Wireshark mailing list archives
Re: DUMPCAP -g (Set ring buffer file group permissions)
From: John Powell <jrp999 () gmail com>
Date: Wed, 12 Dec 2012 12:39:27 -0600
Hi Jeff,

Thanks for updating the man pages and adding the option to TSHARK.

The way that I am allowing non-root users to run dumpcap is using:

- setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap -v

This way I do not need the SETUID and I think it is more secure.

-John

On Tue, Dec 11, 2012 at 8:12 PM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:

> A better way would be to run dumpcap as setuid-root ("chmod 4750 /usr/local/bin/dumpcap" would be one way). Then you could run dumpcap as a normal user (at least one who is a member of the 'wireshark' group--assuming you keep the ownership of the dumpcap utility the same). Then with "-g" the files would come out group-readable (actually they'd also come out readable by the user who started dumpcap :-)).
>
> FWIW I fixed the man pages in r46513. I added this "-g" argument to tshark at the same time.
>
> On 12/11/2012 04:32 PM, John Powell wrote:
>
> > Think I have the solution - chmod g+s <capture directory> and then chgrp wireshark <capture directory> then using dumpcap -g will set the read bit on the group and it looks like I am set.
> >
> > Thanks Mike and Jeff!
> >
> > On Tue, Dec 11, 2012 at 2:09 PM, <jrp999 () gmail com> wrote:
> >
> > > Sorry mike!
> > > Sent from my BlackBerry® wireless handheld
> > >
> > > -----Original Message-----
> > > From: jrp999 () gmail com
> > > Date: Tue, 11 Dec 2012 20:09:22
> > > To: Developer Wireshark <wireshark-dev () wireshark org>
> > > Reply-To: jrp999 () gmail com
> > > Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group permissions)
> > >
> > > Hi Bill,
> > >
> > > Thanks for the clarification, that makes sense.
> > >
> > > I am running dumpcap as a service - do you have any suggestions on how to make the dumpcap buffer files have a user defined group permissions?
> > >
> > > Thanks in advance!
> > >
> > > -John
> > > Sent from my BlackBerry® wireless handheld
> > >
> > > -----Original Message-----
> > > From: Michael Tuexen <Michael.Tuexen () lurchi franken de>
> > > Sender: wireshark-dev-bounces@wireshark.org
> > > Date: Tue, 11 Dec 2012 20:39:01
> > > To: Developer support list for Wireshark <wireshark-dev () wireshark org>
> > > Reply-To: Developer support list for Wireshark <wireshark-dev () wireshark org>
> > > Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group permissions)
> > >
> > > On Dec 11, 2012, at 8:24 PM, John Powell wrote:
> > >
> > > > Hi Jeff,
> > > >
> > > > I must be missing something.
> > > >
> > > > I set dumpcap permissions to:
> > > >
> > > > # ls -l /usr/local/bin/dumpcap
> > > > -rwxr-xr-- 1 root wireshark 230157 Dec 11 10:40 /usr/local/bin/dumpcap
> > > >
> > > > and the dumpcap command is:
> > > >
> > > > root /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g wireshark -b filesize:250000 -b duration:900 -w /var/opt/data/captures.cap
> > >
> > > After looking at the code, I think you misunderstood the -g option. As far as I see, you can't specify the group, you can just allow the group to read the file.
> > >
> > > So, for example:
> > >
> > > dumpcap -w test0.pcapng
> > >
> > > and then
> > >
> > > dumpcap -g -w test1.pcapng
> > >
> > > results in
> > >
> > > [mba:~/Documents/wireshark/trunk] tuexen% ls -l test?.pcapng
> > > -rw------- 1 tuexen staff 324 Dec 11 20:37 test0.pcapng
> > > -rw-r----- 1 tuexen staff 532 Dec 11 20:37 test1.pcapng
> > >
> > > So as you see, you can't specify the group, but control if the group members can read the file.
> > >
> > > Best regards
> > > Michael
> > >
> > > > I also tried
> > > >
> > > > root /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g -b filesize:250000 -b duration:900 -w /var/opt/data/captures.cap
> > > >
> > > > but the ring buffer files still end up "root root".
> > > >
> > > > ]# ls /var/opt/data/captures/* -l
> > > > -rw-r----- 1 root root 111542192 Dec 11 13:19 /var/
> > > >
> > > > Thoughts??
> > > >
> > > > Any guidance will be appreciated!
> > > >
> > > > Thanks!
> > > >
> > > > -John
> > > >
> > > > On Tue, Dec 11, 2012 at 1:11 PM, John Powell <jrp999 () gmail com> wrote:
> > > > Hi Jeff,
> > > >
> > > > After you said that I did DUMPCAP -h and behold there it was!!
> > > >
> > > > Thanks so much for all of the work you do on this project!!
> > > >
> > > > -John
> > > >
> > > > On Tue, Dec 11, 2012 at 12:59 PM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:
> > > > John Powell wrote:
> > > > Hi,
> > > >
> > > > I need to set the group permissions for files created by DumpCap.
> > > >
> > > > In this post I see the option " -g " is supposed to exist (http://www.engardelinux.org/modules/index/list_archives.cgi?list=wireshark-users&page=0016.html&month=2010-09)
> > > >
> > > > > > The file permissions are hardcoded in the source code. I have added
> > > > > > the option '-g' to dumpcap to enable group read access as this can
> > > > > > indeed be handy when (automatically) capturing to a ringbuffer.
> > > > > >
> > > > > > To be able to use this feature, you will have to use an automated
> > > > > > build[1] with a number higher than 33978 (available in a couple of
> > > > > > hours) or wait for the next 1.5.x development release.
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Sake
> > > >
> > > > Can someone please point me to how I can get a version that to have access to this option?
> > > >
> > > > You'd need Wireshark 1.6.0 or later. The current version (1.8.4) would be your best bet.
> > > >
> > > > BTW I noticed that this option is not listed in dumpcap's man page; I'll correct that shortly.
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
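The layout the thread converges on (a setgid capture directory owned by the capture group, with `dumpcap -g` supplying only the group-read bit) can be checked with a short audit script. This is an added example, not code from the thread or from Wireshark; the function names, finding labels and sample file names are hypothetical, the demo uses the caller's own group in place of 'wireshark', and it assumes a `stat` that supports `-c`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a dumpcap ring-buffer directory.
# Assumes a stat(1) with -c; function and finding names are hypothetical.

# audit_capture_dir DIR GID
# Prints one finding per line; returns 0 only if the directory is setgid and
# owned by GID, and every capture file is owned by GID, group-readable (what
# `dumpcap -g` adds) and closed to "other".
audit_capture_dir() {
    dir=$1; want_gid=$2; rc=0
    dmode=$(stat -c '%a' "$dir") || return 2
    if [ $(( 0$dmode & 02000 )) -eq 0 ]; then
        echo "DIR_NOT_SETGID mode=$dmode"; rc=1
    fi
    if [ "$(stat -c '%g' "$dir")" != "$want_gid" ]; then
        echo "DIR_WRONG_GROUP"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        if [ "$(stat -c '%g' "$f")" != "$want_gid" ]; then
            echo "FILE_WRONG_GROUP ${f##*/}"; rc=1
        fi
        if [ $(( 0$fmode & 040 )) -eq 0 ]; then
            echo "FILE_NOT_GROUP_READABLE ${f##*/} mode=$fmode"; rc=1
        fi
        if [ $(( 0$fmode & 007 )) -ne 0 ]; then
            echo "FILE_OPEN_TO_OTHER ${f##*/} mode=$fmode"; rc=1
        fi
    done
    return $rc
}

# make_demo_dir: constructed sample layout; prints the directory path.
# The caller's own group stands in for the 'wireshark' group.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    chmod 2750 "$d"                                             # chmod g+s
    : > "$d/cap_00001.pcapng"; chmod 600 "$d/cap_00001.pcapng"  # dumpcap without -g
    : > "$d/cap_00002.pcapng"; chmod 640 "$d/cap_00002.pcapng"  # dumpcap -g
    : > "$d/cap_00003.pcapng"; chmod 644 "$d/cap_00003.pcapng"  # loosened by hand
    echo "$d"
}

demo=$(make_demo_dir)
audit_capture_dir "$demo" "$(stat -c '%g' "$demo")" || echo "audit: findings above"
rm -rf "$demo"
```

On a real host, pass the capture directory and the numeric GID of the capture group instead of the demo values.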