How to Compile Wireshark on OpenBSD
Wireshark, formerly known as Ethereal, is a great tool for network troubleshooting or any other task involving network packet capture and analysis. But you have to build it yourself on OpenBSD, and the compilation will fail.
The OpenBSD community hasn't built Wireshark packages for a while, since Wireshark has a bad security track record. It has to run with root privileges to do most of what people find useful, and its packet dissectors (the modules analyzing the large set of supported protocols) are very complicated and prone to bugs. A privileged process running untrusted code leads to big security problems!
On top of this, the Wireshark community hasn't seemed to worry about making Wireshark build cleanly from source on OpenBSD.
Here is the trick for compiling Wireshark on OpenBSD, based on what I found at http://www.linbsd.org/ethereal_on_openbsd38.html The following worked with Ethereal under earlier versions of OpenBSD, and it works with Wireshark.
Install these additional packages on OpenBSD:
autoconf automake gcc-4* glib2 gmake gtk+2 libtool m4 metaauto python
See what versions of autoconf and automake you have:
% pkg_info autoconf | head -1 % pkg_info automake | head -1 % ls /usr/local/bin/auto*
You will probably have to do the software build as root because of the memory requirements. Become root with:
% su -
Set two environment variables, changing the numbers as appropriate. If you see, for example, autoconf-2.59p1, then you should probably specify simply 2.59. Similarly, if you see automake-1.9.6p8, then you should probably specify simply 1.9. The ls command above is probably the most useful test.
# setenv AUTOCONF_VERSION 2.69 # setenv AUTOMAKE_VERSION 1.11
# export AUTOCONF_VERSION=2.69 # export AUTOMAKE_VERSION=1.11
At this point we find that the INSTALL, README, and other files don't tell the whole story for OpenBSD. First, we have to generate the Makefiles:
If that command fails with a complaint about missing Python, even though you have already installed it, then you need to do something like the following as root:
# pushd /usr/local/bin # ln -s python2.7 python # popd
If it fails with an error about a missing open directory /usr/share/aclocal then:
# pushd /usr/share # ln -s /usr/local/share/aclocal # popd
Do the configuration:
If you previously installed an earlier version, uninstall it and (most importantly) its old libraries. Otherwise, the following build will fail. Notice that you must use the GNU version of make:
# gmake uninstall
Now build the software. Note that you may have to run the following as root because of the amount of memory resources required by the library building. Note also that you have to use the GNU version of make:
After quite a while, that should succeed. On my system this takes about 3.5 to 4 times as long as it takes to build the OpenBSD kernel. If it succeeds, you're ready to install, again being careful to use the gmake program:
# gmake install
If it did not succeed, carefully read the output.
In file included from packet-dplay.c:33: /usr/include/sys/socket.h:147: error: expected specifier-qualifier-list before 'u_int8_t' /usr/include/sys/socket.h:165: error: expected specifier-qualifier-list before 'u_int8_t' /usr/include/sys/socket.h:233: error: expected specifier-qualifier-list before 'uid_t' /usr/include/sys/socket.h:354: error: expected specifier-qualifier-list before 'socklen_t' /usr/include/sys/socket.h:380: error: expected specifier-qualifier-list before 'socklen_t' /usr/include/sys/socket.h:436: error: expected specifier-qualifier-list before 'caddr_t'Fix — Use an older version of Wireshark. I have had the above problem trying to compile Wireshark 1.0.4 on OpenBSD 4.4 through 4.7. I rolled back to Wireshark 1.0.0 (I had kept the old tar files) and that version compiles and runs just fine.
AM_NON_ENERATED_CFLAGS = -WerrorBy Wireshark 1.0.4, the Makefile came with that already commented out. Someone had noticed this!
When you try to run Wireshark, as soon as you try to start a capture it may fail with these two symptoms:
Child capture process died: Segmentation violation - core dumped
(ethereal-capture:PID): GdkPixbuf-WARNING **: Cannot open pixbuf loader module file '/var/db/gtk-2.0/gdk-pixbuf.loaders': Too many open files
This problem is caused by Wireshark using so many shared libraries stored under /usr/local/lib and data files stored under /usr/local/share/wireshark, especially if you built it with RADIUS support. The fix is to run Wireshark in an environment where more open files are allowed. For root, the command ulimit -a shows that the Bash shell can have only 128 simultaneous open file descriptors for that shell and its child processes. So, start Wireshark like this:
% su root -c 'ulimit -n 512 ; wireshark &'
Or, more extremely:
% su root -c 'ulimit -n unlimited ; wireshark &'
For more details see man bash and read the ulimit section.
As for useful capture filters,
see the page at the Wireshark Wiki.
I always forget where the "not" goes — it's:
port not 53
not port 53
Things get further complicated when combining expressions:
port not 53 and not arp
Expressions can be carefully combined in multiple ways. These two are equivalent:
host www.example.com and not (port 80 or port 25) host www.example.com and not port 80 and not port 25
Here's my favorite complicated filter expression — just capture HTTP GET requests. This looks for the ASCII for "GET " — 0x47, 0x45; 0x54, 0x20, immediately after the TCP header:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
See the tcpdump manual page for comprehensive details.