Wireshark: Allow unprivileged user to sniff traffic on Ubuntu.

Network Engineers simply need to sniff packets over Networks. Sniffing is not an option or a Lamer activity, sniffing is the base of Network Troubleshooting.

Using Wireshark, one of the best Network Sniffers (and more) could be tricky, if the software is launched from an unprivileged User Account since access to network interfaces won’t be possible (no device will be listed as available to start packets capture).

On the other side, it is strongly recommended to not run Wireshark as root for security reasons.

By default, raw access to network interfaces (eth0 for example) requires root privileges. Unfortunately, this often prompts people to simply run Wireshark as root: a bad idea.

Due to the complexity and sheer number of its many protocol dissectors, Wireshark is inherently vulnerable to malformed traffic (accidental or otherwise), which may result in Denial of Service conditions or possibly arbitrary code execution.

For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is non-zero).
Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process’s credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

The manual goes on to list over two dozen distinct POSIX capabilities which individual executables may be granted. For sniffing, we’re interested in two specifically:

  • CAP_NET_ADMIN: Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
  • CAP_NET_RAW: Permit use of RAW and PACKET sockets.

CAP_NET_ADMIN allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire.
These capabilities are assigned using the setcap utility.
To list the available capture interfaces, it is possible to use dumpcap command.

Here is a quick guide to allow a non-root user to have rights to sniff packets over Network Interfaces (including USB ones):

1. Install setcap tool in Ubuntu, simply use APT:

sudo apt-get install libcap2-bin

2. Create a Wireshark Group and assign current user to that group:

sudo addgroup -quiet -system wireshark
usermod -a -G wireshark stretch

3. Gather group rights for current user:

newgrp wireshark

4. Assign the dumpcap executable to this group, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 ensures only users belonging to its group can execute the file:

sudo chown root:wireshark /usr/bin/dumpcap
chmod 750 /usr/bin/dumpcap

5. Grant capabilities with setcap:

sudo setcap\
 cap_net_raw,cap_net_admin,cap_dac_override+eip\
 /usr/bin/dumpcap

6. Verify set capabilities (as unprivileged user):

getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_dac_override,cap_net_admin,cap_net_raw+eip

7. List available network interfaces (as unprivileged user):

dumpcap -D
1. eth0
2. wlan0
3. usbmon1 (USB bus number 1)
4. usbmon2 (USB bus number 2)
5. usbmon3 (USB bus number 3)
6. usbmon4 (USB bus number 4)
7. any (Pseudo-device that captures on all interfaces)
8. lo

Comments are closed.