aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

Does one have to add Wireshark to a software firewall?

While I know that there are different software firewalls: Does one ever have to add Wireshark to a software firewall, to get Wireshark to see traffic to and from the computer that it is running on?

Thanks
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

1 recommendation

Occasionally I ran Wireshark to check/troubleshoot, but not as a part of a firewall.

Cudni


Velnias

join:2004-07-06
reply to aefstoggaflm

Bad idea.

»web.nvd.nist.gov/view/vuln/searc···&cves=on


Jasu

join:2010-01-09
Finland

1 recommendation

reply to aefstoggaflm

As Velnias pointed out, Wireshark protocol dissectors have had some problems with vulnerabilities. You should use tcpdump/windump to capture traffic to a file and read the file with Wireshark (= no need for privileges).

Also, depending on how you use your connection to the Internet, capturing all traffic will create lots of data. You can't go through it manually. You could check Snort.
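The Unix side of the capture-to-file workflow suggested above, as an added example that is not from this thread: root runs tcpdump and drops privileges for the write, the file is sanity-checked, and only then does Wireshark (and its dissectors) open it as a normal user. The interface name eth0, the account name "analyst" and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Capture as root with tcpdump, have it
# drop privileges for the write, then open the file in Wireshark as a normal
# user. Assumed names: interface eth0, account "analyst", path under /var/tmp.
IFACE="${IFACE:-eth0}"
ANALYST="${ANALYST:-analyst}"
OUTFILE="${OUTFILE:-/var/tmp/capture.pcap}"

# Build the tcpdump command line: -Z drops root to $2 once the capture device
# is open, so the file is written and owned by the unprivileged user; -s 0
# keeps whole packets; -c $4 stops after that many packets; the filter keeps
# the SSH session used to run the capture out of the file.
build_capture_cmd() {
    printf 'tcpdump -i %s -Z %s -s 0 -w %s -c %s not port 22\n' "$1" "$2" "$3" "$4"
}

# Sanity-check a capture before handing it to a dissector: the first 4 bytes
# must be a pcap or pcapng magic and the file must not be world-readable.
# Returns 0 when OK, 1 on bad magic, 2 on loose or unknown permissions.
verify_capture_file() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) ;;   # pcap, pcap-ns, pcapng
        *) return 1 ;;
    esac
    perm=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ -n "$perm" ] || return 2
    case "$perm" in
        *[4567]) return 2 ;;   # "other" read bit set
    esac
    return 0
}

# Whole procedure: root captures with a tight umask, the analyst reads.
# Wireshark and its dissectors never run with root privileges.
capture_then_analyze() {
    [ "$(id -u)" -eq 0 ] || { echo "run the capture step as root" >&2; return 1; }
    sh -c "umask 077; $(build_capture_cmd "$IFACE" "$ANALYST" "$OUTFILE" 1000)" || return 1
    verify_capture_file "$OUTFILE" || return 1
    su -l "$ANALYST" -c "wireshark -r '$OUTFILE'"
}
```

On Windows the same split applies with WinDump writing the file and Wireshark reading it; the verification step works unchanged on any pcap or pcapng file.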


wolfy339

join:2005-04-30
Edmonds, WA

1 recommendation

said by Jasu:

As Velnias pointed out, Wireshark protocol dissectors have had some problems with vulnerabilities. You should use tcpdump/windump to capture traffic to a file and read the file with Wireshark (= no need for privileges).

Heck, I run Wireshark from a limited user account on my home machine with no trouble.
--
Computer: Antec 850w PSU, ASUS M4A89GTDPRO-USB3, AMD Phenom II x4 955 @ 3.2GHZ, ATI Radeon 5770, SB XFI Fatal1ty, 8GB Kingston DDR3, Windows 7 Ultimate x64, KIS 2012, Samsung SyncMaster 2443BWX, Frontier DSL 768/128 w/ Westell 6100 C90 & Linksys WRT120N

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Velnias

Your link refers to EARLIER VERSIONS of Wireshark. Plus, most were rated "LOW vulnerability" with a few at "medium" and NONE higher than that.

Seems to me the more responsible answer would have been to tell the OP to get the LATEST VERSION of Wireshark - 1.8.6 AND install the 64bit version.

I don't recall what OS the OP has, but if anyone wants to install Wireshark 1.8.6 64bit on Windows 8 you must FIRST install the latest version of WinPcap. THEN install Wireshark 1.8.6 and decline the installer's offer to remove your CURRENT version of WinPcap and instead replace it with an OLDER version. (Wireshark needs to update the version of WinPcap that is packaged with their installer).

The version of WinPcap (4.1.2) that is bundled with the Wireshark 64bit installer will NOT install on Windows 8. That is why WinPcap finally came out last month with a version that will install easily on Win 8 (4.1.3). The version packed with Wireshark will not install and may screw up the computer and the Wireshark installation itself UNLESS certain TRICKS are executed to get it to, hopefully, install correctly. I went through this mess when I got this new Win 8 computer and wanted to install Ping Plotter Pro which requires WinPcap. So, it is best to install the new version of WinPcap FIRST and then install Wireshark, ignoring Wireshark's offer to uninstall the latest WinPcap and install the version that is highly problematic on Windows 8.

Even if you don't have Win 8, you should install WinPcap first so you have the latest version. As of yesterday, the Wireshark installer still offers the old version of WinPcap and wants to remove the latest version, which is the only version that installs correctly (without tricks/hassle) on Win 8. I'm sure they will fix that soon but until they do, do it like I mentioned.

»www.winpcap.org/install/default.htm
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Velnias

join:2004-07-06

A bad security track record for Wireshark means more vulnerabilities in the future; no security in mind when it was developed.
BTW, a low or medium vulnerability means an application crash - pretty bad for an online attack detector.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Online attack detector? That's not what I use it for and if it did crash...well, I have had "explorer.exe" crash twice in the past two days. I'm not crazy about crashing programs, but I sure would not say crashing was "pretty bad" of a program because then I'd have to conclude that almost all programs are "pretty bad".
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Velnias

join:2004-07-06

You're right - a crashing *packet analyzer* is not a big deal.

Hmm, crashing "explorer.exe"? That really happens so often without any "help"?


Jasu

join:2010-01-09
Finland
reply to wolfy339

Yes, you are right. You only have to start the WinPcap driver as an administrator; after that anyone can use it. Thanks to Microsoft for removing the more secure raw sockets in WinXP SP2...



Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth

1 recommendation

reply to aefstoggaflm

no


SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2
reply to aefstoggaflm

said by aefstoggaflm:

While I know that there are different software firewalls: Does one ever have to add Wireshark to a software firewall, to get Wireshark to see traffic to and from the computer that it is running on?

Thanks

Nope, I have never needed to configure the firewall to get packets to work. Doesn't mean you might not need to with a very locked down set of rules or something.

Is this using the standard Windows firewall on XP? on Win7? or another firewall product?

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

1 recommendation

reply to aefstoggaflm

said by aefstoggaflm:

While I know that there are different software firewalls: Does one ever have to add Wireshark to a software firewall, to get Wireshark to see traffic to and from the computer that it is running on?

Thanks

I have not used a lot of different firewalls recently and the one I use does not require you to give permission for Wireshark to work. I would of course prefer a firewall that required permission for Wireshark since to me it is something of a hole in the firewall if a program can receive packets without permission. In the past I have used firewalls that required you to grant permission, but I do not know if they still would since it is possible that the OS hooks have changed.

Of course you then have the tradeoff that in theory Wireshark could respond, since you would need to allow it to receive inbound TCP and reply packets would not be stopped, since software firewalls allow outbound TCP in reply to inbound TCP. Still, it would block other programs from receiving packets without permission by hooking into the OS in a similar manner.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

HELLFIRE
Premium
join:2009-11-25
kudos:18

1 recommendation

reply to aefstoggaflm

Depends what you're doing, aefstoggaflm. As others have alluded to, you occasionally need to troubleshoot the inevitable "the issue is / isn't the firewall," whether your firewall is software, hardware, appliance or otherwise.

I won't comment on the security / wisdom of running Wireshark itself as other posters have added some good points pro and con.

It depends what YOU want to do in YOUR environment.

My 00000010bits.

Regards



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL
reply to SpHeRe31459

said by SpHeRe31459:

said by aefstoggaflm:

While I know that there are different software firewalls: Does one ever have to add Wireshark to a software firewall, to get Wireshark to see traffic to and from the computer that it is running on?

Thanks

Nope, I have never needed to configure the firewall to get packets to work. Doesn't mean you might not need to with a very locked down set of rules or something.

Is this using the standard Windows firewall on XP? on Win7? or another firewall product?

I was asking in general.

On my computers running Windows, the firewall built into Windows.

On my computers running a distro of unix/linux, that is another matter....
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.