Ask Your Question
0

WS 3.2 on Mac: ring buffer file permission and file extension

asked 2020-02-26 19:24:48 +0000

rishi_sanju gravatar image

updated 2020-02-27 03:17:04 +0000

Guy Harris gravatar image

Hi All,

Using WS 3.2 on MAC and created ring buffer to continuous capture. Capture is working fine. Wanted to know 2 things: 1. When the capture file is created, file is created with "600" permission. umask did not help. Is there an option to set to make it say 644 or some other file permission. 2. Capture file is created without any file extension, is there a setting to include the file extension(.pcapng).

Thanks

edit retag flag offensive close merge delete

Comments

Who are the owner and group of the capture files?

Chuckc gravatar imageChuckc ( 2020-02-26 20:11:46 +0000 )edit

There is only one additional user created(UID: 501, GID: 20) and using that account to setup the wireshark captures.

rishi_sanju gravatar imagerishi_sanju ( 2020-02-26 20:54:22 +0000 )edit

I'm not a Mac guy. Look over these.
https://blog.wireshark.org/2010/02/ru...
https://wiki.wireshark.org/CaptureSet...

If changing dumpcap helps with permissions then we can look at the file extension problem.

Chuckc gravatar imageChuckc ( 2020-02-26 22:58:41 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-02-27 16:06:58 +0000

rishi_sanju gravatar image

updated 2020-02-27 18:24:16 +0000

Thx to you all for help. For the benefit of the readers, here are the answers in short:

  1. Ring buffer capture file is created with 0600 permission. There is no option in wireshark GUI, but in command line, user can use "-g" option.
  2. To have the file extension, user needs to provide the extension explicitly. For example: "hello.pcapng", will have something like "hello_00001_20200226191351.pcapng.
edit flag offensive delete link more
0

answered 2020-02-27 03:16:17 +0000

Guy Harris gravatar image

When the capture file is created, file is created with "600" permission. umask did not help.

Wireshark's done that since 1999; the commit to do that was

commit c31abd81fa1fa78b0ac19d0b1de3d492a016768c
Author: Gilbert Ramirez <[email protected]>
Date:   Sat Jul 31 23:06:13 1999 +0000

    chmod() the temporary capture file to 0600 so that only the user can
    read the trace. We chmod() after pcap creates the file, but before it actually
    writes data there. Thanks to Frederic Peters <[email protected]>,
    the Debian maintainer of Ethereal, for pointing this out.

Is there an option to set to make it say 644 or some other file permission.

There is, but it's command-line only (-g); there's no such option for Wireshark.

  1. Capture file is created without any file extension, is there a setting to include the file extension(.pcapng).

No - if you give an explicit file name (which you have to do with a ring buffer), you have to give the extension explicitly, e.g. if you specify "hello.pcapng" in the Output pane of the Capture Options dialog, the files have names like hello_00001_20200226191351.pcapng.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-02-26 19:24:48 +0000

Seen: 259 times

Last updated: Feb 27 '20