
Does Ubuntu need different dumpcap configuration for raw USB traffic capture?

asked 2025-01-02 23:41:23 +0000

Donald Locker

updated 2025-01-03 00:49:25 +0000

I've followed the standard directions for a [Synaptic] install, including, from my logs of 19 Oct 2024:

$  sudo dpkg-reconfigure wireshark-common

and set to allow non-root users to access wireshark (prompt: “Dumpcap can be installed in a way that allows members of the "wireshark" system group to capture packets. This is recommended over the alternative of running Wireshark/Tshark directly as root, because less of the code will run with elevated privileges.” Selected “OK”, then at the “Should non-superusers be able to capture packets?” prompt selected Yes);

$ sudo adduser $USER wireshark
$ sudo modprobe usbmon
$ sudo setcap cap_net_raw,cap_net_admin=ep /usr/bin/dumpcap

followed by several [months of] occasional reboots and logging back in, leading to today still not working; says insufficient permission for usbmon0

$  dumpcap --interface usbmon1
Capturing on 'usbmon1'
dumpcap: You do not have permission to capture on device "usbmon1".
(Attempt to open /dev/usbmon1 failed with EACCES - root privileges may be required)
Please check to make sure you have sufficient permissions.

followed by the usual how to reconfigure, etc.; so I checked that all permissions (that I can see) and configurations matched recommendations. The results are the same on usbmon{0,1,2,3,4}.

$  setcap -v cap_net_raw,cap_net_admin=ep /usr/bin/dumpcap
/usr/bin/dumpcap: OK
$  groups $USER  ## with [myname] substituted for my real username which is equal to $USER
[myname]: [myname] adm cdrom sudo dip plugdev users lpadmin wireshark
$  ls -l /usr/bin/dumpcap
-rwxr-xr-- 1 root wireshark 229112 Apr 16  2024 /usr/bin/dumpcap
$  wireshark --version
Wireshark 4.2.2 (Git v4.2.2 packaged as 4.2.2-1.1build3).

Edit to add: I found https://gitlab.com/wireshark/wireshark/-/raw/master/packaging/debian/README.Debian from which I tried

$  sudo dpkg-statoverride --add root wireshark 4754 /usr/bin/dumpcap
$  dpkg-statoverride --list
    root wireshark 4754 /usr/bin/dumpcap

but dumpcap --interface usbmon{0,1,2,3,4} still all report no permission. (I will try setuid root on the file next.)

$ sudo chmod u+s /usr/bin/dumpcap

resulted in no joy; neither did

$ sudo chmod ug+s /usr/bin/dumpcap

FWIW, the simple test I failed to try works, so I know that root can actually read the interface:

$  sudo dumpcap --interface usbmon2
Capturing on 'usbmon2'
File: /tmp/wireshark_usbmon22SFRZ2.pcapng
Packets captured: 48
...^C
$

Perhaps because I'm not in the root group? (Sorry for rambling; I figure I might as well keep you posted, in case someone else needs similar help.) Added myself to the root group

$ sudo usermod -a -G root [myname]
$ groups [myname]
[myname] : [mygrp] root adm cdrom sudo dip plugdev users lpadmin wireshark

But dumpcap still gives me no permission on usbmons

What should I try next?


1 Answer


answered 2025-01-02 23:56:59 +0000

Guy Harris

Capturing on 'usbmon1'

libpcap uses different mechanisms for capturing on different devices.

On Linux, for regular network interfaces, it uses the Linux PF_PACKET socket mechanism, which just requires CAP_NET_RAW and CAP_NET_ADMIN (and, for some purposes, doesn't even require the latter).

However, for USB traffic capture, it uses the USB monitor mechanism, which, unfortunately, requires...

...root privileges. Thanks, Linux!

(Linux isn't the only annoying one; macOS's libpcap supports an "any" device, but it doesn't use the BPF capture mechanism, so it requires...

...root privileges. Thanks, Apple!)

Perhaps we should, for all platforms, just have dumpcap require root privileges.

If you want to capture USB traffic, try doing

chown root /usr/bin/dumpcap
chmod u+s /usr/bin/dumpcap

dumpcap does know about root privileges and will give them up as soon as it can, just as it does with CAP_NET_RAW and CAP_NET_ADMIN. It means that, before it does, it has more privileges than with CAP_NET_RAW and CAP_NET_ADMIN, but, as noted, that's not easy to escape.

(Really, the ideal would be if libpcap ran very small helper programs that open the relevant device, with whatever privileges are required, and then hand a descriptor for it back to libpcap over a UNIX-domain socket, which would confine the elevated privileges to a very tiny program. It would also allow all capture programs, such as tcpdump, to run without any elevated privileges.)

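The open-first, drop-root-afterwards sequence the answer attributes to dumpcap, written out as an added example (my code, not dumpcap's or libpcap's). It assumes the binary is installed setuid root as the answer suggests; the function names and the /dev/usbmon1 default are illustration only. The self-check opens /dev/null instead of a usbmon device so that it also runs unprivileged.

```c
/* Added example, not dumpcap's own code: open the device while still root,
 * then drop root permanently and prove the drop stuck.  The device path and
 * function names are assumptions for illustration.  Build: cc -o opendrop opendrop.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Permanently drop to the invoking user's real uid/gid.  Supplementary
 * groups go first (only root may clear them), then gid, then uid: once the
 * uid is unprivileged the gid calls would fail.  Returns 0 on success. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    /* Verify: with real, effective and saved uid all unprivileged, any
     * attempt to become root again must fail.  If it succeeds, refuse. */
    if (ruid != 0 && (seteuid(0) == 0 || setuid(0) == 0)) return -1;
    return 0;
}

/* Open path (e.g. /dev/usbmon1) with whatever privilege we start with, then
 * drop privilege whether or not the open succeeded, so no code after this
 * point runs as root.  Returns the fd, or -1 with errno set. */
int open_then_drop(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int open_errno = errno;
    if (drop_privileges() != 0) {
        if (fd >= 0) close(fd);
        errno = EPERM;
        return -1;
    }
    if (fd < 0) errno = open_errno;
    return fd;
}

/* Self-check that runs unprivileged: /dev/null stands in for /dev/usbmon1.
 * Returns 1 if the open succeeded and we ended up with euid == uid. */
int demo_open_then_drop(void) {
    int fd = open_then_drop("/dev/null");
    int ok = fd >= 0 && geteuid() == getuid() && getegid() == getgid();
    if (fd >= 0) close(fd);
    return ok;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/dev/usbmon1";
    int fd = open_then_drop(path);
    if (fd < 0) { perror(path); return 1; }
    printf("opened %s as fd %d; now running as uid %u (euid %u)\n",
           path, fd, (unsigned)getuid(), (unsigned)geteuid());
    close(fd);
    return 0;
}
```

Installed setuid root, `./opendrop /dev/usbmon1` opens the device and then reports the unprivileged uid it continues under. The verification step is the part worth copying: dropping only the effective uid with seteuid() leaves the saved uid as root and the program can later regain it, which is why setresuid() sets all three and the code then checks that regaining root fails.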

Comments

I know that should have worked, but I have already done it and dumpcap only succeeds if run by sudo:

$  ls -l /usr/bin/dumpcap
-rwsr-sr-- 1 root wireshark 229112 Apr 16  2024 /usr/bin/dumpcap

$  dumpcap usbmon1
Capturing on 'enp108s0'

DANG! Nevermind - I tried again this morning and the setuid bit apparently has it working.

I really did try it last night after setting (first) the uid bit, then the gid bit, then adding myself to the root group (as in my edited question) and nothing was working. Now I'm going to back out each change from the end and ensure that the minimum are retained.

Many thanks.

Donald Locker ( 2025-01-03 10:55:13 +0000 )

I think that modifying user privileges requires a log off and log on again to acquire the new privs.

grahamb ( 2025-01-03 12:07:08 +0000 )

I think that modifying user privileges requires a log off and log on again to acquire the new privs.

If by "user privileges" you mean privileges assigned to a user account - or groups associated with a user account - that's true (with an exception in macOS for groups).

However, this is modifying privileges associated with a program.

Guy Harris ( 2025-01-03 19:41:29 +0000 )

As Guy Harris stated in the accepted answer, simply changing the setuid bit was sufficient to give dumpcap the ability to access the usbmon devices.

Donald Locker ( 2025-01-03 20:06:23 +0000 )
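The helper-process design Guy Harris sketches in his answer (a tiny privileged program opens the device and hands the descriptor back over a UNIX-domain socket), as an added example that is my code, not libpcap's. The helper here is a forked child standing in for a separate setuid-root binary, and the self-check uses a constructed temp file in place of /dev/usbmon1, so the whole thing runs unprivileged; the function names are illustrative.

```c
/* Added example, not libpcap's code: a helper opens the device and passes
 * the open descriptor back with SCM_RIGHTS, so the capture side itself never
 * needs privilege.  Names and the /dev/usbmon1 references are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Helper side: send either an open fd (payload 0) or, with no fd attached,
 * the errno that open() failed with.  Returns 0 on success. */
int send_fd_or_error(int sock, int fd, int err) {
    struct iovec iov = { .iov_base = &err, .iov_len = sizeof err };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (fd >= 0) {
        msg.msg_control = cbuf;
        msg.msg_controllen = sizeof cbuf;
        struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)sizeof err ? 0 : -1;
}

/* Capture side: receive the descriptor.  Returns the fd, or -1 with errno set
 * to the helper's reported error (EPROTO if the helper died silently). */
int recv_fd(int sock) {
    int err = 0;
    struct iovec iov = { .iov_base = &err, .iov_len = sizeof err };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(sock, &msg, MSG_CMSG_CLOEXEC);
    if (n < 0) return -1;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) {
            int fd;
            memcpy(&fd, CMSG_DATA(cm), sizeof fd);
            return fd;
        }
    }
    errno = (n == (ssize_t)sizeof err && err != 0) ? err : EPROTO;
    return -1;
}

/* Fork the helper, let it open path, and return the descriptor it sends back.
 * In the real design the child would exec a separate setuid-root helper whose
 * only job is the open(); the parent carries no privilege at all. */
int open_via_helper(const char *path) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        int fd = open(path, O_RDONLY | O_CLOEXEC);
        send_fd_or_error(sv[1], fd, fd < 0 ? errno : 0);
        _exit(0);
    }
    close(sv[1]);
    int fd = recv_fd(sv[0]);
    int saved = errno;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    errno = saved;
    return fd;
}

/* Self-check on a constructed stand-in for /dev/usbmon1 (a temp file), so it
 * runs unprivileged.  Returns 1 if the fd the helper handed back reads the
 * sample bytes. */
int demo_helper_roundtrip(void) {
    char path[] = "/tmp/fake-usbmon-XXXXXX";
    const char sample[] = "constructed usbmon bytes";
    int tf = mkstemp(path);
    if (tf < 0) return 0;
    int ok = write(tf, sample, sizeof sample) == (ssize_t)sizeof sample;
    close(tf);
    int fd = ok ? open_via_helper(path) : -1;
    char buf[64] = {0};
    ok = fd >= 0 && read(fd, buf, sizeof buf) == (ssize_t)sizeof sample
         && memcmp(buf, sample, sizeof sample) == 0;
    if (fd >= 0) close(fd);
    unlink(path);
    return ok;
}
```

A capture program would call open_via_helper("/dev/usbmon1") and hand the returned fd to its capture loop; the descriptor keeps working after the helper exits because the kernel duplicates the open file description into the receiver. The error path matters for a usbmon setup like the one in the question: when the helper cannot open the device, the caller gets the helper's errno (EACCES or ENOENT) rather than a silent failure.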

