This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 52 and 53
Revision 52 as of 2008-05-27 10:56:15
Size: 10001
Editor: 89-149-244-45
Revision 53 as of 2008-05-27 15:27:57
Size: 6625
Editor: UlfLamping
Platform-Specific information about capture privileges

You need to run Wireshark or TShark on an account with sufficient privileges to capture, or need to give the account on which you're running Wireshark or TShark sufficient privileges to capture. The way this is done differs from operating system to operating system.

To be secure (at least in a way), it is recommended that even an administrator should always run in an account with (limited) user privileges, and only start processes that really need the administrator privileges. The Security page provides explanations why this is a good idea.

Windows

The WinPcap driver (called NPF) is loaded by Wireshark when it starts to capture live data. This requires administrator privileges. Once the driver is loaded, every local user can capture from it until it's stopped again.

Note: Simply stopping Wireshark won't stop the WinPcap driver!

It might not be desirable that any local user can also capture from the network while the driver is loaded, but this currently can't be circumvented. Please note that this is not a limitation of the Wireshark implementation but of the underlying WinPcap driver; see this note in the WinPcap FAQ: http://www.winpcap.org/misc/faq.htm#Q-7

There are three possible solutions to start Wireshark with the privilege to capture:

Start Wireshark as Administrator

Advantage: Very easy to work with.

Disadvantage: It's very insecure to run Wireshark this way, as every possible Wireshark exploit will run with the administrator account and be able to compromise the whole system.

Start the NPF driver automatically at system start

The easiest way to do this is to select Start WinPcap service "NPF" at startup in the Wireshark installer. You can change the start settings of the NPF service to "automatic" or "system" at any time using the following methods:

  • From the Device Manager you can select View->Show hidden devices, then open Non-Plug and Play Drivers and right click on NetGroup Packet Filter Driver. In the driver properties you can set the startup type as well as start and stop the driver manually.

  • From the command line you can run

        sc config npf start= auto

    (This must be run as Administrator under Vista.)

  • In the registry you can change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start from 0x3 (SERVICE_DEMAND_START) to 0x2 (SERVICE_AUTO_START) or 0x1 (SERVICE_SYSTEM_START).

As the driver is already started, you can run Wireshark as an ordinary user all the time.

Advantage: Very easy to work with.

Disadvantage: Every local user can always capture live data.

Start the NPF driver by hand

You can start the driver by hand before starting Wireshark and stop it afterwards.

Using Wireshark from a user account could then look like this:

Start the NPF driver:

runas /u:administrator "net start npf"

Start Wireshark as a user and work with it, including capturing, until the specific job is finished.

Stop the NPF driver again:

runas /u:administrator "net stop npf"

This can obviously be automated using a batch file.

Advantage: Most secure solution.

Disadvantage: You'll have to enter the password each time you start/stop Wireshark.

Linux

Running Wireshark (or any other network capture/analyzer, for that matter) on Linux needs root privileges. Therefore, you have to have root privileges when starting Wireshark, else you can't capture data. Please note that you don't have to log in as root when starting your computer; you can use su(1) or sudo(8) for that purpose. However, this remains insecure, as the dissectors, the parts of Wireshark which parse the captured data, still run with root privileges. A much safer solution is to su(1) to root and then use the bundled dumpcap to dump the data (for example, you can invoke dumpcap with "dumpcap -w ./dumpfile", which will dump the packets to the file "dumpfile" in the current working directory; see "dumpcap -h" for details). You could also use tcpdump for this purpose. The advantage of this solution is that, while dumpcap/tcpdump still run as root, you can run Wireshark as an ordinary user and load the data you captured previously, so effectively this is a kind of "privilege separation by hand".
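The "privilege separation by hand" workflow above as a shell script. This is an added example, not code from the Wireshark wiki or the Wireshark project: only dumpcap runs as root (through sudo), and the capture file is checked and handed over to the ordinary user before Wireshark opens it. The function names are assumptions made for this example.

```shell
#!/bin/sh
# "Privilege separation by hand" on Linux: only dumpcap runs as root
# (through sudo); Wireshark later opens the file as an ordinary user.
# Function names are assumptions for this example.

# Capture COUNT packets (default 100) from IFACE into OUTFILE as root,
# then hand the file over to the invoking user so Wireshark never needs root.
capture_as_root() {
    iface=$1; outfile=$2; count=${3:-100}
    # -c makes dumpcap stop on its own, so the root process does not linger
    sudo dumpcap -i "$iface" -c "$count" -w "$outfile" || return 1
    # dumpcap wrote the file as root; give it to the user who will analyse it
    sudo chown "$(id -un)" "$outfile" || return 1
    sudo chmod 0600 "$outfile"
}

# Return 0 if FILE starts with a pcap or pcapng magic number, is owned by
# the current user, and is writable by nobody else; return 1 otherwise.
verify_capture_file() {
    file=$1
    [ -f "$file" ] || return 1
    # first four bytes as hex, e.g. "d4c3b2a1"
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) ;;    # classic pcap, little/big endian
        4d3cb2a1|a1b23c4d) ;;    # pcap with nanosecond timestamps
        0a0d0d0a) ;;             # pcapng section header block
        *) return 1 ;;
    esac
    # the analysing user must own it: no root-owned leftovers to open
    [ -O "$file" ] || return 1
    # group and other must not be able to modify the capture
    perms=$(ls -l "$file" | awk '{print substr($1, 5, 6)}')
    case "$perms" in *w*) return 1 ;; esac
    return 0
}

# Open a verified capture in Wireshark as the unprivileged user.
analyse_as_user() {
    verify_capture_file "$1" || { echo "refusing to open $1" >&2; return 1; }
    wireshark -r "$1"
}

# Usage: sh capture.sh eth0 ./dumpfile 200
if [ "$#" -ge 2 ]; then
    capture_as_root "$1" "$2" "$3" && analyse_as_user "$2"
fi
```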

BSD (including Mac OS X)

In order to capture packets, you must have read access to the BPF devices in /dev/bpf*.

On BSDs without a devfs, the special files for those devices are on your root file system, and changes to them will persist across reboots. In order to allow yourself, or yourself and others, to capture traffic without running Wireshark as root, either make them owned by you, or make them owned by a group to which you and others to whom you want to give capture permission belong and give that group read access, or, if your BSD supports ACLs on special files, add the users who should have permission to capture to the ACL, with the ACL entry giving them read permission. You will probably need super-user permission to do this.

On BSDs with a devfs (this includes Mac OS X), this might involve more than just having somebody with super-user access set the ownership and/or permissions on the BPF devices: it might involve configuring devfs to set the ownership or permissions every time the system is booted, if the system supports that (FreeBSD 5.x's devfs does). If the system doesn't support that (Mac OS X's devfs doesn't), you might have to find some other way to make that happen at boot time, such as a command in one of the system rc files, or a startup item in OS X; see the ChmodBPF directory in libpcap 0.9.1 or later for such a startup item.
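The group-based approach from the two paragraphs above as a script, as an added example that is not part of the Wireshark wiki or of libpcap's ChmodBPF: it makes the BPF devices owned by one group with group read access and then verifies the result. The function names and the group name "pcap" are assumptions; grant_bpf_access must run as the super-user, and on a devfs system it has to be rerun at boot (from an rc file or a startup item) because the changes do not persist.

```shell
#!/bin/sh
# Grant one group read access to the BPF devices on a BSD without devfs,
# so its members can capture without running Wireshark as root.
# Function names are assumptions; grant_bpf_access must run as the super-user.
# On a devfs system (Mac OS X, FreeBSD 5.x) rerun it at boot, e.g. from an
# rc file or the ChmodBPF startup item, since the changes do not persist.

# Return 0 if DEV belongs to GROUP and is group-readable, else 1.
bpf_group_readable() {
    dev=$1; group=$2
    [ -e "$dev" ] || return 1
    # ls -ld prints e.g. "crw-r-----  1 root  wheel  23,  0 ... /dev/bpf0"
    set -- $(ls -ld "$dev")
    perms=$1; grp=$4
    [ "$grp" = "$group" ] || return 1
    # the fifth character of the mode string is the group read bit
    case "$perms" in ????r*) return 0 ;; *) return 1 ;; esac
}

# Make every device in DEV... (default /dev/bpf*) owned by GROUP with
# group read access. Only read is granted, which is all capture needs,
# and access for "other" is removed so the group is the only way in.
grant_bpf_access() {
    group=$1; shift
    [ "$#" -gt 0 ] || set -- /dev/bpf*
    for dev in "$@"; do
        [ -e "$dev" ] || continue
        chgrp "$group" "$dev" && chmod g+r,o-rwx "$dev" || return 1
    done
}

# Print one line per device and return 1 if GROUP cannot read any of them.
check_bpf_access() {
    group=$1; shift; rc=0
    [ "$#" -gt 0 ] || set -- /dev/bpf*
    for dev in "$@"; do
        [ -e "$dev" ] || continue
        if bpf_group_readable "$dev" "$group"; then
            echo "ok      $dev"
        else
            echo "DENIED  $dev"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh bpf-access.sh pcap        (grant + verify for group "pcap")
if [ "$#" -eq 1 ]; then
    grant_bpf_access "$1" && check_bpf_access "$1"
fi
```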

Digital/Tru64 UNIX

Any user can, in principle, capture network traffic. However, no user (not even the super-user) can capture in promiscuous mode on an interface unless the super-user has enabled promiscuous-mode operation on that interface using pfconfig(8), and no user (not even the super-user) can capture unicast traffic received by or sent by the machine on an interface unless the super-user has enabled copy-all-mode operation on that interface using pfconfig. Useful packet capture on an interface therefore probably requires that promiscuous-mode operation, copy-all-mode operation, or both be enabled on that interface. You might be able to limit the set of users allowed to capture traffic by changing the ownership and/or permissions of the /dev/pfilt* devices.

CaptureSetup/CapturePrivileges (last edited 2019-10-07 22:56:53 by GeraldCombs)