Discussion:
Ubuntu 14.04 user level capture permissions from source
Alan Marchiori
2014-06-17 12:27:02 UTC
I'm trying to build wireshark (1.10.6) from source on my Ubuntu 14.04
machine to work on a plugin. I also have the ubuntu wireshark package
installed and working properly from my user account and am able to capture
packets on eth0 (using the wireshark group). However, when I build from
source, my user account cannot capture on eth0.

I have tried various options with the configure script, eg:
./configure --enable-dumpcap --enable-setcap-install
--with-dumpcap-group=wireshark

And set the capture properties to match the ubuntu package's dumpcap:
$ getcap /usr/local/bin/dumpcap
/usr/local/bin/dumpcap = cap_net_admin,cap_net_raw+eip

src/wireshark-1.10.6$ getcap ./dumpcap
./dumpcap = cap_net_admin,cap_net_raw+eip

but still my compiled wireshark/dumpcap cannot access eth0.

Any ideas?

Thanks,
Jeff Morriss
2014-06-17 13:44:18 UTC
Post by Alan Marchiori
I'm trying to build wireshark (1.10.6) from source on my Ubuntu 14.04
machine to work on a plugin. I also have the ubuntu wireshark package
installed and working properly from my user account and am able to
capture packets on eth0 (using the wireshark group). However, when I
build from source, my user account cannot capture on eth0.
./configure --enable-dumpcap --enable-setcap-install
--with-dumpcap-group=wireshark
$ getcap /usr/local/bin/dumpcap
/usr/local/bin/dumpcap = cap_net_admin,cap_net_raw+eip
src/wireshark-1.10.6$ getcap ./dumpcap
./dumpcap = cap_net_admin,cap_net_raw+eip
but still my compiled wireshark/dumpcap cannot access eth0.
Any ideas?
When you compile from source ./dumpcap isn't a binary executable, it's
a (libtool) shell script. Linux doesn't allow shell scripts to have
capabilities nor be setuid, so when you run it, it'll run as you and
without the necessary capabilities.

Unfortunately the only ways around this are to install what you've built
(e.g., "make install" or build a package and install it) or run as root
(not a great idea--and if you're using a real plugin as opposed to a
built-in dissector, your plugin won't get loaded while running as root
from the build directory).

Personally when I'm doing development I use my build only for reading
capture files (except on the rare occasion I'm trying to fix something
in the capture mechanism).

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Alan Marchiori
2014-06-17 15:11:53 UTC
Thanks, that helps explain things. To achieve my desired result I just did:
./configure --enable-dumpcap --enable-setcap-install
--with-dumpcap-group=wireshark --prefix=$HOME/wireshark

(add prefix to home)

then make install (into my local copy),

~/wireshark/bin$ sudo setcap 'cap_net_raw+eip cap_net_admin+eip' ./dumpcap

and I can do user level capture off my build.

Even though this isn't exactly what I had hoped for, it solves the puzzle
and I can move forward.
Jaap Keuter
2014-06-17 21:24:52 UTC
Post by Alan Marchiori
I'm trying to build wireshark (1.10.6) from source on my Ubuntu 14.04
machine to work on a plugin. I also have the ubuntu wireshark package
installed and working properly from my user account and am able to
capture packets on eth0 (using the wireshark group). However, when I
build from source, my user account cannot capture on eth0.
./configure --enable-dumpcap --enable-setcap-install
--with-dumpcap-group=wireshark
$ getcap /usr/local/bin/dumpcap
/usr/local/bin/dumpcap = cap_net_admin,cap_net_raw+eip
src/wireshark-1.10.6$ getcap ./dumpcap
./dumpcap = cap_net_admin,cap_net_raw+eip
but still my compiled wireshark/dumpcap cannot access eth0.
Any ideas?
When you compile from source ./dumpcap isn't a binary executable, it's a
(libtool) shell script. Linux doesn't allow shell scripts to have capabilities
nor be setuid so when you run it, it'll run as you and without the necessary
capabilities.
Unfortunately the only ways around this are to install what you've built (e.g.,
"make install" or build a package and install it) or run as root (not a great
idea--and if you're using a real plugin as opposed to a built-in dissector, your
plugin won't get loaded while running as root from the build directory).
Ah, no, there's a way:

1) Run your own build of Wireshark once (which cannot show interfaces)
2) sudo /sbin/setcap cap_net_raw,cap_net_admin=eip .libs/lt-dumpcap
3) Run your Wireshark again, presto, interfaces listed

Enjoy,
Jaap


Joerg Mayer
2014-06-17 21:44:01 UTC
Post by Alan Marchiori
$ getcap /usr/local/bin/dumpcap
/usr/local/bin/dumpcap = cap_net_admin,cap_net_raw+eip
Btw, the "i" is not needed:
setcap cap_net_raw,cap_net_admin+ep /path/to/dumpcap

Ciao
Jörg
--
Joerg Mayer <***@loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
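An added check script, not from the thread or from Wireshark, that ties the three replies together: it classifies a dumpcap path by its magic bytes (the kernel ignores file capabilities on a script, as Jeff explains), maps a libtool wrapper to the .libs/lt-dumpcap binary that Jaap's step 2 targets, and validates a getcap line for cap_net_raw and cap_net_admin in the effective and permitted sets (the i flag is optional, as Joerg notes). It assumes the libtool `.libs/lt-<name>` layout and the `path = caps+flags` getcap output format quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or the Wireshark project.

# Classify $1 by its first four bytes: "elf", "script" or "other".
file_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;       # \177ELF magic
        2321*)    echo script ;;    # "#!" shebang, e.g. a libtool wrapper
        *)        echo other ;;
    esac
}

# For a libtool wrapper script at $1, print the real binary libtool keeps
# beside it (.libs/lt-<name>, assumed layout); for an ELF file print $1.
resolve_dumpcap() {
    case "$(file_kind "$1")" in
        elf)    echo "$1" ;;
        script) echo "$(dirname "$1")/.libs/lt-$(basename "$1")" ;;
        *)      return 1 ;;
    esac
}

# Parse one getcap line ("/path = cap_a,cap_b+eip", or the newer
# "/path cap_a,cap_b=eip") and succeed only if cap_net_raw and
# cap_net_admin are both present with the e and p flags set.
caps_ok() {
    capset=${1##* }                 # text after the last space
    names=${capset%%[+=]*}          # "cap_net_admin,cap_net_raw"
    flags=${capset##*[+=]}          # "eip" or "ep"
    case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
}

# End-to-end check on a real system: resolve the path, then ask getcap.
check_dumpcap() {
    target=$(resolve_dumpcap "$1") || { echo "not a binary or script: $1"; return 1; }
    [ "$(file_kind "$target")" = elf ] || { echo "no ELF binary at $target"; return 1; }
    caps_ok "$(getcap "$target")" || { echo "capabilities missing on $target"; return 1; }
    echo "ok: $target"
}
```

Run `check_dumpcap ./dumpcap` in the build directory: a "no ELF binary" result means the wrapper is being targeted and setcap must be applied to the .libs/lt-dumpcap file instead.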
Joerg Mayer
2014-06-17 14:27:16 UTC
Post by Alan Marchiori
./configure --enable-dumpcap --enable-setcap-install
--with-dumpcap-group=wireshark
Did you also use --with-libcap ?

Ciao
Jörg
--
Joerg Mayer <***@loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.