Wireshark-bugs: [Wireshark-bugs] [Bug 2288] Selecting multiple files with any options creates an

Date: Thu, 21 Feb 2008 18:57:14 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2288





--- Comment #5 from Bill Meier <wmeier@xxxxxxxxxxx>  2008-02-21 18:57:11 GMT ---
OK: digging further into this I've determined the following so far (having run
out of any more time today for further digging):

Summary
-------
1. perror() output from a child dumpcap seems to cause tshark (and wireshark ?)
   to ignore the output (and following output ?)

2. In my Fedora 8 environment, cap_set_proc() in dumpcap seems to have some
   problem (which causes a perror()).

Details
-------
1. My env: Fedora 8

2. Wireshark: latest SVN installed to /usr/local/bin

  [wsh-svn]$ ls -l /usr/local/bin/tshark /usr/local/bin/dumpcap
  -rwxr-xr-x 1 root root 118431 2008-02-19 17:27 /usr/local/bin/dumpcap
  -rwxr-xr-x 1 root root 672048 2008-02-19 17:27 /usr/local/bin/tshark

  ##Note that I've removed suid on dumpcap.

  ## dumpcap
  [wsh-svn]$ /usr/local/bin/dumpcap -i foo -w foo.pcap
  capset(): Operation not permitted
  The capture session could not be initiated (socket: Operation not permitted).
  Please check to make sure you have sufficient permissions, and that you have
  the proper interface or pipe specified.

    ##Note: "Capset(): Operation not permitted" above comes from a
    ##       perror() in dumpcap

  ## tshark
  [wsh-svn]$ /usr/local/bin/tshark -i foo -w foo.pcap
  Capturing on foo
  ## Note no addt'l err msg text: See below for probable reason
  ## Also: the above tshark output is exactly what is currently happening
  ##  in the Ubuntu buildbot test failure.

3. Wireshark: latest svn plus:
   - enable all tshark g_log warn, debug, etc
   - add 1 line of g_log output in capture_sync (see below)
       to verify actual dumpcap being called by tshark.

   Installed *locally*

  [wsh-svn]$ ls -l ~/local-wireshark/bin/tshark ~/local-wireshark/bin/dumpcap
  -rwxr-xr-x 1 wmeier wmeier 118431 2008-02-21 13:25 \
                  /home/wmeier/local-wireshark/bin/dumpcap
  -rwxr-xr-x 1 wmeier wmeier 671930 2008-02-21 13:25 \
                  /home/wmeier/local-wireshark/bin/tshark

   ## I've again removed suid from dumpcap (altho not really relevant
   ##   in this case)

  ## dumpcap
  [wsh-svn]$ ~/local-wireshark/bin/dumpcap -i foo -w pcap.cap
  capset(): Operation not permitted
  The capture session could not be initiated (socket: Operation not permitted).
  Please check to make sure you have sufficient permissions, and that you have 
  the proper interface or pipe specified.

  ## tshark
  [wsh-svn]$ ~/local-wireshark/bin/tshark -i foo -w pcap.cap
  Capturing on foo
  (process:22804): Capture-DEBUG: sync_pipe_start
  (process:22804): Capture-DEBUG: CAPTURE OPTIONS    :
  (process:22804): Capture-DEBUG: CFile              : 0x(nil)
  (process:22804): Capture-DEBUG: Filter             :
  (process:22804): Capture-DEBUG: Interface          : foo
  (process:22804): Capture-DEBUG: Interface Descr    : foo
  (process:22804): Capture-DEBUG: SnapLen         (0): 65535
  (process:22804): Capture-DEBUG: Promisc            : 1
  (process:22804): Capture-DEBUG: LinkType           : -1
  (process:22804): Capture-DEBUG: SavingToFile       : 1
  (process:22804): Capture-DEBUG: SaveFile           : pcap.cap
  (process:22804): Capture-DEBUG: RealTimeMode       : 1
  (process:22804): Capture-DEBUG: ShowInfo           : 1
  (process:22804): Capture-DEBUG: QuitAfterCap       : 0
  (process:22804): Capture-DEBUG: MultiFilesOn       : 0
  (process:22804): Capture-DEBUG: FileDuration    (0): 60
  (process:22804): Capture-DEBUG: RingNumFiles    (0): 0
  (process:22804): Capture-DEBUG: AutostopFiles   (0): 1
  (process:22804): Capture-DEBUG: AutostopPackets (0): 0
  (process:22804): Capture-DEBUG: AutostopFilesize(0): 1024 (KB)
  (process:22804): Capture-DEBUG: AutostopDuration(0): 60
  (process:22804): Capture-DEBUG: ForkChild          : -1
  (process:22804): Capture-DEBUG: argv[0]: \
                    /home/wmeier/local-wireshark/bin/dumpcap  ## (added)
(process:22804): Capture-DEBUG: read 7 length error, \
                    required 6385779 > len 4096, indicator: 99

** (process:22804): WARNING **: Unknown message from dumpcap, \
            try to show it as a string: capset(): Operation not permitted
E
(process:22804): Capture-DEBUG: sync_pipe_input_cb: error reading from sync
pipe
(process:22804): Capture-DEBUG: sync_pipe_wait_for_child: wait till child
closed
(process:22804): Capture-DEBUG: sync_pipe_wait_for_child: capture child closed
** (process:22804): DEBUG: input pipe closed

So: I see two problems:

1. perror() output from child dumpcap causes "Unknown message" in tshark
   This message is *only* seen if tshark g_logging for Warnings enabled.

   (This message should probably be a g_error ?)

2. When running w/o privileges in my environment dumpcap has problems 
   to do with capability handling ?
   (cap_set_proc & etc is new to me; I can test further tomorrow if
    needed).

Bill
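
An added example, not part of the original comment and not Wireshark's own code: it shows how the first four bytes of the unframed perror() text ("caps") decode to the "indicator: 99" and "required 6385779" values in the debug log above. It assumes the sync-pipe header is a 1-byte indicator followed by a 3-byte big-endian length; `sp_parse_header`, `sp_status` and `SP_MAX_MSG_LEN` are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define SP_MAX_MSG_LEN 4096 /* matches "len 4096" in the log above */

enum sp_status { SP_OK, SP_SHORT, SP_TOO_LONG, SP_STRAY_TEXT };

struct sp_header {
    enum sp_status status;
    unsigned char indicator;
    unsigned long length;
};

/* Assumed framing: byte 0 = indicator, bytes 1..3 = big-endian payload length. */
struct sp_header sp_parse_header(const unsigned char *buf, size_t n)
{
    struct sp_header h = { SP_SHORT, 0, 0 };
    if (n < 4)
        return h;
    h.indicator = buf[0];
    h.length = ((unsigned long)buf[1] << 16) | ((unsigned long)buf[2] << 8) | buf[3];
    if (h.length <= SP_MAX_MSG_LEN)
        h.status = SP_OK;
    else if (isprint(buf[0]) && isprint(buf[1]) && isprint(buf[2]) && isprint(buf[3]))
        h.status = SP_STRAY_TEXT; /* printable "header": unframed text such as perror() */
    else
        h.status = SP_TOO_LONG;   /* binary but oversized: corrupt frame */
    return h;
}

int main(void)
{
    /* Text copied from the dumpcap output quoted in the comment. */
    const unsigned char stray[] = "capset(): Operation not permitted\n";
    /* Constructed well-formed frame: indicator 'E', 5-byte payload. */
    const unsigned char framed[] = { 'E', 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };

    struct sp_header h = sp_parse_header(stray, sizeof stray - 1);
    printf("stray : status=%d indicator=%u length=%lu\n", h.status, h.indicator, h.length);
    h = sp_parse_header(framed, sizeof framed);
    printf("framed: status=%d indicator=%u length=%lu\n", h.status, h.indicator, h.length);
    return 0;
}
```

A reader that distinguishes the stray-text case can report the child's message as an error instead of discarding it as an unknown frame.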

