Ask Your Question
0

Why can't I see network adapters, or capture on them, after installing Wireshark on Ubuntu?

asked 2024-03-01 08:45:56 +0000

gbuday gravatar image

updated 2024-03-01 20:37:55 +0000

Guy Harris gravatar image

I use Wireshark on Ubuntu 22.04 .

First of all, it was not exactly clear which colour was meant to select the Yes or No answer on the configuration whether a non-superuser should be able to capture packets of network interfaces. I thought it was the red background when I selected a button.

When I selected that non-superusers should be allowed, I haven't seen the hardware network interfaces.

When I seleceted that they are not, the hardware network interfaces showed up, but when I tried to capture packets, the system said I cannot access that network interface.

The solution was to run Wireshark with sudo.

Is this a bug in Wireshark or I didn't do something correctly?

edit retag flag offensive close merge delete

Comments

There are instructions to configure capture for non-elevated users: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#other-linux-based-systems-or-other-installation-methods.

For most Linux distros, I do three things:

  1. At install, allow non-root users
  2. Add a user to the Wireshark group (be sure to logout and back in again, as new group won't automatically take)
  3. Run the setcap commands given in the doc against dumpcap (and usually do tcpdump at the same time if I installed it)
Bob Jones gravatar imageBob Jones ( 2024-03-01 16:15:48 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-03-01 20:36:03 +0000

Guy Harris gravatar image

What you should do is:

  1. install with "non-superusers should be allowed to capture from network interfaces";
  2. run sudo gpasswd -a $USER wireshark from the command line.

At minimum, after doing the sudo gpasswd ..., you will have to log out and log in again, but if that doesn't fix the problem, you may have to reboot.

First of all, it was not exactly clear which colour was meant to select the Yes or No answer on the configuration whether a non-superuser should be able to capture packets of network interfaces. I thought it was the red background when I selected a button.

The color indicates which of the two buttons, Yes and No, is currently selected. The Tab key switches between Yes and No.

When installing Wireshark with Synaptic, there's just a single button to push to select allowing non-root users to capture.

We should probably document this in the User's Guide.

When I selected that non-superusers should be allowed, I haven't seen the hardware network interfaces.

That's because Ubuntu's installer only does half the job. It configures Wireshark so that dumpcap, the program that does the capturing, has the appropriate capabilities set, so that it can open capture files without running as root (running with that capability is safer than running as root), and is set up only to be executable by root and by users in the group "wireshark", but it does NOT add the user who installs Wireshark to the "wireshark" group. You have to do that yourself.

This means that you don't have permission to run dumpcap, so, when Wireshark runs it to get a list of interfaces, that fails, and Wireshark does not report an error for this.

When I seleceted that they are not, the hardware network interfaces showed up, but when I tried to capture packets, the system said I cannot access that network interface.

That's because, in tat case, dumpcap can be run by anybody, but it doesn't have the appropriate capabilities set, and getting a list of interfaces does not require those capabilities - only capturing on them does. I.e., Wireshark can run dumpcap to get a list of the interfaces, but if it runs it to capture, dumpcap gets a "permission denied" error when trying to open the interface for capturing.

The solution was to run Wireshark with sudo.

That's... not a good idea, given how large Wireshark is; running it with root privileges is not recommended.

Is this a bug in Wireshark or I didn't do something correctly?

There are a bunch of problems here, one of which is a Wireshark bug, but fixing that bug won't make it possible to capture, it will, at best, tell you what you have to do to fix the other problems, which aren't Wireshark bugs:

  1. The Ubuntu Wireshark package doesn't indicate that the "non-superusers should be allowed to capture traffic" means "selected non-superusers should be allowed to capture traffic ...
(more)
edit flag offensive delete link more

Comments

Yet all this is described in the included README file here.

Jaap gravatar imageJaap ( 2024-03-02 07:55:53 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-03-01 08:45:56 +0000

Seen: 474 times

Last updated: Mar 01