Wireshark-users: Re: [Wireshark-users] Cannot capture traffic on any interfaces after building Wi
From: Jeff Morriss <[email protected]>
Date: Mon, 25 Sep 2017 14:49:13 -0400


On Sun, Sep 24, 2017 at 2:23 PM, Bryce Thomas <[email protected]> wrote:
There are numerous questions and answers online about how to successfully
capture packets in Wireshark without root permissions.  Notwithstanding, I have
been unable to find an answer that addresses my particular scenario.

I am building Wireshark from source, on an Ubuntu 17.04 machine.  Specifically,
I am building from Git source control, branch `master-2.4`, commit SHA
`bebcaf1379557fa19d8321634c59e8ee6c3c59e8`.  The reason I am buildng from
version controlled source is that I would ultimately like to work on a plugin,
which will ideally be contributed back to the Wireshark project.

I have gotten as far as successfully building and running Wireshark.  I can see
a complete list of capture interfaces (wlan0, any, lo, eth0, etc.).  However,
when I attempt to capture on any of these interfaces, I get the following error
in a dialog box:

> The capture session could not be initiated on interface 'lo' (You don't have
> permission to capture on that device).
> Please check to make sure you have > sufficient permissions, and that you have
> the proper interface or pipe specified.

I am building wireshark as follows:

... Which probably makes this question better suited for the -dev list.  But no matter.
 
```
./autogen.sh
./configure --enable-setcap-install --with-dumpcap-group=wireshark
make
```

Regarding groups & permissions, I already have a `wireshark` group, and my user
belongs to the group:

```
groups | grep wireshark # it's there
groups $USER | grep wireshark # it's there
```

I am configuring the built version of dumpcap as follows:

```
sudo chmod 750 .libs/dumpcap
sudo chgrp wireshark .libs/dumpcap
sudo setcap cap_net_raw,cap_net_admin+eip .libs/dumpcap
```

I have worked like this in past (except that I just made .libs/dumpcap setuid-root) and it worked fine.  I'm not sure why it wouldn't work in your case.

Maybe try making it setuid-root and see if that works?

Or try:

% grep Cap /proc/<dumpcap pid>/status

I think you should see at least one bit set in CapEff.  If you don't then the capability hasn't taken effect.

ps. FWIW a vast majority of the time while doing dissector development I work with stored PCAP files.  I'll capture the traffic elsewhere then work on the dissector until it works for the packets I've captured so far.  So: no need to do live capture in my development environment.