Enabling Non-root Capture
Step 1: Install setcap
First, we'll need to install the setcap executable if it hasn't been already. We'll use this to set granular file capabilities on Wireshark's dumpcap executable, so that neither Wireshark nor dumpcap has to run as root. setcap is part of the libcap2-bin package on Debian and Ubuntu (on Fedora and RHEL it ships in the libcap package).
stretch@Sandbox:~$ sudo apt-get install libcap2-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  libcap-dev
The following NEW packages will be installed:
  libcap2-bin
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.7kB of archives.
After this operation, 135kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com karmic/universe libcap2-bin 1:2.16-5ubuntu1 [17.7kB]
Fetched 17.7kB in 0s (36.7kB/s)
Selecting previously deselected package libcap2-bin.
(Reading database ... 146486 files and directories currently installed.)
Unpacking libcap2-bin (from .../libcap2-bin_1%3a2.16-5ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libcap2-bin (1:2.16-5ubuntu1) ...
Step 2: Create a Wireshark Group (Optional)
Since the executable we'll be granting heightened capabilities can by default be run by every user on the system, you may wish to create a designated group for the Wireshark family of utilities (and similar applications) and restrict their execution to members of that group. This step isn't strictly necessary, but without it anyone with a shell on the machine will be able to capture traffic once step 3 is done.
root@Sandbox# groupadd wireshark
root@Sandbox# usermod -a -G wireshark stretch
After adding yourself to the group, your normal user may have to log out and back in. Or, you can run newgrp to force the effect of the new group (you'll have to launch Wireshark from this same terminal environment in step 3):
stretch@Sandbox$ newgrp wireshark
We assign the dumpcap executable to this group rather than Wireshark itself, as dumpcap is the helper that does all the low-level capture work; the Wireshark GUI and tshark only launch it. Changing its mode to 750 ensures that only root and members of its group can execute the file:
root@Sandbox# chgrp wireshark /usr/bin/dumpcap
root@Sandbox# chmod 750 /usr/bin/dumpcap
Step 3: Grant Capabilities
Granting capabilities with setcap is a simple matter:
root@Sandbox# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
cap_net_raw lets dumpcap open the raw packet sockets it captures from, and cap_net_admin covers the interface configuration that some capture modes need, such as enabling monitor mode on a wireless adapter. In case you're wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted bitmaps, respectively (=ep, without the inheritable flag, is also sufficient for dumpcap). A more thorough explanation is provided in section 2 of .
Two caveats worth knowing before you rely on this. File capabilities are stored in an extended attribute on the binary, so they are silently lost whenever a package upgrade replaces /usr/bin/dumpcap; on Debian and Ubuntu, running dpkg-reconfigure wireshark-common and answering yes to non-superuser capture makes the package perform steps 2 and 3 itself and repeat them on every upgrade. Like the setuid bit, file capabilities are also ignored on filesystems mounted nosuid. Finally, cap_net_admin grants far more than capture (interface and routing changes, for example), so treat membership in the wireshark group as a privileged one.
To verify our change, we can use getcap:
root@Sandbox# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
Now, as the user we added to the wireshark group in step 2, execute Wireshark. You should now see the full list of available adapters and can begin sniffing. (If not, double-check that the wireshark group is listed in the output of groups. You may need to log out and back in for the new group assignment to take effect.)
----for example: USER is atxuser----
----add USER atxuser to GROUP wireshark----
[root@localhost robot]# groupadd wireshark
[root@localhost robot]# usermod -a -G wireshark atxuser
----switch to atxuser and add GROUP wireshark----
[root@localhost robot]# su - atxuser
[atxuser@localhost ~]$ newgrp wireshark
[atxuser@localhost ~]$ exit
----Grant Capabilities----
[root@localhost robot]# chgrp wireshark /usr/sbin/dumpcap
[root@localhost robot]# chmod 750 /usr/sbin/dumpcap
[root@localhost robot]# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/dumpcap
[root@localhost robot]# getcap /usr/sbin/dumpcap
/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+eip
----to check that tshark works with a non-root user----
[root@localhost robot]# su - atxuser
[atxuser@localhost ~]$ tshark -i eth0 -a duration:10 -V -T pdml > dump.xml &