Wireshark on Ubuntu not as root

I often need to capture BACnet network traffic using Wireshark while I am running Ubuntu Linux. I’ve always had to run Wireshark as root (usually via gksu or kdesu) in order to capture from any interfaces (i.e. eth0, wlan0). For a while, there was an additional Wireshark menu item that included the “run as root” option. However, running an application “as root” has some downsides (like being insecure), and in the latest release of Ubuntu, there is no menu item to run “as root”. The downside of running as root for me was that the capture files saved by default into the /root directory, and were saved with root group and owner permissions.

Today, after launching the menu and seeing no interfaces (again), I decided to search the Internet and find a better way, and found two things of note. The first method, which I found posted on Ubuntu Forums, is the manual way of configuring Wireshark to run as a normal user (with admin group privileges) by configuring only dumpcap to have the elevated privileges:

$ sudo apt-get install libcap2-bin wireshark
$ sudo chgrp admin /usr/bin/dumpcap
$ sudo chmod 750 /usr/bin/dumpcap
$ sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

The second method was outlined in Ubuntu Bug #513903 at Launchpad and can be done with Ubuntu Lucid and beyond. It creates a new group “wireshark”, configures dumpcap with setcap, and requires the user to manually add themselves to the “wireshark” group (then log out and log back in to activate it).

$ sudo dpkg-reconfigure wireshark-common
$ sudo adduser skarg wireshark
$ exit

Don’t do both methods, as they are slightly different solutions.
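Whichever method you used, it helps to check the result rather than guess. The script below is an added example (not from this post, nor from the Wireshark or Ubuntu packages): classify_dumpcap works on plain values so it can be checked offline, and audit_dumpcap feeds it the real values; it assumes GNU stat and the getcap tool from libcap2-bin.

```shell
# Added example: audit how dumpcap is set up and whether the current user can
# capture without running Wireshark itself as root.
#
# classify_dumpcap MODE GROUP CAPS USER_GROUPS
#   MODE        octal permission bits of dumpcap, e.g. 750 or 4755
#   GROUP       owning group of the dumpcap binary
#   CAPS        getcap output for the binary (empty when none are set)
#   USER_GROUPS space-separated groups of the user (output of `id -Gn`)
# Prints "method=<capabilities|setuid-root|none> user=<ok|denied>" and
# returns 0 only when the user can capture.
classify_dumpcap() {
    mode=$1
    group=$2
    caps=$3
    user_groups=$4
    # Both methods from the post end with cap_net_raw and cap_net_admin on the file
    case "$caps" in
        *cap_net_raw*cap_net_admin*|*cap_net_admin*cap_net_raw*) method=capabilities ;;
        *) case "$mode" in
               4*) method=setuid-root ;;   # set-user-id bit present
               *)  method=none ;;
           esac ;;
    esac
    # Who may execute the binary: the "other" execute bit, or the group execute
    # bit for members of the owning group (750 => group members only).
    group_bits=$(printf '%s' "$mode" | cut -c $((${#mode} - 1)))
    other_bits=$(printf '%s' "$mode" | cut -c ${#mode})
    in_group=no
    for g in $user_groups; do [ "$g" = "$group" ] && in_group=yes; done
    if [ $((other_bits & 1)) -eq 1 ]; then access=ok
    elif [ $in_group = yes ] && [ $((group_bits & 1)) -eq 1 ]; then access=ok
    else access=denied
    fi
    # Being allowed to run dumpcap is useless if it has no elevated privileges
    [ "$method" = none ] && access=denied
    echo "method=$method user=$access"
    [ "$access" = ok ]
}

# Gather the live values for a binary (default /usr/bin/dumpcap).
audit_dumpcap() {
    bin=${1:-/usr/bin/dumpcap}
    mode=$(stat -c %a "$bin") || return 2
    group=$(stat -c %G "$bin")
    caps=$(getcap "$bin" 2>/dev/null)
    # id -Gn shows the groups of the *current session*: a group added with
    # adduser only appears here after logging out and back in.
    classify_dumpcap "$mode" "$group" "$caps" "$(id -Gn)"
}
```

A "user=denied" result with a "wireshark" owning group and a session that does not yet list that group is the log-out-and-back-in case rather than a broken install.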

About skarg

I write software for a living. So, I dedicated some web space for some stuff that I have worked on. I mostly write embedded C for PC based controllers, but I have dabbled in a few other areas as well.

7 Responses to Wireshark on Ubuntu not as root

  1. Hi everybody!

    If you are in Debian or in Ubuntu (I suppose the same happens with all Debian derivatives such as Mint), you can do this directly by executing the following command (as root):

    dpkg-reconfigure wireshark-common

    I read this by a reference on the wiki of Wireshark (http://ur1.ca/4ugx2).

  2. Dave says:

    I’ve been spinning in circles for a few hours on this same Trek. I’m stumped when I enter the following (on Ubuntu 10.04)
    sudo dpkg-reconfigure wireshark-common

    Up pops a Package configure screen (in a Terminal window) that asks:
    Should dumpcap be installed “setuid root”?

    The <Yes> is highlighted in red, as if it’s the default. But I don’t know how to answer <Yes>. There is no character entry prompt. It’s a text window, not a GUI, so clicking the mouse on <Yes> or <No> has no effect. I’ve tried typing Yes, followed by return. Nothing happens – I just get back to a Terminal prompt. There is no wireshark group created on my system, so I can’t add my userid to the group.

    What is the secret to instructing the dpkg-reconfigure to proceed with the <Yes> option?

  3. skarg says:

    The Package configuration screen looks something like this:

    ┌─────────────────────┤ Configuring wireshark-common ├─────────────────────┐
    │                                                                          │
    │ Dumpcap can be installed with the set-user-id bit set, so members of the │
    │ “wireshark” system group will have the privileges required to use it.    │
    │ This way of capturing packets using Wireshark/Tshark is recommended over │
    │ the alternative of running them directly as superuser, because less of   │
    │ the code will run with elevated privileges.                              │
    │                                                                          │
    │ Enabling this feature may be a security risk, so it is disabled by       │
    │ default. If in doubt, it is suggested to leave it disabled.              │
    │                                                                          │
    │ Should dumpcap be installed “setuid root”?                               │
    │                                                                          │
    │                         <Yes>            <No>                            │
    │                                                                          │
    └──────────────────────────────────────────────────────────────────────────┘

    Use your arrow keys or TAB key to highlight the Yes in red, and press ENTER key.

  4. arniu says:

    The second method doesn’t work in Ubuntu 12.04. “Lua: Error during loading:
    [string “/usr/share/wireshark/init.lua”]:45: dofile has been disabled” does disappear, while a new warning, “Couldn’t run /usr/bin/dumpcap in child process: permissions not allowed”, takes its place.

  5. arniu says:

    I’m really sorry for my words before; the second method does actually work. It does not appear to work before your next login.

  6. Jordon says:

    Run each command separately:

    sudo apt-get install libcap2-bin wireshark
    sudo chgrp admin /usr/bin/dumpcap
    sudo chmod 750 /usr/bin/dumpcap
    sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

  7. Paul Charles Leddy says:

    I had to log out of my openbox desktop and back in to pick up the new group, btw.
