Wireshark · Ethereal-users: Re: [Ethereal-users] root process, preferences files

Ethereal-users: Re: [Ethereal-users] root process, preferences files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Tue, 2 Dec 2003 14:18:31 -0800


On Dec 2, 2003, at 1:46 AM, Nosnos wrote:

- Is it possible to launch and start capture in user mode ?


That depends on the OS you're using.

To quote the current CVS tcpdump man page's section on what privilegesare required in order to capture packets:

Reading packets from a network interface may require that youhave spe-

       cial privileges:

       Under SunOS 3.x or 4.x with NIT or BPF:
              You must have read access to /dev/nit or /dev/bpf*.

       Under Solaris with DLPI:

You must have read/write access to the network pseudodevice,e.g. /dev/le. On at least some versions of Solaris,however,this is not sufficient to allow tcpdump to capture inpromiscu-ous mode; on those versions of Solaris, you must beroot, ortcpdump must be installed setuid to root, in order tocapture inpromiscuous mode. Note that, on many (perhaps all)interfaces,if you don't capture in promiscuous mode, you will notsee anyoutgoing packets, so a capture not done in promiscuousmode may

              not be very useful.

       Under HP-UX with DLPI:

You must be root or tcpdump must be installed setuid toroot.


       Under IRIX with snoop:

You must be root or tcpdump must be installed setuid toroot.


       Under Linux:

You must be root or tcpdump must be installed setuidto root(unless your distribution has a kernel that supportscapabilitybits such as CAP_NET_RAW and code to allow thosecapability bitsto be given to particular accounts and to cause thosebits to beset on a user's initial processes when they log in, inwhichcase you must have CAP_NET_RAW in order tocapture andCAP_NET_ADMIN to enumerate network devices with, forexample,

              the -D flag).

       Under ULTRIX and Digital UNIX/Tru64 UNIX:

Any user may capture network traffic with tcpdump.However, nouser (not even the super-user) can capture inpromiscuous modeon an interface unless the super-user has enabledpromiscuous-mode operation on that interface using pfconfig(8), andno user(not even the super-user) can capture unicast trafficreceivedby or sent by the machine on an interface unless thesuper-userhas enabled copy-all-mode operation on thatinterface usingpfconfig, so useful packet capture on an interfaceprobablyrequires that either promiscuous-mode or copy-all-modeopera-tion, or both modes of operation, be enabled on thatinterface.


       Under BSD (this includes Mac OS X):

You must have read access to /dev/bpf*. On BSDs witha devfs(this includes Mac OS X), this might involve more thanjust hav-ing somebody with super-user access setting theownership orpermissions on the BPF devices - it might involveconfiguringdevfs to set the ownership or permissions every time thesystemis booted, if the system even supports that; if itdoesn't sup-port that, you might have to find some other way tomake that

              happen at boot time.

 tethereal could not acces to eth0

Then you're probably running on Linux, in which case you need to beroot, unless there's some way to get Ethereal or Tethereal to run withthe CAP_NET_RAW capability bit (I don't know how to arrange that it runwith that bit set).

- can we specify our preferences files instead of the .preference withis on $HOME ?

The "preference" file in $HOME/.ethereal *IS* your preference file.There is no way to have Ethereal look elsewhere for a user preferencefile (it's not as if you could have your preference file specify wherethe preference file is :-)).

You can have a "global" preference file in the directory in whichEthereal's configuration files are stored (which is probably"/usr/share/ethereal" if Ethereal is in "/usr/bin" and"/usr/local/share/ethereal" if Ethereal is in "/usr/local/bin"), whichapplies to *all* users; your personal preference file will overridesettings in the global preference file, which will override thedefaults.

PS : Is protocol like pop, nntp, ftp will support the desegmentfunction soonly ?

Only if somebody contributes code soon to support them. I don't knowwhether anybody's working on that.

Follow-Ups:
- Re: [Ethereal-users] root process, preferences files
  - From: Richard Urwin

References:
- [Ethereal-users] root process, preferences files
  - From: Nosnos

Prev by Date: [Ethereal-users] Ethereal + Mac OS X 10.3 + Fink + Playback RTP Audio
Next by Date: Re: [Ethereal-users] tethereal and url
Previous by thread: [Ethereal-users] root process, preferences files
Next by thread: Re: [Ethereal-users] root process, preferences files
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$