Wireshark · Wireshark-users: [Wireshark-users] How to rid of queries swamping logs in non-online Wireshark

Wireshark-users: [Wireshark-users] How to rid of queries swamping logs in non-online Wireshark

From: Miroslav Rovis <miro.rovis@xxxxxxxxxxxxxxxxx>
Date: Sat, 19 Mar 2016 15:53:48 +0100
Hi!

I don't use Wireshark with all the X for capturing traffic. Also because it
takes me long to grasp what's going on, and I mostly I just can't do it in real
time, the figuring of what I need to about the capture.

I capture with the engine of Wireshark, the dumpcap, instead.

But I use Wireshark for analysis of the traffic. (Often on some other
machine.)

And I was wondering how I could disable, from Wireshark if possible, the
persistent (and futile, in the scenario above given) querying of
Wireshark of my interfaces?

Here is a recent log:

Mar 19 15:07:01 g5n kernel: [10907.301170] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:11319] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000 

Mar 19 15:07:01 g5n kernel: [10907.306730] grsec: more alerts, logging
disabled for 10 seconds 

Mar 19 15:07:02 g5n kernel: [10908.301061] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:11330] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000 

Mar 19 15:07:03 g5n kernel: [10909.301201] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:11341] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000 

Mar 19 15:07:04 g5n kernel: [10910.301197] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:11352] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000 

Mar 19 15:07:05 g5n kernel: [10911.301278] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:11363] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000 

...[ 30 lines cut]...

Mar 19 15:07:11 g5n kernel: [10917.301426] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:11429] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000 

Mar 19 15:07:12 g5n kernel: [10918.301093] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:11440] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000 

Mar 19 15:07:12 g5n kernel: [10918.306187] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:11440] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000 Mar 19 15:07:13 g5n kernel:
[10919.301419] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S
-Z none ) by /usr/bin/dumpcap[wireshark:11451] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000 

Mar 19 15:07:13 g5n kernel: [10919.306977] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:11451] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000 Mar 19 15:07:14 g5n kernel:
[10920.301304] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S
-Z none ) by /usr/bin/dumpcap[wireshark:11462] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000 

Mar 19 15:07:14 g5n kernel: [10920.306551] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:11462] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000 Mar 19 15:07:15 g5n kernel:
[10921.301498] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S
-Z none ) by /usr/bin/dumpcap[wireshark:11473] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000 

Mar 19 15:07:15 g5n kernel: [10921.307075] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:11473] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000

And it goes on like that forever, here's a shorter except later as I'be been
writing this:


Mar 19 15:11:59 g5n kernel: [11205.307827] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:14622] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000

Mar 19 15:11:59 g5n kernel: [11205.313426] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:14622] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000

Mar 19 15:12:00 g5n kernel: [11206.307858] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:14633] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000

Mar 19 15:12:00 g5n kernel: [11206.313485] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:14633] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000

(Of course I could allow the nexessary socket, but I don't want to. I
prefer capturing with dumpcap. But even if I did I doubt that would
solve the problem, it would only bring in another venue of possible
vulnerability.)

It's a grsecurity-hardened kernel on a Gentoo box, and the query is shown only
because I have the Role Based Access (RBAC) set up and the exec_logging option
enabled, which logs it. So that, firstly, don't show on a non-exec-logging
kernel, grsec or any other, and secondly also makes it possibly a question for
https://forums.grsecurity.net (and I might try and see there too, or if I get
a solution, report it there for other users).

But I was hoping to try and see what advice I might get on Wireshark ML first.

Because it really swamps the logs uselessly. I don't want to be shutting down
Wireshark just not to swamp my system logs.

Anyone could tell us about this?

Another fraction from my logs, as I'm ready to send this query, just for the
readers to get the idea of the scale of the swamping:

Mar 19 15:27:30 g5n kernel: [12136.335567] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:24895] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:12197]
uid/euid:1000/1000 gid/egid:1000/1000
Mar 19 15:27:31 g5n kernel: [12137.328553] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:24906] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000
Mar 19 15:27:31 g5n kernel: [12137.334101] grsec: more alerts, logging
disabled for 10 seconds
Mar 19 15:27:32 g5n kernel: [12138.328681] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:24917] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000
Mar 19 15:27:33 g5n kernel: [12139.328792] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:24928] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000
Mar 19 15:27:34 g5n kernel: [12140.326209] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:24939] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000
Mar 19 15:27:35 g5n kernel: [12141.328824] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:24950] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000
Mar 19 15:27:36 g5n kernel: [12142.328825] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:24961] uid/euid:1000/1000 gid/egid:1000/1000,
parent /usr/bin/wireshark[wireshark:12197] uid/euid:1000/1000
gid/egid:1000/1000

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Attachment: signature.asc
Description: PGP signature
Follow-Ups:
- Re: [Wireshark-users] How to rid of queries swamping logs in non-online Wireshark
  - From: Jeff Morriss
Prev by Date: [Wireshark-users] Looking for a good wireless decryption tutorial
Next by Date: Re: [Wireshark-users] How to rid of queries swamping logs in non-online Wireshark
Previous by thread: [Wireshark-users] Looking for a good wireless decryption tutorial
Next by thread: Re: [Wireshark-users] How to rid of queries swamping logs in non-online Wireshark
Index(es):
- Date
- Thread