Non-root Wireshark capturing in Linux

On Debian-based platforms (such as Ubuntu), by default you can’t capture data unless you are root. Some information about this is given here. However, you can change this so that anyone in the wireshark group can capture. There is a security concern in this, but it seems to me not much worse than starting a root shell to do the capture.

First reconfigure the wireshark install.

$ sudo dpkg-reconfigure wireshark-common

Select ‘Yes’ to enable SUID in wireshark.

Now add the users you want to the wireshark group.

$ sudo adduser user1 wireshark

You may also need to set file capabilities on dumpcap.

$ sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

Before you are able to capture, you will need to log out and log back in again for the group change to take effect.
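To check what the steps above actually granted, the following added example (not part of the original post) classifies who can capture from dumpcap's mode, owning group and `getcap` output. The function name `capture_exposure` and its verdict strings are made up for this example, and it assumes dumpcap is owned by root and that the intended layout is group wireshark with no execute bit for other users.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes dumpcap is owned by root.
# capture_exposure MODE GROUP CAPS
#   MODE  octal mode as printed by `stat -c %a` (e.g. 754 or 4754)
#   GROUP owning group as printed by `stat -c %G`
#   CAPS  text printed by `getcap` for the file (may be empty)
# Prints one of: root-only, group-only, any-user, misconfigured
capture_exposure() {
    mode=$1 group=$2 caps=$3
    # Pad to four digits so the setuid/setgid/sticky digit is always present.
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
    special=${mode%???}              # first digit: special bits
    grp=${mode#??}; grp=${grp%?}     # third digit: group permissions
    oth=${mode#???}                  # fourth digit: other permissions

    privileged=no
    # Setuid is the 4 bit of the special digit.
    case $special in 4|5|6|7) privileged=yes ;; esac
    # File capabilities: only the capability name is matched, not its flags.
    case $caps in *cap_net_raw*) privileged=yes ;; esac

    if [ "$privileged" = no ]; then
        echo root-only
    elif [ $(( $oth % 2 )) -eq 1 ]; then
        # Other-execute on a privileged dumpcap: group membership gates nothing.
        echo any-user
    elif [ "$group" = wireshark ] && [ $(( $grp % 2 )) -eq 1 ]; then
        echo group-only
    else
        echo misconfigured
    fi
}

# Constructed samples (not real output): mode, group, getcap text.
capture_exposure 754 wireshark "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"  # group-only
capture_exposure 755 root "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"       # any-user

# Live check, only when dumpcap exists at the path used in the post.
f=/usr/bin/dumpcap
if [ -e "$f" ]; then
    live_caps=$(getcap "$f" 2>/dev/null || true)
    echo "$f: $(capture_exposure "$(stat -c %a "$f")" "$(stat -c %G "$f")" "$live_caps")"
fi
```

A verdict of any-user means the wireshark group no longer restricts capturing, which is the case to look for after running setcap by hand on a world-executable dumpcap.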

More info on capture privileges.
