Wireshark  is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.



Wireshark is cross-platform, using the GTK+ widget toolkit in current releases, and Qt in the development version, to implement its user interface, and using pcap to capture packets; it runs on GNU/Linux, OS X, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.



Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface’s configured addresses and broadcast/multicast traffic.



In Kali Linux or any other Linux distribution after installing wireshark it will not detect ethernet interface and its need root privileges to control ethernet interfaces and  many  network engineers become dismayed the first time they run Wireshark on a Linux machine and find that they don’t have access to any network interfaces. This is because, by default, raw access to network interfaces (e.g. eth0) requires root privileges. Unfortunately, this often prompts people to simply run Wireshark as root a bad idea.



Those who using wireshark for the first time with non root user. they will get an following error.



Screenshot from 2014-06-03 05:22:41



Due to the complexity and sheer number of its many protocol dissectors, Wireshark is inherently vulnerable to malformed traffic (accidental or otherwise), which may result in denial of service conditions or possibly arbitrary code execution.



The lead developer of Wireshark, Gerald Combs, points out some that Linux distributions are beginning to implement Linux filesystem capabilities for raw network access. In this article, we’ll walk through putting this idea into practice on an Kali Linux machine.




Filesystem Capabilities:


For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is non-zero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process’s credentials (usually: effective UID, effective GID, and supplementary group list).


Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.




For sniffing, we’re interested in two specifically:


CAP_NET_ADMIN – Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).


CAP_NET_RAW – Permit use of RAW and PACKET sockets.


CAP_NET_ADMIN -allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire.



These capabilities are assigned using the setcap utility.



First, we’ll need to install the setcap executable if it hasn’t been already. We’ll use this to set granular capabilities on Wireshark’s dumpcap executable. setcap is part of the libcap2-bin package.




#apt-get install libcap2-bin



Screenshot from 2014-06-03 05:19:40





Create a Wireshark Group


Since the application we’ll be granting heightened capabilities can by default be executed by all users, you may wish to add a designated group for the Wireshark family of utilities (and similar applications) and restrict their execution to users within that group. However, this step isn’t strictly necessary.


#groupadd wireshark

#usermod -a -G wireshark sathish


Screenshot from 2014-06-03 05:20:49





After adding yourself to the group, your normal user may have to log out and back in



We assign the dumpcap executable to this group instead of Wireshark itself, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 ensures only users belonging to its group can execute the file.


#chgrp wireshark /usr/bin/dumpcap

#chmod 750 /usr/bin/dumpcap



Screenshot from 2014-06-03 05:21:57




Granting capabilities with setcap is a simple matter:


#setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap


In case you’re wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted bitmaps, respectively.



Screenshot from 2014-06-03 05:23:22





To verify our change, we can use getcap:



#getcap /usr/bin/dumpcap



Screenshot from 2014-06-03 05:23:40



Now, as the user who we added to the wireshark group and execute Wireshark. You should now see the full list of available adapters and can begin sniffing.



Screenshot from 2014-06-03 05:29:18