Wireshark: Accessing USB Bus Interfaces without sudo

sudo usb wireshark

I am trying to monitor some USB traffic using Wireshark on Linux (Ubuntu). If I start Wireshark as my normal user without root privileges, the USB bus interfaces are not listed. If I sudo wireshark though, I do see the USB bus interfaces. This is perhaps best illustrated using the dumpcap command to list the available capture interfaces:

~$ dumpcap -D

1. eth0
2. any (Pseudo-device that captures on all interfaces)
3. lo

versus

~$ sudo dumpcap -D

1. eth0
2. usbmon1 (USB bus number 1)
3. usbmon2 (USB bus number 2)
4. usbmon3 (USB bus number 3)
5. usbmon4 (USB bus number 4)
6. usbmon5 (USB bus number 5)
7. usbmon6 (USB bus number 6)
8. usbmon7 (USB bus number 7)
9. usbmon8 (USB bus number 8)
10. any (Pseudo-device that captures on all interfaces)
11. lo

Is there a way I can configure Wireshark so that I don't have to run as root to get access to the USB bus interfaces? I've previously followed a guide to set up Wireshark so that I don't have to run it as root to see the Ethernet interfaces, so I'm wondering whether it's simply a matter of changing permissions on some other executable to be able to see USB interfaces without running as root…

Best Answer

  • Yes, you just need to add another capability to the dumpcap utility. CAP_DAC_OVERRIDE gives the ability to override permission checks on files, and allows dumpcap to access the files necessary for the USB capture. It's not a beautiful solution, but it's far better than running the entire Wireshark as root. Since you've already done most of the work, you just need to run this last command.

    sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_DAC_OVERRIDE+eip' /usr/bin/dumpcap

    Read the reply from Evan Huus on this bug report for some more information:

    https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/893828
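
To check the result of the `setcap` command in the answer above, the following added script (not part of the original answer or of Wireshark) verifies that dumpcap carries the three capabilities and is not executable by every local user, which matters because CAP_DAC_OVERRIDE bypasses file permission checks. The function name `check_dumpcap`, the `wireshark` group name and the sample lines in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a capability-enabled dumpcap.
# Assumption: only root and one capture group (here "wireshark") should be
# able to execute dumpcap once it holds CAP_DAC_OVERRIDE.

# check_dumpcap GETCAP_LINE OCTAL_MODE GROUP WANT_GROUP
# Prints findings; returns 0 only if all three capabilities are present
# and execution is restricted to WANT_GROUP.
check_dumpcap() {
    line=$1; mode=$2; group=$3; want_group=$4; rc=0
    # Drop the path and the flag suffixes. Handles both getcap layouts:
    #   "/usr/bin/dumpcap = cap_x,cap_y+eip"  and  "/usr/bin/dumpcap cap_x,cap_y=eip"
    names=$(printf '%s\n' "$line" |
        sed -e 's/^[^ ]* *//' -e 's/^= *//' -e 's/[+=][eip]*//g' -e 's/ /,/g')
    for cap in cap_net_raw cap_net_admin cap_dac_override; do
        case ",$names," in
            *",$cap,"*) ;;
            *) echo "MISSING: $cap"; rc=1 ;;
        esac
    done
    # Last octal digit holds the permissions for "other"; odd means executable.
    other=${mode#"${mode%?}"}
    if [ $((other & 1)) -ne 0 ]; then
        echo "RISK: any local user can run dumpcap with its capabilities"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "RISK: group is '$group', expected '$want_group'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: capabilities present, execution restricted to $want_group"
    return "$rc"
}

# Live use: sh audit.sh /usr/bin/dumpcap   (needs getcap and GNU stat)
if [ $# -gt 0 ]; then
    check_dumpcap "$(getcap "$1")" "$(stat -c %a "$1")" "$(stat -c %G "$1")" wireshark
fi
```

If the script reports a RISK line, restricting the binary to the capture group (owner root, mode 750) removes it without giving up non-root USB capture.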
