Bug 397851

When diagnosing a bit more, I believe I have found the problem. Wireshark uses
an external program called "dumpcap". It is looking for it in /usr/bin, but the
RPM puts it in /usr/sbin.

Workaround:

ln -s /usr/sbin/dumpcap /usr/bin/dumpcap

Strange, I'm suspicious about your workaround. Wireshark is installed with
/usr/sbin patch and all binaries are located there (/usr/bin/wireshark is
consolehelper link). This works for me on Fedora 8, RHEL 5 and Fedora 6. 

Did you by any chance tried to install your own version of wireshark directly
from a source tarball? 

Which interface does it crash with? All of them? 

First to answer your questions:

- I did not modify wireshark:

  $ rpm -q wireshark
  wireshark-0.99.6-3.fc8
  $ rpm -V wireshark | wc -l
  0

- Wireshark crashes even before you can select the capture interface. Selecting
"Capture" and then "Interfaces" from the menu will lead to the crash immediately.

Secondly I did some more investigation:

After inspection of the wireshark source code it appears it looks for "dumpcap"
in the same directory as the wireshark executable. If wireshark is started with
an absolute path name, it takes the directory from argv[0]. If not, $PATH is
searched for the wireshark executable.

When running a command through sudo, only "/bin" and "/usr/bin" are in the path.
This means that wireshark cannot find its own executable, and bad stuff happens.

  $ sudo sh -c 'echo $PATH'
  /usr/bin:/bin

To confirm the hypothesis we can start wireshark with a full pathname and without:

  $ sudo /usr/sbin/wireshark
  # Select Capture -> Interfaces: no crash 

Starting wireshark without a full path name:

  $ sudo wireshark
  # Select Capture -> Interfaces: crash
  wireshark: Fatal IO error 11 (Resource temporarily unavailable) on X server :20.0.
  wireshark: Fatal IO error 11 (Resource temporarily unavailable) on X server :20.0.

The conclusion must therefore be that the problem is caused by an interaction
between sudo and wireshark.

I see the problem and why it is happening. I will have patch soon.

This should be fixed in wireshark-0.99.7-2.fc8

I don't really want to reopen this bug because it is so old, but the exact same thing is happening me using Wireshark 1.2.4-1 on Fedora 12 (x86_64). The only difference for me is that in my case, when I try to select a capture interface, not only does Wireshark crash, it also completely crashes my X server...

Geert's workaround from comment #1 resolves the issue for me.

I'm using Fedora 12, running Gnome 2.28.0

Wireshark version info: 
wireshark-gnome-1.2.4-1.fc12.x86_64
wireshark-1.2.4-1.fc12.x86_64

Wireshark build info:
Compiled with GTK+ 2.18.3, with GLib 2.22.2, with libpcap 1.0.0, with libz
1.2.3, without POSIX capabilities, with libpcre 7.8, with SMI 0.4.8, without
c-ares, without ADNS, without Lua, with GnuTLS 2.8.5, with Gcrypt 1.4.4, with
MIT Kerberos, without GeoIP, with PortAudio V19-devel (built Jul 28 2009),
without AirPcap.

Running on Linux 2.6.31.6-166.fc12.x86_64, with libpcap version 1.0.0, GnuTLS
2.8.5, Gcrypt 1.4.4.

Built using gcc 4.4.2 20091027 (Red Hat 4.4.2-7).

Hi Radek Vokal,
Im experiencing similar issue with wireshark1.08 and 1.4.4 on RHL-EL5. I have installed Wireshark 1.4.4 and later 1.0.8 from a source tarball. Once i try to launch wireshark using "sudo wireshark" error pops up as
"Cant get pathname of Wireshark: "wireshark" not found in "/usr/bin:/bin".
it wont be possilbe to capture traffic. Report this to the wireshark developers."
and also some dumpcap not found error pops us when i choose capture->interface.

Can you pls let me know how to resolve this issue?

Created attachment 487189 [details]
Error displayed on launching wireshark 1.0.8 or 1.4.4