Ask Your Question
0

Restrict Wireshark delivery with default-filter

asked 2020-01-08 11:30:23 +0000

Is it possible to restrict Wireshark to a dedicated port on the local host per deployment?

Use Case:

We consider to deliver Wireshark as a troubleshooting tool with our Windows based product. But we have to avoid to install a hacker-tool on the customer's machine. It shall only be possible to monitor the traffic on a dedicated port of the local host. Even our service technicians shall not be able to use Wireshark to sniff any other network traffic.

We could maybe do a source-code change and compile the program by ourselves. (Was this maybe already done by someone in the past?)

Background:

Our Software runs on dedicated machines in the customer's LAN. Device-Guard is running on these systems to prevent the users to run any not allowed programs. So it would not be possible for a service technician to download and run Wireshark by himself.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-01-08 19:00:39 +0000

Jaap gravatar image

It seems you want to restrict capture to a specific interface. Wireshark is totally indifferent of the interfaces it can request to capture from. The inventory of capture interfaces, and for that matter the actual capturing, is done by a capture driver, npcap to be exact. You'll need to look there to see what restrictions are possible, if at all. Please be aware of the restrictions that apply using npcap for commercial distribution.

edit flag offensive delete link more
0

answered 2020-01-08 11:39:04 +0000

grahamb gravatar image

Wireshark is a Packet Analyser, not a "hacker tool". Wireshark can be used by a "hacker" but so can Notepad or a pencil.

Sure you can always modify the code, but you must abide by the terms of the GPL licence that Wireshark is released under when you distribute the modified code to customers.

edit flag offensive delete link more

Comments

Uuups, it seems I used a sensitive buzz-word. ;-) - Sorry for that. I'm just looking for proposals to perform such a restriction as mentioned above.

Burkhard gravatar imageBurkhard ( 2020-01-08 11:47:25 +0000 )edit

The less we conflate the words "Hacker" and "Wireshark" the better, as it won't confuse the PHB's.

grahamb gravatar imagegrahamb ( 2020-01-08 12:07:02 +0000 )edit

The DISA security STIGs generally call out this and other network analysis tools as not allowed for a good security posture. Here are some examples:

https://www.stigviewer.com/stig/oracl...https://www.stigviewer.com/stig/aix_5...

Unfortunately, the US Govt is helping causing some of that confusion!

Bob Jones gravatar imageBob Jones ( 2020-01-08 13:30:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-01-08 11:30:23 +0000

Seen: 50 times

Last updated: Jan 08