Wireshark-dev: [Wireshark-dev] tshark using dumpcap almost there - please defer any capture rel
From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Wed, 12 Sep 2007 20:51:23 +0200
Hi List!

I've mostly finished the work to reimplement tshark to call dumpcap instead of pcap directly. This implements the long awaited better privilege seperation for tshark.

As I'll be "on the move" until the end of next week (about Sa. 22nd) please defer any changes in the pcap/dumpcap/tshark code until at least that date, to avoid the ugly need to merge things. I don't want to check in the stuff already today, as this will certainly break the build somehow and I guess it will raise some problems to be solved - and I won't have the time to work on it for the next days.


Some things I've already noticed that still needs a solution:

1) Read filters won't really work as they did before.
dumpcap don't know anything about display filter code (by definition), so it can't handle the read filter by itself and simply writes all packets that goes through the capture filter. With the new implementation, I don't have a good idea to solve this in tshark - BTW we have the same problem in Wireshark already today.

2) Event Loop polling.
tshark now has to read from a pipe to get news from dumpcap. To read from this pipe, tshark needs a sort of an event loop. The method used in Wireshark uses GDK specific things which are not available in "plain glib". I've implemented a very simply loop which tries to read every 200ms (g_usleep) from the pipe. This works for now, but we might want to have a better implementation here in the long run.

3) privileges
As far as I understand it, tshark will now be using normal user privileges and calls setuid dumpcap when it starts capturing. So in the end we won't need any special privilege dropping as it is currently implemented in tshark? We might only want to note the user if he's running tshark as root - but that's it with privileges in the code?


These upcoming tshark changes should also make it possible to move all pcap related code into dumpcap and remove any pcap code from Wireshark / tshark (well, after some general capture code cleanup).

Regards, ULFL