Silverblue: Wireshark does not see network interfaces

  1. On a Fedora Silverblue 38 host I created a new container:

    distrobox create --name wireshark
    
  2. Inside the container I installed Wireshark.

    sudo dnf --assumeyes install wireshark
    
  3. From inside the container I started Wireshark.

    wireshark
    
  4. The Wireshark GUI starts up, but no network interfaces are recognized. I see the following:
    [image]

but I expect to see ethernet and loopback devices.

Any help is appreciated.

ADDITIONAL:
A Wireshark flatpak exists, but it does not support capturing network traffic and so is not really helpful for my case; I need a network capturing and analyzing program.

I execute this command:

  • on host: but I see no effect in /etc/group
  • inside container: user is added in group, I can see new row in /etc/group

I rebooted and problem is the same.

Does this solution really work for Fedora Silverblue or is this just a solution for Fedora Workstation?

1 Like

The group will only exist when Wireshark is installed / overlaid on the system. If you go this route, then you can use Troubleshooting :: Fedora Docs to add yourself to it.

If you want to run it from a container, then you need to make sure that you retain the user and group in the container, which means that you likely have to run it as “root” inside a toolbox container.

2 Likes

I see; when the “root” user is required, it is probably easier to install it as an rpm-ostree layer than to use containers.

I did the following:

# Install Wireshark as an rpm-ostree layer
rpm-ostree install wireshark

# Reboot for the layer to take effect
systemctl reboot

# Add user to group as suggested by Timothée Ravier
grep -E '^wireshark:' /usr/lib/group | sudo tee -a /etc/group
sudo usermod -aG wireshark "$USER"

# Reboot for the group membership to take effect (maybe logging off is enough)
systemctl reboot

# Start program
wireshark

Now I see network traffic is visible to Wireshark and so problem solved.

Thanks for help.
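
An idempotent form of the group-copy step from the post above, as an added example that is not part of the original thread: it appends the `wireshark` entry only when the target file lacks it, and checks that the GID agrees with the packaged one. The function names and the temporary sample files are constructed for illustration; on a real system the two files would be `/usr/lib/group` and `/etc/group`, edited as root.

```sh
#!/bin/sh
# Added example. Paths are parameters so it can be tried on copies first.

# ensure_group NAME LIB_GROUP ETC_GROUP
# 0 = entry appended, 1 = already present (file untouched), 2 = not in LIB_GROUP
ensure_group() {
    if grep -q "^$1:" "$3"; then
        return 1
    fi
    eg_entry=$(grep "^$1:" "$2" | head -n 1)
    [ -n "$eg_entry" ] || return 2
    printf '%s\n' "$eg_entry" >> "$3"
}

# group_gid NAME FILE: print the GID recorded for NAME in FILE
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# gid_matches NAME LIB_GROUP ETC_GROUP: succeed only if both files agree
gid_matches() {
    gm_lib=$(group_gid "$1" "$2")
    gm_etc=$(group_gid "$1" "$3")
    [ -n "$gm_lib" ] && [ "$gm_lib" = "$gm_etc" ]
}

# Constructed sample files standing in for /usr/lib/group and /etc/group.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'root:x:0:\nwireshark:x:968:\n' > "$demo_dir/lib_group"
printf 'root:x:0:\nwheel:x:10:myuser\n' > "$demo_dir/etc_group"

ensure_group wireshark "$demo_dir/lib_group" "$demo_dir/etc_group" \
    && echo "entry appended"
ensure_group wireshark "$demo_dir/lib_group" "$demo_dir/etc_group" \
    || echo "already present, nothing appended"
gid_matches wireshark "$demo_dir/lib_group" "$demo_dir/etc_group" \
    && echo "GID matches the packaged entry"
grep -c '^wireshark:' "$demo_dir/etc_group"
```

Running the append step a second time, for example after uninstalling and reinstalling the layer, leaves a single `wireshark` line instead of a duplicate.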

Yesterday I tried to upgrade with:
rpm-ostree upgrade

and an error was returned:

error: While applying overrides for pkg wireshark-cli: Could not find group ‘wireshark’ in group file

I ran “wireshark” and it started successfully and was working fine. But I don’t know why “wireshark-cli” is a problem; it looks like some CLI part of Wireshark.

Then I removed “wireshark”:
rpm-ostree uninstall wireshark

and installed it back following the above instructions, and then
rpm-ostree upgrade
worked fine, and “wireshark” also started successfully and was working fine.

Today I repeated the “rpm-ostree upgrade” command and got the same error as yesterday.

I know I can uninstall “wireshark”, but I would like to avoid doing this over and over again every day.

Also, I have looked at the issue the error is pointing out.

cat /etc/group | grep wireshark
wireshark:x:968:myuser

cat /usr/lib/group | grep wireshark
wireshark:x:968:

but the group is created.

This is likely one of the following issues:

1 Like

This is the demonstration that Flatpak sandboxing is a real thing :wink:

Btw a solution could be the use of Wireshark with SSH.

@siosm, yes, it does look like some old issue. Is this an issue that all users installing wireshark in rpm-ostree run into, or is this a per-user problem? Do you think this is an issue of rpm-ostree (or one of its components), or is the RPM install package doing something extraordinary? If the latter, then maybe the upstream wireshark packager can be contacted.

@Alessio, using wireshark/flatpak (which does not support network capturing and only supports analysis of an already captured file) together with ssh-remote-capture would require installing an SSH server on my desktop, which is also a little bit of overhead. I mean installing an SSH server just to do the capture.

One bypass solution I am looking at is:

  • install tcpdump as rpm-ostree layer to capture network traffic
  • install wireshark/flatpak to do the network capture file analysis

It is a little bit of an annoyance to need two tools to do the job of one.

FWIW ssh is already installed on Silverblue. You only need to start it through GNOME Settings or from the command line.

I don’t have a great answer here. Ideally, the wireshark package would provide a polkit-enabled DBus service that would let the Flatpak dynamically request the service to tcpdump an interface and forward the content to the unprivileged Flatpak.

As a workaround, running tcpdump from a privileged (root) toolbox and then analyzing the result in the Flatpak could do it as well.

I’ve never run sshdump but I found the following pages:

It looks like it would only require tcpdump to be available on the host.

2 Likes

I have checked listening ports: sudo ss -ntlp

State           Recv-Q          Send-Q                   Local Address:Port                   Peer Address:Port          Process                                             
LISTEN          0               4096                         127.0.0.1:631                         0.0.0.0:*              users:(("cupsd",pid=1019,fd=7))                    
LISTEN          0               4096                     127.0.0.53%lo:53                          0.0.0.0:*              users:(("systemd-resolve",pid=866,fd=17))          
LISTEN          0               4096                           0.0.0.0:5355                        0.0.0.0:*              users:(("systemd-resolve",pid=866,fd=11))          
LISTEN          0               4096                        127.0.0.54:53                          0.0.0.0:*              users:(("systemd-resolve",pid=866,fd=19))          
LISTEN          0               4096                             [::1]:631                            [::]:*              users:(("cupsd",pid=1019,fd=6))                    
LISTEN          0               4096                              [::]:5355                           [::]:*              users:(("systemd-resolve",pid=866,fd=13))          

It looks to me like the SSH server is NOT installed by default on Fedora Silverblue.

I am not sure about this. When running sshdump from Wireshark, a dialog is displayed with fields:

  • Remote SSH server address
  • Remote SSH server port
  • Remote SSH server username
  • Remote SSH server password

and more.

It looks to me like an SSH server is required, and additionally probably some TCP monitoring tool like tcpdump (which is probably already installed on most Linux servers, but not desktops).

I need Wireshark from time to time on my desktop machine to take a network capture of my desktop's traffic to a remote server.

Yeah. It is not started.

You can check if it is installed with rpm -qa | grep openssh, and it is.

As I wrote

Or from the command line
sudo systemctl enable sshd --now

Btw, yes, also tcpdump is needed.

As another alternative, I’ve made a system extension for Wireshark: wireshark: Add initial sysext by travier · Pull Request #59 · travier/fedora-sysexts · GitHub

1 Like