In this post I take a quick look at how to run Wireshark without being root.
Getting "promiscuous" access to a network interface on Linux requires root privileges. Running packet captures as root is dangerous; Ubuntu even confines tcpdump with an AppArmor profile. Why? Because malicious traffic could break tcpdump, Wireshark or whatever else is listening on the interface, and an attacker could then potentially gain remote access as the same user running the capture... which is root.
I like this warning:
WIRESHARK CONTAINS OVER ONE POINT FIVE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.
First, install wireshark.
curtis$ sudo apt-get install wireshark -y
Then we can reconfigure. I imagine there is a way to do this in one step, but I haven't looked it up. Let me know in the comments if there is.
curtis$ sudo dpkg-reconfigure wireshark-common
This dialog will pop up. Select yes and hit enter.
There will now be a wireshark group in /etc/group.
curtis$ grep wireshark /etc/group
wireshark:x:129:
Add your user to it.
curtis$ sudo adduser curtis wireshark
curtis$ grep wireshark /etc/group
wireshark:x:129:curtis
Relogin to have access to the new group, or use su and relogin that way in this particular terminal. Then run
curtis$ su - curtis
curtis$ wireshark
Now you should be able to start a capture.
Linux capabilities
Notice dumpcap in the list.
curtis$ /sbin/getcap /usr/bin/*
/usr/bin/arping = cap_net_raw+ep
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/usr/bin/fping = cap_net_raw+ep
/usr/bin/fping6 = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/i3status = cap_net_admin+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
Wireshark is using dumpcap to access the interface, and dumpcap has the Linux capabilities required to do just that. So instead of running 1.5 million lines of code with superuser privileges, only dumpcap, a much smaller program, runs with the two capabilities it needs (cap_net_admin and cap_net_raw), and the GUI that parses the packets runs as an ordinary user: a much reduced attack surface.
curtis$ ps ax | grep "[w]ireshark\|[d]umpcap"
 9786 pts/14   Sl     0:07 wireshark
 9813 pts/14   S      0:00 /usr/bin/dumpcap -S -Z none
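As an added example (not code from the original post), here is a small POSIX shell script that collapses the install, dpkg-reconfigure and adduser steps above into one non-interactive step, and then verifies the least-privilege layout the capabilities section describes: the user is in the wireshark group, dumpcap carries exactly cap_net_admin and cap_net_raw, and dumpcap is root:wireshark, group-executable, not world-accessible and not setuid root. The debconf question name wireshark-common/install-setuid and the 0750 root:wireshark layout are assumptions about how the wireshark-common package implements the dialog shown earlier; the /etc/group and getcap lines in the usage notes are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: one-step setup for non-root
# capture plus checks that the result matches the least-privilege layout.
# Assumptions: the debconf key wireshark-common/install-setuid is what the
# dpkg-reconfigure dialog asks, and the package leaves dumpcap as root:wireshark
# mode 0750 with file capabilities (not setuid root).
set -u

# Non-interactive equivalent of "apt-get install wireshark" followed by
# "dpkg-reconfigure wireshark-common" and answering yes, then adding $1 to the
# wireshark group. Must run as root (sudo). The user still has to log in again.
setup_nonroot_capture() {
    echo "wireshark-common wireshark-common/install-setuid boolean true" \
        | debconf-set-selections
    DEBIAN_FRONTEND=noninteractive apt-get install -y wireshark
    dpkg-reconfigure -f noninteractive wireshark-common
    adduser "$1" wireshark
}

# Is user $1 listed in group $2?  Reads /etc/group-format lines on stdin, so it
# can be run against the real file or against constructed input.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Does getcap output on stdin show /usr/bin/dumpcap with exactly cap_net_admin
# and cap_net_raw, both effective (e) and permitted (p)?  Accepts the older
# "path = caps+eip" and the newer "path caps=eip" spellings of getcap.
dumpcap_caps_ok() {
    awk '$1 == "/usr/bin/dumpcap" {
            flags = $NF
            if (sub(/^cap_net_admin,cap_net_raw[+=]/, "", flags) && flags ~ /e/ && flags ~ /p/)
                ok = 1
         }
         END { exit ok ? 0 : 1 }'
}

# Does "stat -c '%a %U %G' /usr/bin/dumpcap" output on stdin describe a binary
# owned by root, group wireshark, group-executable, with no world access and no
# setuid bit?  A setuid-root dumpcap would put us right back to capturing as root.
dumpcap_mode_ok() {
    read -r mode owner group || return 1
    [ "$owner" = root ] && [ "$group" = wireshark ] || return 1
    case "$mode" in
        [4-7]???) return 1 ;;            # setuid bit set: reject
    esac
    other=${mode#"${mode%?}"}            # last octal digit: world permissions
    rest=${mode%?}
    grp=${rest#"${rest%?}"}              # second-to-last digit: group permissions
    [ "$other" = 0 ] || return 1
    case "$grp" in
        1|3|5|7) return 0 ;;             # group has execute
        *) return 1 ;;
    esac
}

# Run all three checks against this machine for user $1.
check_live() {
    user_in_group "$1" wireshark </etc/group \
        || { echo "$1 is not in the wireshark group (relogin after adduser?)"; return 1; }
    getcap /usr/bin/dumpcap | dumpcap_caps_ok \
        || { echo "dumpcap lacks cap_net_admin,cap_net_raw+eip"; return 1; }
    stat -c '%a %U %G' /usr/bin/dumpcap | dumpcap_mode_ok \
        || { echo "dumpcap is not root:wireshark 0750 without setuid"; return 1; }
    echo "non-root capture is correctly configured for $1"
}

# Usage: "sudo sh this.sh setup curtis" then, after logging in again,
# "sh this.sh check curtis".  With no argument the script only defines functions.
case "${1-}" in
    setup) setup_nonroot_capture "${2:?user name required}" ;;
    check) check_live "${2:-$(id -un)}" ;;
esac
```

The check functions read their input from stdin rather than calling getcap or stat themselves, so the same logic can be exercised against constructed lines such as `wireshark:x:129:curtis` or `/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip` before being pointed at a real machine with the check subcommand.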
I really need to look into Linux capabilities more. Essentially that is the technology that is allowing the development of container systems like LXC and Docker.