Wireshark is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.
You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).
What Wireshark is not
Wireshark isn’t an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn’t allowed to do. However, if strange things happen, Wireshark might help you figure out what is going on.
Wireshark will not manipulate things on the network; it will only “measure” things from it. Wireshark doesn’t send packets on the network or do other active things (except domain name resolution, which can be disabled).
Prerequisites:
Ensure that the following dependencies are installed on the system.
GLib: the development package, which includes the headers, libraries, and other files necessary for development.
💡 The GLib package comes pre-installed with Ubuntu 22.04. On earlier versions, install it with the command:
sudo apt-get install libglib2.0-dev
libpcap: the library for capturing live network data.
Install Wireshark
Update the APT package index by running the following command:
sudo apt update
Once the APT package index is updated, install Wireshark on your system:
sudo apt install wireshark
Click the “Yes” button during the installation so that non-superusers are able to capture packets.
Verify the Wireshark version:
wireshark --version
Configure Wireshark
If you are logged in as a normal user, add the user to the wireshark group:
sudo usermod -aG wireshark $USER
This command adds the currently logged-in user to the wireshark group, giving them the permissions associated with that group (such as capturing network packets without needing to be the root user).
💡 If the error "wireshark group does not exist" appears when running the command above, create the "wireshark" group manually with the command:
sudo groupadd wireshark
Only then add the currently logged-in user to the wireshark group.
Modify the “dumpcap” file permissions:
sudo chgrp wireshark /usr/bin/dumpcap
This command changes the group ownership of the dumpcap executable to the wireshark group.
sudo chmod +x /usr/bin/dumpcap
The command above grants execute permission on the dumpcap file.
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
The setcap tool assigns capabilities to executables.
cap_net_raw: allows the program to use RAW and PACKET sockets, which is necessary for sniffing tools that capture raw packets directly from network interfaces.
cap_net_admin: provides various network-related privileges such as interface configuration, administration, binding to privileged ports, setting packet filtering rules, etc.
=eip indicates which capability sets to modify:
e stands for Effective: the capability is "activated".
i stands for Inheritable: the capability can be inherited by child processes.
p stands for Permitted: the capability is allowed to be used by the process.
By setting these capabilities, you are giving the dumpcap binary the ability to capture raw packets and perform other network-related operations without needing to run as the root user.
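The following script is an added example, not part of the original tutorial or of Wireshark itself. It verifies the end state of the configuration steps above (group ownership of dumpcap, the e and p capability sets, and membership in the wireshark group), so you can confirm the setup before capturing. It assumes getcap prints either the newer "PATH cap_a,cap_b=eip" form or the older "PATH = cap_a,cap_b+eip" form, that `id -nG` prints the caller's groups space-separated, and that GNU stat is available (as on Ubuntu).

```shell
#!/bin/sh
# Added example (not from the original page): verify the dumpcap setup this
# tutorial configures. Assumes getcap prints "PATH cap_a,cap_b=eip" (newer
# libcap) or "PATH = cap_a,cap_b+eip" (older libcap), and GNU stat for -c %G.

# caps_ok LINE: succeed when one line of getcap output grants both
# cap_net_raw and cap_net_admin in the effective (e) and permitted (p) sets.
caps_ok() {
    spec=${1#* }             # drop the path
    spec=${spec#= }          # older libcap prints "PATH = spec"
    case $spec in
        *=*) names=${spec%%=*}; flags=${spec##*=} ;;   # newer "=eip" form
        *+*) names=${spec%%+*}; flags=${spec##*+} ;;   # older "+eip" form
        *)   return 1 ;;                               # no file capabilities
    esac
    case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    return 0
}

# in_group GROUP LIST: succeed when GROUP appears in a space-separated LIST
# such as the output of `id -nG`.
in_group() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# check_dumpcap [PATH]: run the real checks on a live system. Group membership
# is read from the current session, so log in again after usermod first.
check_dumpcap() {
    bin=${1:-/usr/bin/dumpcap}
    [ -x "$bin" ] || { echo "no executable at $bin"; return 1; }
    [ "$(stat -c %G "$bin" 2>/dev/null)" = wireshark ] ||
        { echo "$bin is not group-owned by wireshark"; return 1; }
    caps_ok "$(getcap "$bin" 2>/dev/null)" ||
        { echo "$bin lacks cap_net_raw,cap_net_admin in the e and p sets"; return 1; }
    in_group wireshark "$(id -nG)" ||
        { echo "$(id -un) is not in the wireshark group for this session"; return 1; }
    echo "dumpcap capture setup looks correct"
}

# Run the live checks only when invoked as: sh check_dumpcap.sh --run
if [ "${1:-}" = "--run" ]; then
    check_dumpcap
fi
```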