
Wireshark-users: Re: [Wireshark-users] Cannot capture traffic on any interfaces after building Wi

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Thu, 28 Sep 2017 11:08:31 +0100
On Mon, Sep 25, 2017 at 02:49:13PM -0400, Jeff Morriss wrote:
> On Sun, Sep 24, 2017 at 2:23 PM, Bryce Thomas <bryce.m.thomas@xxxxxxxxx>
> wrote:
> 
> > There are numerous questions and answers online about how to successfully
> > capture packets in Wireshark without root permissions.  Notwithstanding, I
> > have been unable to find an answer that addresses my particular scenario.
> >
> > I am building Wireshark from source, on an Ubuntu 17.04 machine.
> > Specifically, I am building from Git source control, branch `master-2.4`,
> > commit SHA `bebcaf1379557fa19d8321634c59e8ee6c3c59e8`.  The reason I am
> > building from version controlled source is that I would ultimately like to
> > work on a plugin, which will ideally be contributed back to the Wireshark
> > project.
> >
> > I have gotten as far as successfully building and running Wireshark.  I
> > can see a complete list of capture interfaces (wlan0, any, lo, eth0, etc.).
> > However, when I attempt to capture on any of these interfaces, I get the
> > following error in a dialog box:
> >
> > > The capture session could not be initiated on interface 'lo' (You don't
> > > have permission to capture on that device).
> > >
> > > Please check to make sure you have sufficient permissions, and that you
> > > have the proper interface or pipe specified.
> >
> > I am building wireshark as follows:
> >
> 
> ... Which probably makes this question better suited for the -dev list.
> But no matter.
> 
> 
> > ```
> > ./autogen.sh
> > ./configure --enable-setcap-install --with-dumpcap-group=wireshark
> > make
> > ```
> >
> > Regarding groups & permissions, I already have a `wireshark` group, and my
> > user
> > belongs to the group:
> >
> > ```
> > groups | grep wireshark # it's there
> > groups $USER | grep wireshark # it's there
> > ```
> >
> > I am configuring the built version of dumpcap as follows:
> >
> > ```
> > sudo chmod 750 .libs/dumpcap
> > sudo chgrp wireshark .libs/dumpcap
> > sudo setcap cap_net_raw,cap_net_admin+eip .libs/dumpcap
> > ```
> >
> 
> I have worked like this in the past (except that I just made .libs/dumpcap
> setuid-root) and it worked fine.  I'm not sure why it wouldn't work in your
> case.
> 
> Maybe try making it setuid-root and see if that works?

What filesystem is in use? tmpfs for example does not support filesystem
capabilities. Another possibility is that the dumpcap binary is
overwritten when you rebuild the project.

> Or try:
> 
> % grep Cap /proc/<dumpcap pid>/status
> 
> I think you should see at least one bit set in CapEff.  If you don't then
> the capability hasn't taken effect.
> 
> ps. FWIW a vast majority of the time while doing dissector development I
> work with stored PCAP files.  I'll capture the traffic elsewhere then work
> on the dissector until it works for the packets I've captured so far.  So:
> no need to do live capture in my development environment.

Yet another option (which I use) is "ambient capabilities". Rather than
applying the capabilities from the file (which is not possible if you
use tmpfs) or making the file setuid root, the capabilities are read
from the environment.

See https://unix.stackexchange.com/a/303738/8250 for the details and a
command example. This is the "enter-caps" script that I use for
Wireshark development:

    #!/bin/bash
    # Mark the prompt so a shell started this way is recognisable.
    export PS1="#$PS1"
    # Capabilities dumpcap needs to open a capture device.
    caps=cap_net_admin,cap_net_raw
    #caps+=,cap_dac_override
    # Keep the caps across the switch back to $USER (--keep=1), then add them
    # to the ambient set (--addamb) so they survive into the command run.
    sudo -E capsh --keep=1 --caps="cap_setuid,cap_setgid,cap_setpcap+ep $caps+eip" \
        --user=$USER --addamb="$caps" -- "$@"

You can run a command directly ("enter-caps dumpcap -D") or create a shell
by just running "enter-caps".

Before I had this (or if I don't mind using an older version of
dumpcap), I just overwrote the dumpcap binary with a symlink to the one
installed on the system (supposedly with appropriate capabilities). E.g.
for builds with CMake in /tmp/wsbuild:

    ln -sfv /usr/bin/dumpcap /tmp/wsbuild/run/
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
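As an added example (not part of the thread or of Wireshark itself), the following bash script does the check Jeff suggests above with "grep Cap /proc/<dumpcap pid>/status" in a reusable form: it decodes the CapEff mask of a status file and reports whether the two capabilities dumpcap needs, cap_net_raw and cap_net_admin, are in the effective set. The capability bit numbers (12 and 13) are those from <linux/capability.h>; the two status files at the bottom are constructed samples, not real output. The function names and the "missing: ..." output format are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: decode the Cap* lines of a
# /proc/<pid>/status file and report whether the effective set holds the
# capabilities dumpcap needs. Bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_bit_set HEXMASK CAPNUM: succeeds if bit CAPNUM is set in HEXMASK
cap_bit_set() {
    local mask=$1 cap=$2
    [ $(( (0x$mask >> cap) & 1 )) -eq 1 ]
}

# cap_field FILE NAME: print the hex mask on the "NAME:" line (e.g. CapEff)
cap_field() {
    awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

# missing_capture_caps FILE: print the names of required capabilities
# absent from CapEff, one per line; prints nothing when all are present
missing_capture_caps() {
    local eff
    eff=$(cap_field "$1" CapEff)
    cap_bit_set "$eff" "$CAP_NET_RAW"   || echo cap_net_raw
    cap_bit_set "$eff" "$CAP_NET_ADMIN" || echo cap_net_admin
}

# check_capture_caps FILE: print "ok" when dumpcap could open a device,
# otherwise "missing: <names>", which is what the "You don't have
# permission to capture on that device" dialog boils down to
check_capture_caps() {
    local missing
    missing=$(missing_capture_caps "$1" | tr '\n' ' ')
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing: ${missing% }"
    fi
}

# Constructed sample status files (not real captures). The first is what a
# dumpcap with working file or ambient capabilities shows: bits 12 and 13
# set, i.e. 0x3000. The second is a process that received no capabilities,
# e.g. because setcap had no effect on the filesystem or the binary was
# rebuilt after setcap ran.
STATUS_OK=$(mktemp)
cat >"$STATUS_OK" <<'EOF'
Name:	dumpcap
CapInh:	0000000000000000
CapPrm:	0000000000003000
CapEff:	0000000000003000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000
EOF

STATUS_NONE=$(mktemp)
cat >"$STATUS_NONE" <<'EOF'
Name:	dumpcap
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000
EOF

check_capture_caps "$STATUS_OK"    # ok
check_capture_caps "$STATUS_NONE"  # missing: cap_net_raw cap_net_admin
```

Against a live process, point it at the real file, e.g. `check_capture_caps /proc/$(pgrep -n dumpcap)/status`. If the result is "missing" while `getcap` on the binary still shows the caps, the capabilities were dropped between exec and the check (for example a filesystem mounted nosuid, which disables file capabilities as well as setuid); if `getcap` shows nothing, the binary was rebuilt or the filesystem never stored the xattr, which is the tmpfs case mentioned above.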