facing problem in wireshark

rajavel · 03-13-2009, 02:48 AM

i am new to linux and i am using ubuntu..when i am trying to capture the packets in wireshark,the following error pop ups..pls help me to resolve the problem

Quote:

the capture session could not be initiated (socket: operation not permitted)
please check to make sure you have sufficient permissions

trist007 · 03-13-2009, 02:50 AM

you need root privs so

sudo wireshark

rajavel · 03-13-2009, 04:19 AM

thank u buddy...is there anyother tools available which is better than wireshark??? and also i am new to packet sniffing tools..so pls give me some tutorials regarding this..

w3bd3vil · 03-13-2009, 04:51 AM

Personally, nothing better than wireshark.
Some other tools that come to mind.
tcpdump
ettercap
dsniff
snoop

A few tuts on using wireshark

http://securitytube.net/Wireshark-Basics-(1)-video.aspx
http://securitytube.net/Wireshark-Basics-(2)-video.aspx

rajavel · 03-16-2009, 06:08 AM

thanks buddy..can we configure the wireshark so that we can find out the ip which is trying to access a blocked sites???

w3bd3vil · 03-16-2009, 02:34 PM

Not exactly, but you should be able to figure out using the filters in wireshark.

rajavel · 03-17-2009, 02:48 AM

can you be more explicit pls???? actually i want to trackdown the ips which are trying to access the blocked sites in lan..i know that we can block the sites using iptables so..

salasi · 03-17-2009, 06:43 PM

Quote:

Originally Posted by rajavel

can you be more explicit pls???? actually i want to trackdown the ips which are trying to access the blocked sites in lan..i know that we can block the sites using iptables so..

....so what?

The easy thing to work on is to capture data by source or destination addr. The trouble is, with most network architectures the destination is going to be something like a router on your network (the immediate destination) or a proxy server, rather than the ultimate destination.

In wireshark, you still have the information on the ultimate destination contained in the description of the packet. The trouble is, I don't quite see how you can filter on an encapsulated destination rather than an immediate destination. You can filter on a source or a destination, which may be a help, but it doesn't quite seem to be what you want.

If you know the protocol, you could filter to just that protocol, but if that is a protocol in frequent use, that might not help much. If you have tens of thousands of users, this might not be much help at all.

Two cautions; before you spend lots of time working out which IP address is the source for your problem, ensure that knowing the IP address will do what you want; if IPs are dynamically assigned, this may not be the case.

Second, be sure that whatever legal, ethical and contractual restrictions are in place are respected.

rajavel · 03-18-2009, 03:30 AM

now i am facing this problem

Quote:

swaws@swaws-desktop:~$ wireshark

(wireshark:8304): Gtk-WARNING **: cannot open display:
swaws@swaws-desktop:~$ sudo wireshark

(wireshark:8305): Gtk-WARNING **: cannot open display:
swaws@swaws-desktop:~$

how can i uvercome this???

rajavel · 03-18-2009, 03:37 AM

still i am facing the above problem...i cant able to open wireshark with command line..