and
> packet_capture.cap is the file where you'd store the packet capture.
>
> HTH,
> tim
>

The downside to this method is that it doesn't allow you to use Wireshark's
built-in methods for overcoming the switch. As he mentioned in the original
post, one machine connected to a switch will not be able to see traffic from
another machine connected to the same switch... unless you use Wireshark
(or something else that supports this) to instruct the switch (via ARP cache
poisoning) to send all traffic to the machine Wireshark is running on.

I consider this method to be "lame" and that's why I use the one I
mentioned: stick a machine in between the router and modem.

-wes
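Tim's capture-as-root, analyze-as-yourself workflow, written out as a small script (an added example, not code from either poster): tcpdump's `-Z` option drops to the named user before it writes anything, and a magic-number check runs before Wireshark is asked to open the file. IFACE, ANALYST and CAPDIR are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Capture as root with tcpdump,
# hand the file to an unprivileged user, sanity-check it, then open it in
# Wireshark as that user. IFACE, ANALYST and CAPDIR are placeholders.

IFACE="${IFACE:-eth0}"            # interface to sniff (placeholder)
ANALYST="${ANALYST:-$(id -un)}"   # unprivileged account that runs Wireshark
CAPDIR="${CAPDIR:-/tmp/captures}" # where capture files are written

# Return 0 if the file starts with a libpcap magic number (either byte
# order, microsecond or nanosecond timestamps); 1 otherwise.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Capture N packets. tcpdump opens the interface as root, then -Z drops to
# the analyst user before writing, so the output file is owned by that user
# and the packet parser itself never runs as root.
capture() {
    count="${1:-1000}"
    out="$CAPDIR/$(date +%Y%m%d-%H%M%S).pcap"
    mkdir -p "$CAPDIR" && chmod 700 "$CAPDIR"
    sudo tcpdump -n -s 0 -i "$IFACE" -Z "$ANALYST" -c "$count" -w "$out"
    echo "$out"
}

# Refuse to open anything that is not a pcap file, and refuse to run the
# dissectors as root; Wireshark only ever sees a file, never the interface.
analyze() {
    f="$1"
    if ! is_pcap "$f"; then
        echo "not a pcap file: $f" >&2
        return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        echo "run the analysis step as $ANALYST, not root" >&2
        return 1
    fi
    wireshark -r "$f"
}

# Usage: sh capture_then_view.sh run   (capture 500 packets, then open them)
if [ "${1:-}" = "run" ]; then
    f=$(capture 500) && analyze "$f"
fi
```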
