Wireshark mailing list archives
Re: How to rid of queries swamping logs in non-online Wireshark
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Mon, 21 Mar 2016 10:54:34 -0400
On Sat, Mar 19, 2016 at 10:53 AM, Miroslav Rovis <miro.rovis () croatiafidelis hr> wrote:
Hi! I don't use Wireshark with all the X for capturing traffic. Also because it takes me long to grasp what's going on, and I mostly just can't do it in real time, the figuring of what I need to about the capture. I capture with the engine of Wireshark, the dumpcap, instead. But I use Wireshark for analysis of the traffic. (Often on some other machine.) And I was wondering how I could disable, from Wireshark if possible, the persistent (and futile, in the scenario above given) querying of Wireshark of my interfaces? Here is a recent log:

Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000 gid/egid:1000/1000
[...] It's a grsecurity-hardened kernel on a Gentoo box, and the query is shown
only because I have the Role Based Access (RBAC) set up and the exec_logging option enabled, which logs it. So that, firstly, doesn't show on a non-exec-logging kernel, grsec or any other, and secondly also makes it possibly a question for https://forums.grsecurity.net (and I might try and see there too, or if I get a solution, report it there for other users). But I was hoping to try and see what advice I might get on the Wireshark ML first. Because it really swamps the logs uselessly. I don't want to be shutting down Wireshark just not to swamp my system logs.
Wireshark is starting dumpcap periodically to check the status of the interfaces (and also get statistics from them). I think the only way you'll be able to disable this (from the Wireshark side) is to make it so you don't have permission to start dumpcap (from Wireshark). Obviously this conflicts with your use of dumpcap (as the same user) to actually capture. I suppose a simpler method would be to simply rename dumpcap to something you'll know but Wireshark won't, e.g., `dumpcap-real`.
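As an added example, not code from the thread or from the Wireshark project: a small Python parser for the grsec exec_logging line format quoted above. It separates dumpcap launches of the interface-polling form seen on the page (`-S -Z none`) from real captures, counted per parent executable and per minute, so the source of the log volume can be confirmed before renaming or restricting anything. The sample lines are constructed; hostname, PIDs and the capture command are made up.

```python
import re
from collections import Counter

# Constructed sample in the grsecurity RBAC exec_logging format quoted in the
# thread (hostname, PIDs, timestamps and the capture command are invented).
SAMPLE_LOG = """\
Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:07:02 g5n kernel: [10908.412345] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:11320] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:07:03 g5n kernel: [10909.100000] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -i eth0 -w /tmp/cap.pcapng ) by /usr/bin/dumpcap[bash:11400] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9001] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:07:04 g5n kernel: [10910.000000] grsec: (miro:U:/) exec of /usr/bin/ls (/usr/bin/ls -la ) by /usr/bin/ls[bash:11401] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9001] uid/euid:1000/1000 gid/egid:1000/1000
"""

# Fields of one exec_logging line: syslog timestamp, subject role, executed
# path, its argv, the executing task's comm/pid, and the parent's path/comm/pid.
EXEC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]*\] grsec: \((?P<subj>[^)]*)\) "
    r"exec of (?P<path>\S+) \((?P<argv>[^)]*)\) by \S+\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r".*parent (?P<ppath>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)


def parse_exec_events(lines):
    """Yield one dict per well-formed exec_logging line; other lines are skipped."""
    for line in lines:
        m = EXEC_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["argv"] = ev["argv"].split()
            yield ev


def is_interface_probe(ev):
    """True for the dumpcap invocation quoted in the thread (-S, no output file),
    i.e. dumpcap started to poll interface status/statistics, not to capture."""
    return ev["path"].endswith("/dumpcap") and "-S" in ev["argv"] and "-w" not in ev["argv"]


def summarize(lines):
    """Count probe launches per parent executable and per minute, and real captures."""
    per_parent, per_minute, real_captures = Counter(), Counter(), 0
    for ev in parse_exec_events(lines):
        if not ev["path"].endswith("/dumpcap"):
            continue
        if is_interface_probe(ev):
            per_parent[ev["ppath"]] += 1
            per_minute[ev["ts"][:-3]] += 1  # "Mar 19 15:07:01" -> "Mar 19 15:07"
        else:
            real_captures += 1
    return {"probes_by_parent": dict(per_parent),
            "probes_per_minute": dict(per_minute),
            "real_captures": real_captures}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

On a live box, feed the output of `journalctl -k` or the syslog file to `summarize` instead of the sample; a high probes-per-minute figure attributed to /usr/bin/wireshark confirms the polling described in the reply.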