LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 12-01-2016, 05:33 PM   #1
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Rep: Reputation: 78
Is there some way to get dumpcap without installing wireshark on ubuntu server?


So I was hoping to do some analysis of network activity on a virtual machine running Ubuntu 16 server. I've got Wireshark on my workstation to do the analysis but need to capture the packets on the VM. Wireshark uses dumpcap.

I've searched the Ubuntu system for dumpcap but apt-cache search finds nothing. I can install wireshark but great googly moogly does it install a lot of stuff:
Code:
$ sudo apt-get install wireshark
[sudo] password for sneakyimp: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.4.0-31 linux-headers-4.4.0-31-generic linux-image-4.4.0-31-generic
  linux-image-extra-4.4.0-31-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  geoip-database-extra gstreamer1.0-plugins-base javascript-common libauthen-sasl-perl libc-ares2
  libcdparanoia0 libegl1-mesa libencode-locale-perl libevdev2 libfile-basedir-perl
  libfile-desktopentry-perl libfile-listing-perl libfile-mimeinfo-perl libfont-afm-perl libfontenc1
  libgbm1 libgraphite2-3 libgstreamer-plugins-base1.0-0 libgstreamer1.0-0 libgudev-1.0-0 libharfbuzz0b
  libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl
  libinput10 libio-html-perl libio-socket-ssl-perl libipc-system-simple-perl libjs-openlayers
  liblua5.2-0 liblwp-mediatypes-perl liblwp-protocol-https-perl libmailtools-perl libmtdev1
  libnet-dbus-perl libnet-http-perl libnet-smtp-ssl-perl libnet-ssleay-perl libnl-route-3-200 libopus0
  liborc-0.4-0 libpcre16-3 libproxy1v5 libqgsttools-p1 libqt5core5a libqt5dbus5 libqt5gui5
  libqt5multimedia5 libqt5multimedia5-plugins libqt5multimediawidgets5 libqt5network5 libqt5opengl5
  libqt5printsupport5 libqt5svg5 libqt5widgets5 libsbc1 libsmi2ldbl libtheora0 libtie-ixhash-perl
  libtimedate-perl liburi-perl libvisual-0.4-0 libwacom-bin libwacom-common libwacom2 libwayland-client0
  libwayland-server0 libwireshark-data libwireshark6 libwiretap5 libwsutil6 libwww-perl
  libwww-robotrules-perl libx11-protocol-perl libxaw7 libxcb-icccm4 libxcb-image0 libxcb-keysyms1
  libxcb-randr0 libxcb-render-util0 libxcb-render0 libxcb-shape0 libxcb-shm0 libxcb-util1 libxcb-xfixes0
  libxcb-xkb1 libxcomposite1 libxft2 libxkbcommon-x11-0 libxkbcommon0 libxml-parser-perl
  libxml-twig-perl libxml-xpathengine-perl libxpm4 libxrandr2 libxtst6 libxv1 libxxf86dga1
  qttranslations5-l10n wireshark-common wireshark-qt x11-utils x11-xserver-utils xdg-utils
Suggested packages:
  gvfs libdigest-hmac-perl libgssapi-perl libvisual-0.4-plugins gstreamer1.0-tools libdata-dump-perl
  libcrypt-ssleay-perl opus-tools libthai0 libqt5libqgtk2 qt5-image-formats-plugins qtwayland5
  snmp-mibs-downloader wireshark-doc libauthen-ntlm-perl libunicode-map8-perl libunicode-string-perl
  xml-twig-tools mesa-utils nickle cairo-5c xorg-docs-core gvfs-bin
The following NEW packages will be installed:
  geoip-database-extra gstreamer1.0-plugins-base javascript-common libauthen-sasl-perl libc-ares2
  libcdparanoia0 libegl1-mesa libencode-locale-perl libevdev2 libfile-basedir-perl
  libfile-desktopentry-perl libfile-listing-perl libfile-mimeinfo-perl libfont-afm-perl libfontenc1
  libgbm1 libgraphite2-3 libgstreamer-plugins-base1.0-0 libgstreamer1.0-0 libgudev-1.0-0 libharfbuzz0b
  libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl
  libinput10 libio-html-perl libio-socket-ssl-perl libipc-system-simple-perl libjs-openlayers
  liblua5.2-0 liblwp-mediatypes-perl liblwp-protocol-https-perl libmailtools-perl libmtdev1
  libnet-dbus-perl libnet-http-perl libnet-smtp-ssl-perl libnet-ssleay-perl libnl-route-3-200 libopus0
  liborc-0.4-0 libpcre16-3 libproxy1v5 libqgsttools-p1 libqt5core5a libqt5dbus5 libqt5gui5
  libqt5multimedia5 libqt5multimedia5-plugins libqt5multimediawidgets5 libqt5network5 libqt5opengl5
  libqt5printsupport5 libqt5svg5 libqt5widgets5 libsbc1 libsmi2ldbl libtheora0 libtie-ixhash-perl
  libtimedate-perl liburi-perl libvisual-0.4-0 libwacom-bin libwacom-common libwacom2 libwayland-client0
  libwayland-server0 libwireshark-data libwireshark6 libwiretap5 libwsutil6 libwww-perl
  libwww-robotrules-perl libx11-protocol-perl libxaw7 libxcb-icccm4 libxcb-image0 libxcb-keysyms1
  libxcb-randr0 libxcb-render-util0 libxcb-render0 libxcb-shape0 libxcb-shm0 libxcb-util1 libxcb-xfixes0
  libxcb-xkb1 libxcomposite1 libxft2 libxkbcommon-x11-0 libxkbcommon0 libxml-parser-perl
  libxml-twig-perl libxml-xpathengine-perl libxpm4 libxrandr2 libxtst6 libxv1 libxxf86dga1
  qttranslations5-l10n wireshark wireshark-common wireshark-qt x11-utils x11-xserver-utils xdg-utils
0 upgraded, 112 newly installed, 0 to remove and 2 not upgraded.
Need to get 44.9 MB of archives.
After this operation, 188 MB of additional disk space will be used.
Is there some way to easily get a wireshark-readable packet dump from a VM without installing this avalanche of stuff?

Last edited by sneakyimp; 12-01-2016 at 05:56 PM.
 
Old 12-01-2016, 05:56 PM   #2
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
The wireshark docs 5.2.2 look interesting:
Code:
* pcapng. A flexible, extensible successor to the libpcap format. Wireshark 1.8 and later save files as pcapng by default. Versions prior to 1.8 used libpcap.
* libpcap. The default format used by the libpcap packet capture library. Used by tcpdump, Snort, Nmap, Ntop, and many other tools.
* Oracle (previously Sun) snoop and atmsnoop
The ubuntu repo has some promising-looking options.
pcap:
Code:
$ apt-cache search pcap | grep "^pcap"
pcapfix - repairs broken pcap and pcapng files
pcaputils - specialized libpcap utilities
libcap:
Code:
$ apt-cache search libcap | grep "^libcap"
libcap-dev - POSIX 1003.1e capabilities (development)
libcap-ng-dev - Development and header files for libcap-ng
libcap-ng0 - An alternate POSIX capabilities library
libcap2 - POSIX 1003.1e capabilities (library)
libcap2-bin - POSIX 1003.1e capabilities (utilities)
libcap2-dbg - POSIX 1003.1e capabilities (debug)
libcap-ng-utils - Utilities for analysing and setting file capabilities
libcapi20-3 - ISDN utilities - CAPI support libraries
libcapi20-dev - ISDN utilities - CAPI development libraries
libcapnp-0.5.3 - Cap'n Proto C++ library
libcapnp-dev - Cap'n Proto C++ library (development files)
libcapstone-dev - lightweight multi-architecture disassembly framework - devel files
libcapstone3 - lightweight multi-architecture disassembly framework - library
libcaptcha-recaptcha-perl - perl implementation of the reCAPTCHA API
libcapture-tiny-perl - module to capture STDOUT and STDERR
Can anyone comment on these?
 
Old 12-01-2016, 06:31 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by sneakyimp View Post
Is there some way to easily get a wireshark-readable packet dump from a VM without installing this avalanche of stuff?
Have a look at tcpdump.
 
Old 12-01-2016, 06:52 PM   #4
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Thank you!
Quote:
Originally Posted by Habitual View Post
Have a look at tcpdump.
That looks promising. The wireshark docs have a useful tip.
 
Old 12-01-2016, 06:57 PM   #5
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Aha... there's also tshark, which is apparently a terminal-based version of wireshark. Its install looks much less intrusive than wireshark:
Code:
$ sudo apt-get install tshark
[sudo] password for sneakyimp: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.4.0-31 linux-headers-4.4.0-31-generic linux-image-4.4.0-31-generic
  linux-image-extra-4.4.0-31-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  geoip-database-extra javascript-common libc-ares2 libjs-openlayers liblua5.2-0 libsmi2ldbl
  libwireshark-data libwireshark6 libwiretap5 libwsutil6 wireshark-common
Suggested packages:
  snmp-mibs-downloader wireshark-doc
The following NEW packages will be installed:
  geoip-database-extra javascript-common libc-ares2 libjs-openlayers liblua5.2-0 libsmi2ldbl
  libwireshark-data libwireshark6 libwiretap5 libwsutil6 tshark wireshark-common
0 upgraded, 12 newly installed, 0 to remove and 2 not upgraded.
Need to get 24.8 MB of archives.
After this operation, 105 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
EDIT: tshark installs dumpcap!

Last edited by sneakyimp; 12-01-2016 at 06:59 PM.
 
Old 12-01-2016, 07:49 PM   #6
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
For anyone who wants to know how to get dumpcap installed on a server (e.g., ubuntu-server with no GUI), do this:

1) install tshark
Code:
sudo apt-get install tshark
2) add your current user to the wireshark group so you have permission to execute dumpcap
Code:
sudo adduser $USER wireshark
3) Log out of the terminal or reboot the machine, then log back in. You must do this for your membership in the wireshark group to take effect.

4) you can check the available network interfaces with
Code:
dumpcap -D
5) Pick the number of the interface you want and you can start your dump capture with this command:
Code:
dumpcap -i 1 -w ~/output-file
The command will run until you hit ctrl-C to stop it.

See man pages for dumpcap for more information and options.
 
Old 12-02-2016, 06:17 AM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
If I can get the j.o.b. done with fewer tools, I'm all ears.

But wireshark requires a gui and you're processing on a local workstation.
Fewer deps with dumpcap?

tshark on Ubuntu 14.04.5 LTS shows wireshark-common as a dep.
wireshark install has a boatload of other stuff you don't need to install IMO.
libpcap seems to be the common denominator in these packages.

tcpdump is a good solid base or "standard" if I may say so.
A wireshark "user" on a headless-server for this task is unnecessary, IMO.
</opinion>
But I don't use wireshark on servers.

I'm gonna kick back and let some others chime in.
Maybe I missed something.

Peace.

Last edited by Habitual; 12-02-2016 at 06:19 AM.
 
Old 12-02-2016, 12:15 PM   #8
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Thanks for your input!

Quote:
Originally Posted by Habitual View Post
But wireshark requires a gui and you're processing on a local workstation.
Fewer deps with dumpcap?
tshark doesn't require a gui. It has docs which describe how you can analyze a dump file via terminal commands.

Quote:
Originally Posted by Habitual
tcpdump is a good solid base or "standard" if I may say so.
I was prepared to use tcpdump, but I'll be using a wireshark GUI (on a separate machine) to analyze the dump files and the WS docs say that the default file format is slightly newer. This is why I've chosen to go with tshark.

Quote:
Originally Posted by Habitual
A wireshark "user" on a headless-server for this task is unnecessary, IMO.
</opinion>
But I don't use wireshark on servers.
Strictly speaking, this 'server' is not really a server but just a VM for monitoring installation actions for some security analysis. It would be impractical to run WS or dumpcap on any production server. The files would be enormous!
 
Old 12-05-2016, 11:45 AM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
I've always used tcpdump and wireshark has never had a problem importing them.
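An added example, not posted by anyone in this thread: a small Python check that tells a classic pcap file (what tcpdump writes) from a pcapng file (what dumpcap/tshark and Wireshark 1.8+ write by default, as discussed in posts #2 and #8) by the magic bytes at the start of the file, so you know which format you are about to copy to the analysis workstation. The sample headers are constructed inline, not taken from real captures.

```python
import struct

# Magic values from the libpcap file format and the pcapng specification.
PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap header, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"  # Section Header Block type (palindromic)
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D


def identify_capture(header: bytes) -> dict:
    """Classify the first 24 bytes of a capture file as pcap, pcapng or unknown.

    For pcap, also report byte order, timestamp resolution, snaplen and link type;
    for pcapng, report byte order and the section version.
    """
    if len(header) < 24:
        return {"format": "unknown", "reason": "need at least 24 bytes"}
    if header[:4] == PCAPNG_SHB_TYPE:
        # The block type reads the same in either byte order, so the
        # byte-order magic at offset 8 decides the section's endianness.
        for endian, prefix in (("little", "<"), ("big", ">")):
            bom, major, minor = struct.unpack(prefix + "IHH", header[8:16])
            if bom == PCAPNG_BYTE_ORDER_MAGIC:
                return {"format": "pcapng", "endian": endian, "version": (major, minor)}
        return {"format": "unknown", "reason": "SHB with bad byte-order magic"}
    for endian, prefix in (("little", "<"), ("big", ">")):
        magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
            prefix + "IHHiIII", header[:24])
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return {"format": "pcap", "endian": endian,
                    "version": (major, minor),
                    "ts_resolution": "ns" if magic == PCAP_MAGIC_NSEC else "us",
                    "snaplen": snaplen, "linktype": linktype}
    return {"format": "unknown", "reason": "no known magic"}


# Constructed sample headers (not real captures): a little-endian classic
# pcap 2.4 header as tcpdump writes on x86 (linktype 1 = Ethernet, snaplen
# 262144), and a minimal 28-byte pcapng Section Header Block with no options.
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 262144, 1)
SAMPLE_PCAPNG = (PCAPNG_SHB_TYPE
                 + struct.pack("<IIHHq", 28, PCAPNG_BYTE_ORDER_MAGIC, 1, 0, -1)
                 + struct.pack("<I", 28))

if __name__ == "__main__":
    for name, hdr in (("pcap", SAMPLE_PCAP), ("pcapng", SAMPLE_PCAPNG)):
        print(name, identify_capture(hdr))
```

To check a real file, read its first 24 bytes (`open(path, "rb").read(24)`) and pass them to `identify_capture`.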
 