Page 1 of 3 123 LastLast
Results 1 to 10 of 21

Thread: Wireshark group and user question

  1. #1
    Join Date
    Jun 2010
    Beans
    90
    Distro
    Ubuntu 10.04 Lucid Lynx

    Wireshark group and user question

    I see a lot of posts about capture permissions and people saying "type this" and someone saying "hey, worked great!" I guess I'd like to ask a question before I just "type this", so what I think I'm seeing jibes with what is really happening.

    From the Wireshark wiki: http://wiki.wireshark.org/CaptureSet...turePrivileges

    Limiting capture permission to only one group

    1. Create user "wireshark" in group "wireshark".
    2. "chgrp wireshark /usr/bin/dumpcap"
    3. chmod 754 /usr/bin/dumpcap
    4. "setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap"
    5. Ensure Wireshark works only from root and from a user in the "wireshark" group

    Okay so:


    1. There is no group called "wireshark" created after the install, so this should really read: "create group wireshark, then create user wireshark and make that user a member of the group."
    2. fine
    3. fine
    4. fine
    5. Since we don't want to run it as root, why run it as root? To see if it only works as a user in the group, I would need to log in as that user to run Wireshark, right? If the user "wireshark" is a normal user, then why not just add myself to the group "wireshark" instead of creating a new user and logging in as that user?

    Thanks for your help.

  2. #2
    Join Date
    Mar 2010
    Beans
    8,249
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    Once Wireshark is installed, the correct way to run it without invoking root privileges (which is extremely dangerous) can be done like this from the terminal:

    Code:
    sudo apt-get install libcap2-bin wireshark
    sudo chgrp admin /usr/bin/dumpcap
    sudo chmod 750 /usr/bin/dumpcap
    sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
    Run each command separately and then run Wireshark.

    Courtesy of forum member cdenley.

    Hope this helps.

  3. #3
    Join Date
    Jun 2010
    Beans
    90
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    Thank you for your help.

    I was trying to avoid doing this, as per my OP.

    Any ideas on the questions I asked there?

  4. #4
    Join Date
    Mar 2010
    Beans
    8,249
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    Quote Originally Posted by Rumpletumbler View Post
    Thank you for your help.

    I was trying to avoid doing this, as per my OP.

    Any ideas on the questions I asked there?
    Ok, I think there may be some misunderstanding here.

    If you want to run Wireshark and capture packets, but not as root, then you need to use the commands I posted.

    I have discussed this with both cdenley and bodhi.zazen, both highly experienced members (bodhi wrote the security stickies for the forum), and they advised setting up Wireshark this way.

  5. #5
    Join Date
    Mar 2010
    Beans
    8,249
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    Perhaps this is more what you were looking for?

    http://packetlife.net/blog/2010/mar/...non-root-user/

    Although, I think it boils down to almost the same thing.

    Hope this helps.

  6. #6
    Join Date
    Jun 2010
    Beans
    90
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    Quote Originally Posted by Rubi1200 View Post
    Perhaps this is more what you were looking for?

    http://packetlife.net/blog/2010/mar/...non-root-user/

    Although, I think it boils down to almost the same thing.

    Hope this helps.
    I was trying to understand why the directions were different and what the differences were and definitely don't want to run the program as root.

    If I just type:

    Code:
    sudo apt-get install libcap2-bin wireshark
    sudo chgrp admin /usr/bin/dumpcap
    sudo chmod 750 /usr/bin/dumpcap
    sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
    and it works, then that satisfies the working of the program but not necessarily my understanding of why it's done that way and what the differences are between that and the recommendations from Wireshark.

    I do appreciate the help. Thanks.

  7. #7
    Join Date
    Jun 2010
    Beans
    90
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    So, as I understand it, in the first example you're setting up a group and user "wireshark" and giving them permission to the dumpcap executable.

    In setting it up this way would you have to login as the wireshark user?

    In the 2nd example you're doing the same thing, only with the admin group, of which I am a member already, and that makes more sense to me as I could run it without logging in as a different user etc.

    I don't really see the need for the additional group and or user.

    The only reason I would see using the admin group is if you were going to add others to the admin group who needed to be able to use Wireshark.

    Is that right?

  8. #8
    Join Date
    Mar 2010
    Beans
    8,249
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    Quote Originally Posted by Rumpletumbler View Post
    So, as I understand it, in the first example you're setting up a group and user "wireshark" and giving them permission to the dumpcap executable.

    In setting it up this way would you have to login as the wireshark user?

    In the 2nd example you're doing the same thing, only with the admin group, of which I am a member already, and that makes more sense to me as I could run it without logging in as a different user etc.

    I don't really see the need for the additional group and or user.

    The only reason I would see using the admin group is if you were going to add others to the admin group who needed to be able to use Wireshark.

    Is that right?
    In setting it up this way would you have to login as the wireshark user?
    No; as normal user and then run Wireshark from the menu as a normal program.
    Is that right?
    Possibly, not sure about this.

    Sorry, I am not able to give you a more definitive answer.

  9. #9
    Join Date
    Jun 2010
    Beans
    90
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    Quote Originally Posted by Rubi1200 View Post
    No; as normal user and then run Wireshark from the menu as a normal program.
    Any idea how to test this?

    5. Ensure Wireshark works only from root and from a user in the "wireshark" group
    If I set it up this way and then run as myself then of course I'm not testing anything. How would one go about determining that it works only from a user in the Wireshark group? Again, anyone know why this would be more secure than just giving myself permissions to it? I don't get it.
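
    One way to answer the "how do I test this?" question from the post above, and to see what the wiki procedure (post #1) and the admin-group variant (post #2) actually produce on disk, is the following added check script. It is not from the thread or from the Wireshark project. It assumes dumpcap lives at /usr/bin/dumpcap, that the capture group is named "wireshark" (change CAP_GROUP to "admin" for the other variant), that the system user "nobody" is not a member of that group, and that GNU or busybox stat, getcap (from libcap2-bin) and sudo are available for the live checks. The three things the thread's commands change are group ownership, the execute bit for "other", and the file capabilities; the script checks each one separately and then confirms that a user outside the group is refused while the current user is not.

```shell
#!/bin/sh
# Added example: verify the dumpcap capture setup described in this thread.
# Assumptions (not from the original posts): DUMPCAP path, CAP_GROUP name,
# and that user "nobody" is outside the capture group.
# Run the live checks with:  sh check_dumpcap.sh --run

DUMPCAP=/usr/bin/dumpcap
CAP_GROUP=wireshark            # "admin" if you followed post #2

# True if an octal mode string ("750", "754", "0750") gives "other" no
# execute bit. Only the execute bit decides whether a user outside the
# group can run dumpcap at all, so 750 and 754 are equivalent here.
mode_restricts_exec() {
    mode=$1
    [ -n "$mode" ] || return 1
    other=${mode#"${mode%?}"}      # last octal digit = "other" permissions
    [ $(( other & 1 )) -eq 0 ]     # bit value 1 is execute
}

# True if a getcap line grants both cap_net_raw and cap_net_admin with the
# effective (e) and permitted (p) flags, which is what "+eip" in the thread's
# setcap command asks for. Both getcap output styles are accepted:
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip     (newer libcap)
caps_sufficient() {
    line=$1
    case "$line" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$line" in *cap_net_admin*) ;; *) return 1 ;; esac
    flags=${line##*[+=]}           # text after the last '+' or '='
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
    return 0
}

# True if the file is group-owned by $2 and not executable by "other".
file_restricted_to_group() {
    path=$1 want=$2
    set -- $(stat -c '%a %G' "$path" 2>/dev/null)   # "<mode> <group>"
    [ $# -eq 2 ] || return 1
    [ "$2" = "$want" ] && mode_restricts_exec "$1"
}

# Try to list capture interfaces as another user. "dumpcap -D" needs the
# raw-socket capability, so a user outside the group is refused outright
# (no execute permission on the binary), which is the behaviour we want.
can_capture_as() {
    sudo -n -u "$1" "$DUMPCAP" -D >/dev/null 2>&1
}

if [ "${1:-}" = "--run" ]; then
    if file_restricted_to_group "$DUMPCAP" "$CAP_GROUP"; then
        echo "ownership/mode: OK ($(stat -c '%a %U:%G' "$DUMPCAP"))"
    else
        echo "ownership/mode: WRONG, expected group $CAP_GROUP and no o+x"
    fi
    if caps_sufficient "$(getcap "$DUMPCAP" 2>/dev/null)"; then
        echo "capabilities: OK"
    else
        echo "capabilities: WRONG, re-run the setcap command"
    fi
    if can_capture_as nobody; then
        echo "nobody can capture: WRONG, the group restricts nothing"
    else
        echo "nobody cannot capture: OK"
    fi
    if "$DUMPCAP" -D >/dev/null 2>&1; then
        echo "$(id -un) can capture: OK"
    else
        echo "$(id -un) cannot capture: add yourself to $CAP_GROUP and log in again"
    fi
fi
```

    Note that group membership only takes effect for new logins (or a new shell started with newgrp), so the last check fails until you log out and back in after the usermod. Also keep in mind that the admin-group variant in post #2 does not change who can capture in practice, because members of admin already have sudo; a dedicated group is what lets a user capture without also holding root.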

  10. #10
    Join Date
    Jun 2010
    Beans
    90
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Wireshark group and user question

    bump
