Wireshark

About

Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. In June 2006 the project was renamed from Ethereal due to trademark issues.

Installation

Just use emerge to install wireshark. emerge --ask --verbose wireshark. If you want a GUI to comfortably look at all the data you captured, add the gtk useflag before building wireshark: echo net-analyzer/wireshark gtk >> /etc/portage/package.use

It's also advised to add your normal user to the wireshark group, although it seems to work without doing this on my machine. If you want to add the user "noname" to the wireshark group, do a usermod -a -G wireshark noname

Usage

Running Wireshark the right way

The Wireshark wiki advises users of linux distributions to capture the network data with the program dumpcap (included with Wireshark), as Wireshark itself should not be trusted with root privileges.

Type dumpcap -h to get an idea of possible ways to use it. An example would be dumpcap -i eth0 -a duration:60 -w output.pca, which captures all data (= promiscious mode) coming to the device eth0 for a duration of 60 seconds and writes the resulting data into the file "output.pca".

When the capturing process is finished you should give the user read access to the "output.pca" file, startup Wireshark as a non-root user and open the output.pca file.

Running Wireshark as root (Possibly dangerous!)

Wireshark warns the user to not run it as root during install, but it's apperantly not possible to use the GUI to capture network traffic if you start it without root-privileges. If you absolutely need this functionality, do the following:

• Allow root to run Xapps

1. Edit /etc/profile
2. Add this line to /etc/profile:

   export XAUTHORITY="${HOME}/.Xauthority"  

• Use su to become root: su root

• Run Wireshark: wireshark