Googled "couldn't run /usr/bin/dumpcap in child process" and found this question:

I'm not able to use wireshark "couldn't run /usr/bin/dumpcap in child process"

which is marked as duplicate and brought me here.

You're running quite an old version of Wireshark that is no longer supported (see the Wiki LifeCycle page).

The proposed solution is:

sudo chmod +x /usr/bin/dumpcap

The above command really works, but I would like to add a security WARNING: that will allow packet capture for ALL USERS on the system. It can be a temporary solution, but it is not desirable as a permanent solution.

I followed the instructions from the Wireshark page about capture privileges. They RECOMMEND restricting dumpcap execution to a specific group or user. I followed those instructions (with adaptations):

Setting network privileges for dumpcap if your kernel and file system support file capabilities

Ensure that you have installed the necessary tools, such as the setcap command.

sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

(NOTE: Replace /usr/bin with /usr/sbin in case you receive an error that indicates that dumpcap isn't in /usr/bin)

Start Wireshark as non-root and ensure you see the list of interfaces and can do live capture.

Setting network privileges for dumpcap if your kernel and file system don't support file capabilities

In this case, you will need to make dumpcap set-UID to root.

Limiting capture permission to only one group

After having set dumpcap's network privileges:

Create user "wireshark" in group "wireshark".

Ensure Wireshark works only from root and from a user in the "wireshark" group (I DID THIS STEP ONLY IN THE END - NOT OVER YET).

And finally, two more steps:

sudo dpkg-reconfigure wireshark-common

(NOTE: Replace /usr/bin with /usr/sbin in this command and the next command in case you receive an error that indicates that dumpcap isn't in /usr/sbin)

Log out ALL interfaces for the user (including ssh, which was my biggest mistake) and log in again.
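As an added check (example code, not part of the original post or of the Wireshark project), the helper below reports how a dumpcap binary is privileged (set-UID, file capabilities, or nothing) and whether every local user or only the file's group may run it, which is exactly the difference between the quick chmod fix and the group-restricted setup above. It assumes a GNU or BusyBox stat with the -c option, uses getcap only when it is installed, and the function name audit_dumpcap is my own.

```sh
#!/bin/sh
# Added audit helper (not from the original post or the Wireshark project).
# Prints "<privilege>:<who>", e.g. "setuid:all-users" or "caps:group-only(wireshark)".
# Assumes GNU/BusyBox stat (-c); getcap is consulted only when present.
audit_dumpcap() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo "missing"
        return 1
    fi
    mode=$(stat -c '%a' "$bin")   # octal mode, e.g. 4755 or 750
    grp=$(stat -c '%G' "$bin")    # the group that may run it when "others" cannot
    priv=none
    case "$mode" in
        [4-7]???) priv=setuid ;;  # set-UID bit present (the no-file-capabilities route)
    esac
    # File capabilities are the route the post prefers; getcap may be absent.
    if [ "$priv" = none ] && command -v getcap >/dev/null 2>&1; then
        case "$(getcap "$bin" 2>/dev/null)" in
            *cap_net_raw*|*cap_net_admin*) priv=caps ;;
        esac
    fi
    others=${mode#"${mode%?}"}    # last octal digit = permissions for "others"
    case "$others" in
        1|3|5|7) who=all-users ;;          # world-executable: every local user can capture
        *)       who="group-only($grp)" ;; # only root and members of $grp can run it
    esac
    echo "$priv:$who"
}

# Audit the path given as the first argument; with no argument the file can be sourced.
if [ -n "${1:-}" ]; then
    audit_dumpcap "$1"
fi
```

Run it as `sh audit.sh /usr/bin/dumpcap` (or /usr/sbin/dumpcap); anything ending in "all-users" combined with setuid or caps is the state the WARNING above describes.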