Concern over running WireShark as root

I started WireShark on my Ubuntu machine and discovered that there were no interfaces I could listen to. So I launched it as root. This gave me access to all the interfaces, but gave me a warning:

Running WireShark as user 'root' in group 'root'. This could be dangerous...

So, is it dangerous? Otherwise, how can I listen to the interfaces?


Solution 1:

Wireshark is quickly approaching two million lines of code. You shouldn't run them as root for the same reasons that you shouldn't run Firefox, OpenOffice, GIMP, or any other similarly-sized application as root.

On Linux you don't need to be root to capture packets. You just need the CAP_NET_ADMIN and CAP_NET_RAW privileges. On most distributions this is easy to get up and running. Ubuntu doesn't do this by default yet, but it hopefully will at some point in the future.

Solution 2:

according to http://wiki.wireshark.org/CaptureSetup/CapturePrivileges you should not run it as root.

Instead, use root privileges to dump using dumpcap or tcpdump and then analyse using wireshark.

Solution 3:

Wireshark has a long history of security bugs in the disectors (the plugins which describe how to interpret various over-the-wire protocols). For that reason, it's safer to perform your captures with a simpler tool such as tcpdump, then use wireshark to interpret them as an unprivileged user.