Building Wireshark 1.12.5 Static Binaries for CentOS 5

This tutorial shows you how to compile the latest version of Wireshark, v1.12.5 as at May 2015, with SSL/TLS support, on CentOS 5.9. This is useful because the last version of Wireshark available on CentOS 5.x repositories is 1.0.15, released in 2010, and later versions are only released for CentOS 6 or 7. You can also use the steps described in this tutorial and compile Wireshark for Redhat 5 or other Linux distributions that come with outdated versions of Wireshark.

Background

First, I must say that there is a reason why newer versions of Wireshark are not automatically available for CentOS 5. Wireshark 1.6 and above requires GLib 2.16 or newer to compile whereas the last GLib official release for CentOS 5.9 is only 2.14. Unlike many other package requirements of Wireshark (autoconf, automake, flex, etc.) whose later versions can be installed via yum install or compiled from code, GLib is an integral part of CentOS (and most Linux operating systems), and cannot be upgraded without recompiling the kernel using the updated version. This is perhaps why the Wireshark developer team has chosen to only support CentOS 6 and 7 for newer releases.

Fortunately, there is a way to overcome this limitation, which is to perform a static build of Wireshark that includes all the necessary libraries at compile time and can run on just a base CentOS installation. I came across this method from this post after three long days of research and have chosen to describe the compilation steps in details to help others with similar problems. To demonstrate the whole process as clearly as possible, we will start the build on a virtual machine with just a CentOS 5.9 base installation.

Before we start, make sure you have a C/C++ compiler on your machine. You can install GCC using:

yum install gcc-c++ 

Running autogen.sh

First, download the source from here and extract it. From the extracted source folder, run the following to prepare for the build:

./autogen.sh

You will see the following errors – packages autoconf, automake and libtool are missing:

./autogen.sh: line 55: autoconf: command not found

You must have autoconf 2.60 or later installed to compile Wireshark.
Download the appropriate package for your distribution/OS,
or get the source tarball at ftp://ftp.gnu.org/pub/gnu/autoconf/
./autogen.sh: line 69: automake: command not found

You must have automake 1.9 or later installed to compile Wireshark.
Download the appropriate package for your distribution/OS,
or get the source tarball at ftp://ftp.gnu.org/pub/gnu/automake/
./autogen.sh: line 99: libtool: command not found

You must have libtool 1.4 or later installed to compile Wireshark.
Download the appropriate package for your distribution/OS,
or get the source tarball at ftp://ftp.gnu.org/pub/gnu/libtool/

Install the missing libtool and automake packages:

yum install libtool automake

For autoconf, the latest version on the repository is only 2.59. We will need to download a later version (I tried with 2.63 and it worked) here, extract the source and run the following commands from the extracted source folder to install autoconf to /usr/bin/autoconf:

./configure
make install

Now run autogen.sh again. It should succeed, showing the following:

Now type "./configure [options]" and "make" to compile Wireshark.

Build Configuration

The next step is to configure the source code for building. This means selecting the features, plugins, etc. that will be included in the compiled binary. In this example, we will compile the command line version of Wireshark, tshark, with no user interface, and with SSL/TLS support. To attempt this, run the following command:

./configure --disable-wireshark --with-ssl

This will take a while and will most likely end up with the following message:

configure: error: I couldn't find yacc (or bison or ...); 
make sure it's installed and in your path

To fix this and similar error messages, you will need to install some extra packages:

yum install flex bison pkgconfig zlib zlib-devel libpcap libpcap-devel 
openssl-devel gnutls gnutls-devel libgcrypt libgcrypt-devel

After that, run configure again and you will see another complaint:

./configure: line 21144: PKG_PROG_PKG_CONFIG: command not found
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
./configure: line 21777: syntax error near unexpected token `LIBGNUTLS,'
./configure: line 21777: `  PKG_CHECK_MODULES(LIBGNUTLS, gnutls >= 3.1.10 ,'

To fix this, you will need to specify where aclocal (part of automake package) is on your system. Run the following:

whereis aclocal

You will see the following output:

aclocal: /usr/bin/aclocal /usr/share/aclocal

Take note of the location and run the following to set the path to aclocal:

ACLOCAL_FLAGS="-I /usr/share/aclocal"

Run autogen and autoconfigure again. You will now hit the biggest obstacle, GLib requirements:

checking for GLIB - version >= 2.16.0... no
*** Could not run GLIB test program, checking why...
*** The test program failed to compile or link. See the file config.log for the
*** exact error that occurred. This usually means GLIB is incorrectly installed.
configure: error: GLib 2.16.0 or later distribution not found.

For young players, GLib is a core component of the OS so you can’t upgrade it via yum. Do not try blindly and execute commands such as yum remove glib or yum remove glib2 in the hope that you can upgrade the library – you will most likely end up with a broken system that needs a fresh install. Same goes for OpenSSL, which we will touch later, do not attempt yum remove openssl, which will remove hundreds of packages and require a reinstall afterwards.

The correct thing to do now is to download a newer version of GLib, such as 2.26 (later versions require Python 2.5 which does not come with CentOS 5), from here and perform a static build to extract the .a library files:

./configure --enable-static --prefix=/tmp/glib
make
make install

After that, configure Wireshark to perform a static build using the compiled GLib 2.26 libraries:

LDFLAGS=' -L/tmp/glib/lib ' CFLAGS='-fPIC' LD_LIBRARY_PATH=/tmp/glib/lib \
PKG_CONFIG_PATH=/tmp/glib/lib/pkgconfig ./configure \
--prefix=/usr/local/myshark --disable-wireshark \
--with-ssl --enable-static=yes --enable-shared=no --with-krb5=no

The above configuration options tell Wireshark to perform a static build (-fPIC) using the glib static libraries at /tmp/glib/lib (LD_LIBRARY_PATH) with the bundled pkgconfig (PKG_CONFIG_PATH) and output the static binaries to /use/local/myshark (–prefix). Additionally, LDFLAGS allows the linker to link the output with the provided static GLib binaries, otherwise, there will be some linker errors during the make process. Kerberos support also needs to be disabled (–with-krb5=no) to avoid missing headers during compilation. I am not sure why this issue does not occur with a normal build.

The configuration should complete with the following results:

The Wireshark package has been configured with the following options.
             Build wireshark (Gtk+) : no
                 Build wireshark-qt : no
                       Build tshark : yes
                     Build capinfos : yes
                      Build captype : yes
                      Build editcap : yes
                      Build dumpcap : yes
                     Build mergecap : yes
                   Build reordercap : yes
                    Build text2pcap : yes
                      Build randpkt : yes
                       Build dftest : yes
                     Build rawshark : yes

   Save files as pcap-ng by default : yes
  Install dumpcap with capabilities : no
             Install dumpcap setuid : no
                  Use dumpcap group : (none)
                        Use plugins : yes
                    Use Lua library : no
                 Use Python binding : no
                   Build rtp_player : no
             Build profile binaries : no
                   Use pcap library : yes
                   Use zlib library : yes
               Use kerberos library : no
                 Use c-ares library : no
               Use GNU ADNS library : no
                Use SMI MIB library : no
             Use GNU crypto library : yes
             Use SSL crypto library : yes
           Use IPv6 name resolution : yes
                 Use gnutls library : yes
     Use POSIX capabilities library : no
                  Use GeoIP library : no
                     Use nl library : no
              Use SBC codec library : no

If the result shows Use gnutls library : no, make sure that packages gnutls and gnutls-devel are installed. If error SSL crypto library was requested, but is not available is encountered, check that you have installed openssl-devel package. If Use GNU crypto library is no, install libgcrypt and libgcrypt-devel packages.

Building tshark

Type make to start the build process, which may take a while (5 minutes on my Intel Core i7 processor). When done, type make install and you will see the following files in /usr/local/myshark/bin:

-rwxr-xr-x 1 root root 572K Jun 18 12:21 capinfos
-rwxr-xr-x 1 root root 557K Jun 18 12:21 captype
-rwxr-xr-x 1 root root  66M Jun 18 12:21 dftest
-rwxr-xr-x 1 root root 106K Jun 18 12:21 dumpcap
-rwxr-xr-x 1 root root 590K Jun 18 12:21 editcap
-rwxr-xr-x 1 root root 570K Jun 18 12:21 mergecap
-rwxr-xr-x 1 root root 564K Jun 18 12:21 randpkt
-rwxr-xr-x 1 root root  69M Jun 18 12:21 rawshark
-rwxr-xr-x 1 root root 561K Jun 18 12:21 reordercap
-rwxr-xr-x 1 root root  56K Jun 18 12:21 text2pcap
-rwxr-xr-x 1 root root  70M Jun 18 12:21 tshark

The big file size of 70MB, compared with just a few hundreds KB for a normal build, is a tell-tale sign that the tshark binary is now static and includes all the necessary libraries to run it independently without the need for any other packages. To test if the build is indeed static, I copy /usr/local/myshark to a new barebone CentOS installation with just the base packages and run tshark -v:

It works! Now we have a fully functional latest version of Wireshark 1.12.5 running on just CentOS 5. For an idea of what is possible with Wireshark 1.12.5 but not with Wireshark 1.0.15, try to decrypt TLS 1.2 traffic with TLS_RSA_WITH_AES_256_CBC_SHA256 encryption using a self-signed cert. In my test, Wireshark 1.0.15 would not even recognize the SSL handshake while the latest version could decrypt the traffic just fine.

Building mergecap and Other Utilities

My next challenge came when I ran mergecap on the CentOS 5 base installation. Although mergecap -h worked fine and showed the version number with the help text, the actual pcap merging operation failed with the following error:

undefined symbol: g_malloc_n

It seems as if the glib library is not bundled with mergecap even when a static build configuration is requested, so the method g_malloc_n (part of GLib) will fail to load when GLib is not installed on the machine. This is explained by the small size of mergecap (570KB), which should have been larger if GLib and other libraries were linked statically. Same goes for other utlities except dftest and rawshark, their small size suggests that the required libraries were probably not linked with the executables.

As there seems to be no out-of-the-box configure option to cater for this, the only way to overcome this without editing the configure/make scripts would be to use gcc to static-link the object files with their required libraries:

gcc -ldl -W1,-Bstatic mergecap-mergecap.o /usr/local/myshark/lib/*.a \
/usr/lib64/libz.a /tmp/glib/lib/libgio-2.0.a /tmp/glib/lib/libgmodule-2.0.a \
/tmp/glib/lib/libgthread-2.0.a /tmp/glib/lib/libglib-2.0.a -o mergecap-new

This method results in a larger binary of 1565KB that works well on just a CentOS base installation. I guess the same method can be applied to other executables (editcap, dumpcap, etc.) should there be a need to run them standalone on CentOS 5.

Unfortunately, you cannot build the RPM for Wireshark on CentOS 5.9 using this method. Commands make dist and make rpm-package will fail with uic not found message. This is because somehow the RPM build of Wireshark will still use uic even when we are not interested in the GUI version of Wireshark, only tshark.

On a side note, the last version of Wireshark that can be compiled natively on CentOS 5 without resorting to static builds of GLib is version 1.5.0, released in April 2011.

The Wireshark 1.12.5 static build for Cent OS 5 can be downloaded here. The static build of mergecap can be found here. I guess the next challenge would probably be manually compiling newer versions of GCC for CentOS 5 and using that version of GCC to compile Wireshark. This will be needed once the Wireshark team decides to stop supporting GCC 4.1.2, which is the latest available version on CentOS 5.