I am using the following command:
for retrieving the SERVFAILures and the NX responses but it complains with:
I also tried running this command from a non-privileged account (not root) against a pcap file that had NX responses but nothing was returned... Is there another way of doing it or a fix for this? Thanks

asked 02 Mar '16, 02:53 altdrugzgene
edited 02 Mar '16, 04:37
One Answer:
Have you followed the link in the "complaint"? It's telling you to really, really abstain from running tshark as root. The link shows how to configure your system so that you can capture without running tshark (or wireshark) as root.

answered 02 Mar '16, 03:30 grahamb ♦

My question is not clear, I think. Is the Lua scripting language NOT working if you execute wireshark as root? (02 Mar '16, 03:37) altdrugzgene

Yes it is disabled. (02 Mar '16, 03:50) grahamb ♦

However, it doesn't work even when I'm running it from an unprivileged account (02 Mar '16, 04:47) altdrugzgene

OK, so that was really unclear that Lua is not your primary problem. Can you provide a capture where it fails for you? I've just randomly taken a capture and used your filter with modified search string and it worked for me the following way (a little bit of manual obfuscation on the real fqdn done):
(02 Mar '16, 05:00) sindy

Well, it doesn't work for me… I want a filter that spits all the NX and SERVFAIL responses but my filter doesn't work (02 Mar '16, 07:59) altdrugzgene

Can you post a capture file with examples of such two packets (NX and SERVFAIL, one per each type is enough, so you may use (02 Mar '16, 08:07) sindy

That (modified as appropriate) filter works for me as well. What version of Wireshark are you using? @altdrugzgene, is it possible to post a link to your capture, or at least a capture with one pdu from it that is the failure you want to locate? (02 Mar '16, 08:12) grahamb ♦
"another way of doing it" is to run tshark as a non-root; as you are reading the input from a file rather than capturing it, you definitely do not need the root privileges.
"a fix for this" will never come as fixes come for bugs, not for intentional safety measures. Wireshark/tshark intentionally disable Lua when running with root privileges, and they also intentionally spawn dumpcap as a separate process to run with root privileges and do only the capturing, so that they themselves could run without root privileges.
The thing is that I want a filter to see the NX responses and other SERVFAIL messages of DNS. I tried running this with a standard account and the filter didn't work.
Once again in a different thread.
If, on the same capture on which it does not work for you:
it works elsewhere, it is most likely some issue with your configuration or, less likely, installation.
it does not work elsewhere, it is most likely something about the packet which the dissector cannot handle.
To find out which investigation way to take, we need your capture. Without it, we cannot help you.
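An added example, not code posted by anyone in this thread: reading a saved capture needs only read access to the file, so the NXDOMAIN and SERVFAIL responses the question is after can be pulled out of a pcap from an ordinary account. The function and sample names are hypothetical, and the sketch assumes a classic pcap file with Ethernet framing and unfragmented IPv4/UDP DNS on port 53.

```python
import struct

RCODES = {2: "SERVFAIL", 3: "NXDOMAIN"}  # DNS header RCODE values of interest

def dns_failures(pcap: bytes):
    """Return [(packet_no, dns_id, rcode_name)] for responses with RCODE 2 or 3."""
    if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif pcap[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    hits, off, no = [], 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        no += 1
        # Keep only IPv4 (ethertype 0x0800) carrying UDP (protocol 17).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 20:  # 8-byte UDP header + 12-byte DNS header
            continue
        sport, dport = struct.unpack("!HH", udp[:4])
        if 53 not in (sport, dport):
            continue
        dns_id, flags = struct.unpack("!HH", udp[8:12])
        if flags & 0x8000 and (flags & 0x000F) in RCODES:  # QR bit set = response
            hits.append((no, dns_id, RCODES[flags & 0x000F]))
    return hits

def sample_pcap():
    """Constructed capture: a query, then NXDOMAIN, SERVFAIL and NOERROR responses."""
    def record(dns_id, flags, sport, dport):
        dns = struct.pack("!6H", dns_id, flags, 1, 0, 0, 0) + b"\x07example\x04test\x00\x00\x01\x00\x01"
        udp = struct.pack("!4H", sport, dport, 8 + len(dns), 0) + dns
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + udp
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
        return struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header + record(1, 0x0100, 40000, 53) + record(1, 0x8183, 53, 40000)
            + record(2, 0x8182, 53, 40000) + record(3, 0x8180, 53, 40000))

if __name__ == "__main__":
    print(dns_failures(sample_pcap()))
```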