Bug 1013234

Summary: wireshark's USB capture does not work
Product: [Fedora] Fedora Reporter: Mansour Behabadi <mansour>
Component: wiresharkAssignee: Peter Hatina <phatina>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: huzaifas, lemenkov, phatina, rvokal, tsmetana
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: wireshark-1.10.3-8.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-18 14:42:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch to fix the bug (quick and dirty - not recommended) none

Description Mansour Behabadi 2013-09-28 16:33:48 UTC
Description of problem:

wireshark cannot see the usb_mon interfaces despite the user being a member of wireshark group.


Version-Release number of selected component (if applicable): 1.10.2-7


How reproducible: always


Steps to Reproduce:
1. Install wireshark
2. Add yourself to wireshark group:
 $ su -c 'usermod -a -G wireshark <username>'
3. Get the list of interfaces wireshark can capture on:
 $ dumpcap -D

Actual results: Only ethernet interfaces are shown


Expected results: usbmon* interfaces should also be shown


Additional info:

usbmon module is builtin to the kernel that ships with fedora and debugfs is mounted by default, the only requirements that wireshark states in their documentation.

Comment 1 Mansour Behabadi 2013-09-28 16:43:14 UTC
Created attachment 804458 [details]
patch to fix the bug (quick and dirty - not recommended)

The issue is that dumpcap cannot read the relevant dev files (ie it only has cap_net_raw and cap_net_admin capabilities - run `getcap /usr/sbin/dumpcap`).

The fix (patch attached) I have found is to allow dumpcap to have read capability (cap_dac_read_search). This does seem a little too permissive (ie dumpcap can read any file anywhere) and maybe a SELinux policy would be a better choice here to only give wireshark access to what it needs.

Running `strace dumpcap -D`, following devs are accessed by wireshark on my machine, all of which are denied access:

/sys/bus/usb/devices
/sys/kernel/debug/usb/usbmon/1t
/sys/kernel/debug/usb/usbmon/2t
/sys/kernel/debug/usb/usbmon/3t
/sys/kernel/debug/usb/usbmon/4t
/dev/usbmon1
/dev/usbmon2
/dev/usbmon3
/dev/usbmon4

Comment 2 Mansour Behabadi 2013-11-08 15:56:03 UTC
Just saw an update (1.10.3) to wireshark for f19, with no news on this bug. Has this been looked into yet?

Comment 3 Peter Lemenkov 2013-11-08 15:58:02 UTC
(In reply to Mansour Behabadi from comment #2)
> Just saw an update (1.10.3) to wireshark for f19, with no news on this bug.
> Has this been looked into yet?

Mansour, this should work now - please test it and report about the results.

Comment 4 Mansour Behabadi 2013-11-09 06:46:07 UTC
Tested 1.10.3-2 and issue is still present.

Comment 5 Peter Lemenkov 2013-11-09 06:58:27 UTC
(In reply to Mansour Behabadi from comment #4)
> Tested 1.10.3-2 and issue is still present.

Ah, sorry - that was fix for a different issue. This one is still unresolved. 

Mansour, please wait a bit more - it's better for maintainers to submit the current build (which fixes a bunch of CVEs) into stable. We'll try to deal with this bug right after that.

Comment 6 Peter Hatina 2013-12-10 11:52:12 UTC
The issue is fixed in wireshark-1.10.3-8.fc21.

When the package is installed, system group "usbmon" will be added, if not present. Members of that group are able to read /dev/usbmon*.

So, to make unprivileged user capture network/usb traffic, add such user to groups wireshark and usbmon.

Comment 7 Peter Lemenkov 2013-12-18 14:42:27 UTC
Works for me!