|
|
|
|
Installing Wireshark on FreeBSD/OpenBSD/NetBSD/DragonFly BSD
|
|
|
|
|
========================================================================
|
|
|
|
|
|
|
|
|
|
1. Berkeley Packet Filter (BPF) requirement
|
|
|
|
|
2. Running Wireshark as a non-root user
|
|
|
|
|
|
|
|
|
|
For general installation instructions, see the INSTALL file, along with
|
|
|
|
|
the Developer's Guide located at https://www.wireshark.org/docs/ and
|
|
|
|
|
in the docbook/ directory. Additional BSD specific notes and requirements
|
|
|
|
|
follow.
|
|
|
|
|
|
|
|
|
|
1. Berkeley Packet Filter (BPF) requirement
|
|
|
|
|
--------------------------------------------
|
|
|
|
|
In order to capture packets (with Wireshark/TShark, tcpdump, or any
|
|
|
|
|
other packet capture program) on a BSD system, your kernel must have the
|
|
|
|
|
Berkeley Packet Filter mechanism enabled. The default kernel
|
|
|
|
|
configurations in recent versions of BSD systems have this enabled
|
|
|
|
|
already. To verify the bpf device is present, look in the /dev
|
|
|
|
|
directory:
|
|
|
|
|
|
|
|
|
|
ls -l /dev/bpf*
|
|
|
|
|
|
|
|
|
|
You should see one or more bpf devices listed similar to this:
|
|
|
|
|
|
|
|
|
|
crw------- 1 root wheel 0, 90 Aug 10 21:05 /dev/bpf0
|
|
|
|
|
crw------- 1 root wheel 0, 91 Aug 10 21:05 /dev/bpf1
|
|
|
|
|
|
|
|
|
|
Packet-capturing programs will pick the first bpf device that's not in
|
|
|
|
|
use. Recent versions of most BSDs will create bpf devices as needed, so
|
|
|
|
|
you don't have to configure the number of devices that will be
|
|
|
|
|
available.
|
|
|
|
|
|
|
|
|
|
2. Running wireshark as a non-root user
|
|
|
|
|
-------------------------------------------
|
|
|
|
|
Since the bpf devices are read-only by the owner (root), you normally
|
|
|
|
|
have to run packet capturing programs such as Wireshark as root. It is
|
|
|
|
|
safer to run programs as a non-root user if possible. To run Wireshark
|
|
|
|
|
as a non-root user, you must change the permissions on the bpf device(s).
|
|
|
|
|
If you are the only user that needs to use Wireshark, the easiest way
|
|
|
|
|
is to change the owner of each bpf device to your username. You can also
|
|
|
|
|
add the read/write ability to the group (typically wheel) and add users
|
|
|
|
|
that need to use Wireshark to the wheel group. Check your operating
|
|
|
|
|
system's documentation on how to make permanent these changes as they
|
|
|
|
|
are often reset upon reboot; if /dev is implemented with devfs, it might
|
|
|
|
|
be possible to configure devfs to create all bpf devices owned by a
|
|
|
|
|
particular user and/or group and with particular permissions. In
|
|
|
|
|
FreeBSD 6.0 and later this can be done by creating an /etc/devfs.rules
|
|
|
|
|
file with content such as
|
|
|
|
|
|
|
|
|
|
[localrules=10]
|
|
|
|
|
add path 'bpf*' {mode and permissions}
|
|
|
|
|
|
|
|
|
|
where "mode and permissions" can include clauses such as
|
|
|
|
|
|
|
|
|
|
mode {octal permissions}
|
|
|
|
|
|
|
|
|
|
to set the permissions on the device (e.g., "mode 0660" to set the
|
|
|
|
|
permissions to rw-rw-r--),
|
|
|
|
|
|
|
|
|
|
user {user}
|
|
|
|
|
|
|
|
|
|
to set the user who owns the device, or
|
|
|
|
|
|
|
|
|
|
group {group}
|
|
|
|
|
|
|
|
|
|
to set the group that owns the device and adding a line such as
|
|
|
|
|
|
|
|
|
|
devfs_system_ruleset=localrules
|
|
|
|
|
|
|
|
|
|
to /etc/rc.conf. For example, an /etc/devfs.rules file with
|
|
|
|
|
|
|
|
|
|
[localrules=10]
|
|
|
|
|
add path 'bpf*' mode 0660 group wheel
|
|
|
|
|
|
|
|
|
|
will grant read and write permissions on all BPF devices to all users in
|
|
|
|
|
the "wheel" group.
|
