Sniffing with Wireshark as a Non-Root User
By stretch | Friday, March 19, 2010 at 11:39 a.m. UTC
This article focuses on Linux and some UNIXes. For Windows users, there is some good info in the Wireshark wiki.
Many network engineers become dismayed the first time they run Wireshark on a Linux machine and find that they don't have access to any network interfaces. This is because, by default, raw access to network interfaces (e.g. eth0) requires root privileges. Unfortunately, this often prompts people to simply run Wireshark as root - a bad idea. As an older Gentoo Linux ebuild of Wireshark warns:
WIRESHARK CONTAINS OVER ONE POINT FIVE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.
Indeed, due to the complexity and sheer number of its many protocol dissectors, Wireshark is inherently vulnerable to malformed traffic (accidental or otherwise), which may result in denial of service conditions or possibly arbitrary code execution. But if we shouldn't run Wireshark with root privileges, how are we to capture packets?
The lead developer of Wireshark, Gerald Combs, points out that some Linux distributions are beginning to implement Linux filesystem capabilities for raw network access. In this article, we'll walk through putting this idea into practice on an Ubuntu 9.10 machine, and include a bit more detail behind the system commands.
Filesystem Capabilities
What are filesystem capabilities? From the man page:
For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is non-zero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
The manual goes on to list over two dozen distinct POSIX capabilities which individual executables may be granted. For sniffing, we're interested in two specifically:
- CAP_NET_ADMIN - Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
- CAP_NET_RAW - Permit use of RAW and PACKET sockets.
CAP_NET_ADMIN allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire. These capabilities are assigned using the setcap utility.
Enabling Non-root Capture
Step 1: Install setcap
First, we'll need to install the setcap executable if it hasn't been already. We'll use this to set granular capabilities on Wireshark's dumpcap executable. setcap is part of the libcap2-bin package.
stretch@Sandbox:~$ sudo apt-get install libcap2-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  libcap-dev
The following NEW packages will be installed:
  libcap2-bin
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.7kB of archives.
After this operation, 135kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com karmic/universe libcap2-bin 1:2.16-5ubuntu1 [17.7kB]
Fetched 17.7kB in 0s (36.7kB/s)
Selecting previously deselected package libcap2-bin.
(Reading database ... 146486 files and directories currently installed.)
Unpacking libcap2-bin (from .../libcap2-bin_1%3a2.16-5ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libcap2-bin (1:2.16-5ubuntu1) ...
Step 2: Create a Wireshark Group (Optional)
Since the application we'll be granting heightened capabilities can by default be executed by all users, you may wish to add a designated group for the Wireshark family of utilities (and similar applications) and restrict their execution to users within that group. However, this step isn't strictly necessary.
root@Sandbox# groupadd wireshark
root@Sandbox# usermod -a -G wireshark stretch
After adding yourself to the group, your normal user may have to log out and back in. Or, you can run newgrp to force the effect of the new group (you'll have to launch Wireshark from this same terminal environment in step 3):
stretch@Sandbox$ newgrp wireshark
We assign the dumpcap executable to this group instead of Wireshark itself, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 ensures only users belonging to its group can execute the file.
root@Sandbox# chgrp wireshark /usr/bin/dumpcap
root@Sandbox# chmod 750 /usr/bin/dumpcap
Step 3: Grant Capabilities
Granting capabilities with setcap is a simple matter:
root@Sandbox# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
In case you're wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted bitmaps, respectively. A more thorough explanation is provided in section 2 of this FAQ.
To verify our change, we can use getcap:
root@Sandbox# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
Now, as the user who we added to the wireshark group in step 2, execute Wireshark. You should now see the full list of available adapters and can begin sniffing. (If not, double-check that the wireshark group is listed in the output of groups. You may need to log out and back in for the new group assignment to take effect.)
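The three steps above can be collected into one script that applies the setup and then checks the result the same way the article does (getcap, ls -l, groups). This is an added example, not the article's own script: the dumpcap path, the group name and the sample output lines in the comments are assumptions, and apply_setup must be run as root. The checking functions parse both the older "path = caps+eip" and the newer "path caps=eip" getcap output layouts, and the mode check deliberately rejects anything more permissive than 750.

```shell
#!/bin/sh
# Added example (not from the original article): apply the dumpcap
# capability setup from steps 2 and 3, then verify it.
# Assumptions: dumpcap lives at $DUMPCAP and the group is $GROUP; adjust
# them for distributions that install to /usr/sbin or /usr/local/bin.

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}
GROUP=${GROUP:-wireshark}
REQUIRED_CAPS="cap_net_admin cap_net_raw"

# has_caps LINE
# LINE is one line of getcap output, in either the older layout
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
# or the newer libcap layout
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
# Returns 0 only if every required capability is listed and the flag set
# includes e (effective) and p (permitted). The i flag is accepted but not
# required: it only takes effect in combination with the caller's own
# inheritable set, which is empty for an ordinary user.
has_caps() {
  line=$1
  case $line in
    *" = "*) spec=${line#*" = "} ;;
    *)       spec=${line#* } ;;
  esac
  caps=${spec%%[+=]*}     # e.g. "cap_net_admin,cap_net_raw"
  flags=${spec##*[+=]}    # e.g. "eip"
  for c in $REQUIRED_CAPS; do
    case ",$caps," in
      *",$c,"*) ;;
      *) return 1 ;;
    esac
  done
  case $flags in *e*) ;; *) return 1 ;; esac
  case $flags in *p*) ;; *) return 1 ;; esac
  return 0
}

# in_group LINE GROUP
# LINE is the output of `groups` for the current user, e.g. "users wireshark".
in_group() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# mode_ok LINE GROUP
# LINE is the `ls -l` line for dumpcap. Returns 0 only when the file is
# owned by GROUP and the mode is exactly rwxr-x--- (750): group members
# may execute it, everyone else may not. A 777 "fix" fails this check.
mode_ok() {
  want=$2
  set -- $1                # split the ls -l line into fields
  mode=$1
  grp=$4
  [ "$mode" = "-rwxr-x---" ] && [ "$grp" = "$want" ]
}

# apply_setup: the privileged part (steps 2 and 3). Run as root.
apply_setup() {
  groupadd -f "$GROUP"                       # -f: succeed if it already exists
  chgrp "$GROUP" "$DUMPCAP"
  chmod 750 "$DUMPCAP"
  setcap cap_net_raw,cap_net_admin=eip "$DUMPCAP"
}

# verify: what a member of the group should see afterwards.
verify() {
  has_caps "$(getcap "$DUMPCAP")" \
    || { echo "missing capabilities on $DUMPCAP"; return 1; }
  mode_ok "$(ls -l "$DUMPCAP")" "$GROUP" \
    || { echo "wrong group or mode on $DUMPCAP (want root:$GROUP 750)"; return 1; }
  in_group "$(groups)" "$GROUP" \
    || { echo "you are not in $GROUP yet: log out and back in, or run newgrp $GROUP"; return 1; }
  echo "ok: $DUMPCAP is ready for non-root capture by group $GROUP"
}

case ${1:-} in
  apply)  apply_setup && verify ;;   # sudo sh capsetup.sh apply
  verify) verify ;;                  # sh capsetup.sh verify (as the normal user)
esac
```

Run it once as root with `apply`, then again as the normal user with `verify`; the last check is the one that explains the most common "no interfaces" report in the comments, a group membership that has not taken effect yet.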
Posted in Packet Analysis, Tips and Tricks
Comments
March 19, 2010 at 12:22 p.m. UTC
Why can't Wireshark drop root after it starts sniffing, a la Apache?
March 19, 2010 at 12:41 p.m. UTC
@Dinger: If it did, you'd have to restart the application every time you wanted to re-start a capture.
March 19, 2010 at 1:18 p.m. UTC
Nice article!
March 19, 2010 at 1:54 p.m. UTC
It sounds very nice, unfortunately something must be missing for openSUSE 11.2 :
% sudo zypper install libcap-progs
% sudo groupadd wireshark
% sudo usermod -G wireshark jc
% sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
% getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
% groups
users wireshark
% wireshark
[...]
dumpcap: There are no interfaces on which a capture can be done
March 19, 2010 at 2:17 p.m. UTC
Good article. You can also use dpkg-statoverride on debian based systems to set file modes and ownership. Dpkg-statoverride keeps a database of the modifications and applies them to the files again, when you upgrade software packages. However it doesn't support capabilities at the moment.
root@Sandbox# dpkg-statoverride --add root wireshark 750 /usr/bin/dumpcap
root@Sandbox# dpkg-statoverride --list /usr/bin/dumpcap
root wireshark 750 /usr/bin/dumpcap
root@Sandbox# ls -l /usr/bin/dumpcap
-rwxr-x--- 1 root wireshark 58676 2009-10-25 05:33 /usr/bin/dumpcap
Regards,
Jochen
March 19, 2010 at 4:20 p.m. UTC
Solaris has had privileges for ages, in this case net_rawaccess. I run Cacti with SMF granting the net_icmpaccess privilege so tools like fping need not be setuid to work.
That said, I never use Wireshark to capture packets. Do you really want a sizeable fraction of those 1.5M lines of code in the way of each packet? I always capture using tcpdump (or Solaris' snoop) as root to a file, then read the file with Wireshark, sometimes on a completely different system.
March 19, 2010 at 4:33 p.m. UTC
@phocean: Did you do the following?
chgrp wireshark /usr/bin/dumpcap
chmod 750 /usr/bin/dumpcap
If so, you may just need to log out and back in. If not, I'm not sure what's up with it. =\
March 19, 2010 at 4:39 p.m. UTC
@Fazal Majid: Wireshark itself doesn't capture packets (though it did prior to version 0.99.7); that's handled by the dumpcap executable, which is similar to tcpdump. It's a very lightweight executable:
stretch$ ls -lh `which dumpcap`
-rwxr-x--- 1 root wireshark 63K 2009-10-25 00:28 /usr/bin/dumpcap
Also, the use of filesystem capabilities as demonstrated in the article can be applied to tcpdump as well, to avoid having to run it as root.
March 19, 2010 at 7:05 p.m. UTC
@stretch: Yes, I did that so there must be another issue. If I ever find, I will update here.
March 20, 2010 at 1:34 a.m. UTC
Another great article, Stretch!
I'm glad to see another network engineer concerned with system security. I used to copy and paste that warning from the ebuild into any thread I saw that suggested using Wireshark to capture packets. It's cool to see that there's a way around that these days.
March 21, 2010 at 4:18 a.m. UTC
@phocean: Hey, see if CONFIG_SECURITY_FILE_CAPABILITIES is enabled in your kernel config. If not, filesystem capabilities need to be enabled.
March 22, 2010 at 9:38 a.m. UTC
@stretch: Good idea, thank you for checking. Unfortunately, that was activated :
% uname -r
2.6.31.12-0.1-desktop
% grep CONFIG_SECURITY_FILE_CAPABILITIES /boot/config-2.6.31.12-0.1-desktop
CONFIG_SECURITY_FILE_CAPABILITIES=y
March 22, 2010 at 1:59 p.m. UTC
@stretch: Ok, I found out. Actually, it was necessary to activate the capabilities at boot time.
So I added the following line in /boot/grub/menu.lst, kernel field :
file_caps=1
March 22, 2010 at 2:05 p.m. UTC
@phocean: Ha! Weird. Glad you solved it, and thanks for posting the solution!
March 23, 2010 at 2:32 p.m. UTC
AppArmor and SELinux protect me, even root can't pwn
April 8, 2010 at 1:43 p.m. UTC
Hi,
This looks cool but I am having trouble using this on CentOS 5 which is not Debian.
Does anyone know of a work around to implement this for CentOS 5?
Thanx,
John
April 8, 2010 at 4:40 p.m. UTC
Hi,
I found a LIBCAP2 Source from:
http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/
I installed this with the required dependencies.
The result I get after the install and following the instructions above are:
# uname -a
Linux localhost.localdomain 2.6.18-164.15.1.el5PAE #1 SMP Wed Mar 17 12:14:29 EDT 2010 i686 i686 i386 GNU/Linux
# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/dumpcap
# getcap /usr/sbin/dumpcap
/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+eip
# ls -al /usr/sbin/dumpcap
-rwxr-x--- 1 root wireshark 60900 Jun 16 2009 /usr/sbin/dumpcap
When I launch Wireshark as the user in the Wireshark group I get NO interfaces listed.
Can anyone point me to my error in implementation?
Thanx,
John
August 12, 2010 at 10:24 a.m. UTC
Thank you very much for the post. I have spent almost 24hr on this but couldn't figure it out.
September 5, 2010 at 9:25 a.m. UTC
Very helpful article. Thanks.
September 23, 2010 at 2:08 a.m. UTC
Yes! loved the post, quick and simple
September 27, 2010 at 3:55 a.m. UTC
Very very helpful . thanks !
December 14, 2010 at 3:45 a.m. UTC
Nice post, thanks
January 25, 2011 at 1:09 a.m. UTC
You is hypercool, merci merci
March 14, 2011 at 8:33 p.m. UTC
Thanks for this post. I've followed the instructions above. One issue I'm having is the following: when I start Wireshark through the desktop GUI (Gnome, in this case), the capabilities don't seem to be applied and I can't access any interfaces. However, when I start Wireshark via command line, everything works as advertised above. Is there some additional step to get it working through the desktop application menu? I'll try this on KDE later in case it's just a Gnome issue.
May 27, 2011 at 12:21 a.m. UTC
libcap2-bin is a dependency of wireshark, at least the 1.4.6-1 wireshark on my ubuntu 11.04. As such, step 1 isn't really needed for users on that platform. (And Debian as well, I'm guessing)
June 1, 2011 at 1:17 p.m. UTC
Thanks for posting this, I can confirm it works on Ubuntu 11.04.
July 11, 2011 at 7:53 a.m. UTC
ah, thank you. Been searching for a way to do this :)
August 3, 2011 at 9:21 p.m. UTC
Excellent article: I did the job in 2 minutes... many thanks. (running Debian Lenny)
September 1, 2011 at 9:17 p.m. UTC
Awesome! Now on to learning this tool. Thanks for your article.
September 9, 2011 at 11:01 p.m. UTC
Nice article. I could use it to run wireshark as non-root user.
September 21, 2011 at 12:11 a.m. UTC
Thanks! Clear, concise instructions.
September 27, 2011 at 10:56 a.m. UTC
Works great on Xubuntu 11.04. Thanks!
October 15, 2011 at 10:25 a.m. UTC
OK, so I can't get the wireshark GUI in X to run properly at all without logging in to X as root and running wireshark as root. My overall goal is to get secure, so before I get into details... Let's start with: is it OK to have a policy of logging in to X as root since most of my tools require it anyway? Or should I be logging in to X as an admin or just a user and sudo-ing anything I need root for?
November 12, 2011 at 6:51 p.m. UTC
Hey, thanks!
Worked awesome!
Only thing that should maybe be mentioned: You switched to root in Steps 2 and 3!!
I didn't recognize it at the beginning! For the dummy user it would be nice to also use sudo at steps 2 and 3 (or tell them to switch to root).
Thx
Dummy
January 25, 2012 at 10:42 a.m. UTC
Hi Stretch,
This worked perfectly for ubuntu 11.10 (Oneiric). For newbies like me note that step 2 and 3 are executed as root, I used "sudo -s" to get to this mode. Also in step 2, "stretch" is the actual user, replace it with your username.
On the other hand. I use GNS3/Dynamips to simulate Network hardware this, can something similar be done to allow connections to the network, but not running as root. I'll be glad to provide more info and help testing.
Thanks,
February 8, 2012 at 7:40 p.m. UTC
If I understood right I need to enable CONFIG_SECURITY_FILE_CAPABILITIES to make wireshark work in the described setup. Though, it is not enabled on my system.
$ uname -r
2.6.35-30-generic
$ grep CONFIG_SECURITY_FILE_CAPABILITIES /boot/config-2.6.35-30-generic
// Nothing
Can you please describe how I can enable the setting and what its purpose is exactly?
February 9, 2012 at 5:10 p.m. UTC
Thank you very much for the post. It works great.
June 12, 2012 at 7:43 p.m. UTC
Great job on the post. Keep up the good work!
June 19, 2012 at 1:07 a.m. UTC
Hi,
works great. But still I can only capture from net interfaces, which caps do I need to add to be able to capture USB ? :)
June 19, 2012 at 5:45 a.m. UTC
Since there are no answers yet, I'll post the solution that worked for me:
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_DAC_OVERRIDE+eip /usr/bin/dumpcap
Greetings
Heiko
July 2, 2012 at 7:18 p.m. UTC
How do you login using the user name that you added to the group?
I am a noob at this and hence don't have much of an idea.
Thanks
Shaurya
July 14, 2012 at 4:47 a.m. UTC
If you have compiled Wireshark, maybe dumpcap will be in /usr/local/bin.
August 30, 2012 at 6:40 p.m. UTC
Excellent post. Wireshark was driving me crazy trying to run it as a non-root user. Your instructions were perfect.
Thanks.
August 31, 2012 at 6:34 a.m. UTC
Excellent article. Just one question, why isn't it suitable to run it as root even if it has many lines of code?
September 21, 2012 at 3:09 a.m. UTC
Thanks a bunch for posting this. It worked great for me on Ubuntu 12.04. This was, by far, the best solution I found. Thanks again.
September 25, 2012 at 12:37 a.m. UTC
The capfaq-0.2.txt is, seems, not there anymore.
I found it here:
https://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt
Cheers!
January 7, 2013 at 11:16 p.m. UTC
Thank you very much from France for this article
January 17, 2013 at 3:56 p.m. UTC
Worked on Xubuntu 12.10. libcap2-bin was already installed. Thanks. Saved me a lot of time!
February 22, 2013 at 4:04 p.m. UTC
Thanks a lot! Worked like a charm.
March 7, 2013 at 11:26 p.m. UTC
Thanks a lot for your post. I have been looking into this issue for some time. It works fine with Linux Mint 14 Cinnamon, for example, which installs zenmap & etherape for both a simple user and root, but not wireshark.
As with Fedora, you just need to set up the launcher as root inside the launcher menu manager. Thanks again.
March 23, 2013 at 4:55 p.m. UTC
Thank you very much for this nice tutorial! The best one I have found (and I have been look for this info for a while)!
Tom
May 27, 2013 at 8:03 p.m. UTC
Very useful article! Thanks!
July 17, 2013 at 9:13 p.m. UTC
So here on kubuntu 13.04 dumpcap installed to /usr/local/bin/dumpcap instead of /usr/bin/dumpcap. I guess the takeaway is that I need to be sure where dumpcap gets installed to. Otherwise the correct permissions don't get set (obviously) and we get ye olde "NO interfaces listed" except when Wireshark is run as root issue.
sudo newgrp wireshark
sudo chgrp wireshark /usr/local/bin/dumpcap
sudo chmod 750 /usr/local/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/dumpcap
Thank you for this post it helped immensely
August 8, 2013 at 8:30 a.m. UTC
Very nice. It's working fine..
September 14, 2013 at 1:06 p.m. UTC
Worked great, thanks !
November 15, 2013 at 1:20 p.m. UTC
thanks!
January 25, 2014 at 4:09 a.m. UTC
Thanks so much for writing this! Works perfectly in Kubuntu 13.10.
Odd that similar guides aren't on the first help page of Wireshark.
February 5, 2014 at 1:33 p.m. UTC
Works perfect on my debian machine.
Thank you very much !
July 2, 2014 at 6:33 a.m. UTC
Hi Stretch,
Many heartfelt thanks for not only showing us a series of steps that lead to results BUT also illuminating the background and reasons WHY they are applied.
I learnt a great deal from this, particularly the motivation behind the capabilities system of the Linux kernel.
Thanks
July 5, 2014 at 3:40 a.m. UTC
@stretch: Thank you! still very useful!
@lobo: thanks to you too! hope that some day dpkg-statoverride gets to work with capabilities too! thats a great idea.
Saludos!
September 3, 2014 at 12:09 p.m. UTC
Thanks! Tried all the same steps from other sites, but had no effect. Your words about re-login (or $newgrp ...) were helpful for me.
September 11, 2014 at 10:50 p.m. UTC
Fine article. Works even for Fedora 20, provided that 'usr/bin/dumpcap' is replaced with '/usr/sbin/dumpcap' at its every occurrence.
September 22, 2014 at 9:08 a.m. UTC
Thank you for the great explanation. It helped me to set up capturing with libpcap from NON-ROOT account.
January 22, 2015 at 2:06 p.m. UTC
Good and informational article
Confirmed on Mint 17.1
May 14, 2015 at 6:51 a.m. UTC
Thank you, this was helpful
June 11, 2015 at 6:03 a.m. UTC
Thanks! worked like a charm.
July 5, 2015 at 9:59 p.m. UTC
It worked well, except that for some reason I had to change /usr/local/bin/dumpcap to 777 instead of 750 - it worked immediately then.
November 30, 2015 at 10:02 p.m. UTC
This was the most complete explanation of the "why" as well as the "how". Running Wireshark on Ubuntu 14.04 LTS now with detailed notes. Thanks for the post.
January 6, 2016 at 10:17 a.m. UTC
Indeed. Great explanation. Thanks!
January 30, 2016 at 2:04 a.m. UTC
Ubuntu 14.04
```
whereis dumpcap
dumpcap: /usr/bin/dumpcap /usr/bin/X11/dumpcap /usr/share/man/man1/dumpcap.1.gz

sudo usermod -a -G wireshark YOUR_USER_NAME
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
```
next line will prevent user from seeing capture interfaces in wireshark GUI so don't use it
```
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
```
use next line setcap command instead because it makes interfaces available for capture (Thanks Heiko!)
```
sudo setcap cap_net_raw,cap_net_admin,cap_dac_override+eip /usr/bin/dumpcap
```
April 1, 2016 at 6:29 a.m. UTC
After all these years, it's still a great post and holds up! Got tshark working on my pi, so thank you a bunch!