lost and found ( for me ? )

Wireshark, tshark: You don't have permission to capture on that device

I faced the following error when I tried to capture as a non-root user.
$ whoami
foobar

$ /usr/local/bin/tshark -i eth0
capture session could not be initiated (You don't have permission to capture on that device)

To solve this:

Become root.
# whoami
root

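Set file capabilities on dumpcap, the helper binary that tshark and Wireshark run to do the actual capture, and restrict it to a dedicated group.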
# addgroup wireshark
Adding group `wireshark' (GID 1001) ...
Done.

# chgrp wireshark /usr/local/bin/dumpcap

# chmod 754 /usr/local/bin/dumpcap

# setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap

# getcap /usr/local/bin/dumpcap
/usr/local/bin/dumpcap = cap_net_admin,cap_net_raw+eip


Please note that the command path may differ in your environment.
In my case, I built Wireshark from source and installed the binaries under the /usr/local/bin directory.

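Add the user to the wireshark group. usermod -G without -a replaces the user's supplementary group list, so name every group the user should stay in.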
# egrep foobar /etc/group
foobar:x:1000:

# usermod -G foobar,wireshark foobar

# egrep foobar /etc/group
foobar:x:1000:foobar
wireshark:x:1001:foobar

Log in again as the user so that the new group membership takes effect, then capture again.
$ whoami
foobar

$ /usr/local/bin/tshark -i eth0
Capturing on eth0

Hope this helps
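
To check the result of the steps above, the following shell functions audit the mode, owning group and capability set of dumpcap. This is an added example, not part of the original post; the function names audit_dumpcap and audit_path are hypothetical, and the first demo call uses the values shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# audit_dumpcap MODE GROUP PATH GETCAP_LINE
#   MODE/GROUP as printed by `stat -c %a` / `stat -c %G`,
#   GETCAP_LINE is the full output line of `getcap PATH` (empty if none).
# Prints one FAIL line per finding and returns non-zero if there is any.
audit_dumpcap() {
    mode=$1 group=$2 path=$3 line=$4 rc=0

    # Anyone who can execute the file gets its capabilities, so the
    # execute bit for "others" (odd last digit) must be off.
    case $mode in
        *[1357]) echo "FAIL: mode $mode lets users outside the group run $path"; rc=1 ;;
    esac

    [ "$group" = wireshark ] || { echo "FAIL: group is $group, expected wireshark"; rc=1; }

    # getcap prints "PATH = caps+eip" (as in this post) or, with newer
    # libcap, "PATH caps=eip". Strip the path and the flags, keep the names.
    rest=${line#"$path"}; rest=${rest# }; rest=${rest#= }
    names=$(printf '%s' "${rest%%[+=]*}" | tr ',' '\n' | sort | tr '\n' ',')
    [ "$names" = "cap_net_admin,cap_net_raw," ] || {
        echo "FAIL: capabilities are '${rest:-none}', expected only cap_net_admin,cap_net_raw"
        rc=1
    }
    return $rc
}

# Gather the real values for a binary and audit them (GNU stat, libcap getcap).
audit_path() {
    audit_dumpcap "$(stat -c %a "$1")" "$(stat -c %G "$1")" "$1" "$(getcap "$1")"
}

# Demo on the values shown in this post: passes.
p=/usr/local/bin/dumpcap
audit_dumpcap 754 wireshark "$p" "$p = cap_net_admin,cap_net_raw+eip" && echo "OK: $p"
# Constructed bad case: world-executable with an extra capability.
audit_dumpcap 755 wireshark "$p" "$p = cap_net_admin,cap_net_raw,cap_sys_admin+eip" || true
```

On a real system, call audit_path with the path of your own dumpcap binary.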
