On 2014/08/13 10:12, Kevin Chadwick wrote:
> previously on this list Nigel Taylor contributed:
> 
> > I seem to recall it might have been me that put this there or at least
> > an older version.
> > 
> > You don't capture with wireshark, you use it as a graphical display tool
> > only. Using tcpdump to create a file.
> > 
> > The other way is to pipe tcpdump output into wireshark,
> > 
> > sudo tcpdump -w - | wireshark -k -i -
> > 
> > I never run this wireshark thing as root, what others do that's their
> > choice.
> 
> Do you have this working with /usr/local set nosuid. I get a dumpcap
> permission denied even after doing a chmod -s on /usr/local/bin/dumpcap.
> 
> I expect removing the nosuid from /usr/local would make the risk higher
> than tcpdump's priv sep as dumpcap wants to run as root and running as
> the user would be worse than tcpdump.
> 
> The message I get is:
> 
> Couldn't run /usr/local/bin/dumpcap in child process: Permission denied 

The risk of using wireshark or most (if not all) of the bpf-users in ports
(or tcpdump.org's tcpdump) is higher than running OpenBSD's version of
tcpdump which does full privilege separation (for openbsd tcpdump,
dissectors are run jailed as an unprivileged user, others run limited
parts as root but run dissectors as the "normal" user running them).

If you want to reduce risk to a minimum, capture using e.g. "tcpdump -s
1500 -w file.pcap" and then run wireshark offline as a dedicated user with
low access to your filesystem (or even transfer the pcap file to another
machine with *no* confidential information on it). And make sure you
stay up to date (having wireshark in packages can help here because
it's quite a slow build).
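
A script wrapping the workflow recommended above (capture as root with tcpdump, dissect offline as a dedicated low-access user), added here as an example and not posted by anyone in the thread. It assumes a hypothetical dedicated user "pcapview" and that sudo is configured to let root run wireshark as that user; the setuid check mirrors the dumpcap concern raised earlier in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): keep the privileged step limited to
# tcpdump, and run wireshark's dissectors only as an unprivileged user.
# Assumption (hypothetical): user "pcapview" exists with little filesystem
# access, and sudo permits root to run wireshark as that user.

VIEW_USER="${VIEW_USER:-pcapview}"
SNAPLEN=1500   # full frames, as in "tcpdump -s 1500 -w file.pcap"

# Return 0 if a binary carries the setuid bit, so a caller can refuse a
# setuid dumpcap instead of relying on it (it is useless on nosuid anyway).
is_setuid() {
    [ -u "$1" ]
}

# Return 0 only if the capture file is a regular file with no permissions
# for "others": the viewer user gets it via group, nobody else reads it.
pcap_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c1-10)     # e.g. -rw-r-----
    case "$mode" in
        -??????---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Privileged half: capture $2 packets (default 1000) into $1, then hand the
# file to the viewer's group with mode 0640.
capture() {
    file="$1"; count="${2:-1000}"
    tcpdump -s "$SNAPLEN" -c "$count" -w "$file" || return 1
    chown "root:$VIEW_USER" "$file" && chmod 0640 "$file"
}

# Unprivileged half: refuse anything not private, then dissect offline.
dissect() {
    pcap_is_private "$1" || { echo "refusing: $1 is not private" >&2; return 1; }
    sudo -u "$VIEW_USER" wireshark -r "$1"
}

# Usage: script.sh capture FILE [COUNT] | script.sh dissect FILE
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    case "$1" in
        capture) capture "$2" "$3" ;;
        dissect) dissect "$2" ;;
        *) echo "usage: $0 capture FILE [COUNT] | dissect FILE" >&2; exit 2 ;;
    esac
fi
```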
