4

Even after changing the group and ownership of tcpdump to user mode, I still get the following error:

tcpdump -i eth0
tcpdump: eth0: You don't have permission to capture on that device
(socket: Operation not permitted)

ls -la /usr/sbin/tcpdump
-rwxr-x--- 1 user1 user1 830920 Apr 24 21:28 /usr/sbin/tcpdump

I know it is not good to drop the permission of tcpdump from root to user but for ease of use in my case, I would like to be able to use it from user level.

I took the hint from: "tcpdump -w 1.pcap" works, but "tcpdump -C 100 -w 1.pcap" - permission denied

and installed AppArmor as I am using Ubuntu 12.04 LTS.

And did:

sudo aa-complain /usr/sbin/tcpdump

Still I get the same error message. If I use "-Z" with the tcpdump command, I can drop the privileges and run tcpdump but not otherwise. Is there a way out?

Thanks

user907810

1 Answer

3

libpcap (which tcpdump is based on) requires admin privilege to set your interface into promiscuous mode. There is nothing you can do about it, the kernel won't let you/tcpdump/libpcap do that, period.

What you can do is use tcpdump without promiscuous mode, but that will severely limit its functionality: you will only see traffic directed explicitly to/from your machine, as opposed to everything that's seen on the wire, which is usually what you want to do (and is why using promisc mode is the default). In order to do that, use this tcpdump option:

   --no-promiscuous-mode
          Don't  put  the  interface into promiscuous mode.  Note that the
          interface might be in promiscuous mode for  some  other  reason;
          hence,  `-p'  cannot  be used as an abbreviation for `ether host
          {local-hw-addr} or ether broadcast'.

For more info on promiscuous mode:

http://en.wikipedia.org/wiki/Promiscuous_mode

I quote:

Many operating systems require superuser privileges to enable promiscuous mode.

In Linux, at the low level, this is done by setting the IFF_PROMISC flag on the netdevice via a SIOCSIFFLAGS ("set flag") ioctl. And as you can see here:

http://man7.org/linux/man-pages/man7/netdevice.7.html

... "Setting the active flag word is a privileged operation", and "using it requires an effective user ID of 0 or the CAP_NET_ADMIN capability. If this is not the case, EPERM will be returned."

So another direction may be to give your "userjoe" account the CAP_NET_ADMIN rights, but I would advise against this. Security-wise it's not better, if not worse, than being part of the sudoers and explicitly using sudo when you need to.

jbm
  • Correction to the last paragraph: the `CAP_NET_ADMIN` capability is set on a binary, not a user and is a lot better than running the binary as `root` as it will not have all the privileges `root` has. – drrlvn Aug 13 '19 at 12:20