Running tshark as non-root cannot write to buffer file

asked 2018-05-23 02:43:18 +0000

updated 2018-05-23 07:02:24 +0000

grahamb

I ran into a curious issue where I have set tshark to run as a non-root user, with group wireshark. I can run the following: tshark -c 500 -w /mnt/my_usb/test.pcap, without using sudo. However, when I try to run the following: tshark -b filesize:1000 -b file:10 -w /mnt/my_usb/test.pcap without sudo, it reports that the file /mnt/my_usb/test.pcap cannot be found or does not exist. The same command line preceded by sudo has no problems.

I have not found any explanation for this in documentation or pretty diligent search on the web. Anyone have any ideas? I wonder if the issue is that writing to the end of the file requires a root user level, even though dumpcap is chown root:wireshark, the file test.pcap is chmod 770, and setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap, with dumpcap chmod 750.


TShark (Wireshark) 2.2.6 (Git Rev Unknown from unknown)
Compiled (32-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.8, with Gcrypt 1.7.6-beta, with MIT Kerberos, with GeoIP,
with nghttp2 1.18.1.
Running on Linux 4.14.34-v7+, with locale en_US.UTF-8, with libpcap version
1.8.1, with GnuTLS 3.5.8, with Gcrypt 1.7.6-beta, with zlib 1.2.8.
Built using gcc 6.3.0 20170516.
Running on Rasp 3B+

Thanks for ideas



What happens if you first do touch /mnt/my_usb/test.pcap?

Jaap ( 2018-05-23 11:36:46 +0000 )


Thanks, this is how I first responded to the "couldn't find file" error. I thought perhaps the file needed to exist for the buffer. I can run the command without the buffer or file existing using the non-root user, and the file is created automatically. Once it is created, I can also run as a non-root user into the same file, overwriting the previous one. It's just that it won't let me use the file as non-root with a ring buffer option in place. With sudo, the file is used and appended with a number/date/time suffix.

Could this be solved with either a sticky bit or suid/sgid bit? Is there any vulnerability introduced that I was hoping to solve by creating a non-root user of dumpcap/tshark?



pimpernel ( 2018-05-23 13:53:01 +0000 )

If you strace the tshark execution you'll see that there's a stat() system call for the capture file you've defined. In the capture buffer case, this seems spurious, as the name is just a template to create real capture file names from. The question is where the stat() system call comes from.

Jaap ( 2018-05-23 16:45:07 +0000 )
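The thread turns on two things: a single `-w` capture writes into one file (which only needs write permission on that file), while a ring buffer (`-b`) turns the `-w` path into a template and creates a fresh file per rotation (which needs write and search permission on the directory, plus the dumpcap setup described in the question). The following is an added example, not code from the thread or from Wireshark: it models those POSIX permission checks on constructed inode values, reproduces the ring-buffer naming (base name, 5-digit sequence number, YYYYmmddHHMMSS timestamp, as in Wireshark's ringbuffer.c) so you can see which path is actually being opened, and runs a checklist over the root:wireshark / 750 / cap_net_raw,cap_net_admin=eip setup. The uids, gids and directory ownership are assumptions for illustration; it does not diagnose the asker's specific failure, which Jaap traces to a stat() on the template name.

```python
# Added example (not from the original thread): model the Unix permission
# checks behind "write one capture file" versus "ring buffer creates files",
# plus a checklist for the non-root dumpcap setup from the question.
# All uids, gids, modes and capability strings below are constructed.
import os
import stat
from dataclasses import dataclass, field
from typing import List


@dataclass
class Inode:
    """Minimal stand-in for an os.stat() result: permission bits plus owner."""
    mode: int   # permission bits only, e.g. 0o770
    uid: int
    gid: int


@dataclass
class Actor:
    """Process identity: effective uid and every group id it carries."""
    uid: int
    gids: List[int] = field(default_factory=list)


def can_access(node: Inode, who: Actor, want: int) -> bool:
    """POSIX discretionary access check on one inode.

    `want` is a mask built from the 'other' bits (stat.S_IROTH / S_IWOTH /
    S_IXOTH); the owner and group classes are obtained by shifting the mode.
    Root bypasses read/write checks (why `sudo tshark` always works) and may
    execute anything that has at least one execute bit set.
    """
    if who.uid == 0:
        return not (want & stat.S_IXOTH) or bool(node.mode & 0o111)
    if who.uid == node.uid:
        cls = (node.mode >> 6) & 0o7
    elif node.gid in who.gids:
        cls = (node.mode >> 3) & 0o7
    else:
        cls = node.mode & 0o7
    return (cls & want) == want


def can_overwrite_file(f: Inode, who: Actor) -> bool:
    """Plain `-w existing.pcap`: only write permission on the file matters."""
    return can_access(f, who, stat.S_IWOTH)


def can_create_in_dir(d: Inode, who: Actor) -> bool:
    """Ring buffer rotation creates a new file each time, which needs write
    and search (execute) permission on the directory, not on the template."""
    return can_access(d, who, stat.S_IWOTH | stat.S_IXOTH)


def ring_buffer_name(template: str, seq: int, ts: str) -> str:
    """Path the ring buffer actually opens instead of the `-w` template:
    <base>_<5-digit seq>_<YYYYmmddHHMMSS><ext>, e.g.
    /mnt/my_usb/test_00001_20180523114600.pcap"""
    root, ext = os.path.splitext(template)
    return f"{root}_{seq:05d}_{ts}{ext}"


def dumpcap_setup_findings(dumpcap: Inode, caps: str,
                           wireshark_gid: int, who: Actor) -> List[str]:
    """Checklist for the setup in the question: dumpcap root:wireshark 750,
    file capabilities cap_net_raw,cap_net_admin=eip (the string given to
    setcap), and the capturing user a member of the wireshark group."""
    findings = []
    if wireshark_gid not in who.gids:
        findings.append("user is not in the wireshark group")
    if dumpcap.gid != wireshark_gid or (dumpcap.mode & 0o7) != 0:
        findings.append("dumpcap should be group wireshark, mode 750")
    if not can_access(dumpcap, who, stat.S_IXOTH):
        findings.append("user cannot execute dumpcap")
    for cap in ("cap_net_raw", "cap_net_admin"):
        if cap not in caps:
            findings.append(f"dumpcap is missing {cap}")
    if not caps.endswith("=eip"):
        findings.append("capabilities must be effective+inheritable+permitted (=eip)")
    return findings


if __name__ == "__main__":
    user = Actor(uid=1000, gids=[1000, 1001])   # constructed: wireshark gid 1001
    pcap = Inode(0o770, uid=0, gid=1001)        # test.pcap root:wireshark 770
    usb_dir = Inode(0o755, uid=0, gid=0)        # constructed: root-owned mount
    print("overwrite test.pcap:", can_overwrite_file(pcap, user))
    print("create rotated file:", can_create_in_dir(usb_dir, user))
    print("rotated name:", ring_buffer_name("/mnt/my_usb/test.pcap", 1, "20180523114600"))
    print("setup findings:", dumpcap_setup_findings(
        Inode(0o750, 0, 1001), "cap_net_raw,cap_net_admin=eip", 1001, user))
```

The directory check is the one worth running against the real mount: a removable filesystem mounted with root ownership lets a group member overwrite an existing 770 file while refusing to create the rotated `test_00001_...` files, and `strace -e trace=stat,openat` on the non-root run shows which of those two paths the failing call names.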