Wireshark is a very powerful packet analyser which is often highly useful when debugging network applications or configurations. It is packaged by the major Linux distributions; there is, however, one caveat related to the privileges required for packet capturing.
Wireshark has privilege separation between the user interface (the Wireshark GUI or the tshark CLI) and the dumpcap packet capture utility, which needs to perform various privileged network-related operations as well as use raw and packet sockets. Unfortunately, when Wireshark is packaged for installation, the default installation tends to require the whole of Wireshark to be run with root privileges. This typically manifests itself as no available capture interfaces when running the Wireshark GUI as a non-privileged user, as shown in the screencap below.
Unix operating systems traditionally distinguish between privileged processes, which bypass all permission checks within the kernel, and unprivileged processes, which are subjected to permissions checking. The mainline Linux kernel has since version 2.2 supported filesystem capabilities which offer more fine-grained control over what privileges a process possesses.
Filesystem capabilities are configured with the setcap command, which accepts a space-separated list of capability clauses and a target file as arguments. A capability clause consists of a comma-separated list of capability names followed by a list of operator-flag pairs. The available operators are ‘=’, ‘+’ and ‘-’. The available flags are ‘e’, ‘i’ and ‘p’, which correspond to the Effective, Inheritable and Permitted capability sets. The ‘=’ operator will raise the specified capability sets and reset the others. If no flags are given in conjunction with the ‘=’ operator, all the capability sets will be reset. The ‘+’ and ‘-’ operators will respectively raise or lower the one or more capability sets specified.
To allow the dumpcap utility to be run by ordinary users belonging to a particular group, the executable needs to be owned by that group. The group also needs execute rights on dumpcap, but other users should be restricted from invoking the utility. Lastly, each capability set needs to be raised for the CAP_NET_RAW and CAP_NET_ADMIN capabilities on dumpcap. This can be achieved with the following commands (setcap writes the file's extended attributes and therefore needs root as well):
$ sudo chgrp wireshark /usr/bin/dumpcap
$ sudo chmod 754 /usr/bin/dumpcap
$ sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
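As an added example (not part of the original post, and not libcap's own parser), the following Python models the setcap clause grammar described above so the effect of a setcap argument can be predicted and checked before it is applied to dumpcap. It follows the rules as the text states them: names, then operator/flag pairs, with ‘=’ replacing the flag set and ‘+’/‘-’ raising or lowering individual sets.

```python
# Added example: model of the setcap clause grammar (not libcap code).
from typing import Dict, List, Set, Tuple

FLAGS = {"e", "i", "p"}         # Effective, Inheritable, Permitted sets
OPERATORS = {"=", "+", "-"}
CapState = Dict[str, Set[str]]  # capability name -> flags currently raised


def split_pairs(tail: str, clause: str) -> List[Tuple[str, str]]:
    """Turn the operator/flag tail '+ep-i' into [('+', 'ep'), ('-', 'i')]."""
    pairs: List[Tuple[str, str]] = []
    for ch in tail:
        if ch in OPERATORS:
            pairs.append((ch, ""))
        elif ch in FLAGS and pairs:
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + ch)
        else:
            raise ValueError(f"bad character {ch!r} in clause {clause!r}")
    return pairs


def apply_clause(state: CapState, clause: str) -> CapState:
    """Apply one clause such as 'CAP_NET_RAW,CAP_NET_ADMIN+eip' to state."""
    split_at = next((i for i, c in enumerate(clause) if c in OPERATORS), len(clause))
    names = [n.strip().upper() for n in clause[:split_at].split(",") if n.strip()]
    pairs = split_pairs(clause[split_at:], clause)
    if not names or not pairs:
        raise ValueError(f"clause needs names and an operator: {clause!r}")
    for name in names:
        current = set(state.get(name, set()))
        for op, flags in pairs:
            if op == "=":        # raise the listed sets, reset the others
                current = set(flags)
            elif op == "+":      # raise the listed sets
                current |= set(flags)
            else:                # '-' lowers the listed sets
                current -= set(flags)
        state[name] = current
    return state


def parse_setcap_text(text: str) -> CapState:
    """Evaluate a whole space-separated setcap argument from an empty state."""
    state: CapState = {}
    for clause in text.split():
        apply_clause(state, clause)
    return {name: flags for name, flags in state.items() if flags}


def dumpcap_capabilities_ok(state: CapState) -> bool:
    """True when CAP_NET_RAW and CAP_NET_ADMIN each have e, i and p raised."""
    return all(state.get(c) == FLAGS for c in ("CAP_NET_RAW", "CAP_NET_ADMIN"))
```

Running `parse_setcap_text` on the argument used above and on the equivalent `cap_net_raw,cap_net_admin=eip` gives the same state, while an argument that only grants CAP_NET_RAW fails the `dumpcap_capabilities_ok` check.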
In Debian based distributions, this can be configured using dpkg by running:
$ sudo dpkg-reconfigure wireshark-common
This will display the dialog shown below. Choosing ‘Yes’ will configure dumpcap essentially in the same way as described above.
If filesystem capabilities aren’t available, there is still the possibility of setting the SUID bit for dumpcap:
$ sudo chown root:wireshark /usr/bin/dumpcap
$ sudo chmod 4754 /usr/bin/dumpcap
However, keep in mind that setting the SUID bit on programs should not be done lightly, as such programs must be carefully designed and implemented to avoid security vulnerabilities such as buffer overflows. Vulnerable applications running with root privileges are targets for privilege escalation attacks.
Wireshark can easily be made available to unprivileged users by granting the dumpcap utility the necessary filesystem capabilities. However, care should be taken not to allow unrestricted access to such a powerful tool.