Wireshark mailing list archives

Re: nflog in qt and gtk


From: Peter Wu <peter () lekensteyn nl>
Date: Fri, 19 Dec 2014 11:44:25 +0100

On Friday 19 December 2014 11:08:01 Dario Lombardo wrote:
On Thu, Dec 18, 2014 at 4:29 PM, Peter Wu <peter () lekensteyn nl> wrote:


You should not run Wireshark with sudo, instead set the appropriate
privileges on the dumpcap binary as described at
http://wiki.wireshark.org/CaptureSetup/CapturePrivileges


Generally speaking, you are right, and it's what I do with my stable
wireshark. But with my development version, the setcapped binary is
overwritten every time I recompile. So I use the master compiled version
with sudo.

If I need to perform a capture, I just overwrite dumpcap with:
ln -sfv /usr/bin/dumpcap /tmp/wsbuild/run/

It looks like you also avoid overwriting this file/symlink by disabling
dumpcap building:

    cmake -DBUILD_dumpcap=0 ...

What did I do wrong?

I have spent some minutes debugging it and it turns out that you
cannot have two open sockets for NFLOG.

Reproducer:
$ dumpcap -i nflog -w /dev/null
Capturing on 'nflog'
File: /dev/null
(in a different shell)
$ dumpcap -i nflog -w /dev/null
Capturing on 'nflog'
dumpcap: The capture session could not be initiated on interface 'nflog'
(Can't listen on group group index: Operation not permitted).
Please check to make sure you have sufficient permissions, and that you
have the proper interface or pipe specified.

The difference between GTK and Qt is that Qt additionally executes
`dumpcap -S -Z none` which seems to open a socket for each available
interface to collect stats.

At this point I stopped debugging, hope it helps.


If I've got the point, wireshark QT is not expected to work with nflog,
right? If stats can't be stopped, it won't work.

Nope, it won't work at the moment. The problem is that NFLOG can only be
opened by one user which is a kernel limitation. From
net/netfilter/nfnetlink_log.c:

        inst = instance_lookup_get(log, group_num);
        if (inst && inst->peer_portid != NETLINK_CB(skb).portid) {
                ret = -EPERM;
                goto out_put;
        }
-- 
Kind regards,
Peter
https://lekensteyn.nl
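To see that kernel check from userspace, here is an added example (not code from this thread, from Wireshark or from the kernel) that binds two netlink sockets to the same NFLOG group by hand, the way dumpcap's two instances end up doing. It assumes Linux with CAP_NET_ADMIN; the message layout follows what libnetfilter_log sends and the constants are copied from the kernel UAPI headers.

```python
import errno
import os
import socket
import struct

# Constants from the Linux UAPI headers (linux/netlink.h, linux/netfilter/nfnetlink.h,
# linux/netfilter/nfnetlink_log.h); Python's socket module does not export all of them.
NETLINK_NETFILTER = 12
NLM_F_REQUEST, NLM_F_ACK, NLMSG_ERROR = 0x1, 0x4, 0x2
NFNL_SUBSYS_ULOG, NFULNL_MSG_CONFIG = 4, 0
NFULA_CFG_CMD, NFULNL_CFG_CMD_BIND = 1, 1
NFNETLINK_V0 = 0


def build_bind_request(group, seq=1):
    """nlmsghdr + nfgenmsg + NFULA_CFG_CMD(BIND) attribute for one NFLOG group."""
    nla_len = 4 + 1                                     # nlattr header + one u8 command
    attr = struct.pack("=HHB", nla_len, NFULA_CFG_CMD, NFULNL_CFG_CMD_BIND)
    attr += b"\0" * (-len(attr) % 4)                    # NLA_ALIGN to 4 bytes
    # nfgenmsg: family, version, res_id (the group number, stored as __be16)
    nfgen = struct.pack("=BB", socket.AF_UNSPEC, NFNETLINK_V0) + struct.pack("!H", group)
    body = nfgen + attr
    hdr = struct.pack("=IHHII", 16 + len(body), (NFNL_SUBSYS_ULOG << 8) | NFULNL_MSG_CONFIG,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + body


def parse_ack(reply):
    """Return the errno carried by an NLMSG_ERROR ack (0 means the bind succeeded)."""
    _, msg_type, _, _, _ = struct.unpack("=IHHII", reply[:16])
    if msg_type != NLMSG_ERROR:
        raise ValueError("unexpected netlink message type %d" % msg_type)
    return -struct.unpack("=i", reply[16:20])[0]


# Constructed sample ack, as the kernel would answer the second binder: error = -EPERM.
SAMPLE_EPERM_ACK = struct.pack("=IHHII", 20, NLMSG_ERROR, 0, 1, 0) + struct.pack("=i", -errno.EPERM)


def bind_nflog_group(group):
    """Open a netfilter netlink socket and bind it to an NFLOG group; return (sock, errno)."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER)
    s.bind((0, 0))                  # kernel assigns the portid that nfnetlink_log records as peer_portid
    s.sendto(build_bind_request(group), (0, 0))
    return s, parse_ack(s.recv(4096))


if __name__ == "__main__":
    first, err1 = bind_nflog_group(1)
    second, err2 = bind_nflog_group(1)              # different portid, same group -> EPERM
    for name, err in (("first", err1), ("second", err2)):
        print("%s socket: %s" % (name, os.strerror(err) if err else "bound"))
```

With CAP_NET_ADMIN the first socket reports "bound" and the second "Operation not permitted", which is exactly the error dumpcap prints above.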

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev