はじめに
Wiresharkをインストールしたが、一般ユーザではパケットキャプチャがうまく動作しなかったので、調べた結果を残しておく。
環境
$ cat /etc/os-release | grep PRETTY_NAME PRETTY_NAME="Ubuntu 22.04.3 LTS" $ uname -srvm Linux 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct 9 15:34:04 UTC 2 x86_64
インストール手順
まず、以下のようにaptを実行してWiresharkのインストールを実行する。
$ sudo apt install wireshark
すると、インストールの途中で以下の画面が表示される。 root以外の一般ユーザでもWiresharkを実行したいので、「はい」を選択して、インストールを完了させる。
この段階では、まだroot以外のユーザではパケットキャプチャがうまくいかない。 ここで、先程の画面に表示されている文章を訳すと、以下になる。
Dumpcapはシステムのグループである"wireshark"のメンバーがパケットをキャプチャできるような方法でインストールすることができます。これは、権限昇格して特権で実行するコードが比較的少量で済むため、rootで直接 Wireshark/Tsharkを実行するという選択肢よりも推奨されます。
より詳細な情報については、パッケージのインストール後に/usr/share/doc/wireshark-common/README.Debian.gzを参照してください。
この機能の有効化はセキュリティリスクになり得るため、デフォルトでは無効化されています。もし迷う場合は、無効化のままにしておくことを推奨します。
スーパーユーザー以外もパケットをキャプチャできるようにしますか?
ということで、以下のコマンドを実行してREADME.Debian.gzの内容を確認してみる。
$ zcat /usr/share/doc/wireshark-common/README.Debian.gz
これを読むと、root以外のユーザでも実行できるようにするには、以下のコマンドを実行してそのユーザをグループwiresharkに追加せよ、とある。
$ sudo usermod -a -G wireshark {username}
これで、一般ユーザでもWiresharkによるパケットキャプチャが可能になった。
ちなみに、README.Debian.gzによると、以下のコマンドを実行することで上掲のスクリーンショットの選択画面を再実行できるとある。
$ sudo dpkg-reconfigure wireshark-common
参考:README.Debian.gzの内容
I. Capturing packets with Wireshark/Tshark
There are two ways of installing Wireshark/Tshark on Debian; the
installation process may offer a choice between these two ways,
asking "Should non-superuser be able to capture packets?"
I./a. Installing dumpcap without allowing non-root users to capture packets
Only root user will be able to capture packets. It is advised to capture
packets with the bundled dumpcap program as root and then run
Wireshark/Tshark as an ordinary user to analyze the captured logs. [2]
This is the default on Debian systems; it is selected by answering
"<No>" to the question mentioned above.
I./b. Installing dumpcap and allowing non-root users to capture packets
Members of the wireshark group will be able to capture packets on network
interfaces. This is the preferred way of installation if Wireshark/Tshark
will be used for capturing and displaying packets at the same time, since
that way only the dumpcap process has to be run with elevated privileges
thanks to the privilege separation[1].
This is selected by answering "<Yes>" to the question mentioned
above.
Note that no user will be added to group wireshark automatically;
a system administrator has to add them manually, using the usermod
command:
sudo usermod -a -G wireshark {username}
or, if you're using a desktop environment that includes a tool for
managing users, such as the "Users and Groups" tool in GNOME (found
in the gnome-system-tools package), using that tool. After a user
is added to the wireshark group, she/he may need to log in again to
make her/his new group membership take effect and be able to capture
packets.
The additional privileges are provided using the Linux Capabilities
system where it is available and resorting to setting the set-user-id
bit of the dumpcap binary as a fall-back, where the Linux Capabilities
system is not present (Debian GNU/kFreeBSD, Debian GNU/Hurd).
Linux kernels provided by Debian support Linux Capabilities, but custom
built kernels may lack this support. If the support for Linux
Capabilities is not present at the time of installing wireshark-common
package, the installer will fall back to set the set-user-id bit to
allow non-root users to capture packets.
If installation succeeds with using Linux Capabilities, non-root users
will not be able to capture packets while running kernels not supporting
Linux Capabilities.
Note that capturing USB packets is not enabled for non-root users by using
Linux Capabilities. You have to capture the packets using the method
described in I./a., setting the set-user-id permanently using
dpkg-statoverride or running dumpcap as root.
The installation method can be changed any time by running:
sudo dpkg-reconfigure wireshark-common
The question mentioned above will be asked; answer "<Yes>" to it.
II. Installing SNMP MIBs
SNMP [4] OIDs can be decoded using MIBs provided by other packages.
wireshark-common suggests snmp-mibs-downloader which package can be used to
download a set of common MIBs Wireshark/Tshark tries to load at startup.
At the time of writing, MIBs are distributed under DFSG incompatible terms
[5] thus snmp-mibs-downloader has to be in the non-free archive area.
To keep wireshark in the main area [7], wireshark-common does not depend on
or recommend snmp-mibs-downloader and as a result snmp-mibs-downloader is
not installed automatically with wireshark.
To make Wireshark/Tshark able to decode OIDs, please install
snmp-mibs-downloader manually.
To help Wireshark/Tshark to decode OIDs without having to install packages
manually, please support the initiative of requesting additional rights
from RFC authors [5].
[1] https://gitlab.com/wireshark/wireshark/-/wikis/Development/PrivilegeSeparation
[2] https://gitlab.com/wireshark/wireshark/-/wikis/CaptureSetup/CapturePrivileges
[3] https://blog.wireshark.org/2010/02/running-wireshark-as-you
[4] https://gitlab.com/wireshark/wireshark/-/wikis/SNMP
[5] https://wiki.debian.org/NonFreeIETFDocuments
[6] https://www.debian.org/doc/debian-policy/ch-archive.html#s-non-free
[7] https://www.debian.org/doc/debian-policy/ch-archive.html#s-main
