Running Wireshark as a non-root user

CAP_NET_ADMIN – Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
CAP_NET_RAW – Permit use of RAW and PACKET sockets.
CAP_NET_ADMIN allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire. These capabilities are assigned using the setcap utility.

Enabling Non-root Capture
1. If the setcap utility is not installed, install it first.
Ubuntu:

sudo apt-get install libcap2-bin

Archlinux:

sudo pacman -S libcap

2. If there is no wireshark group on the system, create one, then add yourself to it:

sudo groupadd wireshark
sudo usermod -a -G wireshark YOUR-USER-NAME
# or: sudo gpasswd -a YOUR-USER-NAME wireshark

After adding yourself to the wireshark group, you normally have to log out and log back in for the change to take effect.
You can also run the following to force the new group membership into effect (note: you must then start Wireshark by running the wireshark command from that same terminal for it to work):

newgrp wireshark

Next we change the ownership of dumpcap so that it belongs to the wireshark group, and then give that group execute permission:

sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 754 /usr/bin/dumpcap

3. Grant Capabilities

sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
# or:
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

Then let's check:

[admin@huangye ~]$ sudo getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

Now run Wireshark: you can capture packets without root, right?

[Screenshot: wireshark-non-root.png]

If you get the following error when running it:

Couldn’t run /usr/bin/dumpcap in child process: Permission denied

most likely you either did not log back in, or you used the newgrp method to activate the group membership and did not run Wireshark from the same terminal.
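The three things the steps above set up (group membership of the current shell, the group-only execute permission on dumpcap, and the file capabilities) are exactly what goes wrong when the "Permission denied" error appears. The script below is an added example, not part of the original post: each check is a small shell function that takes its input as a string, so it can be run on constructed values, and `--live` applies them to the real machine. It assumes Linux with GNU coreutils (`stat -c`), `getcap` from libcap, and the /usr/bin/dumpcap path used in the post (override with `DUMPCAP=`). It accepts both the older `path = caps+eip` and the newer `path caps=eip` output styles of getcap.

```shell
#!/bin/sh
# Post-setup check for non-root capture (added example, not from the original post).
# Each check is a function that takes its input as an argument, so the checks
# can run against constructed strings as well as against the live system.

# Path assumed from the post; override with DUMPCAP=/other/path if needed.
DUMPCAP="${DUMPCAP:-/usr/bin/dumpcap}"

# group_ok "<space-separated group list>": succeed if "wireshark" is one of them.
# Feed it "$(id -nG)" to test the *current shell*, which is what newgrp affects.
group_ok() {
    for g in $1; do
        [ "$g" = wireshark ] && return 0
    done
    return 1
}

# mode_ok <three-digit octal mode>: the wireshark group must have execute
# permission on dumpcap and "other" must not, so only group members can reach
# the capability-bearing binary (the post uses 754).
mode_ok() {
    m="$1"
    [ "${#m}" -eq 3 ] || return 1
    g=$(printf '%s' "$m" | cut -c2)
    o=$(printf '%s' "$m" | cut -c3)
    case "$g" in 1|3|5|7) ;; *) return 1 ;; esac        # group execute bit set
    case "$o" in 0|2|4|6) return 0 ;; *) return 1 ;; esac  # other execute bit clear
}

# caps_ok "<getcap output line>": succeed if both cap_net_admin and cap_net_raw
# are present and at least effective+permitted. Accepts both output styles:
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip     (newer libcap)
caps_ok() {
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_raw*)   ;; *) return 1 ;; esac
    case "$1" in
        *[+=]eip|*[+=]ep) return 0 ;;   # "+eip" as in the post, or "+ep"
        *) return 1 ;;
    esac
}

# check_live: run the three checks against this machine and report each one.
check_live() {
    rc=0
    if group_ok "$(id -nG)"; then
        echo "ok   : this shell is in the wireshark group"
    else
        echo "FAIL : not in the wireshark group in this shell (re-login or newgrp wireshark)"; rc=1
    fi
    if [ -e "$DUMPCAP" ] && mode_ok "$(stat -c %a "$DUMPCAP")"; then
        echo "ok   : $DUMPCAP mode allows group execute, not other"
    else
        echo "FAIL : $DUMPCAP missing or mode wrong (expected e.g. 754)"; rc=1
    fi
    if command -v getcap >/dev/null 2>&1 && caps_ok "$(getcap "$DUMPCAP" 2>/dev/null)"; then
        echo "ok   : file capabilities present on $DUMPCAP"
    else
        echo "FAIL : cap_net_raw/cap_net_admin not set on $DUMPCAP (run setcap)"; rc=1
    fi
    return $rc
}

# Run the live checks only when invoked as: sh check-dumpcap.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh check-dumpcap.sh --live` from the terminal you intend to start Wireshark in; the group check deliberately looks at the current shell's groups rather than /etc/group, because a fresh `usermod` entry that this shell has not picked up is precisely the case the error message above points at.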

References:
Sniffing with Wireshark as a Non-Root User – Packet Life
CaptureSetup/CapturePrivileges – The Wireshark Wiki
