9.10 Karmic upgrade removes Wireshark (as root)

Asked by Matt Burkhardt

Binary package hint: wireshark

When upgrading from 9.04 to 9.10, the process removed "Wireshark (as root)" from the list of menu options and left "Wireshark". I ended up having to do a little digging to recreate the right command to get Wireshark to run as root. Otherwise, it does not list any capture devices.

Question information

Language: English
Status: Solved
For: Ubuntu wireshark
Assignee: No assignee
Solved by: Mathieu Trudel-Lapierre
Mathieu Trudel-Lapierre (cyphermox) said:
#1

Indeed, it is no longer there in the package, so this is "expected" behavior, upgrade or otherwise...

Apparently, this was done in the Debian packaging in version 1.2.1-2:

wireshark (1.2.1-2) unstable; urgency=low

  * added option to install dumpcap with setuid root
  * removed wireshark-root.desktop to discourage running Wireshark as root
  * dropped umask patch

 -- Balint Reczey <email address hidden> Tue, 28 Jul 2009 18:30:03 +0200

This is because running Wireshark as root potentially puts you at risk, as it could compromise your computer in the event that a malicious packet was intercepted or willingly sent to the capture device.

I'm converting this to a question, in order to provide the information on how to deal with this special case.

Mathieu Trudel-Lapierre (cyphermox) said:
#2

This rather requires an explanation of the rationale for not running wireshark as root, as well as proposing an alternative workflow.

Mathieu Trudel-Lapierre (cyphermox) said (best answer):
#3

Here is the detailed information from the wireshark wiki on why you should not run Wireshark as root:
http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

Essentially, it is because it puts you at risk, and the various parts that make up wireshark, when running on a live packet capture and as root, could be exploited by malicious packets towards various ends, such as giving root access to your system to an attacker.

Instead of running wireshark as root, consider using the dumpcap or tcpdump commands, like this:
dumpcap -w ./dumpfile
which will create "dumpfile" in the current directory; you could later open it with wireshark and view and parse it in a much safer way -- or on a different, secured system.
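The workflow in the answer above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the Wireshark or Debian packaging; it assumes dumpcap lives at /usr/bin/dumpcap and that the Debian/Ubuntu wireshark-common package grants capture rights either by the setuid-root install mentioned in the 1.2.1-2 changelog or (in later packaging, an assumption here) by file capabilities for members of a "wireshark" group. The capture is bounded with an autostop condition so it does not have to be interrupted by hand before the file is opened in Wireshark.

```shell
#!/bin/sh
# Added example (not from the Launchpad thread): capture as an unprivileged
# user with dumpcap, then open the file in Wireshark as the same user.
# Assumed paths/names: /usr/bin/dumpcap, the "wireshark" group.

# Report how a dumpcap binary gets its capture privilege:
#   "setuid"  -> setuid-root bit set (the 1.2.1-2 packaging option)
#   "caps"    -> file capabilities including cap_net_raw (assumed newer packaging)
#   "none"    -> neither; only root could capture with it
#   "missing" -> the path does not exist
# The path is a parameter so any binary can be inspected.
capture_priv_mode() {
    bin="$1"
    [ -e "$bin" ] || { echo "missing"; return 0; }
    if [ -u "$bin" ]; then
        echo "setuid"
    elif command -v getcap >/dev/null 2>&1 && getcap "$bin" 2>/dev/null | grep -q cap_net_raw; then
        echo "caps"
    else
        echo "none"
    fi
}

# Build the dumpcap command line for a bounded capture:
#   -i <iface>          interface to listen on
#   -a duration:<secs>  stop automatically after <secs> seconds
#   -w <file>           write the capture file for Wireshark to read later
dumpcap_cmd() {
    iface="$1"; seconds="$2"; out="$3"
    echo "dumpcap -i $iface -a duration:$seconds -w $out"
}

# One-time setup on Debian/Ubuntu (needs sudo; shown as comments, not run here):
#   sudo dpkg-reconfigure wireshark-common   # answer "Yes" to non-superuser capture
#   sudo usermod -aG wireshark "$USER"        # then log out and back in
#   id -nG | grep -qw wireshark && echo "member of wireshark group"

main() {
    mode=$(capture_priv_mode /usr/bin/dumpcap)
    echo "dumpcap privilege mode: $mode"
    cmd=$(dumpcap_cmd eth0 30 ./dumpfile.pcapng)
    echo "capture command: $cmd"
    # To actually capture and then inspect the file without root:
    #   $cmd && wireshark ./dumpfile.pcapng
}

main
```

Only dumpcap (a small, single-purpose program) ever runs with elevated rights; the dissectors in Wireshark itself parse the saved file under your normal account, which is the point of the answer above.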

Matt Burkhardt (matthewboh) said:
#4

I understand, but then why not make Wireshark behave that way: create a dump file and then read that in. It just seems so much more difficult to go to the command line, create a dump file (you probably then have to stop the dumping?), open Wireshark and read your dump file in.

Perhaps you could have a button to sign on as root within Wireshark but with a strong warning along the lines of "Do not use this in government facilities or with any information or systems that will put you in non-compliance with security standards". I'm running it on my home systems and if someone gets my mp3's, it's not going to kill me.

I have used Wireshark mainly to do some basic debugs and troubleshooting and find it very helpful.

Alexandr Udovichenko (gragdanin) said:
#5

>I have used Wireshark mainly to do some basic debugs and troubleshooting and find it very helpful.

and I too...