Objective
Wireshark is a packet analysis tool capable of capturing and displaying network packets as they are received by machines like the Raspberry Pi. This is particularly useful thanks to the attached Wi-Fi and Bluetooth radios. Even GNU Radio has utilized it in conjunction with the RFTap application. So today, I’m going to install Wireshark for Raspberry Pi on a local network.
Notice of Non-Affiliation and Disclaimer: As of the publication date, we are not affiliated with, associated with, authorized with, endorsed by, compensated by, or in any way officially connected with the Wireshark Foundation, Raspberry Pi Foundation, Canonical or their owners, subsidiaries or affiliates.
External Links: Links to external web pages have been provided as a convenience and for informational purposes only. Unboxing Tomorrow and Voxidyne Media bear no responsibility for the accuracy, legality or content of the external site or for that of subsequent links. Contact the external site for answers to questions regarding its content.
Scope and Acknowledgement
First, I must note this guide only covers installing the Wireshark binary package from the Raspberry Pi OS repositories, which is currently at version 2.6.8, rather than the latest stable release as of December 2020 (version 3.4.0). If you’re looking to build the latest version, the Wireshark Foundation has published “Building Wireshark from source under UNIX.”
Second, I acknowledge the blog: Don’s Think Tank for documenting this procedure in 2015. Because it’s been over 5 years since it was published, you can consider this confirmation that the method still works, at least for the following…
Resources
- Raspberry Pi 3B+
- Raspberry Pi Operating System with desktop and recommended software
- Internet access
- Permission from your network administrator
Installing the Wireshark Binary
Step 1: Update && Upgrade
First, update and upgrade your existing software packages…
sudo apt-get update && sudo apt-get upgrade -y
Step 2: Install Wireshark Package
Now install the Wireshark package…
sudo apt-get install wireshark
Step 3: Configure Permissions
Part-way through the installation, you will be asked if non-superusers should be able to capture packets. As a practice, it is a bad idea to give all user levels excess privileges, so I’ve disallowed this by selecting “No.” The steps below then grant capture rights only to members of a dedicated group. Be aware that the Debian packaging, which Raspberry Pi OS inherits, re-applies its own permissions to dumpcap whenever wireshark-common is configured or upgraded, so the manual changes below can be undone by a later apt upgrade; re-check them after upgrading, or let the package manage them by re-running its configuration (dpkg-reconfigure wireshark-common) and answering “Yes.”
Now I will give this system a new user group called “wireshark.” If the group already exists (some package versions create it during installation), groupadd will say so and nothing more is needed.
sudo groupadd wireshark
Because I’m still using the default username of “pi,” I will add the pi account to the wireshark user group…
sudo usermod -a -G wireshark pi
Now change the group ownership of the dumpcap utility to the wireshark group.
sudo chgrp wireshark /usr/bin/dumpcap
Now modify the dumpcap file to allow execution by the new wireshark group.
sudo chmod 750 /usr/bin/dumpcap
The “750” pattern gives the owner (root) read, write and execute permission and the wireshark group read and execute permission, while every other user gets nothing at all. You can optionally verify this with:
ls -al /usr/bin/dumpcap
…which should return the flags -rwxr-x--- with “wireshark” in the group column.
Now configure the capabilities of the dumpcap file…
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
Verify this change using…
sudo getcap /usr/bin/dumpcap
…which should return “/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip”
Step 4: Reboot and Run
Now, log off or reboot, since the new group membership only applies to sessions started after it was granted. Afterward, you should be able to run Wireshark as the pi user by simply entering “wireshark” in the terminal. Then just press the “start capturing packets” button (the shark fin) to begin!
As an optional side note: you can check your version of Wireshark using…
wireshark --version
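As an added check (my own example, not part of the original post or of the Wireshark project), the following POSIX shell script re-verifies everything Step 3 set up: the group owner and 750 mode of dumpcap, the file capabilities reported by getcap, and the pi account’s membership in the wireshark group. It assumes GNU stat with -c, id -nG and getcap from libcap2-bin, all present on Raspberry Pi OS; the DUMPCAP, WANT_GROUP and CHECK_USER environment variables are names I chose for this script so the path, group and user can be overridden. Run it again after any apt upgrade that touches wireshark-common, since that can rewrite the file’s permissions.

```shell
#!/bin/sh
# Added example, not from the original post: re-check the Step 3 hardening of
# dumpcap (group ownership, 750 mode, file capabilities, pi's group membership)
# so that drift is caught, e.g. after an apt upgrade of wireshark-common has
# rewritten /usr/bin/dumpcap. Assumed tools (mine, not the page's): GNU stat
# with -c, id -nG, and getcap from libcap2-bin.

DUMPCAP="${DUMPCAP:-/usr/bin/dumpcap}"
WANT_GROUP="${WANT_GROUP:-wireshark}"
CHECK_USER="${CHECK_USER:-pi}"

# Print the octal permission bits of a file, e.g. "750".
file_mode() { stat -c '%a' "$1"; }

# Print the owning group name of a file.
file_group() { stat -c '%G' "$1"; }

# in_group USER GROUP: succeed when USER is a member of GROUP.
in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# mode_ok MODE: succeed when the group digit allows r-x (5 or 7) and the
# "others" digit is 0, so users outside the group cannot run dumpcap.
mode_ok() {
    m="$1"
    others="${m#"${m%?}"}"        # last octal digit
    rest="${m%?}"
    group="${rest#"${rest%?}"}"   # second-to-last octal digit
    [ "$others" = "0" ] && { [ "$group" = "5" ] || [ "$group" = "7" ]; }
}

# caps_ok LINE: succeed when a getcap output line carries cap_net_raw and
# cap_net_admin in the effective, inheritable and permitted sets. libcap 2.2x
# prints "path = cap_net_admin,cap_net_raw+eip"; libcap 2.41 and later prints
# "path cap_net_admin,cap_net_raw=eip".
caps_ok() {
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_raw*)   ;; *) return 1 ;; esac
    case "$1" in *+eip|*=eip)     return 0 ;; *) return 1 ;; esac
}

# check_dumpcap [PATH]: print one line per check and return 1 if anything drifted.
check_dumpcap() {
    target="${1:-$DUMPCAP}"
    rc=0
    mode="$(file_mode "$target")"
    grp="$(file_group "$target")"
    caps="$(getcap "$target" 2>/dev/null)"

    if [ "$grp" = "$WANT_GROUP" ]; then echo "ok   group  $grp"
    else echo "FAIL group is '$grp', want $WANT_GROUP"; rc=1; fi

    if mode_ok "$mode"; then echo "ok   mode   $mode"
    else echo "FAIL mode is $mode, want 750"; rc=1; fi

    if caps_ok "$caps"; then echo "ok   caps   ${caps#"$target"}"
    else echo "FAIL caps are '${caps:-none}', want cap_net_raw,cap_net_admin=eip"; rc=1; fi

    if in_group "$CHECK_USER" "$WANT_GROUP"; then echo "ok   member $CHECK_USER in $WANT_GROUP"
    else echo "FAIL $CHECK_USER is not in $WANT_GROUP"; rc=1; fi
    return "$rc"
}

# Run the report when invoked as: sh check_dumpcap.sh --check
if [ "${1:-}" = "--check" ]; then
    check_dumpcap "$DUMPCAP"
fi
```

Save it as check_dumpcap.sh and run it with sh check_dumpcap.sh --check; a non-zero exit status means at least one of the Step 3 settings has drifted, and the FAIL line tells you which command from Step 3 to repeat.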
Closing Remarks
For instructions on installing the latest stable release, you can find a useful guide on the official Wireshark page.
In terms of speed, the Raspberry Pi 3B+ can become quite sluggish on a high-traffic connection such as a remote desktop session or a streaming webcam, because Wireshark is dissecting and drawing every packet live. An alternative in that case is to capture from the command line with something like tcpdump (or the dumpcap utility configured above), write the packets to a capture file, and open that file in Wireshark afterwards, on the Pi or on a faster machine.
On a closing note, here are some possible startup warnings you may observe…
libEGL warning: DRI2: failed to authenticate
You may see this error while Wireshark initializes. According to pi3d.github.io, this can happen if mesa (a graphics stack for the Raspberry Pi’s graphics processing unit) was ever installed with its own versions of libEGL and libGLESv2 (graphics libraries). According to the source, you can test by entering…
sudo find / -name 'libEGL*'
sudo find / -name 'libGLESv2*'
(The patterns are quoted so the shell does not expand them against the current directory before find sees them.) Under normal conditions, this should only return /opt/vc/lib/libEGL.so and /opt/vc/lib/libGLESv2.so.
Main Warn libpng warning: iCCP: known incorrect sRGB profile
This has to do with portable network graphics (PNG) image files and the iCCP chunk, which embeds an International Color Consortium (ICC) colour profile in the file. These images are handled by the cross-platform libpng library, which (according to one Google Groups thread) warns when the embedded profile is a known copy of sRGB that has been edited, metadata the image author should have stripped. The warning is harmless.
List of Commands Used
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install wireshark
sudo groupadd wireshark
sudo usermod -a -G wireshark pi
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
ls -al /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
sudo getcap /usr/bin/dumpcap
wireshark
References
[1] Wireshark Foundation, “Wireshark · Go Deep.,” [Online]. Available: https://www.wireshark.org/#download. [Accessed 2 Dec. 2020].
[2] Wireshark Foundation, “Release Notes,” [Online]. Available: https://www.wireshark.org/docs/relnotes/. [Accessed 4 Dec. 2020].
[3] Don’s Think Tank, “WireShark Raspberry PI,” 30 July 2015. [Online]. Available: https://donsthinktank.blogspot.com/2015/07/wireshark-raspberry-pi.html. [Accessed 2 Dec. 2020].
[4] Wireshark Foundation, “2.6. Building Wireshark from source under UNIX,” [Online]. Available: https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallUnixBuild.html. [Accessed 4 Dec. 2020].
[5] pi3d, “Frequently Asked Questions; pi3d 2.40 documentation,” [Online]. Available: https://pi3d.github.io/html/FAQ.html. [Accessed 4 Dec. 2020].
[6] G. Randers-Pehrson, “libpng.txt – A description on how to use and modify libpng,” 3 Jan. 2010. [Online]. Available: http://www.libpng.org/pub/png/libpng-1.4.0-manual.pdf. [Accessed 4 Dec. 2020].
[7] “libpng warning: iCCP: Not recognizing known sRGB profile that has been edited,” 4 Nov. 2014. [Online]. Available: https://groups.google.com/g/adt-dev/c/rjTQ_STR3OE?pli=1. [Accessed 4 Dec. 2020].
Important Notice: This article and its contents (the “Information”) belong to Unboxing-tomorrow.com and Voxidyne Media LLC. No license is granted for the use of it other than for information purposes. No license of any intellectual property rights is granted. The Information is subject to change without notice. The Information supplied is believed to be accurate, but Voxidyne Media LLC assumes no responsibility for its accuracy or completeness, any error in or omission from it or for any use made of it. Liability for loss or damage resulting from any reliance on the Information or use of it (including liability resulting from negligence or where Voxidyne Media LLC was aware of the possibility of such loss or damage arising) is excluded.