Views: 6246
Published: 2019-06-22


Sniffing with Wireshark as a Non-Root User

By  | Friday, March 19, 2010 at 11:39 a.m. UTC

This article focuses on Linux and some UNIXes. For Windows users, there is .

Many network engineers become dismayed the first time they run Wireshark on a Linux machine and find that they don't have access to any network interfaces. This is because, by default, raw access to network interfaces (e.g. eth0) requires root privileges. Unfortunately, this often prompts people to simply run Wireshark as root - a bad idea. As an older ebuild of Wireshark warns:

WIRESHARK CONTAINS OVER ONE POINT FIVE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.

Indeed, due to the complexity and sheer number of its many protocol dissectors, Wireshark is inherently vulnerable to malformed traffic (accidental or otherwise), which may result in denial of service conditions or possibly arbitrary code execution. But if we shouldn't run Wireshark with root privileges, how are we to capture packets?

The lead developer of Wireshark, Gerald Combs, points out some that Linux distributions are beginning to. In this article, we'll walk through putting this idea into practice on an Ubuntu 9.10 machine, and include a bit more detail behind the system commands.

Filesystem Capabilities

What are filesystem capabilities? From the :

For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is non-zero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

The manual goes on to list over two dozen distinct POSIX capabilities which individual executables may be granted. For sniffing, we're interested in two specifically:

  • CAP_NET_ADMIN - Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).

  • CAP_NET_RAW - Permit use of RAW and PACKET sockets.

CAP_NET_ADMIN allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire. These capabilities are assigned using the setcap utility.

Enabling Non-root Capture

Step 1: Install setcap

First, we'll need to install the setcap executable if it hasn't been already. We'll use this to set granular capabilities on Wireshark's dumpcap executable. setcap is part of the libcap2-bin package.

stretch@Sandbox:~$ sudo apt-get install libcap2-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  libcap-dev
The following NEW packages will be installed:
  libcap2-bin
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.7kB of archives.
After this operation, 135kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com karmic/universe libcap2-bin 1:2.16-5ubuntu1 [17.7kB]
Fetched 17.7kB in 0s (36.7kB/s)
Selecting previously deselected package libcap2-bin.
(Reading database ... 146486 files and directories currently installed.)
Unpacking libcap2-bin (from .../libcap2-bin_1%3a2.16-5ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libcap2-bin (1:2.16-5ubuntu1) ...

Step 2: Create a Wireshark Group (Optional)

Since the application we'll be granting heightened capabilities can by default be executed by all users, you may wish to add a designated group for the Wireshark family of utilities (and similar applications) and restrict their execution to users within that group. However, this step isn't strictly necessary.

root@Sandbox# groupadd wireshark
root@Sandbox# usermod -a -G wireshark stretch

After adding yourself to the group, your normal user may have to log out and back in. Or, you can run newgrp to force the effect of the new group (you'll have to launch Wireshark from this same terminal environment in step 3):

stretch@Sandbox$ newgrp wireshark

We assign the dumpcap executable to this group instead of Wireshark itself, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 ensures only users belonging to its group can execute the file.

root@Sandbox# chgrp wireshark /usr/bin/dumpcap
root@Sandbox# chmod 750 /usr/bin/dumpcap

Step 3: Grant Capabilities

Granting capabilities with setcap is a simple matter:

root@Sandbox# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

In case you're wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted bitmaps, respectively. A more thorough explanation is provided in section 2 of .

To verify our change, we can use getcap:

root@Sandbox# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

Now, as the user who we added to the wireshark group in step 2, execute Wireshark. You should now see the full list of available adapters and can begin sniffing. (If not, double-check that the wireshark group is listed in the output of groups. You may need to log out and back in for the new group assignment to take effect.)
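As an added example (not part of the original article or of Wireshark's own tooling), here is a small POSIX shell audit that re-checks the three steps above: that dumpcap carries exactly cap_net_admin and cap_net_raw in the effective, inheritable and permitted sets and nothing more, that it is mode 750 and group-owned by wireshark, and that the current login session already belongs to that group. It assumes the article's path /usr/bin/dumpcap and group name wireshark, and accepts both the older "PATH = caps+eip" getcap format shown in step 3 and the newer "PATH caps=eip" format printed by recent libcap releases.

```shell
# Added audit script, not from the original article. Assumes the article's
# binary path /usr/bin/dumpcap and group "wireshark".

# Normalise one getcap line into "capset|flags" (old "PATH = caps+flags"
# output as in step 3, or newer "PATH caps=flags" output).
parse_getcap() {
    rest=${1#* }            # drop the path
    rest=${rest#"= "}       # drop the old-style "= " separator if present
    case "$rest" in
        *+*) printf '%s|%s\n' "${rest%%+*}" "${rest#*+}" ;;
        *=*) printf '%s|%s\n' "${rest%%=*}" "${rest#*=}" ;;
        *)   printf '|\n' ;;   # no file capabilities at all
    esac
}

# Return 0 only if the file carries exactly cap_net_admin and cap_net_raw,
# each in the effective, inheritable and permitted sets (what "=eip" grants).
# An extra capability such as cap_sys_admin, or a missing set, fails.
check_dumpcap_caps() {
    parsed=$(parse_getcap "$1")
    capset=${parsed%%|*}
    flags=${parsed#*|}
    sorted=$(printf '%s\n' "$capset" | tr ',' '\n' | sort | tr '\n' ',')
    [ "${sorted%,}" = "cap_net_admin,cap_net_raw" ] || return 1
    for f in e i p; do
        case "$flags" in *"$f"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Return 0 if mode is 750 and the owning group is wireshark (step 2), so only
# group members can run the capability-bearing binary.
check_dumpcap_perms() {   # $1 = octal mode, $2 = group name
    [ "$1" = "750" ] && [ "$2" = "wireshark" ]
}
# Return 0 if the current session's group list includes $1 (a login that
# predates the usermod in step 2 will not list the new group yet).
in_group() {
    for g in $(id -nG); do [ "$g" = "$1" ] && return 0; done
    return 1
}
# Live audit on a real host (needs getcap and GNU stat); the unquoted
# $(stat ...) is intentional so mode and group arrive as two arguments.
audit_dumpcap() {
    bin=/usr/bin/dumpcap
    check_dumpcap_caps "$(getcap "$bin" 2>/dev/null)" || { echo "caps: FAIL"; return 1; }
    check_dumpcap_perms $(stat -c '%a %G' "$bin") || { echo "perms: FAIL"; return 1; }
    in_group wireshark || { echo "group: FAIL"; return 1; }
    echo "dumpcap: OK"
}
```

Run `audit_dumpcap` after step 3; a "caps: FAIL" on a binary that getcap reports as having more than the two capture capabilities is worth investigating, since the point of the article is to grant dumpcap no more than it needs.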

Reposted from: https://my.oschina.net/coolfire368/blog/224898
