Wireshark-dev: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group permissions)
A better way would be to run dumpcap as setuid-root ("chmod 4750
/usr/local/bin/dumpcap" would be one way). Then you could run dumpcap
as a normal user (at least one who is a member of the 'wireshark'
group--assuming you keep the ownership of the dumpcap utility the same).
Then with "-g" the files would come out group-readable (actually
they'd also come out readable by the user who started dumpcap :-)).
FWIW I fixed the man pages in r46513. I added this "-g" argument to
tshark at the same time.
On 12/11/2012 04:32 PM, John Powell wrote:
Think I have the solution - chmod g+s <capture directory> and then chgrp
wireshark <capture directory>
then using dumpcap -g will set the read bit on the group and it looks
like I am set.
Thanks Mike and Jeff!
On Tue, Dec 11, 2012 at 2:09 PM, <jrp999@xxxxxxxxx> wrote:
Sorry mike!
Sent from my BlackBerry® wireless handheld
-----Original Message-----
From: jrp999@xxxxxxxxx
Date: Tue, 11 Dec 2012 20:09:22
To: Developer Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Reply-To: jrp999@xxxxxxxxx
Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group permissions)
Hi Bill,
Thanks for the clarification, that makes sense.
I am running dumpcap as a service - do you have any suggestions on
how to make the dumpcap buffer files have user-defined group
permissions?
Thanks in advance!
-John
Sent from my BlackBerry® wireless handheld
-----Original Message-----
From: Michael Tuexen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Sender: wireshark-dev-bounces@wireshark.org
Date: Tue, 11 Dec 2012 20:39:01
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Reply-To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group permissions)
On Dec 11, 2012, at 8:24 PM, John Powell wrote:
> Hi Jeff,
>
> I must be missing something.
>
> I set dumpcap permissions to:
>
> # ls -l /usr/local/bin/dumpcap
> -rwxr-xr-- 1 root wireshark 230157 Dec 11 10:40 /usr/local/bin/dumpcap
>
> and the dumpcap command is:
>
> root /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g wireshark -b filesize:250000 -b duration:900 -w /var/opt/data/captures.cap
After looking at the code, I think you misunderstood the -g option.
As far as I see, you can't specify the group, you can just allow the
group to read the file.
So, for example:
dumpcap -w test0.pcapng
and then
dumpcap -g -w test1.pcapng
results in
[mba:~/Documents/wireshark/trunk] tuexen% ls -l test?.pcapng
-rw------- 1 tuexen staff 324 Dec 11 20:37 test0.pcapng
-rw-r----- 1 tuexen staff 532 Dec 11 20:37 test1.pcapng
So as you see, you can't specify the group, but control if the group
members can read the file.
Best regards
Michael
>
> I also tried
>
> root /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g -b filesize:250000 -b duration:900 -w /var/opt/data/captures.cap
>
> but the ring buffer files still end up "root root".
>
> ]# ls /var/opt/data/captures/* -l
> -rw-r----- 1 root root 111542192 Dec 11 13:19 /var/
>
> Thoughts??
>
> Any guidance will be appreciated!
>
> Thanks!
>
> -John
>
> On Tue, Dec 11, 2012 at 1:11 PM, John Powell <jrp999@xxxxxxxxx> wrote:
> Hi Jeff,
>
> After you said that I did DUMPCAP -h and behold there it was!!
>
> Thanks so much for all of the work you do on this project!!
>
> -John
>
>
> On Tue, Dec 11, 2012 at 12:59 PM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
> John Powell wrote:
> Hi,
>
> I need to set the group permissions for files created by DumpCap.
>
> In this post I see the option " -g " is supposed to exist
> (http://www.engardelinux.org/modules/index/list_archives.cgi?list=wireshark-users&page=0016.html&month=2010-09)
>
> > > The file permissions are hardcoded in the source code. I have added
> > > the option '-g' to dumpcap to enable group read access as this can
> > > indeed be handy when (automatically) capturing to a ringbuffer.
> > >
> > > To be able to use this feature, you will have to use an automated
> > > build[1] with a number higher than 33978 (available in a couple of
> > > hours) or wait for the next 1.5.x development release.
> > >
> > > Cheers,
> > >
> > >
> > > Sake
>
>
> Can someone please point me to how I can get a version that has
> access to this option?
>
> You'd need Wireshark 1.6.0 or later. The current version (1.8.4)
> would be your best bet.
>
> BTW I noticed that this option is not listed in dumpcap's man
> page; I'll correct that shortly.
>
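
Added example, not part of the original thread and not Wireshark project code: a shell audit of the setup the thread arrives at (capture directory chgrp'd to the intended group with g+s, ring-buffer files written with -g so they come out -rw-r-----). The function names are hypothetical, GNU coreutils `stat -c` is assumed, and the demo uses a constructed temporary directory with the caller's own gid standing in for the 'wireshark' group.

```shell
#!/bin/sh
# Added example: audit a capture directory set up as described in the thread.
# Assumes GNU coreutils stat (-c); GROUP may be a group name or a numeric gid.

has_group() {   # has_group PATH GROUP
    [ "$(stat -c %G "$1")" = "$2" ] || [ "$(stat -c %g "$1")" = "$2" ]
}

# audit_capture_dir DIR GROUP: one finding per line, returns 0 if none.
audit_capture_dir() {
    acd_bad=0
    has_group "$1" "$2" || { echo "DIR $1: group is not $2"; acd_bad=1; }
    # Without setgid on the directory, new files get the creator's group.
    if [ $(( 0$(stat -c %a "$1") & 02000 )) -eq 0 ]; then
        echo "DIR $1: setgid bit missing"; acd_bad=1
    fi
    for acd_f in "$1"/*; do
        [ -f "$acd_f" ] || continue
        acd_mode=$(stat -c %a "$acd_f")
        has_group "$acd_f" "$2" || { echo "FILE $acd_f: group is not $2"; acd_bad=1; }
        # -rw-r----- (640) is what -g produces; -rw------- (600) is the default.
        if [ $(( 0$acd_mode & 0040 )) -eq 0 ]; then
            echo "FILE $acd_f: not group-readable"; acd_bad=1
        fi
        if [ $(( 0$acd_mode & 0007 )) -ne 0 ]; then
            echo "FILE $acd_f: accessible to others (mode $acd_mode)"; acd_bad=1
        fi
    done
    return $acd_bad
}

# Constructed demo: a temp directory stands in for the capture directory and
# the caller's own gid stands in for the 'wireshark' group.
demo() {
    demo_dir=$(mktemp -d); demo_gid=$(id -g)
    chgrp "$demo_gid" "$demo_dir"; chmod 2750 "$demo_dir"
    ( umask 077; : > "$demo_dir/without_g.pcapng" )
    ( umask 077; : > "$demo_dir/with_g.pcapng"; chmod 640 "$demo_dir/with_g.pcapng" )
    audit_capture_dir "$demo_dir" "$demo_gid" && demo_rc=0 || demo_rc=$?
    rm -rf "$demo_dir"
    return $demo_rc
}

if [ $# -eq 2 ]; then audit_capture_dir "$1" "$2"; else demo || true; fi
```

Run with a directory and group as arguments to audit a real capture directory; with no arguments it runs the constructed demo.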