Thursday 23 October 2014

Access wireshark using under privileged user.

This was the first problem, probably from the series of the problems i will be facing.

Using wireshark from a non root user.
When i started wireshark from the terminal as a under privileged user i got the error, saying the interfaces are not accessible.

My normal reaction was to start wireshark as a root user.

Now i was able to see the interface's, however wireshark warned me saying it is not secure to run wireshark with root privileges.

After searching for a while i found the following solution.

From the terminal login to root:
surajk@bt:~$ su

Now locate the dumpcap file:
root@bt:/home/surajk# locate dumpcap

Now just enable the required capabilities using the following command:
root@bt:/home/surajk# setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/dumpcap

The path of the dumpcap file is same as returned by the locate command.

Exit from the root login, and try starting wireshark.
This should solve your problem.

Some technical insight (Optional):

The capabilities allows dumpcap to do the following things.
    * use RAW and PACKET sockets;
    * bind to any address for transparent proxying.

CAP_NET_ADMIN (Capabilities to perform various network-related operations):
    * interface configuration;
    * administration of IP firewall, masquerading, and accounting;
    * modify routing tables;
    * bind to any address for transparent proxying;
    * set type-of-service (TOS)
    * clear driver statistics;
    * set promiscuous mode;
    * enabling multicasting;

This article that nicely explains the procedure to solve this problem.
To know more about capabilities one can read this.