Run Wireshark in openSUSE as non-root user
June 3, 2014
There are two aspects of using Wireshark in openSUSE: capturing packets and displaying packets. To display packets or view pcap files you don’t need to run Wireshark as root. You also don’t need to do anything extra other than installing it. However, to capture packets you need root privileges. If you don’t have root privileges or want to capture packets as your regular user then you need a few extra steps.
sudo zypper install wireshark
Run Wireshark as non-root user to view captures
There is one caveat to running Wireshark in openSUSE as non-root user: when you run Wireshark from the GUI (say GNOME Shell) you are prompted to enter the root password. The workaround is to create a local wireshark.desktop file, copied from /usr/share/applications/wireshark.desktop, with a slight modification.
sed -e 's!Exec=/usr/bin/xdg-su -c /usr/bin/wireshark %f!Exec=/usr/bin/wireshark %f!g' /usr/share/applications/wireshark.desktop > /home/cguser/.local/share/applications/wireshark.desktop
In the command above we are creating a copy of /usr/share/applications/wireshark.desktop and saving it to /home/cguser/.local/share/applications/wireshark.desktop. The one change we make is to execute Wireshark as a regular user and not as root. You’ll have to do this for all non-root users who need to run Wireshark.
Now when you start Wireshark as a regular (non-root) user you’ll be able to display packets without providing root credentials.
Run Wireshark as non-root user to capture packets
This portion was taken from Sniffing with Wireshark as a Non-Root User. Read that page first before proceeding.
Install libcap-progs, which provides setcap, to set the capabilities of /usr/bin/dumpcap:
sudo zypper install libcap-progs
Create a new group wireshark to restrict users who can use Wireshark to capture packets:
sudo groupadd wireshark
Add your user to the wireshark group to be able to capture packets:
sudo usermod -a -G wireshark cguser
Change the group of dumpcap to wireshark:
sudo chgrp wireshark /usr/bin/dumpcap
Change the permissions of dumpcap to only allow users in wireshark group to be able to run it:
sudo chmod o-rwx /usr/bin/dumpcap
Set the capabilities required by dumpcap to run since its group is no longer root:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
View the capabilities of dumpcap to confirm they were set correctly:
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
Log out and log in again to finalize the addition of your user to the wireshark group.
Now when you start Wireshark as a regular (non-root) user you’ll be able to capture packets without providing root credentials.
Note: This was tested working in openSUSE 13.1.
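The capture setup above (group, mode, capabilities, group membership) can be checked in one pass. The script below is an added example, not part of the original post; its function names and the --audit argument are hypothetical, and it assumes stat, getcap and id are on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# caps_ok LINE: LINE is what getcap prints for dumpcap. Accepts the
# "path = caps+eip" form shown above and the "path caps=eip" form that
# other libcap versions print; capability order does not matter.
caps_ok() {
    spec=${1##* }          # last field, e.g. cap_net_admin,cap_net_raw+eip
    caps=${spec%%[+=]*}    # capability names before the + or =
    flags=${spec##*[+=]}   # flag letters after it
    [ "$flags" = "eip" ] || return 1
    sorted=$(printf '%s\n' "$caps" | tr ',' '\n' | sort | paste -sd, -)
    [ "$sorted" = "cap_net_admin,cap_net_raw" ]
}

# perms_ok "MODE GROUP", as printed by: stat -c '%a %G' FILE
perms_ok() {
    mode=${1%% *}; group=${1##* }
    [ "$group" = "wireshark" ] || return 1
    case $mode in
        *[1357]0) return 0 ;;   # group can execute, "other" has no access
        *)        return 1 ;;
    esac
}

# in_group "GROUP LIST", as printed by: id -nG USER
in_group() {
    case " $1 " in
        *" wireshark "*) return 0 ;;
        *)               return 1 ;;
    esac
}

# audit [BINARY] [USER]: run all three checks against the live system.
audit() {
    bin=${1:-/usr/bin/dumpcap}; user=${2:-$(id -un)}; rc=0
    perms_ok "$(stat -c '%a %G' "$bin")" || { echo "FAIL: group or mode of $bin"; rc=1; }
    caps_ok "$(getcap "$bin")" || { echo "FAIL: capabilities of $bin"; rc=1; }
    in_group "$(id -nG "$user")" || { echo "FAIL: $user is not in group wireshark"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $bin is set up for non-root capture by $user"
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit "${2:-}" "${3:-}"; fi
```

id -nG USER reads the group database, so the membership check passes right after usermod; run plain id -nG in your session to see whether the new login has picked the group up.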