Bug 1013234 - wireshark's USB capture does not work
wireshark's USB capture does not work
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: wireshark (Show other bugs)
rawhide
Unspecified Linux
unspecified Severity medium
: ---
: ---
Assigned To: Peter Hatina
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-28 12:33 EDT by Mansour Behabadi
Modified: 2016-05-31 21:32 EDT (History)
5 users (show)

See Also:
Fixed In Version: wireshark-1.10.3-8.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-18 09:42:27 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to fix the bug (quick and dirty - not recommended) (570 bytes, patch)
2013-09-28 12:43 EDT, Mansour Behabadi
no flags Details | Diff

  None (edit)
Description Mansour Behabadi 2013-09-28 12:33:48 EDT
Description of problem:

wireshark cannot see the usb_mon interfaces despite the user being a member of wireshark group.


Version-Release number of selected component (if applicable): 1.10.2-7


How reproducible: always


Steps to Reproduce:
1. Install wireshark
2. Add yourself to wireshark group:
 $ su -c 'usermod -a -G wireshark <username>'
3. Get the list of interfaces wireshark can capture on:
 $ dumpcap -D

Actual results: Only ethernet interfaces are shown


Expected results: usbmon* interfaces should also be shown


Additional info:

usbmon module is builtin to the kernel that ships with fedora and debugfs is mounted by default, the only requirements that wireshark states in their documentation.
Comment 1 Mansour Behabadi 2013-09-28 12:43:14 EDT
Created attachment 804458 [details]
patch to fix the bug (quick and dirty - not recommended)

The issue is that dumpcap cannot read the relevant dev files (ie it only has cap_net_raw and cap_net_admin capabilities - run `getcap /usr/sbin/dumpcap`).

The fix (patch attached) I have found is to allow dumpcap to have read capability (cap_dac_read_search). This does seem a little too permissive (ie dumpcap can read any file anywhere) and maybe a SELinux policy would be a better choice here to only give wireshark access to what it needs.

Running `strace dumpcap -D`, following devs are accessed by wireshark on my machine, all of which are denied access:

/sys/bus/usb/devices
/sys/kernel/debug/usb/usbmon/1t
/sys/kernel/debug/usb/usbmon/2t
/sys/kernel/debug/usb/usbmon/3t
/sys/kernel/debug/usb/usbmon/4t
/dev/usbmon1
/dev/usbmon2
/dev/usbmon3
/dev/usbmon4
Comment 2 Mansour Behabadi 2013-11-08 10:56:03 EST
Just saw an update (1.10.3) to wireshark for f19, with no news on this bug. Has this been looked into yet?
Comment 3 Peter Lemenkov 2013-11-08 10:58:02 EST
(In reply to Mansour Behabadi from comment #2)
> Just saw an update (1.10.3) to wireshark for f19, with no news on this bug.
> Has this been looked into yet?

Mansour, this should work now - please test it and report about the results.
Comment 4 Mansour Behabadi 2013-11-09 01:46:07 EST
Tested 1.10.3-2 and issue is still present.
Comment 5 Peter Lemenkov 2013-11-09 01:58:27 EST
(In reply to Mansour Behabadi from comment #4)
> Tested 1.10.3-2 and issue is still present.

Ah, sorry - that was fix for a different issue. This one is still unresolved. 

Mansour, please wait a bit more - it's better for maintainers to submit the current build (which fixes a bunch of CVEs) into stable. We'll try to deal with this bug right after that.
Comment 6 Peter Hatina 2013-12-10 06:52:12 EST
The issue is fixed in wireshark-1.10.3-8.fc21.

When the package is installed, system group "usbmon" will be added, if not present. Members of that group are able to read /dev/usbmon*.

So, to make unprivileged user capture network/usb traffic, add such user to groups wireshark and usbmon.
Comment 7 Peter Lemenkov 2013-12-18 09:42:27 EST
Works for me!

Note You need to log in before you can comment on or make changes to this bug.