dumpcap -w option with -b option does not seem to work

* UPDATED TO MERGE THE DUPLICATE QUESTION INFO *

Running dumpcap on Ubuntu 18.04 LTS 64-bit. I can run Wireshark in the GUI just fine, can capture packets, etc. Please note that I can run dumpcap, outputting to a temporary file. That works. My user is in the group 'wireshark' and yes I chose those pcap installation options to have it work that way. So, from a basic permissions point of view, dumpcap does run, does capture packets.

If there is some reason anyone knows why "sudo command" is not the same as "running as root" then please tell me.

My problem is not having ANY success getting the output options to work properly.

They seem very broken.

First of all, just using the -w filename option does not work unless I first create the file. That does not make any sense to have it work that way!

    sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng  -q
    Capturing on 'enp0s3'
    dumpcap: The file to which the capture would be saved ("/home/jgustavson/myfile.pcapng") could not be opened: Permission denied.

Notice that the file in fact does not exist but the program says "Permission denied" as the error. I am in my home directory at the time. If I create the file via echo foo >myfile.pcapng and then try the dumpcap command, it works. Very unexpected!

    sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng  -q
    Capturing on 'enp0s3'
    File: /home/jgustavson/myfile.pcapng
    Packets captured: 141
    [ctrl-C here]
    Packets received/dropped on interface 'enp0s3': 141/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)

Anyone understand why dumpcap seems to be incapable of creating a file if I tell it the name to use with the -w option? If I leave the -w option out, it will create and write to a temporary file just fine.

What I really want to do is set up a ring buffer option, so dumpcap will start a new file every nnn seconds:

    sudo dumpcap -i enp0s3 -w `pwd`/myfile.pcapng -b interval:60 -q
    Capturing on 'enp0s3'
    dumpcap: The file to which the capture would be saved ("/home/jgustavson/myfile.pcapng") could not be opened: No such file or directory.

... but as you can see, that fails too. (Yes, I had deleted myfile.pcapng before running the command, to start "clean".) If I leave out the -w option, it complains "dumpcap: Ring buffer requested, but capture isn't being saved to a permanent file."

Now I want to run dumpcap, using a ring buffer option to start a new file every 60 seconds. I use the command line:

    sudo dumpcap -i enp0s3 -w `pwd`/dump.pcapng -b interval:60 -q

No matter what I do, so long as I have the -b option on the command line, I get grousing:

    Capturing on 'enp0s3'
    dumpcap: The file to which the capture would be saved ("/home/jgustavson/dump.pcapng") could not be opened: No such file or directory.

This seems like it should ... (more)

jogusto
asked 2020-06-10 23:53:42 +0000, updated 2020-06-11 15:21:40 +0000

1 Answer

Look at the answer here.
Not running dumpcap as root is recommended.
I tested on my Ubuntu system with 2.6.10 and 3.2.3 - worked fine after chgrp and chmod.
If it fails after setting the permissions, verify that the directory is writable.

Chuckc
answered 2020-06-11 02:41:56 +0000

Comments

What does sudo do? Runs as root. I'm not understanding your statement "not running... as root".

Which chgrp and chmod commands did you issue? Perhaps giving the specific information might help me get this solved.

If I create the -w output file first, dumpcap can write to my file and my directory. If I run it without the -w option, it happily captures, and writes to a temp file. How can this be explained by permissions? I am in my home directory, I should have permissions, and besides, I'm running as root.

jogusto (2020-06-11 14:58:26 +0000)

See the wiki page here on applying the correct permissions to dumpcap and creating the appropriate group when running on Ubuntu.

grahamb (2020-06-11 16:17:37 +0000)
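
The checks the answer and comments point to (group and mode of the dumpcap binary, group membership of the capturing user, a writable capture directory), collected into one pre-flight script to run as the normal user before starting dumpcap without sudo. This is an added example, not part of the original thread; the function names are hypothetical and GNU `stat` is assumed, as on Ubuntu.

```shell
#!/bin/sh
# Added example: pre-flight checks for an unprivileged `dumpcap -w FILE -b ...` run.
# Function names are hypothetical; `stat -c` assumes GNU coreutils.

# capture_dir_status FILE
# Returns 0 if the directory that would hold FILE exists and the invoking user
# can create files in it, 1 if the directory is missing, 2 if it is not writable.
# Ring-buffer (-b) files are created next to FILE, so the directory matters.
capture_dir_status() {
    dir=$(dirname "$1")
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    # Creating a file needs write and search (execute) permission on the directory.
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "not writable by $(id -un): $dir" >&2
        return 2
    fi
    return 0
}

# dumpcap_access
# Prints the group and mode of the dumpcap binary and reports whether the
# current user belongs to that group. Returns 1 if dumpcap cannot be found or
# executed by this user, 2 if the user is not in the binary's group.
dumpcap_access() {
    bin=$(command -v dumpcap) || {
        echo "dumpcap not found in PATH or not executable by $(id -un)" >&2
        return 1
    }
    grp=$(stat -c '%G' "$bin")
    mode=$(stat -c '%a' "$bin")
    echo "$bin group=$grp mode=$mode"
    if id -Gn | tr ' ' '\n' | grep -qxF "$grp"; then
        echo "user $(id -un) is in group $grp"
    else
        echo "user $(id -un) is NOT in group $grp" >&2
        return 2
    fi
}

# Usage: sh preflight.sh /path/to/capture.pcapng
if [ $# -gt 0 ]; then
    dumpcap_access
    capture_dir_status "$1" && echo "ok: $(dirname "$1") can hold the capture files"
fi
```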