This page is about running Wireshark on Linux as a normal user, rather than as root.
It is mostly written around Kali Linux 1.1, although various bits of the page may be relevant to other distributions.
The basic problem is that if you try to run Wireshark as a normal user, you don't get the ability to choose which network interface to use; in fact you don't get any network interfaces at all.
Now this isn't actually a problem with Wireshark itself, because Wireshark doesn't talk directly to the network interfaces - it runs another executable to do this, "dumpcap", which is usually located in /usr/bin/.
Wireshark itself will function quite happily with the limited privileges of a normal user, but dumpcap won't: it needs elevated privileges to control the network interface(s), and those elevated privileges can be provided by running Wireshark, and hence dumpcap, as root.
However, this is a bad idea for two reasons. The first is that dumpcap doesn't need all the privileges that running as root provides, and it is always bad security policy to run with more privileges than are actually required.
The second is that Wireshark is known to have security problems. This isn't meant as a criticism of Wireshark: the developers are constantly expanding what it can do, and it is quite amazing just how many different communication technologies it can handle, so Wireshark isn't a finished product, and Wireshark users are more than likely to be quite technically literate.
Historically though, running as root was how Wireshark was run, probably because there wasn't any other way to do it.
However, developments in the Linux kernel have introduced a mechanism that lets a process be assigned some specific elevated privileges without the whole suite of elevated privileges that comes with running as root. This mechanism is known as "capabilities"; as the kernel has evolved they have been introduced bit by bit. I think that the concepts started with kernel 2.2, then 2.4 added a bit more.
This isn't a page about the theory of capabilities (I don't know anything like enough about them to write such a page), but a useful place to look is /usr/include/linux/capability.h. Opened in a text viewer, this shows the list of capabilities that the Linux installation you are using understands and has available for use -
cat /usr/include/linux/capability.h | less
will do this.
Kali Linux 1.1 shows 37 of them - and the two capabilities that dumpcap needs to control the network interfaces are "cap_net_admin" and "cap_net_raw" - capabilities number 12 and 13.
However before we can apply these capabilities to dumpcap, we have to separate dumpcap away from wireshark from a permissions point of view.
A fairly simple way to do this is to associate dumpcap with the users group -
chgrp users /usr/bin/dumpcap
This does work, but it might be neater and a better solution to create a new group, called for example "net-probes"; particular users can then be added to this group, and only they will get the ability to use dumpcap, and hence Wireshark.
groupadd net-probes
chgrp net-probes /usr/bin/dumpcap
usermod -a -G net-probes <username>
If you want to prevent users who are not members of the net-probes group from running Wireshark, then set the permissions -
chmod 750 /usr/bin/dumpcap
Now that we have isolated the permissions on dumpcap from the permissions on Wireshark, we can add the capabilities -
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
Check that the capabilities have now been set -
getcap /usr/bin/dumpcap
and you should get the result -
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
Reboot, log in as the normal user, and see if it works.
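As an added example (not part of the original page), here is a small POSIX shell script that checks whether dumpcap has been set up as described in the steps above: owned by root, group-only executable with mode 750 and no setuid bit, and carrying exactly cap_net_admin and cap_net_raw as effective and permitted. It assumes the path /usr/bin/dumpcap and the group name net-probes from the steps above, GNU coreutils stat, getent, and getcap from libcap.

```shell
#!/bin/sh
# Added example, not from the original page: verify that dumpcap has been
# locked down as described above. Assumes /usr/bin/dumpcap, a "net-probes"
# group, GNU coreutils stat, getent and getcap from libcap.

# caps_ok LINE: succeed only if a getcap output line grants exactly
# cap_net_admin and cap_net_raw with both the effective (e) and permitted (p)
# flags. Both getcap output styles are accepted:
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip     (libcap 2.41 and later)
caps_ok() {
    line=$1
    caps=${line#*" = "}                      # drop "path = " (old style)
    [ "$caps" = "$line" ] && caps=${line#* } # or just "path " (new style)
    case $caps in
        *+*) names=${caps%%+*}; flags=${caps#*+} ;;
        *=*) names=${caps%%=*}; flags=${caps#*=} ;;
        *)   return 1 ;;                     # no capability set at all
    esac
    case $names in
        cap_net_admin,cap_net_raw|cap_net_raw,cap_net_admin) ;;
        *) return 1 ;;                       # missing or extra capabilities
    esac
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
}

# perms_ok PATH UID GID: succeed only if PATH is owned by UID:GID with mode
# exactly 0750 (so no setuid/setgid bit and no access for other users).
# Numeric ids are compared so the check does not depend on name lookups.
perms_ok() {
    actual=$(stat -c '%u %g %a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2 $3 750" ]
}

# audit_dumpcap [PATH] [GROUP]: run both checks against the live system.
audit_dumpcap() {
    path=${1:-/usr/bin/dumpcap}
    gid=$(getent group "${2:-net-probes}" | cut -d: -f3)
    [ -n "$gid" ] || { echo "group ${2:-net-probes} does not exist"; return 1; }
    perms_ok "$path" 0 "$gid" || { echo "owner/group/mode wrong on $path"; return 1; }
    caps_ok "$(getcap "$path" 2>/dev/null)" || { echo "capabilities wrong on $path"; return 1; }
    echo "$path is set up for non-root capture"
}

# Run the audit only when explicitly asked, e.g.:  sh dumpcap-check.sh --audit
[ "${1-}" = "--audit" ] && audit_dumpcap
```

Run it as the normal user after the setup steps; any failure names which of the three properties (ownership, mode, capability set) still needs fixing.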
Just because a Linux distribution is using kernel 2.4 or 2.6 doesn't mean that the distribution has the ability to use capabilities - if the file /usr/include/linux/capability.h doesn't exist, it probably doesn't know about capabilities - Kali Linux 1.1 is on kernel 3.18, which is a much later kernel version.
Some versions of the usermod command will not recognise the "-a" and "-G" options - try the "-A" option instead.
Some distributions of Linux are a bit sneaky in that they run Wireshark through a desktop configuration tool like gksu or xdg which runs Wireshark as root behind your back - you may well be asked for an admin password, but underneath, you are running Wireshark as root.