Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group permissions)

Date: Tue, 11 Dec 2012 20:09:22 +0000
Hi Bill,

Thanks for the clarification, that makes sense.

I am running dumpcap as a service - do you have any suggestions on how to make the dumpcap buffer files have a user defined group permissions?

Thanks in advance!

-John 
Sent from my BlackBerry® wireless handheld

-----Original Message-----
From: Michael Tuexen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Sender: [email protected]: Tue, 11 Dec 2012 20:39:01 
To: Developer support list for Wireshark<wireshark-dev@xxxxxxxxxxxxx>
Reply-To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group
	permissions)

On Dec 11, 2012, at 8:24 PM, John Powell wrote:

> Hi Jeff,
> 
> I must be missing something.
> 
> I set dumpcap permissions to:
> 
> # ls -l /usr/local/bin/dumpcap
> -rwxr-xr-- 1 root wireshark 230157 Dec 11 10:40 /usr/local/bin/dumpcap
> 
> and the dumpcap command is:
> 
> root             /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g wireshark -b filesize:250000 -b duration:900 -w /var/opt/data/captures.cap
After looking at the code, I think you misunderstood the -g option.

As far as I see, you can't specify the group, you can just allow the group to
read the file.

So, for example:

dumpcap -w test0.pcapng

and then

dumpcap -g -w test1.pcapng

results in

[mba:~/Documents/wireshark/trunk] tuexen% ls -l test?.pcapng
-rw-------  1 tuexen  staff  324 Dec 11 20:37 test0.pcapng
-rw-r-----  1 tuexen  staff  532 Dec 11 20:37 test1.pcapng

So as you see, you can't specify the group, but control if the group members can
read the file.

Best regards
Michael
> 
> I also tried
> 
> root                        /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g -b filesize:250000 -b duration:900 -w /var/opt/data/captures.cap
> 
> but the ring buffer files still end up "root root".
> 
> ]# ls /var/opt/data/captures/*  -l
> -rw-r-----  1 root root      111542192 Dec 11 13:19 /var/
> 
> Thoughts??
> 
> Any guidance will be appreciated!
> 
> Thanks!
> 
> -John
> 
> On Tue, Dec 11, 2012 at 1:11 PM, John Powell <jrp999@xxxxxxxxx> wrote:
> Hi Jeff,
> 
> After you said that I did DUMPCAP -h and behold there it was!!
> 
> Thanks so much for all of the work you do on this project!!
> 
> -John
> 
> 
> On Tue, Dec 11, 2012 at 12:59 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
> John Powell wrote:
> Hi,
> 
> I need to set the group permissions for files created by DumpCap.
> 
> In this post I see the option " -g " is supposed to exist (http://www.engardelinux.org/modules/index/list_archives.cgi?list=wireshark-users&page=0016.html&month=2010-09 <http://www.engardelinux.org/modules/index/list_archives.cgi?list=wireshark-users&page=0016.html&month=2010-09>)
> 
> /> > The file permissions are hardcoded in the source code. I have added /
> /> > the option '-g' to dumpcap to enable group read access as this can /
> /> > indeed be handy when (automatically) capturing to a ringbuffer. /
> /> > /
> /> > To be able to use this feature, you will have to use an automated /
> /> > build[1] with a number higher than 33978 (available in a couple of /
> /> > hours) or wait for the next 1.5.x development release. /
> /> > /
> /> > Cheers, /
> /> > /
> /> > /
> /> > Sake /
> 
> 
> Can someone please point me to how I can get a version that to have access to this option?
> 
> You'd need Wireshark 1.6.0 or later.  The current version (1.8.4) would be your best bet.
> 
> BTW I noticed that this option is not listed in dumpcap's man page; I'll correct that shortly.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
> 
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe