Install Wireshark 3.0.2 on Ubuntu Desktop 18.04 REDUX

In my previous post, I gave instructions on how to build and install Wireshark 3.0.1 for Ubuntu 18.04, which did the trick at the time, but it was a little hasty and had a few bugs that I didn’t know how to resolve at the time. Come Monday morning at Sharkfest 2019, during a TLS training session with @SYNbit, I had a problem with decrypting packets (I couldn’t add RSA keys). I found out that in my compiling of Wireshark, I didn’t include the GNUTLS package — and actually, it turns out there’s a lot I didn’t include that would actually solve the bugs I mentioned in the previous post. You can see all I didn’t include in the compiling here:

(Screenshot: the Wireshark version dialog showing the packages that were left out of the build)

So in other words, I didn’t compile this correctly, and even shared how to do it incorrectly. Not going to say I was wrong, but perhaps you could say it was half-baked.


Well, I’m hoping to correct the record here.

Wireshark and Ubuntu 18.04+

If you’re doing packet analysis and run Debian/Ubuntu, you may have noticed that Wireshark is currently at version 3.0.2 (at the time of writing this), but both Debian and Ubuntu are running 2.6.x versions of Wireshark (Debian Stretch is at 2.6.7-1, and Ubuntu 18.04 is at 2.6.8-1). While Fedora 30 is running Wireshark 3.0.1, even Ubuntu 19.10 (Eoan) is still running Wireshark 2.6.9-1 (again at the time of writing this).


Now for probably really good reasons, there still isn’t a Wireshark 3.0.2 deb package for Debian/Ubuntu distributions, and if you just so happen to be at Sharkfest 2019 running some flavor of Debian/Ubuntu and you’re taking the packet analysis classes, you need to be running Wireshark 3.0.2. Of course, you could just fire up a VM on your laptop and run Windows, or grab that random spare Mac in your bag — why you have a spare Mac in your bag is beyond me — but otherwise your only option is to compile the Wireshark package from source.

Background On Compiling and Installing Wireshark 3.0.2 for Ubuntu Desktop 18.04

The first thing to note here is that the previous post focused on 3.0.1, but that wasn’t the most recent Wireshark source, so for this we’re updating to 3.0.2.

Next, when compiling applications from source, usually the approach is to extract the tarball, then run ‘configure, make, make install’ and you’re done. However, Wireshark actually has info on how to build this within the tarball in a file called “INSTALL” (I know, I pretty much can hear “RTFM” as I type this). Starting at about line 191, the file says:

    11/b. If you’re running a system that supports APT (Debian/Ubuntu/etc.)
    run

        dpkg-buildpackage -us -uc -rfakeroot

    in the source directory right after extracting or checking out
    Wireshark’s source code. (You don’t have to run configure/make/etc.
    prior to running dpkg-buildpackage)

Ok, great, but if you run the command above, you’ll likely find that you have a few dependencies that you’re missing. The instructions below should help clear this all up.

Compiling and Installing Wireshark 3.0.2 for Ubuntu Desktop 18.04

Disclaimer: like I noted in my previous post, Wireshark is a complicated application, and I am not a developer, so my instructions could have some flaws (they certainly have improved). My main intent here is to just share the dependencies needed to get Wireshark 3.0.2 compiled because otherwise you’re going to be running the dpkg-buildpackage command, get the dependency error messages, Google the dependency package for Ubuntu, install it, then find the next one over and over again — if only someone just posted the dependencies!

Install the Dependencies

First off, let’s install all the dependencies needed (there’s a lot):

Grab the Source Tarball and Set Up the Build Environment

After doing this a few times, I learned that it’s easier to set up a build directory because when you run the dpkg-buildpackage command, it’s going to build .deb files in the parent directory of the extracted tarball directory (see later). Let’s create the build directory, grab the source tarball, and extract it:

Build Wireshark 3.0.2

Assuming everything above went off without a hitch, we should be able to build Wireshark now. Within the ‘wireshark-3.0.2’ directory, run the following command:

‘dpkg-buildpackage’ is a program that builds packages for installation; the command won’t install Wireshark (that comes next), but it does build the .deb files for installation. The process can take anywhere from 10-30 minutes (maybe more) depending on your system. Once the process is done, in the parent directory (‘wireshark_build’), you should see the following deb files:

Now we can install the packages.

Install Wireshark

To install the packages above, within ‘wireshark_build’, run the following command:

You’ll likely get a prompt during the install about dumpcap and running as root. Basically, it’s best practice to not run Wireshark as root but to instead create a group that has permissions to capture packets. During the .deb installation, the installer will create the group ‘wireshark’, so enter ‘Yes’ at the prompt to create the group, then add your user account to the group with the following command:

If during the install you have dependency errors, usually that can be resolved by running an apt install fix that will install the dependencies and finish the Wireshark install:

Assuming everything went well, Wireshark should be installed and you should get the following under Help > About Wireshark:

(Screenshots: Help > About Wireshark showing 3.0.2 on Ubuntu Desktop 18.04 and on ChromeOS Crostini Ubuntu 18.04)
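Since the whole reason for this redo was a build that silently lacked GnuTLS, here is a small check, added here and not part of the original post, that parses the “Compiled (…) with X, without Y, …” paragraph printed by ‘tshark --version’ (the same feature list Help > About shows) and reports everything the binary was built without. The version text in the script is a constructed sample; the wording follows real Wireshark 3.0.x output, the version numbers are made up.

```shell
#!/bin/sh
# Added example, not from the original post: parse the "Compiled (...) with X, without Y"
# paragraph that `tshark --version` / `wireshark --version` prints and report what the
# build lacks. A build "without GnuTLS" is exactly the one that cannot load RSA keys.

# Constructed sample of a half-baked build; wording mirrors real 3.0.x output,
# the version numbers are made up.
SAMPLE_VERSION_OUTPUT='Wireshark 3.0.2 (Git v3.0.2 packaged as 3.0.2-1)

Compiled (64-bit) with Qt 5.9.5, without libpcap, with POSIX capabilities (Linux),
with GLib 2.56.4, with zlib 1.2.11, without GnuTLS, without Gcrypt, with MaxMind DB
resolver, with nghttp2 1.30.0, with libxml2 2.9.4.

Running on Linux 4.15.0-50-generic, with locale C.UTF-8.'

# Print the "Compiled" paragraph of version text $1 as one cleaned entry per line
# ("with Qt 5.9.5", "without GnuTLS", ...). Lines are joined first because the
# paragraph wraps when pasted from a terminal.
compiled_entries() {
    printf '%s\n' "$1" | awk '
        /^Compiled/   { grab = 1 }
        grab && /^$/  { exit }
        grab          { printf "%s ", $0 }
    ' | tr ',' '\n' \
      | sed 's/^[[:space:]]*Compiled ([^)]*) //; s/\.[[:space:]]*$//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# One missing feature name per line, e.g. "GnuTLS".
missing_features() {
    compiled_entries "$1" | sed -n 's/^without //p'
}

# Exit 0 if version text $1 lists feature $2 as compiled in, 1 otherwise.
has_feature() {
    compiled_entries "$1" | grep -Eq "^with $2"'( |$)'
}

# Check the installed build, if any (skipped when tshark is not on PATH).
if command -v tshark >/dev/null 2>&1; then
    v=$(tshark --version 2>/dev/null)
    has_feature "$v" GnuTLS || echo "WARNING: built without GnuTLS; RSA keys cannot be loaded"
    missing_features "$v" | sed 's/^/compiled without: /'
fi
```

Run it right after the install; on the sample text it reports libpcap, GnuTLS and Gcrypt as missing, which is the state the screenshot at the top of this post shows.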

BCG729 Package Missing

One thing to note is that there is one package that is missing from these instructions: BCG729. BCG729 is an open-source encoder/decoder for the G.729 codec, and if you wish to have that, you’ll need to build and compile it before you build and compile the Wireshark .deb files. More info on that here.

That should be it! Happy packet analyzing!

Install Wireshark 3.0.1 on Ubuntu 18.04

(UPDATE 20190619: There are better instructions in a new post I made. Go there. Wireshark is actually built correctly and will even capture packets (unlike these instructions)).

(UPDATE 20190611: This method below is a bit clunky and causes quite a few issues that are unnecessary. I’ve found a new method that I’m going to make a new post for. Hint: in the Wireshark tarball, look at the ‘INSTALL’ file.)

If you’re doing packet analysis and run Debian/Ubuntu, you may have noticed that Wireshark is currently at version 3.0.2 (at the time of writing this), but both Debian and Ubuntu are running 2.6.x versions of Wireshark (Debian Stretch is at 2.6.7-1, and Ubuntu 18.04 is at 2.6.8-1). While Fedora 30 is running Wireshark 3.0.1, even Ubuntu 19.10 (Eoan) is still running Wireshark 2.6.9-1 (again at the time of writing this).


Now for probably really good reasons, there still isn’t a Wireshark 3.0.1 deb package for Debian/Ubuntu distributions, and if you just so happen to be at Sharkfest 2019 running some flavor of Debian/Ubuntu and you’re taking the packet analysis classes, you need to be running Wireshark 3.0.1. Of course, you could just fire up a VM on your laptop and run Windows, or grab that random spare Mac in your bag — why you have a spare Mac in your bag is beyond me — but otherwise your only option is to compile the Wireshark package from source.

I’m going to quit yapping about this now and just get to the point.

Compiling and Installing Wireshark 3.0.1 for Ubuntu 18.04

First off, Wireshark is a complicated application, and I am not a developer, so my instructions here are likely flawed. My main intent here is to just share the dependencies needed to get Wireshark 3.0.1 compiled because otherwise you’re going to be running the ninja/make commands, get the dependency error message, Google the dependency package for Ubuntu, install it, then find the next one over and over again — if only someone just posted the dependencies!

That being said, I work with Ubuntu LTS releases, so my instructions here are what I put together for Ubuntu 18.04 on a Ubuntu 18.04 laptop and in a Linux container in Crostini (this is the ‘Linux Apps’ service on Chromebooks, which is my primary device as of late and is a whole other post I hope to do some day).

These instructions are largely lifted from this post on ‘Beyond Linux from Scratch’, but I’ve appended them with dependency information for Ubuntu 18.04.

Another caveat here is that I previously had done an ‘apt install wireshark’, which helped with most of the libpcap dependencies. Ubuntu runs libpcap0.8 1.8.1-6*, but the ‘Beyond Linux’ post says it needs libpcap-1.9 (my install seems to capture fine with 0.8 1.8, but I’m not really capturing with this install, just analyzing).

Lastly, this doesn’t have optional components. I’m just trying to get 3.0.1 up and running for the basics.

If there are ways to improve this, please comment and let me know!

Install the dependencies

First off, let’s get the dependencies installed:

Create the Wireshark Group and Add Yourself to the Group

To capture without running as root, create the ‘wireshark’ group (assuming gid 62 isn’t taken). Run the following as root/sudo:

Add yourself to the group (you’ll need to log out and back in for the change to go into effect) as root/sudo:

Grab and Extract the Wireshark tarball

Grab the Wireshark tarball:

Extract it and move into the directory:

Build the Wireshark Application

In the ‘wireshark-3.0.1’ directory, build the application for install:

Install the Built Wireshark Application

Now as root, install Wireshark:

Secure the Application Directories

Set ownership info of the applications:

That should be it! Run ‘wireshark’ and you should be set. Should look something like this:

(Screenshot: Wireshark 3.0.1 running in the Ubuntu 18.04.2 container on ChromeOS)

Bugs I’ve Encountered

Seems that on the Crostini build, some things aren’t working correctly. I’ve built this on my Ubuntu 18.04 laptop with no issues (yet). Some that I’ve found on Crostini:

  • Interfaces not found for capturing: I’m not really concerned about this because I knew from the get-go that running Linux apps on ChromeOS would be spotty, especially Wireshark. However, if you use the official Ubuntu package, packet capture works fine (although because it’s containerized, you don’t get hardware access for capturing).
  • No statistic information on interface: another one I don’t care about because I get the data elsewhere (see below).

(Screenshot: the ‘No packets’ message shown on the interface list)

Edit (20190610): I erroneously said that Ubuntu runs libpcap0.8, inferring that the version was 0.8, but Ubuntu actually runs 1.8.1-6. The Ubuntu libpcap package is called 0.8 and is built and tested for Ubuntu, but that name doesn’t actually reflect the actual version.