Ethereal-users: Re: [Ethereal-users] problem

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 15 Jul 2002 16:11:23 -0700
On Mon, Jul 15, 2002 at 04:20:03PM -0400, Mark Malson wrote:
> If you're on a Unix or Linux-based platform, make sure you are root when you
> kick off ethereal or "sudo ethereal" to launch.

Unfortunately, I suspect he's not: "Overlapped I/O operation is in
progress" sounds like a Windows message.

(Note that on some UNIX platforms you *can* do packet capture without
root privileges; for the full story, see the latest tcpdump man page:

     Reading packets from a network interface may require that
     you have special privileges:

     Under SunOS 3.x or 4.x with NIT or BPF:
          You must have read access to /dev/nit or /dev/bpf*.

     Under Solaris with DLPI:
          You must have read/write access to the network pseudo
          device, e.g. /dev/le. On at least some versions of
          Solaris, however, this is not sufficient to allow
          tcpdump to capture in promiscuous mode; on those
          versions of Solaris, you must be root, or tcpdump must
          be installed setuid to root, in order to capture in
          promiscuous mode. Note that, on many (perhaps all)
          interfaces, if you don't capture in promiscuous mode,
          you will not see any outgoing packets, so a capture not
          done in promiscuous mode may not be very useful.

     Under HP-UX with DLPI:
          You must be root or tcpdump must be installed setuid to
          root.

     Under IRIX with snoop:
          You must be root or tcpdump must be installed setuid to
          root.

     Under Linux:
          You must be root or tcpdump must be installed setuid to
          root.

     Under Ultrix and Digital UNIX/Tru64 UNIX:
          Any user may capture network traffic with tcpdump.
          However, no user (not even the super-user) can capture
          in promiscuous mode on an interface unless the
          super-user has enabled promiscuous-mode operation on
          that interface using pfconfig(8), and no user (not even
          the super-user) can capture unicast traffic received by
          or sent by the machine on an interface unless the
          super-user has enabled copy-all-mode operation on that
          interface using pfconfig, so useful packet capture on
          an interface probably requires that either
          promiscuous-mode or copy-all-mode operation, or both
          modes of operation, be enabled on that interface.

     Under BSD:
          You must have read access to /dev/bpf*.

For example, I've given myself read access to the BPF devices on my home
FreeBSD partition, so I can run tcpdump, Ethereal, etc. to do packet
capturing without having to become root.

Linux distributions could support that, too, if

	1) the distribution had a 2.2-or-later kernel, I think

and

	2) it had a mechanism to give particular accounts particular
	   "capability" bits

as you could give your account CAP_NET_RAW, which would let you open a
PF_PACKET socket without being root.  Unfortunately, I don't know of any
such mechanism to let capability bits get set in a user's login shell.)
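The Linux point above (CAP_NET_RAW, not root as such, is what gates opening a PF_PACKET socket) can be checked directly. The following is an added example, not code from the message or from Ethereal/tcpdump; it assumes a Linux host with /proc mounted, reads the effective capability set from /proc/self/status, and then attempts the socket open that a capture tool performs, so a non-root account can see exactly which privilege it is missing.

```c
/* Added example: does this process hold CAP_NET_RAW, and can it open a
 * PF_PACKET socket? Linux-only; assumes /proc is mounted. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/capability.h>   /* defines CAP_NET_RAW (bit 13) */

/* Parse the "CapEff:" line of /proc/self/status (a hex bitmask of the
 * effective capability set). Returns 1 if CAP_NET_RAW is present, 0 if
 * absent, -1 if the file could not be read. */
int has_cap_net_raw(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long long eff;
        if (sscanf(line, "CapEff: %llx", &eff) == 1) {
            result = (int)((eff >> CAP_NET_RAW) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Attempt the open a capture tool would do. Returns 0 on success or the
 * errno from socket(); the kernel returns EPERM when CAP_NET_RAW is missing. */
int try_open_pf_packet(void) {
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void) {
    int cap = has_cap_net_raw();
    int err = try_open_pf_packet();
    printf("CAP_NET_RAW in effective set: %s\n",
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    if (err == 0)
        printf("PF_PACKET socket opened: capture possible as this user\n");
    else
        printf("PF_PACKET socket failed: %s (errno %d)\n", strerror(err), err);
    return 0;
}
```

Today the mechanism the message says was lacking exists as file capabilities: libcap's setcap can grant cap_net_raw (and cap_net_admin) to a capture helper binary, which is how Wireshark's dumpcap is commonly deployed so that the GUI never runs as root.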