Re: [Wireshark-dev] nflog in qt and gtk
Some updates on this. When running in Qt, 2 dumpcaps are created, one for stats and one for capture. When capturing on nflog, the child process requires the parent to be dead (its fds are released). I tried to implement a solution that, in case the interface starts with nf, tries again up to 10 times. It works on my machine. I noticed that the first try fails, while the second succeeds.

You can find the change here: https://code.wireshark.org/review/#/c/6796/

Comments welcome.
Dario.

On Fri, Jan 23, 2015 at 2:11 PM, Dario Lombardo <dario.lombardo...@gmail.com> wrote:
> Hi Peter
> I opened a bug on bugzilla for that: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10886
> and I tried to figure out how the solution can be implemented. You can find my WIP here: https://code.wireshark.org/review/6757
> If you or someone else want to work on it, you're welcome.
> Dario.
>
> On Tue, Dec 23, 2014 at 11:15 AM, Dario Lombardo <dario.lombardo...@gmail.com> wrote:
>>> Kill statistics before starting the capture? Sounds fine to me, though I am not sure whether it has other side-effects. The Capture - Options dialog is another place where these stats are visible.
>>
>> What about filing a bug? Do you think it would be useful? Or is there anyone taking care of it?

___
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] nflog in qt and gtk
Hi Peter
I opened a bug on bugzilla for that: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10886
and I tried to figure out how the solution can be implemented. You can find my WIP here: https://code.wireshark.org/review/6757
If you or someone else want to work on it, you're welcome.
Dario.

On Tue, Dec 23, 2014 at 11:15 AM, Dario Lombardo <dario.lombardo...@gmail.com> wrote:
>> Kill statistics before starting the capture? Sounds fine to me, though I am not sure whether it has other side-effects. The Capture - Options dialog is another place where these stats are visible.
>
> What about filing a bug? Do you think it would be useful? Or is there anyone taking care of it?
Re: [Wireshark-dev] nflog in qt and gtk
> Kill statistics before starting the capture? Sounds fine to me, though I am not sure whether it has other side-effects. The Capture - Options dialog is another place where these stats are visible.

What about filing a bug? Do you think it would be useful? Or is there anyone taking care of it?
Re: [Wireshark-dev] nflog in qt and gtk
On Thu, Dec 18, 2014 at 4:29 PM, Peter Wu <pe...@lekensteyn.nl> wrote:
> You should not run Wireshark with sudo, instead set the appropriate privileges on the dumpcap binary as described at http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

Generally speaking, you are right, and it's what I do with my stable wireshark. But with my development version, the setcapped binary is overwritten every time I recompile. So I use the master compiled version with sudo.

>> What did I do wrong?
>
> I have spent some minutes debugging it and it turns out that you cannot have two open sockets for NFLOG. Reproducer:
>
>     $ dumpcap -i nflog -w /dev/null
>     Capturing on 'nflog'
>     File: /dev/null
>
> (in a different shell)
>
>     $ dumpcap -i nflog -w /dev/null
>     Capturing on 'nflog'
>     dumpcap: The capture session could not be initiated on interface 'nflog' (Can't listen on group group index: Operation not permitted).
>     Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
>
> The difference between GTK and Qt is that Qt additionally executes `dumpcap -S -Z none` which seems to open a socket for each available interface to collect stats.
>
> At this point I stopped debugging, hope it helps.

If I've got the point, wireshark Qt is not expected to work with nflog, right? If stats can't be stopped, it won't work.
Re: [Wireshark-dev] nflog in qt and gtk
On Friday 19 December 2014 11:08:01 Dario Lombardo wrote:
> On Thu, Dec 18, 2014 at 4:29 PM, Peter Wu <pe...@lekensteyn.nl> wrote:
>> You should not run Wireshark with sudo, instead set the appropriate privileges on the dumpcap binary as described at http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
>
> Generally speaking, you are right, and it's what I do with my stable wireshark. But with my development version, the setcapped binary is overwritten every time I recompile. So I use the master compiled version with sudo.

If I need to perform a capture, I just overwrite dumpcap with:

    ln -sfv /usr/bin/dumpcap /tmp/wsbuild/run/

It looks like you can also avoid overwriting this file/symlink by disabling dumpcap building:

    cmake -DBUILD_dumpcap=0 ...

>>> What did I do wrong?
>>
>> I have spent some minutes debugging it and it turns out that you cannot have two open sockets for NFLOG. Reproducer:
>>
>>     $ dumpcap -i nflog -w /dev/null
>>     Capturing on 'nflog'
>>     File: /dev/null
>>
>> (in a different shell)
>>
>>     $ dumpcap -i nflog -w /dev/null
>>     Capturing on 'nflog'
>>     dumpcap: The capture session could not be initiated on interface 'nflog' (Can't listen on group group index: Operation not permitted).
>>     Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
>>
>> The difference between GTK and Qt is that Qt additionally executes `dumpcap -S -Z none` which seems to open a socket for each available interface to collect stats.
>>
>> At this point I stopped debugging, hope it helps.
>
> If I've got the point, wireshark Qt is not expected to work with nflog, right? If stats can't be stopped, it won't work.

Nope, it won't work at the moment. The problem is that NFLOG can only be opened by one user, which is a kernel limitation.
From net/netfilter/nfnetlink_log.c:

    inst = instance_lookup_get(log, group_num);
    if (inst && inst->peer_portid != NETLINK_CB(skb).portid) {
        ret = -EPERM;
        goto out_put;
    }

-- 
Kind regards,
Peter
https://lekensteyn.nl
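The kernel check Peter quotes above, and the two-dumpcap situation Dario describes in his latest message (one `dumpcap -S -Z none` for stats plus one for the capture), can be reproduced without Wireshark by binding two raw netfilter netlink sockets to the same NFLOG group. This is an added example, not code from the thread, from Wireshark or from libpcap: the constants are the values from the Linux UAPI headers, group 0 is assumed to be what libpcap's plain "nflog" device binds, and the socket part needs CAP_NET_ADMIN on a Linux host with nfnetlink_log available (the encoder and ack parser run anywhere).

```python
import os
import socket
import struct

NETLINK_NETFILTER = 12                  # linux/netlink.h
NFNL_SUBSYS_ULOG = 4                    # linux/netfilter/nfnetlink.h
NFULNL_MSG_CONFIG = 1                   # linux/netfilter/nfnetlink_log.h
NFULA_CFG_CMD, NFULNL_CFG_CMD_BIND = 1, 1
NLM_F_REQUEST, NLM_F_ACK, NLMSG_ERROR = 0x1, 0x4, 0x2

def build_bind_request(group, seq):
    """nlmsghdr + nfgenmsg + nlattr(NFULA_CFG_CMD=BIND): bind the caller to NFLOG `group`."""
    body = struct.pack("=BB", socket.AF_UNSPEC, 0) + struct.pack("!H", group)  # nfgenmsg, res_id = group
    body += struct.pack("=HHB3x", 5, NFULA_CFG_CMD, NFULNL_CFG_CMD_BIND)        # nla_len 5, padded to 8
    hdr = struct.pack("=IHHII", 16 + len(body), (NFNL_SUBSYS_ULOG << 8) | NFULNL_MSG_CONFIG,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + body

def describe_request(msg):
    """Decode the wire layout produced above (used to check the encoder)."""
    length, msg_type, flags, seq, _pid = struct.unpack_from("=IHHII", msg, 0)
    (group,) = struct.unpack_from("!H", msg, 18)
    _alen, atype, cmd = struct.unpack_from("=HHB", msg, 20)
    return dict(length=length, subsys=msg_type >> 8, msgtype=msg_type & 0xff,
                flags=flags, seq=seq, group=group, attr=atype, cmd=cmd)

def build_ack(error, seq=1):
    """What the kernel answers: struct nlmsgerr {error (0 or -errno); echoed nlmsghdr}."""
    return struct.pack("=IHHIIi", 36, NLMSG_ERROR, 0, seq, 0, error) + bytes(16)

def ack_errno(reply):
    """Positive errno from an ack; EPERM means another portid already owns the group."""
    _len, msg_type = struct.unpack_from("=IH", reply, 0)
    if msg_type != NLMSG_ERROR:
        raise ValueError("unexpected netlink message type %#x" % msg_type)
    (error,) = struct.unpack_from("=i", reply, 16)
    return -error

def bind_group(group, seq=1):
    """Open a fresh NETLINK_NETFILTER socket (its own portid) and bind it to `group`."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER)
    sock.bind((0, 0))                                    # kernel assigns a unique portid
    sock.send(build_bind_request(group, seq))
    return sock, ack_errno(sock.recv(4096))

if __name__ == "__main__":        # needs CAP_NET_ADMIN and nfnetlink_log loaded, like dumpcap itself
    first, err1 = bind_group(0)   # group 0 is assumed to be what libpcap's plain "nflog" device binds
    second, err2 = bind_group(0)  # second socket, second portid: EPERM while `first` stays open
    print("first bind :", os.strerror(err1) if err1 else "OK")
    print("second bind:", os.strerror(err2) if err2 else "OK")
```

Closing `first` before the second bind makes the second one succeed, which is the ordering Dario's retry relies on: the stats dumpcap has to have released its socket before the capture dumpcap binds the group.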
Re: [Wireshark-dev] nflog in qt and gtk
On Friday 19 December 2014 11:55:47 Dario Lombardo wrote:
> On Fri, Dec 19, 2014 at 11:44 AM, Peter Wu <pe...@lekensteyn.nl> wrote:
>> Nope, it won't work at the moment. The problem is that NFLOG can only be opened by one user, which is a kernel limitation.
>> From net/netfilter/nfnetlink_log.c:
>>
>>     inst = instance_lookup_get(log, group_num);
>>     if (inst && inst->peer_portid != NETLINK_CB(skb).portid) {
>>         ret = -EPERM;
>>         goto out_put;
>>     }
>
> When wireshark-qt waits in the main screen, it shows a graph for each interface. Is it generated by dumpcap -S -Z none? When capture starts, those graphs are not shown anymore. Wouldn't it be a solution to kill dumpcap -S -Z none when in capture and re-run it again when in home screen?

Kill statistics before starting the capture? Sounds fine to me, though I am not sure whether it has other side-effects. The Capture - Options dialog is another place where these stats are visible.

-- 
Kind regards,
Peter
https://lekensteyn.nl
Re: [Wireshark-dev] nflog in qt and gtk
On Fri, Dec 19, 2014 at 12:35 PM, Peter Wu <pe...@lekensteyn.nl> wrote:
> The Capture - Options dialog is another place where these stats are visible.

Is it visible during capture?
Re: [Wireshark-dev] nflog in qt and gtk
On Friday 19 December 2014 17:07:20 Dario Lombardo wrote:
> On Fri, Dec 19, 2014 at 12:35 PM, Peter Wu <pe...@lekensteyn.nl> wrote:
>> The Capture - Options dialog is another place where these stats are visible.
>
> Is it visible during capture?

No, it is not visible during capture. The options menu item is also disabled when a capture is active.

-- 
Kind regards,
Peter
https://lekensteyn.nl