How to Compile Wireshark on OpenBSD
Wireshark, formerly known as Ethereal, is a great tool for network troubleshooting or any other task involving network packet capture and analysis. But you have to build it yourself on OpenBSD, and the compilation will fail.
The OpenBSD community hasn't built Wireshark packages for a while, since Wireshark has a bad security track record. It has to run with root privileges to do most of what people find useful, and its packet dissectors (the modules analyzing the large set of supported protocols) are very complicated and prone to bugs. A privileged process running untrusted code leads to big security problems!
On top of this, the Wireshark community hasn't seemed to worry about making Wireshark build cleanly from source on OpenBSD.
Here is the trick for compiling Wireshark on OpenBSD, based on what I found at http://www.linbsd.org/ethereal_on_openbsd38.html. The following worked with Ethereal under earlier versions of OpenBSD, and it works with Wireshark.
Install these additional packages on OpenBSD:
autoconf automake gcc-4* glib2 gmake gtk+2 libtool m4 metaauto python
See what versions of autoconf and automake you have:
% pkg_info autoconf | head -1
% pkg_info automake | head -1
% ls /usr/local/bin/auto*
You will probably have to do the software build as root because of the memory requirements.
Become root with:
% su -
Set two environment variables, changing the numbers as appropriate.
If you see, for example,
then you should probably specify simply
Similarly, if you see
then you should probably specify simply
ls command above is probably the most
csh, do something like the following:
# setenv AUTOCONF_VERSION 2.69
# setenv AUTOMAKE_VERSION 1.11
bash, do something like the following:
# export AUTOCONF_VERSION=2.69
# export AUTOMAKE_VERSION=1.11
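The version numbers in those two variables are the major.minor part of the installed package version, which is what the OpenBSD autoconf and automake wrapper scripts key on. As an added example (not from the original article), here is a small Python helper that derives them from the first line of `pkg_info` output. It assumes that line has the form "Information for inst:autoconf-2.69p2" (the sample lines below are constructed, not captured from a real system) and that a package version like 1.11.6p1 should become 1.11.

```python
"""Derive AUTOCONF_VERSION / AUTOMAKE_VERSION from pkg_info output.

Added example, not from the original article. Assumes the first line of
`pkg_info <pkg>` looks like "Information for inst:<name>-<version>[p<patch>]".
"""
import re

# Constructed sample lines standing in for `pkg_info autoconf | head -1`
# and `pkg_info automake | head -1` (assumed output format).
SAMPLE_PKG_INFO = {
    "autoconf": "Information for inst:autoconf-2.69p2",
    "automake": "Information for inst:automake-1.11.6p1",
}

# Optional pkg_info prefix, then <name>-<major>.<minor>; anything after the
# minor number (extra components, pN patch level, -flavor) is ignored.
_PKG_RE = re.compile(r"(?:Information for inst:)?(?P<name>\S+?)-(?P<major>\d+)\.(?P<minor>\d+)")


def major_minor(pkg_info_line: str) -> str:
    """Return "major.minor" from a pkg_info header line (2.69p2 -> 2.69, 1.11.6p1 -> 1.11)."""
    m = _PKG_RE.search(pkg_info_line.strip())
    if not m:
        raise ValueError(f"cannot parse a package version from: {pkg_info_line!r}")
    return f"{m.group('major')}.{m.group('minor')}"


def build_env(pkg_info_lines: dict) -> dict:
    """Map the two pkg_info header lines to the environment variables the build needs."""
    return {
        "AUTOCONF_VERSION": major_minor(pkg_info_lines["autoconf"]),
        "AUTOMAKE_VERSION": major_minor(pkg_info_lines["automake"]),
    }


def shell_exports(env: dict, shell: str = "bash") -> str:
    """Render the assignments in csh (setenv) or bash (export) syntax."""
    if shell == "csh":
        return "\n".join(f"setenv {k} {v}" for k, v in env.items())
    return "\n".join(f"export {k}={v}" for k, v in env.items())


if __name__ == "__main__":
    env = build_env(SAMPLE_PKG_INFO)
    print(shell_exports(env, "csh"))
    print(shell_exports(env, "bash"))
```

On a real OpenBSD box you would feed it the actual `pkg_info` lines instead of the constructed samples; the point of the helper is the truncation rule (drop the patch level and any third version component), which is the step that is easy to get wrong by hand.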
At this point we find that the README, and other files don't tell the whole story for OpenBSD.
First, we have to generate the Makefiles:
If that command fails with a complaint about missing Python, even though you have already installed it, then you need to do something like the following as root:
# pushd /usr/local/bin
# ln -s python2.7 python
# popd
If it fails with an error about a missing open
# pushd /usr/share
# ln -s /usr/local/share/aclocal
# popd
Do the configuration:
If you previously installed an earlier version,
uninstall it and (most importantly) its old
Otherwise, the following build will fail.
Notice that you must use the GNU version of make:
# gmake uninstall
Now build the software.
Note that you may have to run the following as root because of the amount of memory required by the library building.
Note also that you have to use the GNU version of make.
After quite a while, that should succeed.
On my system this takes about 3.5 to 4 times as long as it takes to build the OpenBSD kernel.
If it succeeds, you're ready to install, again being careful to use the GNU version of make:
# gmake install
If it did not succeed, carefully read the output.
In file included from packet-dplay.c:33:
/usr/include/sys/socket.h:147: error: expected specifier-qualifier-list before 'u_int8_t'
/usr/include/sys/socket.h:165: error: expected specifier-qualifier-list before 'u_int8_t'
/usr/include/sys/socket.h:233: error: expected specifier-qualifier-list before 'uid_t'
/usr/include/sys/socket.h:354: error: expected specifier-qualifier-list before 'socklen_t'
/usr/include/sys/socket.h:380: error: expected specifier-qualifier-list before 'socklen_t'
/usr/include/sys/socket.h:436: error: expected specifier-qualifier-list before 'caddr_t'
Fix — Use an older version of Wireshark. I have had the above problem trying to compile Wireshark 1.0.4 on OpenBSD 4.4 through 4.7. I rolled back to Wireshark 1.0.0 (I had kept the old tar files) and that version compiles and runs just fine.
The wiretap directory may cause the build to halt because its Makefile tells gcc to consider warnings to be errors. This was a problem building Wireshark 1.0.0 on OpenBSD 4.3.
Edit wiretap/Makefile and comment out this line:
AM_NON_GENERATED_CFLAGS = -Werror
By Wireshark 1.0.4, the Makefile came with that already commented out. Someone had noticed this!
When you try to run Wireshark, as soon as you try to start a capture it may fail with these two symptoms:
Child capture process died: Segmentation violation - core dumped
(ethereal-capture:PID): GdkPixbuf-WARNING **: Cannot open pixbuf loader module file '/var/db/gtk-2.0/gdk-pixbuf.loaders': Too many open files
This problem is caused by Wireshark using so many shared libraries stored under /usr/local/lib and data files, especially if you built it with RADIUS support.
The fix is to run Wireshark in an environment where more open files are allowed.
As root, the command shows that the Bash shell can have only 128 simultaneous open file descriptors for that shell and its child processes.
So, start Wireshark like this:
% su root -c 'ulimit -n 512 ; wireshark &'
Or, more extremely:
% su root -c 'ulimit -n unlimited ; wireshark &'
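The `ulimit -n` in those commands raises the soft limit on open file descriptors for the shell and everything it starts. As an added example (not from the original article), here is the same adjustment done from Python with the standard `resource` module, so a launcher script can check the limit before starting Wireshark and report the one case `ulimit` cannot fix: a hard limit that is itself too low, which only root can raise. The 512 figure is the value the article's command uses; the `launch` helper and its argument list are assumptions for illustration.

```python
"""Check and raise the open-file soft limit before starting a capture tool.

Added example, not from the original article. Uses only the standard
library (resource, subprocess).
"""
import resource
import subprocess

WIRESHARK_FD_TARGET = 512  # the value the article's `ulimit -n 512` uses


def ensure_fd_limit(needed: int) -> int:
    """Make sure this process may open at least `needed` descriptors.

    Returns the effective soft limit afterwards (`needed` when the limit is
    unlimited). Raises ValueError when the hard limit forbids it: that is the
    situation a plain `ulimit -n` cannot repair without root.
    """
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft == resource.RLIM_INFINITY:
        return needed            # already unlimited, nothing to do
    if soft >= needed:
        return soft              # already high enough
    if hard != resource.RLIM_INFINITY and hard < needed:
        raise ValueError(
            f"hard open-file limit is {hard}, below the {needed} needed; "
            "raise the hard limit as root before starting the capture")
    # Raising the soft limit up to the hard limit needs no privilege.
    resource.setrlimit(resource.RLIMIT_NOFILE, (needed, hard))
    return needed


def launch(argv, needed: int = WIRESHARK_FD_TARGET) -> subprocess.Popen:
    """Raise the limit, then start the program; children inherit the new limit.

    `argv` is assumed to be something like ["wireshark"]; it is not run here.
    """
    ensure_fd_limit(needed)
    return subprocess.Popen(argv)


if __name__ == "__main__":
    print("soft limit now", ensure_fd_limit(WIRESHARK_FD_TARGET))
```

Run the check as the same user that will run the capture, since the limits are per process and inherited, not global; `launch` is the equivalent of the article's `su root -c 'ulimit -n 512 ; wireshark &'` done from inside one process.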
For more details see
and read the
As for useful capture filters, see the page at the Wireshark Wiki.
I always forget where the "not" goes — it's:
port not 53
not port 53
Things get further complicated when combining expressions:
port not 53 and not arp
Expressions can be carefully combined in multiple ways. These two are equivalent:
host www.example.com and not (port 80 or port 25)
host www.example.com and not port 80 and not port 25
Here's my favorite complicated filter expression — just capture HTTP GET requests. This looks for the ASCII for "GET " — 0x47, 0x45, 0x54, 0x20 — immediately after the TCP header:
port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
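The interesting part of that filter is the index: `tcp[12:1]` is the Data Offset byte, whose high nibble is the TCP header length in 32-bit words, and `(x & 0xf0) >> 2` turns that nibble into a byte count in one operation (it equals `(x >> 4) * 4`). Reading 4 bytes at that offset lands on the first payload bytes even when the header carries options. As an added example (not from the original article), the following Python reproduces that arithmetic on constructed TCP segments and contrasts it with the naive assumption that the payload starts at byte 20; the `port 80` half of the filter is not modelled.

```python
"""Reproduce the tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 check in Python.

Added example, not from the original article. The segments are constructed
here (TCP header only, no IP header); the "GET " constant is the one the
article's filter matches on.
"""
import struct

GET_MAGIC = 0x47455420  # "GET " as a big-endian 32-bit integer


def tcp_payload_offset(segment: bytes) -> int:
    """Byte offset of the payload, computed exactly as the filter does.

    segment[12] is the Data Offset byte; masking with 0xf0 keeps the
    header-length nibble in the high bits, and shifting right by 2 yields
    words * 4, i.e. the header length in bytes.
    """
    if len(segment) < 20:
        raise ValueError("shorter than the 20-byte minimum TCP header")
    return (segment[12] & 0xF0) >> 2


def starts_with_get(segment: bytes) -> bool:
    """True when the 4 bytes after the TCP header are "GET "."""
    off = tcp_payload_offset(segment)
    if off < 20 or len(segment) < off + 4:
        return False  # bogus data offset, or fewer than 4 payload bytes
    return struct.unpack("!I", segment[off:off + 4])[0] == GET_MAGIC


def naive_starts_with_get(segment: bytes) -> bool:
    """The wrong version: assumes no TCP options, so the payload is at byte 20."""
    return segment[20:24] == b"GET "


def make_tcp_segment(payload: bytes, options: bytes = b"", sport: int = 12345, dport: int = 80) -> bytes:
    """Build a TCP header with optional options (padded to a 4-byte boundary) plus payload."""
    options += b"\x00" * (-len(options) % 4)
    words = 5 + len(options) // 4            # header length in 32-bit words
    data_offset_byte = words << 4            # high nibble = words, low nibble = reserved/NS
    header = struct.pack("!HHIIBBHHH",
                         sport, dport,       # ports
                         0, 0,               # seq, ack (irrelevant here)
                         data_offset_byte,
                         0x18,               # flags: PSH|ACK
                         8192, 0, 0)         # window, checksum (unset), urgent pointer
    return header + options + payload


# Constructed samples: a plain request, one with an 8-byte option block
# (MSS, NOP, NOP, SACK-permitted), and a POST that must not match.
PLAIN_GET = make_tcp_segment(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
GET_WITH_OPTIONS = make_tcp_segment(b"GET /index.html HTTP/1.0\r\n\r\n",
                                    options=b"\x02\x04\x05\xb4\x01\x01\x04\x02")
POST = make_tcp_segment(b"POST /login HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for name, seg in [("plain", PLAIN_GET), ("with options", GET_WITH_OPTIONS), ("post", POST)]:
        print(f"{name:13s} offset={tcp_payload_offset(seg):2d} "
              f"filter={starts_with_get(seg)} naive={naive_starts_with_get(seg)}")
```

The segment with options is the case that justifies the index arithmetic: its header is 28 bytes, so the naive byte-20 check reads the option bytes and misses the request, while the filter's computed offset finds it.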
See the tcpdump manual page for comprehensive details.