Capturing packets on wireshark as a normal user

Posted by Diego Assencio on 2013.11.26 under Linux (Wireshark)

To capture packets on wireshark without being root, open a terminal and run:

sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

This will enable all users to capture live traffic going through any network interface. If this is what you wish, you are done: just run wireshark and have fun!

For the more curious reader, the command above changes the capabilities of the dumpcap binary (dumpcap is the capture utility from which wireshark obtains the captured packets). You can verify that the command worked by running:

getcap /usr/bin/dumpcap

This is what you should see:

/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

If you think allowing all users to have this privilege is too permissive, then you should create a group and only allow users from that group to execute dumpcap (and therefore to capture live traffic with wireshark). On Ubuntu/Debian, you can create a group called wireshark with the following command:

sudo addgroup wireshark

Now change the group of the dumpcap binary to wireshark:

sudo chgrp wireshark /usr/bin/dumpcap

Make sure only users in the wireshark group can execute dumpcap:

sudo chmod 754 /usr/bin/dumpcap

Now add the necessary capabilities to dumpcap as discussed above (even if you already ran this command before, run it again as dumpcap might have lost its given capabilities at this point):

sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

To test if your permissions are correct, run wireshark as a regular user (I am assuming you have not added this user to the wireshark group). If you cannot capture live traffic, everything is fine. You should now add each user who should be allowed to capture traffic to the wireshark group with the command below:

sudo usermod -a -G wireshark <username>

To verify that the user now belongs to the wireshark group, run:

id <username>

The output should look similar to this (wireshark must be on the output, the rest is irrelevant):

uid=1000(username) gid=1000(username) ..., 1001(wireshark)

Now run wireshark as one of the users in the wireshark group; you should be able to capture live traffic (however, if you did all of the above as one of the users you added to the wireshark group, you might have to log out and log back in for your added permissions to actually take place).

NOTE: while in principle you could just run wireshark as root and ignore all the instructions above, do not do this! Wireshark is a huge application and there is no need to run the whole thing as root and risk damaging your system.

To read more about this topic, see the wireshark wiki.


No comments posted yet.

Leave a reply

NOTE: A name and a comment (max. 1024 characters) must be provided; all other fields are optional. Equations will be processed if surrounded with dollar signs (as in LaTeX). You can post up to 5 comments per day.