tcpdump mailing list archives

Re: -G and -C options


From: Michal Ruprich <michalruprich () gmail com>
Date: Tue, 17 Sep 2019 13:26:15 +0200

On 9/16/19 4:21 PM, Michael Richardson wrote:
Michal Ruprich <michalruprich () gmail com> wrote:
    > with -C option, the manpage says "Note that when used with -Z option
    > (enabled by default), privileges are dropped before opening first
    > savefile." So when I run tcpdump as root like this:

    > # tcpdump -n -i eth0 -s 0 -C 3 -w /opt/tcpdump%F--%T.pcap

    > I immediately get 'Permission' denied error - as expected.

assuming that your username has no permissions on /opt
Actually no, the privileges are dropped every time - even when I run
tcpdump as root, the privileges are dropped before the file is created
and user tcpdump is used. But this is not the point. This behavior is
expected; my concern was about the manpage, that's all.

    > Now with -G, I think that the behavior should be similar but tcpdump
    > drops root privileges after creating the first file:

    > # tcpdump -n -i eth0 -s 0 -G 3 -w /opt/tcpdump%F--%T.pcap

That might be a reasonable behaviour, but it's not.
You'd generally want to switch to a username that has write permission.

    > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
    > 262144 bytes
    > tcpdump: /opt/tcpdump2019-09-16--07:03:32.pcap: Permission denied

    > # ls /opt

    > tcpdump2019-09-16--07:03:29.pcap

    > So with -G I get just the first file created. -C and -G have a very
    > similar rotation logic so perhaps the behavior should be similar as
    > well? Or at least this could be mentioned in the manpage under -G - the
    > fact that at least one file will be created.

There are a lot of considerations around this.
If you want to rotate files, then you need to keep permissions to write.
I'll try to review the man page, but any updates to document what *is* would
be welcome, even if what *is* makes little sense.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr () sandelman ca  http://www.sandelman.ca/        |   ruby on rails    [

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
