Revision history

initial version

Running tshark as non-root cannot write to buffer file

I ran into a curious issue where I have set tshark to run as a non-root user, with group wireshark. I can run the following: tshark -c 500 -w /mnt/my_usb/test.pcap, without using sudo. However, when I try to run the following: tshark -b filesize:1000 -b file:10 -w /mnt/my_usb/test.pcap without sudo, it reports that the file /mnt/my_usb/test.pcap cannot be found or does not exist. The same command line preceded by sudo has no problems.

I have not found any explanation for this in the documentation or in a pretty diligent search of the web. Does anyone have any ideas? I wonder if the issue is that writing to the end of the file requires a root user level, even though dumpcap is chown root:wireshark, the file test.pcap is chmod 770, and setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap, with dumpcap chmod 750.

Details: TShark (Wireshark) 2.2.6 (Git Rev Unknown from unknown) Compiled (32-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3, with GLib 2.50.3, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.5.8, with Gcrypt 1.7.6-beta, with MIT Kerberos, with GeoIP, with nghttp2 1.18.1. Running on Linux 4.14.34-v7+, with locale en_US.UTF-8, with libpcap version 1.8.1, with GnuTLS 3.5.8, with Gcrypt 1.7.6-beta, with zlib 1.2.8. Built using gcc 6.3.0 20170516. Running on Rasp 3B+

Thanks for ideas

Running tshark as non-root cannot write to buffer file

I ran into a curious issue where I have set tshark to run as a non-root user, with group wireshark. I can run the following: tshark -c 500 -w /mnt/my_usb/test.pcap, without using sudo. However, when I try to run the following: tshark -b filesize:1000 -b file:10 -w /mnt/my_usb/test.pcap without sudo, it reports that the file /mnt/my_usb/test.pcap cannot be found or does not exist. The same command line preceded by sudo has no problems.

I have not found any explanation for this in the documentation or in a pretty diligent search of the web. Does anyone have any ideas? I wonder if the issue is that writing to the end of the file requires a root user level, even though dumpcap is chown root:wireshark, the file test.pcap is chmod 770, and setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap, with dumpcap chmod 750.

Details:

TShark (Wireshark) 2.2.6 (Git Rev Unknown from unknown)
Compiled (32-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.8, with Gcrypt 1.7.6-beta, with MIT Kerberos, with GeoIP,
with nghttp2 1.18.1.
Running on Linux 4.14.34-v7+, with locale en_US.UTF-8, with libpcap version
1.8.1, with GnuTLS 3.5.8, with Gcrypt 1.7.6-beta, with zlib 1.2.8.
Built using gcc 6.3.0 20170516.
Running on Rasp 3B+

Thanks for ideas