19

I am having trouble running tcpdump. I must run tcpdump as a non-root user. I searched the web for my problem and figured out I should:

```
sudo setcap cap_net_admin=eip /usr/sbin/tcpdump
```

That enabled me to run tcpdump as my user, but then I got:

```
you don't have permission to capture on that device
```

on any device I tried capturing.

I also went a little brute-force and did:

```
sudo chmod +s /usr/sbin/tcpdump
```

That didn't do it either.

tshepang
Sivan Sigal
  • Tcpdump requires root privileges, you’ll have to set specific Linux capabilities to the binary: `$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump` – Bhagirathsinh Gohil Oct 01 '14 at 08:17
  • Did that too but I keep getting: `tcpdump: eth0: You don't have permission to capture on that device (socket: Operation not permitted` – Sivan Sigal Oct 01 '14 at 08:28
  • See here: http://askubuntu.com/questions/39281/how-to-run-an-application-using-sudo-without-a-password – g_p Oct 01 '14 at 15:23
  • This is also problematic because I don't want to change the source code which I'm running... Also, what _DreamCoder_ suggested should work but strangely it doesn't. Anyone have another offer? – Sivan Sigal Oct 02 '14 at 07:38

2 Answers

47

It's a little late, but I just had the same problem. You need to give tcpdump the permission and capability to allow raw packet captures and network interface manipulation.

Add a capture group and add yourself to it:

```
sudo groupadd pcap
sudo usermod -a -G pcap $USER
```

Next, change the group of tcpdump and set permissions:

```
sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump
```

Finally, use setcap to give tcpdump the necessary permissions:

```
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
```

Be careful: this will allow everybody in the group pcap to manipulate network interfaces and read raw packets!

Found it here: Configure tcpdump to work as non-root

Kevin Bowen
Horst
  • I was able to limit this a bit and just use `cap_net_raw,cap_setpcap=ep`. The removal of the `i` was because my program didn't need to fork. This is for a custom binary, so ymmv. – Dan Aug 15 '16 at 23:27
  • This also worked for `iftop`, a program that shows network utilization by IP address / DNS name – HeatfanJohn Jul 13 '19 at 22:53
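
An added example, not part of the answer or the thread: a shell check that compares a capture binary's mode, group, file capabilities and the caller's session groups with the setup in the answer above. The function names, finding labels and sample inputs (user `alice`, mode 6755 for the question's state) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare a capture binary's state with
# the setup described in the answer. Inputs are strings so it runs offline;
# on a live system: stat -c %a FILE, stat -c %G FILE, getcap FILE, id -nG
# (id -nG without a user name reports the groups of the current session).

# has_cap NAME GETCAP_LINE: succeeds if NAME is listed. Handles the layouts
# "path = caps+eip" and "path caps=eip" (a single clause is assumed).
has_cap() {
    caps=${2#* }            # drop the path
    caps=${caps#= }         # drop "= " used by the older layout
    caps=${caps%%[+=]*}     # drop the flag suffix
    case ",$caps," in *",$1,"*) return 0 ;; esac
    return 1
}

# check_capture_setup MODE GROUP GETCAP_LINE USER_GROUPS
# Prints one finding per line; returns 0 only when there are none.
check_capture_setup() {
    mode=$1 group=$2 line=$3 user_groups=$4 rc=0
    m=$(( 0$mode ))         # octal permission bits, e.g. 750 or 6755
    for cap in cap_net_raw cap_net_admin; do
        has_cap "$cap" "$line" || { echo "missing:$cap"; rc=1; }
    done
    if [ -n "$line" ]; then # flags follow the last + or =, e.g. "eip"
        case ${line##*[+=]} in *e*) ;; *) echo "not-effective"; rc=1 ;; esac
    fi
    if [ $(( m & 04000 )) -ne 0 ]; then echo "setuid-bit-set"; rc=1; fi
    if [ $(( m & 01 )) -ne 0 ]; then
        # Any local user can execute the binary and receives its capabilities.
        echo "world-executable"; rc=1
    else
        case " $user_groups " in
            *" $group "*) ;;
            *) echo "user-not-in:$group"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed inputs: the question's state (chmod +s on an assumed mode 755) ...
check_capture_setup 6755 root "/usr/sbin/tcpdump cap_net_admin=eip" "alice sudo" || true
# ... and the state the answer configures.
check_capture_setup 750 pcap "/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip" "alice pcap" && echo "ok"
```

A `user-not-in:pcap` finding right after `usermod -a -G` usually means the current login session predates the group change; a new login picks it up.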
0

Perhaps this might work. Similar to what was posted already. It has not been tested on Ubuntu.

Use a group of which your user is a member:

```
chgrp wireshark /usr/sbin/tcpdump
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/tcpdump
```

Using `getcap /usr/sbin/tcpdump` you should see:

```
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
```

Serjan