Restrict Wireshark delivery with default-filter

Is it possible to restrict Wireshark to a dedicated port on the local host per deployment?

Use Case:

We are considering delivering Wireshark as a troubleshooting tool with our Windows-based product. But we have to avoid installing a hacker tool on the customer's machine. It shall only be possible to monitor the traffic on a dedicated port of the local host. Even our service technicians shall not be able to use Wireshark to sniff any other network traffic.

We could maybe do a source-code change and compile the program ourselves. (Has this maybe already been done by someone in the past?)

Background:

Our software runs on dedicated machines in the customer's LAN. Device Guard is running on these systems to prevent users from running any programs that are not allowed. So it would not be possible for a service technician to download and run Wireshark himself.

Burkhard, asked 2020-01-08 11:30:23 +0000

2 Answers

Wireshark is a Packet Analyser, not a "hacker tool". Wireshark can be used by a "hacker" but so can Notepad or a pencil.

Sure you can always modify the code, but you must abide by the terms of the GPL licence that Wireshark is released under when you distribute the modified code to customers.

grahamb, answered 2020-01-08 11:39:04 +0000

Comments

Oops, it seems I used a sensitive buzzword. ;-) Sorry for that. I'm just looking for proposals to perform such a restriction as mentioned above.

Burkhard (2020-01-08 11:47:25 +0000)

The less we conflate the words "Hacker" and "Wireshark" the better, as it won't confuse the PHBs.

grahamb (2020-01-08 12:07:02 +0000)

The DISA security STIGs generally call out this and other network analysis tools as not allowed for a good security posture. Here are some examples:

https://www.stigviewer.com/stig/oracl... https://www.stigviewer.com/stig/aix_5...

Unfortunately, the US Govt is helping to cause some of that confusion!

Bob Jones (2020-01-08 13:30:45 +0000)

It seems you want to restrict capture to a specific interface. Wireshark is totally indifferent to the interfaces it can request to capture from. The inventory of capture interfaces, and for that matter the actual capturing, is done by a capture driver, npcap to be exact. You'll need to look there to see what restrictions are possible, if at all. Please be aware of the restrictions that apply to using npcap for commercial distribution.

Jaap, answered 2020-01-08 19:00:39 +0000
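One practical way to approach the "default filter" the question asks for, as an added example that is not part of the thread and not Wireshark's or npcap's own tooling: a fixed-purpose PowerShell launcher that only ever starts tshark with a hard-coded interface and a capture filter limited to one local TCP port. It assumes Wireshark's default install path, that npcap (with its loopback adapter) is installed, and a placeholder interface name. Consistent with Jaap's point, the restriction lives in the script rather than in the capture driver, so it only holds where the platform (for example Device Guard, as in the question) keeps technicians from running Wireshark, tshark or dumpcap directly with other arguments.

```powershell
# Added example: fixed-purpose tshark launcher restricted to one local TCP port.
# Assumptions: default Wireshark install path, npcap present, placeholder interface name.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 65535)]
    [int]$Port,                       # the only thing a technician may choose

    [ValidateRange(1, 3600)]
    [int]$Seconds = 60                # capture auto-stops; no open-ended sniffing
)

$TShark    = 'C:\Program Files\Wireshark\tshark.exe'           # assumption: default install path
$Interface = 'PLACEHOLDER_INTERFACE_NAME'                     # placeholder: pick a name from `tshark -D`
$OutDir    = Join-Path $env:ProgramData 'ProductName\captures' # assumption: product's own data folder

if (-not (Test-Path $TShark)) { throw "tshark not found at $TShark" }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# BPF capture filter is fixed here: only traffic on the given port to/from the local host.
# The port is an [int] validated by the param block, so it cannot widen the filter.
$CaptureFilter = "tcp port $Port and host 127.0.0.1"
$OutFile = Join-Path $OutDir ("port{0}_{1:yyyyMMdd_HHmmss}.pcapng" -f $Port, (Get-Date))

# Only these arguments are ever passed to tshark; the caller has no way to add others.
$TSharkArgs = @(
    '-i', $Interface,
    '-f', $CaptureFilter,
    '-a', "duration:$Seconds",
    '-w', $OutFile
)

& $TShark @TSharkArgs
Write-Host "Capture written to $OutFile"
```

Run it as `.\Capture-LocalPort.ps1 -Port 8080 -Seconds 30`. The design choice is to expose only a validated integer and a duration, never a free-form filter or interface string, so the BPF expression tshark receives is always of the form `tcp port N and host 127.0.0.1`. It does not make Wireshark itself incapable of capturing elsewhere; it is a controlled front end whose value depends entirely on the application-allow-listing described in the question.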
