Concern over running WireShark as root

root wireshark

I started WireShark on my Ubuntu machine and discovered that there were no interfaces I could listen to. So I launched it as root. This gave me access to all the interfaces, but gave me a warning:

Running WireShark as user 'root' in group 'root'. This could be dangerous...

So, is it dangerous? Otherwise, how can I listen to the interfaces?


Solution 1:

Wireshark is quickly approaching two million lines of code. You shouldn't run them as root for the same reasons that you shouldn't run Firefox, OpenOffice, GIMP, or any other similarly-sized application as root.

On Linux you don't need to be root to capture packets. You just need the CAP_NET_ADMIN and CAP_NET_RAW privileges. On most distributions this is easy to get up and running. Ubuntu doesn't do this by default yet, but it hopefully will at some point in the future.

Solution 2:

according to http://wiki.wireshark.org/CaptureSetup/CapturePrivileges you should not run it as root.

Instead, use root privileges to dump using dumpcap or tcpdump and then analyse using wireshark.

Solution 3:

Wireshark has a long history of security bugs in the disectors (the plugins which describe how to interpret various over-the-wire protocols). For that reason, it's safer to perform your captures with a simpler tool such as tcpdump, then use wireshark to interpret them as an unprivileged user.

Related

What do the various IP addresses mean?
Google Notifier Replacement for Mac OS X? [closed]
Can I create a custom Field Code in Word 2010 or use a Macro?
In Firebug, how can I stop a redirect?
How can I remove a folder without a name in Win7?
Using symbolic link in Windows XP
How can I make sure my system uses the ~/.screenrc file?
Game for DirectX 9 not working with DirectX 11
Task and Time management (tracking) software for Windows
Can I find the session ID for a user logged on to another machine?
Exclude list of specific files in wget
Allow only one extra user to access the display