Wireshark-users: Re: [Wireshark-users] How to rid of queries swamping logs in non-online Wireshar

From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Tue, 29 Mar 2016 15:12:39 +0200
On 160321-10:54-0400, Jeff Morriss wrote:
> On Sat, Mar 19, 2016 at 10:53 AM, Miroslav Rovis <
> miro.rovis@xxxxxxxxxxxxxxxxx> wrote:
> 
> > Hi!
> >
Hi!
You already helped me with the important link, after which I can't stop
decrypting SSL ;-) :
The SSL tcp stream decoding in Users' Manual?
https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html
And I thanked you here:
(8644 views currently)
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html#7819968
(and mentioned you later as well, when I found you among the top
Wireshark developers, but can't find that page on Gentoo Forums quickly)

However, two things.

This, the first thing:
> > Here is a recent log:
> >
> > Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of
> > /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
> > /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000,
> > parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
> > gid/egid:1000/1000
> >
> 
> [...]
> 
has stopped. So it could be something else the reason, as I run dumpcap
from normal user terminal, via sudo.

And back at the time of that periodically occuring kind of log swamping
by Wireshark, I wasn't even running dumpcap...

So it must be something else missing in the picture. The next time it
occurs, if it does, I'll be back to tell about it.

> 
> Wireshark is starting dumpcap periodically to check the status of the
> interfaces (and also get statistics from them).  I think the only way
> you'll be able to disable this (from the Wireshark side) is to make it so
> you don't have permission to start dumpcap (from Wireshark).  Obviously
> this conflicts with your use of dumpcap (as the same user) to actually
> capture.
> 
> I suppose a simpler method would be to simply rename dumpcap to something
> you'll know but Wireshark won't, e.g., `dumpcap-real`.

And the second thing is, I kept looking if there were replies for a day
or two, and then I thought I put a stupid question, and that nobody
would reply.

Thanks, Jeff, you're one of my heroes, and Wireshark is great! (If only
I had such understanding to be able to contribute... I hope at least
when I post about it, I attract a few newbies...)

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Attachment: signature.asc
Description: PGP signature