Ask Your Question
0

Restrict Wireshark delivery with default-filter

asked 2020-01-08 11:30:23 +0000

Burkhard gravatar image

Is it possible to restrict Wireshark to a dedicated port on the local host per deployment?

Use Case:

We consider to deliver Wireshark as a troubleshooting tool with our Windows based product. But we have to avoid to install a hacker-tool on the customer's machine. It shall only be possible to monitor the traffic on a dedicated port of the local host. Even our service technicians shall not be able to use Wireshark to sniff any other network traffic.

We could maybe do a source-code change and compile the program by ourselves. (Was this maybe already done by someone in the past?)

Background:

Our Software runs on dedicated machines in the customer's LAN. Device-Guard is running on these systems to prevent the users to run any not allowed programs. So it would not be possible for a service technician to download and run Wireshark by himself.

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-01-08 19:00:39 +0000

Jaap gravatar image

It seems you want to restrict capture to a specific interface. Wireshark is totally indifferent of the interfaces it can request to capture from. The inventory of capture interfaces, and for that matter the actual capturing, is done by a capture driver, npcap to be exact. You'll need to look there to see what restrictions are possible, if at all. Please be aware of the restrictions that apply using npcap for commercial distribution.

edit flag offensive delete link more
add a comment
0

answered 2020-01-08 11:39:04 +0000

grahamb gravatar image

Wireshark is a Packet Analyser, not a "hacker tool". Wireshark can be used by a "hacker" but so can Notepad or a pencil.

Sure you can always modify the code, but you must abide by the terms of the GPL licence that Wireshark is released under when you distribute the modified code to customers.

edit flag offensive delete link more

Comments

Uuups, it seems I used a sensitive buzz-word. ;-) - Sorry for that. I'm just looking for proposals to perform such a restriction as mentioned above.

Burkhard gravatar imageBurkhard ( 2020-01-08 11:47:25 +0000 )edit

The less we conflate the words "Hacker" and "Wireshark" the better, as it won't confuse the PHB's.

grahamb gravatar imagegrahamb ( 2020-01-08 12:07:02 +0000 )edit

The DISA security STIGs generally call out this and other network analysis tools as not allowed for a good security posture. Here are some examples:

https://www.stigviewer.com/stig/oracl...https://www.stigviewer.com/stig/aix_5...

Unfortunately, the US Govt is helping causing some of that confusion!

Bob Jones gravatar imageBob Jones ( 2020-01-08 13:30:45 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2020-01-08 11:30:23 +0000

Seen: 225 times

Last updated: Jan 08 '20

Related questions

No packets from Datacom aggregate TAP

Distributable custom preferences and profile

tshark -C $profile produces "Configuration Profile does not exist"

Is it possible to use an arp cache in your profile?

Unable to display IEEE1722-1 packet in Wireshark 3.0.3

TShark Config profile - Configuration Profile "x" does not exist

How could I find some development codes such as config. h, epan/packet.h, plugins/epan/gryphon)

Configuring Wireshark in promiscuous mode

Why can't I see network adapters, or capture on them, after installing Wireshark on Ubuntu?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2