13

I need to limit the file size when I run "tcpdump -w 1.pcap". I tried to do this with the "-C" option, but when I add it I get the error "permission denied". So:

> sudo tcpdump -w 1.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C821 packets captured
847 packets received by filter
24 packets dropped by kernel

But:

> sudo tcpdump -C 100 -w 1.pcap
tcpdump: 1.pcap: Permission denied

I run the command from my home directory. I tried removing and re-creating the file with different permissions before running the command; finally I have:

-rwxrwxrwx 1 root root 0 Aug  5 10:30 1.pcap

or

-rwxrwxrwx 1 fd8 users 0 Aug  5 10:30 1.pcap

Could you suggest why in the second case I can't write to the file?

fd8
  • When you executed `sudo tcpdump -C 100 -w 1.pcap` was `1.pcap` already present with ownership as root:root? – Varun Aug 05 '13 at 04:52
  • @VarunLakkur Since he's running it with sudo, permissions shouldn't matter. – Barmar Aug 05 '13 at 04:56
  • `sudoers` configuration can specify particular commands and options allowed while running `sudo`. Could that be a possibility here? – Varun Aug 05 '13 at 05:00
  • @VarunLakkur I have full rights according to sudoers. So I don't think that there is a problem with file permissions. Often people write that they have troubles with -w at all. They solve this with compile flags of tcpdump such as chroot or suid, but I can't find how to check this on my system... – fd8 Aug 05 '13 at 05:30
  • I have the problem even when I run it as root (sudo su). – fd8 Aug 05 '13 at 05:56

3 Answers

15

You need to do -Z root. Read the man page:

   -Z     Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user.

          This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root.

Eric Loyd, jameshfisher
  • Yes, I have read the man page, but I still can't understand why "tcpdump -w 1.pcap" works fine without -Z, and "sudo tcpdump -C 100 -w 1.pcap" does not. – fd8 Jan 07 '14 at 07:40
  • By default, tcpdump in RHEL will "drop privileges" to the tcpdump user when writing the file, meaning that the file gets saved as a non-root user. In RHEL, the user should be "tcpdump". So you can get around the issue by `chmod 777 /path/to/logdir/`, or even `chown tcpdump /path/to/logdir`. If your log directory is owned by a specific user, you can use `-Z` to save files as that user instead, but `-Z root` lets you write files anywhere. – ghoti May 01 '14 at 18:45
  • Oh, and "because that's how it works" is a terrible thing to put in a StackOverflow answer. :-) – ghoti May 01 '14 at 18:46
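Building on this answer and ghoti's comment about the log directory: before starting a rotating capture you can check whether the account tcpdump drops to can actually use the path given to -w. Whatever the exact point at which a given tcpdump build drops privileges, every file it opens afterwards, including the rotated files 1.pcap1, 1.pcap2, ... that -C produces, is created as that user, so it needs write permission on the capture directory and search (x) permission on every directory above it; a world-writable 1.pcap on its own gives neither. The following Python script is an added example, not code from the answer or from the tcpdump project. The account name tcpdump, the uid 72 and the DEMO_FS snapshot (a 0700 home directory, chosen to show one way the question's symptom can arise) are constructed assumptions, and only POSIX mode bits are modelled, not ACLs, SELinux or AppArmor.

```python
"""Pre-flight check for 'tcpdump -C ... -w FILE' under the default -Z privilege drop.

Added example, not tcpdump project code. It answers: can the unprivileged account
that tcpdump switches to open FILE and create the rotated FILE1, FILE2, ... there?
Only POSIX mode bits are modelled (no ACLs, no SELinux/AppArmor, no chattr +i).
"""
import grp
import os
import pwd
import stat
import sys

# Constructed identity for the stand-alone demo (account name and uid are assumptions);
# a real host is queried with ids_for_user("tcpdump") below.
DEMO_UID = 72
DEMO_GIDS = {72}

# Constructed snapshot modelled on the question: a 0700 home directory holding a
# world-writable, root-owned 1.pcap. Values are (mode, uid, gid).
DEMO_FS = {
    "/": (0o755, 0, 0),
    "/home": (0o755, 0, 0),
    "/home/fd8": (0o700, 1000, 100),
    "/home/fd8/1.pcap": (0o777, 0, 0),
}

def demo_lookup(path):
    return DEMO_FS.get(path)

def os_lookup(path):
    """(mode, uid, gid) of a real path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def ids_for_user(name):
    """uid and the full set of gids (primary + supplementary) for an account name."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids

def perm_bits(mode, file_uid, file_gid, uid, gids):
    """rwx bits (0..7) that uid/gids get on an inode, by the POSIX class rules:
    the owner class applies if uid matches, otherwise group, otherwise other."""
    if uid == 0:
        return 7              # root (CAP_DAC_OVERRIDE) passes every check made here
    if uid == file_uid:
        return (mode >> 6) & 7
    if file_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def ancestors(path):
    """Every directory from '/' down to the parent of path, in order."""
    parts = os.path.abspath(path).split("/")[1:-1]
    cur = "/"
    out = [cur]
    for p in parts:
        cur = os.path.join(cur, p)
        out.append(cur)
    return out

def check_capture_path(path, uid, gids, lookup):
    """List of (path, missing) problems; empty means the drop-to user can open FILE
    and create the rotated FILE1, FILE2, ... that -C produces in its directory."""
    problems = []
    path = os.path.abspath(path)
    dirs = ancestors(path)
    for d in dirs:
        info = lookup(d)
        if info is None:
            return problems + [(d, "missing")]
        if not perm_bits(*info, uid, gids) & 1:
            problems.append((d, "x"))     # cannot even traverse this directory
    parent = dirs[-1]
    if not perm_bits(*lookup(parent), uid, gids) & 2:
        problems.append((parent, "w"))    # -C must create new files here
    info = lookup(path)
    if info is not None and not perm_bits(*info, uid, gids) & 2:
        problems.append((path, "w"))      # an existing first file must be truncatable
    return problems

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "1.pcap"
    user = sys.argv[2] if len(sys.argv) > 2 else "tcpdump"
    try:
        uid, gids = ids_for_user(user)
    except KeyError:
        sys.exit(f"no account {user!r}: -Z {user} would fail before any file is opened")
    problems = check_capture_path(target, uid, gids, os_lookup)
    for p, what in problems:
        print(f"{p}: user {user} lacks {what!r}")
    if problems:
        print(f"fix: chown {user} the capture directory and make each parent searchable (o+x),")
        print("     or use -Z root and accept that the file writer keeps full privileges")
    else:
        print(f"ok: tcpdump -C can write {os.path.abspath(target)} as user {user}")
```

Run it on the capture host as `python3 preflight.py /home/fd8/1.pcap tcpdump`; each reported line names the directory or file and the permission bit the drop-to user lacks. With the constructed DEMO_FS the verdict is that /home/fd8 is neither searchable nor writable for uid 72, which is exactly the situation `chown tcpdump` or `chmod` on the directory (ghoti's suggestion) repairs, and which `-Z root` sidesteps by not dropping privileges at all.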
6

I experienced similar issues on Ubuntu 12.04 LTS, and my case was fixed by the procedure below.

sudo apt-get install apparmor-utils

The aa-complain command referred to by user2704275 is included in this package.

If your environment is a RedHat/CentOS distro, you can install the same command with yum.

sudo aa-complain /usr/sbin/tcpdump

This will change the AppArmor mode of tcpdump from "enforce" to "complain". You can check the AppArmor status in /sys/kernel/security/apparmor/profiles.

Then I was able to run tcpdump successfully with sudo.

After getting the tcpdump, for security reasons, you might want to revert the AppArmor status to the previous mode with the command below.

sudo aa-enforce /usr/sbin/tcpdump

Regards.

Inetgate
4

I experienced similar problems when I tried to read from a file, like

tcpdump -r example.cap 'icmp[icmptype] = icmp-echo'

For me, AppArmor caused the problem; I had to switch 'tcpdump' from 'enforcement' mode to 'complain' mode. Run the following command as root:

aa-complain /usr/sbin/tcpdump
  • Thank you for your answer! But AppArmor is used for Ubuntu, and I have RHEL on the server. The answer was to use the "-Z root" option for tcpdump. But we still don't know why tcpdump behaves that way, because SELinux is turned off on the server. – fd8 Aug 30 '13 at 08:35
  • It might just be the case of disabling the AppArmor profile (since complain mode can be a security issue) using: `sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump` – douglaslps May 05 '15 at 13:24
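The two AppArmor answers and fd8's reply that the server runs RHEL leave one question open for anyone else hitting this: is AppArmor loaded on the host at all, and if so, in which mode is the tcpdump profile? The following Python script is an added example, not code from any of the answers. It reads the profiles listing named in the answer above (/sys/kernel/security/apparmor/profiles) together with /sys/module/apparmor/parameters/enabled, maps the result to a verdict and prints what to look at next; the SAMPLE_PROFILES text is a constructed copy of that listing's format, and the advice strings are mine.

```python
"""Is AppArmor confining tcpdump on this host, and in which mode? (added example)"""

APPARMOR_ENABLED = "/sys/module/apparmor/parameters/enabled"   # "Y" when the LSM is active
APPARMOR_PROFILES = "/sys/kernel/security/apparmor/profiles"    # one "<name> (<mode>)" per line
TCPDUMP_PROFILE = "/usr/sbin/tcpdump"

# Constructed sample of the profiles listing as it looks on an Ubuntu host.
SAMPLE_PROFILES = """\
/usr/sbin/tcpdump (enforce)
/usr/sbin/cupsd (enforce)
/usr/sbin/cupsd//third_party (enforce)
/usr/bin/evince (complain)
"""

def parse_profiles(text):
    """profile name -> mode, from the kernel's listing (child profiles keep their '//' name)."""
    modes = {}
    for line in text.splitlines():
        line = line.strip()
        if " (" not in line or not line.endswith(")"):
            continue
        name, mode = line.rsplit(" (", 1)
        modes[name] = mode[:-1]
    return modes

def profile_mode(text, name=TCPDUMP_PROFILE):
    """'enforce', 'complain', ... or None when no profile for name is loaded (unconfined)."""
    return parse_profiles(text).get(name)

def diagnose(enabled, profiles_text):
    """Collapse the raw state into one verdict key (strings, so it is easy to test)."""
    if not enabled:
        return "apparmor-absent"
    mode = profile_mode(profiles_text)
    return "apparmor-unconfined" if mode is None else "apparmor-" + mode

ADVICE = {
    "apparmor-absent": (
        "AppArmor is not active (the case on RHEL, which ships SELinux instead). "
        "Check 'getenforce' and the -Z privilege drop; aa-complain will not help here."),
    "apparmor-unconfined": (
        "AppArmor is active but no tcpdump profile is loaded, so it is not the cause."),
    "apparmor-enforce": (
        "The tcpdump profile is enforced. Look in dmesg or audit.log for apparmor=\"DENIED\" "
        "lines naming your capture path; prefer adding that path to the profile and "
        "reloading it (apparmor_parser -r) over aa-complain, which stops enforcing every rule."),
    "apparmor-complain": (
        "The profile is in complain mode: denials are only logged, so AppArmor is not "
        "blocking the write. Remember to return it to enforce with aa-enforce."),
}

def apparmor_on():
    """True when the AppArmor LSM is loaded and enabled on this kernel."""
    try:
        with open(APPARMOR_ENABLED) as f:
            return f.read().strip() == "Y"
    except OSError:              # file absent: module not built or not loaded
        return False

def read_profiles():
    """Raw profiles listing, or '' when securityfs is not mounted or not readable."""
    try:
        with open(APPARMOR_PROFILES) as f:
            return f.read()
    except OSError:
        return ""

if __name__ == "__main__":
    verdict = diagnose(apparmor_on(), read_profiles())
    print(verdict)
    print(ADVICE.get(verdict, "unexpected profile mode; inspect the listing by hand"))
```

Run it as root on the host in question; on an RHEL box it reports apparmor-absent, which is fd8's situation and the reason aa-complain was never going to apply there. On Ubuntu it tells you whether the profile is enforced, in which case the matching apparmor="DENIED" log line names the exact path to allow, a narrower fix than either complain mode or removing the profile.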