Wireshark mailing list archives

Re: Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31


From: Guy Harris <guy () alum mit edu>
Date: Tue, 18 May 2010 13:52:14 -0700


On May 18, 2010, at 1:28 PM, Fisher, AJ wrote:

>> I'm surprised that it's not giving you an error on Linux.  What's printed if you run it under strace?
>
> Tons of info...

Some of that is just the usual startup stuff you have with dynamic linking on modern UN*Xes - you'll see the same sort of thing in *BSD, Mac OS X, Solaris, etc.

> One thing I noticed was there were a number of files that did not exist:
> Example:
> stat("/usr/share/wireshark/snmp_users", 0x7fbffff4b0) = -1 ENOENT (No such file or directory)
>
> Other files that don't exist:
>
> k12_protos sccp_users user_dlts dfilter_macros smi_paths preferences wireshark.conf disabled_protos

Yes, Wireshark supports both global and personal configuration files that you *can* have, but you're not *required* to have, and for which there's no default file that we provide, so

        1) Wireshark could get ENOENT for them;

        2) it doesn't bother reporting that as an error, because it's not an error.

> Here is the info at the end of the strace:
>
> write(2, "Capturing on eth0\n", 18Capturing on eth0
> )     = 18
> pipe([4, 5])                            = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2a9557b7d0) = 15891
> close(5)                                = 0
> read(4, "caps", 4)                      = 4
> read(4, "et(): Operation not permitted\nE\0"..., 4092) = 237
> wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 15891

Is there a "dumpcap" program installed?  I'd forgotten when we made dumpcap the program that does all the capturing - I guess it was before the 1.0 release.

I'm a bit surprised that the error message sent up the pipe wasn't reported by tshark.  I'll have to try that with a newer version of Wireshark.

If there's a dumpcap program installed, you can probably make it set-UID root, which should allow you to capture as an ordinary user.  (You really don't want to run the N million lines of Wireshark/TShark code as root.)

>> You cannot capture promiscuously on HP-UX unless you're root.
>>
>> If you only want to capture traffic to and from the HP machine, and broadcast and multicast traffic received by the HP machine, use "tshark -p", to turn promiscuous mode off.
>
> "tshark -p" didn't help...

What did tshark print when you didn't specify "-p"?  You might have to make the appropriate device in /dev (/dev/dlpi?) readable and writable by you - or, again, make dumpcap set-UID root.
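As an added example that is not part of Guy's message or of the Wireshark project: a small shell check for the set-UID-root dumpcap arrangement he suggests, so an administrator can confirm how the capture helper is privileged without running TShark itself as root. It assumes GNU stat(1) with -c, i.e. a Linux box; the HP-UX stat differs.

```shell
#!/bin/sh
# Classify how a capture helper such as dumpcap is privileged.
# Added example, not from the thread; assumes GNU stat(1) with -c (Linux).
# Prints one of: missing, unknown, unprivileged, setuid-nonroot,
# setuid-root-world-executable, setuid-root-restricted.

capture_helper_status() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
        return 0
    fi
    # owner uid, group gid, octal mode (e.g. "4750" or "755"); -L follows symlinks
    set -- $(stat -L -c '%u %g %a' "$path")
    owner=$1 mode=$3
    case ${#mode} in
        3) special=0 perms=$mode ;;
        4) special=${mode%???} perms=${mode#?} ;;
        *) echo unknown; return 0 ;;
    esac
    other=${perms#??}        # last octal digit: permission bits for "other"
    if [ $(( special & 4 )) -eq 0 ]; then
        # No set-UID bit: the helper runs with the caller's own privileges,
        # which is exactly the situation in which capset()/opening the device fails.
        echo unprivileged
    elif [ "$owner" -ne 0 ]; then
        # set-UID to a non-root owner grants no capture rights at all.
        echo setuid-nonroot
    elif [ $(( other & 1 )) -ne 0 ]; then
        # set-UID root and executable by everyone: capture works for every
        # local user; chmod 4750 plus a dedicated group limits who may capture.
        echo setuid-root-world-executable
    else
        echo setuid-root-restricted
    fi
}

# Usage: capture_helper_status /usr/sbin/dumpcap
```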
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users