This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Putting tshark on RHEL without installing a Wireshark RPM?


Is it possible to use tshark without installing wireshark/tshark rpms on the linux box? I'd like to create a monitoring script to take live traces (and then decode the trace) on a linux node, but I'm not allowed to install any patches on the node. So I'm just wondering if I can somehow just put the libraries/files required to run tshark into a directory and use tshark without installing anything?

asked 23 Nov '15, 14:53

Juha
accept rate: 0%

edited 23 Nov '15, 14:56

Guy Harris ♦♦


One Answer:


You could copy the tshark executable file compiled for your linux distribution into some directory you are allowed to write to, but without root privileges the executable won't be allowed to hook to the network interfaces anyway.

But if tcpdump is already installed and can be run with root privileges e.g. using sudo (consult your admin), then you could let the tshark executable read the capture saved by tcpdump and decode it in a more user-friendly way.

answered 23 Nov '15, 14:57

sindy
accept rate: 24%

edited 23 Nov '15, 15:00

You could copy the tshark executable file compiled for your linux distribution into some directory you are allowed to write to

But if it's dynamically linked with the Wireshark libraries, you'll have to copy them as well, and somehow arrange for the executable to find them when run.

but without root privileges the executable won't be allowed to hook to the network interfaces anyway.

So, yeah, you're going to need at least some privileges on that node, even if it's only the ability to run the monitoring script (and the program it uses, whether it's TShark or tcpdump or...) as root.

(23 Nov '15, 15:45) Guy Harris ♦♦

Yep, I noticed I had to get the shared libraries as well and set the library path temporarily. I then ran into an issue where tshark looks for dumpcap in /usr/sbin/, but I'd like to have all related files in my own directory, e.g. /export/home/monitor/, and not have to have files or links populated in other system directories. I can use root privileges to run the script, but I cannot install packages or really touch any system files/directories.

(23 Nov '15, 18:44) Juha

As you seem to be forced to use complex technical solutions to overcome simple administrative restrictions, and as you haven't reacted to my notice about tcpdump which might already be installed, the solution to your needs could be to "non-install" dumpcap the same way as you've "non-installed" tshark.

If you ask tshark to capture from a physical interface, it internally invokes dumpcap (and because I am a "non-dev", I can only suppose that tshark passes an invocation command to the shell, which implies that it is enough if dumpcap is somewhere on the standard path where the shell looks for executables).

So your first step would be to non-install dumpcap and check that it can capture.

Next, you would try to augment the path on which the shell is looking for executables, i.e. so that you could manually execute dumpcap by simply dumpcap rather than ./dumpcap. If you succeed, tshark should then be able to run it as well.

Should this not be possible (because you cannot augment the path or because it is not enough for tshark to reach dumpcap), you can first run dumpcap and ask it to write the captured data to a file by appending -w your_file_name to its parameters, and after capturing what you wanted, ask tshark to use that file as capture input - instead of -i ethX, you'd use -r your_file_name.

If you need it "realtime", you can use a pipe instead of an intermediate file:

dumpcap -i ethX -P -w - | tshark -k -i -

However, this last possibility may have a drawback, which is that you may not be able to capture from several interfaces in parallel because until recently, tshark did not accept pcapng format on an input pipe, and I don't know which version you are using. This is the reason why -P is used as a dumpcap parameter; however, specifying more than one -i overrides the -P.

(24 Nov '15, 03:17) sindy
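The steps from the last two comments (copy the shared libraries and set the library path, put the private directory on PATH so dumpcap resolves without ./, then either capture to a file and decode it with tshark -r or use the pipe) can be wrapped in one monitoring script. The script below is an added example, not code from the thread or from the Wireshark project; the directory /export/home/monitor, the interface name, the file name and the assumption that tshark locates dumpcap through PATH (as sindy supposes) are all assumptions taken from the discussion.

```shell
#!/bin/sh
# Added example (not from the thread): run a "non-installed" tshark/dumpcap pair
# from a private directory, following the steps in sindy's last comment.
# MON_DIR, IFACE and CAP_FILE are assumed values; override them via the environment.

MON_DIR="${MON_DIR:-/export/home/monitor}"     # assumed private directory
IFACE="${IFACE:-eth0}"                          # assumed interface (ethX in the thread)
CAP_FILE="${CAP_FILE:-$MON_DIR/capture.pcap}"   # assumed output file

# Step 1: make the private directory's binaries and copied shared libraries
# visible. PATH is prepended so that "dumpcap" resolves to $MON_DIR/dumpcap
# (assuming, as the thread does, that tshark finds dumpcap via PATH);
# LD_LIBRARY_PATH covers the Wireshark libraries copied into $MON_DIR/lib.
setup_env() {
    dir="$1"
    PATH="$dir:$PATH"
    LD_LIBRARY_PATH="$dir/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export PATH LD_LIBRARY_PATH
}

# Lists shared objects an executable still cannot find after setup_env;
# empty output means the copied libraries are sufficient.
missing_libs() {
    ldd "$1" 2>/dev/null | awk '/not found/ {print $1}'
}

# Step 2: check that dumpcap resolves through PATH rather than ./dumpcap.
dumpcap_on_path() {
    command -v dumpcap >/dev/null 2>&1
}

# Step 3a (fallback): capture a bounded number of packets to a file, then
# decode it with tshark -r. -P keeps pcap format so an older tshark reads it.
capture_to_file() {
    dumpcap -i "$IFACE" -P -w "$CAP_FILE" -c "${1:-100}" && tshark -r "$CAP_FILE"
}

# Step 3b: the realtime pipe from the thread (single interface only, see -P caveat).
capture_pipe() {
    dumpcap -i "$IFACE" -P -w - | tshark -k -i -
}

# Only capture when explicitly requested, so sourcing this file has no side effects.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    # Opening a physical interface needs root (or CAP_NET_RAW), as the answer notes.
    [ "$(id -u)" -eq 0 ] || { echo "dumpcap needs root to open $IFACE" >&2; exit 1; }
    setup_env "$MON_DIR"
    if [ -n "$(missing_libs "$MON_DIR/tshark")" ]; then
        echo "tshark still misses libraries: $(missing_libs "$MON_DIR/tshark")" >&2; exit 1
    fi
    dumpcap_on_path || { echo "dumpcap not found on PATH" >&2; exit 1; }
    capture_to_file 100
fi
```

Run it as `RUN_CAPTURE=1 sudo sh monitor.sh`; the script sets PATH and LD_LIBRARY_PATH itself after sudo has started it, because sudo's env_reset would otherwise discard both variables from the caller's environment.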