setting up Wireshark and tshark

Discussion in 'all things UNIX' started by iceni60, May 4, 2012.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Jun 29, 2004
    This is so you can run both Wireshark and tshark as a user rather than as root, which is dangerous.

    sudo apt-get install libcap2-bin wireshark                  # libcap2-bin provides setcap
    sudo chgrp admin /usr/bin/dumpcap                           # only members of the admin group may run dumpcap
    sudo chmod 750 /usr/bin/dumpcap                             # root rwx, group rx, nothing for everyone else
    sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap  # raw sockets + interface config without being root
    Hopefully someone will find it useful :)

    I was following this and was getting this error:
    tshark: Lua: Error during loading:
     [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
    The above commands, in the first code box, fixed the problem for me :)

    1. Run the following command (as root or sudo root) to list the network interfaces:

    tshark -D

    2. Let us say you want to trace eth0; run the following command:

    tshark -F libpcap -w /tmp/eth0_tshark_trace.pcap -i eth0

    -F libpcap specifies the file format of the trace. SAP support usually requests libpcap.
    -w /tmp/eth0_tshark_trace.pcap specifies the file name where the trace is written.
    -i eth0 specifies that the trace is being written for the network interface eth0.

    If you want to see the trace on the screen, use the following command:

    tshark -i eth0

    3. Once you have recreated the problem, close tshark with Ctrl+C.
    Last edited: May 4, 2012
  2. tlu

    tlu Guest

    Exactly. One small additional comment: In Ubuntu 12.04 the "admin" group has been renamed to "adm".

    So the 2nd command should look like this:

    sudo chgrp adm /usr/bin/dumpcap

    Normally I have no use for Wireshark. But recently I installed it to check if DNSCrypt is working on my system following the advice here. It does :) I had installed it using the method described here which changed compared to Ubuntu 11.10 due to 12.04 using dnsmasq as a local DNS cache.
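The setup from the first post plus the adm/admin rename from the second, put together as one script. This is an added example and not code from either poster: it assumes dumpcap lives at /usr/bin/dumpcap, that libcap2's setcap/getcap are installed, and a Debian/Ubuntu-style /etc/group; the function names (pick_admin_group, caps_ok, apply_setup, capture) are my own. It picks whichever of adm or admin exists, verifies the capabilities actually landed by parsing getcap output (both the older "= caps+eip" and the newer "caps=eip" spellings), warns if you are not yet in the group, and runs the libpcap-format capture from step 2 with a duration limit so an unattended trace cannot fill /tmp.

```shell
#!/bin/sh
# Added example (not from the original thread): non-root tshark/dumpcap setup and capture.
# Assumptions: Debian/Ubuntu layout, dumpcap at /usr/bin/dumpcap, libcap2-bin installed.
set -u

DUMPCAP=/usr/bin/dumpcap

# Ubuntu 12.04 renamed "admin" to "adm"; return whichever exists.
# Takes a group-file path so it can be checked against a constructed file.
pick_admin_group() {
    group_file=${1:-/etc/group}
    for g in adm admin; do
        if grep -q "^$g:" "$group_file"; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# Accept one getcap output line and succeed only if dumpcap has BOTH
# cap_net_raw and cap_net_admin with the effective (e) and permitted (p) bits.
# Handles "/path = cap_a,cap_b+eip" (older libcap) and "/path cap_a,cap_b=eip" (newer).
caps_ok() {
    line=$1
    caps=${line#* }            # drop the path
    caps=${caps#= }            # older libcap prints "= " before the set
    names=${caps%%[=+]*}       # capability names before '=' or '+'
    set_bits=${caps#*[=+]}     # flag letters after '=' or '+'
    case ",$names," in *,cap_net_raw,*) ;;   *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case "$set_bits" in *e*) ;; *) return 1 ;; esac
    case "$set_bits" in *p*) ;; *) return 1 ;; esac
    return 0
}

# Steps from post #1 with the group name from post #2, then verify the result.
apply_setup() {
    grp=$(pick_admin_group /etc/group) || { echo "no adm or admin group found" >&2; return 1; }
    sudo chgrp "$grp" "$DUMPCAP"
    sudo chmod 750 "$DUMPCAP"
    sudo setcap cap_net_raw,cap_net_admin+eip "$DUMPCAP"
    # Do not trust setcap's exit status alone; read the capabilities back.
    caps_ok "$(getcap "$DUMPCAP")" || { echo "capabilities on $DUMPCAP are not as expected" >&2; return 1; }
    echo "dumpcap: group $grp, mode 750, $(getcap "$DUMPCAP")"
    # Mode 750 means only group members can run it at all.
    id -nG | tr ' ' '\n' | grep -qx "$grp" \
        || echo "you are not in $grp yet: sudo usermod -aG $grp $USER, then log out and back in"
}

# Step 2 of the procedure, as a normal user: libpcap format, stop after N seconds.
capture() {
    iface=${1:-eth0}
    secs=${2:-60}
    out=${3:-/tmp/${iface}_tshark_trace.pcap}
    tshark -F libpcap -a "duration:$secs" -w "$out" -i "$iface"
}

case "${1:-}" in
    setup)   apply_setup ;;
    list)    tshark -D ;;                 # step 1: list interfaces (no root needed after setup)
    capture) shift; capture "$@" ;;       # e.g. ./nonroot-tshark.sh capture eth0 120
esac
```

Usage: `sh nonroot-tshark.sh setup` once, then `sh nonroot-tshark.sh list` and `sh nonroot-tshark.sh capture eth0 120` as your ordinary user. If the verification in `apply_setup` fails on a filesystem mounted `nosuid`, that is expected: file capabilities are ignored there, so dumpcap must live on a filesystem that allows them.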