Discussion:
Mechanism used by Wireshark to list Interfaces for Monitoring
Jay Flow
2014-07-15 15:12:17 UTC
I am trying to understand the process as to how Wireshark version 1.10.8,
running on Fedora 10 64-bit, determines which interfaces it can use to
monitor traffic. I have a Riverbed TurboCAP board installed, along with
its drivers and using a terminal level command I can verify the eight
TurboCAP Ethernet interfaces are active. Nevertheless, Wireshark does not
show the eight TurboCAP interfaces. Initially, Wireshark did not show the
onboard eth0 interface either, but after performing an “ifup eth0” command,
Wireshark was able to list it as an interface it could use.


I did read a FAQ on the Wireshark website which implied I may have to
create a Wireshark group, change its permissions and ensure that only the
root or a user in the Wireshark group could start Wireshark. I also read
that I may have to check the kernel has this configuration statement,
“packet socket= enabled”. I will look into this but I’m not sure this will
resolve this issue. Prior to installing Wireshark ver 1.10.8, I did have
an earlier version of Wireshark working and it was able to list all of the
eight TurboCAP interfaces and eth0, but I had to install a later version of
Wireshark in order to support LUA and when I removed the earlier version of
Wireshark, that’s when various issues arose. Using the yum command I
removed the previous version of Wireshark but due to subsequent dependency
issues I had to spend a significant amount of time identifying what
packages were needed to install the source package for Wireshark ver.
1.10.8. After all was said and done, I basically ended up installing the
Qt package to get past an error “configure: error: Qt is not available” and
I finally was able to install the source package for Wireshark 1.10.8, but
without access to the TurboCAP interfaces.


The TurboCAP board comes with these software components:

1. Kernel-2.6.27.12-170.2.5.preemptive.kernel.kt.fc10.x86_64.rpm
2. Kernel-devel-2.6.27.12.-170.2.5.preemptive.kernel.kt.fc10.x86_64.rpm
3. Kernel-frimware-2.6.27.12.-170.2.5.preemptive.kernel.kt.fc10.x86_64.rpm
4. Kernel-headers-2.6.27.12.-170.2.5.preemptive.kernel.kt.fc10.x86_64.rpm
5. Libpcap-1.0.0-tc_17.fc10.x86_64.rpm
6. Libpcap-devel-1.0.0-tc_17.fc10.x86_64.rpm
7. Turbocap-1.6.2117-1.fc10.x86_64.rpm
8. Turbocap-module-2.6.27.12-170.2.5.preemptive.kernel.kt.fc10-1.6.2117-1.fc10.x86_64.rpm

Only item #1, #3, #7, and #8 are needed to support the overall
functionality of the TurboCAP board. I later installed item #2 and #4,
prior to installing the driver for the onboard NIC, eth0. I believe those
software components were needed because prior to that when I installed the
onboard NIC driver, it would break something and I could no longer pull up
the TurboCAP interfaces via the special command, “tcscandev –v”. I am past
that point and know how to get the onboard Ethernet NIC driver to work
along with the driver for the TurboCAP board interfaces, but this latest
issue now is blocking everything I had working.


I am a Linux novice but know enough to be dangerous, which can be good or
bad. I realize this is a complicated issue and there’s more to this whole
process but all I’m looking for is any guide or advice, on where to go to
find out how Wireshark determines which interfaces it will list as
available interfaces for it to capture and monitor traffic. Thanks in
advance for any help.


-= Jesse
Guy Harris
2014-07-15 18:47:08 UTC
> I am trying to understand the process as to how Wireshark version 1.10.8, running on Fedora 10 64-bit, determines which interfaces it can use to monitor traffic.

It runs dumpcap with the -D option, and reads its output over a pipe. (It also uses the "-Z" flag, which changes the output format to make it easier for Wireshark to parse.)

Dumpcap determines which interfaces it can use to monitor traffic by calling pcap_findalldevs().

> I have a Riverbed TurboCAP board installed, along with its drivers and using a terminal level command I can verify the eight TurboCAP Ethernet interfaces are active.

Is the terminal-level command "tcpdump -D"? If not, then it isn't necessarily a command using libpcap, and therefore isn't necessarily a test that will show you what programs using libpcap, such as tcpdump and Wireshark, will see.

TurboCAP support is part of WinPcap, the port of libpcap to Windows, but support for it on Linux is *not* part of standard libpcap-for-UN*X, unless its driver makes it look exactly like a regular network interface connected to the Linux networking stack, so the libpcap that comes with Linux distributions probably won't support it "out of the box".

Presumably Riverbed has some software that can be installed that will add libpcap support for TurboCAP boards; if so, have you installed it?

> Initially, Wireshark did not show the onboard eth0 interface either, but after performing an “ifup eth0” command, Wireshark was able to list it as an interface it could use.

Most versions of libpcap explicitly reject interfaces that aren't "up"; this was changed recently:

https://github.com/the-tcpdump-group/libpcap/issues/336

but your system probably doesn't have a version of libpcap with that change.

> I did read a FAQ on the Wireshark website which implied I may have to create a Wireshark group, change its permissions and ensure that only the root or a user in the Wireshark group could start Wireshark.

Presumably you're referring to

http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

but if you were able to use eth0, you may already have done that.

That Wireshark Wiki item refers only to regular network interfaces; it may or may not apply to TurboCAP interfaces, depending on how Riverbed's software works.

> I also read that I may have to check the kernel has this configuration statement, “packet socket= enabled”. I will look into this but I’m not sure this will resolve this issue.

As per the Linux section of

http://wiki.wireshark.org/CaptureSetup/CaptureSupport

the kernel needs to have that configured, but

1) as that item says, "most recent versions of distributions do so", and Fedora 10 is probably recent enough (I think the default setting has been "enabled" in the Linux kernel configuration process for many many years now)

and

2) the fact that Wireshark reports eth0 means that it *is* enabled on your kernel

and

3) that also applies only to regular network interfaces, and may or may not apply to TurboCAP interfaces, depending on how Riverbed's software works.

> Prior to installing Wireshark ver 1.10.8, I did have an earlier version of Wireshark working and it was able to list all of the eight TurboCAP interfaces and eth0,

Was that a standard version of Wireshark, or a special version from Riverbed?
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
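Guy's reply explains that Wireshark takes its interface list from "dumpcap -D", which in turn calls pcap_findalldevs(), and that older libpcap drops interfaces that are not up. The script below is an added diagnostic written for this thread, not code from the thread's participants or from the Wireshark project. It compares the interfaces the kernel reports (via iproute2's "ip -o link") with the ones libpcap enumerates (via "dumpcap -D", the same command Wireshark runs) and reports each kernel interface libpcap does not list together with its UP/DOWN flag, which separates a "not up" problem from a "libpcap has no support for this device" problem. The embedded sample outputs, including the interface names tc0 and tc1, are constructed for illustration; "--live" runs the comparison against the real tools on the machine.

```shell
#!/bin/sh
# Added diagnostic (assumption: iproute2 `ip` and Wireshark's `dumpcap` are on PATH).
# Compares the kernel's interface list with what libpcap enumerates and reports
# kernel interfaces that libpcap does not list, with their UP/DOWN state.

# Interface names from `ip -o link` text. Lines look like:
#   "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."
# The "@peer" suffix of veth/vlan-style names is stripped.
kernel_ifaces() {
    printf '%s\n' "$1" | awk -F': ' 'NF >= 2 { sub(/@.*/, "", $2); print $2 }'
}

# Interface names from `dumpcap -D` (or `tcpdump -D`) text. Lines look like
# "1. eth0", "1.eth0 [Up, Running]" or "3. any (Pseudo-device ...)".
pcap_ifaces() {
    printf '%s\n' "$1" | awk 'NF { sub(/^[0-9]+\.[ \t]*/, ""); print $1 }'
}

# $1: `ip -o link` text, $2: `dumpcap -D` text.
# Prints "<ifname> UP|DOWN" for every kernel interface absent from the pcap list.
# (Interface names are used unescaped in a regex; names with "." match loosely.)
missing_from_pcap() {
    ip_out=$1
    pcap_list=$(pcap_ifaces "$2")
    for ifname in $(kernel_ifaces "$ip_out"); do
        if ! printf '%s\n' "$pcap_list" | grep -Fqx "$ifname"; then
            state=DOWN
            # UP must appear as a whole flag inside <...>; "LOWER_UP" alone does not count.
            printf '%s\n' "$ip_out" \
                | grep -qE "^[0-9]+: ${ifname}[:@][^<]*<([^>]*,)?UP(,[^>]*)?>" \
                && state=UP
            printf '%s %s\n' "$ifname" "$state"
        fi
    done
}

# Constructed sample data: the kernel knows four interfaces, libpcap lists two
# of them (plus the "any" pseudo-device); tc0 and tc1 are down and unlisted.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: tc0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
4: tc1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN'

SAMPLE_DUMPCAP_D='1. eth0
2. lo
3. any (Pseudo-device that captures on all interfaces)'

if [ "${1:-}" = "--live" ]; then
    # Real comparison on this host; dumpcap needs the capture privileges
    # described on the CapturePrivileges wiki page to enumerate anything.
    missing_from_pcap "$(ip -o link)" "$(dumpcap -D 2>/dev/null)"
else
    missing_from_pcap "$SAMPLE_IP_LINK" "$SAMPLE_DUMPCAP_D"
fi
```

On the sample data the script prints "tc0 DOWN" and "tc1 DOWN". Read the live output the way Guy's reply suggests: an interface reported DOWN is expected to be missing from older libpcap and should reappear after "ifup"; an interface reported UP but still missing is one the installed libpcap has no support for, which is the case to raise with the board vendor's libpcap package.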