What you should do is:

  1. install with "non-superusers should be allowed to capture from network interfaces";
  2. run sudo gpasswd -a $USER wireshark from the command line.

At minimum, after doing the sudo gpasswd ..., you will have to log out and log in again, but if that doesn't fix the problem, you may have to reboot.

First of all, it was not exactly clear which colour was meant to select the Yes or No answer on the configuration whether a non-superuser should be able to capture packets of network interfaces. I thought it was the red background when I selected a button.

The color indicates which of the two buttons, Yes and No, is currently selected. The Tab key switches between Yes and No.

When installing Wireshark with Synaptic, there's just a single button to push to select allowing non-root users to capture.

We should probably document this in the User's Guide.

When I selected that non-superusers should be allowed, I haven't seen the hardware network interfaces.

That's because Ubuntu's installer only does half the job. It configures Wireshark so that dumpcap, the program that does the capturing, has the appropriate capabilities set, so that it can open capture files without running as root (running with that capability is safer than running as root), and is set up only to be executable by root and by users in the group "wireshark", but it does NOT add the user who installs Wireshark to the "wireshark" group. You have to do that yourself.

This means that you don't have permission to run dumpcap, so, when Wireshark runs it to get a list of interfaces, that fails, and Wireshark does not report an error for this.

When I selected that they are not, the hardware network interfaces showed up, but when I tried to capture packets, the system said I cannot access that network interface.

That's because, in that case, dumpcap can be run by anybody, but it doesn't have the appropriate capabilities set, and getting a list of interfaces does not require those capabilities - only capturing on them does. I.e., Wireshark can run dumpcap to get a list of the interfaces, but if it runs it to capture, dumpcap gets a "permission denied" error when trying to open the interface for capturing.

The solution was to run Wireshark with sudo.

That's... not a good idea, given how large Wireshark is; running it with root privileges is not recommended.

Is this a bug in Wireshark or I didn't do something correctly?

There are a bunch of problems here, one of which is a Wireshark bug, but fixing that bug won't make it possible to capture, it will, at best, tell you what you have to do to fix the other problems, which aren't Wireshark bugs:

  1. The Ubuntu Wireshark package doesn't indicate that the "non-superusers should be allowed to capture traffic" means "selected non-superusers should be allowed to capture traffic", so the user might infer that it allows everybody to capture traffic.
  2. Ubuntu's installer doesn't add the user to the "wireshark" group if you specify that non-superusers should be allowed to capture traffic. Maybe the argument is that the user specified that non-superusers should be allowed to capture traffic, and that means that selected non-superusers should be allowed to capture traffic, but didn't say "make me one of those non-superusers".
  3. Wireshark doesn't report the failure of dumpcap to run. Ideally, it should determine why it failed (no execute permission because the user isn't in some group, etc.) and provide a platform-dependent suggestion for how to fix it.
  4. Wireshark's documentation in the User's Guide needs to be updated, and possibly updated to give distribution-dependent advice - for example, it appears that, at least in Ubuntu 22.04, after adding yourself to a group with sudo gpasswd -a $USER wireshark, logging out and back in again isn't sufficient - when I tried it, I had to reboot.
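
The two failure modes described in the answer above can be told apart from dumpcap's file mode, owning group and capabilities, plus the user's group membership. The script below is an added example, not part of the original answer, Wireshark or the Ubuntu package; it assumes a non-root user, GNU `stat`, `getcap` from libcap2-bin, and dumpcap at `/usr/bin/dumpcap` (override with the hypothetical `DUMPCAP` variable).

```shell
#!/bin/sh
# Added diagnostic sketch; not part of Wireshark or the Ubuntu package.
# Assumes a non-root user and GNU stat; getcap comes from libcap2-bin.

# has_word LIST WORD: succeeds if WORD is one of the space-separated LIST items
has_word() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# diagnose MODE GROUP CAPS SESSION_GROUPS DB_GROUPS -> prints one verdict
#   MODE/GROUP: octal mode and owning group of dumpcap; CAPS: getcap output
#   SESSION_GROUPS: `id -Gn`; DB_GROUPS: `id -Gn <user>` (group database)
diagnose() {
    mode=$1 group=$2 caps=$3 session=$4 db=$5
    rest=${mode%?}
    other=${mode#"$rest"}            # last octal digit: "other" permissions
    grp=${rest#"${rest%?}"}          # second-to-last digit: group permissions
    can_exec=no
    case $other in 1|3|5|7) can_exec=yes ;; esac
    case $grp in 1|3|5|7)
        if has_word "$session" "$group"; then can_exec=yes; fi ;;
    esac
    if [ "$can_exec" = no ]; then
        # Wireshark cannot run dumpcap at all, so the interface list is empty.
        if has_word "$db" "$group"; then echo relogin; else echo add-to-group; fi
        return 0
    fi
    # dumpcap runs and can list interfaces; capturing also needs capabilities
    # (cap_net_raw is the one checked here).
    case $caps in
        *cap_net_raw*) echo ok ;;
        *) echo no-capabilities ;;
    esac
}

live_check() {
    bin=${DUMPCAP:-/usr/bin/dumpcap}   # Debian/Ubuntu location (assumption)
    [ -e "$bin" ] || { echo "$bin not found"; return 0; }
    owner_group=$(stat -c %G "$bin")
    verdict=$(diagnose "$(stat -c %a "$bin")" "$owner_group" \
        "$(getcap "$bin" 2>/dev/null)" "$(id -Gn)" "$(id -Gn "$(id -un)")")
    case $verdict in
        add-to-group) echo "not in group: sudo gpasswd -a \$USER $owner_group" ;;
        relogin) echo "membership recorded but not active: log out and in, or reboot" ;;
        no-capabilities) echo "dumpcap has no capture capabilities: listing works, capture is denied" ;;
        ok) echo "dumpcap is runnable and has capture capabilities" ;;
    esac
}
live_check
```

The `relogin` verdict compares the running session's groups with the group database, which is why a `gpasswd` change does not take effect until a new login session starts.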