 | 1 | initial version |
Capturing on 'usbmon1'
libpcap uses different mechanisms for capturing on different devices.
On Linux, for regular network interfaces, it uses the Linux PF_PACKET socket mechanism, which just requires CAP_NET_RAW and CAP_NET_ADMIN (and, for some purposes, doesn't even require the latter).
However, for USB traffic capture, it uses the USB monitor mechanism, which, unfortunately, requires...
...root privileges. Thanks, Linux!
(Linux isn't the only annoying one; macOS's libpcap supports an "any" device, but it doesn't use the BPF capture mechanism, so it requires...
...root privileges. Thanks, Apple!)
Perhaps we should, for all platforms, just have dumpcap require root privileges.
If you want to capture USB traffic, try doing
chown root /usr/bin/dumpcap
chmod u+s /usr/bin/dumpcap
dumpcap does know about root privileges and will give them up as soon as it can, just as it does with CAP_NET_RAW and CAP_NET_ADMIN. It means that, before it does, it has more privileges than with CAP_NET_RAW and CAP_NET_ADMIN, but, as noted, that's not easy to escape.
(Really, the ideal would be if libpcap ran very small helper programs that opens the relevant device, with whatever privileges are required, and then hands a descriptor for it back to libpcap over a UNIX-domain socket, which would confine the elevate privileges to a very tiny program. It would also allow all capture programs, such as tcpdump, to run without any elevated privileges.)