Wireshark won't capture packets as non-root, but then works after it crashes

asked 2023-05-03 11:37:57 +0000

jru2

updated 2023-05-03 11:53:22 +0000

I am running Ubuntu LTS 20.04. I have a customized wireshark 3.4.4 installed (required for a customized dissector). I uninstalled the version of wireshark I initially installed through apt. And then I successfully built from source, and installed it. I did the things that I see on the internet about reconfiguring the package to allow non-root users to capture, and adding my user to the wireshark group or adding s+x permissions to dumpcap. However, when I start wireshark it always gives the same error that it can't capture packets.

ls -la /usr/bin/dumpcap 
-rwsr-xr-x 1 root wireshark 468224 May  3 07:27 /usr/bin/dumpcap

sudo getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

sudo adduser user wireshark  
The user `user' is already a member of `wireshark'.

groups
user adm cdrom sudo dip plugdev lpadmin lxd sambashare wireshark

However, sometimes it will crash and I'm asked to report the problem to Ubuntu. When I do that, and then hit "relaunch", it then works fine and can capture packets fine. Until the next time I close it and re-open it, when it goes back to not being able to capture packets. Any idea how I can get around this issue?


Comments

WSUG: 1.6.7. Reporting Crashes on UNIX/Linux platforms

Is there a core file or any diagnostics to describe the crash?

Chuckc ( 2023-05-03 15:41:26 +0000 )

There was, but I don't know where it's stored now. Unfortunately I can't find a reliable way to make it crash (or I'd just use that as a workaround to get me past the issue). And

gdb `whereis wireshark | cut -f2 -d: | cut -d' ' -f2` core >& backtrace.txt

from the link you posted, isn't doing anything.

jru2 ( 2023-05-03 16:29:20 +0000 )

The gdb command is looking for the file core.

Chuckc ( 2023-05-03 17:02:57 +0000 )

While you write "...adding my user to the wireshark group or adding s+x permissions to dumpcap..." what the quoted output shows is that you have done "...adding my user to the wireshark group and adding s+x permissions to dumpcap...".

Since we can assume you have a Linux kernel supporting capabilities, I would suggest removing the set-uid bit from dumpcap. Then log out and log in again (do not skip this). Then see what Wireshark does.

Jaap ( 2023-05-04 13:57:32 +0000 )
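A configuration check for the setup discussed in this thread (an added example, not code posted by anyone here). It checks the dumpcap mode bits, file capabilities and group membership the way the comments above describe; audit_dumpcap_live is a hypothetical helper name that feeds the same check from a running system.

```shell
#!/bin/sh
# Added example, not from the thread: audit a dumpcap install against the
# capability-based non-root capture setup recommended above.
# audit_dumpcap takes the fields as arguments so it runs offline on the
# outputs quoted in the thread; audit_dumpcap_live (hypothetical helper)
# gathers them from the running system with stat, getcap and id.

# audit_dumpcap MODE OWNER GROUP CAPS "GROUPS"
#   MODE   ls -l mode string, e.g. -rwxr-xr-x
#   CAPS   getcap output (either "path = caps+eip" or "path caps=eip" style)
#   GROUPS space-separated groups of the capturing user (as printed by groups)
# Prints one finding per line; returns 0 only when the setup is clean.
audit_dumpcap() {
    mode=$1 owner=$2 group=$3 caps=$4 ugroups=$5 rc=0
    case $mode in ???[sS]*)
        echo "WARN: setuid bit set; rely on file capabilities instead (chmod u-s)"; rc=1 ;;
    esac
    case $caps in *cap_net_raw*) ;; *)
        echo "FAIL: cap_net_raw missing (setcap cap_net_raw,cap_net_admin=eip)"; rc=1 ;;
    esac
    case $caps in *cap_net_admin*) ;; *)
        echo "WARN: cap_net_admin missing (the setup in this thread grants both)"; rc=1 ;;
    esac
    if [ -n "$caps" ]; then
        flags=${caps##*[+=]}            # "eip" in both getcap output styles
        case $flags in *e*p*|*p*e*) ;; *)
            echo "FAIL: capabilities must be effective and permitted (flags: $flags)"; rc=1 ;;
        esac
    fi
    case $mode in ??????[xs]*) ;; *)
        echo "FAIL: group execute bit missing (chmod g+x)"; rc=1 ;;
    esac
    case " $ugroups " in *" $group "*) ;; *)
        echo "FAIL: user is not in group $group (adduser USER $group, then log out and back in)"; rc=1 ;;
    esac
    [ "$owner" = root ] || echo "INFO: owner is $owner, not root"
    return $rc
}

audit_dumpcap_live() {
    bin=${1:-$(command -v dumpcap)}
    [ -n "$bin" ] || { echo "dumpcap not found"; return 1; }
    set -- $(stat -c '%A %U %G' "$bin")          # mode owner group
    audit_dumpcap "$1" "$2" "$3" "$(getcap "$bin" 2>/dev/null)" "$(id -Gn)"
}
```

Run `audit_dumpcap_live` as the capturing user (not via sudo, since it reads that user's groups); the first `ls`/`getcap` output in the question trips the setuid warning, the later one passes.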


ls -la /usr/bin/dumpcap 
-rwxr-xr-x 1 root wireshark 468224 May  3 07:27 /usr/bin/dumpcap

getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.202  netmask 255.255.255.0  broadcast 192.168.1.255

When I log out and log in, or restart the entire machine, I still get the error that I don't have permissions to sniff on eno1.

jru2 ( 2023-05-04 14:26:26 +0000 )