On 2014/08/14 17:07, Kevin Chadwick wrote:
> On Thu, 14 Aug 2014 12:40:10 +0100
> Nigel Taylor wrote:
>
> > This does work
> >
> > sudo tcpdump -s 1500 -w - | wireshark -k -i -
> >
> > User needs to be in the _wireshark group, you can remove the suid from
> > /usr/local/bin/dumpcap, the suid is only required if doing captures with
> > dumpcap.
>
> Aye, I must be blind to have missed the lack of global execute
> permissions on dumpcap. Having said that I'm sure wireshark's error could
> have mentioned not being able to execute dumpcap.
>
> p.s. I couldn't find the wireshark group mentioned anywhere in a
> pkg-readme or pkg_info -M
>
The readme could do with a quick mention of nosuid mounts, but other than
that I thought it was pretty clear..

$ cat /pkg-readmes/wireshark-1.10.9
$OpenBSD: README-main,v 1.1.1.1 2014/07/14 08:44:51 landry Exp $

+-----------------------------------------------------------------------
| Running wireshark-1.10.9 on OpenBSD
+-----------------------------------------------------------------------

Packet dissectors (here in Wireshark, and in other programs such as
tcpdump) have a long history of security problems. In wireshark, these are
isolated from the packet capture code (which must have root privileges) by
using a separate program, dumpcap, to run the capture.

/usr/local/bin/dumpcap has been installed setuid root, with read/execute
access granted only to users in the _wireshark group. For normal
interactive use of wireshark, add your username to this group:

	usermod -G _wireshark username

If you will only run wireshark offline on files captured using tcpdump -w,
this step is not necessary.

DO NOT RUN WIRESHARK AS ROOT.
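A script that checks whether the dumpcap privilege separation described in the readme is actually in effect, as an added example that is not part of the thread or of the OpenBSD port. It assumes dumpcap at /usr/local/bin/dumpcap, the _wireshark group, the mode 4750 the readme implies, and traditional ls/df/mount output, so the nosuid check is a heuristic that reports "ok" when it cannot find the mount line.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD port: verify that the
# dumpcap privilege separation described in the pkg-readme is in effect.
# Assumptions: dumpcap at /usr/local/bin/dumpcap, group _wireshark, mode
# 4750 (setuid root, group read/execute, nothing for others).

DUMPCAP=${DUMPCAP:-/usr/local/bin/dumpcap}
CAPGROUP=_wireshark

# Judge one "ls -l" line for dumpcap; prints "ok" or the first problem found.
# A good line looks like: -rwsr-x---  1 root  _wireshark  ... /usr/local/bin/dumpcap
check_perm_line() {
    set -- $1                      # split the ls line on whitespace
    mode=$1 owner=$3 group=$4
    case $mode in
        -rws*) ;;                  # 's' in the owner-execute slot: setuid and executable
        -rwS*) echo "setuid set but owner cannot execute (mode $mode)"; return 1 ;;
        *)     echo "not setuid (mode $mode)"; return 1 ;;
    esac
    [ "$owner" = root ] || { echo "owner is $owner, not root"; return 1; }
    [ "$group" = "$CAPGROUP" ] || { echo "group is $group, not $CAPGROUP"; return 1; }
    case $mode in
        -rws??[xs]---) ;;          # group may execute, others get nothing
        -rws??[xs]*)   echo "others have access (mode $mode)"; return 1 ;;
        *)             echo "group cannot execute (mode $mode)"; return 1 ;;
    esac
    echo ok
}

# Judge the mount(8) line for the filesystem holding dumpcap. A nosuid mount
# makes the kernel ignore the setuid bit, so the capture silently loses root.
# e.g. "/dev/sd0f on /usr/local type ffs (local, nodev, nosuid)"
check_mount_line() {
    case $1 in
        *nosuid*) echo "filesystem mounted nosuid: the setuid bit is ignored"; return 1 ;;
        *)        echo ok ;;
    esac
}

# Live check of the real installation (assumes traditional ls -l / df -P /
# mount output; OpenBSD and GNU userland both fit).
check_dumpcap() {
    check_perm_line "$(ls -ld "$DUMPCAP")" || return 1
    mountpoint=$(df -P "$DUMPCAP" | awk 'NR == 2 { print $NF }')
    check_mount_line "$(mount | grep " on $mountpoint type ")"
}
```

Run `check_dumpcap` as any user; it needs no privileges because it only reads metadata.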