Wireshark: Accessing USB Bus Interfaces without sudo

5

1

I am trying to monitor some USB traffic using Wireshark on Linux (Ubuntu). If I start Wireshark as my normal user without root privileges, the USB bus interfaces are not listed. If I sudo wireshark though, I do see the USB bus interfaces. This is perhaps best illustrated using the dumpcap command to list the available capture interfaces:

~$dumpcap -D

1. eth0
2. any (Pseudo-device that captures on all interfaces)
3. lo

versus

~$sudo dumpcap -D

1. eth0
2. usbmon1 (USB bus number 1)
3. usbmon2 (USB bus number 2)
4. usbmon3 (USB bus number 3)
5. usbmon4 (USB bus number 4)
6. usbmon5 (USB bus number 5)
7. usbmon6 (USB bus number 6)
8. usbmon7 (USB bus number 7)
9. usbmon8 (USB bus number 8)
10. any (Pseudo-device that captures on all interfaces)
11. lo

Is there a way I can configure Wireshark so that I don't have to run as root to get access to the USB bus interfaces? I've previously followed a guide to set up Wireshark so that I don't have to run it as root to see the Ethernet interfaces, so I'm wondering whether it's simply a matter of changing permissions on some other executable to be able to see USB interfaces without running as root...

Bryce Thomas

Posted 2012-07-24T12:15:32.943

Reputation: 671

Answers

6

Yes, you just need to add another capability to the dumpcap utility. CAP_DAC_OVERRIDE gives the ability to override permission checks on files, and allows dumpcap to access the files necessary for the USB capture. It's not a beautiful solution, but it's far better than running the entire Wireshark as root. Since you've already done most of the work, you just need to run this last command.

sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_DAC_OVERRIDE+eip' /usr/bin/dumpcap

Read the reply from Evan Huus on this bug report for some more information:

https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/893828

Christian Kindel

Posted 2012-07-24T12:15:32.943

Reputation: 61

3

CAP_DAC_OVERRIDE will certainly give Wireshark the ability to capture USB as non-root, but it also allows access to everything else. From a security perspective this is not good. There's another way, however:

sudo chmod go+r /dev/usbmon*

This will give access to just the USB monitoring. This could be further refined by creating a group named wireshark and then doing the following:

sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod g+s /usr/bin/dumpcap
sudo chgrp wireshark /dev/usbmon*
sudo chmod g+r /dev/usbmon*

This sets things up so that dumpcap has access to monitor USB and is still bound by normal permission restrictions. Additionally, programs that are members of the 'wireshark' group will have such access.

For those who don't know, dumpcap is the underlying worker program for Wireshark. Also, unless additional configuration changes are made, /dev/usbmon* will revert to default permissions on reboot, disabling USB monitoring access. Just rerun sudo chmod g+r /dev/usbmon* to enable. The changes to dumpcap's permissions will survive reboot.

wheredidthatnamecomefrom

Posted 2012-07-24T12:15:32.943

Reputation: 198
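An audit script for telling the two setups apart on a given machine, added here as an example and not taken from either answer. It reports whether dumpcap carries the broad CAP_DAC_OVERRIDE capability and whether each /dev/usbmon* node is world-readable, group-readable, or back at its default. The function names and result labels are assumptions of this example; the group name and dumpcap path come from the answers.

```shell
#!/bin/sh
# Added example (not from the answers): audit dumpcap and usbmon permissions.

# Classify one line of `getcap` output for dumpcap.
classify_caps() {
    case "$1" in
        *cap_dac_override*) echo "OVERBROAD" ;;      # bypasses file permission checks
        *cap_net_raw*|*cap_net_admin*) echo "NETWORK_ONLY" ;;
        *) echo "NONE" ;;
    esac
}

# Classify a usbmon node from its octal mode and owning group,
# i.e. the two fields printed by `stat -c '%a %G'`.
classify_usbmon() {
    mode=$1 group=$2 want=${3:-wireshark}
    if [ $(( 0$mode & 04 )) -ne 0 ]; then
        echo "WORLD_READABLE"    # result of chmod go+r: every local user can capture
    elif [ $(( 0$mode & 040 )) -ne 0 ] && [ "$group" = "$want" ]; then
        echo "GROUP_ONLY"        # result of chgrp wireshark + chmod g+r
    else
        echo "RESTRICTED"        # default state, also the state after a reboot
    fi
}

# Run both checks against the live system; prints nothing for usbmon
# if the device nodes do not exist.
audit() {
    bin=${1:-/usr/bin/dumpcap}
    caps=$(getcap "$bin" 2>/dev/null)
    echo "$bin capabilities: $(classify_caps "$caps")"
    for dev in /dev/usbmon*; do
        [ -e "$dev" ] || continue
        echo "$dev: $(classify_usbmon $(stat -c '%a %G' "$dev"))"
    done
}

audit
```

An `OVERBROAD` result corresponds to the first answer's setcap line, and `GROUP_ONLY` to the second answer's group-based setup.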