Comment 4 for bug 893828

Evan Huus (eapache) wrote :

My apologies for the rather extensive delay. Other things came up, and it took me longer than I thought it would to figure out what was going on.

Short answer: running "sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_DAC_OVERRIDE+eip' /usr/bin/dumpcap" should grant you the ability to capture USB packets as non-root (as long as you're in the wireshark group, of course). This is a *workaround*, and is not nice from a security perspective (although it's still better than running the whole of wireshark as root). More details are below the cut.

---

Running dpkg-reconfigure as you did simply automates the steps listed at [1] and [2]. This uses the Linux capabilities subsystem [3] to grant the dumpcap program (the part of wireshark that actually does the capturing) the NET_RAW and NET_ADMIN capabilities so it can capture on network interfaces without full root privileges.

The USB capture component of dumpcap uses a different interface from the network capture, as the kernel exposes the two types of devices in different ways. The USB devices are exposed via the /dev/usbmonXXX device files, which are read/writable by root only. Setting the NET_* capabilities has no effect on dumpcap's ability to access those files.

Unfortunately, the only capability I've found that does grant dumpcap the ability to access those files is the DAC_OVERRIDE capability (DAC stands for Discretionary Access Control). With this capability, dumpcap can read/write to ANY file on the filesystem regardless of that file's permissions or owner. This means it can access the USB device files, but it also means it gets access to all the other dangerous files on the filesystem.

The optimal solution would be for Linux to provide more fine-grained capabilities so that it is possible to grant dumpcap USB access without all of the other dangerous stuff that comes with it. For now, it's understandable why Wireshark doesn't want to open up that security hole by default.

If anything is unclear, please don't hesitate to ask.

Evan

[1] http://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Setting_network_privileges_for_dumpcap
[2] http://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Limiting_capture_permission_to_only_one_group
[3] http://linux.die.net/man/7/capabilities
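An added defensive check, written for this discussion and not part of the bug report or of Wireshark: a small POSIX shell audit that reads the file capabilities on a capture binary (as printed by getcap(8)), flags the broad ones the comment warns about (CAP_DAC_OVERRIDE reaches every file, not just /dev/usbmon*), and checks that the binary is restricted to the capture group as in [2]. Assumptions: the list of "broad" capabilities is the auditor's own policy, both libcap getcap output formats ("path = caps+eip" and "path caps=eip") are accepted, the group check relies on GNU `stat -c` as found on Ubuntu, and the sample getcap line at the bottom is constructed, not real output.

```shell
#!/bin/sh
# Added example (not from the bug report): audit file capabilities on a
# capture binary such as dumpcap and flag capabilities that reach far
# beyond packet capture, then check group-restricted permissions.

# Capabilities treated as "broad" (assumption: auditor's policy, not
# anything Wireshark ships). cap_dac_override is the one the workaround adds.
BROAD_CAPS="cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace"

# Normalise a clause list such as "cap_net_admin,cap_net_raw+eip" or
# "cap_net_raw+eip cap_dac_override+eip" into one lower-case capability
# name per line, with the +eip / =eip flag suffixes stripped.
cap_names() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed 's/[+=][a-z]*//g' | tr ', ' '\n\n' | sed '/^$/d'
}

# Strip the path (and libcap's optional " = ") from a getcap output line:
#   "/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip"   (older libcap)
#   "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"     (newer libcap)
caps_from_getcap_line() {
    printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//'
}

# Print the broad capabilities present in a clause list, one per line.
# Exit status 0 if any were found, 1 otherwise.
broad_caps_in() {
    found=1
    for c in $(cap_names "$1"); do
        for b in $BROAD_CAPS; do
            if [ "$c" = "$b" ]; then
                printf '%s\n' "$c"
                found=0
            fi
        done
    done
    return $found
}

# Classify a getcap line as "none" (no capabilities), "capture-only"
# (only cap_net_raw / cap_net_admin), "broad" (anything in BROAD_CAPS)
# or "other" (something else that deserves a look).
classify_getcap_line() {
    caps=$(caps_from_getcap_line "$1")
    if [ -z "$caps" ]; then echo none; return; fi
    if broad_caps_in "$caps" >/dev/null; then echo broad; return; fi
    for c in $(cap_names "$caps"); do
        case "$c" in
            cap_net_raw|cap_net_admin) ;;
            *) echo other; return ;;
        esac
    done
    echo capture-only
}

# Check an octal mode (as from "stat -c %a") and group name: the
# one-group setup in [2] means no permission bits for "other" and group
# ownership by the capture group (wireshark on Debian/Ubuntu).
group_restricted() {
    mode=$1; group=$2; want=${3:-wireshark}
    case "$mode" in
        *0) ;;            # last octal digit 0: nothing for "other"
        *) return 1 ;;
    esac
    [ "$group" = "$want" ]
}

# Audit a real binary when getcap(8) and GNU stat(1) are available.
audit_binary() {
    bin=$1
    if command -v getcap >/dev/null 2>&1; then
        line=$(getcap "$bin" 2>/dev/null)
        verdict=$(classify_getcap_line "$line")
        printf '%s: capabilities: %s\n' "$bin" "$verdict"
        if [ "$verdict" = broad ]; then
            broad_caps_in "$(caps_from_getcap_line "$line")" | sed 's/^/  broad: /'
        fi
    fi
    if command -v stat >/dev/null 2>&1; then
        if group_restricted "$(stat -c %a "$bin")" "$(stat -c %G "$bin")"; then
            echo "$bin: restricted to the wireshark group"
        else
            echo "$bin: NOT restricted to the wireshark group"
        fi
    fi
}

# Constructed sample (not real getcap output): the workaround from the comment.
SAMPLE_WORKAROUND='/usr/bin/dumpcap = cap_net_raw,cap_net_admin,cap_dac_override+eip'

# Usage: sh audit_caps.sh /usr/bin/dumpcap   (no argument: classify the sample)
if [ -n "${1:-}" ]; then
    audit_binary "$1"
else
    printf 'sample: %s\n' "$(classify_getcap_line "$SAMPLE_WORKAROUND")"
fi
```

Run it against /usr/bin/dumpcap after dpkg-reconfigure to see "capture-only", and again after applying the workaround to see "broad" with cap_dac_override listed; the group check is the cheap reminder that the capabilities only help if the binary itself is not executable by everyone.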