{"id":4364,"date":"2014-10-10T20:00:52","date_gmt":"2014-10-10T18:00:52","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=4364"},"modified":"2021-11-20T18:02:00","modified_gmt":"2021-11-20T17:02:00","slug":"raspberry-pi-sniffen-mit-tshark-aber-nicht-als-root-user","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=4364","title":{"rendered":"Raspberry Pi: Sniffen mit TShark, aber nicht als root User"},"content":{"rendered":"

Zuerst mal eine Mindmap zu TShark<\/a>, dem Kommandline-Tool von Wireshark (fr\u00fche Ethereal).
\n\"tshark\"<\/a><\/p>\n

Installation<\/h3>\n

Zuerste den rPi aktualisieren und das Packet installieren mit:<\/p>\n

sudo apt-get update\r\nsudo apt-get upgrade\r\nsudo apt-get install tshark\r\n<\/pre>\n
Zuerst einmal die Befehle und die Version f\u00fcr die Komandozeile mit<\/p>\n
tshark -h<\/pre>\n
ausgeben:<\/p>\n
TShark 1.12.1 (Git Rev Unknown from unknown)\r\nDump and analyze network traffic.\r\nSee http:\/\/www.wireshark.org for more information.\r\n\r\nCopyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.\r\nThis is free software; see the source for copying conditions. There is NO\r\nwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\r\n\r\nUsage: tshark [options] ...\r\n\r\nCapture interface:\r\n  -i <interface>           name or idx of interface (def: first non-loopback)\r\n  -f <capture filter>      packet filter in libpcap filter syntax\r\n  -s <snaplen>             packet snapshot length (def: 65535)\r\n  -p                       don't capture in promiscuous mode\r\n  -I                       capture in monitor mode, if available\r\n  -B <buffer size>         size of kernel buffer (def: 2MB)\r\n  -y <link type>           link layer type (def: first appropriate)\r\n  -D                       print list of interfaces and exit\r\n  -L                       print list of link-layer types of iface and exit\r\n\r\nCapture stop conditions:\r\n  -c <packet count>        stop after n packets (def: infinite)\r\n  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds\r\n                           filesize:NUM - stop this file after NUM KB\r\n                              files:NUM - stop after NUM files\r\nCapture output:\r\n  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs\r\n                           filesize:NUM - switch to next file after NUM KB\r\n                              files:NUM - ringbuffer: replace after NUM files\r\nInput file:\r\n  -r <infile>              set the filename to read from (- to read from stdin)\r\n\r\nProcessing:\r\n  -2                       perform a two-pass analysis\r\n  -R <read filter>         packet Read filter in Wireshark display filter syntax\r\n  -Y <display filter>      packet displaY filter in Wireshark display filter\r\n                           syntax\r\n  -n                       disable all name resolutions (def: all enabled)\r\n  -N <name resolve flags>  enable specific name resolution(s): \"mntC\"\r\n  -d <layer_type>==<selector>,<decode_as_protocol> ...\r\n                           \"Decode As\", see the man page for details\r\n                           Example: tcp.port==8888,http\r\n  -H <hosts file>          read a list of entries from a hosts file, which will\r\n                           then be written to a capture file. (Implies -W n)\r\nOutput:\r\n  -w <outfile|->           write packets to a pcap-format file named \"outfile\"\r\n                           (or to the standard output for \"-\")\r\n  -C <config profile>      start with specified configuration profile\r\n  -F <output file type>    set the output file type, default is pcapng\r\n                           an empty \"-F\" option will list the file types\r\n  -V                       add output of packet tree        (Packet Details)\r\n  -O <protocols>           Only show packet details of these protocols, comma\r\n                           separated\r\n  -P                       print packet summary even when writing to a file\r\n  -S <separator>           the line separator to print between packets\r\n  -x                       add output of hex and ASCII dump (Packet Bytes)\r\n  -T pdml|ps|psml|text|fields\r\n                           format of text output (def: text)\r\n  -e <field>               field to print if -Tfields selected (e.g. tcp.port,\r\n                           _ws.col.Info)\r\n                           this option can be repeated to print multiple fields\r\n  -E<fieldsoption>=<value> set options for output when -Tfields selected:\r\n     header=y|n            switch headers on and off\r\n     separator=\/t|\/s|<char> select tab, space, printable character as separator\r\n     occurrence=f|l|a      print first, last or all occurrences of each field\r\n     aggregator=,|\/s|<char> select comma, space, printable character as\r\n                           aggregator\r\n     quote=d|s|n           select double, single, no quotes for values\r\n  -t a|ad|d|dd|e|r|u|ud    output format of time stamps (def: r: rel. to first)\r\n  -u s|hms                 output format of seconds (def: s: seconds)\r\n  -l                       flush standard output after each packet\r\n  -q                       be more quiet on stdout (e.g. when using statistics)\r\n  -Q                       only log true errors to stderr (quieter than -q)\r\n  -g                       enable group read access on the output file(s)\r\n  -W n                     Save extra information in the file, if supported.\r\n                           n = write network address resolution information\r\n  -X <key>:<value>         eXtension options, see the man page for details\r\n  -z <statistics>          various statistics, see the man page for details\r\n  --capture-comment <comment>\r\n                           add a capture comment to the newly created\r\n                           output file (only for pcapng)\r\n\r\nMiscellaneous:\r\n  -h                       display this help and exit\r\n  -v                       display version info and exit\r\n  -o <name>:<value> ...    override preference setting\r\n  -K <keytab>              keytab file to use for kerberos decryption\r\n  -G [report]              dump one of several available reports and exit\r\n                           default report=\"fields\"\r\n                           use \"-G ?\" for more help\r\n\r\nWARNING: dumpcap will enable kernel BPF JIT compiler if available.\r\nYou might want to reset it\r\nBy doing \"echo 0 > \/proc\/sys\/net\/core\/bpf_jit_enable\"\r\n<\/pre>\n
Erst wollen wir uns die vorhandenen Interfaces anschauen und die Nummer merken.<\/p>\n
\r\nsudo tshark -D\r\n<\/pre>\n
Liefert die folgende Liste der verf\u00fcgbaren Interfaces:
\n
\n1. eth0
\n2. wlan0
\n3. wlan0mon
\n4. any
\n5. lo (Loopback)
\n6. nflog
\n7. nfqueue
\n8. usbmon1
\n<\/code>
\nDann mal 10 Sekunden in die Datei traffic.pcap den Netzwerkverkehr von 1 (eth0) sichern mit:<\/p>\n
tshark -i 1 -a duration:10 -w traffic.pcap<\/pre>\n
Kommt es zu dieser Fehlermeldung:<\/p>\n
\r\nCapturing on 'eth0'\r\ntshark: The capture session could not be initiated on interface 'eth0' (You don't have permission to capture on that device).\r\nPlease check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.\r\n<\/pre>\n
dann nicht aus Sicherheitsgr\u00fcnden mit sudo<\/strong> starten. TShark sollte nicht als root ausgef\u00fchrt werden und der aktuelle User hat nicht die Rechte auf die Schnittstellen zuzugreifen.<\/p>\n
Abhilfe<\/h3>\n
Den aktuellen User (hier pi) f\u00fcr den Zugriff reconfigurieren mit:<\/p>\n
sudo dpkg-reconfigure wireshark-common<\/pre>\n
Es erscheint so ein Dialog:
\n\"Bildschirmfoto<\/a>
\nDort mit Ja<\/strong> antworten.<\/p>\n
Damit die Berechigung f\u00fcr den User (pi) gesetzt wird, und es nicht zu dieser Fehlermeldung kommt:<\/p>\n
tshark: Couldn't run \/usr\/bin\/dumpcap in child process: Keine Berechtigung<\/pre>\n
Einmal:<\/p>\n
\r\nsudo usermod -a -G wireshark pi\r\n<\/pre>\n
Dann einmal abmelden:<\/p>\n
exit<\/pre>\n
und wieder anmelden. <\/p>\n
Schon k\u00f6nnen Dateien im PCAP Format<\/a> auf dem Raspberry Pi erzeugt werden und auf einem anderen Rechner mit Wireshark ausgewertet werden.<\/p>\n","protected":false},"excerpt":{"rendered":"
Zuerst mal eine Mindmap zu TShark, dem Kommandline-Tool von Wireshark (fr\u00fche Ethereal). Installation Zuerste den rPi aktualisieren und das Packet installieren mit: sudo apt-get update sudo apt-get upgrade sudo apt-get install tshark Zuerst einmal die Befehle und die Version f\u00fcr die Komandozeile mit tshark -h ausgeben: TShark 1.12.1 (Git Rev Unknown from unknown) Dump and … <\/p>\n
\u201eRaspberry Pi: Sniffen mit TShark, aber nicht als root User\u201c <\/span>weiterlesen<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,1204,1023,1319],"tags":[5108,1729,1731,589,1733,1734,2190,1728,511,1732,1726,1727,1730,1115],"class_list":["post-4364","post","type-post","status-publish","format-standard","hentry","category-allgemein","category-internet-2","category-raspberry-pi","category-sicherheit-2","tag-cap","tag-ethereal","tag-hai","tag-netzwerk","tag-pcap","tag-pcap-format","tag-raspberry-pi","tag-root","tag-scann","tag-shark","tag-sniffen","tag-tshark","tag-wiereshark","tag-wireshark"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/4364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4364"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/4364\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4364"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}