
[Wireshark] Sniffing with Wireshark (or tshark) as a Non-Root User on CentOS

2015-07-24 10:40, 579 views
This HOWTO is based on the article written by Stretch.

Filesystem Capabilities

What are filesystem capabilities? From the man page:

The manual goes on to list over two dozen distinct POSIX capabilities which individual executables may be granted. For sniffing, we’re interested in two specifically:

CAP_NET_ADMIN - Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
CAP_NET_RAW - Permit use of RAW and PACKET sockets.


CAP_NET_ADMIN allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire. These capabilities are assigned using the setcap utility.

Enabling Non-root Capture

Step 1: Install setcap

First, we’ll need to install the setcap executable if it hasn’t been already. We’ll use this to set granular capabilities on Wireshark’s dumpcap executable.

On CentOS, setcap is part of the libcap package.


As root, check if setcap is installed:

[root@localhost ~]# rpm -lq libcap
/lib64/libcap.so.2
/lib64/libcap.so.2.16
/lib64/security/pam_cap.so
/usr/sbin/capsh
/usr/sbin/getcap
/usr/sbin/getpcaps
/usr/sbin/setcap
/usr/share/doc/libcap-2.16
/usr/share/doc/libcap-2.16/License
/usr/share/doc/libcap-2.16/capability.notes
/usr/share/man/man1/capsh.1.gz
/usr/share/man/man8/getcap.8.gz
/usr/share/man/man8/setcap.8.gz


If it is not installed, use yum install libcap to install it.

Step 2: Create a Wireshark Group (Optional)

Since the executable we’ll be granting heightened capabilities to can by default be executed by all users, you may wish to add a designated group for the Wireshark family of utilities (and similar applications) and restrict their execution to users within that group. However, this step isn’t strictly necessary.

As root, check if the group wireshark already exists.

[root@localhost ~]# cat /etc/group | grep wireshark


If not, create it and add the user to it (where web is the user you want to run Wireshark as):

groupadd wireshark
usermod -a -G wireshark web


We assign the dumpcap executable to this group instead of Wireshark itself, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 ensures only users belonging to its group can execute the file.

chgrp wireshark /usr/sbin/dumpcap
chmod 750 /usr/sbin/dumpcap


Step 3: Grant Capabilities

Granting capabilities with setcap is a simple matter:

setcap cap_net_raw,cap_net_admin=eip /usr/sbin/dumpcap


In case you’re wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted bitmaps, respectively. A more thorough explanation is provided in section 2 of this FAQ.

To verify our change, we can use getcap:

[root@localhost ~]# getcap /usr/sbin/dumpcap
/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+eip
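Steps 1 to 3 together describe a least-privilege setup for dumpcap: owned by the wireshark group, mode 750, and carrying only cap_net_raw and cap_net_admin. The script below is an added example (not from the original article or from the Wireshark project) that audits an installed dumpcap against exactly those three facts. The parsing functions take the getcap and stat output as strings so they can be exercised without root; audit_dumpcap runs the real getcap and GNU stat calls. The path /usr/sbin/dumpcap and the environment variable DUMPCAP_AUDIT are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: audit dumpcap against the
# setup described in Steps 1-3 (group "wireshark", mode 750, cap_net_raw
# and cap_net_admin in the effective and permitted sets).

# caps_ok GETCAP_LINE
# Accepts both getcap output styles:
#   "/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+eip"   (older libcap)
#   "/usr/sbin/dumpcap cap_net_admin,cap_net_raw=eip"     (newer libcap)
# Returns 0 only if both capabilities are listed with the 'e' and 'p' flags.
caps_ok() {
    caps=${1##* }            # last whitespace-separated token
    names=${caps%[+=]*}      # capability names, before '+' or '='
    flags=${caps##*[+=]}     # flag letters, after '+' or '='
    case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    return 0
}

# mode_ok OCTAL_MODE   (as printed by `stat -c %a`, e.g. 750 or 0750)
# Returns 0 if "other" has no permission bits and the group can execute,
# i.e. the file is usable only by its group, as the chmod 750 step intends.
mode_ok() {
    m=$1
    if [ ${#m} -eq 4 ]; then m=${m#?}; fi   # drop a leading special-bits digit
    [ ${#m} -eq 3 ] || return 1
    o=${m#??}                                # other digit
    g=${m%?}; g=${g#?}                       # group digit
    [ "$o" = 0 ] || return 1
    case $g in 1|3|5|7) return 0 ;; *) return 1 ;; esac
}

# audit_dumpcap [PATH]
# Runs the live checks; needs getcap and GNU stat (both present on CentOS).
audit_dumpcap() {
    f=${1:-/usr/sbin/dumpcap}
    rc=0
    if caps_ok "$(getcap "$f" 2>/dev/null)"; then
        echo "caps:  ok"
    else
        echo "caps:  cap_net_raw and cap_net_admin (e,p) not both present"; rc=1
    fi
    mode=$(stat -c %a "$f")
    if mode_ok "$mode"; then
        echo "mode:  ok"
    else
        echo "mode:  $mode, expected 750"; rc=1
    fi
    grp=$(stat -c %G "$f")
    if [ "$grp" = wireshark ]; then
        echo "group: ok"
    else
        echo "group: $grp, expected wireshark"; rc=1
    fi
    return $rc
}

# Usage (assumed invocation): DUMPCAP_AUDIT=/usr/sbin/dumpcap sh audit.sh
if [ -n "${DUMPCAP_AUDIT:-}" ]; then
    audit_dumpcap "$DUMPCAP_AUDIT"
fi
```

The two parsing functions deliberately reject anything weaker than the article's setup (a missing capability, a capability set without the effective or permitted flag, any permission bits for "other"), so the script exits non-zero whenever the installed binary has drifted from the intended state.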


Start and stop packet capture with tshark

Now, log in as web and run tshark -D to list the interfaces.

To start capturing, use tshark -i eth0 -w /tmp/test.pcap to capture traffic on eth0 and save it to /tmp/test.pcap.


To stop capturing, use killall tshark. It will flush all the packets in the buffer to /tmp/test.pcap and gracefully stop the tshark process.
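killall tshark sends SIGTERM to every tshark process owned by the user, not just the one started above. The script below is an added example (not from the original article or from the Wireshark project) that records the capture's PID and stops only that process with the same SIGTERM, waiting for it to exit so the pcap is known to be closed before the script continues. The interface, output file and PID-file paths are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example, not the article's own code: start and stop one tshark
# capture by PID instead of `killall tshark`.

# start_capture IFACE OUTFILE PIDFILE
# Runs tshark in the background and records its PID. Returns 1 if tshark
# is not on PATH.
start_capture() {
    command -v tshark >/dev/null 2>&1 || return 1
    tshark -i "$1" -w "$2" >/dev/null 2>&1 &
    echo "$!" > "$3"
}

# stop_capture PIDFILE [TIMEOUT_SECONDS]
# Sends SIGTERM (the signal killall sends by default, which tshark handles
# by flushing its buffer and closing the capture file), waits up to
# TIMEOUT_SECONDS for the process to exit, then removes the PID file.
# Returns 1 if the PID file is missing or stale, or the process did not exit.
stop_capture() {
    pidfile=$1
    timeout=${2:-10}
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    if ! kill -TERM "$pid" 2>/dev/null; then
        rm -f "$pidfile"        # stale PID file: the process is already gone
        return 1
    fi
    # If the capture is a child of this shell, wait reaps it directly
    # (tshark exits on SIGTERM, so this does not block indefinitely);
    # for a capture started by an earlier invocation, wait fails at once
    # and we fall through to polling.
    wait "$pid" 2>/dev/null || true
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -le "$timeout" ] || return 1
        sleep 1
    done
    rm -f "$pidfile"
}

# Usage (assumed values):
#   start_capture eth0 /tmp/test.pcap /tmp/tshark.pid
#   ...
#   stop_capture /tmp/tshark.pid
```

Because the PID file names one process, a second capture (or another user's tshark on the same host) is never signalled by mistake, and the non-zero return on a stale PID file makes an already-dead capture visible instead of silently succeeding.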