There are no interfaces on which a capture can be done
I’m using Ubuntu 13.04. Wireshark won’t show me any logs, won’t function at all. I’m connected to my WiFi, Belkin router.
5 Answers 5
Open a terminal by pressing Ctrl + Alt + T and type the following commands:
sudo dpkg-reconfigure wireshark-common press the right arrow and enter for yes
sudo chmod +x /usr/bin/dumpcap you should now be able to run it without root and you will be able to capture.
+1. It works on 14.04 too. Note: the docs say: «capturing USB packets is not enabled for non-root users by using Linux Capabilities. You have to capture the packets using the method described in I./a., setting the set-user-id permanently using dpkg-statoverride or running Wireshark as root.»
It would be great help for newbies, if you can also describe as to what’s being done with above commands that make it work
chmod +x makes dumpcap executable to everyone. An alternative would be to add users you want to permit capture into wireshark group.
The «No interface can be used for capturing in this system with the current configuration» message commonly appears when you don’t have the privileges to access the network interfaces for monitoring. Try opening a terminal and running gksudo wireshark. If several network interfaces appear, it’s because when you run wireshark without root permissions you don’t have the privileges to monitor.
To fix that, run the following command in a terminal:
sudo setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_DAC_OVERRIDE+eip /usr/bin/dumpcap «Try opening a terminal and running gksudo wireshark.» Please note that this document says «WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.» before doing that. Do the sudo setcap command instead — or use sudo dpkg-reconfigure wireshark-common to have the package set the capabilities for you.
When I tried to run wireshark I was getting this error:
Couldn't run /usr/bin/dumpcap in child process: Permission denied so I used to run it as root, which disabled LUA. The pop-up window informing me that the LUA has been disabled was so annoying, that I tried to fix it.
first off I checked privileges by running
-rwxr-xr-- 1 root wireshark 96464 Jan 24 10:31 /usr/bin/dumpcap this was obvious, that’s what Wireshark has been telling me. So I just changed the owner from root to my acc
sudo chown -R $LOGNAME /usr/bin/dumpcap Which worked, I can now run wireshark without root
Googled “couldn’t run /usr/bin/dumpcap in child process” and found this question:
Which is marked as duplicate and brought me here. The proposed solution is:
sudo chmod +x /usr/bin/dumpcap The above command really works, but I would like to add a security WARNING. That will allow packet capture for ALL USERS on the system. It can be a temporary solution, but not desired as permanent solution.
I followed the instructions from wireshark page about about capture privileges:
They RECOMMEND restrict dumpcap execution to a specific group or user.
I followed those instructions (with adaptations):
Setting network privileges for dumpcap if your kernel and file system support file capabilities
- Ensure that you have installed the necessary tools, such as the setcap command. sudo setcap ‘CAP_NET_RAW+eip CAP_NET_ADMIN+eip’ /usr/bin/dumpcap
(NOTE: Replace /usr/bin with /usr/sbin in case you receive an error that indicates that dumpcap isn’t in /usr/bin)
- Start Wireshark as non-root and ensure you see the list of interfaces and can do live capture. (I IGNORED THIS INSTRUCTION. DID NOT WORK FOR ME)
Setting network privileges for dumpcap if your kernel and file system don’t support file capabilities
In this case, you will need to make dumpcap set-UID to root.
sudo chown root /usr/bin/dumpcap (NOTE: Replace /usr/bin with /usr/sbin in this command and the next command in case you receive an error that indicates that dumpcap isn’t in /usr/sbin)
sudo chmod u+s /usr/bin/dumpcap
Limiting capture permission to only one group
After having set dumpcap’s network privileges:
- Create user «wireshark» in group «wireshark». sudo chgrp wireshark /usr/sbin/dumpcap sudo chmod o-rx /usr/sbin/dumpcap
- Ensure Wireshark works only from root and from a user in the «wireshark» group (I DID THIS STEP ONLY IN THE END — NOT OVER YET)
And finally, two more steps:
sudo dpkg-reconfigure wireshark-common Log out ALL interfaces for the user (including ssh which was my biggest mistake) and log in again.
Hopefully, you should start wireshark and see all the interfaces as a regular user (not using sudo)
And if you check the file permissions
It allows ONLY the USER and the GROUP to execute
Ubuntu machine — no interfaces listed
I’ve tried the procedures listed in the CaptureSetup/CapturePrivileges, and the Debian specific file, but still see no interfaces. I saw an earlier post referring to bpf* file permissions, but this appears to only be relevant to Mac OS X users. I’m running Ubuntu 10.04 LTS. Any ideas?
asked 20 Nov ’11, 18:13
mrcpuhead
246 ● 3 ● 3 ● 5
accept rate: 0%
Hope i’m not stating the obvious here. Wireshark will only see interfaces that are actually active, are they? use ‘ifconfig’ on the prompt to see use ‘ifconfig eth0 up’ to activate then check wireshark again
Yes, the eth0 interface is quite active!
I had the same problem. I couldn’t figure out the specific files/devices that needed permissions in Ubuntu, so I resorted to:
I didn’t mind running as root since I was in a VM.
Sorry, had to ask 🙂 2nd obvious thing then would be to see if it would run under sudo..
While this might work (and is fine inside a VM), it should generally be avoided. The http://wiki.wireshark.org/CaptureSetup/CapturePrivileges article lays out what needs to be done, and file:///usr/share/doc/wireshark-common/README.Debian is the relevant document in this case.
Haven’t tried sudo yet — I’m willing to be it’ll work — just didn’t want to run wireshark that way if I didn’t have to.
As I mentioned in my orig post, I went to the aforementioned pages, and did what they said, with no luck. The problem is that the README.Debian page doesn’t really give the needed steps, it only states in general what you need to do. I’m comfortable enough with Linux to run through most any procedure. This one simply didn’t work. I even tried the «Other linux based. » steps: I verified wireshark group membership, group ownership of the dumpcap file, and the setcap command. No joy!
- Did you install Wireshark via a package ( apt-get install wireshark or similar) or from source?
- What are the user and group ownership and file permissions of /usr/bin/dumpcap (as provided by ls -l /usr/bin/dumpcap )?
- Did the setcap command result in any error output?
- What command do you execute to launch wireshark (if you use a launcher, what command does it execute)? If it is just wireshark , what is the output of file $(which wireshark) ?
Edit: Also, have you verified group membership in wireshark, and logged out and back in at least once?
For all you non Linux people like me. I just copied the icon to the desktop, then right clicked and opened as root. This opened the contain folder and I launched it (double Clicked) from there. Wireshark then prompted me it was running as root. I may become a Linux user yet.
As per the comment by @helloworld above running Wireshark as root is not a good idea. Wireshark contains millions of lines of code and the potential for exploitation is considerable.
Was there something deficient in the instructions in the accepted answer by @helloworld ?
EDIT: The instructions from README.Debian actually do work (except it’s missing the step that tells you to log out and then back in). The dpkg-reconfigure command creates the wireshark group (so you don’t need to), but then you need to add your user to the group, and re-login.
These commands work for me with Wireshark 1.6.2 on Ubuntu Server 11.10 (64-bit):
$ sudo apt-get install wireshark $ sudo dpkg-reconfigure wireshark-common $ sudo usermod -a -G wireshark $USER $ sudo rebootInstead of rebooting, you can logout with this command:
$ gnome-session-quit --logout --no-promptor simply (if you’re already at the login shell):
If the solution above still fails on your system, an alternative is to set the setuid bit for dumpcap (which lets dumpcap run effectively as the owner of the file, which is root in this case):
$ sudo chmod 4711 `which dumpcap`(FYI: There’s an open ticket for this «security vulnerability», but no one seems to have done anything about it since it was reported JAN-2010.)****
answered 21 Nov ’11, 15:20
helloworld
3.1k ● 4 ● 20 ● 41
accept rate: 28%
edited 16 Dec ’11, 07:47
helloworld — that last command (sudo chmod 4711 ‘which dumpcap’) did the trick — Thanks!
It really work for me too. great boss.
If you don’t want to kill your GNOME session process, you can run Wireshark from the command line using newgrp to get the new group privileges:
newgrp wireshark (wireshark &) ^DThe parenthesis and ampersand will run the process in the background, detached from the shell process, so you can log out from the terminal without losing the Wireshark.
possibly, sudo chmod 4711 ‘sudo which dumpcap’ . which dumpcap returned nothing when executed as myself.
only did , sudo chmod 4711 ‘which dumpcap’ , and interfaces appeared.
sudo addgroup -system wireshark sudo chown root:wireshark /usr/bin/dumpcap sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap sudo usermod -a -G wireshark YOUR_USER_NAMEThen just start Wireshark and select the network interface. It worked for me on 10.04 LTS.
answered 04 Apr ’12, 11:41
kyphos
106 ● 2 ● 2
accept rate: 0%
bravo. these commands works fine in my ubuntu 12.04 lts thnk..
Did this as it seemed quicker than the other methods — seems to be working 🙂
on mu ubuntu 13.10 and wireshark Version 1.10.2 (SVN Rev 51934 from /trunk-1.10) works perfect.
Worked perfectly for me on Xubuntu 14.04. Well done and thank you.
Its work for me, Using Ubuntu 14.04. Thank you buddy. @kyphos
Thanks, perfect, Raspberry Pi, RPi
CAN I GET SOME HELP? What do i do with the sudo? where would i add them?
You don’t add them anywhere. You run these commands just once, in the order given. sudo allows you to execute commands as s uper u ser although you’re not logged in as such.
sudo addgroup -system wireshark — you add a new group of users called wireshark
sudo chown root:wireshark /usr/bin/dumpcap — you make user root and group wireshark the owners of /usr/bin/dumpcap which is the binary which actually does the capture. With this setting, any member of the group wireshark can start the binary
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap — allow the binary to access the interfaces and capture on them
sudo usermod -a -G wireshark YOUR_USER_NAME — you make Mr. YOUR_USER_NAME also a member of the group wireshark (also because he remains a member of his original group), so if that user runs Wireshark, that instance of Wireshark can start dumpcap .
sudo groupadd wireshark sudo usermod -a -G wireshark $USER sudo chgrp wirshark /usr/bin/dumpcap sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcapanswered 10 Feb ’14, 04:16
adamali
25 ● 3
accept rate: 0%
edited 24 Feb ’15, 04:05
grahamb ♦
19.8k ● 3 ● 30 ● 206
Thanks Graham, it works now.
Why doesn’t wireshark detect my interface?
I just installed Wireshark, but when I click capture > interfaces , the dialog box appears, but it does not contain my network interface. When click on capture > interfaces it appears as in the screenshot below. What can cause this?
8 Answers 8
This is usually caused by incorrectly setting up permissions related to running Wireshark correctly. While you can avoid this issue by running Wireshark with elevated privileges (e.g. with sudo ), it should generally be avoided (see here, specifically here). This sometimes results from an incomplete or partially successful installation of Wireshark. Since you are running Ubuntu, this can be resolved by following the instructions given in this answer on the Wireshark Q&A site. In summary, after installing Wireshark, execute the following commands:
sudo dpkg-reconfigure wireshark-common sudo usermod -a -G wireshark $USER Then log out and log back in (or reboot), and Wireshark should work correctly without needing additional privileges. Finally, if the problem is still not resolved, it may be that dumpcap was not correctly configured, or there is something else preventing it from operating correctly. In this case, you can set the setuid bit for dumpcap so that it always runs as root.
sudo chmod 4711 `which dumpcap` One some distros you might get the following error when you execute the command above:
chmod: missing operand after ‘4711’
Try ‘chmod —help’ for more information.
sudo chmod 4711 `sudo which dumpcap`