Introduction to Wireshark

The Wireshark package contains a network protocol analyzer, also known as a “sniffer”. This is useful for analyzing data captured “off the wire” from a live network connection, or data read from a capture file.

Wireshark provides both a graphical and a TTY-mode front-end for examining captured network packets from over 500 protocols, as well as the capability to read capture files from many other popular network analyzers.

This package is known to build and work properly using an LFS-8.0 platform.

Package Information

  • Download (HTTP): https://www.wireshark.org/download/src/all-versions/wireshark-2.4.0.tar.xz

  • Download MD5 sum: 655106f8cf3bb8f521336d3a8ab5b10b

  • Download size: 27 MB

  • Estimated disk space required: 1.9 GB (with default GUI front-end, and all optional dependencies available in the BLFS book)

  • Estimated build time: 10.3 SBU (with default GUI front-end and all optional dependencies available in the BLFS book)

Additional Downloads

Wireshark dependencies


GLib-2.52.3 and libgcrypt-1.8.0



c-ares-1.12.0, GnuTLS-3.5.14, GTK+-3.22.18 or GTK+-2.24.31 (for the legacy GTK GUI), libnl-3.3.0, Lua-5.3.4, MIT Kerberos V5-1.15.1, nghttp2-1.25.0, OpenSSL-1.1.0f, SBC-1.3, libsmi, lz4, GeoIP, libssh, PortAudio (for GTK+ RTP player), Snappy, and Spandsp



The Qt GUI front-end is built by default, if Qt-5.9.1 is found. If you want to build the GTK+ GUI front-end, some configure switches have to be set (see “Command Explanations”).

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/wireshark

Kernel Configuration

The kernel must have the Packet protocol enabled for Wireshark to capture live packets from the network:

[*] Networking support --->          [CONFIG_NET]
      Networking options --->
        <*/M> Packet socket          [CONFIG_PACKET]

If built as a module, the name is af_packet.ko.

Installation of Wireshark

Wireshark is a very large and complex application. These instructions provide additional security measures to ensure that only trusted users are allowed to view network traffic. First, set up a system group for wireshark. As the root user:

groupadd -g 62 wireshark

Continue to install Wireshark by running the following commands:

patch -Np1 -i ../wireshark-2.4.0-lua_5_3-1.patch  &&

./configure --prefix=/usr --sysconfdir=/etc &&

This package does not come with a test suite.

Now, as the root user:

make install &&

install -v -m755 -d /usr/share/doc/wireshark-2.4.0 &&
install -v -m644    README{,.linux} doc/README.* doc/*.{pod,txt} \
                    /usr/share/doc/wireshark-2.4.0 &&

pushd /usr/share/doc/wireshark-2.4.0 &&
   for FILENAME in ../../wireshark/*.html; do
      ln -s -v -f $FILENAME .
   done &&

If you downloaded any of the documentation files from the page listed in the 'Additional Downloads', install them by issuing the following commands as the root user:

install -v -m644 <Downloaded_Files> \

Now, set ownership and permissions of sensitive applications to only allow authorized users. As the root user:

chown -v root:wireshark /usr/bin/{tshark,dumpcap} &&
chmod -v 6550 /usr/bin/{tshark,dumpcap}

Finally, add any users to the wireshark group (as root user):

usermod -a -G wireshark <username>

If you are installing wireshark for the first time, it will be necessary to leave the session and login again, thus you will now have wireshark between your groups, otherwise, it will not run properly.

Command Explanations

--with-gtk=[yes/no/2/3]: For the Gtk+ GUI. Default is no. If both Gtk+2 and 3 are installed, and “yes” is selected, default is 3. Obviously, GTK+-2.24.31 or GTK+-3.22.18 must have been built for this to work.

--with-qt=[yes/no/4/5]: For the Qt GUI. Default is yes, if Qt-5.9.1 is found on the system.

--disable-wireshark: Use this switch if you have Qt installed but do not want to build any of the GUIs.

Configuring Wireshark

Config Files

/etc/wireshark.conf and ~/.config/wireshark/* (unless there is already ~/.wireshark/* in the system)

Configuration Information

Though the default configuration parameters are very sane, reference the configuration section of the Wireshark User's Guide for configuration information. Most of Wireshark's configuration can be accomplished using the menu options of the wireshark graphical interfaces.



If you want to look at packets, make sure you don't filter them out with Iptables-1.6.1. If you want to exclude certain classes of packets, it is more efficient to do it with iptables than it is with Wireshark.


Installed Programs: capinfos, captype, dftest, dumpcap, editcap, idl2wrs, mergecap, randpkt, rawshark, reordercap, sharkd, text2pcap, tshark, wireshark, and wireshark-gtk (optional)
Installed Libraries: libwireshark.so, libwiretap.so, libwscodecs.so (optional), libwsutil.so, and numerous modules under /usr/lib/wireshark/plugins
Installed Directories: /usr/{lib,share}/wireshark and /usr/share/doc/wireshark-2.4.0

Short Descriptions


reads a saved capture file and returns any or all of several statistics about that file. It is able to detect and read any capture supported by the Wireshark package.


prints the file types of capture files.


is a display-filter-compiler test program.


is a network traffic dump tool. It lets you capture packet data from a live network and write the packets to a file.


edits and/or translates the format of capture files. It knows how to read libpcap capture files, including those of tcpdump, Wireshark and other tools that write captures in that format.


combines multiple saved capture files into a single output file.


creates random-packet capture files.


dump and analyze raw libpcap data.


reorder timestamps of input file frames into output file.


is a daemon that listens on UNIX sockets.


reads in an ASCII hex dump and writes the data described into a libpcap-style capture file.


is a TTY-mode network protocol analyzer. It lets you capture packet data from a live network or read packets from a previously saved capture file.


is the Qt GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.


is the Gtk+ GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.


contains functions used by the Wireshark programs to perform filtering and packet capturing.


is a library being developed as a future replacement for libpcap, the current standard Unix library for packet capturing. For more information, see the README file in the source wiretap directory.

Last updated on 2017-08-16 15:38:22 -0500