Run Wireshark in openSUSE as non-root user

There are two aspects of using Wireshark in openSUSE: capturing packets and displaying packets. To display packets or view pcap files you don’t need to run Wireshark as root. You also don’t need to do anything extra other than installing it. However, to capture packets you need root privileges. If you don’t have root privileges or want to capture packets as your regular user then you need a few extra steps.

Install Wireshark: sudo zypper install wireshark

Run Wireshark as non-root user to view captures

There is one caveat to running Wireshark in openSUSE as non-root user: when you run Wireshark from the GUI (say GNOME Shell) you are prompted to enter the root password. There’s a simple workaround to this by creating a local wireshark.desktop file, copied from /usr/share/applications/wireshark.desktop, with a slight modification.

mkdir -p /home/cguser/.local/share/applications
sed -e 's!Exec=/usr/bin/xdg-su -c /usr/bin/wireshark %f!Exec=/usr/bin/wireshark %f!g' /usr/share/applications/wireshark.desktop > /home/cguser/.local/share/applications/wireshark.desktop

In the command above we are creating a copy of /usr/share/applications/wireshark.desktop and saving it to /home/cguser/.local/share/applications/wireshark.desktop. The one change we make is to execute Wireshark as a regular user and not as root. You’ll have to do this for all non-root users who need to run Wireshark.

Now when you start Wireshark as a regular (non-root) user you’ll be able to display packets without providing root credentials.

Run Wireshark as non-root user to capture packets

This portion was taken from "Sniffing with Wireshark as a Non-Root User". Read that page first before proceeding.

Install setcap to set the capabilities of /usr/bin/dumpcap: sudo zypper install libcap-progs

Create a new group wireshark to restrict users who can use Wireshark to capture packets: sudo groupadd wireshark

Add your user to the wireshark group to be able to capture packets: sudo usermod -a -G wireshark cguser

Change the group of dumpcap to wireshark: sudo chgrp wireshark /usr/bin/dumpcap

Change the permissions of dumpcap to only allow users in wireshark group to be able to run it: sudo chmod o-rwx /usr/bin/dumpcap

Set the capabilities required by dumpcap to run since its group is no longer root: sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

View the capabilities of dumpcap to confirm they were set correctly: getcap /usr/bin/dumpcap

/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

Log out and log in again to finalize the addition of your user to the wireshark group.

Now when you start Wireshark as a regular (non-root) user you’ll be able to capture packets without providing root credentials.

Note: This was tested working in openSUSE 13.1.
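
The check below is an added example, not part of the original post: it audits the result of the capture steps above from the values that stat, getcap and id report, and accepts both getcap output styles (the "= caps+eip" form shown above and the "caps=eip" form printed by newer libcap). The function names audit_dumpcap and audit_live are hypothetical, and the sample values at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the dumpcap setup.
# audit_dumpcap GROUP MODE GETCAP_LINE SESSION_GROUPS
#   GROUP, MODE    : stat -c %G and stat -c %a of /usr/bin/dumpcap
#   GETCAP_LINE    : output of getcap /usr/bin/dumpcap
#   SESSION_GROUPS : output of id -nG in the session that will run Wireshark
# Prints one finding per line and returns 0 only when there are none.
audit_dumpcap() {
    group=$1 mode=$2 caps_line=$3 session_groups=$4 rc=0

    [ "$group" = wireshark ] ||
        { echo "group is '$group', expected wireshark (chgrp step)"; rc=1; }

    # Last octal digit is the permission set for "other"; chmod o-rwx makes it 0.
    case $mode in
        *0) ;;
        *)  echo "mode $mode still lets other users run dumpcap (chmod step)"; rc=1 ;;
    esac

    # Older getcap prints "<file> = caps+eip", newer libcap prints "<file> caps=eip".
    spec=${caps_line##* }          # last field: "cap_a,cap_b+eip" or "cap_a,cap_b=eip"
    flags=${spec##*[+=]}           # text after the operator
    names=${spec%[+=]*}            # comma-separated capability names
    sorted=$(printf '%s\n' "$names" | tr ',' '\n' | sort | tr '\n' ',')
    if [ "$sorted" != "cap_net_admin,cap_net_raw," ] || [ "$flags" != eip ]; then
        echo "capabilities are '${spec:-none}', expected cap_net_admin,cap_net_raw with eip (setcap step)"
        rc=1
    fi

    # Group membership only reaches a session after logging out and in again.
    case " $session_groups " in
        *" wireshark "*) ;;
        *) echo "this session is not in the wireshark group (usermod step, then re-login)"; rc=1 ;;
    esac
    return $rc
}

# Run against the real system (hypothetical helper; needs stat, getcap and id).
audit_live() {
    bin=${1:-/usr/bin/dumpcap}
    audit_dumpcap "$(stat -c %G "$bin")" "$(stat -c %a "$bin")" "$(getcap "$bin")" "$(id -nG)"
}

# Constructed sample: the state the steps above should produce.
audit_dumpcap wireshark 750 '/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip' \
    'users wireshark' && echo "dumpcap setup OK"
```

Call audit_live as the regular user after logging back in; it reads the live session's groups, so it reports a missing wireshark group until the re-login has happened.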

One Response to Run Wireshark in openSUSE as non-root user

  1. Steve says:

    Thanks for a great tutorial. Works well on 13.2. I did make one error and added my user name instead of cguser, thinking I needed to replace cguser with my user name for the YaST user group management!! I have left it and just ran the command as you listed it. Will that be a problem do you think? Anyway again, many thanks for a very clear tutorial. All the best – Steve.
