95 lines
4.4 KiB
Plaintext
95 lines
4.4 KiB
Plaintext
|
|
I. Capturing packets with Wireshark/Tshark
|
|
|
|
There are two ways of installing Wireshark/Tshark on Debian; the
|
|
installation process may offer a choice between these two ways,
|
|
asking "Should non-superuser be able to capture packets?"
|
|
|
|
I./a. Installing dumpcap without allowing non-root users to capture packets
|
|
|
|
Only root user will be able to capture packets. It is advised to capture
|
|
packets with the bundled dumpcap program as root and then run
|
|
Wireshark/Tshark as an ordinary user to analyze the captured logs. [2]
|
|
|
|
This is the default on Debian systems; it is selected by answering
|
|
"<No>" to the question mentioned above.
|
|
|
|
I./b. Installing dumpcap and allowing non-root users to capture packets
|
|
|
|
Members of the wireshark group will be able to capture packets on network
|
|
interfaces. This is the preferred way of installation if Wireshark/Tshark
|
|
will be used for capturing and displaying packets at the same time, since
|
|
that way only the dumpcap process has to be run with elevated privileges
|
|
thanks to the privilege separation[1].
|
|
|
|
This is selected by answering "<Yes>" to the question mentioned
|
|
above.
|
|
|
|
Note that no user will be added to group wireshark automatically;
|
|
a system administrator has to add them manually, using the usermod
|
|
command:
|
|
|
|
sudo usermod -a -G wireshark {username}
|
|
|
|
or, if you're using a desktop environment that includes a tool for
|
|
managing users, such as the "Users and Groups" tool in GNOME (found
|
|
in the gnome-system-tools package), using that tool. After a user
|
|
is added to the wireshark group, she/he may need to log in again to
|
|
make her/his new group membership take effect and be able to capture
|
|
packets.
|
|
|
|
The additional privileges are provided using the Linux Capabilities
|
|
system where it is available and resorting to setting the set-user-id
|
|
bit of the dumpcap binary as a fall-back, where the Linux Capabilities
|
|
system is not present (Debian GNU/kFreeBSD, Debian GNU/Hurd).
|
|
|
|
Linux kernels provided by Debian support Linux Capabilities, but custom
|
|
built kernels may lack this support. If the support for Linux
|
|
Capabilities is not present at the time of installing wireshark-common
|
|
package, the installer will fall back to set the set-user-id bit to
|
|
allow non-root users to capture packets.
|
|
|
|
If installation succeeds with using Linux Capabilities, non-root users
|
|
will not be able to capture packets while running kernels not supporting
|
|
Linux Capabilities.
|
|
|
|
Note that capturing USB packets is not enabled for non-root users by using
|
|
Linux Capabilities. You have to capture the packets using the method
|
|
described in I./a., setting the set-user-id permanently using
|
|
dpkg-statoverride or running dumpcap as root.
|
|
|
|
The installation method can be changed any time by running:
|
|
|
|
sudo dpkg-reconfigure wireshark-common
|
|
|
|
The question mentioned above will be asked; answer "<Yes>" to it.
|
|
|
|
|
|
II. Installing SNMP MIBs
|
|
|
|
SNMP [4] OIDs can be decoded using MIBs provided by other packages.
|
|
wireshark-common suggests snmp-mibs-downloader which package can be used to
|
|
download a set of common MIBs Wireshark/Tshark tries to load at startup.
|
|
|
|
At the time of writing, MIBs are distributed under DFSG incompatible terms
|
|
[5] thus snmp-mibs-downloader has to be in the non-free archive area.
|
|
To keep wireshark in the main area [7], wireshark-common does not depend on
|
|
or recommend snmp-mibs-downloader and as a result snmp-mibs-downloader is
|
|
not installed automatically with wireshark.
|
|
|
|
To make Wireshark/Tshark able to decode OIDs, please install
|
|
snmp-mibs-downloader manually.
|
|
|
|
To help Wireshark/Tshark to decode OIDs without having to install packages
|
|
manually, please support the initiative of requesting additional rights
|
|
from RFC authors [5].
|
|
|
|
|
|
[1] https://gitlab.com/wireshark/wireshark/-/wikis/Development/PrivilegeSeparation
|
|
[2] https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CapturePrivileges
|
|
[3] https://blog.wireshark.org/2010/02/running-wireshark-as-you
|
|
[4] https://gitlab.com/wireshark/wireshark/-/wikis/SNMP
|
|
[5] https://wiki.debian.org/NonFreeIETFDocuments
|
|
[6] https://www.debian.org/doc/debian-policy/ch-archive.html#s-non-free
|
|
[7] https://www.debian.org/doc/debian-policy/ch-archive.html#s-main
|