Wireshark-users: Re: [Wireshark-users] Mechanism used by Wireshark to list Interfaces for Monitor

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 15 Jul 2014 11:47:08 -0700
On Jul 15, 2014, at 8:12 AM, Jay Flow <jayflow4780@xxxxxxxxx> wrote:

> I am trying to understand the process as to how Wireshark version 1.10.8, running on Fedora 10 64-bit, determines which interfaces it can use to monitor traffic.

It runs dumpcap with the -D option, and reads its output over a pipe.  (It also uses the "-Z" flag, which changes the output format to make it easier for Wireshark to parse.)

Dumpcap determines which interfaces it can use to monitor traffic by calling pcap_findalldevs().

> I have a Riverbed TurboCAP board installed, along with its drivers and using a terminal level command I can verify the eight TurboCAP Ethernet interfaces are active.

Is the terminal-level command "tcpdump -D"?  If not, then it isn't necessarily a command using libpcap, and therefore isn't necessarily a test that will show you what programs using libpcap, such as tcpdump and Wireshark, will see.

TurboCAP support is part of WinPcap, the port of libpcap to Windows, but support for it on Linux is *not* part of standard libpcap-for-UN*X, unless its driver makes it look exactly like a regular network interface connected to the Linux networking stack, so the libpcap that comes with Linux distributions probably won't support it "out of the box".

Presumably Riverbed has some software that can be installed that will add libpcap support for TurboCAP boards; if so, have you installed it?

> Initially, Wireshark did not show the onboard eth0 interface either, but after performing an “ifup eth0” command, Wireshark was able to list it as an interface it could use.

Most versions of libpcap explicitly reject interfaces that aren't "up"; this was changed recently:

	https://github.com/the-tcpdump-group/libpcap/issues/336

but your system probably doesn't have a version of libpcap with that change.

> I did read a FAQ on the Wireshark website which implied I may have to create a Wireshark group, change its permissions and ensure that only the root or a user in the Wireshark group could start Wireshark.

Presumably you're referring to

	http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

but if you were able to use eth0, you may already have done that.

That Wireshark Wiki item refers only to regular network interfaces; it may or may not apply to TurboCAP interfaces, depending on how Riverbed's software works.

> I also read that I may have to check the kernel has this configuration statement, “packet socket= enabled”.  I will look into this but I’m not sure this will resolve this issue.

As per the Linux section of

	http://wiki.wireshark.org/CaptureSetup/CaptureSupport

the kernel needs to have that configured, but

	1) as that item says, "most recent versions of distributions do so", and Fedora 10 is probably recent enough (I think the default setting has been "enabled" in the Linux kernel configuration process for many, many years now)

and

	2) the fact that Wireshark reports eth0 means that it *is* enabled on your kernel

and

	3) that also applies only to regular network interfaces, and may or may not apply to TurboCAP interfaces, depending on how Riverbed's software works.

> Prior to installing Wireshark ver 1.10.8, I did have an earlier version of Wireshark working and it was able to list all of the eight TurboCAP interfaces and eth0,

Was that a standard version of Wireshark, or a special version from Riverbed?
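The reply above lists three things a regular Linux interface needs before libpcap (and therefore dumpcap -D and Wireshark) will list it: packet sockets in the kernel, the interface being "up" (older libpcap skips interfaces without IFF_UP), and capture privileges for the user. The script below is an added diagnostic example, not code from the thread, from Wireshark or from libpcap; it checks those three preconditions the way you would from a terminal. It assumes the usual Linux locations (/sys/class/net/<if>/flags as a hex bitmask with IFF_UP = 0x1, the Fedora kernel config at /boot/config-$(uname -r), dumpcap at /usr/sbin/dumpcap) and a capture group named "wireshark"; the paths are parameters so the helpers can be run against constructed input. It says nothing about TurboCAP interfaces, which, as the reply notes, depend on Riverbed's software.

```shell
#!/bin/sh
# Added diagnostic example (not from the mailing list thread above).
# Checks the Linux preconditions for an interface to appear in "dumpcap -D":
#   1. the kernel has packet sockets (CONFIG_PACKET),
#   2. the interface is up (older libpcap rejects interfaces without IFF_UP),
#   3. the user can capture (root, or group membership plus file capabilities
#      on dumpcap as set up per the CapturePrivileges wiki page).
# Paths and the group name are assumptions; the usual Linux locations are
# used as defaults.

# iface_is_up SYSFS_NET_DIR IFNAME
#   /sys/class/net/<if>/flags holds the interface flags as a hex bitmask;
#   IFF_UP is bit 0x1 (linux/if.h). Returns 0 if up, 1 if down, 2 if missing.
iface_is_up() {
    flags_file="$1/$2/flags"
    [ -r "$flags_file" ] || return 2
    read -r flags < "$flags_file" || return 2
    [ $(( flags & 1 )) -ne 0 ]
}

# packet_socket_enabled CONFIG_FILE
#   True if packet sockets are built in (y) or a module (m). Fedora ships the
#   config as /boot/config-$(uname -r); kernels with /proc/config.gz need it
#   zcat'ed into a file first. Returns 2 if the file is unreadable.
packet_socket_enabled() {
    [ -r "$1" ] || return 2
    grep -q '^CONFIG_PACKET=[ym]$' "$1"
}

# user_in_group GROUPNAME
#   True if the invoking user is a member of GROUPNAME.
user_in_group() {
    id -Gn | tr ' ' '\n' | grep -qx -- "$1"
}

# dumpcap_has_caps PATH
#   True if the dumpcap binary carries cap_net_raw file capabilities (what the
#   setcap step on the wiki page grants); 2 if getcap is not installed.
dumpcap_has_caps() {
    command -v getcap >/dev/null 2>&1 || return 2
    getcap "$1" 2>/dev/null | grep -q 'cap_net_raw'
}

# diagnose IFNAME [SYSFS_NET_DIR] [CONFIG_FILE] [DUMPCAP]
#   Prints one line per check; exit status 0 only if every check passed.
diagnose() {
    ifname=$1
    sysfs=${2:-/sys/class/net}
    config=${3:-/boot/config-$(uname -r)}
    dumpcap=${4:-/usr/sbin/dumpcap}          # assumed location
    rc=0

    if packet_socket_enabled "$config"; then
        echo "ok:   CONFIG_PACKET enabled in $config"
    else
        echo "FAIL: CONFIG_PACKET not found in $config (or file unreadable)"; rc=1
    fi

    case $(iface_is_up "$sysfs" "$ifname"; echo $?) in
        0) echo "ok:   $ifname is up" ;;
        1) echo "FAIL: $ifname is down; try 'ifup $ifname' (older libpcap skips down interfaces)"; rc=1 ;;
        *) echo "FAIL: $ifname not present under $sysfs (driver not loaded?)"; rc=1 ;;
    esac

    if [ "$(id -u)" -eq 0 ]; then
        echo "ok:   running as root"
    elif user_in_group wireshark && dumpcap_has_caps "$dumpcap"; then
        echo "ok:   member of group wireshark and $dumpcap has cap_net_raw"
    else
        echo "FAIL: not root; need membership in the capture group and file capabilities on $dumpcap"; rc=1
    fi
    return $rc
}

# Usage: ./diagnose.sh eth0
if [ $# -gt 0 ]; then
    diagnose "$@"
fi
```

Run it as the same non-root user that starts Wireshark, since the privilege check looks at that user's groups; a "FAIL" on the interface line is the case described above, where eth0 only appeared after "ifup eth0".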