Revision history

Does Ubuntu 24.04 need different dumpcap configuration?

I've followed the standard directions for a [Synaptic] install, including, from my logs (of 19 Oct 2024):

$  sudo dpkg-reconfigure wireshark-common

and set to allow non-root users to access wireshark (prompt: “Dumpcap can be installed in a way that allows members of the "wireshark" system group to capture packets. This is recommended over the alternative of running Wireshark/Tshark directly as root, because less of the code will run with elevated privileges.” Selected “OK”, then to “Should non-superusers be able to capture packets?” prompt, selected Yes);

$ sudo adduser $USER wireshark
$ sudo modprobe usbmon
$ sudo setcap cap_net_raw,cap_net_admin=ep /usr/bin/dumpcap

followed by several [months of] occasional reboots and logging back in, leading to today still not working; says insufficient permission for usbmon0

$  dumpcap --interface usbmon1
Capturing on 'usbmon1'
dumpcap: You do not have permission to capture on device "usbmon1".
(Attempt to open /dev/usbmon1 failed with EACCES - root privileges may be required)
Please check to make sure you have sufficient permissions.

followed by the usual how to reconfigure, etc; so I checked that all permissions (that I can see) and configurations matched recommendations. The results are the same on usbmon{0,1,2,3,4}

$  setcap -v cap_net_raw,cap_net_admin=ep /usr/bin/dumpcap
/usr/bin/dumpcap: OK
$  groups $USER  ## with [myname] substituted for my real username which is equal to $USER
[myname]: [myname] adm cdrom sudo dip plugdev users lpadmin wireshark
$  ls -l /usr/bin/dumpcap
-rwxr-xr-- 1 root wireshark 229112 Apr 16  2024 /usr/bin/dumpcap
$  wireshark --version
Wireshark 4.2.2 (Git v4.2.2 packaged as 4.2.2-1.1build3).

Have I missed something? What should I try next?

Does Ubuntu 24.04 need different dumpcap configuration for raw USB traffic capture?

Edit to add: I found https://gitlab.com/wireshark/wireshark/-/raw/master/packaging/debian/README.Debian from which I tried

$  sudo dpkg-statoverride --add root wireshark 4754 /usr/bin/dumpcap
$  dpkg-statoverride --list
    root wireshark 4754 /usr/bin/dumpcap

but dumpcap --interface usbmon{0,1,2,3,4} still all report no permission. (I will try setuid root on the file next.)

Does Ubuntu need different dumpcap configuration for raw USB traffic capture?

$ sudo chmod u+s /usr/bin/dumpcap

resulted in no joy; neither did

$ sudo chmod ug+s /usr/bin/dumpcap

FWIW, the simple test I failed to try works, so I know that root can actually read the interface:

$  sudo dumpcap --interface usbmon2
Capturing on 'usbmon2'
File: /tmp/wireshark_usbmon22SFRZ2.pcapng
Packets captured: 48
...^C
$

Perhaps because I'm not in the root group? (Sorry for rambling; I figure I might as well keep you posted, in case someone else needs similar help.)

Added myself to the root group

$ sudo usermod -a -G root [myname]
$ groups [myname]
[myname] : [mygrp] root adm cdrom sudo dip plugdev users lpadmin wireshark

But dumpcap still gives me no permission on usbmons

What should I try next?
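
Added example, not part of the original post: the error above is an EACCES from opening /dev/usbmon1, so this sketch models the owner/group/other read check applied to a device node and runs it against whatever /dev/usbmon* nodes exist. The function names and the sample uid/gid/mode values used to exercise it are constructed for illustration; ACLs and security modules are not modelled.

```shell
#!/bin/sh
# Added example (not from the post). Models only the classic owner/group/other
# read check that open(2) applies to a device node; ACLs and LSMs are ignored.

# dac_read_class MODE NODE_UID NODE_GID PROC_UID "PROC_GIDS"
# Prints "<class>:<allowed|denied>". Exactly one class applies: owner, else
# group, else other. The bits of the other classes are never consulted.
dac_read_class() {
    mode=$1; node_uid=$2; node_gid=$3; proc_uid=$4; proc_gids=$5
    # Assumption: uid 0 still holds CAP_DAC_OVERRIDE (the plain `sudo` case).
    if [ "$proc_uid" -eq 0 ]; then echo "root:allowed"; return 0; fi
    if [ "$proc_uid" -eq "$node_uid" ]; then
        class=owner; bit=0400
    else
        class=other; bit=0004
        for g in $proc_gids; do
            if [ "$g" -eq "$node_gid" ]; then class=group; bit=0040; fi
        done
    fi
    # The leading 0 makes the shell read both operands as octal.
    if [ $(( 0$mode & $bit )) -ne 0 ]; then
        echo "$class:allowed"
    else
        echo "$class:denied"
    fi
}

# Apply the check to every usbmon node, using this shell's real credentials.
report_usbmon_access() {
    for node in /dev/usbmon*; do
        [ -e "$node" ] || continue      # glob did not match: usbmon not loaded
        set -- $(stat -c '%a %u %g' "$node")
        echo "$node mode=$1 uid=$2 gid=$3 -> $(dac_read_class "$1" "$2" "$3" "$(id -u)" "$(id -G)")"
    done
    # File capabilities are listed for reference only: CAP_NET_RAW and
    # CAP_NET_ADMIN do not take part in the file permission check above.
    if command -v getcap >/dev/null 2>&1; then
        getcap /usr/bin/dumpcap 2>/dev/null || true
    fi
    return 0
}

report_usbmon_access
```

Run it from the same login session that runs dumpcap, since `id -G` reports the groups of the current process rather than what /etc/group says.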