Ask Your Question
0

dumpcap -w option with -b option does not seem to work

asked 2020-06-10 23:53:42 +0000

jogusto gravatar image

updated 2020-06-11 15:21:40 +0000

* UPDATED TO MERGE THE DUPLICATE QUESTION INFO *

Running dumpcap on Ubuntu 18.04 LTS 64-bit. I can run Wireshark in the GUI just fine, can capture packets, etc. Please note that I can run dumpcap, outputting to a temporary file. That works. My user is in the group 'wireshark' and yes I chose those pcap installation options to have it work that way. So, from a basic permissions point of view, dumpcap does run, does capture packets.

If there is some reason anyone knows why "sudo command" is not the same as "running as root" then please tell me.

My problem is not having ANY success getting the output options to work properly.

They seem very broken.

First of all, just using the -w filename option does not work unless I first create the file. That does not make any sense to have it work that way!

sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng  -q
Capturing on 'enp0s3'
dumpcap: The file to which the capture would be saved ("/home/jgustavson/myfile.pcapng") could not be opened: Permission denied.

Notice that the file in fact does not exist but the program says "Permission denied" as the error. I am in my home directory at the time. If I create the file via echo foo >myfile.pcapng and then try the dumpcap command, it works. Very unexpected!

sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng  -q
Capturing on 'enp0s3'
File: /home/jgustavson/myfile.pcapng
Packets captured: 141
[ctrl-C here]
Packets received/dropped on interface 'enp0s3': 141/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)

Anyone understand why dumpcap seems to be incapable of creating a file if I tell it the name to use with the -w option? If I leave the -w option out, it will create and write to a temporary file just fine.

What I really want to do is set up a ring buffer option, so dumpcap will start a new file every nnn seconds:

sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng -b interval:60 -q
Capturing on 'enp0s3'
dumpcap: The file to which the capture would be saved ("/home/jgustavson/myfile.pcapng") could not be opened: No such file or directory.

... but as you can see, that fails too. (yes, I had deleted myfile.pcapng before running the command, to start "clean") If I leave out the -w option it complains "dumpcap: Ring buffer requested, but capture isn't being saved to a permanent file."

Now I want to run dumpcap, using a ring buffer option to start a new file every 60 seconds. I use the command line:

   sudo dumpcap -i enp0s3 -w `pwd`/dump.pcapng -b interval:60 -q

No matter what I do, so long as I have the -b option on the command line, I get grousing:

  Capturing on 'enp0s3'
   dumpcap: The file to which the capture would be saved ("/home/jgustavson/dump.pcapng") could not be opened: 
   No such file or directory.

This seems like it should ... (more)

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-06-11 02:41:56 +0000

Chuckc gravatar image

Look at the answer here.
Not running dumpcap as root is recommended.
I tested on my Ubuntu system with 2.6.10 and 3.2.3 - worked fine after chgrp and chmod.
If it fails after setting the permissions, verify that the directory is writable.

edit flag offensive delete link more

Comments

what does sudo do? runs as root. I'm not understanding your statement "not running... as root"

Which chgrp and chmod commands did you issue? Perhaps giving the specific information might help me get this solved.

If I create the -w output file first, dumpcap can write to my file and my directory. If I run it without the -w option, it happily captures, and writes to a temp file. How can this be explained by permissions? I am in my home directory, I should have permissions, and besides, I'm running as root.

jogusto gravatar imagejogusto ( 2020-06-11 14:58:26 +0000 )edit

See the wiki page here on applying the correct permissions to dumpcap and creating the appropriate group when running on Ubuntu.

grahamb gravatar imagegrahamb ( 2020-06-11 16:17:37 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-06-10 23:53:42 +0000

Seen: 70 times

Last updated: Jun 11