Re: How to rid of queries swamping logs in non-online Wireshark

[Jeff Morriss <jeff.morriss.ws () gmail com>]

On Tue, Mar 29, 2016 at 9:12 AM, Miroslav Rovis <
miro.rovis () croatiafidelis hr> wrote:

> On 160321-10:54-0400, Jeff Morriss wrote:
> > On Sat, Mar 19, 2016 at 10:53 AM, Miroslav Rovis <
> > miro.rovis () croatiafidelis hr> wrote:
> >
> > > Hi!
> Hi!
> You already helped me with the important link, after which I can't stop
> decrypting SSL ;-) :
> The SSL tcp stream decoding in Users' Manual?
> https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html


You mean add the SSL decoding stuff to the manual (rather than just in the
Wiki)?  I'm a bit hesitant to duplicate information--especially given how
complicated SSL decryption is.  (Anyway as I probably stated earlier I
don't know a lot about SSL decryption and have only actually done it while
helping others.)

This, the first thing:
> > > Here is a recent log:
> > >
> > > Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of
> > > /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
> > > /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000
> gid/egid:1000/1000,
> > > parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
> > > gid/egid:1000/1000
> >
> > [...]
> has stopped. So it could be something else the reason, as I run dumpcap
> from normal user terminal, via sudo.
>
> And back at the time of that periodically occuring kind of log swamping
> by Wireshark, I wasn't even running dumpcap...
>
> So it must be something else missing in the picture. The next time it
> occurs, if it does, I'll be back to tell about it.

OK, I was thinking that Wireshark (the GUI) was periodically running
dumpcap.  I know it does at least at startup but I don't know how it gets
the interface statistics (the sparklines next to the interfaces in the Qt
UI)--I assumed it was running it periodically.

And the second thing is, I kept looking if there were replies for a day
> or two, and then I thought I put a stupid question, and that nobody
> would reply.

Do you mean that you didn't get a copy of the reply?  Are you subscribed to
the list?  If not it's generally a good idea to tell people to be sure to
Cc: you on their reply otherwise they will reply just to the list (that's
the default behavior for the list)--and you'll only see the reply if you go
searching in the list archives.

Thanks, Jeff, you're one of my heroes, and Wireshark is great! (If only
> I had such understanding to be able to contribute... I hope at least
> when I post about it, I attract a few newbies...)

No problem. :-)

On Tue, Mar 29, 2016 at 9:12 AM, Miroslav Rovis <
miro.rovis () croatiafidelis hr> wrote:

> On 160321-10:54-0400, Jeff Morriss wrote:
> > On Sat, Mar 19, 2016 at 10:53 AM, Miroslav Rovis <
> > miro.rovis () croatiafidelis hr> wrote:
> >
> > > Hi!
> Hi!
> You already helped me with the important link, after which I can't stop
> decrypting SSL ;-) :
> The SSL tcp stream decoding in Users' Manual?
> https://www.wireshark.org/lists/wireshark-users/201509/msg00011.html
> And I thanked you here:
> (8644 views currently)
> SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
> https://forums.gentoo.org/viewtopic-t-1029408.html#7819968
> (and mentioned you later as well, when I found you among the top
> Wireshark developers, but can't find that page on Gentoo Forums quickly)
>
> However, two things.
>
> This, the first thing:
> > > Here is a recent log:
> > >
> > > Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of
> > > /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
> > > /usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000
> gid/egid:1000/1000,
> > > parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
> > > gid/egid:1000/1000
> >
> > [...]
> has stopped. So it could be something else the reason, as I run dumpcap
> from normal user terminal, via sudo.
>
> And back at the time of that periodically occuring kind of log swamping
> by Wireshark, I wasn't even running dumpcap...
>
> So it must be something else missing in the picture. The next time it
> occurs, if it does, I'll be back to tell about it.
>
> > Wireshark is starting dumpcap periodically to check the status of the
> > interfaces (and also get statistics from them).  I think the only way
> > you'll be able to disable this (from the Wireshark side) is to make it so
> > you don't have permission to start dumpcap (from Wireshark).  Obviously
> > this conflicts with your use of dumpcap (as the same user) to actually
> > capture.
> >
> > I suppose a simpler method would be to simply rename dumpcap to something
> > you'll know but Wireshark won't, e.g., `dumpcap-real`.
>
> And the second thing is, I kept looking if there were replies for a day
> or two, and then I thought I put a stupid question, and that nobody
> would reply.
>
> Thanks, Jeff, you're one of my heroes, and Wireshark is great! (If only
> I had such understanding to be able to contribute... I hope at least
> when I post about it, I attract a few newbies...)
>
> Regards!
> --
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe