Why should those Windows users have all the fun? Wouldn't you like to be able to capture traffic in Wireshark on your Mac? Well, you have come to the right place!
So, the idea is that when you select Capture from the right-click pop-up menu in UNL and pick an interface, Wireshark should launch.
The problem is that on a Mac there is no handler for the "capture://" part of the URL. We can edit handlers if they already exist, but it's not easy to create new ones as and when we want them.
So we need to create one, along with a program that actually runs Wireshark.
This can be done with AppleScript, and a single AppleScript app can perform both jobs: launching Wireshark, and associating "capture://" with itself.
After a couple of hours of digging around I came across a workable approach, wrote a script, and after a bit of testing it has now turned into a workable solution.
To install it, download the app from the link below, unzip it, and copy the app to your Applications directory.
Here is a video of it in action:
Download link:
Check this link for the updated file!
29 comments
Hi Stuart,
Good day! I installed your app on my MBP with OS X v10.9.5. I'm running VMware Fusion 6.0.2 with the latest UNL v72. I installed X11 (XQuartz) and Wireshark v1.12.7. No success yet in making the capture. Not sure if this is a version issue with Wireshark or I need to tweak something on my Mac or in Wireshark. From Wireshark, what interface do you use for the capture? Thanks.
Toto
Hi Toto, try the beta version for OSX, it is version 1.99.8 - the direct link is https://1.eu.dl.wireshark.org/osx/Wireshark%201.99.8%20Intel%2064.dmg - it's a native version, so does not require X11 to run.
The script/app will pick up the UNL IP address, and the port (usually this is vunl_X_X) and then SSH to the box to begin the dump. Make sure you pop in the password in the terminal window when prompted.
Let me know how you get on, I tried it on my macbook air and my mac desktop, so would be good to see how it works for more people!
Thanks
Stuart
Thanks, thanks, very grateful. It's working.
Great! Thanks for letting me know, Koby!
Hi Stuart,
For some reason, the terminal window does not pop up. I've configured the VM as "shared with my Mac." Do I need to have TUNTAP installed as well, or am I missing something? I also noticed this prompt every time I boot up UNL: "A virtual machine is attempting to monitor all network traffic, which requires administrator access. Type your password to allow this." I actually ignore this message. Not sure what to disable on the VM. Highly appreciate your help! Thanks.
Best regards,
Toto
That might be why it's not working! You need to put in your password, otherwise how will the VM interact with your network - i.e. load Wireshark :)
Try it again and put in your password :) Hopefully it should work. I haven't actually tried it with Fusion, I was just using ESXi.
Hi Stuart,
I tested it both applying the password and not, and the output is still the same. Seems like I need to work something out in Fusion. I'll try to install ESXi if the issue persists. Thanks.
Toto
Hi Stuart!
What Mac OS X version are you using?
On video it looks like Mavericks 10.9, not the latest Yosemite 10.10.
I'm trying to run your app on Yosemite 10.10.5 and always getting a "Cannot open application «UNL_Wireshark»" error window.
Used software - Chrome web browser 45.0.2454.85 (64-bit) and Wireshark 1.99.9.
Thanks!
I am on 10.10.4 on my MacBook Air. I will check what my iMac is running, but I don't think it's Mavericks. Pretty sure that it's on 10.10. Did you put the app in your /Applications directory?
If anyone else has come across this error then please let me know.
Works like a charm in 10.10 Yosemite
Thanks Stuart!
Though after upgrading from 10.9 to 10.10 I had to fix the Wireshark "Error from waitpid()" with this http://noshut.ru/2015/09/wireshark-mac-os-x-v1-99-1-waitpid-error-quick-fix/#more-403
It works on my Mac, however the language isn't English :), does anyone know how to set the language back to English? Thanks
You mean Wireshark is in a different language? Open Preferences, click on Appearance, then look at the language settings at the bottom.
Stuart, I get the same error when I try to run it too. Using 10.11.1, either with Firefox or Chrome.
I have run it on El Capitan and Yosemite and it works ok on those. I am running the development build of Wireshark though. Try that.
I have the same issue. Running El Capitan 10.11.1, Chrome Version 46.0.2490.80 (64-bit), Wireshark 2.0.0rc2. I have also tried Safari and got the following message: safari can't open 'capture://10.0.0.201/vunl0_3_" because OS X doesn't recognize Internet addresses starting with "capture". Hope this helps
Also, for some strange reason your AppleScript is asking it to open Terminal but it seems that the app is opening a web browser instead.
Franco, you haven't set up the handlers - read the blog post again and check this link: http://www.802101.com/2015/09/changing-url-handlers-in-osx.html
Hi Stuart
Thanks for getting back to me. As you can see
https://www.dropbox.com/s/i82o4hbytodwk35/capture.png?dl=0
it was set up to use UNL_Wireshark but still no joy. I even added terminal and Wireshark just to see what might happen but nothing.
Thanks for the quick reply as always.
Right, got this to work. For some strange reason when using your app it gave me the error message. So I thought OK, make my own AppleScript app in El Capitan. Open Script Editor and paste in the code you did.
on open location this_URL
    -- this_URL arrives from the browser as capture://<host>/<interface>
    set cap_URL to this_URL
    -- word 1 is "capture", word 2 the UNL host, word 3 the interface name
    set new_cap_HOST to word 2 of cap_URL
    set new_cap_INT to word 3 of cap_URL
    # set cap_out to capture.new_cap_INT
    # display dialog new_cap_HOST
    # display dialog new_cap_INT
    tell application "Terminal"
        activate
        -- each do script below opens its own Terminal window
        -- named pipe that joins tcpdump's output to Wireshark's input
        do script "mkfifo /tmp/capture_" & new_cap_INT
        -- start Wireshark reading the pipe; -k begins capturing immediately
        do script "wireshark -k -i /tmp/capture_" & new_cap_INT
        -- tcpdump on the UNL host streams raw pcap into the pipe; ssh prompts for the root password
        do script "ssh root@" & new_cap_HOST & " tcpdump -U -i " & new_cap_INT & " -s 0 -w - > /tmp/capture_" & new_cap_INT
    end tell
end open location
Then just save as an application and make sure that it's the same name and set up the handlers as shown on your website
http://www.802101.com/2015/09/changing-url-handlers-in-osx.html
Et voilà :-)
Just hope this helps anyone else. And thanks for the little script. I hope that they add this to Unetlab by default if possible.
All the best
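The same handler logic as the post's app and the AppleScript above, rewritten as a POSIX shell script (an added example, not code from the post or the commenter): it splits capture://<host>/<interface>, checks that both parts contain only expected characters before they are spliced into the ssh/tcpdump command line (the URL is handed over by the browser, so it should not be trusted as-is), then creates the pipe and starts Wireshark. The interface name vunl0_3_0 and the script name are constructed; the wireshark, ssh and tcpdump flags are the ones the AppleScript uses.

```shell
#!/bin/sh
# Added example, not the post's app: the capture:// handler as a POSIX shell
# script. The URL comes straight from the browser, so host and interface are
# checked against an allowlist before they are spliced into the ssh command.
# Assumed URL form: capture://<host>/<interface> (sample values are constructed).

# Print "<host> <interface>" for a well-formed URL, return 1 otherwise.
parse_capture_url() {
    url=$1
    case $url in
        capture://*) ;;
        *) return 1 ;;                      # wrong scheme
    esac
    rest=${url#capture://}
    host=${rest%%/*}
    iface=${rest#*/}
    iface=${iface%%/*}                      # drop anything after the interface name
    case $host in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;    # IPv4 literal or hostname characters only
    esac
    case $iface in
        ''|*[!A-Za-z0-9_]*) return 1 ;;     # vunl0_3_0 style names only
    esac
    printf '%s %s\n' "$host" "$iface"
}

# The pipeline the AppleScript builds: a named pipe, Wireshark reading it (-k
# starts the capture immediately), and tcpdump on the UNL host writing raw
# pcap into it over ssh. ssh prompts for the root password on the terminal.
start_capture() {
    parsed=$(parse_capture_url "$1") || { echo "rejected capture URL: $1" >&2; return 1; }
    host=${parsed% *}
    iface=${parsed#* }
    fifo=/tmp/capture_$iface
    [ -p "$fifo" ] || mkfifo "$fifo" || return 1
    wireshark -k -i "$fifo" &
    ssh "root@$host" "tcpdump -U -i $iface -s 0 -w -" > "$fifo"
}

# Usage (constructed): ./capture-handler.sh 'capture://10.0.0.201/vunl0_3_0'
if [ $# -gt 0 ]; then start_capture "$1"; fi
```

Registered as the "capture" URL handler, the script gets the URL as its first argument; a URL that fails the checks is reported on stderr and never reaches ssh.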
Great job Stuart ... very appreciated !!!
CCIE #39837
Hi Sir
Is this normal when you start capturing? It automatically opens 3 terminal windows, 1 to put the password in so it initiates Wireshark? See my screenshot:
https://mega.nz/#!7YF0mTwA!K9WFLILWVwR8CcDCEP7VIzVyWpJgz1JPwDmGGXDU6zE
Hi Peter! Yeah, I don't know how to get it all in one window! maybe version 3.0 will have that fixed! :)
Thank you Sir, since it's working, let me work like that for a while.
Sorry, based on the descriptions here I still can't understand how to change the handler for "capture://" to your script. On your other page about handlers it says it's not possible to add via the Default Apps tool. But how then?
Found the problem: your v2 version is missing the CFBundleURLName section from the Info.plist file. It works for you since you have it already assigned, but not for new users.
Hey Max! Nice one! I will amend it... Cheers!
RCDefaultApps should have one for capture, look in the URL tab - what I meant was that I couldn't figure out how to create a custom handler (like "802101://")
I amended it and have uploaded the new version. Thanks again Max!
Awesome work Stuart. Thanks!