Wilders Security Forums  

  #1  
Old May 4th, 2012, 09:35 PM
iceni60
( ^o^)
 
Join Date: Jun 2004
Posts: 5,116
setting up Wireshark and tshark

this is so you can run both Wireshark and tshark as a user rather than root, which is dangerous.

Code:
sudo apt-get install libcap2-bin wireshark
sudo chgrp admin /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
hopefully someone will find it useful

i was following this and getting this error -
Code:
tshark: Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled

the above commands, in the first code box, fixed the problem for me

1. Run the following command (as root or sudo root) to list the network interfaces:

tshark -D

2. Let us say you want to trace eth0, run the following command:

tshark -F libpcap -w /tmp/eth0_tshark_trace.pcap -i eth0

-F libpcap specifies the file format of the trace. SAP support usually requests libpcap.
-w /tmp/eth0_tshark_trace.pcap specifies the file name where the trace is written.
-i eth0 specifies that the trace is being written for the network interface eth0.

If you want to see the trace on the screen, use the following command:

tshark -i eth0

3. Once you have recreated the problem close tshark with ctrl+c
__________________
musical savant
-http://www.youtube.com/watch?v=liprsDr8GrE-
-http://www.youtube.com/watch?v=qpIigV7-kJk-

Last edited by iceni60 : May 4th, 2012 at 09:50 PM.
  #2  
Old May 5th, 2012, 07:58 AM
tlu
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 2,076
Re: setting up Wireshark and tshark

Quote:
Originally Posted by iceni60
this is so you can run both Wireshark and tshark as a user rather than root, which is dangerous.

Code:
sudo apt-get install libcap2-bin wireshark
sudo chgrp admin /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

Exactly. One small additional comment: In Ubuntu 12.04 the "admin" group has been renamed to "adm".

So the 2nd command should look like this:

sudo chgrp adm /usr/bin/dumpcap

Normally I have no use for Wireshark. But recently I installed it to check if DNSCrypt is working on my system following the advice here. It does. I had installed it using the method described here, which changed compared to Ubuntu 11.10 due to 12.04 using dnsmasq as a local DNS cache.
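
A check for the setup discussed in this thread, added here as an example and not part of either post: it audits the mode, group and file capabilities that the chgrp/chmod/setcap commands are meant to leave on dumpcap. The function name, the default expected group (adm) and the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: audit the dumpcap setup described above.
# Usage: audit_dumpcap MODE GROUP GETCAP_LINE [EXPECTED_GROUP]
# Prints "OK" and returns 0, or prints one finding per line and returns 1.
# EXPECTED_GROUP defaults to adm (an assumption; pass admin on older Ubuntu).
audit_dumpcap() {
    mode=$1 group=$2 capline=$3 want_group=${4:-adm}
    findings=""
    nl='
'
    # chmod 750 leaves the last ("other") octal digit at 0.
    case $mode in
        *0) ;;
        *) findings="${findings}mode $mode gives users outside the group access${nl}" ;;
    esac
    [ "$group" = "$want_group" ] ||
        findings="${findings}group is $group, expected $want_group${nl}"

    # getcap prints "path = caps+eip" (older libcap) or "path caps=eip" (newer).
    caps=${capline#* }      # drop the path
    caps=${caps#= }         # drop the old-style "= " separator
    names=${caps%[+=]*}     # e.g. cap_net_admin,cap_net_raw
    have_raw=no have_admin=no
    old_ifs=$IFS; IFS=,
    for c in $names; do
        case $c in
            cap_net_raw) have_raw=yes ;;
            cap_net_admin) have_admin=yes ;;
            *) findings="${findings}unexpected capability $c${nl}" ;;
        esac
    done
    IFS=$old_ifs
    [ "$have_raw" = yes ] && [ "$have_admin" = yes ] ||
        findings="${findings}missing cap_net_raw and/or cap_net_admin${nl}"

    if [ -z "$findings" ]; then echo OK; return 0; fi
    printf '%s' "$findings"; return 1
}

# Constructed sample: world-executable binary carrying an extra capability.
audit_dumpcap 755 root "/usr/bin/dumpcap = cap_net_admin,cap_net_raw,cap_sys_admin+eip" || true

# On a live system (GNU stat, and getcap from libcap2-bin):
# audit_dumpcap "$(stat -c %a /usr/bin/dumpcap)" "$(stat -c %G /usr/bin/dumpcap)" \
#     "$(getcap /usr/bin/dumpcap)"
```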

All times are GMT -4.