Setting Up A Network Capture Box With Ubuntu And Wireshark

It's easier than you think to set up a machine for network traffic capture and analysis.

By Den Delimarsky in Hackery

March 22, 2012

For a college project I had to set up an Ubuntu box and work on a network analysis assignment. I had worked on this kind of task on Windows, and got some pretty interesting results by sniffing Windows Phone, Xbox and Windows 8 traffic with Wireshark. Ubuntu is a new environment for me, and I figured that the actual capture process is set up a bit differently.

I downloaded Wireshark, but was greeted with this:

Image lost since transition to new blog.

There are no interfaces I could capture data on. With a little research, I found out that it is, in fact, a built-in restriction. When Wireshark is running outside the administrative sandbox, without root permissions, it won't allow the user to capture data on any of the registered network interfaces. So what are the options?

First and foremost, it is still possible to use the dumpcap tool. Open the Terminal (Ctrl+Alt+T) and type in dumpcap -i NAME_OF_THE_INTERFACE. The number of network interfaces varies from system to system, so to make sure that you are capturing on the right one, use the ifconfig command. That will give you a list of registered interfaces.

In my case, the computer was connected to a wireless network, so I had to monitor the wlan0 interface.

The captured file is in PCAP format, so it can be analyzed easily in Wireshark. A problem appeared when I tried to open the file, however.

When dumpcap was run, it was elevated - remember the sudo prefix. This means that the file it creates will also only be accessible with elevated permissions. I ran Wireshark from the Terminal - sudo wireshark. I was able to read the file, as well as see the available capture interfaces:

Image lost since transition to new blog.

This is one way to make capture easier, by the way. If you are absolutely sure about the people who are using a specific machine and want to enable capture without elevated permissions, run sudo dpkg-reconfigure wireshark-common. You will be prompted with a security dialog:

Image lost since transition to new blog.

NOTE: Make sure you are aware of the security implications that come with this decision.
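As an added example (not code from the original post): a small POSIX shell script for the workflow above. It runs the elevated dumpcap capture, hands the root-owned pcap back to the invoking user so a non-root Wireshark can open it, and checks the result is a readable PCAP file; it also checks membership of the wireshark group that dpkg-reconfigure wireshark-common offers to set up. The interface name, packet count and output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the Ubuntu capture
# workflow: run dumpcap elevated, give the root-owned pcap back to the
# invoking user, and check the result before opening it in Wireshark.
# The interface name, packet count and output path below are assumptions.

# 0 if USER is a member of GROUP (e.g. the "wireshark" group that
# "sudo dpkg-reconfigure wireshark-common" offers to grant capture rights to).
has_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# 0 if FILE starts with a pcap global-header magic number
# (big- or little-endian, microsecond or nanosecond timestamp variant).
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the current (unprivileged) user can read FILE; a capture written by
# "sudo dumpcap" fails this until its ownership is changed.
readable_by_me() {
    [ -r "$1" ]
}

# Capture COUNT packets on IFACE into OUT as root, then hand the file to the
# user who invoked sudo so that Wireshark can open it without elevation.
capture_for_user() {
    iface=$1; out=$2; count=${3:-100}
    sudo dumpcap -i "$iface" -c "$count" -w "$out" || return 1
    # dumpcap ran as root, so OUT is root-owned; chown it back to us.
    sudo chown "$(id -un)" "$out" || return 1
    is_pcap "$out" && readable_by_me "$out"
}

# Usage: sh capture.sh wlan0 /tmp/wlan0.pcap [packet-count]
if [ "$#" -ge 2 ]; then
    capture_for_user "$1" "$2" "${3:-100}" && echo "capture ready: $2"
fi
```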
