How to Compile Wireshark on OpenBSD

Wireshark on OpenBSD

Wireshark, formerly known as Ethereal, is a great tool for network troubleshooting or any other task involving network packet capture and analysis. But you may have to build it yourself on OpenBSD, and if so, the compilation will probably fail. Here is how to successfully compile and install the Wireshark toolkit, setting permissions so you can capture packets without being logged in as root.

The OpenBSD community hadn't built Wireshark packages for a while, since Wireshark has a bad security track record. Its packet dissectors (the modules analyzing the large set of supported protocols) are very complicated and prone to bugs. Making things worse, many people have believed that it has to run with root privileges. A privileged process running untrusted code leads to big security problems!

On top of all this, the Wireshark community hasn't seemed to worry about making Wireshark build cleanly from source on OpenBSD.

Yeah, I get it, do the capture only with tcpdump run as root and then use the enormous and less trustworthy Wireshark to decode and examine the result.

As of OpenBSD 5.8, the wireshark and tshark packages were once again available. But who knows how long that will last...

Here is the trick for compiling Wireshark on OpenBSD, based on what I found in a guide for OpenBSD 3.8. The following worked with Ethereal under earlier versions of OpenBSD, and it works with Wireshark.

Compiling and Installing Wireshark

Step 1:

Install these additional packages on OpenBSD:

autoconf
automake
gcc-4*
glib2
gmake
gtk+2
libtool
m4
metaauto
python 

Step 2:

See what versions of autoconf and automake you have:

% pkg_info autoconf | head -1
% pkg_info automake | head -1
% ls /usr/local/bin/auto* 

Step 3:

You will probably have to do the software build as root because of the memory requirements. Become root with:

% su - 

Step 4:

Set two environment variables, changing the numbers as appropriate. If you see, for example, autoconf-2.59p1, then you should probably specify simply 2.59. Similarly, if you see automake-1.9.6p8, then you should probably specify simply 1.9. The ls command above is probably the most useful test.

If you're running tcsh or csh, do something like the following:

# setenv AUTOCONF_VERSION 2.69
# setenv AUTOMAKE_VERSION 1.14 

If you're running bash, do something like the following:

# export AUTOCONF_VERSION=2.69
# export AUTOMAKE_VERSION=1.14 

Step 5:

At this point we find that the INSTALL, README, and other files don't tell the whole story for OpenBSD. First, we have to generate the Makefiles:

# ./autogen.sh 

If that command fails with a complaint about missing Python, even though you have already installed it, then you need to do something like the following as root:

# pushd /usr/local/bin
# ln -s python2.7 python
# popd 

If it fails with an error about a missing open directory /usr/share/aclocal then:

# pushd /usr/share
# ln -s /usr/local/share/aclocal
# popd 

Step 6:

Do the configuration:

# ./configure 

Run this script with the --help option to see what choices you have. Resist the urge to install it setuid-root as that is unnecessarily dangerous. See below for how to safely allow non-root capture.

Step 7:

If you previously installed an earlier version, uninstall it and (most importantly) its old libraries. Otherwise, the following build will fail. Notice that you must use the GNU version of make:

# gmake uninstall 

Step 8:

Now build the software. Note that you may have to run the following as root because of the amount of memory resources required by the library building. Note also that you have to use the GNU version of make:

# gmake 

Step 9:

After quite a while, that should succeed. On my system this takes about 3.5 to 4 times as long as it takes to build the OpenBSD kernel. If it succeeds, you're ready to install, again being careful to use the gmake program:

# gmake install 

Step 10:

If it did not succeed, carefully read the output.

Possible error #1 — Wireshark simply will not compile. You get a bunch of errors of this form:

In file included from packet-dplay.c:33:
/usr/include/sys/socket.h:147: error: expected specifier-qualifier-list before 'u_int8_t'
/usr/include/sys/socket.h:165: error: expected specifier-qualifier-list before 'u_int8_t'
/usr/include/sys/socket.h:233: error: expected specifier-qualifier-list before 'uid_t'
/usr/include/sys/socket.h:354: error: expected specifier-qualifier-list before 'socklen_t'
/usr/include/sys/socket.h:380: error: expected specifier-qualifier-list before 'socklen_t'
/usr/include/sys/socket.h:436: error: expected specifier-qualifier-list before 'caddr_t' 

Fix — Use an older version of Wireshark. I have had the above problem trying to compile Wireshark 1.0.4 on OpenBSD 4.4 through 4.7. I rolled back to Wireshark 1.0.0 (I had kept the old tar files) and that version compiles and runs just fine.

Possible error #2 — Some warning messages due to risky code in the wiretap directory may cause the build to halt because the -Werror flag tells gcc to consider warnings to be errors. This was a problem building Wireshark 1.0.0 on OpenBSD 4.3.
Fix — Edit the file wiretap/Makefile and comment out this line:

AM_NON_NERATED_CFLAGS = -Werror 

By Wireshark 1.0.4, the Makefile came with that already commented out. Someone had noticed this!

Step 11:

When you try to run Wireshark, as soon as you try to start a capture it may fail with these two symptoms:

First, an error box pops up reading:

Child capture process died:
Segmentation violation - core dumped 

The terminal where you started Wireshark shows an error:

(ethereal-capture:PID): GdkPixbuf-WARNING **:
Cannot open pixbuf loader module file
'/var/db/gtk-2.0/gdk-pixbuf.loaders': Too many open files 

This problem is caused by Wireshark using so many shared libraries stored under /usr/local/lib and data files stored under /usr/local/share/wireshark, especially if you built it with RADIUS support. The fix is to run Wireshark in an environment where more open files are allowed. For root, the command ulimit -a shows that the Bash shell can have only 128 simultaneous open file descriptors for that shell and its child processes. So, start Wireshark like this:

% su root -c 'ulimit -n 512 ; wireshark &' 

Or, more extremely:

% su root -c 'ulimit -n unlimited ; wireshark &' 

For more details see man bash and read the ulimit section.

Safely Allowing Unprivileged User Capture

It is dangerous to run Wireshark as root because of the enormous and therefore buggy system of packet dissectors. The good news is that Wireshark supports privilege separation so the user interface (GUI for wireshark, text for tshark) can run as an ordinary user while only the dumpcap packet capture code runs as root.

Even that reduced risk is not needed on OpenBSD. Do the following to allow any member of group wheel to capture packets. The device files should already be in group wheel but just to make sure:

# chgrp wheel /dev/bpf*
# chmod g+r /dev/bpf*
# ls -l /dev/bpf*
0 crw-r-----  1 root  wheel   23,   0 Jul 17 16:48 /dev/bpf0
0 crw-r-----  1 root  wheel   23,   1 Jul 17 16:48 /dev/bpf1
0 crw-r-----  1 root  wheel   23,   2 Jul 17 16:48 /dev/bpf2
0 crw-r-----  1 root  wheel   23,   3 Jul 17 16:48 /dev/bpf3
0 crw-r-----  1 root  wheel   23,   4 Jul 17 16:48 /dev/bpf4
0 crw-r-----  1 root  wheel   23,   5 Jul 17 16:48 /dev/bpf5
0 crw-r-----  1 root  wheel   23,   6 Jul 17 16:48 /dev/bpf6
0 crw-r-----  1 root  wheel   23,   7 Jul 17 16:48 /dev/bpf7
0 crw-r-----  1 root  wheel   23,   8 Jul 17 16:48 /dev/bpf8
0 crw-r-----  1 root  wheel   23,   9 Jul 17 16:48 /dev/bpf9

Wireshark Capture Filters

As for useful capture filters, see the Wireshark filter page at the Wireshark Wiki. I always forget where the "not" goes — it's:
  port not 53
and not:
  not port 53
Things get further complicated when combining expressions:

port not 53 and not arp 

Expressions can be carefully combined in multiple ways. These two are equivalent:

host www.example.com and not (port 80 or port 25)
host www.example.com and not port 80 and not port 25 

Here's my favorite example of a complicated filter expression — just capture HTTP GET requests. This looks for the ASCII for "GET " — 0x47, 0x45, 0x54, 0x20 — immediately after the TCP header:

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 

See the tcpdump manual page for comprehensive details.