On 08/13/14 11:35, Stuart Henderson wrote:
> On 2014/08/13 10:12, Kevin Chadwick wrote:
>> previously on this list Nigel Taylor contributed:
>>
>>> I seem to recall it might have been me that put this there or at least
>>> an older version.
>>>
>>> You don't capture with wireshark, you use it as a graphical display tool
>>> only. Use tcpdump to create a file.
>>>
>>> The other way is to pipe tcpdump output into wireshark:
>>>
>>> sudo tcpdump -w - | wireshark -k -i -
>>>
>>> I never run this wireshark thing as root; what others do, that's their
>>> choice.
>>
>> Do you have this working with /usr/local set nosuid? I get a dumpcap
>> permission denied even after doing a chmod -s on /usr/local/bin/dumpcap.
>>
>> I expect removing the nosuid from /usr/local would make the risk higher
>> than tcpdump's priv sep, as dumpcap wants to run as root, and running as
>> the user would be worse than tcpdump.
>>
>> The message I get is:
>>
>> Couldn't run /usr/local/bin/dumpcap in child process: Permission denied
>
> The risk of using wireshark or most (if not all) of the bpf-users in ports
> (or tcpdump.org's tcpdump) is higher than running OpenBSD's version of
> tcpdump, which does full privilege separation (for openbsd tcpdump,
> dissectors are run jailed as an unprivileged user; others run limited
> parts as root but run dissectors as the "normal" user running them).
>
> If you want to reduce risk to a minimum, capture using e.g. "tcpdump -s
> 1500 -w file.pcap" and then run wireshark offline as a dedicated user with
> low access to your filesystem (or even transfer the pcap file to another
> machine with *no* confidential information on it). And make sure you
> stay up to date (having wireshark in packages can help here because
> it's quite a slow build).
>
> This does work

sudo tcpdump -s 1500 -w - | wireshark -k -i -

The user needs to be in the _wireshark group. You can remove the suid from
/usr/local/bin/dumpcap; the suid is only required if doing captures with
dumpcap. Wireshark does a dumpcap -L or -D to list the interfaces available
when started; the list of interfaces is not needed when piping the capture.

$ dumpcap -D
dumpcap: There are no interfaces on which a capture can be done

dumpcap is returning no interfaces because the suid has been removed; it
doesn't matter, wireshark still runs, just no interfaces are listed.

Most of the time I use wireshark as Stuart suggests: capture to a file with
tcpdump, and view with wireshark on a different machine.
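An added example, not from anyone in this thread, of the lower-risk split described above: confirm dumpcap is no longer setuid, capture with the privilege-separated base tcpdump as root, then open the file offline under a dedicated low-privilege account. It assumes OpenBSD, doas(1) configured for the caller, a hypothetical analysis account named "pcapview", and the dumpcap path from the wireshark port.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: OpenBSD, doas(1) set up
# for the caller, a dedicated low-privilege account "pcapview" (hypothetical
# name), and dumpcap installed at the path used by the wireshark port.

DUMPCAP=/usr/local/bin/dumpcap

# Return 0 if the file has the setuid bit, 1 otherwise ([ -u ] is POSIX test).
has_setuid() {
    [ -u "$1" ]
}

# Refuse to proceed while dumpcap is still setuid: the capture is done by the
# base tcpdump, so wireshark needs no root-capable helper at all.
check_dumpcap() {
    if has_setuid "$DUMPCAP"; then
        echo "$DUMPCAP is setuid; run: doas chmod u-s $DUMPCAP" >&2
        return 1
    fi
    return 0
}

# Capture to a file as root with the privilege-separated base tcpdump.
# Snaplen 1500 is the value suggested upthread; $1 = interface, $2 = output.
capture() {
    doas tcpdump -s 1500 -i "$1" -w "$2"
}

# Hand the pcap to the analysis account read-only and open it there offline.
# That account has no capture rights and no access to the caller's files,
# so a dissector bug only exposes what pcapview can already reach.
analyze_offline() {
    doas chown pcapview "$1"
    doas chmod 0400 "$1"
    doas -u pcapview wireshark -r "$1"
}

# Usage (not run here):
#   check_dumpcap && capture em0 /tmp/cap.pcap && analyze_offline /tmp/cap.pcap
```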