Wireshark From Source / RHEL 7

Wireshark on Red Hat Enterprise Linux is, for some reason, about a decade out of date. The current version available via yum install is 1.10.14. This version was released in June 2013 and reached end of life in June 2015. Now, RHEL might be back-porting security patches (I'm not sure with Wireshark), but there are no new features, and in my case, I needed mergecap specifically to be able to handle pcap-ng captures. The newest Wireshark version as of this writing is 3.0.6.

The goal of this post is just to try to save people from dependency hell. There are plenty of articles out there on installing from source, but most of them reference a Wireshark 2.x version, which seems to have slightly different build steps. Additionally, most (not all) don't talk about the prerequisites for Wireshark, and none seem to mention rpm-setup.sh, a handy little script for installing all the rpm prerequisites.

Initial Setup

I did my initial testing on CentOS 7.7 (minimal) and my actual install was RHEL 7.7. Make sure you have run yum install wget gcc gcc-c++ and have the RHEL optional repo available (rhel-x86_64-server-optional-7). The EPEL repo (epel/x86_64) may also be necessary; it was already provisioned for me. Technically you don't need wget if you want to scp the files over, but gcc and gcc-c++ are necessary to start the process by building CMake. Other prerequisites will be installed by the Wireshark rpm-setup.sh script.

Building and Installing CMake

CMake is a requirement for building Wireshark, and if installed from the RHEL repos you get version 2.8.12.2. However, when you build Wireshark, it will complain that version 3.x is required.

The newest build currently available is 3.15.5. Check https://cmake.org/download/ for the latest version and replace the version numbers below.

wget https://cmake.org/files/v3.15/cmake-3.15.5.tar.gz
tar zxvf cmake-3.15.5.tar.gz
cd cmake-3.15.5
./bootstrap --prefix=/usr/local
make -j$(nproc)
make install

If all went well, you should now be able to do cmake --version and get the current version number.

[root@kali:~/cmake-3.15.5]# cmake --version
cmake version 3.15.5

CMake suite maintained and supported by Kitware (kitware.com/cmake).

Go back to your working directory (/root/ for me) when you are finished.

Building and Installing Wireshark

Note the rpm-setup.sh --install-optional step below. This should install all the necessary prerequisites. In particular, the first time I went through this and was missing the optional repository, I didn't get libpcap-devel installed. Wireshark/tshark built and ran just fine, but neither was able to capture packets.

Again, I'm using the latest stable version here, 3.0.6. Check https://www.wireshark.org/download.html for the latest version and replace the version numbers below.

wget https://2.na.dl.wireshark.org/src/wireshark-3.0.6.tar.xz
tar xJf wireshark-3.0.6.tar.xz
mkdir build
cd build
../wireshark-3.0.6/tools/rpm-setup.sh --install-optional
cmake ../wireshark-3.0.6
make
make install

Once this finishes, you should be able to run tshark --version or mergecap --version, or launch the Wireshark GUI and go to Help -> About, and see the latest version.
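Before running the two build sequences above, it is worth checking for the things this post says go wrong (a 2.x CMake, a missing libpcap-devel) and for the integrity of the tarballs you downloaded. The following pre-flight script is an added example and not part of the original post; it assumes POSIX sh with sha256sum (or shasum), that libpcap-devel installs pcap.h under /usr/include, and a SHA256SUMS-style checksum file in sha256sum output format (both CMake and Wireshark publish SHA-256 sums for each release; fetching them is left to you).

```shell
# Added example (not from the post). Assumes POSIX sh, sha256sum or shasum, RHEL header path.
# Return 0 if dotted version $1 is >= $2; missing fields count as 0.
version_ge() {
    local a b x y
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" = "$a" ] && a='' || a=${a#*.}
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Pull "X.Y.Z" out of `cmake --version` output passed as $1.
cmake_version_of() {
    printf '%s\n' "$1" | sed -n 's/^cmake version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Hex SHA-256 of file $1 (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Verify tarball $1 against a SHA256SUMS-style file $2 (sha256sum output lines).
verify_sha256() {
    local file sums expected
    file="$1"; sums="$2"
    expected=$(awk -v f="$(basename "$file")" '{ sub(/^\*/, "", $2) } $2 == f { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum listed for $file" >&2; return 1; }
    [ "$expected" = "$(sha256_of "$file")" ]
}

# libpcap-devel (pulled in by rpm-setup.sh --install-optional) ships pcap.h;
# without it tshark builds but cannot capture, as described above.
pcap_devel_present() {
    [ -r /usr/include/pcap/pcap.h ] || [ -r /usr/include/pcap.h ]
}

# Run everything the Wireshark build needs before invoking cmake.
preflight() {
    local out ver
    out=$(cmake --version 2>/dev/null) || { echo "cmake not found" >&2; return 1; }
    ver=$(cmake_version_of "$out")
    version_ge "$ver" 3.0.0 || { echo "cmake $ver is too old; 3.x required" >&2; return 1; }
    pcap_devel_present || { echo "libpcap-devel missing; capture will not work" >&2; return 1; }
    echo "pre-flight OK: cmake $ver"
}
```

Run `verify_sha256 wireshark-3.0.6.tar.xz SHA256SUMS.txt && preflight` from the working directory; a non-zero exit tells you which of the post's failure modes you are about to hit.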

Cleanup

Don't forget to remove all the compressed files and random directories you downloaded. They should be:

rm wireshark-3.0.6.tar.xz
rm cmake-3.15.5.tar.gz
rm -rf ~/wireshark-3.0.6
rm -rf ~/cmake-3.15.5
rm -rf ~/build

Please don't just copy and paste these without making sure I have the paths correct. Albeit, it's on you if you damage your own system.