# [SOLVED] wireshark doesn't launch as user anymore

## queen

I made 2 changes yesterday to USE flags of wireshark. Today I rebooted and I can't launch wireshark anymore as user. The error is 

```
dumpcap: There are no interfaces on which a capture can be done
dumpcap: cap_set_proc() fail return: Operation not permitted
dumpcap: cap_set_proc() fail return: Operation not permitted
dumpcap: There are no interfaces on which a capture can be done
```

I checked with ifconfig -a and eth0 is up, I even have IP.  

I can launch it as root and see the interfaces but even as root it has lots of errors. 

```
14:19:12          Warn /root/.wireshark/preferences line 1167: No such preference "gsm_map.old_gsm_map_version" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2321: No such preference "user_dlt_a.dlt" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2326: No such preference "user_dlt_a.special_encap" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2330: No such preference "user_dlt_a.payload" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2334: No such preference "user_dlt_a.header_size" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2338: No such preference "user_dlt_a.trailer_size" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2342: No such preference "user_dlt_a.header_proto" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2346: No such preference "user_dlt_a.trailer_proto" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2351: No such preference "user_dlt_b.dlt" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2356: No such preference "user_dlt_b.special_encap" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2360: No such preference "user_dlt_b.payload" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2364: No such preference "user_dlt_b.header_size" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2368: No such preference "user_dlt_b.trailer_size" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2372: No such preference "user_dlt_b.header_proto" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2376: No such preference "user_dlt_b.trailer_proto" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2381: No such preference "user_dlt_c.dlt" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2386: No such preference "user_dlt_c.special_encap" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2390: No such preference "user_dlt_c.payload" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2394: No such preference "user_dlt_c.header_size" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2398: No such preference "user_dlt_c.trailer_size" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2402: No such preference "user_dlt_c.header_proto" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2406: No such preference "user_dlt_c.trailer_proto" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2411: No such preference "user_dlt_d.dlt" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2416: No such preference "user_dlt_d.special_encap" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2420: No such preference "user_dlt_d.payload" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2424: No such preference "user_dlt_d.header_size" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2428: No such preference "user_dlt_d.trailer_size" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2432: No such preference "user_dlt_d.header_proto" (applying your preferences once should remove this warning)
14:19:12          Warn /root/.wireshark/preferences line 2436: No such preference "user_dlt_d.trailer_proto" (applying your preferences once should remove this warning)
dumpcap: cap_set_proc() fail return: Operation not permitted
dumpcap: cap_set_proc() fail return: Operation not permitted
dumpcap: cap_set_proc() fail return: Operation not permitted
dumpcap: cap_set_proc() fail return: Operation not permitted
```

I thought that the latest changes created a problem with /bin/su

```
-rws--x--x 1 root root 26772 2008-03-03 21:00 /bin/su
```

```
[I] net-analyzer/wireshark
     Available versions:  1.0.3 [M]~1.1.0 {adns c-ares caps gcrypt gnutls gtk ipv6 kerberos lua pcap pcre portaudio profile selinux smi threads zlib}
     Installed versions:  1.0.3(10:32:49 PM 09/27/2008)(caps gcrypt gnutls gtk ipv6 kerberos lua pcap pcre zlib -adns -portaudio -profile -selinux -smi -threads)
     Homepage:            http://www.wireshark.org/
     Description:         A network protocol analyzer formerly known as ethereal
```

```
dumpcap uses obsolete (PF_INET,SOCK_PACKET)
```

Any ideas how to fix it?

*Last edited by queen on Sun Oct 05, 2008 6:06 am; edited 1 time in total*

----------

## barbar

Do you have a group wireshark and does your user belong to this group?

----------

## queen

 *barbar wrote:*   

> Do you have a group wireshark and does your user belong to this group?

 

Yes, I have and I belong to this group. I tried to emerge again without caps use flag and it didn't help either.

I think that it's the dumpcap library that does all the problems.

----------

## smerf

Post output of:

```
stat `which dumpcap`
getcap `which dumpcap`
```

Run dumpcap as normal user, any errors? Do you have capabilities turned on in the kernel? Try stracing dumpcap if it fails.

----------

## queen

 *smerf wrote:*   

> Post output of:
> 
> stat `which dumpcap`
> 
> getcap `which dumpcap`
> ...

 

```
# stat `which dumpcap`
  File: `/usr/bin/dumpcap'
  Size: 50880           Blocks: 104        IO Block: 4096   regular file
Device: 803h/2051d      Inode: 8272293     Links: 1
Access: (6550/-r-sr-s---)  Uid: (    0/    root)   Gid: ( 1019/wireshark)
Access: 2008-10-04 15:12:42.000000000 +0300
Modify: 2008-10-04 15:12:49.000000000 +0300
Change: 2008-10-04 15:13:00.000000000 +0300
queen ~ # getcap `which dumpcap`
-su: getcap: command not found
queen~ #
```

As a user:

```
dumpcap
dumpcap: cap_set_proc() fail return: Operation not permitted
dumpcap: cap_set_proc() fail return: Operation not permitted
dumpcap: There are no interfaces on which a capture can be done
```

I don't see anything in the kernel related to dumpcap. What should I look for in the kernel? All this started to happen after enabling 2 more use flags.

Started to run strace. Here are the things that pop up and look suspicious.

```
ioctl(3, SIOCGIFINDEX, {ifr_name="eth0", ifr_index=3}) = 0
bind(3, {sa_family=AF_PACKET, proto=0x03, if3, pkttype=PACKET_HOST, addr(0)={0, }, 20) = 0
getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
setsockopt(3, SOL_PACKET, PACKET_ADD_MEMBERSHIP, "\3\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
capset(0x19980330, 0, {0, 0, 0})        = -1 EPERM (Operation not permitted)
write(2, "dumpcap: ", 9dumpcap: )                = 9
write(2, "cap_set_proc() fail return: Oper"..., 51cap_set_proc() fail return: Operation not permitted) = 51
write(2, "\n", 1
)                       = 1
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCGIFADDR, {ifr_name="eth0", ifr_addr={AF_INET, inet_addr("87.69.129.239")}}) = 0
ioctl(4, SIOCGIFNETMASK, {ifr_name="eth0", ifr_netmask={AF_INET, inet_addr("255.255.255.0")}}) = 0
close(4)                                = 0
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0\210\203\344\267", 8) = 0
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
recv(3, 0xbf9ade5b, 1, MSG_TRUNC)       = -1 EAGAIN (Resource temporarily unavailable)
```

----------

## smerf

There is nothing related to dumpcap in the kernel. I meant CAPABILITIES, not PACKET CAPTURE! Try:

```
grep CAPABILITIES [path_to_kernel_config_file]
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_FILE_CAPABILITIES=y
```

What flags have you turned on?

You probably don't have capabilities compiled in the kernel, hence capset fails:

```
capset(0x19980330, 0, {0, 0, 0})        = -1 EPERM (Operation not permitted)
```

With cap_net_raw and cap_net_admin dumpcap does not even need to be suid.

(setcap is in sys-libs/libcap - not to be confused with net-libs/libpcap)

See http://www.securityfocus.com/infocus/1400 and many other articles for details.

See /usr/include/linux/capability.h for possible capabilities.

----------

## queen

 *smerf wrote:*   

> There is nothing related to dumpcap in the kernel. I meant CAPABILITIES, not PACKET CAPTURE! Try:
> 
> ```
> grep CAPABILITIES [path_to_kernel_config_file]
> 
> ...

 

```
grep CAPABILITIES /usr/src/linux/.config
# CONFIG_SECURITY_CAPABILITIES is not set
```

I will add it. I turned on USE flags kerberos and gcrypt.

----------

## queen

I solved the problem. I enabled capabilities in the kernel. After that I emerged again wireshark. 

Interesting, it worked fine before that, even without these settings in the kernel.

----------
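The checks smerf asks for in this thread (kernel capability options, the setuid bit from `stat`, and the `getcap` line) combined into one diagnostic, as an added example that is not part of any post. It assumes a kernel that still exposes the two `CONFIG_` options quoted above; the function names and verdict strings are made up for illustration.

```shell
#!/bin/sh
# Added example. All inputs are arguments so saved output can be checked offline.

config_on() {            # config_on CONFIG_FILE OPTION
    grep -q "^$2=y\$" "$1"
}

is_setuid() {            # is_setuid OCTAL_MODE, e.g. 6550 from stat
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

has_effective_cap() {    # has_effective_cap GETCAP_LINE CAP_NAME
    # The name must sit in a clause whose flags include "e" (effective);
    # matches both "caps+eip" and "caps=eip" getcap styles.
    printf '%s\n' "$1" | grep -Eq "$2[^ ]*[+=][ip]*e"
}

diagnose() {             # diagnose CONFIG_FILE OCTAL_MODE GETCAP_LINE
    if ! config_on "$1" CONFIG_SECURITY_CAPABILITIES; then
        echo kernel-capabilities-missing      # capset() fails with EPERM
    elif config_on "$1" CONFIG_SECURITY_FILE_CAPABILITIES &&
         has_effective_cap "$3" cap_net_raw &&
         has_effective_cap "$3" cap_net_admin; then
        if is_setuid "$2"; then
            echo file-caps-present-setuid-redundant
        else
            echo file-caps-only
        fi
    elif is_setuid "$2"; then
        echo setuid-root-only
    else
        echo no-capture-privilege
    fi
}

# Constructed sample input mirroring the thread: option unset, mode 6550.
sample_cfg=$(mktemp)
printf '%s\n' '# CONFIG_SECURITY_CAPABILITIES is not set' > "$sample_cfg"
diagnose "$sample_cfg" 6550 ''       # kernel-capabilities-missing
rm -f "$sample_cfg"
```

On a live system the arguments would come from the kernel config path, `stat -c %a` on dumpcap, and the `getcap` output for the same file.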

