# Tcpdump as regular user

## Kobboi

Is it possible to run tcpdump as a regular user? I am a member of the wireshark and tcpdump groups. I can capture with wireshark but don't see anything with tcpdump. Also some TCL libraries we use at work for automation give me "Socket: Operation not permitted" messages. Although it's my own machine, I'd like to do it without becoming root. Using libpcap-0.9.8-r1.

----------

## Hu

In a default install, /usr/sbin/tcpdump is mode 755.  Thus, you can run it as a normal user, but it will not receive any special privileges.  Normal users lack permission to capture packets.  In short, you cannot do it without running tcpdump with the CAP_NET_RAW capability.  Wireshark has the same restriction, but you notice it less since it uses a setuid helper.

If you really want to avoid switching to root, you could make a setuid root wrapper to invoke tcpdump for you.  However, incorrectly implemented setuid wrappers are a common source of privilege escalation bugs.

----------

## Kobboi

Interesting, I had never heard about capabilities before. Is it a property of a process or a user? Is there an easy way to enable only that capability for a process or user? Edit: man capabilities, but extra input/insight welcomed, especially if related to my problem.

----------

## Hu

Capabilities are an attempt at avoiding the all-or-nothing power of superuser versus regular user.  Capabilities are per process, and some kernel changes coming in the next year or so should make it more interesting.  For now, you will still need a root privileged process somewhere in the chain, either via setuid root or by running a root shell.

You may be able to have a setuid root wrapper that drops all capabilities not needed by tcpdump, and then execs tcpdump.  The capabilities documentation implies that this will not work, but I have not tried this.  I cannot be sure whether it would work or be free of potential security side effects.

----------
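The wrapper Hu sketches in both replies (a setuid-root launcher that sheds everything except what tcpdump needs, then execs it), written out as an added example. This is not code from the thread or from the tcpdump project. It is Linux-only and assumes tcpdump lives at /usr/sbin/tcpdump. Hu's doubt about whether capabilities survive the exec was well founded for the kernels of the time: permitted and effective sets are recomputed at execve from the target's file capabilities, and tcpdump has none, so the inherited sets alone are thrown away. The example relies on the ambient capability set (Linux 4.3 and later), which is the one set that does carry across execve into a binary without file capabilities.

```c
/* Added example: setuid-root launcher that keeps only CAP_NET_RAW and
 * CAP_NET_ADMIN, returns to the invoking user, and execs tcpdump.
 * Linux-only; needs kernel 4.3+ for PR_CAP_AMBIENT.  TCPDUMP_PATH is
 * an assumption about the install location, not taken from the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef PR_CAP_AMBIENT              /* older glibc headers lack these */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif

#define TCPDUMP_PATH "/usr/sbin/tcpdump"   /* assumed install path */

/* Policy: CAP_NET_RAW opens the packet socket, CAP_NET_ADMIN is what
 * promiscuous mode (tcpdump without -p) needs.  Nothing else is kept. */
static int keep_cap(int cap)
{
    return cap == CAP_NET_RAW || cap == CAP_NET_ADMIN;
}

/* Bitmask of the kept capabilities, in the form capset(2) expects in
 * the first 32-bit data word (both kept caps are below bit 32). */
static uint32_t kept_mask(void)
{
    uint32_t mask = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (keep_cap(cap))
            mask |= 1u << cap;
    return mask;
}

/* glibc has no capset() wrapper; call the raw syscall with v3 structs.
 * Sets effective, permitted and inheritable all to exactly `mask`. */
static int capset_exact(uint32_t mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].effective = data[0].permitted = data[0].inheritable = mask;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Must start as root (setuid).  On success the process runs as the real
 * user with the kept caps in permitted, effective, inheritable and
 * ambient, a bounding set holding nothing else, and no_new_privs set.
 * Returns 0, or -1 with errno set. */
static int drop_to_capture_caps(void)
{
    uid_t uid = getuid();           /* real ids of the invoking user */
    gid_t gid = getgid();

    /* Keep the permitted set across the uid change below. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) < 0)
        return -1;

    /* Shrink the bounding set while CAP_SETPCAP is still effective, so
     * nothing exec'd later can regain a dropped capability from file caps.
     * EINVAL means the running kernel predates that cap number; ignore. */
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (!keep_cap(cap) &&
            prctl(PR_CAPBSET_DROP, (long)cap, 0L, 0L, 0L) < 0 && errno != EINVAL)
            return -1;

    /* Become the real user in real, effective and saved ids.  With
     * KEEPCAPS the permitted set survives; the effective set is cleared. */
    if (setresgid(gid, gid, gid) < 0 || setresuid(uid, uid, uid) < 0)
        return -1;

    /* Lower permitted to the kept mask and re-raise it in effective and
     * inheritable.  Lowering needs no privilege; the inheritable bits are
     * allowed because they are already in permitted and the bounding set. */
    if (capset_exact(kept_mask()) < 0)
        return -1;

    /* Ambient caps are the only set that survives execve into a binary
     * with no file caps; a cap can only be raised here if it is in both
     * permitted and inheritable, which the capset above guarantees. */
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (keep_cap(cap) &&
            prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (long)cap, 0L, 0L) < 0)
            return -1;

    /* tcpdump (and anything it runs) must not gain privilege via setuid
     * bits or file caps later on. */
    return prctl(PR_SET_NO_NEW_PRIVS, 1L, 0L, 0L, 0L);
}

int main(int argc, char **argv)
{
    (void)argc;
    if (drop_to_capture_caps() < 0) {
        perror("capture-wrapper: privilege reduction failed");
        return 1;
    }
    /* Do not pass the caller's environment through a privileged launcher;
     * give tcpdump a fixed, minimal one instead. */
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };
    argv[0] = TCPDUMP_PATH;
    execve(TCPDUMP_PATH, argv, envp);
    perror("capture-wrapper: execve");
    return 1;
}
```

Install it as `chown root:tcpdump wrapper; chmod 4750 wrapper` so only members of the tcpdump group can run it, then check the result from inside a capture with `grep Cap /proc/$(pgrep tcpdump)/status`: CapEff, CapPrm, CapInh, CapBnd and CapAmb should all read 0000000000003000 (bits 12 and 13). On a kernel and filesystem that support file capabilities, `setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump` grants the same two capabilities to every invocation of tcpdump without any setuid binary at all; the wrapper is for the case where file capabilities are unavailable or you want the grant restricted to one group.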

