117

A standard installation of Wireshark doesn't give the program permission to access the network interface.

I suppose I have to run the program with sudo, but do not know how to add it to the icon - if that's the way to do it.

Tim
  • 32,861
  • 27
  • 118
  • 178
Sven AA
  • 1,173
  • Are you talking about WireShark? If not, can you link to the application's home page so we can see what you're talking about. Thanks. – Oli Oct 31 '11 at 12:23
  • Actually, he's probably talking about Wireshark rather than WireShark. :-) –  May 01 '14 at 21:47
  • You could try the tcpdump tool in Linux if wireshark is giving you too much trouble. – warfreak92 Nov 15 '17 at 15:24
  • For me it's OK to run: First: sudo dpkg-reconfigure wireshark-common, select yes, then: sudo chmod +x /usr/bin/dumpcap – EsmaeelE Apr 07 '20 at 20:08

4 Answers

182

For WireShark there's a better way. The bit that normally needs root is the packet collection application and this can be configured to allow certain people to use it without sudo, gksu, etc.

In a terminal (very important that you're in a terminal, not just the Alt+F2 dialogue) run this:

sudo dpkg-reconfigure wireshark-common

This will ask you if you want to allow non-root users to be able to sniff. That's what we're aiming for, so select Yes and hit return.

Reconfiguring wireshark-common

This adds a wireshark group. Anybody in that group will be able to sniff without being root. This is obviously more secure than just letting anybody sniff but does mean there's no password checking. Technically any person with access to a computer logged in with a wireshark account will be able to sniff. If that's acceptable to you, carry on.

If not, run that again and select no.

Then you just need to add the user to that group. Run this:

sudo adduser $USER wireshark

And restart or log out. When you're back in it should let you start sniffing without any fuss about being root.

lgarzo
  • 19,832
Oli
  • 293,335
  • 2
    Any way to skip restart/logout step? – Taha Jahangir Dec 07 '13 at 13:53
  • 4
    This solution stopped working in 14.04 – Janghou May 01 '14 at 08:32
  • 2
    @Janghou Still works for me. Did you add your user to the wireshark group and restart? – Oli May 01 '14 at 09:59
  • @Oli, I upgraded from 13.10 and it stopped working. I tried now again and after a restart it worked (with some hassle). Thx. – Janghou May 01 '14 at 11:05
  • 12
    And, yes, it's definitely a much better way than running Wireshark as root. The README.packaging file in the Wireshark source says "WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT." –  May 01 '14 at 21:49
  • 1
    @TahaJahangir no, groups are applied on login, so you need to re-login for group changes to take effect. – kraxor Jul 01 '14 at 00:38
  • +1 for info about adduser for wireshark. – S.M.Mousavi Jun 28 '16 at 11:14
  • 7
    @TahaJahangir If restart/logout is inconvenient, you can use the newgrp wireshark command to temporarily enter the group after you have become a member of the wireshark group. – Lekensteyn Mar 14 '17 at 14:25
  • 3
    @TahaJahangir and Oli: Much more convenient than logging out is to use su - $USER as described at Reload a Linux user's group assignments without logging out - Super User – nealmcb Apr 13 '17 at 02:56
  • 1
    @TahaJahangir & Lekensteyn -- The newgrp command changes your primary group id. That denied me access to key mounted filesystems. Much more reliable to use su - username. – will Sep 24 '19 at 04:53
  • It just bothers me that this dialog window says both "This is recommended" and "this may be a security risk ... it is suggested to leave it disabled". The conflicting statements are confusing, and even had me wondering if the "it" that it's referring to in both sentences are one and the same. – jewbix.cube Dec 17 '19 at 22:55
13

Really, you do not need to launch WireShark as root. Please read the official page. In brief, you should do:

sudo groupadd wireshark
sudo usermod -a -G wireshark $USER
sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod o-rx /usr/bin/dumpcap
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
sudo getcap /usr/bin/dumpcap

Then log-out and log-in again.

Note: this method was tested on 16.04 LTS, 17.10 and 18.04 LTS.

N0rbert
  • 99,918
pyprism
  • 377
  • 1
  • 7
  • 16
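
As an added example (not code from either answer above or from the Wireshark project), this script checks the result of the two setups: that dumpcap belongs to the wireshark group, is closed to other users, carries both capabilities, and whether the group membership is already active in the current session or still waiting for a re-login. The function names are made up for this example, and the live mode assumes GNU stat and getcap are installed.

```shell
#!/bin/sh
# Added example: audit the non-root capture setup from the answers above.
# The file path and group name default to the ones used on this page.

# check_dumpcap MODE GROUP CAPS [WANT_GROUP]
#   MODE   octal mode, as printed by `stat -c %a FILE`
#   GROUP  owning group, as printed by `stat -c %G FILE`
#   CAPS   output of `getcap FILE` (layout differs between libcap versions,
#          so only the capability names are matched, not the +eip flags)
# Prints one FAIL line per problem; returns 0 when clean, 1 otherwise.
check_dumpcap() {
    local mode="$1" group="$2" want="${4:-wireshark}" caps c bad=0
    caps=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ "$group" = "$want" ] || { echo "FAIL: group is '$group', not '$want'"; bad=1; }
    # A non-zero last digit means users outside the group can still reach it.
    case $mode in
        *0) ;;
        *) echo "FAIL: mode $mode grants access outside the group"; bad=1 ;;
    esac
    for c in cap_net_raw cap_net_admin; do
        case $caps in
            *"$c"*) ;;
            *) echo "FAIL: $c is not set"; bad=1 ;;
        esac
    done
    return "$bad"
}

# group_state GROUP SESSION_GROUPS DB_GROUPS
#   SESSION_GROUPS  output of `id -nG` (groups of the running session)
#   DB_GROUPS       output of `id -nG "$USER"` (looked up in the group database)
group_state() {
    case " $2 " in *" $1 "*) echo active; return 0 ;; esac
    case " $3 " in *" $1 "*) echo relogin-needed; return 0 ;; esac
    echo not-member
}

# Live audit; run the script with --live on the machine being checked.
audit_live() {
    local bin="${1:-/usr/bin/dumpcap}" grp="${2:-wireshark}"
    [ -e "$bin" ] || { echo "$bin not found"; return 2; }
    check_dumpcap "$(stat -c %a "$bin")" "$(stat -c %G "$bin")" \
        "$(getcap "$bin")" "$grp"
    echo "membership: $(group_state "$grp" "$(id -nG)" "$(id -nG "$(id -un)")")"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

A result of relogin-needed means the user is in the group database but the running session predates the change, which is the situation the comments about logging out describe.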
4

You can also run Wireshark with root privileges by running gksu wireshark from the terminal.

Note that there are security concerns with running Wireshark in this mode, namely that any exploit that compromises Wireshark now has root privileges rather than user privileges. This is more of a concern with Wireshark than other applications because, by its very nature (capturing and processing arbitrary input), Wireshark is more vulnerable to exploits than typical desktop applications. You are probably safe on a SOHO network, but you should be aware of this concern before proceeding.


lofidevops
  • 20,924
  • I just configured it with --enable-setcap-install flag then I can't do this. – Smile.Hunter Dec 23 '12 at 00:26
  • This is far more dangerous and more problematic, because there are far more exploitable bugs when running the full gui as root, and configuration issues can crop up when a gui program runs as root. See the dpkg-reconfigure solution above for a much better option. – nealmcb Jan 15 '13 at 23:53
  • For desktop users, I consider this to be a workaround. When you sudo the app, all files it creates have root permission, and you need to constantly keep changing file permissions to make them available to your current user in your home directory. For server and sysadmins in general, sudo is actually the best approach. – JulioHM Feb 26 '13 at 15:07
  • 1
    @JulioHM Running Wireshark as root is dangerous for everyone, including server and sysadmins. – kraxor Jul 01 '14 at 00:42
  • 2
    At approximately line 40 of Wireshark's doc/README.packaging file, it says "WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT." Take that statement very seriously. –  Aug 10 '14 at 07:48
2

You can try this also: open the terminal and run this command

# setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

run wireshark as a non-root user

muru
  • 197,895
  • 55
  • 485
  • 740
vik
  • 21