Upstream has released new versions on November 30: https://www.wireshark.org/news/20171130.html

Updated package uploaded for Mageia 6.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

The wireshark package has been updated to version 2.2.11, which fixes a few security issues where a malformed packet trace could cause it to crash, and fixes several other bugs as well. See the release notes for details.

References:
https://www.wireshark.org/security/wnpa-sec-2017-47.html
https://www.wireshark.org/security/wnpa-sec-2017-48.html
https://www.wireshark.org/security/wnpa-sec-2017-49.html
https://www.wireshark.org/docs/relnotes/wireshark-2.2.11.html
https://www.wireshark.org/news/20171130.html
========================

Updated packages in core/updates_testing:
========================
wireshark-2.2.11-1.mga6
libwireshark8-2.2.11-1.mga6
libwiretap6-2.2.11-1.mga6
libwscodecs1-2.2.11-1.mga6
libwsutil7-2.2.11-1.mga6
libwireshark-devel-2.2.11-1.mga6
wireshark-tools-2.2.11-1.mga6
tshark-2.2.11-1.mga6
rawshark-2.2.11-1.mga6
dumpcap-2.2.11-1.mga6

from wireshark-2.2.11-1.mga6.src.rpm
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Wireshark
Keywords: (none) => has_procedure
Mageia 6 :: x86_64

Installed all the packages. Added user to wireshark group. Restarted the session.

$ id
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),952(wireshark),958(dirsrv),963(mysql)

Updated the packages listed. Referred to the QA test procedure:

$ wireshark -n wiresharktest
<wiresharktest does not exist>
The gui launches.

$ tshark -nr wiresharktest
tshark: The file "wiresharktest" doesn't exist.

$ editcap -r wiresharktest wiresharktest50 1-50
editcap: Can't open wiresharktest: No such file or directory

$ updatedb
$ locate wiresharktest
$ locate wiresharktest50
$ cd /usr/share/wireshark
$ ls
No sign of any test files.

$ rpm -qa | grep wireshark
lib64wireshark-devel-2.2.11-1.mga6
wireshark-tools-2.2.11-1.mga6
lib64wireshark8-2.2.11-1.mga6
wireshark-2.2.11-1.mga6
CC: (none) => tarazed25
Continuing from comment 2.

Tried to set up a capture filter in the main interface but nothing seemed to work; most buttons remained greyed out.

Wireshark -> capture interfaces -> input
capture filter = ether 192.168.1.156
specified output file lcl.cap
traffic traces for Ethernet and Linux cooked looked the same and mirrored the traces in gkrellm.
start button greyed out.
Changing ether to enp2s0 had no effect.
capture filter = tcp port 80
Start still greyed out.

Pretty sure I tested this in the past and managed to capture a packet stream OK and see the hexdump. randpkt works OK and dftest ip.
Something is not working here - no idea what.
Finally found a filter which worked:
capture filter = host belexeuli
The windows turned green and the OK button became active.

So what could be wrong with the interface? It did not accept any of the other possibilities listed in the tutorial; real MAC addresses, host <numerical ip>, ether, enp2s0, whatever.
$ wireshark lcl1.cap
Showed all 555 lines in a scrolled window with accompanying hexdumps.

$ tshark -nr lcl1.cap
This did the same but all at once in the terminal.

$ randpkt -b 500 -t dns wireshark_dns.pcap
$ wireshark wireshark_dns.pcap
Showed a 1000 line file with 2 random addresses for source and destination.

$ editcap -r lcl1.cap dns wireshark_dns.pcap 1-50
No output.

Ran wireshark again with capturefilter = host vega and no output file specified.
$ ls -l /tmp/wireshark*
-rw------- 1 lcl lcl 3712 Dec 3 11:53 /tmp/wireshark_enp2s0_20171203115245_qHvE7L.pcapng
$ mv /tmp/wireshark_enp2s0_20171203115245_qHvE7L.pcapng lcl2.cap
$ editcap -r lcl1.cap lcl2.cap 1-50
No output.

$ mergecap -v -w wiresharkmerged lcl1.cap lcl2.cap
...........................
Record: 605
mergecap: merging complete

$ dftest ip
Filter: "ip"
Constants:
Instructions:
00000 CHECK_EXISTS ip
00001 RETURN

$ capinfos lcl2.cap
File name: lcl2.cap
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 50
File size: 10 kB
Data size: 8574 bytes
Capture duration: 90.665830 seconds
..........................

So that all looks fine but shall reserve the OK until somebody explains why wireshark rejects all other capture filters.
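Two things in this thread point the same way: capinfos above identifies the renamed lcl2.cap as pcapng from its content, not its name, and the advisory's fixes are for malformed traces crashing Wireshark. As an added example that is not part of this bug report or of Wireshark's own code, the Python below classifies a trace by magic number rather than extension and walks pcapng blocks with bounds checks, rejecting truncated or inconsistent files before a dissector ever sees them; the sample file and its packet bytes are constructed here, and all function names are mine.

```python
import struct

# Constructed sample frame (not from a real capture): broadcast Ethernet header, IPv4 EtherType, filler.
PKT = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x45" + b"\x00" * 19
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D, 0xD4C3B2A1, 0x4D3CB2A1)  # classic pcap, usec/nsec, LE/BE
PCAPNG_BOM = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}  # 0x1A2B3C4D as written LE / BE

def inspect_capture(data):
    """Classify a trace by its magic number rather than its file extension, and for pcapng
    walk every block with bounds checks. Raises ValueError on truncated or inconsistent input."""
    magic = struct.unpack("<I", data[:4])[0] if len(data) >= 4 else None
    if magic == 0x0A0D0D0A:  # pcapng Section Header Block type, same in either byte order
        return inspect_pcapng(data)
    if magic in PCAP_MAGICS:
        return {"type": "pcap", "packets": None}  # classic pcap: recognised here, not walked
    raise ValueError("not a pcap or pcapng file")

def inspect_pcapng(data):
    bo = PCAPNG_BOM.get(data[8:12])
    if bo is None:
        raise ValueError("bad or missing byte-order magic in section header block")
    off, packets = 0, 0
    while off < len(data):  # every block: type, total length, body, total length repeated
        if off + 12 > len(data):
            raise ValueError("truncated block header at offset %d" % off)
        btype, blen = struct.unpack(bo + "II", data[off:off + 8])
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("block length %d at offset %d runs past the file" % (blen, off))
        if struct.unpack(bo + "I", data[off + blen - 4:off + blen])[0] != blen:
            raise ValueError("leading and trailing block lengths differ at offset %d" % off)
        packets += btype == 6  # Enhanced Packet Block
        off += blen
    return {"type": "pcapng", "packets": packets}

def is_well_formed(data):
    try:
        return bool(inspect_capture(data))
    except ValueError:
        return False

def sample_pcapng():
    """Constructed little-endian pcapng: section header, Ethernet interface block, one packet block."""
    shb = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", 1, 20, 1, 0, 65535, 20)
    body = PKT + b"\x00" * (-len(PKT) % 4)  # packet bytes padded to a 32-bit boundary
    blen = 32 + len(body)
    epb = struct.pack("<IIIIIII", 6, blen, 0, 0, 0, len(PKT), len(PKT)) + body + struct.pack("<I", blen)
    return shb + idb + epb
```

Run inspect_capture(open(path, "rb").read()) on a trace before opening it in Wireshark; a file renamed from .pcapng to .cap still comes back as pcapng, while a trace cut short or with a mismatched block trailer is refused.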
MGA6-32 on Dell Latitude D600 MATE
No installation issues.
Added wireshark group to my user, logged in again, then got something I've never seen on previous wireshark updates:
$ wireshark -n wiresharktest
wireshark: relocation error: /lib/libQt5Widgets.so.5: symbol _ZTV13QInputControl, version Qt_5_PRIVATE_API not defined in file libQt5Gui.so.5 with link time reference
Googling on the error did not make me any wiser.
CC: (none) => herman.viaene
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test: wireshark lib64wireshark8 lib64wiretap6 lib64wsutil7 wireshark-tools tshark

Assign wilcal to the wireshark group, restart wilcal.

default install of :
[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.2.10-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wireshark8
Package lib64wireshark8-2.2.10-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wiretap6
Package lib64wiretap6-2.2.10-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64wsutil7
Package lib64wsutil7-2.2.10-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.2.10-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi tshark
Package tshark-2.2.10-1.mga6.x86_64 is already installed

Running wireshark I can capture and save to a file (test01.pcapng) the traffic on enp0s3. Close wireshark. I can reopen test01.pcapng with wireshark and review the data.
wireshark tools like tshark work:
tshark >> test01.txt works
Capturing on 'enp0s3'
2345 ^Z ( captured lines )
[1]+ Stopped tshark >> test01.txt
Set a filter:
ip.src == 192.168.1.65 ( this system )
ip.addr == 192.168.1.70 ( Yamaha receiver )
Set filter to:
not ip.addr == 192.168.1.65 and not ip.src == 192.168.1.70
Filter works and captures to test02.pcapng

install wireshark lib64wireshark7 lib64wiretap5 lib64wsutil6 wireshark-tools tshark from updates_testing
[root@localhost Documents]# urpmi wireshark
Package wireshark-2.2.11-1.mga6.x86_64 is already installed
[root@localhost Documents]# urpmi lib64wireshark8
Package lib64wireshark8-2.2.11-1.mga6.x86_64 is already installed
[root@localhost Documents]# urpmi lib64wiretap6
Package lib64wiretap6-2.2.11-1.mga6.x86_64 is already installed
[root@localhost Documents]# urpmi lib64wsutil7
Package lib64wsutil7-2.2.11-1.mga6.x86_64 is already installed
[root@localhost Documents]# urpmi wireshark-tools
Package wireshark-tools-2.2.11-1.mga6.x86_64 is already installed
[root@localhost Documents]# urpmi tshark
Package tshark-2.2.11-1.mga6.x86_64 is already installed

Running wireshark I can capture and save to a file (test02.pcapng) the traffic on enp0s3. Close wireshark. Reopen test01.pcapng & test02.pcapng with wireshark and review the data.

wireshark tools like tshark work:
tshark >> test02.txt works and captures to test04.pcapng
Capturing on 'enp0s3'
6601 ^Z ( captured lines )
[1]+ Stopped tshark >> test02.txt
Set a filter:
ip.src == 192.168.1.65 ( this system )
ip.addr == 192.168.1.70 ( Yamaha receiver )
Set filter to:
not ip.addr == 192.168.1.65 and not ip.src == 192.168.1.70
Filter works.

Interesting to note that I have set my system DNS server to the new IBM QUAD9 server. Wireshark clearly displays all the accesses that are being made to that server. Example:
36 6.829157872 10.0.2.15 → 9.9.9.9 DNS 79 Standard query 0xb9d4 A ocsp.globalsign.com
CC: (none) => wilcal.int
Whiteboard: (none) => MGA6-64-OK
In VirtualBox, M6, Plasma, 32-bit

Package(s) under test: wireshark libwireshark8 libwiretap6 libwsutil7 wireshark-tools tshark

Assign wilcal to the wireshark group, restart wilcal.

default install of :
[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.2.10-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libwireshark8
Package libwireshark8-2.2.10-1.mga6.i586 is already installed
Marking libwireshark8 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi libwiretap6
Package libwiretap6-2.2.10-1.mga6.i586 is already installed
Marking libwiretap6 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi libwsutil7
Package libwsutil7-2.2.10-1.mga6.i586 is already installed
Marking libwsutil7 as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.2.10-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi tshark
Package tshark-2.2.10-1.mga6.i586 is already installed

Running wireshark I can capture and save to a file (test01.pcapng) the traffic on enp0s3. Close wireshark. I can reopen test01.pcapng with wireshark and review the data.

wireshark tools like tshark work:
tshark >> test01.txt works
Capturing on 'enp0s3'
2843 ^Z ( captured lines )
[1]+ Stopped tshark >> test01.txt
Set a filter:
ip.src == 192.168.1.65 ( this system )
ip.addr == 192.168.1.70 ( Yamaha receiver )
Set filter to:
not ip.addr == 192.168.1.65 and not ip.src == 192.168.1.70
Filter works.
install wireshark libwireshark7 libwiretap5 libwsutil6 wireshark-tools tshark from updates_testing
[root@localhost wilcal]# urpmi wireshark
Package wireshark-2.2.11-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libwireshark8
Package libwireshark8-2.2.11-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libwiretap6
Package libwiretap6-2.2.11-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libwsutil7
Package libwsutil7-2.2.11-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi wireshark-tools
Package wireshark-tools-2.2.11-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi tshark
Package tshark-2.2.11-1.mga6.i586 is already installed

Running wireshark I can capture and save to a file (test02.pcapng) the traffic on enp0s3. Close wireshark. Reopen test01.pcapng & test02.pcapng with wireshark and review the data.

wireshark tools like tshark work:
tshark >> test02.txt works
Capturing on 'enp0s3'
5173 ^Z ( captured lines )
[1]+ Stopped tshark >> test02.txt
Set a filter:
ip.src == 192.168.1.65 ( this system )
ip.addr == 192.168.1.70 ( Yamaha receiver )
Set filter to:
not ip.addr == 192.168.1.65 and not ip.src == 192.168.1.70
Filter works.
Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
Good to go
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Addendum to comment 5. wilcal's tests prompted me to explore further and revealed that there are capture filters and display filters, captures to constrain the data and display to further constrain that for viewing. Makes a little more sense now.
Of all the tools we test Wireshark is one of the more commonly and widely used. Load it on to your laptop and run it while you're on Wifi in a Starbucks Coffee Shop. :-))
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0445.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
The security issues fixed here are CVE-2017-1708[3-5] according to Debian: https://www.debian.org/security/2017/dsa-4060