Enabling Non-root Capture
Step 1: Install setcap
First, we’ll need to install the setcap executable if it hasn’t been already. We’ll use this to set granular capabilities on Wireshark’s dumpcap executable. setcap is part of the libcap2-bin package.
$ sudo apt-get install libcap2-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  libcap-dev
The following NEW packages will be installed:
  libcap2-bin
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.7kB of archives.
After this operation, 135kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com karmic/universe libcap2-bin 1:2.16-5ubuntu1 [17.7kB]
Fetched 17.7kB in 0s (36.7kB/s)
Selecting previously deselected package libcap2-bin.
(Reading database ... 146486 files and directories currently installed.)
Unpacking libcap2-bin (from .../libcap2-bin_1%3a2.16-5ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libcap2-bin (1:2.16-5ubuntu1) ...
Step 2: Create a Wireshark Group (Optional)
Since the application we’ll be granting heightened capabilities to can by default be executed by all users, you may wish to add a designated group for the Wireshark family of utilities (and similar applications) and restrict their execution to users within that group. However, this step isn’t strictly necessary.
# groupadd wireshark
# usermod -a -G wireshark stretch
After adding yourself to the group, your normal user may have to log out and back in. Or, you can run newgrp to force the effect of the new group (you’ll have to launch Wireshark from this same terminal environment in step 3):
$ newgrp wireshark
We assign the dumpcap executable to this group instead of Wireshark itself, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 (owner read/write/execute, group read/execute, no access for anyone else) ensures only users belonging to its group can execute the file.
# chgrp wireshark /usr/bin/dumpcap
# chmod 750 /usr/bin/dumpcap
Step 3: Grant Capabilities
Granting capabilities with setcap is a simple matter:
# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
In case you’re wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted capability sets (bitmaps), respectively. A more thorough explanation is provided in section 2 of this FAQ.
To verify our change, we can use getcap:
# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
Now, as the user we added to the wireshark group in step 2, execute Wireshark. You should now see the full list of available adapters and can begin sniffing. (If not, double-check that the wireshark group is listed in the output of groups. You may need to log out and back in for the new group assignment to take effect.)
For example, with USER = atxuser:

---- add USER atxuser to GROUP wireshark ----
# groupadd wireshark
# usermod -a -G wireshark atxuser
---- switch to atxuser and add GROUP wireshark ----
# su - atxuser
$ newgrp wireshark
$ exit
---- Grant Capabilities ----
# chgrp wireshark /usr/sbin/dumpcap
# chmod 750 /usr/sbin/dumpcap
# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/dumpcap
# getcap /usr/sbin/dumpcap
/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+eip
---- to check if tshark can be working fine with non-root user ----
# su - atxuser
$ tshark -i eth0 -a duration:10 -V -T pdml &> dump.xml &
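The three settings established above (the exact capability set with e, i and p flags, mode 750, and the wireshark owning group) are easy to drift from, for instance when a package upgrade replaces dumpcap and silently drops its file capabilities, or when someone later adds cap_sys_admin "to make it work". The following audit script is an added example and is not code from the original article or from the Wireshark project. It parses getcap output in both the older "path = caps+eip" and the newer "path caps=eip" formats, checks the mode and group as printed by GNU stat, and keeps the parsing in functions so it can be exercised offline on constructed lines. The dumpcap path, the group name, the use of GNU coreutils stat and the RUN_AUDIT switch are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): audit the non-root
# capture setup for dumpcap. Checks, on a live host:
#   1. file capabilities are exactly cap_net_raw,cap_net_admin with e,i,p set
#   2. mode is 750 (group may execute, "other" has no access)
#   3. owning group is "wireshark"
# Assumptions: dumpcap at /usr/bin/dumpcap (override with DUMPCAP), group
# "wireshark" (override with EXPECTED_GROUP), GNU coreutils `stat -c`.

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}
EXPECTED_GROUP=${EXPECTED_GROUP:-wireshark}
EXPECTED_CAPS="cap_net_admin,cap_net_raw"

# caps_ok LINE: LINE is one line of getcap output, in either the old form
#   "/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip"
# or the newer form
#   "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"
# Returns 0 only when the capability list is exactly EXPECTED_CAPS (in any
# order) and the effective, inheritable and permitted flags are all present.
# An empty line (no capabilities set) or any extra capability is a failure.
caps_ok() {
    field=${1##* }                 # last whitespace-separated field
    set_part=${field%%[+=]*}       # names before the "+"/"=" flag delimiter
    [ "$set_part" != "$field" ] || return 1   # no flag delimiter: no caps
    flags=${field##*[+=]}          # "eip", "ep", ...
    # order-independent comparison: sort the comma-separated list
    sorted=$(printf '%s\n' "$set_part" | tr ',' '\n' | sort | tr '\n' ',')
    sorted=${sorted%,}
    [ "$sorted" = "$EXPECTED_CAPS" ] || return 1
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *i*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    return 0
}

# perms_ok "MODE GROUP": MODE is the octal mode and GROUP the owning group,
# as printed by `stat -c '%a %G' FILE`. Returns 0 for mode 750 owned by
# EXPECTED_GROUP; anything else (world-executable 755, root group, setuid
# bits) is a failure.
perms_ok() {
    mode=${1%% *}
    group=${1#* }
    mode=${mode#0}                 # tolerate a leading zero ("0750")
    [ "$mode" = "750" ] && [ "$group" = "$EXPECTED_GROUP" ]
}

# audit: run both checks against the live system. Prints one line per check
# and returns 1 if any check failed, 2 if getcap is not installed.
audit() {
    rc=0
    if ! command -v getcap >/dev/null 2>&1; then
        echo "getcap not found: install libcap2-bin first"
        return 2
    fi
    capline=$(getcap "$DUMPCAP" 2>/dev/null)
    if caps_ok "$capline"; then
        echo "ok:   capabilities on $DUMPCAP ($capline)"
    else
        echo "FAIL: capabilities on $DUMPCAP (got: '$capline')"
        rc=1
    fi
    permline=$(stat -c '%a %G' "$DUMPCAP" 2>/dev/null)
    if perms_ok "$permline"; then
        echo "ok:   mode/group on $DUMPCAP ($permline)"
    else
        echo "FAIL: mode/group on $DUMPCAP (got: '$permline', want: 750 $EXPECTED_GROUP)"
        rc=1
    fi
    return $rc
}

# Only touch the live system when explicitly asked, so the file can also be
# sourced to use caps_ok/perms_ok on captured output.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit
fi
```

Run it on a host with `RUN_AUDIT=1 sh dumpcap_audit.sh` (or `DUMPCAP=/usr/sbin/dumpcap RUN_AUDIT=1 sh dumpcap_audit.sh` for the CentOS-style path used in the example session above). A non-zero exit is a cheap signal for a configuration-management check after package upgrades, which is when file capabilities most often disappear.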