lkpshot.blogg.se

Wireshark tutorial revision 3
Capture privileges - How to enable Wireshark without running as root

We need to run Wireshark or TShark on an account with sufficient privileges to capture, or we need to give the account on which we're running Wireshark or TShark sufficient privileges to capture. The way this is done differs from operating system to operating system. To be secure (at least in a way), it is recommended that even an administrator should always run in an account with (limited) user privileges, and only start processes that really need the administrator privileges.

Wireshark has implemented Privilege Separation, which means that the Wireshark GUI (or the tshark CLI) can run as a normal user while the dumpcap capture utility runs as root. The Security page provides explanations why this is a good idea. This can be achieved by installing dumpcap setuid root. The advantage of this solution is that while dumpcap is run as root, the vast majority of Wireshark's code is run as a normal user (where it can do much less damage).

We may get the following when we fire up Wireshark:

Couldn't run /usr/bin/dumpcap in child process: Permission Denied.

We need to add user "k" to the "wireshark" group. We may want to check the permissions on dumpcap:

rwxr-xr- 1 root wireshark 88272 /usr/bin/dumpcap

Then grant dumpcap the capabilities it needs to capture:

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Select "Yes", then restart the machine and open Wireshark.

We have two filters: display and capture. The display filter is what we see, and the capture filter is related to logging.
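As an added example (not part of the original post), here is a POSIX shell script that audits the capabilities-based dumpcap setup described above by parsing the output of ls -l, getcap and id -nG. The function names and the --live flag are this script's own; the sample lines it is tested with are constructed, modelled on the permissions and setcap command shown above.

```shell
#!/bin/sh
# Added example (not from the post): audit a Linux dumpcap privilege-separation setup.
# Every check parses the text output of one command so it runs offline on constructed
# samples; "--live" reads the real host via ls -l, getcap and id -nG (no root needed).
DUMPCAP=/usr/bin/dumpcap
# perms_ok "<ls -l line>": owned by root:wireshark, group-executable and NOT
# executable by others, so only members of the wireshark group can start a capture.
perms_ok() {
    set -- $1                                # split the ls -l line into fields
    mode=$1 owner=$3 group=$4
    gx=$(printf '%s' "$mode" | cut -c7)      # group execute bit of e.g. -rwxr-xr--
    ox=$(printf '%s' "$mode" | cut -c10)     # other execute bit
    [ "$owner" = root ] && [ "$group" = wireshark ] && [ "$gx" = x ] && [ "$ox" != x ]
}

# caps_ok "<getcap line>": exactly cap_net_raw and cap_net_admin, effective+permitted.
# Accepts "path cap_a,cap_b=eip" (older libcap) and "path = cap_a,cap_b+eip" (newer).
caps_ok() {
    caps=${1#* }                             # drop the leading path
    caps=${caps#"= "}
    list=${caps%%[=+]*}                      # "cap_net_admin,cap_net_raw"
    flags=${caps##*[=+]}                     # "eip"
    seen_raw=0 seen_admin=0
    for c in $(printf '%s' "$list" | tr ',' ' '); do
        case "$c" in
            cap_net_raw)   seen_raw=1 ;;
            cap_net_admin) seen_admin=1 ;;
            *) return 1 ;;                   # any extra capability breaks least privilege
        esac
    done
    [ "$seen_raw" = 1 ] && [ "$seen_admin" = 1 ] || return 1
    case "$flags" in *e*p*|*p*e*) return 0 ;; *) return 1 ;; esac
}

# member_ok "<id -nG output>": the current user is in the wireshark group.
member_ok() {
    for g in $1; do [ "$g" = wireshark ] && return 0; done
    return 1
}
# audit: one PASS/FAIL line per check; returns 0 only when all three pass.
audit() {
    rc=0
    perms_ok "$1"  && echo "PASS dumpcap owner/mode"   || { echo "FAIL dumpcap owner/mode";   rc=1; }
    caps_ok "$2"   && echo "PASS dumpcap capabilities" || { echo "FAIL dumpcap capabilities"; rc=1; }
    member_ok "$3" && echo "PASS wireshark group"      || { echo "FAIL wireshark group";      rc=1; }
    return $rc
}
if [ "${1:-}" = --live ]; then
    audit "$(ls -l "$DUMPCAP" 2>/dev/null)" "$(getcap "$DUMPCAP" 2>/dev/null)" "$(id -nG)"
fi
```

Run it as `sh audit_dumpcap.sh --live` on the machine being configured; a FAIL on the capabilities line usually means the setcap step above was skipped or granted more than the two capabilities dumpcap needs.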