Monday, February 13, 2017

tcpdump in userspace

Typically, you need root permission to run tcpdump:
$ tcpdump
tcpdump: wifi01: You don't have permission to capture on that device
but it appears you can make a pcap group and give its members access to the card. E.g., let's say the card is wifi01.

what worked

  1. # groupadd pcap
    # usermod -a -G pcap user
  2. Now this appears to be the tricky part. We're already members of the tcpdump group; however, we're now going to change the group ownership and permissions of the tcpdump binary over to pcap's control. (Note: this may not be necessary if my user is already a member of the tcpdump group.)
    # chgrp pcap /bin/tcpdump
    # chmod 750 /bin/tcpdump
  3. Finally, we have to use setcap to set file capabilities. Not sure if this is permanent.
    # setcap cap_net_raw,cap_net_admin=eip /bin/tcpdump
  4. But I had to repeat the process for /usr/bin/tcpdump before it would work.
    # chgrp pcap /usr/bin/tcpdump
    # chmod 750 /usr/bin/tcpdump
    # setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
  5. This worked:
    $ tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wifi01, link-type EN10MB (Ethernet), capture size 262144 bytes
  6. However, with the tcpdump backend configured, I went to Wireshark to get to CSV so I could parse it. Wireshark saves to PCAP: save the capture as a PCAP file. Once saved, I could export it to CSV and whittle it down.
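As an added example (not from the original post), here is a small POSIX shell audit that checks a binary against the policy the steps above establish: exactly cap_net_admin,cap_net_raw with flags eip, mode 750, and group pcap, so that a forgotten chgrp/chmod (which would let every local user capture) shows up. The policy and audit functions are my own; they assume the two getcap output formats shown in the comments and GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a capability-bearing
# binary against the policy the post set up:
#   caps  == cap_net_admin,cap_net_raw with flags eip
#   mode  == 750 (group can run it, others cannot) and group == pcap
# Pure string checks, so it can be exercised without root or a real setcap.

# getcap has printed two formats over the years; normalise both to
# "<caps> <flags>" (getcap lists caps in numeric order, net_admin first):
#   older libcap:  /usr/bin/tcpdump = cap_net_admin,cap_net_raw+eip
#   newer libcap:  /usr/bin/tcpdump cap_net_admin,cap_net_raw=eip
parse_getcap() {
    rest=${1#* }                 # strip the path (assumes no spaces in it)
    rest=${rest#= }              # older style: strip the "= " separator
    printf '%s %s\n' "${rest%%[+=]*}" "${rest##*[+=]}"
}

# check_policy <getcap line> <octal mode> <group>
# Returns 0 when everything matches, 1 otherwise, printing each deviation.
check_policy() {
    parsed=$(parse_getcap "$1")
    caps=${parsed% *}
    flags=${parsed#* }
    rc=0
    [ "$caps" = "cap_net_admin,cap_net_raw" ] ||
        { echo "unexpected capability set: $caps"; rc=1; }
    [ "$flags" = "eip" ] ||
        { echo "unexpected flag set: $flags"; rc=1; }
    # World-executable plus file caps means every local user can sniff;
    # the chgrp/chmod steps are what confine that to the pcap group.
    case $2 in
        750) ;;
        *)   echo "mode is $2, expected 750"; rc=1 ;;
    esac
    [ "$3" = "pcap" ] ||
        { echo "group is $3, expected pcap"; rc=1; }
    return $rc
}

# audit_binary <path>: run the check against a live system
# (needs getcap from libcap and GNU stat).
audit_binary() {
    line=$(getcap "$1" 2>/dev/null) || { echo "getcap not available"; return 2; }
    [ -n "$line" ] || { echo "$1 carries no file capabilities"; return 1; }
    check_policy "$line" "$(stat -c %a "$1")" "$(stat -c %G "$1")"
}

# Example: audit_binary /usr/bin/tcpdump
```

Run `audit_binary` on both /bin/tcpdump and /usr/bin/tcpdump, since the post needed the change on both paths.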