Granting Root Privileges to Wireshark: Running it with sudo on Linux

Wireshark is an invaluable tool for capturing and analyzing network traffic. On Linux, opening a network interface for capture requires privileges that ordinary user accounts do not have: the CAP_NET_RAW capability to open raw sockets, plus CAP_NET_ADMIN to put an interface into promiscuous mode. Both belong to the root account. Out of the box, a regular user can open and analyze existing capture files, but cannot start a live capture; either Wireshark must be run with root privileges, or the small capture helper it uses must be granted those privileges on the user's behalf.

The exact steps depend on how Wireshark was installed (from a package manager or from source) and on the Linux distribution you are using. Sometimes the required capabilities must be granted manually to the capture helper, dumpcap. In this tutorial we go through the process of granting capture privileges to Wireshark: either by giving the dumpcap executable the two networking capabilities, or, on systems without file capabilities, by making it setuid root. Note that the Wireshark developers advise against running the Wireshark GUI itself as root (for example with sudo wireshark): it is a large program that parses untrusted network data, so a bug in a protocol dissector would then run with full root privileges. Granting privileges only to dumpcap confines the privileged code to the small capture process, which is what the methods below do. By the end, a regular user account should be able to start a live capture, and you will know when sudo is still required.

In this tutorial you will learn:

  • How to manually set file capabilities on dumpcap with the setcap command
  • How to reconfigure the Wireshark package's capture permissions with dpkg-reconfigure on Ubuntu or Debian
  • How to manually edit file ownership and permissions for dumpcap with chown and chmod
  • How to run Wireshark with root privileges, and why you usually should not need to
Software Requirements and Linux Command Line Conventions

Category     Requirements, Conventions or Software Version Used
System       Any Linux distro
Software     Wireshark
Other        Privileged access to your Linux system as root or via the sudo command.
Conventions  # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
             $ – requires given Linux commands to be executed as a regular non-privileged user

Grant Root Privileges to Wireshark

We will assume that if you are reading this, you are having trouble running a live capture in Wireshark on your Linux system (typically the interface list is empty, or it shows "You don't have permission to capture on that device"), and you have determined that the cause is a lack of sufficient permissions. Below, we cover a few different ways to configure Wireshark with the correct capabilities so that capturing works as expected.

Installing From Package on Ubuntu or Debian

When installing Wireshark from the package manager on distributions like Debian Linux and Ubuntu Linux, you will be presented with the following prompt during installation:

$ sudo apt install wireshark
Prompt asking the user if they want to allow non-superusers to capture network traffic

Your answer determines whether you need the sudo command to capture packets, or whether unprivileged users can capture without it. Answering Yes does not make capture available to everyone: the package sets the cap_net_raw and cap_net_admin file capabilities on dumpcap, makes the binary group-owned by the wireshark system group and removes execute permission for others, so only members of that group can capture. Add your own account to the group (for example with usermod -aG wireshark) and log out and back in for the new group membership to take effect. If you selected the wrong option and want to change your answer, you can reconfigure the package at any time by running:

$ sudo dpkg-reconfigure wireshark-common

The same prompt will appear again. Answer Yes to allow members of the wireshark group to capture packets without root access; answer No and dumpcap stays usable for capture by root only, so every capture needs sudo.

Manually Setting File Capabilities
Wireshark does not capture packets itself; it delegates to the dumpcap program and reads the packets that dumpcap produces. If your Linux kernel and file system support file capabilities (virtually all current kernels do, on file systems with extended attributes such as ext4, XFS and Btrfs), dumpcap needs the cap_net_raw and cap_net_admin capabilities set on its binary in order to capture as a non-root user. If you installed Wireshark from the package manager, this has most likely been configured for you. For a build from source, or if the package did not do it, use the setcap command to set the file capabilities by hand.

  1. First, let’s find out where our dumpcap binary is stored, by using the which command below:
    $ which dumpcap
    /usr/bin/dumpcap
    

    The output reveals that our dumpcap binary is stored at /usr/bin/dumpcap.

  2. Next, use the setcap command to grant the dumpcap binary the cap_net_raw and cap_net_admin capabilities. The +eip suffix applies to both capabilities listed before it and marks them effective, inheritable and permitted, so dumpcap starts with them active. This lets dumpcap open raw sockets and switch interfaces into promiscuous mode; the packets it captures are then handed to the Wireshark application for analysis.
    $ sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
    
    Keep in mind that file capabilities are granted to whoever can execute the file. If dumpcap stays world-executable, every local account on the machine can now sniff traffic; to limit that, give the binary to a dedicated group and remove execute permission for others, as the Debian package does with its wireshark group. Note also that the capabilities live in the file's security.capability extended attribute, so replacing the binary (a reinstall, an upgrade from source, or a copy made without preserving extended attributes) drops them and you will need to repeat this step.
  3. Afterwards, verify the result with the getcap command on /usr/bin/dumpcap (it should list cap_net_admin and cap_net_raw with the eip flags), then open Wireshark with a non-superuser account and try a live capture on one of your system's network interfaces.

Manually Setting File Permissions

The third scenario should only apply to Linux systems in which the kernel or file system does not support file capabilities. In this case, we fall back to classic Linux file permissions and make the dumpcap binary setuid root, so that it runs with root's privileges no matter who executes it. This is a much larger grant than the two capabilities above: a setuid-root dumpcap holds every capability, not just the two it needs, so prefer setcap wherever it works. As with capabilities, consider restricting execution to a trusted group rather than leaving the file world-executable.

  1. First, let’s find out where our dumpcap binary is stored, by using the which command below:
    $ which dumpcap
    /usr/bin/dumpcap
    

    The output reveals that our dumpcap binary is stored at /usr/bin/dumpcap.

  2. Next, use the chown command to make the root account the owner of the file. Do this before setting the setuid bit: on Linux, changing the owner of an executable clears any setuid bit it already has, so running the two steps in the other order leaves you with no setuid bit at all.
    $ sudo chown root /usr/bin/dumpcap
    
  3. Lastly, use the chmod command to enable the setuid bit, on the same path that which reported above:
    $ sudo chmod u+s /usr/bin/dumpcap
    
    DID YOU KNOW?
    When the setuid bit is used, the default permission behavior is modified so that when an executable is launched (dumpcap in this case), it does not run with the privileges of the user who launched it, but with that of the file owner instead. So, for example, if an executable has the setuid bit set on it, and it is owned by root, when launched by a normal user, it will run with root privileges.
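Both methods above change only the dumpcap file, and both are easy to get subtly wrong (capabilities silently dropped by a reinstall, a setuid bit cleared by a later chown, or a privileged binary left executable by every local user). The following audit script is an added example written for this tutorial; it is not code from the page or from the Wireshark project. It reads the binary's owner and mode with os.stat and its security.capability extended attribute with os.getxattr (the same data getcap shows), decodes the kernel's vfs_cap_data structure, and reports which mechanism grants capture and whether execution is open to everyone. The default path /usr/bin/dumpcap and the SAMPLE_XATTR bytes (what setcap writes for cap_net_raw,cap_net_admin+eip on a revision-2 system) are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Audit how a dumpcap binary obtains its packet-capture privileges.

Added example for this tutorial, not code from the page or from Wireshark.
Run:  python3 audit_dumpcap.py [/path/to/dumpcap]   (default path is assumed)
"""
import grp
import os
import stat
import struct
import sys

# Capability numbers from linux/capability.h
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAPTURE_CAPS = (1 << CAP_NET_RAW) | (1 << CAP_NET_ADMIN)

# Layout of struct vfs_cap_data (linux/capability.h), all fields little-endian:
#   u32 magic_etc                  revision in the top byte, effective flag in bit 0
#   u32 permitted, u32 inheritable low 32 capability bits
#   u32 permitted, u32 inheritable high 32 capability bits
#   u32 rootid                     revision 3 only (user-namespace root id)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

# Constructed sample (assumption): the xattr `setcap cap_net_raw,cap_net_admin+eip`
# writes on a revision-2 system: effective flag set, both caps permitted+inheritable.
SAMPLE_XATTR = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                           CAPTURE_CAPS, CAPTURE_CAPS, 0, 0)


def decode_vfs_caps(raw):
    """Decode a security.capability xattr into (permitted, inheritable, effective)."""
    magic = struct.unpack_from("<I", raw, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    if not ((rev == VFS_CAP_REVISION_2 and len(raw) == 20) or
            (rev == VFS_CAP_REVISION_3 and len(raw) == 24)):
        raise ValueError("unsupported vfs_cap_data revision 0x%08x, length %d" % (rev, len(raw)))
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", raw, 4)
    return (p_lo | (p_hi << 32), i_lo | (i_hi << 32), bool(magic & VFS_CAP_FLAGS_EFFECTIVE))


def cap_names(mask):
    """Names of the two capture-relevant capabilities present in a bitmask."""
    names = {CAP_NET_ADMIN: "cap_net_admin", CAP_NET_RAW: "cap_net_raw"}
    return sorted(n for bit, n in names.items() if mask & (1 << bit))


def classify(mode, uid, caps):
    """Return 'setuid-root', 'file-capabilities' or 'none'.

    mode: st_mode bits; uid: file owner; caps: decode_vfs_caps() result or None.
    The setuid check comes first: a setuid-root binary has every capability
    regardless of any xattr. File caps count only if both bits are permitted
    and the effective flag makes them active at exec time.
    """
    if (mode & stat.S_ISUID) and uid == 0:
        return "setuid-root"
    if caps is not None:
        permitted, _inheritable, effective = caps
        if effective and (permitted & CAPTURE_CAPS) == CAPTURE_CAPS:
            return "file-capabilities"
    return "none"


def world_executable(mode):
    """True when any local user can run the binary (and therefore sniff traffic)."""
    return bool(mode & stat.S_IXOTH)


def audit(path="/usr/bin/dumpcap"):
    """Inspect a dumpcap binary on this host and return a report dict."""
    st = os.stat(path)
    caps = None
    if hasattr(os, "getxattr"):  # Linux only
        try:
            caps = decode_vfs_caps(os.getxattr(path, "security.capability"))
        except OSError:  # ENODATA: no capability xattr on this file
            pass
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return {
        "path": path,
        "mechanism": classify(st.st_mode, st.st_uid, caps),
        "owner_uid": st.st_uid,
        "group": group,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "capabilities": cap_names(caps[0]) if caps else [],
        "world_executable": world_executable(st.st_mode),
    }


if __name__ == "__main__":
    report = audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/dumpcap")
    for key, value in report.items():
        print("%-17s %s" % (key + ":", value))
    if report["mechanism"] != "none" and report["world_executable"]:
        print("warning: every local user can capture; restrict with chgrp + chmod o-rx")
```

On a Debian or Ubuntu system where the dpkg prompt was answered Yes, the report shows mechanism file-capabilities, group wireshark and world_executable False; after the manual setcap step on a fresh source build it shows the same mechanism but world_executable True, which is the warning case the script flags. A setuid-root binary that later had its owner changed shows mechanism none, the symptom of running chown after chmod.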


Closing Thoughts

In this tutorial, we saw how to grant capture privileges to Wireshark on a Linux system. More specifically, this involved editing the capabilities or permissions of the dumpcap binary, which comes bundled with Wireshark and is the program that does the actual packet capturing, so that the Wireshark GUI itself never has to run as root.

We have covered three different scenarios here, in order to accommodate users with various distributions and kernel capabilities. For Debian and Ubuntu users who installed Wireshark via the APT package manager, the dpkg installation process presents a simple prompt that sets the file capabilities on dumpcap and limits capture to members of the wireshark group. Otherwise, we can set the file capabilities ourselves with setcap, which grants exactly the two capabilities dumpcap needs without touching the rest of the file's permissions. Finally, where file capabilities are not available, we can resort to chown and the setuid bit from chmod so that users can run dumpcap with root privileges; in that case, and whenever the binary remains world-executable, remember that every local user on the machine can then capture traffic.
