Wireshark-users: Re: [Wireshark-users] How to rid of queries swamping logs in non-online Wireshar

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Mon, 21 Mar 2016 10:54:34 -0400

On Sat, Mar 19, 2016 at 10:53 AM, Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx> wrote:
Hi!

I don't use Wireshark with all the X for capturing traffic. Also because it
takes me long to grasp what's going on, and mostly I just can't do it in real
time, the figuring out of what I need to know about the capture.

I capture with the engine of Wireshark, the dumpcap, instead.

But I use Wireshark for analysis of the traffic. (Often on some other
machine.)

And I was wondering how I could disable, from Wireshark if possible, the
persistent (and futile, in the scenario given above) querying by
Wireshark of my interfaces?

Here is a recent log:

Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000

[...]

It's a grsecurity-hardened kernel on a Gentoo box, and the query is shown only
because I have Role Based Access Control (RBAC) set up and the exec_logging option
enabled, which logs it. So, firstly, that doesn't show on a non-exec-logging
kernel, grsec or any other, and secondly it also makes this possibly a question for
https://forums.grsecurity.net (and I might try and see there too, or if I get
a solution, report it there for other users).

But I was hoping to try and see what advice I might get on Wireshark ML first.

Because it really swamps the logs uselessly. I don't want to be shutting down
Wireshark just not to swamp my system logs.

Wireshark is starting dumpcap periodically to check the status of the interfaces (and also get statistics from them).  I think the only way you'll be able to disable this (from the Wireshark side) is to make it so you don't have permission to start dumpcap (from Wireshark).  Obviously this conflicts with your use of dumpcap (as the same user) to actually capture.

I suppose a simpler method would be to simply rename dumpcap to something you'll know but Wireshark won't, e.g., `dumpcap-real`.
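As an added example (not part of this thread, and not Wireshark or grsecurity code): if renaming or de-permissioning dumpcap is not an option, the periodic probes can instead be filtered out of the exec log while every other dumpcap exec stays visible. The probe is recognisable from the record quoted above: dumpcap started with a query-only option (`-S` in the quoted line; `-D` and `-L` are dumpcap's other list/query modes) and no `-w`, with `/usr/bin/wireshark` as the parent. The first sample line below is the one from the quoted log joined back onto a single line; the other three (a second probe, a capture started from bash with `-i eth0 -w ...`, and an unrelated `/bin/ls` exec) are constructed to exercise the filter.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One grsec exec_logging record per line. The shape is the one in the quoted
# log (the mail client wrapped it; the kernel emits it on a single line).
_EXEC_RE = re.compile(
    r"grsec: \((?P<subject>[^)]*)\) exec of (?P<path>\S+) "
    r"\((?P<argv>[^)]*)\) by (?P<by>\S+)\[(?P<by_comm>[^:\]]+):(?P<by_pid>\d+)\]"
    r".*? parent (?P<parent>\S+)\[(?P<parent_comm>[^:\]]+):(?P<parent_pid>\d+)\]"
)

# dumpcap options that only query interfaces and write no capture file.
# -S (interface statistics) is the form in the quoted log; -D (list
# interfaces) and -L (list link-layer types) are the other query modes.
_QUERY_FLAGS = {"-S", "-D", "-L"}


@dataclass
class ExecEvent:
    path: str
    argv: List[str]
    parent: str
    parent_pid: int


def parse_exec_line(line: str) -> Optional[ExecEvent]:
    """Parse one grsec exec record; return None for any other log line."""
    m = _EXEC_RE.search(line)
    if m is None:
        return None
    # grsec prints argv space-separated without quoting, so an argument
    # that itself contains a space cannot be recovered exactly here.
    return ExecEvent(
        path=m.group("path"),
        argv=m.group("argv").split(),
        parent=m.group("parent"),
        parent_pid=int(m.group("parent_pid")),
    )


def is_wireshark_probe(ev: ExecEvent) -> bool:
    """True for dumpcap started by wireshark in a query-only mode."""
    return (
        posixpath.basename(ev.path) == "dumpcap"
        and posixpath.basename(ev.parent) == "wireshark"
        and "-w" not in ev.argv          # writing a file means a real capture
        and bool(_QUERY_FLAGS & set(ev.argv))
    )


def summarize(log_text: str) -> Dict[str, int]:
    """Count parsed exec records by kind; non-exec lines are not counted."""
    counts = {"probes": 0, "captures": 0, "other": 0}
    for line in log_text.splitlines():
        ev = parse_exec_line(line)
        if ev is None:
            continue
        if posixpath.basename(ev.path) != "dumpcap":
            counts["other"] += 1
        elif is_wireshark_probe(ev):
            counts["probes"] += 1
        else:
            counts["captures"] += 1
    return counts


def strip_probes(log_text: str) -> List[str]:
    """Return the log with Wireshark's periodic dumpcap probes removed.

    Lines that are not exec records are kept untouched, as is every dumpcap
    exec that does not look like a probe, so real captures stay visible.
    """
    kept = []
    for line in log_text.splitlines():
        ev = parse_exec_line(line)
        if ev is not None and is_wireshark_probe(ev):
            continue
        kept.append(line)
    return kept


# Constructed sample: line 1 is the quoted record re-joined onto one line,
# lines 2-4 are made up for this example (second probe, real capture, ls).
SAMPLE_LOG = """\
Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:07:02 g5n kernel: [10908.301190] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:11320] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:08:10 g5n kernel: [10976.120000] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -i eth0 -w /tmp/trace.pcapng ) by /usr/bin/dumpcap[bash:11400] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9001] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:08:11 g5n kernel: [10977.000000] grsec: (miro:U:/) exec of /bin/ls (/bin/ls -l ) by /bin/ls[bash:11401] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9001] uid/euid:1000/1000 gid/egid:1000/1000
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for kept_line in strip_probes(SAMPLE_LOG):
        print(kept_line)
```

Run against the sample, `summarize` reports two probes, one capture and one other exec, and `strip_probes` returns only the capture and the `ls` record. The filter keys on the parent being `wireshark`, so the same dumpcap binary run from a shell (the poster's actual capture workflow) is never dropped, which is the property the rename workaround cannot give without also breaking capture from the Wireshark GUI.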