Wireshark mailing list archives
Re: Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31
From: Guy Harris <guy () alum mit edu>
Date: Tue, 18 May 2010 13:52:14 -0700
On May 18, 2010, at 1:28 PM, Fisher, AJ wrote:
>> I'm surprised that it's not giving you an error on Linux. What's printed if you run it under strace?
>
> Tons of info...

Some of that is just the usual startup stuff you have with dynamic linking on modern UN*Xes - you'll see the same sort of thing in *BSD, Mac OS X, Solaris, etc.

> One thing I noticed was there were a number of files that did not exist. Example:
>
> stat("/usr/share/wireshark/snmp_users", 0x7fbffff4b0) = -1 ENOENT (No such file or directory)
>
> Other files that don't exist: k12_protos sccp_users user_dlts dfilter_macros smi_paths preferences wireshark.conf disabled_protos

Yes, Wireshark supports both global and personal configuration files that you *can* have, but you're not *required* to have, and for which there's no default file that we provide, so 1) Wireshark could get ENOENT for them; 2) it doesn't bother reporting that as an error, because it's not an error.

> Here is the info at the end of the strace:
>
> write(2, "Capturing on eth0\n", 18Capturing on eth0
> ) = 18
> pipe([4, 5]) = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2a9557b7d0) = 15891
> close(5) = 0
> read(4, "caps", 4) = 4
> read(4, "et(): Operation not permitted\nE\0"..., 4092) = 237
> wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 15891

Is there a "dumpcap" program installed? I'd forgotten when we made dumpcap the program that does all the capturing - I guess it was before the 1.0 release. I'm a bit surprised that the error message sent up the pipe wasn't reported by tshark. I'll have to try that with a newer version of Wireshark. If there's a dumpcap program installed, you can probably make it set-UID root, which should allow you to capture as an ordinary user. (You really don't want to run the N million lines of Wireshark/TShark code as root.)

>> You cannot capture promiscuously on HP-UX unless you're root. If you only want to capture traffic to and from the HP machine, and broadcast and multicast traffic received by the HP machine, use "tshark -p" to turn promiscuous mode off.
>
> "tshark -p" didn't help...

What did tshark print when you didn't specify "-p"? You might have to make the appropriate device in /dev (/dev/dlpi?) readable and writable by you - or, again, make dumpcap set-UID root.
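The reply above boils down to one check: is there a dumpcap binary, and is it set-UID root so that only the small capture helper, not all of tshark, runs with privilege? The script below is an example added by the editor, not code from the original mail or from the Wireshark project. It assumes /usr/bin/dumpcap as the default path (dumpcap's location varies by install, and HP-UX installs may put it elsewhere) and returns a distinct exit code for each state so it can be used from other scripts. The demo at the bottom runs it on that assumed path, or on a path passed as $1.

```sh
#!/bin/sh
# Report the privilege state of a dumpcap binary (editor's example, not Wireshark code).
# Exit codes:
#   0 = set-UID root (unprivileged users can capture through it)
#   1 = present but not set-UID (capture setup will fail for non-root users)
#   2 = not found (dumpcap may not be installed)
#   3 = set-UID bit set but owner is not uid 0 (no privilege gain, misconfigured)
dumpcap_privilege_state() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "$path: not found (is dumpcap installed at all?)"
        return 2
    fi
    # Numeric owner uid from 'ls -ln'; stat's flags differ between GNU and BSD,
    # so ls is the portable choice here.
    owner_uid=$(ls -ln "$path" | awk '{print $3}')
    if [ ! -u "$path" ]; then
        echo "$path: set-UID bit is not set; non-root capture will fail at setup."
        echo "  One conventional fix (as root) is to restrict it to a capture group:"
        echo "    chown root:wireshark $path && chmod 4750 $path"
        echo "  (the 'wireshark' group name is an assumption; use whatever group you grant capture to)"
        return 1
    fi
    if [ "$owner_uid" != "0" ]; then
        echo "$path: set-UID bit is set but the owner is uid $owner_uid, not root; this gains nothing."
        return 3
    fi
    echo "$path: set-UID root; ordinary users in its group can capture without running tshark as root."
    return 0
}

# Demo: check the path given as $1, or the assumed default location.
dumpcap_privilege_state "${1:-/usr/bin/dumpcap}" || :
```

Note that the setuid bit alone is not enough: if the owner is not root the kernel grants no extra privilege, which is why the script treats that as its own failure state rather than reporting success.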
Current thread:
- Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31 Fisher, AJ (May 18)
- Re: Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31 Guy Harris (May 18)
- <Possible follow-ups>
- Re: Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31 Fisher, AJ (May 18)
- Re: Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31 Guy Harris (May 18)