Sniffing with Wireshark as a Non-Root User

By stretch | Friday, March 19, 2010 at 11:39 a.m. UTC

This article focuses on Linux and some UNIXes. For Windows users, there is some good info in the Wireshark wiki.

Many network engineers become dismayed the first time they run Wireshark on a Linux machine and find that they don't have access to any network interfaces. This is because, by default, raw access to network interfaces (e.g. eth0) requires root privileges. Unfortunately, this often prompts people to simply run Wireshark as root - a bad idea. As an older Gentoo Linux ebuild of Wireshark warns:

WIRESHARK CONTAINS OVER ONE POINT FIVE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.

Indeed, due to the complexity and sheer number of its many protocol dissectors, Wireshark is inherently vulnerable to malformed traffic (accidental or otherwise), which may result in denial of service conditions or possibly arbitrary code execution. But if we shouldn't run Wireshark with root privileges, how are we to capture packets?

The lead developer of Wireshark, Gerald Combs, points out that some Linux distributions are beginning to implement Linux filesystem capabilities for raw network access. In this article, we'll walk through putting this idea into practice on an Ubuntu 9.10 machine, and go into a bit more detail behind the system commands.

Filesystem Capabilities

What are filesystem capabilities? From the man page:

For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is non-zero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

The manual goes on to list over two dozen distinct POSIX capabilities which individual executables may be granted. For sniffing, we're interested in two specifically:

  • CAP_NET_ADMIN - Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
  • CAP_NET_RAW - Permit use of RAW and PACKET sockets.

CAP_NET_ADMIN allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire. These capabilities are assigned using the setcap utility.

Enabling Non-root Capture

Step 1: Install setcap

First, we'll need to install the setcap executable if it hasn't been already. We'll use this to set granular capabilities on Wireshark's dumpcap executable. setcap is part of the libcap2-bin package.

stretch@Sandbox:~$ sudo apt-get install libcap2-bin
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  libcap-dev
The following NEW packages will be installed:
  libcap2-bin
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.7kB of archives.
After this operation, 135kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com karmic/universe libcap2-bin 1:2.16-5ubuntu1 [17.7kB]
Fetched 17.7kB in 0s (36.7kB/s)    
Selecting previously deselected package libcap2-bin.
(Reading database ... 146486 files and directories currently installed.)
Unpacking libcap2-bin (from .../libcap2-bin_1%3a2.16-5ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libcap2-bin (1:2.16-5ubuntu1) ...

Step 2: Create a Wireshark Group (Optional)

Since the executable we'll be granting heightened capabilities to can, by default, be run by any user, you may wish to create a dedicated group for the Wireshark family of utilities (and similar applications) and restrict their execution to members of that group. This step isn't strictly necessary, however.

root@Sandbox# groupadd wireshark
root@Sandbox# usermod -a -G wireshark stretch

After adding yourself to the group, your normal user may have to log out and back in. Or, you can run newgrp to force the effect of the new group (you'll have to launch Wireshark from this same terminal environment in step 3):

stretch@Sandbox$ newgrp wireshark

We assign the dumpcap executable to this group instead of Wireshark itself, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 ensures only users belonging to its group can execute the file.

root@Sandbox# chgrp wireshark /usr/bin/dumpcap
root@Sandbox# chmod 750 /usr/bin/dumpcap

Step 3: Grant Capabilities

Granting capabilities with setcap is a simple matter:

root@Sandbox# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

In case you're wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted bitmaps, respectively. A more thorough explanation is provided in section 2 of this FAQ.

To verify our change, we can use getcap:

root@Sandbox# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

Now, as the user we added to the wireshark group in step 2, launch Wireshark. You should see the full list of available adapters and can begin sniffing. (If not, double-check that wireshark appears in the output of groups; you may need to log out and back in for the new group assignment to take effect.)
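As an added example (not part of the original article), the following POSIX shell script wraps Steps 2 and 3 into one re-runnable unit and verifies the outcome. This matters because file capabilities live in the binary's extended attributes, so a package upgrade that replaces /usr/bin/dumpcap silently drops both the capability and the group restriction, and the steps have to be repeated. The script assumes the group name wireshark and the dumpcap path /usr/bin/dumpcap used in the article (the path can be overridden with DUMPCAP=...); the helper names caps_ok, mode_ok and apply_caps are the example's own. The two checker functions take a getcap or ls -l output line as input, so they can be exercised without root; apply_caps needs root and runs only when the script is invoked as "apply <user>".

```sh
#!/bin/sh
# Added example, not from the original article: wraps Steps 2 and 3 into one
# re-runnable script and verifies the result. Assumptions: the group is named
# "wireshark" and dumpcap lives at /usr/bin/dumpcap (override with DUMPCAP=...).
# The helper names caps_ok, mode_ok and apply_caps are this example's own.

DUMPCAP="${DUMPCAP:-/usr/bin/dumpcap}"
GROUP="wireshark"

# caps_ok LINE: succeed only if a getcap output line grants BOTH cap_net_admin
# and cap_net_raw in the effective (e), inheritable (i) and permitted (p) sets.
# Handles the older "path = caps+eip" form shown in the article as well as the
# newer "path caps=eip" form printed by recent libcap releases. Paths
# containing spaces are not handled.
caps_ok() {
    line="$1"
    spec="${line##* }"          # last whitespace-separated field: the cap spec
    case "$spec" in *[+=]*) ;; *) return 1 ;; esac   # must carry a flag set
    flags="${spec##*[+=]}"      # text after the last '+' or '=': e.g. "eip"
    caps="${spec%[+=]*}"        # text before it: "cap_net_admin,cap_net_raw"
    case ",$caps," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case ",$caps," in *,cap_net_raw,*)   ;; *) return 1 ;; esac
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *i*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
    return 0
}

# mode_ok LINE: succeed only if an "ls -l" line shows mode 750 (no world
# execute, no setuid bit) and group ownership by $GROUP, i.e. only members of
# the group can run the file.
mode_ok() {
    set -- $1                   # split the ls -l line into its fields
    perms="${1%[.+]}"           # drop the ACL/SELinux marker some ls versions append
    [ "$perms" = "-rwxr-x---" ] && [ "${4:-}" = "$GROUP" ]
}

# apply_caps USER: perform Steps 2 and 3 for USER (must run as root), then
# confirm with getcap and ls -l that the change actually took effect.
apply_caps() {
    user="$1"
    [ "$(id -u)" -eq 0 ] || { echo "apply_caps: must run as root" >&2; return 1; }
    [ -x "$DUMPCAP" ] || { echo "apply_caps: $DUMPCAP not found" >&2; return 1; }
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    usermod -a -G "$GROUP" "$user"
    chgrp "$GROUP" "$DUMPCAP"
    chmod 750 "$DUMPCAP"
    setcap cap_net_raw,cap_net_admin=eip "$DUMPCAP"
    caps_ok "$(getcap "$DUMPCAP")" || { echo "setcap did not take effect" >&2; return 1; }
    mode_ok "$(ls -l "$DUMPCAP")" || { echo "mode/group not as expected" >&2; return 1; }
    echo "$DUMPCAP: capabilities and group restriction verified for $user"
}

# Act only when invoked as "apply <user>"; with no arguments the script just
# defines the functions, so it can be sourced or tested without root.
if [ "${1:-}" = "apply" ]; then
    apply_caps "${2:?usage: $0 apply <user>}"
fi
```

Run it as root, e.g. sudo sh setup_dumpcap_caps.sh apply stretch, then log out and back in (or run newgrp wireshark) so the new group membership applies to your session. Re-run it after any Wireshark package upgrade; unlike dpkg-statoverride's mode database, nothing re-applies a file capability for you.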

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Comments


Dinger (guest)
March 19, 2010 at 12:22 p.m. UTC

Why can't Wireshark drop root after it starts sniffing, a la Apache?


stretch
March 19, 2010 at 12:41 p.m. UTC

@Dinger: If it did, you'd have to restart the application every time you wanted to re-start a capture.


spencer
March 19, 2010 at 1:18 p.m. UTC

Nice article!


phocean
March 19, 2010 at 1:54 p.m. UTC

It sounds very nice, unfortunately something must be missing for openSUSE 11.2:

% sudo zypper install libcap-progs
% sudo groupadd wireshark
% sudo usermod -G wireshark jc
% sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

% getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

% groups
users wireshark

%wireshark
[...]
dumpcap: There are no interfaces on which a capture can be done

lobo
March 19, 2010 at 2:17 p.m. UTC

Good article. You can also use dpkg-statoverride on Debian-based systems to set file modes and ownership. dpkg-statoverride keeps a database of the modifications and applies them to the files again when you upgrade software packages. However, it doesn't support capabilities at the moment.

root@Sandbox# dpkg-statoverride --add root wireshark 750 /usr/bin/dumpcap 
root@Sandbox# dpkg-statoverride --list /usr/bin/dumpcap
root wireshark 750 /usr/bin/dumpcap
root@Sandbox# ls -l /usr/bin/dumpcap
-rwxr-x--- 1 root wireshark 58676 2009-10-25 05:33 /usr/bin/dumpcap

Regards,

Jochen


Fazal Majid (guest)
March 19, 2010 at 4:20 p.m. UTC

Solaris has had privileges for ages, in this case net_rawaccess. I run Cacti with SMF granting the net_icmpaccess privilege so tools like fping need not be setuid to work.

That said, I never use Wireshark to capture packets. Do you really want a sizeable fraction of those 1.5M lines of code in the way of each packet? I always capture using tcpdump (or Solaris' snoop) as root to a file, then read the file with Wireshark, sometimes on a completely different system.


stretch
March 19, 2010 at 4:33 p.m. UTC

@phocean: Did you do the following?

chgrp wireshark /usr/bin/dumpcap
chmod 750 /usr/bin/dumpcap

If so, you may just need to log out and back in. If not, I'm not sure what's up with it. =\


stretch
March 19, 2010 at 4:39 p.m. UTC

@Fazal Majid: Wireshark itself doesn't capture packets (though it did prior to version 0.99.7); that's handled by the dumpcap executable, which is similar to tcpdump. It's a very lightweight executable:

stretch$ ls -lh `which dumpcap`
-rwxr-x--- 1 root wireshark 63K 2009-10-25 00:28 /usr/bin/dumpcap

Also, the use of filesystem capabilities as demonstrated in the article can be applied to tcpdump as well, to avoid having to run it as root.


phocean
March 19, 2010 at 7:05 p.m. UTC

@stretch: Yes, I did that, so there must be another issue. If I ever find it, I will update here.


ibarrere (guest)
March 20, 2010 at 1:34 a.m. UTC

Another great article, Stretch!

I'm glad to see another network engineer concerned with system security. I used to copy and paste that warning from the ebuild into any thread I saw that suggested using Wireshark to capture packets. It's cool to see that there's a way around that these days.


stretch
March 21, 2010 at 4:18 a.m. UTC

@phocean: Hey, see if CONFIG_SECURITY_FILE_CAPABILITIES is enabled in your kernel config. If not, filesystem capabilities need to be enabled.


phocean
March 22, 2010 at 9:38 a.m. UTC

@stretch: Good idea, thank you for checking. Unfortunately, that was activated:

% uname -r
2.6.31.12-0.1-desktop
% grep CONFIG_SECURITY_FILE_CAPABILITIES /boot/config-2.6.31.12-0.1-desktop
CONFIG_SECURITY_FILE_CAPABILITIES=y

phocean
March 22, 2010 at 1:59 p.m. UTC

@stretch: Ok, I found out. Actually, it was necessary to activate the capabilities at boot time.

So I added the following line in /boot/grub/menu.lst, kernel field:

file_caps=1

stretch
March 22, 2010 at 2:05 p.m. UTC

@phocean: Ha! Weird. Glad you solved it, and thanks for posting the solution!


juancarlospaco
March 23, 2010 at 2:32 p.m. UTC

AppArmor and SELinux protect me, even root can't pwn


JRP (guest)
April 8, 2010 at 1:43 p.m. UTC

Hi,

This looks cool but I am having trouble using this on CentOS 5 which is not Debian.

Does anyone know of a work around to implement this for CentOS 5?

Thanx,

John


JRP (guest)
April 8, 2010 at 4:40 p.m. UTC

Hi,

I found a LIBCAP2 Source from:

http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/

I installed this with the required dependencies.

The result I get after the install and following the instructions above are:

# uname -a
Linux localhost.localdomain 2.6.18-164.15.1.el5PAE #1 SMP Wed Mar 17 12:14:29 EDT 2010 i686 i686 i386 GNU/Linux

# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/dumpcap

# getcap /usr/sbin/dumpcap
/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+eip

# ls -al /usr/sbin/dumpcap
-rwxr-x--- 1 root wireshark 60900 Jun 16  2009 /usr/sbin/dumpcap

When I launch Wireshark as the user in the Wireshark group I get NO interfaces listed.

Can anyone point me to my error in implementation?

Thanx,

John


Promu (guest)
August 12, 2010 at 10:24 a.m. UTC

Thank you very much for the post. I have spent almost 24hr on this but couldn't figure it out.


Bevor (guest)
September 5, 2010 at 9:25 a.m. UTC

Very helpful article. Thanks.


Christopher (guest)
September 23, 2010 at 2:08 a.m. UTC

Yes! loved the post, quick and simple


pokengx (guest)
September 27, 2010 at 3:55 a.m. UTC

Very very helpful . thanks !


Replika (guest)
December 14, 2010 at 3:45 a.m. UTC

Nice post, thanks


polecat (guest)
January 25, 2011 at 1:09 a.m. UTC

You is hypercool, merci merci


asdfqwerty (guest)
March 14, 2011 at 8:33 p.m. UTC

Thanks for this post. I've followed the instructions above. One issue I'm having is the following: when I start Wireshark through the desktop GUI (Gnome, in this case), the capabilities don't seem to be applied and I can't access any interfaces. However, when I start Wireshark via command line, everything works as advertised above. Is there some additional step to get it working through the desktop application menu? I'll try this on KDE later in case it's just a Gnome issue.


a7ndrew
May 27, 2011 at 12:21 a.m. UTC

libcap2-bin is a dependency of wireshark, at least the 1.4.6-1 wireshark on my ubuntu 11.04. As such, step 1 isn't really needed for users on that platform. (And Debian as well, I'm guessing)


Binary Soldier (guest)
June 1, 2011 at 1:17 p.m. UTC

Thanks for posting this, I can confirm it works on Ubuntu 11.04.


GrimmVarg (guest)
July 11, 2011 at 7:53 a.m. UTC

ah, thank you. Been searching for a way to do this :)


nicgios (guest)
August 3, 2011 at 9:21 p.m. UTC

Excellent article: I did the job in 2 minutes... many thanks. (running Debian Lenny)


pgarth (guest)
September 1, 2011 at 9:17 p.m. UTC

Awesome! Now on to learning this tool. Thanks for your article.


Ravi Joshi (guest)
September 9, 2011 at 11:01 p.m. UTC

Nice article. I could use it to run wireshark as non-root user.


gdesilva (guest)
September 21, 2011 at 12:11 a.m. UTC

Thanks! Clear, concise instructions.


Rob (guest)
September 27, 2011 at 10:56 a.m. UTC

Works great on Xubuntu 11.04. Thanks!


bendo (guest)
October 15, 2011 at 10:25 a.m. UTC

OK, so I can't get wireshark gui in x to run properly at all without logging in to x as root and running wireshark as root. My overall goal is to get secure so before i get in to details... Let's start with, is it ok to have a policy of logging in to x with root since most of my tools require it anyways? Or should I be logging in to x with an admin or just a user and sudo ing anything I need root for?


Dummy (guest)
November 12, 2011 at 6:51 p.m. UTC

Hey, thanks!
Worked awesome!

Only thing that should maybe be mentioned: You switched to root in Steps 2 and 3!!

I didn't recognize it at the beginning! For the dummy user it would be nice to also use sudo at steps 2 and 3 (or tell them to switch to root).

Thx
Dummy


Glennn (guest)
January 25, 2012 at 10:42 a.m. UTC

Hi Stretch,

This worked perfectly for ubuntu 11.10 (Oneiric). For newbies like me note that step 2 and 3 are executed as root, I used "sudo -s" to get to this mode. Also in step 2, "stretch" is the actual user, replace it with your username.

On the other hand, I use GNS3/Dynamips to simulate network hardware; can something similar be done to allow connections to the network without running as root? I'll be glad to provide more info and help testing.

Thanks,


Tobi (guest)
February 8, 2012 at 7:40 p.m. UTC

If I understood right I need to enable CONFIG_SECURITY_FILE_CAPABILITIES to make wireshark work in the described setup. Though, it is not enabled on my system.

$ uname -r
2.6.35-30-generic

$ grep CONFIG_SECURITY_FILE_CAPABILITIES /boot/config-2.6.35-30-generic
// Nothing

Can you please describe how I can enable the setting and what its purpose is exactly?


DANIL (guest)
February 9, 2012 at 5:10 p.m. UTC

Thank you very much for the post. It works great.


harrisonc
June 12, 2012 at 7:43 p.m. UTC

Great job on the post. Keep up the good work!


Heiko (guest)
June 19, 2012 at 1:07 a.m. UTC

Hi,
works great. But still I can only capture from net interfaces, which caps do I need to add to be able to capture USB ? :)


Heiko (guest)
June 19, 2012 at 5:45 a.m. UTC

Since there are no answers yet, I'll post the solution that worked for me:

setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_DAC_OVERRIDE+eip /usr/bin/dumpcap

Greetings
Heiko


Ankit (guest)
July 2, 2012 at 7:18 p.m. UTC

How do you login using the user name that you added to the group?
I am a noob at this and hence don't have much of an idea.

Thanks
Shaurya


F (guest)
July 14, 2012 at 4:47 a.m. UTC

If you have compiled Wireshark, maybe dumpcap will be in /usr/local/bin.


wayne (guest)
August 30, 2012 at 6:40 p.m. UTC

Excellent post. Wireshark was driving me crazy trying to run it as a non-root user. Your instructions were perfect.
Thanks.


Farrukh (guest)
August 31, 2012 at 6:34 a.m. UTC

Excellent article. Just one question, why isn't it suitable to run it as root even if it has many lines of code?


winston (guest)
September 21, 2012 at 3:09 a.m. UTC

Thanks a bunch for posting this. It worked great for me on Ubuntu 12.04. This was, by far, the best solution I found. Thanks again.


Miroslav Rovis (guest)
September 25, 2012 at 12:37 a.m. UTC

The capfaq-0.2.txt is, seems, not there anymore.
I found it here:
https://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt
Cheers!


olif (guest)
January 7, 2013 at 11:16 p.m. UTC

Thank you very much from France for this article


ATW136 (guest)
January 17, 2013 at 3:56 p.m. UTC

Worked on Xubuntu 12.10. libcap2-bin was already installed. Thanks. Saved me a lot of time!


Ago (guest)
February 22, 2013 at 4:04 p.m. UTC

Thanks a lot! Worked like a charm.


mikmax (guest)
March 7, 2013 at 11:26 p.m. UTC

Thanks a lot for your post. For some time I've been looking for a solution. Works fine with Linux Mint 14 Cinnamon, for e.g., which installs zenmap & etherape for both simple and root users. But not wireshark.
As with Fedora you just need to set up the launcher as root inside the launcher menu manager. Thanks again.


*Tom (guest)
March 23, 2013 at 4:55 p.m. UTC

Thank you very much for this nice tutorial! The best one I have found (and I have been look for this info for a while)!

Tom


xapaxuc (guest)
May 27, 2013 at 8:03 p.m. UTC

Very useful article! Thanks!


brett (guest)
July 17, 2013 at 9:13 p.m. UTC

So here on Kubuntu 13.04 dumpcap installed to /usr/local/bin/dumpcap instead of /usr/bin/dumpcap. I guess the takeaway is that I need to be sure where dumpcap gets installed to. Otherwise the correct permissions don't get set (obviously) and we get ye olde "NO interfaces listed" except when Wireshark is run as root issue.

sudo newgrp wireshark
sudo chgrp wireshark /usr/local/bin/dumpcap
sudo chmod 750 /usr/local/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/dumpcap

Thank you for this post it helped immensely


Manikandan (guest)
August 8, 2013 at 8:30 a.m. UTC

Very nice. It's working fine..


newbie (guest)
September 14, 2013 at 1:06 p.m. UTC

Worked great, thanks !


Estalle
November 15, 2013 at 1:20 p.m. UTC

thanks!


A guest
January 25, 2014 at 4:09 a.m. UTC

Thanks so much for writing this! Works perfectly in Kubuntu 13.10.

Odd that similar guides aren't on the first help page of Wireshark.


empty MT (guest)
February 5, 2014 at 1:33 p.m. UTC

Works perfectly on my Debian machine.
Thank you very much !


darbehdar (guest)
July 2, 2014 at 6:33 a.m. UTC

Hi Stretch,

Many heartfelt thanks for not only showing us a series of steps that lead to results BUT also illuminating the background and reasons WHY they are applied.

I learnt a great deal from this, particularly the motivation behind the capabilities system of the Linux kernel.

Thanks


gargo (guest)
July 5, 2014 at 3:40 a.m. UTC

@stretch: Thank you! still very useful!

@lobo: thanks to you too! hope that some day dpkg-statoverride gets to work with capabilities too! thats a great idea.

Saludos!
