Securing Wireshark

Posted on January 14, 2014

Wireshark can sniff and analyze network traffic and is very useful. But it also has a very large attack surface due to the large number of protocols it supports, and some of those are obviously bound to contain exploitable vulnerabilities. By disabling unnecessary protocols you can reduce that risk. To choose which protocols should be enabled or disabled, click Analyze > Enabled Protocols.

Since there are just too many of them to go through them all, I recommend disabling all of them (click Disable All). Then enable those you need. For typical “internet use” I recommend at least these:

You also need to enable the application-level protocols you need, e.g. HTTP, SSH, OCSP, etc. And note that many protocols are encapsulated inside another protocol, e.g. OCSP queries are sent inside HTTP requests. In such cases you need to enable the encapsulating protocols as well.
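Clicking through the dialog works once, but the allowlist approach above is easier to keep in force (and to re-apply after an upgrade) as a script. The following is an added example, not code from the original post. It assumes that `tshark -G protocols` prints one protocol per line, tab-separated, with the dissector's filter name in the third column, and that Wireshark reads a `disabled_protos` file (one filter name per line) from the profile directory (`~/.config/wireshark` on current versions, `~/.wireshark` on older ones). The allowlist itself is a constructed starting point, not the author's list; the carrier protocols (eth, ethertype, ip, tcp, ...) are included for the reason given above.

```shell
#!/bin/sh
# Build a Wireshark disabled_protos file from an allowlist of filter names.
# Added example (not from the original post). Assumptions:
#   - `tshark -G protocols` prints "name<TAB>short name<TAB>filter name" per line;
#   - Wireshark reads $PROFILE_DIR/disabled_protos, one filter name per line.
# Constructed allowlist: leaf protocols AND every protocol they are carried in.
# "tls" is called "ssl" on Wireshark before 3.0; listing both is harmless.
ALLOWLIST="${ALLOWLIST:-eth ethertype arp ip ipv6 icmp tcp udp dns http tls ssl ssh ocsp}"
PROFILE_DIR="${PROFILE_DIR:-$HOME/.config/wireshark}"

# is_allowed NAME -> 0 if NAME is in $ALLOWLIST
is_allowed() {
    for p in $ALLOWLIST; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# build_disabled_list < protocol-table -> every filter name that is not allowed,
# preceded by a comment recording which allowlist produced it
build_disabled_list() {
    printf '# generated from allowlist: %s\n' "$ALLOWLIST"
    while IFS="$(printf '\t')" read -r _name _short filter _rest; do
        [ -n "$filter" ] || continue
        is_allowed "$filter" || printf '%s\n' "$filter"
    done
}

# report_new EXISTING < protocol-table -> filter names that are neither allowed
# nor already present in EXISTING, i.e. dissectors that appeared since the
# file was generated (typically after an upgrade). Empty output is not an error.
report_new() {
    build_disabled_list | grep -v '^#' | grep -vxF -f "$1" || [ $? -eq 1 ]
}

# install_disabled_protos -> regenerate the profile's disabled_protos from tshark
install_disabled_protos() {
    mkdir -p "$PROFILE_DIR"
    if [ -f "$PROFILE_DIR/disabled_protos" ]; then
        echo "new since last run:"
        tshark -G protocols | report_new "$PROFILE_DIR/disabled_protos"
    fi
    tshark -G protocols | build_disabled_list > "$PROFILE_DIR/disabled_protos"
    echo "wrote $PROFILE_DIR/disabled_protos ($(grep -vc '^#' "$PROFILE_DIR/disabled_protos") protocols disabled)"
}

# Usage: ./disable-protos.sh --install   (after quitting Wireshark)
if [ "${1:-}" = --install ]; then
    install_disabled_protos
fi
```

Run it with `--install` while Wireshark is not running, since Wireshark rewrites the file on exit. Because everything not on the allowlist is disabled, a dissector added by an upgrade is caught on the next run rather than silently staying enabled.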

Reminder - Don’t run Wireshark as root!

If you haven’t already, you may want to run these commands (source) to make it possible to capture without running as root:


sudo groupadd --system wireshark
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 754 /usr/bin/dumpcap
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
sudo adduser youraccount wireshark
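The commands above are easy to get subtly wrong (a stray `chmod 755`, a package upgrade that reinstalls dumpcap without the capabilities, or a setuid-root dumpcap left over from an older setup), so it is worth having a check you can rerun. The following is an added example, not part of the original post; it audits the group, mode and file capabilities of dumpcap against what the commands above establish. It assumes GNU `stat` (with a BSD `stat` fallback) and, for the capability check, libcap's `getcap`; if `getcap` is missing it only warns. `DUMPCAP` and the function names are this example's own.

```shell
#!/bin/sh
# Audit whether dumpcap is set up for non-root capture as in the commands above.
# Added example (not from the original post). Assumes GNU or BSD stat and,
# optionally, libcap's getcap for the capability check.
DUMPCAP="${DUMPCAP:-/usr/bin/dumpcap}"

# file_mode PATH -> octal permission bits, e.g. 754 or 4755 (setuid + 755)
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1")
    printf '%s\n' "${m#0}"   # BSD stat prints a leading 0 when no special bits are set
}

# file_group PATH -> owning group name
file_group() { stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"; }

# has_setuid MODE -> 0 when the setuid bit is set (4xxx, 5xxx, 6xxx or 7xxx)
has_setuid() {
    case "$1" in
        [4567]???) return 0 ;;
        *) return 1 ;;
    esac
}

# others_can_execute MODE -> 0 when the "other" digit carries the x bit.
# 754 deliberately leaves it off so only group members can start dumpcap.
others_can_execute() {
    case "$1" in
        *[1357]) return 0 ;;
        *) return 1 ;;
    esac
}

# has_capture_caps PATH -> 0 if getcap reports cap_net_raw and cap_net_admin,
# 1 if either is missing, 2 if getcap is not installed
has_capture_caps() {
    command -v getcap >/dev/null 2>&1 || return 2
    caps=$(getcap "$1" 2>/dev/null || true)
    case "$caps" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_dumpcap PATH -> 0 when group, mode and capabilities all match the setup above
audit_dumpcap() {
    path=$1 rc=0
    mode=$(file_mode "$path")
    group=$(file_group "$path")
    if has_setuid "$mode"; then
        echo "FAIL: $path is setuid (mode $mode); use capabilities, not setuid root"; rc=1
    fi
    if others_can_execute "$mode"; then
        echo "FAIL: $path is executable by everyone (mode $mode); expected 754"; rc=1
    fi
    if [ "$group" != wireshark ]; then
        echo "FAIL: $path is owned by group '$group'; expected 'wireshark'"; rc=1
    fi
    has_capture_caps "$path" && caprc=0 || caprc=$?
    case "$caprc" in
        1) echo "FAIL: $path lacks cap_net_raw/cap_net_admin; rerun the setcap command"; rc=1 ;;
        2) echo "WARN: getcap not found; capability check skipped" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $path is ready for non-root capture by group wireshark"
    return "$rc"
}

if [ -e "$DUMPCAP" ]; then
    audit_dumpcap "$DUMPCAP" || echo "dumpcap is NOT set up for non-root capture"
else
    echo "$DUMPCAP not found; set DUMPCAP=/path/to/dumpcap"
fi
```

Running this after every Wireshark package upgrade catches the common regression where the binary is replaced and the capabilities are lost, which is exactly when people are tempted to fall back to `sudo wireshark`.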

Comments

Samuel 2015-01-28, 20:10

A little heads up: When you upgrade Wireshark, any new protocols will be enabled by default.

So I'd recommend periodically checking the enabled protocols, just to make sure nothing unwanted is enabled.
