[Wireshark] Sniffing with Wireshark (or tshark) as a Non-Root User on CentOS
2015-07-24 10:40
579 views
This HOWTO is based on the article written by Stretch.
Filesystem Capabilities
What are filesystem capabilities? The man page describes them and goes on to list over two dozen distinct POSIX capabilities which individual executables may be granted. For sniffing, we're interested in two specifically:

CAP_NET_ADMIN - Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
CAP_NET_RAW - Permit use of RAW and PACKET sockets.

CAP_NET_ADMIN allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire. These capabilities are assigned using the setcap utility.
Enabling Non-root Capture
Step 1: Install setcap
First, we'll need to install the setcap executable if it hasn't been already. We'll use this to set granular capabilities on Wireshark's dumpcap executable.

On CentOS, setcap is part of libcap. As root, check if setcap is installed:

[root@localhost ~]# rpm -lq libcap
/lib64/libcap.so.2
/lib64/libcap.so.2.16
/lib64/security/pam_cap.so
/usr/sbin/capsh
/usr/sbin/getcap
/usr/sbin/getpcaps
/usr/sbin/setcap
/usr/share/doc/libcap-2.16
/usr/share/doc/libcap-2.16/License
/usr/share/doc/libcap-2.16/capability.notes
/usr/share/man/man1/capsh.1.gz
/usr/share/man/man8/getcap.8.gz
/usr/share/man/man8/setcap.8.gz

If it is not installed, use yum install libcap to install it.
Step 2: Create a Wireshark Group (Optional)
Since the application we'll be granting heightened capabilities to can by default be executed by all users, you may wish to add a designated group for the Wireshark family of utilities (and similar applications) and restrict their execution to users within that group. However, this step isn't strictly necessary.

As root, check if the group wireshark already exists:

[root@localhost ~]# cat /etc/group | grep wireshark

If not (where web is the user you want to run wireshark):

groupadd wireshark
usermod -a -G wireshark web

We assign the dumpcap executable to this group instead of Wireshark itself, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 ensures only users belonging to its group can execute the file.

chgrp wireshark /usr/sbin/dumpcap
chmod 750 /usr/sbin/dumpcap
Step 3: Grant Capabilities
Granting capabilities with setcap is a simple matter:

setcap cap_net_raw,cap_net_admin=eip /usr/sbin/dumpcap

In case you're wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted bitmaps, respectively. A more thorough explanation is provided in section 2 of this FAQ.

To verify our change, we can use getcap:

[root@localhost ~]# getcap /usr/sbin/dumpcap
/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+eip
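Checking the getcap line by eye is fine once, but the value of Steps 2 and 3 is that dumpcap ends up with exactly two capabilities, a restricted group and mode 750, and nothing wider. The following audit script is an added example (it is not part of Stretch's article or of the Wireshark project). It assumes GNU stat -c for mode and group, and accepts both the "path = caps+eip" getcap format shown above and the newer "path caps=eip" format; the function names cap_set, caps_minimal, perms_ok and audit_dumpcap are this example's own.

```shell
#!/bin/sh
# Audit the non-root capture setup described above (added example, not from
# the original article). Three checks on the capture binary:
#   1. its file capabilities are exactly cap_net_admin + cap_net_raw
#   2. it is group-owned by the capture group with mode 750
#   3. the intended user is a member of that group

# cap_set LINE: print the comma-separated capability names from one line of
# getcap output. Handles "path = caps+eip" (libcap 2.16, as in the article)
# and "path caps=eip" (newer libcap).
cap_set() {
    printf '%s\n' "$1" | sed -e 's/^[^ ]* *=* *//' -e 's/[+=][a-z]*$//'
}

# caps_minimal LINE: succeed only if LINE grants cap_net_admin and cap_net_raw
# and nothing else. Any extra capability (cap_sys_admin, cap_dac_override, ...)
# would widen what every member of the capture group can do, so it fails.
caps_minimal() {
    set_=$(cap_set "$1")
    [ -n "$set_" ] || return 1
    seen_admin=0
    seen_raw=0
    old_ifs=$IFS
    IFS=,
    for c in $set_; do
        case $c in
            cap_net_admin) seen_admin=1 ;;
            cap_net_raw)   seen_raw=1 ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$seen_admin" = 1 ] && [ "$seen_raw" = 1 ]
}

# perms_ok MODE GROUP WANT_GROUP: succeed if MODE (octal, as from "stat -c %a")
# is 750 and the owning GROUP is the capture group WANT_GROUP.
perms_ok() {
    [ "$1" = 750 ] && [ "$2" = "$3" ]
}

# audit_dumpcap PATH USER GROUP: run the live checks on a real host.
# Prints one FAIL line per problem; exit status 0 only when all pass.
audit_dumpcap() {
    bin=$1; user=$2; group=$3; rc=0
    line=$(getcap "$bin" 2>/dev/null)
    if ! caps_minimal "$line"; then
        echo "FAIL: $bin capabilities are '$(cap_set "$line")', want cap_net_admin,cap_net_raw"
        rc=1
    fi
    if ! perms_ok "$(stat -c %a "$bin")" "$(stat -c %G "$bin")" "$group"; then
        echo "FAIL: $bin should be group $group with mode 750 (is $(stat -c '%G %a' "$bin"))"
        rc=1
    fi
    if ! id -nG "$user" | tr ' ' '\n' | grep -qx "$group"; then
        echo "FAIL: user $user is not in group $group"
        rc=1
    fi
    [ "$rc" = 0 ] && echo "OK: $bin is set up for non-root capture by $user"
    return "$rc"
}

# Invoke with --run on the CentOS host, using the article's path, user and group.
case ${1:-} in
    --run) audit_dumpcap /usr/sbin/dumpcap web wireshark ;;
esac
```

Run it as sh audit.sh --run after completing Step 3; a clean result prints a single OK line. Because the audit rejects any capability beyond the two the article grants, it also catches a later setcap call that quietly adds more (for example cap_sys_admin), which would turn the capture group into something much closer to root.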
Start and stop packet capture with tshark
Now, log in as web and type tshark -D to list the interfaces.

To start capturing, use tshark -i eth0 -w /tmp/test.pcap to capture traffic on eth0 and save it to /tmp/test.pcap.

To stop capturing, use killall tshark. It will flush all the packets in the buffer to /tmp/test.pcap and gracefully stop the tshark process.