Wireshark and nftables

Hi,

I have Wireshark installed on Linux and it works fine.

When starting Wireshark, it was starting very quickly (less than 2 seconds) until I set up nftables.

It then started to pause on 'Initializing external capture plugins' for about 20-25 seconds.

I have been trying to work out what it was stumbling over and have come up with the following:

  1. With only a very simple input and output chain that have 'accept' as their default states, Wireshark starts quickly.
  2. With either or both being set to 'drop', Wireshark pauses.
  3. With both being set to 'accept' and the loopback, eth, wlan interfaces all being set to 'drop', Wireshark starts quickly.
  4. With either or both being set to 'drop' and all the interfaces shown by Wireshark except for 'bluetooth-monitor' being set to 'accept', Wireshark pauses.
  5. With either or both being set to 'accept' and all the interfaces shown by Wireshark except for 'bluetooth-monitor' being set to 'drop', Wireshark starts quickly.

I am unable to add 'bluetooth-monitor' as an interface to nftables even to test. The error reported by the syntax checker is that the interface name exceeds 16 characters! I also tried adding 'pan1' to nftables, which compiled OK but made no difference. I should note that there is no Bluetooth interface on this host.

Has anyone got any suggestions:

A. what may be causing Wireshark to start slower? (Resolved: Loopback interface was blocked - see comment by @johnthacker below - thanks)

B. what troubleshooting steps I could take next? (Resolved: Thanks @Jaap, @Guy-Harris and johnthacker for your suggestions)

C. fingers crossed - what a fix might be? ;-) (Resolved: See above)

Many Thanks

Kernel 6.1.75

Wireshark 4.0.12
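
A check for the condition named in the resolution (loopback blocked by a drop-policy chain), as an added example that is not part of the original post. It scans the text printed by `nft list ruleset`; the sample ruleset and the function name `chains_blocking_loopback` are constructed for illustration, and only rules written directly in the input/output base chains are inspected (jumps and sets are not followed).

```python
import re

# Constructed sample of `nft list ruleset` output (not from the original post):
# both base chains default to drop and only eth0 is explicitly accepted.
SAMPLE_RULESET = '''
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "eth0" accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oifname "eth0" accept
    }
}
'''

# A loopback accept rule matches on iif/iifname (input) or oif/oifname (output).
LO_RULE = {
    "input": re.compile(r'\biif(name)?\s+"?lo"?\s.*\baccept\b'),
    "output": re.compile(r'\boif(name)?\s+"?lo"?\s.*\baccept\b'),
}
HOOK = re.compile(r"type filter hook (input|output) .*policy (\w+);")


def chains_blocking_loopback(ruleset: str):
    """Return (table, chain, hook) for drop-policy base chains with no lo accept rule."""
    findings, table, chain, hook, lo_ok = [], None, None, None, False
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("table "):
            table = " ".join(line.split()[1:3])      # e.g. "inet filter"
        elif line.startswith("chain "):
            chain, hook, lo_ok = line.split()[1], None, False
        elif chain and (m := HOOK.search(line)):
            hook = m.group(1) if m.group(2) == "drop" else None
        elif chain and hook and LO_RULE[hook].search(line):
            lo_ok = True
        elif line == "}" and chain:                  # end of the current chain
            if hook and not lo_ok:
                findings.append((table, chain, hook))
            chain = None
    return findings


if __name__ == "__main__":
    for table, chain, hook in chains_blocking_loopback(SAMPLE_RULESET):
        print(f"{table} / {chain}: policy drop on {hook} hook, no loopback accept rule")
```

On a live host, pass the saved output of `nft list ruleset` to the function instead of the sample.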