The Official Wireshark Blog

Running Wireshark as You

· 534 words · 3 minutes to read
Categories: Security Tip
Tags: capture Security

Running Wireshark on Linux involves an interesting challenge1: Capturing packets requires root access, but Wireshark is big program and we strongly recommend against running it with elevated privileges. On Linux it’s common to see Wireshark running as root, but this is nearly unheard for similarly-sized applications like Firefox and GIMP. How can we avoid running Wireshark as root?

UPDATE 2010-02-10: Made changes suggested by Jaap and Balint.

A good way 🔗

Notice how I said “capturing packets requires root” above? Here’s a secret — Wireshark doesn’t capture packets. A separate program called dumpcap does. Compared to Wireshark, dumpcap is tiny. It’s much less complex and much safer to run as root. We can make it so that dumpcap runs as root and that only users in a particular group can run it:

$ sudo -s
# groupadd -g wireshark
# usermod -a -G wireshark gerald
# chgrp wireshark /usr/bin/dumpcap
# chmod 4750 /usr/bin/dumpcap

A better way 🔗

It’s also possible to let dumpcap do its job without involving root access at all. For a very long time Linux has allowed the use of fine-grained permissions called capabilities. In many recent distributions you can use the setcap utility to add capabilities to individual files.

Dumpcap needs CAP_NET_RAW and CAP_NET_ADMIN, so what do we need to feed setcap? On my Ubuntu Karmic system the setcap man page points you to cap_from_text. Cap_from_text points you to _cap_names, an array in the kernel. It would be nice if the setcap man page included a list of capability names along with a few examples. As it turns out, the names need to be in lower-case.

$ sudo -s
# sudo apt-get install libcap2-bin
# groupadd -g wireshark
# usermod -a -G wireshark gerald
# chmod 750 /usr/bin/dumpcap
# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

You can also set these capabilities for Wireshark and TShark directly. Fully-functional filesystem capabilities is something the Linux world has needed for a very long time. I’m glad they’re finally seeing wide deployment.

Who’s Doing This? 🔗

Debian and Gentoo are using group-based permissions for Wireshark. Ubuntu is working on it. Hopefully the other distributions will follow suit.


1. This is a problem on other systems too, but it’s usually easier to solve. On Windows you can run the NPF service at startup. On OS X you can use ChmodBPF.

Comments 🔗

Comment by Jake on 2010-02-08 05:45:00 +0000 🔗

Note that the recent Debian packages already implement this, something you’ll notice when installing them. Thanks Balint. For Ubuntu it’s still on Wishlist status.

Comment by Balint on 2010-02-10 04:11:39 +0000 🔗

Gerald,
Could you please suggest using the wireshark system group instead of packetcapture?
Gentoo and Debian already use wireshark group, and it would be easier for newcomers to use the same group name everywhere.

I plan to update the Debian packages to use setcap, thanks for the hint.

Comment by Gerald Combs on 2010-02-10 10:59:09 +0000 🔗

I changed the example group to “wireshark” and mentioned Gentoo, Debian, and Ubuntu.

Comment by Balint on 2010-02-17 10:28:51 +0000 🔗

It would also make sense to use groupadd -g -r wireshark instead of groupadd -g wireshark to make the new group a system group. That would match and nicely coexist with Debian’s and Ubuntu’s installation method.