Den Delimarsky

I am an engineer working on API documentation, security and machine learning.


Setting up a network capture box with Ubuntu and Wireshark

Mar 22, 2012
2 minutes read

For a college project I had to set up an Ubuntu box and work on a network analysis assignment. I have worked on this kind of task on Windows before, and got some pretty interesting results by sniffing Windows Phone, Xbox and Windows 8 traffic with Wireshark. Ubuntu is a new environment for me, and it turns out the actual capture process works a bit differently.

I downloaded Wireshark, but was greeted with an empty interface list.

There were no interfaces I could capture data on. With a little research, I found out that this is, in fact, a built-in restriction. When Wireshark runs without root permissions, it will not let the user capture data on any of the registered network interfaces. So what are the options?

First and foremost, it is still possible to use the dumpcap tool. Open the Terminal (Ctrl+Alt+T) and type in sudo dumpcap -i NAME_OF_THE_INTERFACE. Depending on the individual system configuration, there might be a different number of network interfaces. To make sure that you are capturing on the right one, use the ifconfig command, which will give you a list of the registered interfaces.

In my case, the computer was connected to a wireless network, so I had to monitor the wlan0 interface.

The captured file is in PCAP format, so it can be easily analyzed in Wireshark. A problem appeared when I tried to open the file, however.

When dumpcap was run, it was elevated - remember the sudo prefix. This means that the file it creates is also only accessible with elevated permissions. So I ran Wireshark from the Terminal with sudo wireshark. That way I was able to read the file, and the available capture interfaces showed up as well.

There is one more way to make capturing easier, by the way. If you are absolutely sure about the people who are using a specific machine and want to enable capture without elevated permissions, run sudo dpkg-reconfigure wireshark-common. You will be prompted with a security dialog asking whether to allow this.

NOTE: Make sure you are aware of the security implications that come with this decision.
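As an added example (not from the original post), here is the capture step as a small POSIX shell script: it runs dumpcap under sudo, then hands the PCAP back to the invoking user so Wireshark can open it without running the whole GUI as root, and it includes two helpers that tell you whether dpkg-reconfigure wireshark-common has already granted non-root capture on the box. The interface name, packet count and output path are assumptions passed as arguments.

```shell
#!/bin/sh
# Capture to a PCAP file with dumpcap and hand it to the unprivileged user,
# instead of opening Wireshark itself with sudo just to read the file.
set -eu

# Returns 0 when a `getcap /usr/bin/dumpcap` line shows the two capabilities
# that the wireshark-common reconfigure grants (cap_net_raw and cap_net_admin).
# Both getcap output styles are handled ("= caps+eip" and "caps=eip").
dumpcap_has_caps() {
    case "$1" in
        *cap_net_raw*cap_net_admin*|*cap_net_admin*cap_net_raw*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a space-separated group list (as printed by `id -nG`)
# contains the "wireshark" group that the reconfigure step uses.
in_wireshark_group() {
    for g in $1; do
        [ "$g" = wireshark ] && return 0
    done
    return 1
}

# Reports whether this user can already capture without sudo.
nonroot_capture_ready() {
    dumpcap_has_caps "$(getcap /usr/bin/dumpcap 2>/dev/null || true)" \
        && in_wireshark_group "$(id -nG)"
}

# Capture $2 packets on interface $1 into $3 (run this with sudo), then
# chown the file to the user who invoked sudo so it opens without elevation.
# `dumpcap -D` lists the interface names if you are unsure which to use.
capture_and_handoff() {
    iface="$1"; count="$2"; out="$3"
    dumpcap -i "$iface" -c "$count" -w "$out"
    if [ -n "${SUDO_USER:-}" ]; then
        chown "$SUDO_USER" "$out"
    fi
    chmod 0600 "$out"   # the capture may contain credentials; keep it private
}

# Usage: sudo sh capture.sh wlan0 100 ~/capture.pcap
if [ "$#" -eq 3 ]; then
    capture_and_handoff "$@"
fi
```

If nonroot_capture_ready succeeds, plain `dumpcap -i wlan0 -w file.pcap` and Wireshark's own interface list work without sudo, and the chown step becomes unnecessary.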
