I have encountered numerous problems in the installation of Wireshark, and the capture of USB traffic, especially due to user permissions.

How to install Wireshark on Linux and capture USB traffic?

1 Answer

Tested on Ubuntu 14.04, but probably works on other distributions since none of the steps are specific to Ubuntu.

The first time you follow the tutorial, do all the steps 1 -> 7.

When you restart your computer, you have to repeat steps 6 and 7 to see the USB interfaces in Wireshark.

  1. Install Wireshark and libpcap:

    sudo apt-get install wireshark libpcap0.8

  2. For Debian, Ubuntu and other Debian derivatives, continue to step 3.

    For other Linux based systems or other installation methods, see the Wireshark Wiki, then go to step 6.

  3. Reconfigure wireshark to allow non-superusers to track packets:

    sudo dpkg-reconfigure wireshark-common

    Select <Yes> in the prompt

  4. Add your username to the "wireshark" usergroup:

    sudo usermod -a -G wireshark <your_username>

    You can verify if it’s done correctly by displaying the groups your username is part of:

    groups <your_username>

    If not, you can add the group "wireshark" manually:

    sudo groupadd wireshark

    And then add your username to the group (see above)

  5. Important: Logout of your session, then log back in.

  6. This step depends on the kernel version that is installed on your machine. To know the version of your kernel, type:

    uname -r

    For versions of the kernel prior to 2.6.21, if debugfs is not already mounted on /sys/kernel/debug, ensure that it is mounted there by issuing the following command:

    sudo mount -t debugfs / /sys/kernel/debug

    For kernel version 2.6.21 and later, load the loadable module usbmon in the kernel:

    sudo modprobe usbmon

    See the [Wireshark Wiki](https://wiki.wireshark.org/CaptureSetup/USB#Linux) for more information about this differentiation.

  7. If the usbmon interfaces don't appear in Wireshark, look for interfaces using dumpcap (the command-line tool of Wireshark):

    sudo dumpcap -D

    You should see the usbmon* interfaces. Now display the permissions of the usbmon interfaces:

    ls -l /dev/usbmon*

    If the usbmon* files have 'crw-------', then it's normal that Wireshark cannot read them because it's not run as root. Do not execute Wireshark in root mode, it may damage files. Instead, you can give regular users read privileges:

    sudo setfacl -m u:$USER:r /dev/usbmon*

Now the usbmon interfaces should appear in Wireshark.


Sources:

https://wiki.wireshark.org/CaptureSetup/USB#Linux

https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Most_UNIXes

https://unix.stackexchange.com/questions/55722/wireshark-couldnt-run-usr-sbin-dumpcap-in-child-process

http://anonscm.debian.org/viewvc/collab-maint/ext-maint/wireshark/trunk/debian/README.Debian?view=markup
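The following pre-flight script is an added example, not part of the answer above or of Wireshark itself. It automates the two checks the answer does by hand: picking the step 6 method from the `uname -r` string (debugfs before 2.6.21, modprobe from 2.6.21 on) and deciding from `ls -l` fields whether the current user can read each `/dev/usbmon*` node (step 7). The helper functions take their inputs as arguments so they can be tried on constructed values; `main` applies them to the live system.

```shell
#!/bin/sh
# Added example (not from the original answer): pre-flight checks for steps 6 and 7.

# Step 6: kernels before 2.6.21 use the debugfs interface, 2.6.21 and later load
# the usbmon module. Prints "debugfs" or "modprobe" for a `uname -r` style string.
usbmon_method() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # "5.15.0-91-generic" -> "5.15.0"
    [ -z "$ver" ] && { echo unknown; return 1; }
    maj=${ver%%.*}; rest=${ver#*.}; [ "$rest" = "$ver" ] && rest=0
    min=${rest%%.*}; pat=${rest#*.}; [ "$pat" = "$rest" ] && pat=0
    if [ $((maj * 1000000 + min * 1000 + pat)) -ge 2006021 ]; then
        echo modprobe
    else
        echo debugfs
    fi
}

# Step 7: decide from `ls -l` style fields whether USER may read a device node.
# MODE is e.g. "crw-rw----", GROUPS is the space-separated output of `id -nG`.
# Returns 0 if readable, 1 if not, 2 if an ACL is present ("+" suffix): the
# group bits then show the ACL mask, so getfacl must be consulted instead.
dev_readable_by() {
    mode=$1; owner=$2; group=$3; user=$4; groups=$5
    case $mode in *+) return 2 ;; esac
    [ "$(printf '%s' "$mode" | cut -c8)" = r ] && return 0                       # other
    [ "$owner" = "$user" ] && [ "$(printf '%s' "$mode" | cut -c2)" = r ] && return 0
    if [ "$(printf '%s' "$mode" | cut -c5)" = r ]; then                            # group
        for g in $groups; do [ "$g" = "$group" ] && return 0; done
    fi
    return 1
}

main() {
    k=$(uname -r)
    echo "kernel $k: step 6 method is '$(usbmon_method "$k")'"
    [ -e /dev/usbmon0 ] || { echo "no /dev/usbmon* nodes: usbmon is not loaded (step 6)"; return 0; }
    for dev in /dev/usbmon*; do
        set -- $(ls -l "$dev")      # fields: mode links owner group ...
        rc=0; dev_readable_by "$1" "$3" "$4" "$(id -un)" "$(id -nG)" || rc=$?
        case $rc in
            0) echo "$dev: readable, should appear in Wireshark" ;;
            2) echo "$dev: ACL present, check with: getfacl $dev" ;;
            *) echo "$dev: not readable ($1 $3:$4), see step 7" ;;
        esac
    done
}

main
```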

  • Thanks, I had a problem with permissions after updating wireshark and now it's working great. – Hammi Dec 24 '16 at 10:24
  • Just in case someone was wondering how to make loading of usbmon (step 6) persistent over reboots: create a file in `/etc/modules-load.d/` called `usbmon.conf` and in this file add one line with the module name `usbmon`. – Gerrit Mar 15 '18 at 10:25
  • @Gerrit thanks! That helped. And how do I persist the permissions? – m4l490n Mar 29 '18 at 20:01
  • Step 7 `sudo chmod 644 /dev/usbmon*` can be replaced with the more restrictive `sudo setfacl -m u:$USER:r /dev/usbmon*`. This more closely matches the [Wireshark USB Wiki](https://wiki.wireshark.org/CaptureSetup/USB#Linux). – MilesF Dec 21 '18 at 18:49
  • @m4l490n here is a sample udev rule for doing that kind of thing `SUBSYSTEM=="usbmon", GROUP="wireshark", MODE="0640"` – Lorraine Oct 15 '20 at 09:59
  • Great answer, still works in Ubuntu 20.04, except I wasn't able to get Wireshark to see the usbmon interface even after `setfacl`. Running Wireshark as root solves that issue. – Violet Giraffe Jul 05 '21 at 09:24
  • 8. How do I start capture? – tishma Jun 29 '22 at 14:02
  • I would set the ACL to the wireshark group – Didi Kohen Dec 27 '22 at 21:06