Building a Wireshark for CentOS 7

Update: If you’re just keen on grabbing the latest Wireshark, check out the Wireshark on Centos TL;DR version. Or the new version 2.4.0 build documentation.

So as part of some of the work I want to look at this year around IoT and the impact on networks, I was looking at some packet traces of the MQTT protocol. Originally developed by IBM and now an OASIS standard at version 3.1.1, MQTT provides a mechanism for the IoT to communicate status and receive commands using a publish and subscribe model. The Wireshark packet capture tool is a good way of capturing these data flows.

My challenge is that although CentOS 7 (my default OS) comes with a version of the packet sniffer, it is hopelessly outdated, being Wireshark version 1.10, which doesn’t have an MQTT decode in it. Let’s see if I can find a way of getting a newer one.

So using the Power of the Internet, I fired up the search engines, and discovered a few snippets (listed below), which I’ll weave through this blog post and create a public repository for a current Wireshark version for Centos 7 on x86_64.

So the bits I need are to:

  • Create a build environment
  • Download the latest Wireshark code
  • Compile the code
  • Make RPM files
  • Convert the RPM modules into a repository
  • Sync the repository to somewhere public
  • Publish the repository so others can find it
  • Test the repo myself to make sure it works

So let’s get to it.

Creating a build environment

I’ve not done code development for several years, so I’m a little rusty at this, and thanks go to Jeff Li for the handy few lines that get me started.

So first off, I need a gcc compiler, repo tools and the various dependencies for the code.
sudo yum install gcc gcc-c++ bison flex libpcap-devel qt-devel gtk3-devel rpm-build libtool c-ares-devel qt5-qtbase-devel qt5-qtmultimedia-devel qt5-linguist desktop-file-utils createrepo

(These have been adjusted for my environment, which was missing a few packages Jeff might have had already installed). This downloaded on my environment 167MB worth of extra code in 62 packages, but on your system, it might be different.

Downloading the latest code

As of the time of writing, the latest version of Wireshark is 2.2.4, and they provide the source code for this as a BZipped TAR file, downloadable from this link. By the time you read this, the version might have increased. If you need to do this via a command line, then:
I place this in a work directory and unzip it using the command:
tar xfv wireshark-2.2.4.tar.bz2

Compile the Wireshark code

So now a couple of commands to start the configuration process, prior to running the compile..
cd wireshark-2.2.4

Which if things have gone well will result in ..
The Wireshark package has been configured with the following options:
GLib version : v2.46.2
Build wireshark : yes (with Qt5 v5.6.1)
Build wireshark-gtk : yes (with GTK+ v3.14.13)
Build tshark : yes
Build tfshark : no
Build capinfos : yes
Build captype : yes
Build editcap : yes
Build dumpcap : yes
Build mergecap : yes
Build reordercap : yes
Build text2pcap : yes
Build randpkt : yes
Build dftest : yes
Build rawshark : yes
Build androiddump : yes
Build sshdump : no
Build ciscodump : no
Build randpktdump : yes
Build echld : no
Save files as pcap-ng by default : yes
Install dumpcap with capabilities : no
Install dumpcap setuid : no
Use dumpcap group : (none)
Use plugins : yes
Use external capture sources : yes
Use Lua library : no
Build Qt RTP player : yes
Build GTK+ RTP player : no
Build profile binaries : no
Use pcap library : yes
Use zlib library : yes
Use kerberos library : no
Use c-ares library : yes
Use SMI MIB library : no
Use GNU gcrypt library : no
Use SSL crypto library : no
Use GnuTLS library : no
Use POSIX capabilities library : no
Use GeoIP library : no
Use libssh library : no
Have ssh_userauth_agent : no
Use nl library : no
Use SBC codec library : no

Now we can compile the code, which will take some time (there are a LOT of packet decodes to process), so grab a beverage whilst you wait..
Just as well it was a big cup of coffee.. at this point running ./wireshark should fire up a working copy of Wireshark, version 2.2.4.

Make the Wireshark RPM files

That’s all well and good, but if I want to make this portable and to provide it to others, what do we need to do?
We now need to convert the various binaries into an .RPM package for distribution via my soon to be created repository.
make rpm-package
Now we could install the rpm file directly using sudo yum localinstall packaging/rpm/RPMS/x86_64/wireshark-gtk-2.2.4-1.rpm, but that’s not what I want to do, I’d like to give you the chance to make this as seamless as possible.

Sync the repository to somewhere public

Now all I need to do is to put this out into the Internet so others can share in the results of my effort. To do this, I’ll use rsync to copy this directory structure out to my public website location, but that’ll be in the background.

Publish the repository so others can find it

This is available on the website, so let’s grab it, and move it to where yum expects to find it.
Now move it to the yum repositories directory
sudo mv wireshark.repo /etc/yum.repos.d

Build a Wireshark.repo file by hand

So as a user of the repository, I’m going to need to create a new .repo file in the /etc/yum.repos.d/ directory. So you can either create the file wireshark.repo and fill it with the contents below using your favourite text editor, not forgetting to do this via sudo, as you’re writing to a system directory.
name=Wireshark for CentOS7

Test my Wireshark repository

If you’ve stuck with me this far, then let’s do the last few commands, and get you on your way.

Now it’s simply a case of running sudo yum update and sudo yum install wireshark-gtk, and you’re now ready to go.

Thanks to:

Updated: Added signed RPMs (see #SaferInternetDay – so let’s sign some things. like that new repository) as it’s #SaferInternetDay today. Stay safe.