Red Hat Bugzilla – Bug 1013234
wireshark's USB capture does not work
Last modified: 2016-05-31 21:32:07 EDT
Description of problem:
wireshark cannot see the usb_mon interfaces despite the user being a member of wireshark group.
Version-Release number of selected component (if applicable): 1.10.2-7
How reproducible: always
Steps to Reproduce:
1. Install wireshark
2. Add yourself to wireshark group:
$ su -c 'usermod -a -G wireshark <username>'
3. Get the list of interfaces wireshark can capture on:
$ dumpcap -D
Actual results: Only ethernet interfaces are shown
Expected results: usbmon* interfaces should also be shown
The usbmon module is built into the kernel that ships with Fedora, and debugfs is mounted by default; these are the only requirements that wireshark states in their documentation.
Created attachment 804458
patch to fix the bug (quick and dirty - not recommended)
The issue is that dumpcap cannot read the relevant dev files (i.e. it only has the cap_net_raw and cap_net_admin capabilities - run `getcap /usr/sbin/dumpcap`).
The fix (patch attached) I have found is to allow dumpcap to have read capability (cap_dac_read_search). This does seem a little too permissive (i.e. dumpcap can read any file anywhere) and maybe a SELinux policy would be a better choice here to only give wireshark access to what it needs.
Running `strace dumpcap -D`, the following devs are accessed by wireshark on my machine, all of which are denied access:
Just saw an update (1.10.3) to wireshark for f19, with no news on this bug. Has this been looked into yet?
(In reply to Mansour Behabadi from comment #2)
> Just saw an update (1.10.3) to wireshark for f19, with no news on this bug.
> Has this been looked into yet?
Mansour, this should work now - please test it and report about the results.
Tested 1.10.3-2 and issue is still present.
(In reply to Mansour Behabadi from comment #4)
> Tested 1.10.3-2 and issue is still present.
Ah, sorry - that was a fix for a different issue. This one is still unresolved.
Mansour, please wait a bit more - it's better for maintainers to submit the current build (which fixes a bunch of CVEs) into stable. We'll try to deal with this bug right after that.
The issue is fixed in wireshark-1.10.3-8.fc21.
When the package is installed, system group "usbmon" will be added, if not present. Members of that group are able to read /dev/usbmon*.
So, to let an unprivileged user capture network/USB traffic, add that user to the groups wireshark and usbmon.
Works for me!
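
The two approaches discussed in this bug (a broad file capability on dumpcap versus group-readable /dev/usbmon* nodes) can be audited with a few shell helpers. This is an added example, not code from the bug report or the wireshark package; the function names are hypothetical, the sample inputs are constructed, and the node check assumes GNU `stat -c '%G %a'` output.

```shell
#!/bin/sh
# Added example: offline-testable checks for the setup described in this bug.
# Function names are hypothetical; sample inputs at the bottom are constructed.

# classify_caps LINE -> minimal | broad | none | unexpected:<cap>
# LINE is one line of `getcap /usr/sbin/dumpcap` output (old or new libcap format).
classify_caps() {
    caps=$(printf '%s\n' "$1" | grep -oE 'cap_[a-z_]+' | sort -u)
    [ -n "$caps" ] || { echo none; return 0; }
    for c in $caps; do
        case $c in   # capabilities that bypass file permission checks
            cap_dac_read_search|cap_dac_override) echo broad; return 0 ;;
        esac
    done
    for c in $caps; do
        case $c in   # the two capabilities the report says dumpcap ships with
            cap_net_admin|cap_net_raw) ;;
            *) echo "unexpected:$c"; return 0 ;;
        esac
    done
    echo minimal
}

# missing_groups "GROUPS" -> whichever of wireshark/usbmon the user lacks.
# GROUPS is the output of `id -nG <username>`.
missing_groups() {
    out=
    for need in wireshark usbmon; do
        case " $1 " in *" $need "*) ;; *) out="$out $need" ;; esac
    done
    echo "${out# }"
}

# classify_node "GROUP MODE" -> ok | wrong-group | no-group-read | world-readable
# Input is the output of `stat -c '%G %a' /dev/usbmon0`.
classify_node() {
    group=${1% *}; mode=${1#* }
    [ "$group" = usbmon ] || { echo wrong-group; return 0; }
    [ $(( 0$mode & 4 )) -eq 0 ] || { echo world-readable; return 0; }
    [ $(( (0$mode >> 3) & 4 )) -ne 0 ] || { echo no-group-read; return 0; }
    echo ok
}

# Constructed sample inputs (not taken from the bug report).
classify_caps '/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+ep'
classify_caps '/usr/sbin/dumpcap cap_dac_read_search,cap_net_admin,cap_net_raw=ep'
missing_groups 'alice wheel wireshark'
classify_node 'usbmon 640'
classify_node 'root 600'
```

On a live system, feed the functions the real output of `getcap /usr/sbin/dumpcap`, `id -nG <username>` and `stat -c '%G %a' /dev/usbmon0`.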