Wireshark mailing list archives

Re: DUMPCAP -g (Set ring buffer file group permissions)


From: John Powell <jrp999 () gmail com>
Date: Wed, 12 Dec 2012 12:39:27 -0600

Hi Jeff,

Thanks for updating the man pages and adding the option to TSHARK.

The way that I am allowing non-root users to run dumpcap is using:

   - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/local/bin/dumpcap -v

This way I do not need the SETUID and I think it is more secure.

-John

On Tue, Dec 11, 2012 at 8:12 PM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:


A better way would be to run dumpcap as setuid-root ("chmod 4750
/usr/local/bin/dumpcap" would be one way).  Then you could run dumpcap as a
normal user (at least one who is a member of the 'wireshark'
group--assuming you keep the ownership of the dumpcap utility the same).
Then with "-g" the files would come out group-readable (actually they'd
also come out readable by the user who started dumpcap :-)).

FWIW I fixed the man pages in r46513.  I added this "-g" argument to
tshark at the same time.


On 12/11/2012 04:32 PM, John Powell wrote:

Think I have the solution - chmod g+s <capture directory> and then chgrp
wireshark <capture directory>

then using dumpcap -g will set the read bit on the group and it looks
like I am set.

Thanks Mike and Jeff!

On Tue, Dec 11, 2012 at 2:09 PM, <jrp999 () gmail com> wrote:

    Sorry mike!
    Sent from my BlackBerry® wireless handheld

    -----Original Message-----
    From: jrp999 () gmail com
    Date: Tue, 11 Dec 2012 20:09:22
    To: Developer Wireshark <wireshark-dev () wireshark org>
    Reply-To: jrp999 () gmail com
    Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group
         permissions)

    Hi Bill,

    Thanks for the clarification, that makes sense.

    I am running dumpcap as a service - do you have any suggestions on
    how to make the dumpcap buffer files have a user defined group
    permissions?

    Thanks in advance!

    -John
    Sent from my BlackBerry® wireless handheld

    -----Original Message-----
    From: Michael Tuexen <Michael.Tuexen () lurchi franken de>
    Sender: wireshark-dev-bounces () wireshark org
    Date: Tue, 11 Dec 2012 20:39:01
    To: Developer support list for Wireshark <wireshark-dev () wireshark org>
    Reply-To: Developer support list for Wireshark <wireshark-dev () wireshark org>
    Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group
             permissions)

    On Dec 11, 2012, at 8:24 PM, John Powell wrote:

     > Hi Jeff,
     >
     > I must be missing something.
     >
     > I set dumpcap permissions to:
     >
     > # ls -l /usr/local/bin/dumpcap
     > -rwxr-xr-- 1 root wireshark 230157 Dec 11 10:40
    /usr/local/bin/dumpcap
     >
     > and the dumpcap command is:
     >
     > root             /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and
    (not vrrp and not udp port 1985 and not ether host
    01:00:0c:cc:cc:cc) -g wireshark -b filesize:250000 -b duration:900
    -w /var/opt/data/captures.cap
    After looking at the code, I think you misunderstood the -g option.

    As far as I see, you can't specify the group, you can just allow the
    group to
    read the file.

    So, for example:

    dumpcap -w test0.pcapng

    and then

    dumpcap -g -w test1.pcapng

    results in

    [mba:~/Documents/wireshark/trunk] tuexen% ls -l test?.pcapng
    -rw-------  1 tuexen  staff  324 Dec 11 20:37 test0.pcapng
    -rw-r-----  1 tuexen  staff  532 Dec 11 20:37 test1.pcapng

    So as you see, you can't specify the group, but control if the group
    members can
    read the file.

    Best regards
    Michael
     >
     > I also tried
     >
     > root                        /usr/local/bin/dumpcap -B 16 -i 2 -f
    vlan and (not vrrp and not udp port 1985 and not ether host
    01:00:0c:cc:cc:cc) -g -b filesize:250000 -b duration:900 -w
    /var/opt/data/captures.cap
     >
     > but the ring buffer files still end up "root root".
     >
     > ]# ls /var/opt/data/captures/*  -l
     > -rw-r-----  1 root root      111542192 Dec 11 13:19 /var/
     >
     > Thoughts??
     >
     > Any guidance will be appreciated!
     >
     > Thanks!
     >
     > -John
     >
     > On Tue, Dec 11, 2012 at 1:11 PM, John Powell <jrp999 () gmail com> wrote:
     > Hi Jeff,
     >
     > After you said that I did DUMPCAP -h and behold there it was!!
     >
     > Thanks so much for all of the work you do on this project!!
     >
     > -John
     >
     >
     > On Tue, Dec 11, 2012 at 12:59 PM, Jeff Morriss
     <jeff.morriss.ws () gmail com> wrote:
     > John Powell wrote:
     > Hi,
     >
     > I need to set the group permissions for files created by DumpCap.
     >
     > In this post I see the option " -g " is supposed to exist
     (http://www.engardelinux.org/modules/index/list_archives.cgi?list=wireshark-users&page=0016.html&month=2010-09)
     >
     > > > The file permissions are hardcoded in the source code. I
     have added
     > > > the option '-g' to dumpcap to enable group read access as
     this can
     > > > indeed be handy when (automatically) capturing to a
     ringbuffer.
     > > >
     > > > To be able to use this feature, you will have to use an
     automated
     > > > build[1] with a number higher than 33978 (available in a
     couple of
     > > > hours) or wait for the next 1.5.x development release.
     > > >
     > > > Cheers,
     > > >
     > > >
     > > > Sake
     >
     >
     > Can someone please point me to how I can get a version that to
    have access to this option?
     >
     > You'd need Wireshark 1.6.0 or later.  The current version (1.8.4)
    would be your best bet.
     >
     > BTW I noticed that this option is not listed in dumpcap's man
    page; I'll correct that shortly.
     >

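As an added illustration (not code from this thread or from Wireshark), the following Python models the permission behaviour discussed above: dumpcap's hardcoded file mode (0600, or 0640 with -g, which takes no group argument), and Linux's rule that a new file takes the directory's group only when the directory has its setgid bit set. The gid values it uses are constructed stand-ins.

```python
import os
import stat
import tempfile

# Modes dumpcap hardcodes for new capture files (matches the ls output in
# the thread): 0600 by default, 0640 when -g is given.
MODE_DEFAULT = 0o600
MODE_GROUP_READ = 0o640


def capture_file_mode(group_read):
    """Permission bits a new capture file gets, with or without -g."""
    return MODE_GROUP_READ if group_read else MODE_DEFAULT


def expected_capture_gid(capture_dir, process_gid):
    """Group a new file in capture_dir will carry on Linux: the directory's
    group when its setgid bit is set, otherwise the creating process's gid."""
    st = os.stat(capture_dir)
    return st.st_gid if st.st_mode & stat.S_ISGID else process_gid


def group_can_read_captures(capture_dir, process_gid, wanted_gid, group_read):
    """True if members of wanted_gid will be able to read the files that
    dumpcap writes into capture_dir under these conditions."""
    mode = capture_file_mode(group_read)
    gid = expected_capture_gid(capture_dir, process_gid)
    return bool(mode & stat.S_IRGRP) and gid == wanted_gid


def walk_through_thread():
    """Replay John's three attempts on a scratch directory and return
    (readable_without_g, readable_with_g, readable_with_g_and_setgid_dir).
    The 'wireshark' group is stood in for by the scratch directory's own
    group; the service's gid is a constructed value that differs from it."""
    with tempfile.TemporaryDirectory() as d:
        wireshark_gid = os.stat(d).st_gid       # stand-in for group 'wireshark'
        service_gid = wireshark_gid + 1         # constructed: dumpcap's own group
        no_g = group_can_read_captures(d, service_gid, wireshark_gid, False)
        with_g = group_can_read_captures(d, service_gid, wireshark_gid, True)
        # chmod g+s on the directory (chgrp is implicit here, since the scratch
        # directory already carries the stand-in 'wireshark' group).
        os.chmod(d, 0o2750)
        fixed = group_can_read_captures(d, service_gid, wireshark_gid, True)
    return no_g, with_g, fixed
```

The second value is the "root root" case from the thread: -g adds the group read bit, but the file's group is still the service's own, so the intended readers gain nothing until the directory's setgid bit makes new files inherit its group.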

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
