Wireshark · Wireshark-users: Re: [Wireshark-users] Cannot capture traffic on any interfaces after building Wireshark from Git sou

[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

On Sun, Sep 24, 2017 at 2:23 PM, Bryce Thomas <bryce.m.thomas@xxxxxxxxx> wrote:

There are numerous questions and answers online about how to successfully

capture packets in Wireshark without root permissions.  Notwithstanding, I have

been unable to find an answer that addresses my particular scenario.

I am building Wireshark from source, on an Ubuntu 17.04 machine.  Specifically,

I am building from Git source control, branch `master-2.4`, commit SHA

`bebcaf1379557fa19d8321634c59e8ee6c3c59e8`.  The reason I am buildng from

version controlled source is that I would ultimately like to work on a plugin,

which will ideally be contributed back to the Wireshark project.

I have gotten as far as successfully building and running Wireshark.  I can see

a complete list of capture interfaces (wlan0, any, lo, eth0, etc.).  However,

when I attempt to capture on any of these interfaces, I get the following error

in a dialog box:

> The capture session could not be initiated on interface 'lo' (You don't have

> permission to capture on that device).

> 

> Please check to make sure you have > sufficient permissions, and that you have

> the proper interface or pipe specified.

I am building wireshark as follows:

... Which probably makes this question better suited for the -dev list.  But no matter.

 

```

./autogen.sh

./configure --enable-setcap-install --with-dumpcap-group=wireshark

make

```

Regarding groups & permissions, I already have a `wireshark` group, and my user

belongs to the group:

```

groups | grep wireshark # it's there

groups $USER | grep wireshark # it's there

```

I am configuring the built version of dumpcap as follows:

```

sudo chmod 750 .libs/dumpcap

sudo chgrp wireshark .libs/dumpcap

sudo setcap cap_net_raw,cap_net_admin+eip .libs/dumpcap

```

I have worked like this in past (except that I just made .libs/dumpcap setuid-root) and it worked fine.  I'm not sure why it wouldn't work in your case.

Maybe try making it setuid-root and see if that works?

Or try:

% grep Cap /proc/<dumpcap pid>/status

I think you should see at least one bit set in CapEff.  If you don't then the capability hasn't taken effect.

ps. FWIW a vast majority of the time while doing dissector development I work with stored PCAP files.  I'll capture the traffic elsewhere then work on the dissector until it works for the packets I've captured so far.  So: no need to do live capture in my development environment.