Run Wireshark (not) as Root

Capturing packets on a network interface needs root privileges, or more precisely the CAP_NET_RAW and CAP_NET_ADMIN capabilities that root has. But Wireshark is far too large and complex a program to be given root: its hundreds of protocol dissectors parse untrusted input straight off the wire, and a bug in any one of them would then be running with full privileges. (Keep this in mind in general: a program of tens of thousands of lines is a risk to run under sudo.)

Luckily for us, the part of Wireshark that actually does the capturing is a separate and much smaller program, dumpcap. Wireshark (and tshark) start dumpcap as a child process and read the captured packets from it, so only dumpcap needs elevated privileges. Rather than making it setuid root, we give the binary just the two Linux file capabilities it needs, cap_net_raw (open raw sockets) and cap_net_admin (put the interface into promiscuous mode), and restrict who may execute it to a dedicated group so that not every local account inherits those capabilities.

Here is how to set it up on Debian/Ubuntu (on those distributions `sudo dpkg-reconfigure wireshark-common` and answering "yes" to non-superuser capture does the same thing for you; other distributions differ only in how the libcap tools are packaged):

sudo apt-get install libcap2-bin                 # provides setcap/getcap
sudo groupadd wireshark                          # the group allowed to capture
sudo usermod -a -G wireshark <Insert-Your-Username-Here>
sudo chgrp wireshark /usr/bin/dumpcap            # owner stays root, group becomes wireshark
sudo chmod 750 /usr/bin/dumpcap                  # only root and the group may execute it
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Log out and back in (or run `newgrp wireshark`) afterwards: usermod changes /etc/group, but a session that was started before the change still carries the old group list, which is the usual reason it "still doesn't work".
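A small check script for the steps above, added here as an example and not taken from the original post or from the Wireshark project. It assumes dumpcap lives at /usr/bin/dumpcap, that the group is called wireshark, and that getcap (from libcap2-bin), GNU stat and id are available; the three check functions take the tool output as a string so they can also be run against output copied from another host.

```shell
#!/bin/sh
# Added example, not part of the original post or of Wireshark itself:
# verify that dumpcap ended up locked down the way the steps above intend.
# Assumed defaults: /usr/bin/dumpcap and a group named "wireshark".

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}
CAPGROUP=${CAPGROUP:-wireshark}

# cap_ok LINE: LINE is getcap's output for the binary. libcap has printed it
# in two shapes over the years, "/path = cap_a,cap_b+eip" (old) and
# "/path cap_a,cap_b=eip" (current); both are accepted. Succeeds only if
# cap_net_raw and cap_net_admin are both listed and the flags contain
# e (effective) and p (permitted). The i (inheritable) bit is not required.
cap_ok() {
    caps=${1#* }          # drop the path
    caps=${caps#= }       # old format puts "= " in front of the list
    names=${caps%%[=+]*}  # e.g. "cap_net_admin,cap_net_raw"
    flags=${caps##*[=+]}  # e.g. "eip"
    case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    return 0
}

# mode_ok MODE GROUP: MODE and GROUP as printed by `stat -c '%a %G'`.
# "Other" users must have no permission bits at all (octal mode ends in 0)
# and the file must belong to the capture group; otherwise every local
# account can run a binary that carries cap_net_raw.
mode_ok() {
    case $1 in *0) ;; *) return 1 ;; esac
    [ "$2" = "$CAPGROUP" ]
}

# member_ok GROUPLIST: GROUPLIST is the output of `id -Gn` for the current
# session, i.e. the groups this login actually has, not what /etc/group says.
member_ok() {
    case " $1 " in *" $CAPGROUP "*) return 0 ;; *) return 1 ;; esac
}

# verify: run the three checks against the live system and report each one.
verify() {
    rc=0
    command -v getcap >/dev/null 2>&1 || { echo "getcap missing: install libcap2-bin"; return 1; }
    if cap_ok "$(getcap "$DUMPCAP" 2>/dev/null)"; then
        echo "ok:   capabilities on $DUMPCAP"
    else
        echo "FAIL: $DUMPCAP lacks cap_net_raw,cap_net_admin=eip (rerun setcap)"; rc=1
    fi
    set -- $(stat -c '%a %G' "$DUMPCAP" 2>/dev/null)
    if mode_ok "$1" "$2"; then
        echo "ok:   mode $1, group $2"
    else
        echo "FAIL: mode ${1:-?} group ${2:-?}, expected 750 $CAPGROUP (rerun chgrp/chmod)"; rc=1
    fi
    if member_ok "$(id -Gn)"; then
        echo "ok:   this session is in group $CAPGROUP"
    else
        echo "FAIL: not in group $CAPGROUP yet; log out and back in, or newgrp $CAPGROUP"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "all good: 'dumpcap -D' should now list interfaces without sudo"
    fi
    return "$rc"
}

# Live checks only when invoked as "sh verify-dumpcap.sh --check".
if [ "${1:-}" = "--check" ]; then
    verify
fi
```

Run it as `sh verify-dumpcap.sh --check` as the user who is supposed to capture. The most common failure it catches is the third one: the group was added correctly but the current login predates the usermod, so `id -Gn` does not show wireshark yet.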

Credit for this goes to the Wireshark blog, which also has a fuller explanation:
https://blog.wireshark.org/2010/02/running-wireshark-as-you/
