$ tcpdump
tcpdump: wifi01: You don't have permission to capture on that device
- But it appears a person can make a pcap group and get access to their card. E.g., let's say the card is wifi01.
# groupadd pcap
# usermod -a -G pcap user
- Now this appears to be the tricky part. We're already members of tcpdump; however, now we're going to change the group and permissions of the tcpdump binary over to pcap's control. (Note: this may not be necessary if my user is already a member of the tcpdump group.)
# chgrp pcap /bin/tcpdump
# chmod 750 /bin/tcpdump
- Finally, we have to use setcap to set file capabilities. Not sure if this is permanent.
# setcap cap_net_raw,cap_net_admin=eip /bin/tcpdump
- But I had to repeat the process for /usr/bin/tcpdump before it would work.
# chgrp pcap /usr/bin/tcpdump
# chmod 750 /usr/bin/tcpdump
# setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
- This worked:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wifi01, link-type EN10MB (Ethernet), capture size 262144 bytes
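Because a binary carrying cap_net_raw lets anyone who can execute it sniff traffic, the chgrp/chmod steps above are what keep the grant scoped. The following POSIX shell audit is an added example (not part of the original notes): it walks getcap output, handles both libcap output styles, and flags capture-capable binaries that are world-executable or not owned by the restricted group; it assumes Linux with libcap's getcap and GNU stat, the group name pcap from above, and constructed sample lines in the comments.

```shell
#!/bin/sh
# Added example: audit binaries that carry file capabilities (assumes Linux
# with libcap's getcap and GNU stat; the restricted group is the page's "pcap").
# Split one getcap line into "path|caps". Both libcap output styles are handled:
#   older libcap: /usr/bin/tcpdump = cap_net_admin,cap_net_raw+eip   (constructed)
#   newer libcap: /usr/bin/tcpdump cap_net_admin,cap_net_raw=eip     (constructed)
parse_getcap_line() {
    line=$1
    case $line in
        *" = "*) path=${line%% = *}; caps=${line#* = } ;;
        *)       path=${line%% *};   caps=${line#* } ;;
    esac
    printf '%s|%s\n' "$path" "$caps"
}

# Judge one capability-bearing file.
# Args: caps string, octal mode (e.g. 750), owning group, expected group.
# Prints a one-line verdict; returns 0 when safely scoped, 1 when it is not.
judge_binary() {
    caps=$1 mode=$2 group=$3 want=$4
    case $caps in
        *cap_net_raw*|*cap_net_admin*) ;;
        *) printf 'OK   no capture capabilities (%s)\n' "$caps"; return 0 ;;
    esac
    other=${mode#"${mode%?}"}            # last octal digit = "other" bits
    if [ $((other & 1)) -eq 1 ]; then
        printf 'WARN world-executable (mode %s) with %s\n' "$mode" "$caps"
        return 1
    fi
    if [ "$group" != "$want" ]; then
        printf 'WARN group %s, expected %s, with %s\n' "$group" "$want" "$caps"
        return 1
    fi
    printf 'OK   group %s, mode %s, %s\n' "$group" "$mode" "$caps"
}

# Walk the given directories with getcap -r and judge every hit.
audit_system() {
    command -v getcap >/dev/null 2>&1 || { echo 'getcap not installed'; return 0; }
    getcap -r "$@" 2>/dev/null | while IFS= read -r line; do
        rec=$(parse_getcap_line "$line")
        path=${rec%%|*}; caps=${rec#*|}
        mode=$(stat -c %a "$path"); group=$(stat -c %G "$path")
        printf '%s: ' "$path"
        judge_binary "$caps" "$mode" "$group" pcap || :
    done
}

if [ $# -gt 0 ]; then audit_system "$@"; fi   # usage: sh audit_caps.sh /usr/bin /usr/sbin
```

setcap stores the capability set in the file's security.capability extended attribute, so it survives reboots but not a replacement of the binary (a package upgrade, for example), which is when this audit is worth rerunning.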
- However, with the tcpdump backend configured, I went to Wireshark to get to CSV so I could parse it. Wireshark saves to PCAP: save it as some PCAP file. Once saved, I could export to CSV and whittle it down.