Okay, just did some playing around, and I now have wireshark/dumpcap configured to use a password from my user account. (This is to prevent someone from using a trojan running as you to sniff your packets, if you’ve set up dumpcap to run setuid root, or with linux capabilities.)

To start wireshark, I run:

$ sudo -g netcap /usr/bin/wireshark

This prompts me for my own password the first time I run it, then sudo credentials take effect for whatever policy you have set on your system.

Instructions for making this happen on Linux Mint 17.2:

0) Read all these instructions and make sure you understand them before actually running them. If you have any concerns about them, check with someone you trust. If you break your system, you get to keep both parts, etc.

1) create a netcap system user:

$ sudo addgroup netcap

*don’t add yourself to the group* — by default, you _don’t_ want to be in the netcap group.

2) You can either use sudoers or newgrp to acquire group netcap permissions. Here’s the sudoers way:

In /etc/sudoers.d, create a text file with no “~” or “.” in the name (for instance, “netcap”), and add a line like this:

scott ALL = (:netcap) /usr/bin/dumpcap, /usr/bin/wireshark

(Replace “scott” with your own username.)

What this does is tells sudo that you can sudo to the netcap group for running either dumpcap directly, or running wireshark.

3) Use Linux permissions to only allow users in the group “netcap” to run /usr/bin/dumpcap or /usr/bin/wireshark (for good measure):

$ cd /usr/bin
$ sudo chgrp netcap dumpcap wireshark
$ sudo chmod o-rwx dumpcap wireshark

4) Enable the necessary Linux capabilities on dumpcap:

$ sudo setcap ‘CAP_NET_RAW+eip CAP_NET_ADMIN+eip’ /usr/bin/dumpcap

5) Double check that dumpcap is set up properly:

$ ls -l /usr/bin/dumpcap
-rwxr-x— 1 root netcap 77080 Mar 10 2014 /usr/bin/dumpcap

$ getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

6) Finally, make sure it works:

$ sudo -g netcap /usr/bin/wireshark


You could also make dumpcap setuid root, but that’s overkill, and not recommended. wireshark uses dumpcap to access interfaces, so wireshark doesn’t require any special permissions on its own. DON’T RUN WIRESHARK AS ROOT.

Let me know what you think.


An acquaintance has brought up the possibility of keyloggers grabbing sudo passwords.  Prevent that with:

$ SUDO_ASKPASS=/usr/bin/ssh-askpass sudo -A -g netcap wireshark

Script it, and you’re good to go. ­čÖé