Ethereal-users: Re: [Ethereal-users] ethereal 0.8.19 on Sun Sparc S 5.6

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 7 Feb 2002 13:44:26 -0800 (PST)
> I just installed ethereal 0.8.19. Logged in as root, I can capture network
> data. However, when logged on as other accounts, I got permission denied:
> 'The capture session could not initiated (/dev/hem0: No such
> file  or directory). Please check to make sure you have sufficient
> permission, and that you have the proper interface or pipe specified.'
> 
> Does that mean Ethereal can ONLY be run by 'root'?

On Solaris, Ethereal could be run as a non-root user *if* you make the
device that it opens readable and writable by other users.  In the case
of the "hmeN" devices, that'd be "/dev/hme" (no, no "0" after it).

*However*, on recent versions of Solaris, it appears that you have to be
root to put the interface into promiscuous mode, so you would only be
able to see traffic sent to your machine - not even traffic sent *from*
your machine, as you can see that, on Solaris, only in promiscuous mode.

So, while you can capture packets as a non-root user, *if* you change
the permissions on the device in question, you probably can't
capture enough packets for the capture to be interesting, so you can do
*interesting* captures only as root, yes, because that's a limitation
imposed by the operating system; there's nothing that Ethereal can do
about it and, for that matter, there's nothing that tcpdump, or snoop,
or any *other* packet capture program can do about it, either.

The man page for the current version of tcpdump (3.7.1) has a fairly
detailed description of the privilege requirements for doing packet
capture - the requirements are the same for Ethereal, as tcpdump and
Ethereal use the same library to do packet capture.  That man page says:

     Reading packets from a network interface may require that
     you have special privileges:

     Under SunOS 3.x or 4.x with
          You must have read access to /dev/nit or /dev/bpf*.

     Under Solaris with DLPI:
          You must have read/write access to the network pseudo
          device, e.g. /dev/le.  On at least some versions of
          Solaris, however, this is not sufficient to allow
          tcpdump to capture in promiscuous mode; on those
          versions of Solaris, you must be root, or tcpdump must be
          installed setuid to root, in order to capture in
          promiscuous mode.

     Under HP-UX with DLPI:
          You must be root or tcpdump must be installed setuid to
          root.

     Under IRIX with snoop:
          You must be root or tcpdump must be installed setuid to
          root.

     Under Linux:
          You must be root or tcpdump must be installed setuid to
          root.

     Under Ultrix and Digital UNIX:
          Once the super-user has enabled promiscuous-mode
          operation using pfconfig(8), any user may capture network
          traffic with tcpdump.

     Under BSD:
          You must have read access to /dev/bpf*.
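
An added example, not part of the original message: a POSIX shell audit of the two conditions the reply and the man page excerpt turn on, namely who can open the capture device and whether tcpdump is installed setuid root. The function names and the `/dev/bpf0` path are assumptions made for the illustration.

```shell
#!/bin/sh
# Audit sketch (added example): report which class of local user can open a
# packet-capture device, and whether a capture tool is setuid root.

# capture_access DEV NEED -> prints missing | world | group | owner
# NEED is "rw" (Solaris DLPI devices such as /dev/hme, /dev/le) or
# "r" (BSD-style /dev/bpf* devices), following the man page excerpt.
capture_access() {
    dev=$1
    need=$2
    [ -e "$dev" ] || { echo missing; return 0; }
    # -L follows symlinks, so a /dev entry that links elsewhere is resolved.
    mode=$(ls -ldL "$dev" | awk '{print $1}')
    grp=$(printf '%s' "$mode" | cut -c5-6)   # group read/write bits
    oth=$(printf '%s' "$mode" | cut -c8-9)   # other read/write bits
    if [ "$need" = r ]; then
        grp=${grp%?}                          # keep only the read bit
        oth=${oth%?}
    fi
    if [ "$oth" = "$need" ]; then
        echo world    # any local user can open the device for capture
    elif [ "$grp" = "$need" ]; then
        echo group    # only members of the device's group can
    else
        echo owner    # effectively the owner (normally root) only
    fi
}

# is_setuid_root FILE -> exit status 0 if FILE has the setuid bit and uid 0 owns it
is_setuid_root() {
    bin=$1
    [ -u "$bin" ] || return 1
    owner=$(ls -ldLn "$bin" | awk '{print $3}')
    [ "$owner" = 0 ]
}

# Device paths from the post and man page; /dev/bpf0 is a constructed instance
# of /dev/bpf*. Adjust the list for the host being audited.
for spec in /dev/hme:rw /dev/le:rw /dev/bpf0:r; do
    printf '%s (needs %s): %s\n' "${spec%:*}" "${spec#*:}" \
        "$(capture_access "${spec%:*}" "${spec#*:}")"
done
if tcpdump_path=$(command -v tcpdump) && is_setuid_root "$tcpdump_path"; then
    echo "$tcpdump_path is setuid root: any user who can execute it can capture"
fi
```

A `world` result on a Solaris DLPI device means every local account can capture traffic addressed to the host, even where promiscuous mode still requires root.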