Install Wireshark on Rocky Linux

In this guide, you will learn how to install Wireshark on Rocky Linux. Wireshark is the world’s foremost and widely-used network protocol analyzer.

Some of the features of Wireshark include;

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor …
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript, CSV, or plain text

Note that it is a criminal act to scan or sniff on any network traffic without any clearance to do so, otherwise using it may land you in jail.

Install Wireshark on Rocky Linux

Wireshark is available on the default Rocky Linux repositories. However, the available versions may not be the up-to-date. Wireshark 3.6.3 is the current stable release as of this writing.

Well, to confirm this, run the commands below to check the available version of Wireshark on Rocky Linux;

sudo dnf info wireshark

Command output;

Available Packages
Name         : wireshark
Epoch        : 1
Version      : 2.6.2
Release      : 14.el8
Architecture : x86_64
Size         : 3.6 M
Source       : wireshark-2.6.2-14.el8.src.rpm
Repository   : appstream
Summary      : Network traffic analyzer
URL          : http://www.wireshark.org/
License      : GPL+

As you can see, the latest version of Wireshark is available on Rocky Linux.

Hence, to install the latest release version of Wireshark on Rocky Linux, you need to build it from the source.

To build Wireshark from the source on Rocky Linux;

Install Required Build tools

dnf install qt5-devel gcc gcc-c++ bison flex libpcap-devel \
gtk3-devel rpm-build libtool c-ares-devel qt5-qtbase-devel \
qt5-qtmultimedia-devel qt5-linguist desktop-file-utils \
createrepo glib2-devel perl perl-devel tcpdump libcap-devel \
libssh-devel krb5-devel perl-Parse-Yapp snappy-devel git\
minizip-devel lz4 libxml2-devel spandsp-devel systemd-devel -y

Compile and Install Wireshark

Download Wireshark latest source code from downloads page.

wget https://1.eu.dl.wireshark.org/src/wireshark-3.6.3.tar.xz

Extract the Wireshark source code.

tar xJf wireshark-3.6.3.tar.xz

Compile Wireshark source code

cd wireshark-3.6.3

cmake .

Sample command output;

...
-- The following OPTIONAL packages have been found:

 * Git
 * GMODULE2
 * Gettext
 * LIBSSH (required version >= 0.6), Library for implementing SSH clients, 
   extcap remote SSH interfaces (sshdump, ciscodump)
 * PCAP
 * Systemd, System and Service Manager (libraries), 
   Support for systemd journal extcap interface (sdjournal)
 * GNUTLS (required version >= 3.3.0)
 * KERBEROS
 * ZLIB
 * Minizip, Mini zip and unzip based on zlib, 
   Support for profiles import/export
 * SNAPPY, A fast compressor/decompressor from Google, 
   Snappy decompression in CQL and Kafka dissectors
 * SPANDSP, a library of many DSP functions for telephony, 
   Support for G.722 and G.726 codecs in RTP player
 * LibXml2
 * CAP, The Libcap package implements the user-space interfaces to the POSIX 1003.1e capabilities available in Linux kernels, 
   Allow packet captures without running as root
 * SETCAP
 * XSLTPROC

-- The following REQUIRED packages have been found:

 * GLIB2 (required version >= 2.38.0)
 * GTHREAD2
 * GCRYPT (required version >= 1.5.0)
 * CARES (required version >= 1.5.0), Library for asynchronous DNS requests, 
   DNS name resolution for captures
 * LEX
 * Perl
 * Python3 (required version >= 3.4)
 * M
 * Qt5Core
 * Qt5LinguistTools
 * Qt5Network (required version >= 5.15.2)
 * Qt5Gui (required version >= 5.15.2)
 * Qt5Multimedia
 * Qt5PrintSupport
 * Qt5Widgets

-- The following OPTIONAL packages have not been found:

 * MaxMindDB, C library for the MaxMind DB file format, 
   Support for GeoIP lookup
 * SMI, Library to access SMI management information, 
   Support MIB and PIB parsing and OID resolution
 * BROTLI
 * LZ4, LZ4 is a fast lossless compression algorithm, 
   LZ4 decompression in CQL and Kafka dissectors, read compressed capture files
 * ZSTD (required version >= 1.0.0), A compressor/decompressor from Facebook providing better compression than Snappy at a cost of speed, 
   Zstd decompression in Kafka dissector, read compressed capture files
 * NGHTTP2, HTTP/2 C library and tools, 
   Header decompression in HTTP2
 * LUA (required version >= 5.1)
 * NL, Libraries for using the Netlink protocol on Linux, 
   Support for managing wireless 802.11 interfaces
 * SBC, Bluetooth low-complexity, subband codec (SBC) decoder, 
   Support for playing SBC codec in RTP player
 * BCG729, G.729 decoder, 
   Support for G.729 codec in RTP player
 * ILBC, iLBC decoder, 
   Support for iLBC codec in RTP player
 * OPUS, opus decoder, 
   Support for opus codec in RTP player
 * DOXYGEN
 * SpeexDSP, SpeexDSP is a patent-free, Open Source/Free Software DSP library, 
   RTP audio resampling
 * Asciidoctor (required version >= 1.5)

We are on tag v3.6.3.
vcs_version.h unchanged.
-- Configuring done
-- Generating done
-- Build files have been written to: /root/wireshark-3.6.3

Fix any errors before you proceed, just in case there is any.

Build Wireshark

make

Install Wireshark

make install

Running Wireshark on Rocky Linux

You can now launch Wireshark either from command line or from the activities;

Wireshark interface;

Tshark command line utility is also installed;

tshark --help

TShark (Wireshark) 3.6.3 (Git commit 6d348e4611e2)
Dump and analyze network traffic.
See https://www.wireshark.org for more information.

Usage: tshark [options] ...

Capture interface:
  -i , --interface 
                           name or idx of interface (def: first non-loopback)
  -f       packet filter in libpcap filter syntax
  -s , --snapshot-length 
                           packet snapshot length (def: appropriate maximum)
  -p, --no-promiscuous-mode
                           don't capture in promiscuous mode
  -I, --monitor-mode       capture in monitor mode, if available
  -B , --buffer-size 
                           size of kernel buffer (def: 2MB)
  -y , --linktype 
                           link layer type (def: first appropriate)
  --time-stamp-type  timestamp method for interface
  -D, --list-interfaces    print list of interfaces and exit
  -L, --list-data-link-types
                           print list of link-layer types of iface and exit
  --list-time-stamp-types  print list of timestamp types for iface and exit

Capture stop conditions:
  -c         stop after n packets (def: infinite)
  -a  ..., --autostop  ...
                           duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
                            packets:NUM - stop after NUM packets
Capture output:
  -b  ..., --ring-buffer 
                           duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
                            packets:NUM - switch to next file after NUM packets
                           interval:NUM - switch to next file when the time is
                                          an exact multiple of NUM secs
Input file:
  -r , --read-file 
                           set the filename to read from (or '-' for stdin)

Processing:
  -2                       perform a two-pass analysis
  -M         perform session auto reset
  -R , --read-filter 
                           packet Read filter in Wireshark display filter syntax
                           (requires -2)
  -Y , --display-filter 
                           packet displaY filter in Wireshark display filter
                           syntax
  -n                       disable all name resolutions (def: "mNd" enabled, or
                           as set in preferences)
  -N   enable specific name resolution(s): "mnNtdv"
  -d ==, ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H           read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)
  --enable-protocol 
                           enable dissection of proto_name
  --disable-protocol 
                           disable dissection of proto_name
  --enable-heuristic 
                           enable dissection of heuristic protocol
  --disable-heuristic 
                           disable dissection of heuristic protocol
Output:
  -w            write packets to a pcapng-format file named "outfile"
                           (or '-' for stdout)
  --capture-comment 
                           add a capture file comment, if supported
  -C       start with specified configuration profile
  -F 
    set the output file type, default is pcapng
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -O            Only show packet details of these protocols, comma
                           separated
  -P, --print              print packet summary even when writing to a file
  -S            the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|?
                           format of text output (def: text)
  -j       protocols layers filter if -T ek|pdml|json selected
                           (e.g. "ip ip.flags text", filter does not expand child
                           nodes, unless child is specified also in the filter)
  -J       top level protocol filter if -T ek|pdml|json selected
                           (e.g. "http tcp", filter which expands all child nodes)
  -e                field to print if -Tfields selected (e.g. tcp.port,
                           _ws.col.Info)
                           this option can be repeated to print multiple fields
  -E= set options for output when -Tfields selected:
     bom=y|n               print a UTF-8 BOM
     header=y|n            switch headers on and off
     separator=/t|/s| select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s| select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t a|ad|adoy|d|dd|e|r|u|ud|udoy
                           output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X :         eXtension options, see the man page for details
  -U tap_name              PDUs export mode, see the man page for details
  -z           various statistics, see the man page for details
  --export-objects ,
                           save exported objects for a protocol to a directory
                           named "destdir"
  --export-tls-session-keys 
                           export TLS Session Keys to a file named "keyfile"
  --color                  color output text similarly to the Wireshark GUI,
                           requires a terminal with 24-bit color support
                           Also supplies color attributes to pdml and psml formats
                           (Note that attributes are nonstandard)
  --no-duplicate-keys      If -T json is specified, merge duplicate keys in an object
                           into a single key with as value a json array containing all
                           values
  --elastic-mapping-filter  If -G elastic-mapping is specified, put only the
                           specified protocols within the mapping file
Diagnostic output:
  --log-level       sets the active log level ("critical", "warning", etc.)
  --log-fatal       sets level to abort the program ("critical" or "warning")
  --log-domains <[!]list>  comma separated list of the active log domains
  --log-debug <[!]list>    comma separated list of domains with "debug" level
  --log-noisy <[!]list>    comma separated list of domains with "noisy" level
  --log-file         file to output messages to (in addition to stderr)

Miscellaneous:
  -h, --help               display this help and exit
  -v, --version            display version info and exit
  -o : ...    override preference setting
  -K               keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G help" for more help

Dumpcap can benefit from an enabled BPF JIT compiler if available.
You might want to enable it by executing:
 "echo 1 > /proc/sys/net/core/bpf_jit_enable"
Note that this can make your system less secure!

And there you go. Wireshark is now running on Rocky Linux.

Other Tutorials

Install Thunderbird Mail Client on Rocky Linux

Install DokuWiki on Rocky Linux