Wireshark integration with UNetLab on OSX


Why should those Windows users have all the fun? Wouldn't you like to be able to capture traffic in Wireshark on your Mac? Well, you have come to the right place!

The idea is that when you select Capture from the right-click pop-up menu in UNL and choose an interface, Wireshark should launch on your Mac.

The problem is that there is no handler on OS X for the "capture://" scheme at the start of the URL that UNL opens. Existing handlers can be edited, but creating a new one as and when we want it is not straightforward.

So we need to create one, together with a program that actually runs Wireshark.

This can be done through AppleScript, which can perform both actions: launching Wireshark, and associating "capture://" with the program.

After a couple of hours digging around I came across a workable approach. I turned it into a script and, after a bit of testing, into an app.
To install it, download the app from the link below, unzip it, and copy the app to your Applications directory.

Here is a video of it in action:


Download link:
https://sites.google.com/site/802101files/books/UNL_Wireshark.app.zip
Check this link for the updated file!

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.


29 comments

Anonymous
1 September 2015 at 18:42

Hi Stuart,

Good day! I installed your app on my MBP with OSX v10.9.5. I'm running VMware Fusion 6.0.2 with the latest UNL v72. I installed X11 (XQuartz) and Wireshark v1.12.7. No success yet in making the capture. Not sure if this is a version issue with Wireshark or if I need to tweak something on my Mac or in Wireshark. From Wireshark, what interface do you use for the capture? Thanks.

Toto

2 September 2015 at 01:56

Hi Toto, try the beta version for OSX, it is version 1.99.8 - the direct link is https://1.eu.dl.wireshark.org/osx/Wireshark%201.99.8%20Intel%2064.dmg - it's a native version, so it does not require X11 to run.

The script/app will pick up the UNL IP address and the port (usually this is vunl_X_X) and then SSH to the box to begin the dump. Make sure you pop in the password in the Terminal window when prompted.

Let me know how you get on, I tried it on my macbook air and my mac desktop, so would be good to see how it works for more people!

Thanks

Stuart

2 September 2015 at 02:23

Thanks, thanks, very grateful. It's working.

2 September 2015 at 02:52

Great! Thanks for letting me know, Koby!

Anonymous
3 September 2015 at 01:21

Hi Stuart,

For some reason, the Terminal window does not pop up. I've configured the VM as "shared with my Mac." Do I need to have TUNTAP installed as well, or am I missing something? I also noticed this prompt every time I boot up UNL: "A virtual machine is attempting to monitor all network traffic, which requires administrator access. Type your password to allow this." I actually ignore this message. Not sure what to disable on the VM. Highly appreciate your help! Thanks.

Best regards,
Toto

3 September 2015 at 01:50

That might be why it's not working! You need to put in your password, otherwise how will the VM interact with your network - i.e. load Wireshark :)

Try it again and put in your password :) Hopefully it should work. I haven't actually tried it with Fusion, I was just using ESXi.

Anonymous
3 September 2015 at 07:04

Hi Stuart,

I tested it both with the password applied and without, and the output is still the same. Seems like I need to work something out in Fusion. I'll try to install ESXi if the issue persists. Thanks.

Toto

Anonymous
6 September 2015 at 03:01

Hi Stuart!

What Mac OS X version are you using?
In the video it looks like Mavericks 10.9, not the latest Yosemite 10.10.
I'm trying to run your app on Yosemite 10.10.5 and always get a "Cannot open application «UNL_Wireshark»" error window.
Software used: Chrome web browser 45.0.2454.85 (64-bit) and Wireshark 1.99.9.

Thanks!

6 September 2015 at 11:22

I am on 10.10.4 on my MacBook Air, I will check what my iMac is running, but I don't think it's Mavericks. Pretty sure that it's on 10.10. Did you put the app in your /Applications directory?

If anyone else has come across this error then please let me know.

12 September 2015 at 22:46

Works like a charm in 10.10 Yosemite
Thanks Stuart!

Though after upgrading from 10.9 to 10.10 I had to fix the Wireshark "Error from waitpid()" with this: http://noshut.ru/2015/09/wireshark-mac-os-x-v1-99-1-waitpid-error-quick-fix/#more-403

1 November 2015 at 05:12

It works on my Mac, however the language isn't English :), does anyone know how to set the language back to English? Thanks

1 November 2015 at 10:01

You mean Wireshark is in a different language? Open Preferences, click on Appearance, then look at language settings at the bottom.

2 November 2015 at 01:46

Stuart, I get the same error when I try to run it too. Using 10.11.1, either with Firefox or Chrome.

2 November 2015 at 01:50

I have run it on El Capitan and Yosemite and it works OK on those. I am running the development build of Wireshark though. Try that.

3 November 2015 at 04:12

I have the same issue. Running El Capitan 10.11.1, Chrome Version 46.0.2490.80 (64-bit), Wireshark 2.0.0rc2. I have also tried Safari and got the following message: Safari can't open 'capture://10.0.0.201/vunl0_3_" because OS X doesn't recognize Internet addresses starting with "capture". Hope this helps.

3 November 2015 at 04:21

Also, for some strange reason your AppleScript is asking it to open Terminal, but it seems that the app is opening a web browser instead.

3 November 2015 at 05:41

Franco, you haven't set up the handlers - read the blog post again and check this link: http://www.802101.com/2015/09/changing-url-handlers-in-osx.html

3 November 2015 at 06:04

Hi Stuart

Thanks for getting back to me. As you can see

https://www.dropbox.com/s/i82o4hbytodwk35/capture.png?dl=0

it was set up to use UNL_Wireshark but still no joy. I even added terminal and Wireshark just to see what might happen but nothing.

Thanks for the quick reply as always.

4 November 2015 at 06:59

Right, got this to work. For some strange reason, when using your app it gave me the error message. So I thought, OK, make my own AppleScript app in El Capitan. Open Script Editor and paste the code you did.

on open location this_URL
	-- Launch Services calls this with the capture://<host>/<interface> URL that UNL opens
	set cap_URL to this_URL
	-- AppleScript word boundaries (the ":" and "/" punctuation) split the URL into
	-- "capture", the UNL host and the interface name
	set new_cap_HOST to word 2 of cap_URL
	set new_cap_INT to word 3 of cap_URL
	# set cap_out to capture.new_cap_INT
	# display dialog new_cap_HOST
	# display dialog new_cap_INT
	tell application "Terminal"
		activate
		-- Each do script opens its own Terminal window
		-- 1. the named pipe Wireshark will read from
		do script "mkfifo /tmp/capture_" & new_cap_INT
		-- 2. Wireshark, capturing immediately (-k) from the pipe
		do script "wireshark -k -i /tmp/capture_" & new_cap_INT
		-- 3. tcpdump on the UNL host, unbuffered (-U), full packets (-s 0), written to stdout (-w -) over SSH into the pipe
		do script "ssh root@" & new_cap_HOST & " tcpdump -U -i " & new_cap_INT & " -s 0 -w - > /tmp/capture_" & new_cap_INT
	end tell
end open location

Then just save it as an application, make sure that it has the same name, and set up the handlers as shown on your website:

http://www.802101.com/2015/09/changing-url-handlers-in-osx.html

Et voilà :-)

Just hope this helps anyone else. And thanks for the little script. I hope that they add this to UNetLab by default if possible.

All the best

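A stand-alone Python version of the same URL-to-commands step, added here as an example and not part of the post or Franco's script. It assumes the capture://<host>/<interface> form shown in the Safari error above and vunl<pod>_<node>_<port> interface names; the host and interface are validated and passed as argument lists, so a handler that any web page can invoke never builds a shell command string from the URL.

```python
import os
import re
import subprocess
from urllib.parse import urlsplit

# Shapes the UNL "Capture" link is expected to produce (assumption): a host that
# is an IPv4 address or DNS name, and a vunl<pod>_<node>_<port> interface name.
HOST_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)*)$", re.I)
IFACE_RE = re.compile(r"^vunl\d+_\d+_\d+$")

def parse_capture_url(url):
    """Split a capture://<host>/<interface> URL into (host, interface),
    raising ValueError for anything that does not match the expected shape."""
    parts = urlsplit(url)
    if parts.scheme != "capture":
        raise ValueError("not a capture:// URL: %r" % url)
    host = parts.hostname or ""
    iface = parts.path.lstrip("/")
    if not HOST_RE.match(host):
        raise ValueError("unexpected host: %r" % host)
    if not IFACE_RE.match(iface):
        raise ValueError("unexpected interface: %r" % iface)
    return host, iface

def build_commands(url):
    """The three commands the AppleScript runs, as argv lists (no shell)."""
    host, iface = parse_capture_url(url)
    fifo = "/tmp/capture_" + iface
    return {
        "fifo": fifo,
        "wireshark": ["wireshark", "-k", "-i", fifo],
        "ssh": ["ssh", "root@" + host, "tcpdump", "-U", "-i", iface, "-s", "0", "-w", "-"],
    }

def run_capture(url):
    """Create the fifo, start Wireshark reading it, then stream tcpdump over
    SSH into it. Assumes ssh can authenticate without a prompt (keys or agent),
    since there is no Terminal window here to type a password into."""
    cmds = build_commands(url)
    if not os.path.exists(cmds["fifo"]):
        os.mkfifo(cmds["fifo"])
    wireshark = subprocess.Popen(cmds["wireshark"])
    # Opening the write end blocks until Wireshark has opened the read end.
    with open(cmds["fifo"], "wb") as sink:
        ssh = subprocess.Popen(cmds["ssh"], stdout=sink)
    return wireshark, ssh
```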

23 November 2015 at 14:39

Great job Stuart ... very much appreciated!!!
CCIE #39837

20 February 2016 at 06:45

Hi Sir

Is this normal when you start capturing? It automatically opens 3 Terminal windows, 1 to put the password in so it initiates Wireshark? See my screenshot:
https://mega.nz/#!7YF0mTwA!K9WFLILWVwR8CcDCEP7VIzVyWpJgz1JPwDmGGXDU6zE

20 February 2016 at 07:47

Hi Peter! Yeah, I don't know how to get it all in one window! maybe version 3.0 will have that fixed! :)

20 February 2016 at 13:29

Thank you Sir, since it's working, let me work like that for a while.

Max
6 March 2016 at 01:24

Sorry, based on the descriptions here I still can't understand how to change the handler for "capture://" to your script. On your other page about handlers it says it's not possible to add one via the Default Apps tool. But how then?

Max
6 March 2016 at 01:30

Found the problem: your v2 version is missing the CFBundleURLName section from the Info.plist file. It works for you since you have it already assigned, but not for new users.

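A stand-alone check for the defect Max describes, added here as an example and not the post's or the app's own code: it reads an Info.plist, reports whether the "capture" scheme is registered with a CFBundleURLName, and produces a corrected copy. The sample plist, its bundle identifier and the URL name used in the fix are constructed.

```python
import plistlib

# Constructed stand-in for the app's Info.plist, reproducing the defect Max
# describes: the scheme is listed but the URL type has no CFBundleURLName.
BROKEN_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.unlwireshark",   # assumed bundle id
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["capture"]}],
})

def check_url_handler(plist_bytes, scheme="capture"):
    """Return a list of problems with the plist's registration of `scheme`;
    an empty list means the URL type entry is complete."""
    info = plistlib.loads(plist_bytes)
    types = info.get("CFBundleURLTypes")
    if not types:
        return ["no CFBundleURLTypes array"]
    problems, found = [], False
    for i, entry in enumerate(types):
        if scheme in entry.get("CFBundleURLSchemes", []):
            found = True
            if not entry.get("CFBundleURLName"):
                problems.append("CFBundleURLTypes[%d] lacks CFBundleURLName" % i)
    if not found:
        problems.append("scheme %r not in any CFBundleURLSchemes" % scheme)
    return problems

def fix_url_handler(plist_bytes, scheme="capture", name="UNL capture"):
    """Return a copy of the plist with one complete URL type entry for `scheme`,
    replacing any existing entry that already lists the scheme."""
    info = plistlib.loads(plist_bytes)
    types = [t for t in info.get("CFBundleURLTypes", [])
             if scheme not in t.get("CFBundleURLSchemes", [])]
    types.append({"CFBundleURLName": name, "CFBundleURLSchemes": [scheme]})
    info["CFBundleURLTypes"] = types
    return plistlib.dumps(info)
```

To check a real bundle, pass the bytes of /Applications/<app>.app/Contents/Info.plist to check_url_handler.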

6 March 2016 at 12:44

Hey Max! Nice one! I will amend it... Cheers!

8 March 2016 at 03:55

RCDefaultApp should have one for capture, look in the URL tab - what I meant was that I couldn't figure out how to create a custom handler (like "802101://").

8 March 2016 at 04:01

I amended it and have uploaded the new version. Thanks again Max!

27 September 2016 at 20:37

Awesome work Stuart. Thanks!
