# How to Install Wireshark on Ubuntu 22.04

[Wireshark](https://www.wireshark.org/docs/wsug_html/#ChIntroWhatIs:~:text=on%20Windows%20platforms-,1.1.%C2%A0What%20is%20Wireshark%3F,-Wireshark%20is%20a) is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).

### What Wireshark is not

* [Wireshark](https://www.wireshark.org/docs/wsug_html/#ChIntroWhatIs:~:text=they%20often%20do!-,1.1.8.%C2%A0What%20Wireshark%20is%20not,-Here%20are%20some) isn’t an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn’t allowed to do. However, if strange things happen, Wireshark might help you figure out what is going on.
    
* Wireshark will not manipulate things on the network, it will only “measure” things from it. Wireshark doesn’t send packets on the network or do other active things (except domain name resolution, but that can be disabled).
    

### Prerequisites:

Ensure that the following dependencies are installed on the system.

1. [`GLib` development package](https://packages.debian.org/sid/libglib2.0-dev) which includes the headers, libraries, and other files necessary for development.
    
    <div data-node-type="callout">
    <div data-node-type="callout-emoji">💡</div>
    <div data-node-type="callout-text">GLib package comes pre-installed with Ubuntu 22.04. For earlier versions to install the package use the command: <code>sudo apt-get install libglib2.0-dev</code></div>
    </div>
    
2. [The `libpcap` library](https://wiki.wireshark.org/libpcap) for capturing live network data.
    

## Install Wireshark

1. Update the APT package index by running the following command:
    
    ```bash
    sudo apt update
    ```
    
2. Once the APT package index is updated, install Wireshark on your system:
    
    ```bash
    sudo apt install wireshark
    ```
    
    Click `yes` button during the installation for non-superusers to able to capture the packets
    
3. Verify the Wireshark version:
    
    ```bash
    wireshark --version
    ```
    

## Configure Wireshark

1. If you are logged as a normal user then add the user to the Wireshark group:
    
    ```bash
    sudo usermod -aG wireshark $USER
    ```
    
    This command adds the currently logged-in user to the `wireshark` group, giving them permissions associated with that group (like capturing network packets without needing to be the root user).
    
    <div data-node-type="callout">
    <div data-node-type="callout-emoji">💡</div>
    <div data-node-type="callout-text">If an error "<strong>wireshark group does not exist</strong>" appears during the execution of the command above, then create manually a "wireshark" group with the command <code>sudo groupadd wireshark</code> Only then, add the currently logged-in user to the <code>wireshark</code> group.</div>
    </div>
    
2. Modify the **“dumcap”** file permission:
    
    ```bash
    sudo chgrp wireshark /usr/bin/dumpcap
    ```
    
    This command changes the group ownership of the `dumpcap` executable to the `wireshark` group.
    
    ```bash
    sudo chmod +x /usr/bin/dumpcap
    ```
    
    The command above grants execute permissions to the `dumpcap` file.
    
    ```bash
    sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
    ```
    
    The tool `setcap` assigns capabilities to executables.
    
    `cap_net_raw`: Allows the program to use RAW and PACKET sockets, which can be necessary for sniffing tools that need to capture raw packets directly from network interfaces.
    
    `cap_net_admin`: Provides various network-related privileges like interface configuration, administration, binding to privileged ports, setting packet filtering rules, etc.
    
    `=eip` indicates which set of capabilities to modify:
    
    * `e` stands for Effective. It means the capability is "activated".
        
    * `i` stands for Inherited. It means the capability can be inherited by child processes.
        
    * `p` stands for Permitted. It ensures the capability can be used by the process
        
    
    By setting these capabilities, you're giving the `dumpcap` binary the ability to capture raw packets and conduct other network-related operations without needing to run as the root user.
    

## References

1. [How to Install and Configure Wireshark on Ubuntu 20.04 Linux Tutorial](https://cloudinfrastructureservices.co.uk/how-to-install-and-configure-wireshark-on-ubuntu-20-04-linux-tutorial/)
    
2. [Wireshark User’s Guide](https://www.wireshark.org/docs/wsug_html/#ChIntroWhatIs:~:text=on%20Windows%20platforms-,1.1.%C2%A0What%20is%20Wireshark%3F,-Wireshark%20is%20a)
