On Mon, Jul 15, 2002 at 04:20:03PM -0400, Mark Malson wrote:
> If you're on a Unix or Linux-based platform, make sure you are root when you
> kick off ethereal or "sudo ethereal" to launch.
Unfortunately, I suspect he's not: "Overlapped I/O operation is in
progress" sounds like a Windows message.
(Note that on some UNIX platforms you *can* do packet capture without
root privileges; for the full story, see the latest tcpdump man page:
       Reading packets from a network interface may require that you have
       special privileges:

       Under SunOS 3.x or 4.x with
              You must have read access to /dev/nit or /dev/bpf*.

       Under Solaris with DLPI:
              You must have read/write access to the network pseudo device,
              e.g. /dev/le. On at least some versions of Solaris, however,
              this is not sufficient to allow tcpdump to capture in
              promiscuous mode; on those versions of Solaris, you must be
              root, or tcpdump must be installed setuid to root, in order to
              capture in promiscuous mode. Note that, on many (perhaps all)
              interfaces, if you don't capture in promiscuous mode, you will
              not see any outgoing packets, so a capture not done in
              promiscuous mode may not be very useful.

       Under HP-UX with DLPI:
              You must be root or tcpdump must be installed setuid to root.

       Under IRIX with snoop:
              You must be root or tcpdump must be installed setuid to root.

       Under Linux:
              You must be root or tcpdump must be installed setuid to root.

       Under Ultrix and Digital UNIX/Tru64 UNIX:
              Any user may capture network traffic with tcpdump. However, no
              user (not even the super-user) can capture in promiscuous mode
              on an interface unless the super-user has enabled
              promiscuous-mode operation on that interface using
              pfconfig(8), and no user (not even the super-user) can capture
              unicast traffic received by or sent by the machine on an
              interface unless the super-user has enabled copy-all-mode
              operation on that interface using pfconfig, so useful packet
              capture on an interface probably requires that either
              promiscuous-mode or copy-all-mode operation, or both modes of
              operation, be enabled on that interface.

       Under BSD:
              You must have read access to /dev/bpf*.
For example, I've given myself read access to the BPF devices on my home
FreeBSD partition, so I can run tcpdump, Ethereal, etc. to do packet
capturing without having to become root.
Linux distributions could support that, too, if
1) the distribution had a 2.2-or-later kernel, I think
and
2) it had a mechanism to give particular accounts particular
"capability" bits
as you could give your account CAP_NET_RAW, which would let you open a
PF_PACKET socket without being root. Unfortunately, I don't know of any
such mechanism to let capability bits get set in a user's login shell.)
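An added example, not part of the thread above: on Linux the capability sets of a process are visible in /proc/self/status, so a capture tool (or an admin) can check whether the effective set actually carries CAP_NET_RAW before trying to open a PF_PACKET socket. The status lines used as input are constructed samples; the bit numbers (CAP_NET_ADMIN = 12, CAP_NET_RAW = 13) are the ones from linux/capability.h.

```python
"""Decode Linux capability masks as shown in /proc/<pid>/status (added example)."""
import re

# Capability numbers from linux/capability.h (only the two relevant to capture).
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_NAMES = {CAP_NET_ADMIN: "cap_net_admin", CAP_NET_RAW: "cap_net_raw"}

# Constructed sample: an ordinary, non-root login shell has every set empty,
# which is why opening a PF_PACKET socket fails with EPERM there.
SAMPLE_STATUS_UNPRIVILEGED = (
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
)
# Constructed sample: a process granted only CAP_NET_RAW (bit 13 -> 0x2000).
SAMPLE_STATUS_NET_RAW = (
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n"
)


def parse_cap_sets(status_text):
    """Return {"CapInh": int, "CapPrm": int, "CapEff": int, ...} from status text."""
    sets = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        sets[m.group(1)] = int(m.group(2), 16)
    return sets


def has_cap(mask, cap_number):
    """True if capability number cap_number is set in the 64-bit mask."""
    return bool((mask >> cap_number) & 1)


def can_open_raw_socket(status_text):
    """True if the effective set holds CAP_NET_RAW, the bit a non-root
    caller needs for a PF_PACKET socket; root's full mask also passes."""
    return has_cap(parse_cap_sets(status_text).get("CapEff", 0), CAP_NET_RAW)


def describe(status_text):
    """Names of the capture-relevant capabilities present in the effective set."""
    eff = parse_cap_sets(status_text).get("CapEff", 0)
    return sorted(name for num, name in CAP_NAMES.items() if has_cap(eff, num))


def current_process():
    """Check the running process; None when /proc is unavailable (non-Linux)."""
    try:
        with open("/proc/self/status") as f:
            return can_open_raw_socket(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    for label, text in (("shell", SAMPLE_STATUS_UNPRIVILEGED), ("net_raw", SAMPLE_STATUS_NET_RAW)):
        print(label, describe(text), "can capture:", can_open_raw_socket(text))
    print("this process can capture:", current_process())
```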