This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireless interface isn’t shown in Wireshark

I'm trying to capture on my laptop (Linux) packets, that goes through the wireless card. Wireshark shoes only the capture interfaces: bluetooth0, randpkt and udpdump. wlan0 isn't shown.

I used this and it worked. But is there a way that mon0 (or wlan0) will appear in Wireshark and I can use it normally and not having to do the "sudo tcpdump..." and then "wireshark -nr..." any time I want to capture?

wireless interface wireshark

asked 01 Sep '17, 09:44

sharp_pilot
11●1●1●4
accept rate: 0%

1) What happens if you run tcpdump on mon0/wlan0 without sudo?

2) What Linux distribution is this?

(01 Sep '17, 14:27) Guy Harris ♦♦

1) tcpdump: mon0: You don't have permission to capture on that device (socket: Operation not permitted)

2) Mint

I tried sudo wireshark and it showing me all the interfaces that way, but is it safe to use it with root privileges?

I tried this:

https://askubuntu.com/questions/74059/how-do-i-run-wireshark-with-root-privileges

but it isn't helping the tcpdump nor the wireshark to show all interfaces.

(01 Sep '17, 23:08) sharp_pilot

(I installed wireshark by building the source and not via apt-get. So is sudo dpkg-reconfigure wireshark-common the way to activate that or should I do something else?)

(02 Sep '17, 22:46) sharp_pilot

I did this: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges

And when I run /usr/bin/dumpcap -D it shows me all interfaces. great.

But when I do dumpcap -D it shows me only 1. bluetooth0.

And when I call wireshark it again doesn't show me all interfaces.

Any Idea how to make wireshark show all interfaces now?

(02 Sep '17, 23:07) sharp_pilot

One Answer:

I installed wireshark by building the source

If you built using the configure script, you need to run the configure script with --enable-setcap-install - and you may have to install it with make install, and that may require that you install it with sudo make install. Then run the installed version, not the version in your build tree. That should make dumpcap run with the right privileges.

If you build using CMake, you need to run CMake with -DENABLE_CAP=ON, and you might again have to install.

answered 02 Sep '17, 23:39

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

When I run stat /usr/local/bin/wireshark I see:

Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)

So it just installed it as root? And it run it has root now when I call wireshark?

How should I restrict that?

(03 Sep '17, 03:46) sharp_pilot

So it just installed it as root?

Yes.

And it run it has root now when I call wireshark?

No. Running a program whose executable image file is owned by root does not cause the program to run as root. Try running stat on, for example, /bin/sh or /bin/cat. That happens only if the executable image file has the set-UID bit set; if that were the case, stat would report -rwsr-x-rx - note the "s".

Wireshark isn't what needs elevated privileges to capture on Linux; dumpcap is. And --enable-setcap-install shouldn't cause dumpcap's executable image file to be set-UID root, it should just cause it to have the cap_net_admin and cap_net_raw capabilities, so that the process running dumpcap has the CAP_NET_ADMIN and CAP_NET_RAW capabilities. The file capabilities are set with the setcap command; you can see what capabilities a file has by using the getcap command.

(03 Sep '17, 11:23) Guy Harris ♦♦