OSQA is unmaintained. Help us figure out where to go from here.

I'm trying to capture on my laptop (Linux) packets, that goes through the wireless card. Wireshark shoes only the capture interfaces: bluetooth0, randpkt and udpdump. wlan0 isn't shown.

I used this and it worked. But is there a way that mon0 (or wlan0) will appear in Wireshark and I can use it normally and not having to do the "sudo tcpdump..." and then "wireshark -nr..." any time I want to capture?

asked 01 Sep, 09:44

sharp_pilot's gravatar image

sharp_pilot
11114
accept rate: 0%

1) What happens if you run tcpdump on mon0/wlan0 without sudo?

2) What Linux distribution is this?

(01 Sep, 14:27) Guy Harris ♦♦

1) tcpdump: mon0: You don't have permission to capture on that device (socket: Operation not permitted)

2) Mint

I tried sudo wireshark and it showing me all the interfaces that way, but is it safe to use it with root privileges?

I tried this:

https://askubuntu.com/questions/74059/how-do-i-run-wireshark-with-root-privileges

but it isn't helping the tcpdump nor the wireshark to show all interfaces.

(01 Sep, 23:08) sharp_pilot

(I installed wireshark by building the source and not via apt-get. So is sudo dpkg-reconfigure wireshark-common the way to activate that or should I do something else?)

(02 Sep, 22:46) sharp_pilot

I did this: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges

And when I run /usr/bin/dumpcap -D it shows me all interfaces. great.

But when I do dumpcap -D it shows me only 1. bluetooth0.

And when I call wireshark it again doesn't show me all interfaces.

Any Idea how to make wireshark show all interfaces now?

(02 Sep, 23:07) sharp_pilot

I installed wireshark by building the source

If you built using the configure script, you need to run the configure script with --enable-setcap-install - and you may have to install it with make install, and that may require that you install it with sudo make install. Then run the installed version, not the version in your build tree. That should make dumpcap run with the right privileges.

If you build using CMake, you need to run CMake with -DENABLE_CAP=ON, and you might again have to install.

permanent link

answered 02 Sep, 23:39

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335194
accept rate: 19%

When I run stat /usr/local/bin/wireshark I see:

Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)

So it just installed it as root? And it run it has root now when I call wireshark?

How should I restrict that?

(03 Sep, 03:46) sharp_pilot
1

So it just installed it as root?

Yes.

And it run it has root now when I call wireshark?

No. Running a program whose executable image file is owned by root does not cause the program to run as root. Try running stat on, for example, /bin/sh or /bin/cat. That happens only if the executable image file has the set-UID bit set; if that were the case, stat would report -rwsr-x-rx - note the "s".

Wireshark isn't what needs elevated privileges to capture on Linux; dumpcap is. And --enable-setcap-install shouldn't cause dumpcap's executable image file to be set-UID root, it should just cause it to have the cap_net_admin and cap_net_raw capabilities, so that the process running dumpcap has the CAP_NET_ADMIN and CAP_NET_RAW capabilities. The file capabilities are set with the setcap command; you can see what capabilities a file has by using the getcap command.

(03 Sep, 11:23) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,611
×137
×113

question asked: 01 Sep, 09:44

question was seen: 481 times

last updated: 03 Sep, 11:23

p​o​w​e​r​e​d by O​S​Q​A