Wireshark is an invaluable tool for capturing and analyzing network traffic. The ability to capture such traffic is ordinarily restricted to superuser accounts on a Linux system. This means that in order to use Wireshark on Linux, you will need to run the program with root permissions.
The process for accessing Wireshark with root can vary slightly, depending on how Wireshark was installed (for example, via package manager or installed from source), as well as the Linux distribution you are using. Sometimes, we need to manually grant the appropriate capabilities to the Wireshark binary (dumpcap). In this tutorial, we will go through the process of granting root privileges to Wireshark. The process involves giving the Wireshark executable file certain networking capabilities. By the end, Wireshark should run as expected through use of the sudo command.
In this tutorial you will learn:
- How to manually set file capabilities for Wireshark with the setcap command
- How to manually reconfigure Wireshark root settings with dpkg in Ubuntu
- How to manually edit file permissions for Wireshark with chown and chmod
- How to run Wireshark with root privileges

| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Any Linux distro |
| Software | Wireshark |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command. $ – requires given linux commands to be executed as a regular non-privileged user |
Grant Root Privileges to Wireshark
We will assume that if you are reading this, you are probably having trouble with running Wireshark on your Linux system, and you have determined that the issue is due to a lack of sufficient permissions. Below, we are going to cover a few different ways to configure Wireshark with the correct capabilities to run as expected.
Installing From Package on Ubuntu or Debian
When installing Wireshark from the package manager on distributions like Debian Linux and Ubuntu Linux, you will be presented with the following prompt during installation:
$ sudo apt install wireshark

Your choice on this prompt will affect whether you need to use the sudo command when capturing packets, or if normal users can capture them without superuser permissions. If you select the wrong option and want to go back to select a different answer, you can reconfigure the package at any time by running:
$ sudo dpkg-reconfigure wireshark-common
The same prompt will appear again. Answer Yes if you want to allow all users to capture packets without root access.
Manually Setting File Capabilities
Wireshark utilizes the dumpcap program to capture packets. If your Linux kernel supports file capabilities, then you will need the appropriate capabilities to be configured on the dumpcap binary file in order for it to work correctly. If you installed Wireshark from package manager, then this has likely already been configured for you. In other scenarios, you may need to use the setcap command to manually configure the proper file capabilities.
- First, let’s find out where our dumpcap binary is stored, by using the which command below:
  $ which dumpcap
  /usr/bin/dumpcap
  The output reveals that our dumpcap binary is stored at /usr/bin/dumpcap.
- Next, we need to use the setcap command to give the dumpcap binary the capabilities cap_net_raw and cap_net_admin+eip. This will allow the program to capture network packets that can later be analyzed by the Wireshark application.
  $ sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
- Afterwards, you can verify that these settings worked as expected by opening Wireshark with a non-superuser account and trying to do a live capture on one of your system’s network interfaces.
Manually Setting File Permissions
The third scenario we will cover should only apply to Linux systems in which the kernel or file system does not support file capabilities. In this case, we can use Linux file permissions to make sure that we are running the dumpcap binary with root permissions.
- First, let’s find out where our dumpcap binary is stored, by using the which command below:
  $ which dumpcap
  /usr/bin/dumpcap
  The output reveals that our dumpcap binary is stored at /usr/bin/dumpcap.
- Next, use the chown command to make the root account the owner of the file:
  $ sudo chown root /usr/bin/dumpcap
- Lastly, we will use the chmod command to enable the setuid bit.
  $ sudo chmod u+s /usr/bin/dumpcap
DID YOU KNOW?
When the setuid bit is used, the default permission behavior is modified so that when an executable is launched (dumpcap in this case), it does not run with the privileges of the user who launched it, but with that of the file owner instead. So, for example, if an executable has the setuid bit set on it, and it is owned by root, when launched by a normal user, it will run with root privileges.
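A check that can follow either the setcap or the setuid procedure above, added here as an example and not part of the original tutorial: it reports which mechanism gives dumpcap its capture privilege and whether every local account, or only the owner and group, can execute it. The function names classify_dumpcap and audit_dumpcap are hypothetical; the inputs are the output of GNU stat -c and getcap.

```shell
#!/bin/sh
# Added example: report how dumpcap gets capture privileges and who may run it.

# classify_dumpcap MODE OWNER GETCAP_LINE
#   MODE        octal mode as printed by: stat -c '%a' FILE   (e.g. 4755)
#   OWNER       owner name as printed by: stat -c '%U' FILE
#   GETCAP_LINE output of: getcap FILE   (empty when no capabilities are set)
# Prints "<mechanism>:<audience>".
classify_dumpcap() {
    mode=$1 owner=$2 caps=$3

    mechanism=unprivileged
    # Match the two capability names in either order; this covers both the
    # "FILE = caps+eip" and the "FILE caps=eip" getcap output formats.
    # Only the names are checked, not the e/i/p flags.
    case $caps in
        *cap_net_raw*cap_net_admin*|*cap_net_admin*cap_net_raw*)
            mechanism=capabilities ;;
    esac

    # The setuid bit (04000) only yields root when the file owner is root.
    if [ "$mechanism" = unprivileged ] && [ $(( 0$mode & 04000 )) -ne 0 ] \
        && [ "$owner" = root ]; then
        mechanism=setuid-root
    fi

    # "Other" execute bit (0001) set: every local account can start a capture.
    if [ $(( 0$mode & 01 )) -ne 0 ]; then
        audience=any-user
    else
        audience=owner-or-group
    fi
    printf '%s:%s\n' "$mechanism" "$audience"
}

# audit_dumpcap [PATH]: classify the installed binary (defaults to PATH lookup).
audit_dumpcap() {
    bin=${1:-$(command -v dumpcap)} || return 1
    [ -f "$bin" ] || { echo "dumpcap not found" >&2; return 1; }
    classify_dumpcap "$(stat -c '%a' "$bin")" "$(stat -c '%U' "$bin")" \
        "$(getcap "$bin" 2>/dev/null)"
}
```

Calling audit_dumpcap /usr/bin/dumpcap after the chown and chmod steps should print setuid-root:any-user on a binary with mode 4755, which means every local account can capture traffic through a root-privileged process.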
Closing Thoughts
In this tutorial, we saw how to grant root privileges to Wireshark on a Linux system. More specifically, this involved editing the permissions on the dumpcap binary file, which comes bundled with Wireshark and is the file responsible for doing the actual packet capturing.
We have covered three different scenarios here, in order to accommodate users with various distributions and system kernel capabilities. For Ubuntu users that have installed Wireshark via APT package manager, the dpkg installation process presents us with a simple prompt for enabling root permissions on Wireshark. Otherwise, we can edit the file capabilities with setcap to grant the proper capabilities without needing to edit all related Linux file permissions. Finally, in scenarios where setting the file capabilities is not available, we can resort to using chown and the setuid setting from chmod to ensure that all users are able to utilize Wireshark packet capturing with root privileges.