From f54de620d6aeeb11e49e64c3beaa4a8507761d7c Mon Sep 17 00:00:00 2001 From: Guy Harris Date: Fri, 11 Aug 2006 00:11:11 +0000 Subject: From Stephen Fisher: add more information on configuring for BSD, modernize the section on BPF (modern BSDs have BPF built in and clone BPF devices, so no configuration should be necessary; we can add back the old instructions if people using older BSDs run into problems), and add information on making BPF devices available to non-root users. svn path=/trunk/; revision=18880 --- README.bsd | 107 +++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 79 insertions(+), 28 deletions(-) (limited to 'README.bsd') diff --git a/README.bsd b/README.bsd index 76a7a657ac..eba96b8998 100644 --- a/README.bsd +++ b/README.bsd 
@@ -1,32 +1,83 @@ $Id$ +Installing Wireshark on FreeBSD/OpenBSD/NetBSD +======================================================================== + + 1. Extra packages required + 2. Compiling Wireshark + 3. Berkeley Packet Filter (BPF) requirement + 4. Running Wireshark as a non-root user + + +1. Extra packages required +--------------------------- +Wireshark requires a number of additional programs to function. +Install the latest versions of the following programs before compiling: + + atk + cairo + expat + gettext + glib2 + glitz + gtk2 / gtk+2 + jpeg + libiconv + pango + pkgconfig + png + tiff + +The easiest way to install these is by using your operating system's +ports or packages system. + + +2. Compiling Wireshark +----------------------- +To compile Wireshark with the default options, run configure, make and +make install: + + ./configure + make + make install + +The configure and make steps can be run as a non-root user and you can +run Wireshark from the compilation directory itself. You must run make +install as root in order to copy the program to the proper directories. + + +3. Berkeley Packet Filter (BPF) requirement +-------------------------------------------- In order to capture packets (with Wireshark/TShark, tcpdump, or any -other packet capture program) on a BSD system, your kernel must have -the Berkeley packet Filter mechanism enabled. On some BSDs (recent -versions of FreeBSD, for example), it's enabled by default in the -generic kernel; it's not enabled by default in older FreeBSD kernels, -and might not be enabled by default in other kernels. - -The entry in the FreeBSD 3.4 i386 GENERIC configuration file for it is: - - # The `bpfilter' pseudo-device enables the Berkeley Packet Filter. - # Be aware of the administrative consequences of enabling this! - # The number of devices determines the maximum number of - # simultaneous BPF clients programs runnable. 
- pseudo-device bpfilter 1 #Berkeley packet filter - -To enable BPF, add "pseudo-device" line such as the last line there to -your configuration file, re-run "config", rebuild the kernel, install -the new kernel, and reboot. - -Note that some daemons, or other applications, may be BPF clients, i.e. -may use the BPF mechanism to see link-layer traffic coming into the -machine and send link-layer traffic from the machine; for example, if -the number in the "pseudo-device bpfilter" line is 1, and such a daemon -or application is running, a packet-capture program will not be able to -do packet capture, as the one and only BPF device will already be in -use. You may therefore need to increase the number of BPF devices, by -increasing the number in the "pseudo-device bpfilter" line, re-running -"config", rebuilding the kernel, installing the new kernel, and -rebooting. +other packet capture program) on a BSD system, your kernel must have the +Berkeley Packet Filter mechanism enabled. The default kernel +configurations in recent versions of BSD systems have this enabled +already. To verify the bpf device is present, look in the /dev +directory: + + ls -l /dev/bpf* + +You should see one or more bpf devices listed similar to this: + + crw------- 1 root wheel 0, 90 Aug 10 21:05 /dev/bpf0 + crw------- 1 root wheel 0, 91 Aug 10 21:05 /dev/bpf1 + +Packet-capturing programs will pick the first bpf device that's not in +use. Recent versions of most BSDs will create bpf devices as needed, so +you don't have to configure the number of devices that will be +available. +4. Running wireshark as a non-root user +------------------------------------------- +Since the bpf devices are read-only by the owner (root), you normally +have to run packet capturing programs such as Wireshark as root. It is +safer to run programs as a non-root user if possible. To run Wireshark +as a non-root user, you must change the permissions on the bpf device(s). 
+If you are the only user that needs to use Wireshark, the easiest way +is to change the owner of each bpf device to your username. You can also +add the read/write ability to the group (typically wheel) and add users +that need to use Wireshark to the wheel group. Check your operating +system's documentation on how to make permanent these changes as they +are often reset upon reboot; if /dev is implemented with devfs, it might +be possible to configure devfs to create all bpf devices owned by a +particular user and/or group and with particular permissions.
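Review bot: In the new section 4, "Since the bpf devices are read-only by the owner (root)" contradicts the ls output shown in section 3 (crw------- is read and write for root and no access for anyone else); it should say the devices are readable and writable only by root. The same section then tells the reader to give read/write on the bpf devices to the whole wheel group without stating what that grants: read access lets the holder capture all traffic on every interface, and write access lets them send arbitrary link-layer frames, which is exactly what the removed "Be aware of the administrative consequences of enabling this!" comment from the old GENERIC excerpt was warning about. Suggest keeping one sentence to that effect, recommending a dedicated group rather than wheel (which already carries su rights on these systems), and, if read permission alone suffices for capture on the targeted BSDs, saying so and recommending only that be granted. Two smaller points: the table of contents says "Running Wireshark as a non-root user" while the heading says "Running wireshark as a non-root user", and that heading lacks the two blank lines that separate every other section.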