How to install Wireshark on Linux and capture USB traffic?
I have encountered numerous problems in the installation of Wireshark, and the capture of USB traffic, especially due to user permissions.
In the answer, I describe a full workflow for doing that.
The answers to each individual problem are given on different forums, so I thought I'd bring everything together in one answer, to save future users from Googling every single issue they encounter.
linux ubuntu usb root wireshark
asked Jun 25 '15 at 15:21
matthieu
1 Answer
Tested on Ubuntu 14.04, but probably works on other distributions since none of the steps are specific to Ubuntu.
The first time you follow the tutorial, do all the steps 1 -> 7.
When you restart your computer, you have to repeat steps 6 and 7 to see the USB interfaces in Wireshark.

1. Install Wireshark and libpcap:

        sudo apt-get install wireshark libpcap0.8

2. For Debian, Ubuntu and other Debian derivatives, continue to step 3.
   For other Linux based systems or other installation methods, see the Wireshark Wiki, then go to step 6.

3. Reconfigure wireshark to allow non-superusers to track packets:

        sudo dpkg-reconfigure wireshark-common

   Select <Yes> in the prompt.

4. Add your username to the "wireshark" usergroup:

        sudo usermod -a -G wireshark <your_username>

   You can verify if it's done correctly by displaying the groups your username is part of:

        groups <your_username>

   If not, you can add the group "wireshark" manually:

        sudo groupadd wireshark

   And then add your username to the group (see above).

5. Important: Log out of your session, then log back in.

6. This step depends on the kernel version that is installed on your machine. To know the version of your kernel, type:

        uname -r

   For versions of the kernel prior to 2.6.21, if debugfs is not already mounted on /sys/kernel/debug, ensure that it is mounted there by issuing the following command:

        sudo mount -t debugfs / /sys/kernel/debug

   For kernel version 2.6.21 and later, load the loadable module usbmon in the kernel:

        sudo modprobe usbmon

   See Wireshark Wiki for more information about this differentiation.

7. If the usbmon interfaces don't appear in Wireshark, look for interfaces using dumpcap (the command-line tool of Wireshark):

        sudo dumpcap -D

   You should see the usbmon* interfaces. Now display the permissions of the usbmon interfaces:

        ls -l /dev/usbmon*

   If the usbmon* files have 'crw-------', then it's normal that Wireshark cannot read them because it's not run as root. Do not execute wireshark in root mode, it may damage files. Instead, you can give it regular users privileges:

        sudo setfacl -m u:$USER:r /dev/usbmon*

Now the usbmon interfaces should appear in Wireshark.
Have fun!

Sources:
https://wiki.wireshark.org/CaptureSetup/USB#Linux
https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes
https://unix.stackexchange.com/questions/55722/wireshark-couldnt-run-usr-sbin-dumpcap-in-child-process
http://anonscm.debian.org/viewvc/collab-maint/ext-maint/wireshark/trunk/debian/README.Debian?view=markup
edited Jan 4 at 10:25
answered Jun 25 '15 at 15:21
matthieu
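A read-only check of the state that steps 4 to 7 of the answer set up, added here as an example (it is not part of the original answer): it reports wireshark group membership, whether usbmon is loaded, and classifies each /dev/usbmon* node from its `ls -l` mode string, so a world-readable node is told apart from a per-user ACL. The function names and the directory parameters are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audits the capture setup without changing anything.

# Classify an `ls -l` mode string such as crw------- or crw-r--r--.
classify_mode() {
    case "$1" in
        ???????r*) echo "world-readable" ;;  # "other" has read: every local account can capture
        *+)        echo "acl" ;;             # trailing + means an ACL is set; inspect with getfacl
        ????r*)    echo "group-readable" ;;  # readable by the owning group only
        *)         echo "owner-only" ;;      # crw-------: capture as a regular user will fail
    esac
}

# Succeed if user $1 is a member of group $2 (step 4).
in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Print "<node> <classification>" for each usbmon node under $1 (step 7).
audit_nodes() {
    dev_dir=${1:-/dev}
    for node in "$dev_dir"/usbmon*; do
        [ -e "$node" ] || continue
        mode=$(ls -ld "$node" | awk '{print $1}')
        echo "$(basename "$node") $(classify_mode "$mode")"
    done
}

# Report on group membership, the usbmon module and the device nodes.
# $1 = user, $2 = device directory, $3 = module directory (all optional).
usbmon_report() {
    user=${1:-$(id -un)}
    dev_dir=${2:-/dev}
    mod_dir=${3:-/sys/module}
    if in_group "$user" wireshark; then
        echo "group: $user is in wireshark"
    else
        echo "group: $user is not in wireshark (step 4, then log out and back in)"
    fi
    # Loaded modules appear as a directory named after the module.
    if [ -d "$mod_dir/usbmon" ]; then
        echo "module: loaded"
    else
        echo "module: usbmon not listed in $mod_dir (step 6)"
    fi
    nodes=$(audit_nodes "$dev_dir")
    if [ -n "$nodes" ]; then
        echo "$nodes"
    else
        echo "nodes: no usbmon nodes in $dev_dir"
    fi
}
```

Call `usbmon_report` with no arguments to check the current user against /dev and /sys/module.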
1
thanks. worked perfect for me
– rawatm
Jan 26 '16 at 8:04
Thanks, I had a problem with permissions after updating wireshark and now it's working great.
– Hammi
Dec 24 '16 at 10:24
1
Just in case someone was wondering how to make loading of usbmon (step 6) persistent over reboots: create a file in `/etc/modules-load.d/` called `usbmon.conf` and in this file add one line with the module name `usbmon`.
– Gerrit
Mar 15 '18 at 10:25
@Gerrit thanks! That helped. And how do I persist the permissions?
– m4l490n
Mar 29 '18 at 20:01
Step 7 `sudo chmod 644 /dev/usbmon*` can be replaced with the more restrictive `sudo setfacl -m u:$USER:r /dev/usbmon*`. This more closely matches the Wireshark USB Wiki.
– MilesF
Dec 21 '18 at 18:49