Wireshark-dev: Re: [Wireshark-dev] nflog in qt and gtk

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Fri, 19 Dec 2014 11:44:25 +0100
On Friday 19 December 2014 11:08:01 Dario Lombardo wrote:
> On Thu, Dec 18, 2014 at 4:29 PM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
> >
> >
> > You should not run Wireshark with sudo, instead set the appropriate
> > privileges on the dumpcap binary as described at
> > http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
> >
> >
> Generally speaking, you are right, and it's what I do with my stable
> Wireshark. But with my development version, the setcapped binary is
> overwritten every time I recompile. So I use the master compiled version
> with sudo.

If I need to perform a capture, I just overwrite dumpcap with:

    ln -sfv /usr/bin/dumpcap /tmp/wsbuild/run/

It looks like you can also avoid overwriting this file/symlink by disabling
the dumpcap build:

    cmake -DBUILD_dumpcap=0 ...

> > > What did I do wrong?
> >
> > I have spent some minutes debugging it and it turns out that you
> > cannot have two open sockets for NFLOG.
> >
> > Reproducer:
> > $ dumpcap -i nflog -w /dev/null
> > Capturing on 'nflog'
> > File: /dev/null
> > (in a different shell)
> > $ dumpcap -i nflog -w /dev/null
> > Capturing on 'nflog'
> > dumpcap: The capture session could not be initiated on interface 'nflog'
> > (Can't listen on group group index: Operation not permitted).
> > Please check to make sure you have sufficient permissions, and that you
> > have the proper interface or pipe specified.
> >
> > The difference between GTK and Qt is that Qt additionally executes
> > `dumpcap -S -Z none` which seems to open a socket for each available
> > interface to collect stats.
> >
> > At this point I stopped debugging, hope it helps.
> 
> 
> If I've got the point, Wireshark Qt is not expected to work with nflog,
> right? If stats can't be stopped, it won't work.

Nope, it won't work at the moment. The problem is that NFLOG can only be
opened by one user, which is a kernel limitation. From
net/netfilter/nfnetlink_log.c (nfulnl_recv_config):

	/* the group is already bound to another netlink socket (different
	 * portid), so the second bind request is refused with -EPERM, which
	 * is the "Operation not permitted" seen from dumpcap above */
	inst = instance_lookup_get(log, group_num);
	if (inst && inst->peer_portid != NETLINK_CB(skb).portid) {
		ret = -EPERM;
		goto out_put;
	}
-- 
Kind regards,
Peter
https://lekensteyn.nl
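The workaround described in this message (replacing the freshly built dumpcap in the build tree's run/ directory with a symlink to the system dumpcap that already carries capture privileges), written out as an added example. This is not code from the thread or from the Wireshark project; the function names, the privilege check, the "regular-file"/"missing" status words and the example paths are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from Wireshark.
# A development tree rebuilds its own unprivileged dumpcap on every compile,
# so point BUILD_RUN_DIR/dumpcap at the system dumpcap that was set up as
# described in CaptureSetup/CapturePrivileges, instead of running with sudo.

# dumpcap_is_privileged PATH
# 0 if PATH is setuid root or carries cap_net_raw and cap_net_admin,
# 1 if it carries neither, 2 if that cannot be checked (no getcap here).
dumpcap_is_privileged() {
    path="$1"
    [ -x "$path" ] || return 1
    # setuid-root dumpcap, the older way of granting capture rights
    if [ -u "$path" ] && [ "$(ls -ld "$path" | awk '{print $3}')" = root ]; then
        return 0
    fi
    command -v getcap >/dev/null 2>&1 || return 2
    caps=$(getcap "$path" 2>/dev/null || true)
    case "$caps" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# use_system_dumpcap SYSTEM_DUMPCAP BUILD_RUN_DIR
# Replace BUILD_RUN_DIR/dumpcap with a symlink to SYSTEM_DUMPCAP.
# Returns 1 if SYSTEM_DUMPCAP is not an absolute path to an executable file,
# 2 if the link could not be created. Warns (but still links) when the
# system binary does not look privileged: a link cannot add privileges.
use_system_dumpcap() {
    sys="$1"
    rundir="$2"
    case "$sys" in
        /*) ;;
        *) echo "$sys: give an absolute path so the link resolves from $rundir" >&2; return 1 ;;
    esac
    [ -f "$sys" ] && [ -x "$sys" ] || { echo "$sys: not an executable file" >&2; return 1; }
    rc=0
    dumpcap_is_privileged "$sys" || rc=$?
    case $rc in
        1) echo "warning: $sys is neither setuid root nor has cap_net_raw,cap_net_admin" >&2 ;;
        2) echo "note: getcap not found, could not verify capabilities on $sys" >&2 ;;
    esac
    mkdir -p "$rundir" || return 2
    # Name the link explicitly rather than passing the directory, so an
    # existing run/dumpcap (a fresh build or a stale link) is replaced.
    ln -sf "$sys" "$rundir/dumpcap" || return 2
    echo "$rundir/dumpcap -> $sys"
}

# build_dumpcap_target BUILD_RUN_DIR
# Print where BUILD_RUN_DIR/dumpcap points; "regular-file" means a rebuild
# has dropped a real (unprivileged) binary over the link, "missing" means
# there is no dumpcap there at all.
build_dumpcap_target() {
    f="$1/dumpcap"
    if [ -L "$f" ]; then
        readlink "$f"
    elif [ -e "$f" ]; then
        echo regular-file
    else
        echo missing
    fi
}

# Invoke directly with two arguments, for example:
#   ./link-dumpcap.sh /usr/bin/dumpcap /tmp/wsbuild/run
if [ "$#" -eq 2 ]; then
    use_system_dumpcap "$1" "$2"
fi
```

Run build_dumpcap_target after each recompile: "regular-file" means the build has clobbered the link and use_system_dumpcap has to be re-run, which is exactly the churn that configuring with -DBUILD_dumpcap=0 avoids. Note that this only addresses the privilege question; the NFLOG problem above (a group bound to one netlink portid refusing a second bind) is independent of how dumpcap obtained its privileges.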