Comments (8)

ZhiyuanYaoJ commented on May 26, 2024

Same problem here! Got:
Could not find network interface <interface_name>

from termshark.

pkeroulas commented on May 26, 2024

Hello, I may have the same issue:
sudo termshark -i eth0
It looks like the interface name is missing in the child processes.
/usr/bin/dumpcap -n -i - -Z none
tshark -T psml -o gui.column.format:"No.","%m","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i" -i - -l

pocc commented on May 26, 2024

-i - means that dumpcap is reading from stdin, not eth0. @hook-s3c can you post the result of ps x | grep "[d]umpcap" after starting sudo termshark -i 1?

hook-s3c commented on May 26, 2024

ps aux | grep "[d]umpcap"
root     29839  0.0  0.0  62492  4836 pts/3    S+   13:53   0:00 /usr/bin/dumpcap -n -i - -Z none

gcla commented on May 26, 2024

Sorry I didn't respond to this for so long. When testing I often run something like this in a tmux pane:

while [ 1 ] ; do ps auxw --forest | grep 'dumpcap\|tail\|termshark\|tshark' ; sleep 0.5s ; clear ; done

Here's what I see reading from eth0 on my laptop

gcla      3011  |   \_ bash /home/gcla/bin/tm.sh 2 go run cmd/termshark/termshark.go -i eth0
gcla      3014  |       \_ go run cmd/termshark/termshark.go -i eth0
gcla      3153  |           \_ /tmp/go-build782541691/b001/exe/termshark -i eth0
gcla      3193  |               \_ dumpcap -P -i eth0 -w /home/gcla/.cache/termshark/eth0-273276068.pcap
gcla      3195  |               \_ tshark -T psml -o gui.column.format:"No.","%m","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i" -i - -l -d udp.port==2075,cflow -d udp.port==9191,cflow -d udp.port==2055,cflow -d udp.port==2095,cflow
gcla      3251  |               |   \_ /usr/bin/dumpcap -n -i - -Z none
gcla      3196  |               \_ tail -f -c +0 /home/gcla/.cache/termshark/eth0-273276068.pcap
gcla      3463  |   \_ grep --color=auto dumpcap\|tail\|termshark\|tshark

(tm.sh is just a hack to render the tui on a different tty)

@pocc is right that the dumpcap command highlighted in #22 (comment) is reading from stdin - in my process list, the stdin of 3195 (which defers to 3251) is being fed by the stdout from 3196. When termshark reads from an iface, it starts one dumpcap to write the packets to a hidden pcap file, then it sets up a tail command to continuously feed updates to tshark for psml, etc. The tail command reads from the hidden pcap file. That way, if a new display filter is applied, the tail can be restarted at the beginning and the already captured packets are preserved.

So for this issue, I think something has gone wrong with @hook-s3c's equivalent of my pid 3193. Termshark should definitely handle this properly, and seems like it isn't.

@hook-s3c - does

sudo tshark -i eth0

work for you? If it does, you could try running termshark under strace and it might reveal what's going wrong with the dumpcap

sudo strace -f -o foo -s 256 -tt termshark -i eth0

pkeroulas commented on May 26, 2024

@gcla, in my case, dumpcap corresponding to your PID 3193 exits prematurely because of a permission issue. I haven't figured out yet why a root process can't create the pcap file.

openat(AT_FDCWD, "/home/user/.cache/termshark/enx000ec688e4c7-151260431.pcap", O_WRONLY|O_CREAT|O_TRUNC, 0600) = -1 EACCES (Permission denied)

gcla commented on May 26, 2024

@hook-s3c and @pkeroulas - is this issue still affecting you? My understanding is that dumpcap will drop root permissions once it's opened the interface it needs, so perhaps when it calls openat() it has already called seteuid() to a user without permission to write to that directory. Some more data here: https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/389467

from termshark.
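
An added example, not part of the thread and not termshark or Wireshark code: it pulls the failed open()/openat() paths out of an strace log like the one requested above and reports the topmost directory whose owner and mode bits would stop a given uid from creating the file, which is the check that matters if dumpcap has already given up its root privileges. The function names, the sample pid and timestamps are constructed, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not termshark code): triage EACCES opens from an strace log.

# Paths of open()/openat() calls that failed with EACCES or EPERM.
failed_opens() {
    awk '/open(at)?\(/ && /= -1 (EACCES|EPERM)/ {
        if (match($0, /"[^"]+"/)) print substr($0, RSTART + 1, RLENGTH - 2)
    }' "$@"
}

# rwx bits (0-7) that apply to uid/gid on a path, from owner and mode only:
# no ACLs, no supplementary groups, no CAP_DAC_OVERRIDE. Needs GNU stat.
perm_bits() {
    st=$(stat -c '%u %g %a' "$3" 2>/dev/null) || return 1
    set -- "$1" "$2" $st
    mode=$((0$5))
    if [ "$1" -eq "$3" ]; then echo $(( (mode >> 6) & 7 ))
    elif [ "$2" -eq "$4" ]; then echo $(( (mode >> 3) & 7 ))
    else echo $(( mode & 7 )); fi
}

# Topmost directory that stops uid/gid from creating the file: the parent
# needs write+search (3), every ancestor needs search (1). Missing = blocked.
first_block() {
    d=$(dirname "$3"); need=3; block=
    while :; do
        b=$(perm_bits "$1" "$2" "$d") || b=0
        [ $((b & need)) -eq "$need" ] || block=$d
        case $d in /|.) break ;; esac
        d=$(dirname "$d"); need=1
    done
    echo "$block"
}

# Read an strace log on stdin; print "<blocking dir> <- <path>" per failure.
triage() {
    failed_opens | sort -u | while IFS= read -r p; do
        blk=$(first_block "$1" "$2" "$p")
        echo "${blk:-no mode-bit block} <- $p"
    done
}

# Constructed log in `strace -f -o foo -tt` layout; pid and times are made up.
sample_log() { cat <<'EOF'
3193 13:53:01.000101 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
3193 13:53:01.204518 openat(AT_FDCWD, "/home/user/.cache/termshark/enx000ec688e4c7-151260431.pcap", O_WRONLY|O_CREAT|O_TRUNC, 0600) = -1 EACCES (Permission denied)
EOF
}
sample_log | triage "$(id -u)" "$(id -g)"
```

With the functions sourced, `triage 0 0 < foo` tests uid 0 against mode bits alone, which models a root process that no longer bypasses file permission checks.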

gcla commented on May 26, 2024

I will close this for now, but please re-open if it's still an issue.
