Wireshark-users: Re: [Wireshark-users] How to rid of queries swamping logs in non-online Wireshar

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 29 Mar 2016 11:29:01 -0400

On Tue, Mar 29, 2016 at 9:12 AM, Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx> wrote:
On 160321-10:54-0400, Jeff Morriss wrote:
> On Sat, Mar 19, 2016 at 10:53 AM, Miroslav Rovis <
> miro.rovis@xxxxxxxxxxxxxxxxx> wrote:
>
> > Hi!
> >
Hi!
You already helped me with the important link, after which I can't stop
decrypting SSL ;-) :
The SSL tcp stream decoding in Users' Manual?
https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html

You mean add the SSL decoding stuff to the manual (rather than just in the Wiki)?  I'm a bit hesitant to duplicate information--especially given how complicated SSL decryption is.  (Anyway as I probably stated earlier I don't know a lot about SSL decryption and have only actually done it while helping others.)

This, the first thing:
> > Here is a recent log:
> >
> > Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of
> > /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
> > /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000,
> > parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
> > gid/egid:1000/1000
> >
>
> [...]
>
has stopped. So the reason could be something else, as I run dumpcap
from a normal user terminal, via sudo.

And back at the time of that periodically occurring kind of log swamping
by Wireshark, I wasn't even running dumpcap...

So it must be something else missing in the picture. The next time it
occurs, if it does, I'll be back to tell about it.

OK, I was thinking that Wireshark (the GUI) was periodically running dumpcap.  I know it does at least at startup but I don't know how it gets the interface statistics (the sparklines next to the interfaces in the Qt UI)--I assumed it was running it periodically.

And the second thing is, I kept looking for replies for a day
or two, and then I thought I had put a stupid question, and that nobody
would reply.

Do you mean that you didn't get a copy of the reply?  Are you subscribed to the list?  If not it's generally a good idea to tell people to be sure to Cc: you on their reply otherwise they will reply just to the list (that's the default behavior for the list)--and you'll only see the reply if you go searching in the list archives.

Thanks, Jeff, you're one of my heroes, and Wireshark is great! (If only
I had such understanding to be able to contribute... I hope at least
when I post about it, I attract a few newbies...)

No problem. :-)

On Tue, Mar 29, 2016 at 9:12 AM, Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx> wrote:
On 160321-10:54-0400, Jeff Morriss wrote:
> On Sat, Mar 19, 2016 at 10:53 AM, Miroslav Rovis <
> miro.rovis@xxxxxxxxxxxxxxxxx> wrote:
>
> > Hi!
> >
Hi!
You already helped me with the important link, after which I can't stop
decrypting SSL ;-) :
The SSL tcp stream decoding in Users' Manual?
https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html
And I thanked you here:
(8644 views currently)
SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html#7819968
(and mentioned you later as well, when I found you among the top
Wireshark developers, but can't find that page on Gentoo Forums quickly)

However, two things.

This, the first thing:
> > Here is a recent log:
> >
> > Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of
> > /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
> > /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000,
> > parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
> > gid/egid:1000/1000
> >
>
> [...]
>
has stopped. So the reason could be something else, as I run dumpcap
from a normal user terminal, via sudo.

And back at the time of that periodically occurring kind of log swamping
by Wireshark, I wasn't even running dumpcap...

So it must be something else missing in the picture. The next time it
occurs, if it does, I'll be back to tell about it.

>
> Wireshark is starting dumpcap periodically to check the status of the
> interfaces (and also get statistics from them).  I think the only way
> you'll be able to disable this (from the Wireshark side) is to make it so
> you don't have permission to start dumpcap (from Wireshark).  Obviously
> this conflicts with your use of dumpcap (as the same user) to actually
> capture.
>
> I suppose a simpler method would be to simply rename dumpcap to something
> you'll know but Wireshark won't, e.g., `dumpcap-real`.

And the second thing is, I kept looking for replies for a day
or two, and then I thought I had put a stupid question, and that nobody
would reply.

Thanks, Jeff, you're one of my heroes, and Wireshark is great! (If only
I had such understanding to be able to contribute... I hope at least
when I post about it, I attract a few newbies...)

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
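An added example, not from the thread: a small Python parser for the grsecurity exec-log format quoted above. It groups dumpcap executions by the parent binary that spawned them and reports the spacing between runs, so periodic Wireshark-spawned execs can be told apart from a user's own sudo captures. The sample lines are constructed from the format of the one real line in the post; the repeated runs, the sudo line and the timings are invented.

```python
import re
from collections import defaultdict

# Constructed sample in the grsec exec-logging format quoted in the thread.
# First line mirrors the real one from the post (joined onto one line);
# the rest are invented to show a 5-second periodic pattern and a sudo run.
SAMPLE_LOG = """\
Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:07:06 g5n kernel: [10912.301401] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:11325] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:07:11 g5n kernel: [10917.302003] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:11331] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:09:40 g5n kernel: [11066.120004] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -i eth0 -w /tmp/x.pcapng ) by /usr/bin/dumpcap[sudo:11402] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:11401] uid/euid:0/0 gid/egid:0/0
"""

# Fields: kernel uptime stamp, executed path, its argv, the exec'ing process
# (path[name:pid]), its uid/euid, and the parent process (path[name:pid]).
EXEC_RE = re.compile(
    r"\[(?P<uptime>\d+\.\d+)\] grsec: \S+ exec of (?P<path>\S+) \((?P<argv>.*?)\) by "
    r"(?P<proc>\S+)\[(?P<pname>[^:\]]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+) \S+, "
    r"parent (?P<ppath>\S+)\[(?P<parname>[^:\]]+):(?P<ppid>\d+)\]"
)


def parse_exec_lines(text):
    """Return one dict per grsec exec-log line that matches the format."""
    events = []
    for line in text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["uptime"] = float(ev["uptime"])
            events.append(ev)
    return events


def execs_by_parent(events, path="/usr/bin/dumpcap"):
    """Group exec events of `path` by the parent binary that spawned them."""
    groups = defaultdict(list)
    for ev in events:
        if ev["path"] == path:
            groups[ev["ppath"]].append(ev)
    return dict(groups)


def exec_intervals(events):
    """Seconds between consecutive execs (from the kernel uptime stamp);
    a run of equal values is the signature of a periodic spawner."""
    times = sorted(ev["uptime"] for ev in events)
    return [round(b - a, 1) for a, b in zip(times, times[1:])]
```

Run over a real kernel log, a parent of /usr/bin/wireshark with evenly spaced intervals points at the GUI's interface polling, while a parent of sudo (or a shell) is the user's own capture.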

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users