Introduction to Wireshark
The Wireshark package contains a network protocol analyzer, also known as a “sniffer”. This is useful for analyzing data captured “off the wire” from a live network connection, or data read from a capture file.
Wireshark provides both a graphical and a TTY-mode front-end for examining captured network packets from over 500 protocols, as well as the capability to read capture files from many other popular network analyzers.
This package is known to build and work properly using an LFS-7.7 platform.
Package Information
- Download (HTTP):
- Download (FTP):
- Download MD5 sum: acfa156fd35cb66c867b1ace992e4b5b
- Download size: 28 MB
- Estimated disk space required: 1.2 GB (1.4 GB, with the Qt GUI)
- Estimated build time: 4.3 SBU (5.3 SBU, with the Qt GUI)
Additional Downloads
- Optional patch: (allows building the Lua bindings if is installed and Lua is not disabled by passing --without-lua to configure)
- Additional Documentation: (contains links to several different docs in a variety of formats)
Wireshark dependencies
Required
Recommended
(to build the Gtk+3 GUI) and (required to capture data)
Optional
, , , , , , , and
Optional (to build more GUI front-ends)
, , or
Note
The GTK+ GUI needs one of or . If both are installed, GTK+3 is used by default.
The Qt GUI needs one of or . If both are installed, Qt5 is used by default.
Both the GTK+ and the Qt GUI can be built at the same time. To override the defaults, set the configure switches described under “Command Explanations”; when both Qt4 and Qt5 are installed and you want Qt4, follow the special instructions below. SBU and disk space requirements are larger for the Qt GUI. The instructions below assume you only want to build the GTK+3 GUI.
User Notes:
Kernel Configuration
The kernel must have the Packet protocol enabled for Wireshark to capture live packets from the network:

[*] Networking support --->                    [CONFIG_NET]
  Networking options --->
    <*/M> Packet socket                        [CONFIG_PACKET]

If built as a module, the name is af_packet.ko.
Installation of Wireshark
Optionally, fix the description of the program shown in the title bar. The first change replaces the default “SVN Unknown” in the title; the second neutralises a helper script that would otherwise reset the version to “unknown”.

cat > svnversion.h << "EOF" &&
#define SVNVERSION "BLFS"
#define SVNPATH "source"
EOF
cat > make-version.pl << "EOF"
#!/usr/bin/perl
EOF
Wireshark is a very large and complex application. These instructions provide additional security measures to ensure that only trusted users are allowed to view network traffic. First, set up a system group for wireshark. As the root user:

groupadd -g 62 wireshark
If you want to build a Qt GUI and have both Qt4 and 5 installed, issue either:
source setqt5
if you want the Qt5 GUI built, or:
source setqt4 &&
sed -i 's/Qt5 Qt/Qt/' configure
if you want the Qt4 GUI built.
Continue to install Wireshark by running the following commands:
patch -Np1 -i ../wireshark-1.12.4-lua_5_3_0-1.patch &&
./configure --prefix=/usr \
            --with-gtk3   \
            --without-qt  \
            --sysconfdir=/etc &&
make
This package does not come with a test suite.
Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/wireshark-1.12.4 &&
install -v -m755 -d /usr/share/pixmaps/wireshark &&
install -v -m644 README{,.linux} doc/README.* doc/*.{pod,txt} \
                 /usr/share/doc/wireshark-1.12.4 &&
pushd /usr/share/doc/wireshark-1.12.4 &&
   for FILENAME in ../../wireshark/*.html; do
      ln -s -v -f $FILENAME .
   done &&
popd &&
unset FILENAME

install -v -m644 -D wireshark.desktop \
                    /usr/share/applications/wireshark.desktop &&
install -v -m644 -D image/wsicon48.png \
                    /usr/share/pixmaps/wireshark.png &&
install -v -m644 image/*.{png,ico,xpm,bmp} \
                    /usr/share/pixmaps/wireshark
If you downloaded any of the documentation files from the page listed in 'Additional Downloads', install them by issuing the following command as the root user (replace <downloaded_files> with the files you fetched):

install -v -m644 <downloaded_files> /usr/share/doc/wireshark-1.12.4
Now, set ownership and permissions of the capture programs so that only members of the wireshark group can run them. As the root user:

chown -v root:wireshark /usr/bin/{tshark,dumpcap} &&
chmod -v 6550 /usr/bin/{tshark,dumpcap}

Mode 6550 is setuid root, setgid wireshark and no access for other users; together with root:wireshark ownership this is what makes the group restriction effective. Note that only dumpcap needs privileges to open an interface: wireshark and tshark run it as a child process, and the protocol dissectors they apply to untrusted traffic are the largest attack surface in the package. If you would rather not run those dissectors as root, leave the setuid bit off tshark (mode 0550) and give only dumpcap elevated rights (for example through file capabilities with setcap, when libcap is available).
Finally, add any users who should be allowed to capture to the wireshark group (as the root user; replace <username> with the account name):

usermod -a -G wireshark <username>
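The following audit script is an added example; it is not part of the BLFS page or of Wireshark itself. It verifies the privilege separation set up in the steps above: each capture binary must be owned by root:wireshark with mode 6550 (no permission bits for "other"), and a user who wants to capture must be a member of the wireshark group. It assumes GNU coreutils stat(1) and the /usr/bin prefix used on this page; the group name and paths are the page's own.

```shell
#!/bin/sh
# Added example, not part of the BLFS page or of Wireshark: audit the privilege
# separation set up above. The capture binaries must be root:wireshark with mode
# 6550 (setuid root, setgid wireshark, nothing for "other"), and a user who wants
# to capture must belong to the wireshark group. Assumes GNU coreutils stat(1)
# and the /usr/bin install prefix used on this page.

# check_capture_perms FILE OWNER GROUP MODE
# Returns 0 if FILE is owned by OWNER:GROUP, has exactly the octal MODE, and
# grants no permission bits to "other"; prints each mismatch and returns 1.
check_capture_perms() {
    file=$1; want_owner=$2; want_group=$3; want_mode=$4
    if [ ! -e "$file" ]; then
        echo "$file: not installed"
        return 1
    fi
    # %U/%G are the owner and group names, %a the mode in octal (suid/sgid included)
    set -- $(stat -c '%U %G %a' "$file")
    got_owner=$1; got_group=$2; got_mode=$3
    status=0
    [ "$got_owner" = "$want_owner" ] || { echo "$file: owner is $got_owner, want $want_owner"; status=1; }
    [ "$got_group" = "$want_group" ] || { echo "$file: group is $got_group, want $want_group"; status=1; }
    [ "$got_mode" = "$want_mode" ]   || { echo "$file: mode is $got_mode, want $want_mode"; status=1; }
    # Any bit in the "other" triplet lets users outside the group run a setuid-root sniffer.
    if [ $(( 0$got_mode & 07 )) -ne 0 ]; then
        echo "$file: mode $got_mode is reachable by users outside the group"
        status=1
    fi
    return $status
}

# in_capture_group USER [GROUP]
# Returns 0 if USER is a member of GROUP (default: wireshark), 1 otherwise.
in_capture_group() {
    user=$1; group=${2:-wireshark}
    id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"
}

# audit_capture_setup [USER]
# Runs both checks against the binaries this page makes privileged, for USER
# (default: the invoking user). Returns non-zero if anything is off.
audit_capture_setup() {
    user=${1:-$(id -un)}
    rc=0
    for bin in /usr/bin/dumpcap /usr/bin/tshark; do
        check_capture_perms "$bin" root wireshark 6550 || rc=1
    done
    if ! in_capture_group "$user"; then
        echo "$user is not a member of the wireshark group"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "capture privilege setup looks correct for $user"
    return $rc
}

# Run the audit only when invoked as a script with --audit, so the functions
# can also be sourced from another shell script.
case "${1:-}" in
    --audit) audit_capture_setup "${2:-}" ;;
esac
```

Run it as `sh audit-capture.sh --audit [username]` after the steps above; a non-zero exit status and a line per mismatch tell you which part of the setup (ownership, mode, stray "other" bits, or group membership) is still wrong.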
Command Explanations
sed -i 's/Qt5 Qt/Qt/' ...: This command is required because, without it, when both Qt versions are installed and you try to build with Qt4, the Qt5 libraries and headers are found first and make does not complete.
--with-gtk3: By default, the build machinery builds a GUI for both Qt and GTK+ if those libraries are found. If Qt is installed and you do not want its GUI built, pass --without-qt to the configure script. That overrides the default, so you must then specify --with-gtk3 or --with-gtk2 to have the GTK+ GUI built.
--without-qt: disables building of the Qt GUI.
--disable-wireshark: Use this switch if you have GTK+ installed but do not want to build any of the GUIs.
--with-gtk2: Use this option if you want the GTK+2 GUI. Note that the GUI for only one GTK+ version (either 2 or 3) can be built.
Configuring Wireshark
Config Files
/etc/wireshark.conf and ~/.wireshark/*
Configuration Information
Although the default configuration parameters are very sane, refer to the configuration section of the Wireshark documentation (see 'Additional Downloads') for details. Most of Wireshark's configuration can be done through the menus of the wireshark graphical interfaces.
Desktop file for the Qt GUI
If the Qt GUI was built and you want an entry in the desktop menu, there are two possibilities (the instructions must be run as root).
If only the Qt GUI was built:

mv -v /usr/share/applications/wireshark.desktop \
      /usr/share/applications/wireshark-qt.desktop

If both the GTK+ and the Qt GUI were built:

cp -v /usr/share/applications/wireshark.desktop \
      /usr/share/applications/wireshark-qt.desktop

Now, fix it for wireshark-qt (the first expression renames the program and the display name, the second puts the shared icon name back):

sed -e 's/ireshark/&-qt/' \
    -e 's/^\(Icon=wireshark\)-qt/\1/' \
    -i /usr/share/applications/wireshark-qt.desktop
Note
If you want to look at packets, make sure you don't filter them out with iptables: a packet that a rule drops in the OUTPUT path of the capturing host never reaches the interface and so never reaches Wireshark (incoming packets are copied to the packet socket before netfilter sees them, so those still appear even if the firewall later drops them). If you want to exclude certain classes of packets, dropping them with iptables is more efficient than discarding them in Wireshark, but it also changes what the host itself receives; a capture filter, which the kernel evaluates before the packet is copied to user space (for example tshark -f 'not port 22'), achieves the saving without touching the host's traffic.
Contents
Installed Programs: capinfos, captype, dftest, dumpcap, editcap, mergecap, randpkt, rawshark, reordercap, text2pcap, tshark, wireshark, and optionally wireshark-qt
Installed Libraries: libfiletap.so, libwireshark.so, libwiretap.so, libwsutil.so, and numerous modules under /usr/lib/wireshark/plugins
Installed Directories: /usr/lib/wireshark, /usr/share/doc/wireshark-1.12.4, /usr/share/pixmaps/wireshark, and /usr/share/wireshark
Short Descriptions
capinfos | reads a saved capture file and returns any or all of several statistics about that file. It is able to detect and read any capture supported by the Wireshark package. |
captype | prints the file types of capture files. |
dftest | is a display-filter-compiler test program. |
dumpcap | is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file. |
editcap | edits and/or translates the format of capture files. It knows how to read libpcap capture files, including those of tcpdump, Wireshark and other tools that write captures in that format. |
mergecap | combines multiple saved capture files into a single output file. |
randpkt | creates random-packet capture files. |
rawshark | dumps and analyzes raw libpcap data. |
reordercap | reorders the frames of an input file by timestamp and writes them to an output file. |
text2pcap | reads in an ASCII hex dump and writes the data described into a libpcap-style capture file. |
tshark | is a TTY-mode network protocol analyzer. It lets you capture packet data from a live network or read packets from a previously saved capture file. |
wireshark | is the GTK+ GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. |
wireshark-qt | is the Qt GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. |
libwireshark.so | contains the protocol dissectors and the display-filter engine used by the Wireshark programs; live capture itself is done by dumpcap through libpcap. |
libwiretap.so | reads and writes capture files in the many formats Wireshark supports; the README in the source wiretap directory describes it as a library being developed as a future replacement for libpcap, the current standard Unix library for packet capturing. |
Reposted from: http://bjixi.baihongyu.com/