Linux下用wireshark

qhyw

down了wireshark工具在linux机器上很久了，但每次打开都不能像windows下那样正常运行，还以为自己安装的有问题，直到前几天才从一个同事那里的得知，在linux下用wireshark需要root权限的，试了一下，哈，果然是这样.结果搜了一下，人家wireshark安装平台信息里白纸黑字的写着呢,自己从来就没读过:Running Wireshark (or any other network capture/analyzer, for that matter) on Linux needs root privileges. Therefore, you have to have root privileges when starting Wireshark, else you can't capture data. Please note that you don't have to login as root when starting your computer, you can use su(1) or sudo(8) for that purpose.

如果觉得在su模式下不安全，wireshark开发组建议使用tcpdump.(especially when you want to do a remote capture and do not want the network load associated with running Wireshark remotely).命令格式：tcpdump -i <interface> -s 65535 -w <some-file>
,(note:/tcpdump still run as root).常用的方法其实是写到脚本里,放到/usr/bin 下运行。比如：
      A=fxp0
      B=fxp1
      SU tcpdump -i $A -s 2000 -w /tmp/A.pcap  &
      pidA=$!
      SU tcpdump -i $B -s 2000 -w /tmp/B.pcap &
      pidB=$!
      trap "kill $pidA $pidB 2>/dev/null" 0 1 2 15
      wait
(note:terminate the capture with ^C ),
然后在普通模式下,直接wireshark /tmp/A.pcap 就可以看到抓取的包信息了。