This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filtering NX responses from a pcap file


I am using the following command:

 tshark -r whatever -T fields -e dns.qry.name -e dns.flags.rcode -Y "dns.qry.name contains drush and dns.flags.response eq 1 and dns.flags.rcode != 0"

for retrieving the SERVFAILures and the NX responses but it complains with:

 tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.

I also tried running this command from a non-privileged account (not root) against a pcap file that had NX responses but nothing was returned...

Is there another way of doing it or a fix for this?

Thanks

asked 02 Mar '16, 02:53

altdrugzgene

edited 02 Mar '16, 04:37

  • "another way of doing it" is to run tshark as a non-root; as you are reading the input from a file rather than capturing it, you definitely do not need the root privileges.

  • "a fix for this" will never come as fixes come for bugs, not for intentional safety measures. Wireshark/tshark intentionally disable Lua when running with root privileges, and they also intentionally spawn dumpcap as a separate process to run with root privileges and do only the capturing, so that they themselves could run without root privileges.

(02 Mar '16, 04:42) sindy

The thing is that I want a filter to see the NX responses and other SERVFAIL messages of DNS. I tried running this with a standard account and the filter didn't work.

(02 Mar '16, 08:15) altdrugzgene

Once again in a different thread.

If, on the same capture on which it does not work for you:

  • it works elsewhere, it is most likely some issue with your configuration or, less likely, installation.

  • it does not work elsewhere, it is most likely something about the packet which the dissector cannot handle.

To find out which investigation way to take, we need your capture. Without it, we cannot help you.

(02 Mar '16, 08:27) sindy

One Answer:


Have you followed the link in the "complaint"? It's telling you to really, really abstain from running tshark as root. The link shows how to configure your system so that you can capture without running tshark (or wireshark) as root.

answered 02 Mar '16, 03:30

grahamb ♦

My question is not clear, I think. Is the Lua scripting language NOT working if you execute Wireshark as root?

(02 Mar '16, 03:37) altdrugzgene

Yes it is disabled.

(02 Mar '16, 03:50) grahamb ♦

However, it doesn't work even when I'm running it from an unprivileged account.

(02 Mar '16, 04:47) altdrugzgene

OK, so it was really unclear that Lua is not your primary problem.

Can you provide a capture where it fails for you? I've just randomly taken a capture and used your filter with a modified search string and it worked for me the following way (a little bit of manual obfuscation on the real fqdn done):

 C:\Users\me>"c:\Program Files\Wireshark\tshark.exe" -r "c:\Users\me\Downloads\random.pcapng" -Y "dns.qry.name contains searchstring and dns.flags.response eq 1 and dns.flags.rcode != 0" -T fields -e dns.qry.name -e dns.flags.rcode

 my.searchstring.org 3

(02 Mar '16, 05:00) sindy
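As an added illustration of what that display filter actually selects (this is not code from the thread or from Wireshark), the following pure-Python snippet applies the same three conditions, response flag set, RCODE non-zero, query name containing the search string, to a few DNS messages constructed inline; `build_message`, `failing_responses` and the `*.drush.example` names are assumptions made for the example.

```python
import struct

RCODE_NAMES = {2: "SERVFAIL", 3: "NXDOMAIN"}  # the two codes the thread is after

def build_message(qname, rcode, response=True):
    """Constructed sample: minimal DNS header plus one question (A/IN)."""
    flags = (0x8000 if response else 0) | (rcode & 0xF)   # QR bit, RCODE low 4 bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(msg, offset):
    """Read an uncompressed QNAME starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointer: valid in answers, not expected here
            raise ValueError("unexpected compression pointer in QNAME")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_dns(msg):
    """Return (is_response, rcode, qname), i.e. the three fields the filter uses."""
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    is_response = bool(flags & 0x8000)      # dns.flags.response
    rcode = flags & 0x000F                  # dns.flags.rcode
    qname = parse_qname(msg, 12)[0] if qdcount else ""   # dns.qry.name
    return is_response, rcode, qname

def failing_responses(messages, needle):
    """Same selection as: dns.qry.name contains <needle> and
    dns.flags.response eq 1 and dns.flags.rcode != 0 ("contains" is a
    case-sensitive substring match, as in Wireshark)."""
    hits = []
    for msg in messages:
        is_response, rcode, qname = parse_dns(msg)
        if is_response and rcode != 0 and needle in qname:
            hits.append((qname, rcode, RCODE_NAMES.get(rcode, str(rcode))))
    return hits

SAMPLE = [  # constructed traffic, not from any real capture
    build_message("www.drush.example", 3),                 # NXDOMAIN: selected
    build_message("api.drush.example", 2),                 # SERVFAIL: selected
    build_message("www.drush.example", 0),                 # NOERROR: dropped
    build_message("www.other.example", 3),                 # name mismatch: dropped
    build_message("www.drush.example", 0, response=False), # the query itself: dropped
]

if __name__ == "__main__":
    for qname, rcode, name in failing_responses(SAMPLE, "drush"):
        print(f"{qname}\t{rcode}\t{name}")
```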

Well, it doesn't work for me… I want a filter that spits out all the NX and SERVFAIL responses, but my filter doesn't work.

(02 Mar '16, 07:59) altdrugzgene

Can you post a capture file with examples of such two packets (NX and SERVFAIL, one of each type is enough, so you may use File->Export Specified Packets if you don't want to disclose too much information) somewhere and edit your original question with a link to it? That should answer whether it is a generic issue (meaning: a bug worth reporting) or something about your installation.

(02 Mar '16, 08:07) sindy

That (modified as appropriate) filter works for me as well. What version of Wireshark are you using?

@altdrugzgene, is it possible to post a link to your capture, or at least a capture with one pdu from it that is the failure you want to locate?

(02 Mar '16, 08:12) grahamb ♦