В этом руководстве вы узнаете, как установить Wireshark на Rocky Linux.

Wireshark является самым передовым и широко используемым в мире анализатором сетевых протоколов.

Некоторые из возможностей Wireshark включают;

• Глубокая проверка сотен протоколов, причем постоянно добавляются новые.
• Захват в реальном времени и автономный анализ
• Стандартный трехпанельный браузер пакетов
• Мультиплатформенность: Работает на Windows, Linux, macOS, Solaris, FreeBSD, NetBSD и многих других.
• Захваченные сетевые данные можно просматривать через графический интерфейс или с помощью утилиты TShark, работающей в режиме TTY.
• Самые мощные фильтры отображения в отрасли
• Богатый анализ VoIP
• Чтение/запись множества различных форматов файлов захвата: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor …
• Файлы захвата, сжатые с помощью gzip, могут быть распакованы на лету.
• Живые данные могут быть считаны из Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI и других (в зависимости от вашей платформы).
• Поддержка расшифровки многих протоколов, включая IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP и WPA/WPA2.
• Правила раскраски могут быть применены к списку пакетов для быстрого, интуитивно понятного анализа
• Результаты можно экспортировать в XML, PostScript, CSV или обычный текст.

Обратите внимание, что сканирование или прослушивание любого сетевого трафика без разрешения на это является преступлением, в противном случае использование программы может привести вас в тюрьму.

Установка Wireshark в Rocky Linux

Wireshark доступен в репозиториях Rocky Linux по умолчанию.

Однако доступные версии могут быть не самыми последними.

Wireshark 3.6.3 является текущим стабильным релизом на момент написания этой статьи.

Чтобы подтвердить это, выполните приведенные ниже команды, чтобы проверить доступную версию Wireshark на Rocky Linux;

sudo dnf info wireshark

Вывод:

Available Packages

Name         : wireshark

Epoch        : 1

Version      : 2.6.2

Release      : 14.el8

Architecture : x86_64

Size         : 3.6 M

Source       : wireshark-2.6.2-14.el8.src.rpm

Repository   : appstream

Summary      : Network traffic analyzer

URL          : http://www.wireshark.org/

License      : GPL+

Как видите, последняя версия Wireshark доступна на Rocky Linux.

Следовательно, чтобы установить Wireshark на Rocky Linux, по крайней мере, последние версии, необходимо собрать его из исходников.

Чтобы собрать Wireshark из исходного кода на Rocky Linux;

Установите необходимые инструменты сборки

dnf install qt5-devel gcc gcc-c++ bison flex libpcap-devel 

gtk3-devel rpm-build libtool c-ares-devel qt5-qtbase-devel 

qt5-qtmultimedia-devel qt5-linguist desktop-file-utils 

createrepo glib2-devel perl perl-devel tcpdump libcap-devel 

libssh-devel krb5-devel perl-Parse-Yapp snappy-devel git

minizip-devel lz4 libxml2-devel spandsp-devel systemd-devel -y

Установите Wireshark на Rocky Linux

Загрузите последнюю версию исходного кода Wireshark со страницы скаивания.

https://www.wireshark.org/#download

wget https://1.eu.dl.wireshark.org/src/wireshark-3.6.3.tar.xz

Извлеките исходный код Wireshark.

tar xJf wireshark-3.6.3.tar.xz

Компиляция исходного кода Wireshark

cd wireshark-3.6.3

cmake .

Образец вывода команды;

...

-- The following OPTIONAL packages have been found:



 * Git

 * GMODULE2

 * Gettext

 * LIBSSH (required version >= 0.6), Library for implementing SSH clients, 

   extcap remote SSH interfaces (sshdump, ciscodump)

 * PCAP

 * Systemd, System and Service Manager (libraries), 

   Support for systemd journal extcap interface (sdjournal)

 * GNUTLS (required version >= 3.3.0)

 * KERBEROS

 * ZLIB

 * Minizip, Mini zip and unzip based on zlib, 

   Support for profiles import/export

 * SNAPPY, A fast compressor/decompressor from Google, 

   Snappy decompression in CQL and Kafka dissectors

 * SPANDSP, a library of many DSP functions for telephony, 

   Support for G.722 and G.726 codecs in RTP player

 * LibXml2

 * CAP, The Libcap package implements the user-space interfaces to the POSIX 1003.1e capabilities available in Linux kernels, 

   Allow packet captures without running as root

 * SETCAP

 * XSLTPROC



-- The following REQUIRED packages have been found:



 * GLIB2 (required version >= 2.38.0)

 * GTHREAD2

 * GCRYPT (required version >= 1.5.0)

 * CARES (required version >= 1.5.0), Library for asynchronous DNS requests, 

   DNS name resolution for captures

 * LEX

 * Perl

 * Python3 (required version >= 3.4)

 * M

 * Qt5Core

 * Qt5LinguistTools

 * Qt5Network (required version >= 5.15.2)

 * Qt5Gui (required version >= 5.15.2)

 * Qt5Multimedia

 * Qt5PrintSupport

 * Qt5Widgets



-- The following OPTIONAL packages have not been found:



 * MaxMindDB, C library for the MaxMind DB file format, 

   Support for GeoIP lookup

 * SMI, Library to access SMI management information, 

   Support MIB and PIB parsing and OID resolution

 * BROTLI

 * LZ4, LZ4 is a fast lossless compression algorithm, 

   LZ4 decompression in CQL and Kafka dissectors, read compressed capture files

 * ZSTD (required version >= 1.0.0), A compressor/decompressor from Facebook providing better compression than Snappy at a cost of speed, 

   Zstd decompression in Kafka dissector, read compressed capture files

 * NGHTTP2, HTTP/2 C library and tools, 

   Header decompression in HTTP2

 * LUA (required version >= 5.1)

 * NL, Libraries for using the Netlink protocol on Linux, 

   Support for managing wireless 802.11 interfaces

 * SBC, Bluetooth low-complexity, subband codec (SBC) decoder, 

   Support for playing SBC codec in RTP player

 * BCG729, G.729 decoder, 

   Support for G.729 codec in RTP player

 * ILBC, iLBC decoder, 

   Support for iLBC codec in RTP player

 * OPUS, opus decoder, 

   Support for opus codec in RTP player

 * DOXYGEN

 * SpeexDSP, SpeexDSP is a patent-free, Open Source/Free Software DSP library, 

   RTP audio resampling

 * Asciidoctor (required version >= 1.5)



We are on tag v3.6.3.

vcs_version.h unchanged.

-- Configuring done

-- Generating done

-- Build files have been written to: /root/wireshark-3.6.3

Исправьте все ошибки, прежде чем продолжить, на всякий случай.

Сборка Wireshark

make

Установка Wireshark на Rocky Linux

make install

Также установлена утилита командной строки Tshark;

tshark --help

TShark (Wireshark) 3.6.3 (Git commit 6d348e4611e2)

Dump and analyze network traffic.

See https://www.wireshark.org for more information.



Usage: tshark [options] ...



Capture interface:

  -i , --interface 

                           name or idx of interface (def: first non-loopback)

  -f       packet filter in libpcap filter syntax

  -s , --snapshot-length 

                           packet snapshot length (def: appropriate maximum)

  -p, --no-promiscuous-mode

                           don't capture in promiscuous mode

  -I, --monitor-mode       capture in monitor mode, if available

  -B , --buffer-size 

                           size of kernel buffer (def: 2MB)

  -y , --linktype 

                           link layer type (def: first appropriate)

  --time-stamp-type  timestamp method for interface

  -D, --list-interfaces    print list of interfaces and exit

  -L, --list-data-link-types

                           print list of link-layer types of iface and exit

  --list-time-stamp-types  print list of timestamp types for iface and exit



Capture stop conditions:

  -c         stop after n packets (def: infinite)

  -a  ..., --autostop  ...

                           duration:NUM - stop after NUM seconds

                           filesize:NUM - stop this file after NUM KB

                              files:NUM - stop after NUM files

                            packets:NUM - stop after NUM packets

Capture output:

  -b  ..., --ring-buffer 

                           duration:NUM - switch to next file after NUM secs

                           filesize:NUM - switch to next file after NUM KB

                              files:NUM - ringbuffer: replace after NUM files

                            packets:NUM - switch to next file after NUM packets

                           interval:NUM - switch to next file when the time is

                                          an exact multiple of NUM secs

Input file:

  -r , --read-file 

                           set the filename to read from (or '-' for stdin)



Processing:

  -2                       perform a two-pass analysis

  -M         perform session auto reset

  -R , --read-filter 

                           packet Read filter in Wireshark display filter syntax

                           (requires -2)

  -Y , --display-filter 

                           packet displaY filter in Wireshark display filter

                           syntax

  -n                       disable all name resolutions (def: "mNd" enabled, or

                           as set in preferences)

  -N   enable specific name resolution(s): "mnNtdv"

  -d ==, ...

                           "Decode As", see the man page for details

                           Example: tcp.port==8888,http

  -H           read a list of entries from a hosts file, which will

                           then be written to a capture file. (Implies -W n)

  --enable-protocol 

                           enable dissection of proto_name

  --disable-protocol 

                           disable dissection of proto_name

  --enable-heuristic 

                           enable dissection of heuristic protocol

  --disable-heuristic 

                           disable dissection of heuristic protocol

Output:

  -w <outfile|->           write packets to a pcapng-format file named "outfile"

                           (or '-' for stdout)

  --capture-comment 

                           add a capture file comment, if supported

  -C       start with specified configuration profile

  -F 
    set the output file type, default is pcapng

                           an empty "-F" option will list the file types

  -V                       add output of packet tree        (Packet Details)

  -O            Only show packet details of these protocols, comma

                           separated

  -P, --print              print packet summary even when writing to a file

  -S            the line separator to print between packets

  -x                       add output of hex and ASCII dump (Packet Bytes)

  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?

                           format of text output (def: text)

  -j       protocols layers filter if -T ek|pdml|json selected

                           (e.g. "ip ip.flags text", filter does not expand child

                           nodes, unless child is specified also in the filter)

  -J       top level protocol filter if -T ek|pdml|json selected

                           (e.g. "http tcp", filter which expands all child nodes)

  -e                field to print if -Tfields selected (e.g. tcp.port,

                           _ws.col.Info)

                           this option can be repeated to print multiple fields

  -E= set options for output when -Tfields selected:

     bom=y|n               print a UTF-8 BOM

     header=y|n            switch headers on and off

     separator=/t|/s| select tab, space, printable character as separator

     occurrence=f|l|a      print first, last or all occurrences of each field

     aggregator=,|/s| select comma, space, printable character as

                           aggregator

     quote=d|s|n           select double, single, no quotes for values

  -t a|ad|adoy|d|dd|e|r|u|ud|udoy

                           output format of time stamps (def: r: rel. to first)

  -u s|hms                 output format of seconds (def: s: seconds)

  -l                       flush standard output after each packet

  -q                       be more quiet on stdout (e.g. when using statistics)

  -Q                       only log true errors to stderr (quieter than -q)

  -g                       enable group read access on the output file(s)

  -W n                     Save extra information in the file, if supported.

                           n = write network address resolution information

  -X :         eXtension options, see the man page for details

  -U tap_name              PDUs export mode, see the man page for details

  -z           various statistics, see the man page for details

  --export-objects ,

                           save exported objects for a protocol to a directory

                           named "destdir"

  --export-tls-session-keys 

                           export TLS Session Keys to a file named "keyfile"

  --color                  color output text similarly to the Wireshark GUI,

                           requires a terminal with 24-bit color support

                           Also supplies color attributes to pdml and psml formats

                           (Note that attributes are nonstandard)

  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object

                           into a single key with as value a json array containing all

                           values

  --elastic-mapping-filter  If -G elastic-mapping is specified, put only the

                           specified protocols within the mapping file

Diagnostic output:

  --log-level       sets the active log level ("critical", "warning", etc.)

  --log-fatal       sets level to abort the program ("critical" or "warning")

  --log-domains <[!]list>  comma separated list of the active log domains

  --log-debug <[!]list>    comma separated list of domains with "debug" level

  --log-noisy <[!]list>    comma separated list of domains with "noisy" level

  --log-file         file to output messages to (in addition to stderr)



Miscellaneous:

  -h, --help               display this help and exit

  -v, --version            display version info and exit

  -o : ...    override preference setting

  -K               keytab file to use for kerberos decryption

  -G [report]              dump one of several available reports and exit

                           default report="fields"

                           use "-G help" for more help



Dumpcap can benefit from an enabled BPF JIT compiler if available.

You might want to enable it by executing:

 "echo 1 > /proc/sys/net/core/bpf_jit_enable"

Note that this can make your system less secure!
</outfile|->