Run Wireshark in openSUSE as non-root user

There are two aspects of using Wireshark in openSUSE: capturing packets and displaying packets. To display packets or view pcap files you don’t need to run Wireshark as root. You also don’t need to do anything extra other than installing it. However, to capture packets you need root privileges. If you don’t have root privileges or want to capture packets as your regular user then you need a few extra steps.

Install Wireshark: sudo zypper install wireshark

Run Wireshark as non-root user to view captures

There is one caveat to running Wireshark in openSUSE as a non-root user: when you start Wireshark from the GUI (say GNOME Shell) you are prompted for the root password. The workaround is to create a local wireshark.desktop file, copied from /usr/share/applications/wireshark.desktop, with one small modification.

sed -e 's!Exec=/usr/bin/xdg-su -c /usr/bin/wireshark %f!Exec=/usr/bin/wireshark %f!g' /usr/share/applications/wireshark.desktop > /home/cguser/.local/share/applications/wireshark.desktop

In the command above we are creating a copy of /usr/share/applications/wireshark.desktop and saving it to /home/cguser/.local/share/applications/wireshark.desktop. The one change we make is to execute Wireshark as a regular user and not as root. You’ll have to do this for all non-root users who need to run Wireshark.

Now when you start Wireshark as a regular (non-root) user you’ll be able to display packets without providing root credentials.

Run Wireshark as non-root user to capture packets

This portion was taken from Sniffing with Wireshark as a Non-Root User. Read that page first before proceeding.

Install setcap to set the capabilities of /usr/bin/dumpcap: sudo zypper install libcap-progs

Create a new group wireshark to restrict users who can use Wireshark to capture packets: sudo groupadd wireshark

Add your user to the wireshark group to be able to capture packets: sudo usermod -a -G wireshark cguser

Change the group of dumpcap to wireshark: sudo chgrp wireshark /usr/bin/dumpcap

Change the permissions of dumpcap so that only members of the wireshark group can run it: sudo chmod o-rwx /usr/bin/dumpcap

Set the capabilities required by dumpcap to run since its group is no longer root: sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

View the capabilities of dumpcap to confirm they were set correctly: getcap /usr/bin/dumpcap

/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

Logout and login again to finalize the addition of your user to the wireshark group.

Now when you start Wireshark as a regular (non-root) user you’ll be able to capture packets without providing root credentials.
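The steps above leave three things to verify: the capabilities on dumpcap, its group and mode, and your own group membership. This added audit script (not part of the original post) checks each one; the checks take the text they inspect as an argument so they can be run against live output or, as in the comments, against saved output.

```shell
#!/bin/sh
# Added example: audit the non-root capture setup described above.
# Expected state: dumpcap owned by group 'wireshark', no permissions for
# 'other' (chmod o-rwx), and cap_net_admin,cap_net_raw in the e/i/p sets.
DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}

# caps_ok "<getcap output>": both capabilities present with the eip sets.
# Older libcap prints "path = cap_a,cap_b+eip", newer "path cap_a,cap_b=eip".
caps_ok() {
    line=$1
    case $line in *cap_net_admin*) ;; *) return 1 ;; esac
    case $line in *cap_net_raw*) ;; *) return 1 ;; esac
    case $line in *+eip*|*=eip*) return 0 ;; *) return 1 ;; esac
}

# owner_ok "<group> <octal mode>" (as printed by stat -c '%G %a'):
# group must be wireshark and the 'other' digit must be 0.
owner_ok() {
    set -- $1
    group=$1
    mode=$2
    [ "$group" = wireshark ] || return 1
    other=${mode#${mode%?}}    # last octal digit = permissions for 'other'
    [ "$other" = 0 ]
}

# member_ok "<id -Gn output>": the user's groups include wireshark.
# A missing entry after usermod usually means no re-login yet.
member_ok() {
    for g in $1; do
        [ "$g" = wireshark ] && return 0
    done
    return 1
}

# Live audit against this machine (needs getcap and GNU stat installed).
audit_dumpcap() {
    caps_ok "$(getcap "$DUMPCAP" 2>/dev/null)" \
        || { echo "capabilities missing on $DUMPCAP"; return 1; }
    owner_ok "$(stat -c '%G %a' "$DUMPCAP")" \
        || { echo "group or mode wrong on $DUMPCAP"; return 1; }
    member_ok "$(id -Gn)" \
        || { echo "$(id -un) is not in group wireshark (log out and in)"; return 1; }
    echo "non-root capture setup looks correct"
}

# Only run the live audit where dumpcap is actually installed.
[ -e "$DUMPCAP" ] && audit_dumpcap
```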

Note: This was tested working in openSUSE 13.1.

Using Wireshark in Ubuntu

There are two aspects of using Wireshark in Ubuntu (or Debian for that matter): capturing packets and displaying packets. To display packets or view pcap files you don’t need to run Wireshark as root. You also don’t need to do anything extra other than installing it. However, to capture packets you need root privileges. If you don’t have root privileges or want to capture packets as your regular user then you need a few extra steps.

Install Wireshark: sudo apt-get install wireshark

Configure Wireshark to allow non-root users to capture packets: sudo dpkg-reconfigure wireshark-common

Add your user to the wireshark group to be able to capture packets: sudo usermod -a -G wireshark cguser

Logout and login again to finalize the addition to the group.

Now when you start Wireshark as a regular (non-root) user you’ll be able to capture and display packets.

Note: This was tested working in Ubuntu 14.04 LTS Trusty Tahr.

Convert PCAP file to Text

I searched high and low for a way to convert a Wireshark trace in pcap format into a text file. The only resource that really helped was PCAP format file conversion. On the command line, run:

tshark -V -r file_to_convert.pcap

It displays the trace as text. To save the output to file, I did the following on Windows 2003:

tshark -V -r file_to_convert.pcap > file_to_convert.txt

Of course, I am assuming you have tshark installed. Since I installed everything when I installed Wireshark, tshark was installed already.

Wireshark Filters

Wireshark or Ethereal traces can be filtered to show exactly what you need. Their website has an awesome Display Filter Reference, but it isn’t always clear how to use the filters. This post provides a handful of filters and shows how to use them.

Filter a SIP Trace by Call ID

You might want to filter a trace when you know the Call ID of a call. You may do it the following way:

sip.Call-ID contains "2211178-3446291419-730335"

where 2211178-3446291419-730335 is the Call ID. Some Call IDs contain characters which Wireshark may not accept in an unquoted filter value (the color of the filter field tells you whether the filter is valid); putting the value in double quotes, as above, avoids most of these complaints, otherwise you may have to settle for a unique substring made up only of “valid” characters.

How do you get a Call ID? Well, you would have to look through the first INVITE message to get this piece of information.

Wireshark on CentOS

The most obvious way to install Wireshark on CentOS is

yum install wireshark

But if you are in Gnome (I am not sure about KDE because I didn’t test on it), then you have to install this:

yum install wireshark-gnome

Hat tip: SOLVED – Re: [CentOS] wireshark install did not seem to work