Wireshark-dev: [Wireshark-dev] Capturing packets on Linux during development

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Mon, 6 Nov 2017 15:51:05 +0000
Hi,

Capturing packets requires a privileged process. A long time ago, this was
done on Linux using a setuid root executable file. Nowadays, Linux
distributions use file capabilities and a mode like 0754 to limit
capturing to a special group, typically called "wireshark". Members of
that group can capture packets as a normal user (not root). The required
capabilities for capture are:

 - cap_net_admin - for changing monitor/promisc mode
 - cap_net_raw - for actually capturing data.

During development however, the generated binary will be overwritten
every time, so changing the file capabilities is cumbersome. File
capabilities are also not supported for tmpfs filesystems. Therefore I
use "Ambient capabilities", which have been possible since Linux 4.3. These do
not suffer from the previous limitations since the capabilities are
taken from the process environment rather than from the filesystem.

Attached is my "enter-caps" script. Run it without arguments to obtain a
shell from which you can start wireshark, tshark, etc. For more
background info, see https://unix.stackexchange.com/a/303738/8250


For USB captures using the usbmon interface, I typically do something
like this, once after a fresh boot:

    sudo modprobe usbmon
    sudo setfacl -m u:$USER:r /dev/usbmon*

This allows the current user (which is expanded automatically from
`$USER`) to read (capture) USB traffic. In this way, dumpcap does not
need additional capabilities either.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
#!/bin/bash
# enter-caps: run a shell (or the given command) with the capture capabilities
# held as ambient capabilities, so freshly built, non-setcap binaries keep them.

# Mark the prompt so the capability-enabled shell is recognisable.
export PS1="#$PS1"

caps=cap_net_admin,cap_net_raw
#caps+=,cap_dac_override

# sudo -E keeps the environment (PS1, DISPLAY, ...). capsh needs
# cap_setuid/cap_setgid/cap_setpcap to switch back to $USER; --keep=1
# preserves the capabilities across that uid change, --addamb raises $caps
# into the ambient set (Linux >= 4.3), and "--" runs /bin/bash with "$@".
sudo -E capsh --keep=1 --caps="cap_setuid,cap_setgid,cap_setpcap+ep $caps+eip" \
    --user="$USER" --addamb="$caps" -- "$@"
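As an added check (not part of Peter's enter-caps script), the following script verifies from inside the shell that enter-caps starts whether cap_net_admin and cap_net_raw are really in the process's effective set, whether they arrived via the ambient set, and whether the process holds anything beyond those two. It reads the CapEff/CapAmb hex masks that the kernel exposes in /proc/self/status; the function names are my own, the bit numbers come from <linux/capability.h>, and the optional file argument exists so the decoding can be exercised on a constructed status file.

```shell
#!/bin/bash
# Added example: decode the capability masks in /proc/<pid>/status and confirm
# that exactly the capture capabilities are effective. Bit numbers are from
# <linux/capability.h>; the masks are 64-bit hex strings, one per Cap* line.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_field NAME [STATUSFILE]: print the hex mask of one Cap* line.
# STATUSFILE defaults to the current process; any other path is accepted so
# the logic can be tested against a constructed file.
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }' "${2:-/proc/self/status}"
}

# has_cap HEXMASK BIT: exit 0 if capability number BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# extra_caps HEXMASK: print the bit numbers set in HEXMASK other than the two
# capture capabilities (empty output means nothing beyond them is held).
extra_caps() {
    local i=0
    while [ $i -lt 64 ]; do
        if [ $i -ne $CAP_NET_ADMIN ] && [ $i -ne $CAP_NET_RAW ] && has_cap "$1" $i; then
            printf ' %s' "$i"
        fi
        i=$((i + 1))
    done
}

# check_capture_caps [STATUSFILE]: exit 0 when cap_net_admin and cap_net_raw
# are both effective (what dumpcap needs), 1 otherwise. The printed verdict
# also notes whether they are ambient (and so survive execve of a non-setcap
# binary) and lists any extra effective capabilities.
check_capture_caps() {
    local eff amb missing verdict extra
    eff=$(cap_field CapEff "$1")
    amb=$(cap_field CapAmb "$1")
    missing=""
    has_cap "$eff" $CAP_NET_ADMIN || missing="$missing cap_net_admin"
    has_cap "$eff" $CAP_NET_RAW   || missing="$missing cap_net_raw"
    if [ -n "$missing" ]; then
        echo "missing from effective set:$missing"
        return 1
    fi
    verdict="capture caps effective"
    if has_cap "$amb" $CAP_NET_ADMIN && has_cap "$amb" $CAP_NET_RAW; then
        verdict="$verdict (ambient, inherited across execve)"
    fi
    extra=$(extra_caps "$eff")
    [ -z "$extra" ] || verdict="$verdict; extra effective caps:$extra"
    echo "$verdict"
}

# Only run the live check when asked, so sourcing the file just defines functions.
if [ "${1:-}" = "--check" ]; then
    check_capture_caps
fi
```

Run `bash capcheck.sh --check` inside the enter-caps shell; in a plain user shell it reports both capabilities missing, and under `sudo` it reports the full root set as extras, which is exactly the over-privilege the ambient-capability approach avoids.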