5

I want to capture UDP packages sent by an FPGA with ~10 Gbit/s bandwidth. I found that tcpdump combined with a fast SSD is perfectly capable of receiving a continuous 10 Gbit/s stream and storing it on disk without loss.

When I run sudo tcpdump, everything works as expected.

However, I need to be able to run tcpdump without sudo. Without sudo I get this error:

tcpdump: enp4s0f0: You don't have permission to capture on that device
(socket: Operation not permitted)

Here is what I found and tried so far to enable tcpdump without sudo:

sudo su
groupadd pcap
usermod -a -G pcap $USER
chgrp pcap /usr/sbin/tcpdump
chmod 750 /usr/sbin/tcpdump
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Proposed solution from here

According to the various pages that list this solution, this should give my regular user account the possibility to run tcpdump, right?

However, when I switch to my regular user account and run tcpdump, I get this:

bash: /sbin/tcpdump: Permission denied

(note that this error message is different compared to the initial error message)

I've verified via getent group pcap that my account is part of the pcap group. I've also verified that /sbin/tcpdump is owned by the group pcap. What am I missing?

Christian Disch
  • 81

2 Answers2

3

After some experimenting, here is what finally worked for me:

sudo visudo

at the very END* of the sudoers file, enter this:

your_username ALL = NOPASSWD: /usr/sbin/tcpdump

(replace your_username with your username, write the changes to disk close the editor)

open a new terminal and run sudo tcpdump. It no longer asks for a password.

*putting the new rule at the end avoids that it might be overwritten by other rules.

Christian Disch
  • 81
0

I do not have enough reputation to leave a comment, but it seems that you have a mistake in the binary paths.

In the commands chgrp and chmod you use the path /usr/sbin/tcpdump (notice the /usr at the beginning). But in the error you seem to try to run the executable /sbin/tcpdump (without the /usr at the beginning.)

Try to run the command which tcpdump to find the path to the binary you are calling when running the tcpdump command and then use this path at the chgrp and chmod commands.

I just used the commands at your post with the correct path (i.e. the one given by which tcpdump) and it worked for my in Ubuntu 22.04 installation.

By the way, this is proper way to run tcpdump. You should run it as a user. Running it as root or with sudo is dangerous.

Foivos
  • 19
  • 1
    I think you have enough in here to warrant it being an attempt at an answer, rather than a comment. However, I also think you're wrong here ;-). /sbin is simply a symlink to /usr/sbin (see ls -l /) in Ubuntu (and most other distros), so either is correct (and the same) in this case. In other words, this seems to be unlikely to be a solution to the OP's problem. – NotTheDr01ds Sep 14 '23 at 11:05
  • Also, can you provide reference for the statement that, "Running it as root or with sudo is dangerous"? Most all examples that I could find from highly reputable sources used sudo. Thanks! – NotTheDr01ds Sep 14 '23 at 11:05
  • You are right both paths are the same directory. In this case, I do not know why it worked in my case and not in the OP's case.

    Here is a short reference about why you should avoid running tcpdump (and in general any executable) as root if you can avoid it: https://www.securityartwork.es/2012/06/18/tcpdump-drop-privileges-2/

    Recent versions of tcpdump seem to have some safeguards when the user runs them as root, since by default they use the relinquish-privileges flag.

     – Foivos Sep 14 '23 at 11:26
  • 1
    Thanks - I'm glad it did work for you, of course ;-). – NotTheDr01ds Sep 14 '23 at 12:01