Bug 1013234 - wireshark's USB capture does not work
Summary: wireshark's USB capture does not work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: wireshark
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Peter Hatina
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-28 16:33 UTC by Mansour Behabadi
Modified: 2016-06-01 01:32 UTC (History)
5 users (show)

Fixed In Version: wireshark-1.10.3-8.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-18 14:42:27 UTC
Type: Bug


Attachments (Terms of Use)
patch to fix the bug (quick and dirty - not recommended) (570 bytes, patch)
2013-09-28 16:43 UTC, Mansour Behabadi
no flags Details | Diff

Description Mansour Behabadi 2013-09-28 16:33:48 UTC
Description of problem:

wireshark cannot see the usb_mon interfaces despite the user being a member of wireshark group.


Version-Release number of selected component (if applicable): 1.10.2-7


How reproducible: always


Steps to Reproduce:
1. Install wireshark
2. Add yourself to wireshark group:
 $ su -c 'usermod -a -G wireshark <username>'
3. Get the list of interfaces wireshark can capture on:
 $ dumpcap -D

Actual results: Only ethernet interfaces are shown


Expected results: usbmon* interfaces should also be shown


Additional info:

usbmon module is builtin to the kernel that ships with fedora and debugfs is mounted by default, the only requirements that wireshark states in their documentation.

Comment 1 Mansour Behabadi 2013-09-28 16:43:14 UTC
Created attachment 804458 [details]
patch to fix the bug (quick and dirty - not recommended)

The issue is that dumpcap cannot read the relevant dev files (ie it only has cap_net_raw and cap_net_admin capabilities - run `getcap /usr/sbin/dumpcap`).

The fix (patch attached) I have found is to allow dumpcap to have read capability (cap_dac_read_search). This does seem a little too permissive (ie dumpcap can read any file anywhere) and maybe a SELinux policy would be a better choice here to only give wireshark access to what it needs.

Running `strace dumpcap -D`, following devs are accessed by wireshark on my machine, all of which are denied access:

/sys/bus/usb/devices
/sys/kernel/debug/usb/usbmon/1t
/sys/kernel/debug/usb/usbmon/2t
/sys/kernel/debug/usb/usbmon/3t
/sys/kernel/debug/usb/usbmon/4t
/dev/usbmon1
/dev/usbmon2
/dev/usbmon3
/dev/usbmon4

Comment 2 Mansour Behabadi 2013-11-08 15:56:03 UTC
Just saw an update (1.10.3) to wireshark for f19, with no news on this bug. Has this been looked into yet?

Comment 3 Peter Lemenkov 2013-11-08 15:58:02 UTC
(In reply to Mansour Behabadi from comment #2)
> Just saw an update (1.10.3) to wireshark for f19, with no news on this bug.
> Has this been looked into yet?

Mansour, this should work now - please test it and report about the results.

Comment 4 Mansour Behabadi 2013-11-09 06:46:07 UTC
Tested 1.10.3-2 and issue is still present.

Comment 5 Peter Lemenkov 2013-11-09 06:58:27 UTC
(In reply to Mansour Behabadi from comment #4)
> Tested 1.10.3-2 and issue is still present.

Ah, sorry - that was fix for a different issue. This one is still unresolved. 

Mansour, please wait a bit more - it's better for maintainers to submit the current build (which fixes a bunch of CVEs) into stable. We'll try to deal with this bug right after that.

Comment 6 Peter Hatina 2013-12-10 11:52:12 UTC
The issue is fixed in wireshark-1.10.3-8.fc21.

When the package is installed, system group "usbmon" will be added, if not present. Members of that group are able to read /dev/usbmon*.

So, to make unprivileged user capture network/usb traffic, add such user to groups wireshark and usbmon.

Comment 7 Peter Lemenkov 2013-12-18 14:42:27 UTC
Works for me!


Note You need to log in before you can comment on or make changes to this bug.