Wireshark-users: Re: [Wireshark-users] tshark and /tmp/etherXXXX files

From: "Luis EG Ontanon" <luis@xxxxxxxxxxx>
Date: Mon, 21 Jul 2008 15:49:03 +0200
Have you tried to run it as an unprivileged user?
(dumpcap should be setuid-root making sure that the
unprivileged-user's group can run it, it is designed to run like
that).

Does it forget to erase the files then?

\Lego

On Mon, Jul 21, 2008 at 3:18 PM, Dan Murphy <danmurphy@xxxxxxxxx> wrote:
> permissions on /tmp
> drwxrwxrwt 4 root root 2584576 Jul 21 13:11 /tmp
>
> permissions on the file do not change from during capture to after:
> -rw------- 1 root root 35590 Jul 21 13:11 etherXXXXLraXXe
>
> umask:
> 0022
>
> id:
> uid=0(root)
>
>
> Thanks,
> Dan
>
> On Mon, Jul 21, 2008 at 7:56 AM, Luis EG Ontanon <luis@xxxxxxxxxxx> wrote:
>>
>> Let's get on this:
>>
>> What are the perms on:
>> - /tmp
>> - the /tmp/XXXX files while capturing
>> - the /tmp/XXXX files once left there
>>
>> Are you running as root or as an unprivileged user [ id -a ]?
>> What's your [ umask ]?
>>
>> \Lego
>>
>>
>> On Mon, Jul 21, 2008 at 5:43 AM, Dan Murphy <danmurphy@xxxxxxxxx> wrote:
>> > I'm running CentOS 5.0 X64 on all these hosts.
>> > #uname -a
>> > Linux lmon1.mia1.plx 2.6.18-8.1.15.el5 #1 SMP Mon Oct 22 08:32:28 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>> >
>> > No matter how it exits it leaves these files behind.  I pasted this in a
>> > previous email but even just running it like this:
>> > #tshark -ni eth5 -c 5
>> > It captures 5 packets then exits cleanly leaving the temp file behind.  If
>> > I don't use the count and just ^C it leaves them behind as well.
>> >
>> >
>> > Thanks,
>> > Dan
>> >
>> > On Sun, Jul 20, 2008 at 11:28 PM, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
>> >>
>> >> On Sat, Jul 19, 2008 at 12:26:46PM -0400, Dan Murphy wrote:
>> >>
>> >> > Am I the only person that has reported this behavior or the only
>> >> > person that it's actually become an issue for?  Is this the expected
>> >> > behavior of tshark?
>> >>
>> >> Wireshark/tshark is supposed to clean up these temporary files after it
>> >> is done with them.  They've been a part of Wireshark/Ethereal for a long
>> >> time, including version 0.99.5.  I don't see the problem on my system,
>> >> although it is saving the temporary files into /var/tmp instead of /tmp
>> >> as in your case.  How are you terminating tshark?  A ^C for me allows
>> >> for the cleanup of the temporary file.  What type of Unix are you
>> >> running?
>> >>
>> >>
>> >> Steve
>> >> _______________________________________________
>> >> Wireshark-users mailing list
>> >> Wireshark-users@xxxxxxxxxxxxx
>> >> https://wireshark.org/mailman/listinfo/wireshark-users
>> >
>> >
>>
>>
>>
>> --
>> This information is top security. When you have read it, destroy yourself.
>> -- Marshall McLuhan
>
>



-- 
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
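
The layout suggested in the reply above (dumpcap setuid-root, executable by a designated group only, tshark run as an unprivileged user) can be audited with a short script. This is an added example, not part of the original message or of Wireshark; the function name `check_capture_helper` and its optional owner-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the install permissions of a
# capture helper such as dumpcap.
#
# check_capture_helper PATH [OWNER_UID]
#   Prints one finding per line and returns 0 only when PATH is owned by
#   OWNER_UID (default 0 = root), has the setuid bit, is executable by its
#   group, and is neither executable by others nor writable by group/others.
check_capture_helper() {
    path=$1
    want_uid=${2:-0}            # hypothetical parameter; root unless overridden
    if [ ! -f "$path" ]; then
        echo "not a regular file: $path"
        return 2
    fi

    # ls -n prints numeric ids, e.g. "-rwsr-x--- 1 0 1001 ..."
    meta=$(ls -ldn "$path" | awk '{print $1, $3, $4}')
    mode=${meta%% *}; rest=${meta#* }
    uid=${rest%% *};  gid=${rest#* }

    owner_x=$(printf %s "$mode" | cut -c4)    # "s" = setuid plus owner execute
    group_x=$(printf %s "$mode" | cut -c7)    # "x" or "s" = group may execute
    other_x=$(printf %s "$mode" | cut -c10)   # "x" or "t" = anyone may execute
    writers=$(printf %s "$mode" | cut -c6,9)  # group/other write bits

    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid is $uid, expected $want_uid"; rc=1
    fi
    if [ "$owner_x" != s ]; then
        echo "setuid bit not set ($mode): unprivileged users cannot capture"; rc=1
    fi
    case $group_x in
        x|s) ;;
        *) echo "group $gid cannot execute ($mode)"; rc=1 ;;
    esac
    case $other_x in
        x|t) echo "world-executable ($mode): any local user can capture"; rc=1 ;;
    esac
    case $writers in
        *w*) echo "writable by group or others ($mode)"; rc=1 ;;
    esac
    return $rc
}

# Typical call, left commented so the file can be sourced safely:
#   check_capture_helper "$(command -v dumpcap)"
```
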