Wireshark · Wireshark-users: Re: [Wireshark-users] Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-U

Wireshark-users: Re: [Wireshark-users] Unable to get tshark to capture packets when running as us

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Tue, 18 May 2010 10:58:26 -0700

On May 18, 2010, at 10:50 AM, Fisher, AJ wrote:

> I can capture packets just fine when I run tshark as root but not as local user.
> 
> This is the output I get as user on RHEL 4.6:
> 
> $ tshark
> Capturing on eth0
> 0 packets captured

I'm surprised that it's not giving you an error on Linux.  What's printed if you run it under strace?

> This is the output I get when I run as user on HP-UX 11.31:
> $ tshark
> tshark: Couldn't load module /opt/iexpress/wireshark/lib/wireshark/plugins/1.0.11/asn1.so: Unsatisfied code symbol 'g_node_insert_before' in load module '/opt/iexpress/wireshark/lib/wireshark/plugins/1.0.11/asn1.so'.
> Capturing on lan0
> tshark: Can't install filter (recv_ack: promisc_phys: UNIX error - Not owner).

You cannot capture promiscuously on HP-UX unless you're root.

If you only want to capture traffic to and from the HP machine, and broadcast and multicast traffic received by the HP machine, use "tshark -p", to turn promiscuous mode off.

References:
- [Wireshark-users] Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31
  - From: Fisher, AJ

Prev by Date: Re: [Wireshark-users] The capturefile appears to be damaged orcorrupt. (pcap: Fileshas 109736-byte packet, bigger than maximum of 65535)
Next by Date: Re: [Wireshark-users] The capturefile appears to be damaged orcorrupt. (pcap: Fileshas 109736-byte packet, bigger than maximum of 65535)
Previous by thread: [Wireshark-users] Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31
Next by thread: Re: [Wireshark-users] Unable to get tshark to capture packets when running as user on RHEL 4.6, HP-UX 11.31
Index(es):
- Date
- Thread