Concern over running WireShark as root

8

2

I started WireShark on my Ubuntu machine and discovered that there were no interfaces I could listen to. So I launched it as root. This gave me access to all the interfaces, but gave me a warning:

Running WireShark as user 'root' in group 'root'. This could be dangerous...

So, is it dangerous? Otherwise, how can I listen to the interfaces?

Nathan Osman

Posted 2010-05-09T05:12:07.280

Reputation: 2 552

sudo dpkg-reconfigure wireshark-common – jfs – 2014-06-01T02:12:37.637

Answers

4

Wireshark is quickly approaching two million lines of code. You shouldn't run it as root for the same reasons that you shouldn't run Firefox, OpenOffice, GIMP, or any other similarly-sized application as root.

On Linux you don't need to be root to capture packets. You just need the CAP_NET_ADMIN and CAP_NET_RAW privileges. On most distributions this is easy to get up and running. Ubuntu doesn't do this by default yet, but it hopefully will at some point in the future.

Gerald Combs

Posted 2010-05-09T05:12:07.280

Reputation: 263
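
Added example, not part of the answer above and not Wireshark project code: a shell sketch that grants the two capabilities to the capture helper only, then checks from `/proc/<pid>/status` that a capture process holds exactly those two and not root's full set. Assumptions: the helper is `/usr/bin/dumpcap`, capture users belong to a group named `wireshark`, the function names are hypothetical, and the sample status values are constructed.

```shell
#!/bin/sh
# Added example. Assumed: dumpcap lives at /usr/bin/dumpcap and the capture
# group is called "wireshark"; function names are hypothetical.

CAP_NET_ADMIN_BIT=12   # bit numbers from <linux/capability.h>
CAP_NET_RAW_BIT=13

# One-time setup, run as root: only group members may execute dumpcap, and
# dumpcap (not the Wireshark GUI with its dissectors) gets the capabilities.
grant_capture_caps() {
    bin=${1:-/usr/bin/dumpcap}; grp=${2:-wireshark}
    getent group "$grp" >/dev/null || groupadd "$grp"
    chgrp "$grp" "$bin" && chmod 750 "$bin" &&
        setcap cap_net_raw,cap_net_admin=eip "$bin"
}

# Classify a CapEff hex string as found in /proc/<pid>/status:
#   capture-only = exactly CAP_NET_ADMIN|CAP_NET_RAW
#   excess       = both present plus others (for example, running as root)
#   missing      = at least one of the two is absent
classify_capeff() {
    eff=$((0x$1))
    need=$(( (1 << CAP_NET_ADMIN_BIT) | (1 << CAP_NET_RAW_BIT) ))
    if [ $(( eff & need )) -ne "$need" ]; then echo missing
    elif [ "$eff" -eq "$need" ]; then echo capture-only
    else echo excess
    fi
}

# Read status text on stdin, pull out CapEff, and classify it.
classify_status() {
    hex=$(awk '$1 == "CapEff:" { print $2 }')
    [ -n "$hex" ] || { echo "no CapEff line" >&2; return 2; }
    classify_capeff "$hex"
}

# Constructed sample values (not captured from a real system).
SAMPLE_DUMPCAP_STATUS='Name:	dumpcap
CapEff:	0000000000003000'
SAMPLE_ROOT_STATUS='Name:	wireshark
CapEff:	000001ffffffffff'

printf '%s\n' "$SAMPLE_DUMPCAP_STATUS" | classify_status
printf '%s\n' "$SAMPLE_ROOT_STATUS" | classify_status

# Live check of a running capture (after grant_capture_caps and re-login):
#   classify_status < "/proc/$(pidof -s dumpcap)/status"
```

An `excess` result for the GUI process means the whole application, dissectors included, is running with root's capabilities rather than just the capture helper.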

3

According to http://wiki.wireshark.org/CaptureSetup/CapturePrivileges you should not run it as root.

Instead, use root privileges to dump using dumpcap or tcpdump and then analyse using wireshark.

bryan

Posted 2010-05-09T05:12:07.280

Reputation: 7 848

Ah... but can harm come of using root privileges? – Nathan Osman – 2010-05-09T05:34:57.113

In general, yes/no. Better not to use root where you can get by without it. But if this is just your home machine and you're not going to bring down your office network/servers, fire away.

In relation to wireshark, I think you'll be safe enough. – bryan – 2010-05-09T05:55:39.157

Unless someone on your network is spewing packets specially crafted to exploit bugs in wireshark; then, using it as root is bad, bad news. – Charles Duffy – 2010-05-09T08:18:19.417

3

Wireshark has a long history of security bugs in the dissectors (the plugins which describe how to interpret various over-the-wire protocols). For that reason, it's safer to perform your captures with a simpler tool such as tcpdump, then use wireshark to interpret them as an unprivileged user.

Charles Duffy

Posted 2010-05-09T05:12:07.280

Reputation: 1 661

1

It depends on what's on your machine really. Do you use a spare laptop just for sniffing? Then run as root. If you have important data on that machine, then run tcpdump from the CLI and use wireshark to analyze the traffic.

speeds images

Posted 2010-05-09T05:12:07.280

Reputation: 486