wireshark/tshark

On Debian, running sudo dpkg-reconfigure wireshark-common brings up the configuration dialog shown below.

[Figure: the wireshark-common debconf dialog asking whether non-superusers should be able to capture packets]

The corresponding postinst script from the wireshark-common package is as follows:

#!/bin/sh

set -e

. /usr/share/debconf/confmodule
PROGRAM=/usr/bin/dumpcap
GROUP=wireshark

if ! dpkg-statoverride --list $PROGRAM > /dev/null; then
    db_get wireshark-common/install-setuid
    if [ -e "$PROGRAM" ]; then
        if [ "$RET" = "false" ] ; then
            chown root:root $PROGRAM
            chmod u=rwx,go=rx $PROGRAM
        else
            if ! addgroup --quiet --system $GROUP; then
                echo "Executing \"addgroup --quiet --system $GROUP\" failed."
                echo "Most probably the $GROUP group exists, but is not a system group."
                echo "Please delete the existing group or re-create it as a system group and try configuring wireshark-common again."
                exit 1
            fi
            chown root:$GROUP $PROGRAM
            if which setcap > /dev/null ; then
                chmod u=rwx,g=rx,o=r $PROGRAM
                if ! setcap cap_net_raw,cap_net_admin=eip $PROGRAM; then
                    echo "Setting capabilities for dumpcap using Linux Capabilities failed."
                    echo "Falling back to setting set-user-id bit."
                    chmod u=rwxs,g=rx,o=r $PROGRAM
                fi
            else
                chmod u=rwxs,g=rx,o=r $PROGRAM
            fi
        fi
    fi
else
    echo "Preserving owner and mode for $PROGRAM set by dpkg-statoverride:"
    dpkg-statoverride --list $PROGRAM
fi

From this we can see that it performs the following steps:

  1. Create the system group wireshark
  2. Change the group owner of dumpcap to wireshark
  3. Set the group permissions on dumpcap to read and execute (others get read only, so only group members can run it)
  4. Set the file capabilities cap_net_raw,cap_net_admin=eip on dumpcap

If setcap is not installed or fails, the script falls back to setting the setuid bit (chmod u=rwxs), in which case dumpcap runs as root for whoever can execute it rather than with just the two network capabilities.

An ordinary user who needs to use tcpdump/wireshark then only has to be added to the wireshark group.

tcpdump

To let an ordinary user run tcpdump, apply the same steps that wireshark-common performs (as root):

PROGRAM=$(which tcpdump)
GROUP=wireshark
# the group already exists if wireshark-common was configured; otherwise: addgroup --system $GROUP
chown root:$GROUP $PROGRAM
chmod u=rwx,g=rx,o=r $PROGRAM    # others may read but not execute
setcap cap_net_raw,cap_net_admin=eip $PROGRAM
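
To check which of these mechanisms is actually in effect on a host (group ownership, capabilities, or the setuid fallback, and whether the current user is in the group), here is an added audit script; it is not part of the original post or of the Debian package, and assumes GNU coreutils stat(1) and libcap's getcap(8) as shipped on Debian.

```sh
#!/bin/sh
# Added example, not from the original post: audit how a capture binary was
# privileged (group ownership, setuid bit vs. file capabilities, membership).
# Assumes GNU coreutils stat(1) and libcap's getcap(8), as on Debian.

# Return 0 if a getcap output line grants cap_net_raw and cap_net_admin in
# both the Permitted and Effective sets. Handles both output formats:
# "path = caps+eip" (libcap < 2.41) and "path caps=eip" (libcap >= 2.41).
caps_grant_capture() {
    caps=$(printf '%s\n' "$1" | sed -e 's/^[^ ]* = //' -e 's/^[^ ]* //')
    case "$caps" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$caps" in *cap_net_admin*) ;; *) return 1 ;; esac
    flags=${caps##*[=+]}              # text after the last '=' or '+'
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; *) return 1 ;; esac
}

# Return 0 if an octal mode from `stat -c %a` has the setuid bit (e.g. 4754).
mode_is_setuid() {
    case "$1" in [4567][0-7][0-7][0-7]) return 0 ;; *) return 1 ;; esac
}

# Print how $1 (default dumpcap) is privileged and whether we may run it.
audit_capture_binary() {
    prog=${1:-/usr/bin/dumpcap}
    [ -e "$prog" ] || { echo "$prog: not found"; return 2; }
    group=$(stat -c %G "$prog"); mode=$(stat -c %a "$prog")
    echo "$prog owner=$(stat -c %U "$prog") group=$group mode=$mode"
    if mode_is_setuid "$mode"; then
        echo "  setuid fallback in use: group members run $prog as root"
    fi
    if command -v getcap >/dev/null 2>&1; then
        line=$(getcap "$prog" 2>/dev/null)
        if [ -z "$line" ]; then
            echo "  no file capabilities set"
        elif caps_grant_capture "$line"; then
            echo "  capabilities limit it to raw sockets: $line"
        else
            echo "  unexpected capability set: $line"
        fi
    fi
    if id -nG | tr ' ' '\n' | grep -qx "$group"; then
        echo "  current user is in group $group and can start captures"
    else
        echo "  current user is not in group $group"
    fi
}

if [ -n "${1:-}" ]; then audit_capture_binary "$1"; fi
```

Run it as `sh audit.sh /usr/bin/dumpcap` or `sh audit.sh $(which tcpdump)`; a "setuid fallback" line means the binary carries root privileges rather than just the two capabilities.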