[PLUG] Using Wireshark
Richard C. Steffens
rsteff at comcast.net
Fri Dec 19 19:43:51 UTC 2008
Tim wrote:
> In order to sniff a network interface, you typically need root access.
>
(Slaps forehead.) Of course. I suppose part of it is that I'm still not
used to the "sudo" way of doing things.
> I'm guessing you weren't running it as root and Wireshark didn't show
> you the interfaces that you don't have access to (though I could be
> wrong). Running Wireshark as root is a *bad idea* because they're
> really not interested in providing a secure product, it seems, and have
> had many overflows in the past.
>
Makes sense.
> So, I suggest running tcpdump as root (through sudo or otherwise),
> storing the output of network traffic, then viewing it as your normal
> user (or better yet, a much less privileged user) in wireshark.
> Something along the lines of:
>
> # tcpdump -vv -n -i eth0 -s 0 -w packet_capture.cap
> ...
> $ wireshark packet_capture.cap
>
> In this example, "eth0" is the ethernet device you want to sniff and
> packet_capture.cap is the file where you'd store the packet capture.
>
OK. That worked. I'll have to spend some time figuring out how to use
filters, but at least I'm on the trail.
Thanks!
--
Regards,
Dick Steffens
www.dicksteffens.com
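The capture-then-view workflow Tim describes, written up as an added shell example (not code from the thread). Interface name, capture file name and the viewing user are assumptions, set through IFACE, CAPFILE and the user who invoked sudo. It adds one thing the thread only implies: tcpdump's -Z option, which makes tcpdump drop root and switch to the named user once the interface is open, so the capture file is created under the unprivileged identity and can be opened in Wireshark without a chown. A small header check confirms the file really is a pcap capture before it is handed to a parser.

```shell
#!/bin/sh
# Privilege-separated capture: root only for the sniffer, a normal user for the viewer.
# Added example; assumes tcpdump with -Z support, sudo, and wireshark on PATH.

IFACE="${IFACE:-eth0}"                  # interface to sniff (assumed)
CAPFILE="${CAPFILE:-packet_capture.cap}" # where the capture is written (assumed)
CAPUSER="${SUDO_USER:-$(id -un)}"        # unprivileged user who will read the file

# Return 0 if FILE starts with a libpcap magic number (either byte order,
# microsecond or nanosecond variant), 1 otherwise.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1 (as root via sudo): full-length packets (-s 0), no name resolution (-n).
# -Z switches tcpdump to CAPUSER after the interface is opened, so the parsing
# side of tcpdump and the output file no longer run as / belong to root.
# Extra arguments are passed through as a capture filter, e.g. 'port 80'.
capture() {
    sudo tcpdump -n -i "$IFACE" -s 0 -Z "$CAPUSER" -w "$CAPFILE" "$@"
}

# Step 2 (as the normal user): refuse to open anything that is not a pcap file.
view() {
    if is_pcap "$CAPFILE"; then
        wireshark "$CAPFILE"
    else
        echo "$CAPFILE does not start with a pcap header" >&2
        return 1
    fi
}

case "${1:-}" in
    capture) shift; capture "$@" ;;
    view) view ;;
esac
```

Usage: `sh capture.sh capture 'port 80'` (Ctrl-C to stop), then `sh capture.sh view`. Because the file is owned by the invoking user, Wireshark never needs to run with elevated privileges.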