Wireshark-dev: Re: [Wireshark-dev] nflog in qt and gtk

From: Dario Lombardo <dario.lombardo.ml@xxxxxxxxx>
Date: Fri, 19 Dec 2014 11:55:47 +0100


On Fri, Dec 19, 2014 at 11:44 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:

If I need to perform a capture, i just overwrite dumpcap with:
ln -sfv /usr/bin/dumpcap /tmp/wsbuild/run/

It looks like you also avoid overwriting this file/symlink by disabling
dumpcap building:

    cmake -DBUILD_dumpcap=0 ...


Nice suggestions, thank you.
Nope, it won't work at the moment. The problem is that NFLOG can only be
opened by one user which is a kernel limitation. From
net/netfilter/nfnetlink_log.c:

        inst = instance_lookup_get(log, group_num);
        if (inst && inst->peer_portid != NETLINK_CB(skb).portid) {
                ret = -EPERM;
                goto out_put;
        }


When wireshark-qt waits in the main screen, it shows a graph for each interface. Is it generated by "dumpcap -S -Z none"? When capture starts, those graphs are not shown anymore. Wouldn't be a solution to kill "dumpcap -S -Z none" when in capture and re-run it again when in home screen?