6

I installed wireshark using yum (RUN yum install -y wireshark wireshark-qt) - and cannot run it when I ssh into the container.

# tshark
tshark: Couldn't run /usr/sbin/dumpcap in child process: Operation not permitted
Are you a member of the 'wireshark' group? Try running
'usermod -a -G wireshark _your_username_' as root.

I tried running usermod -a -G wireshark root (as when I ssh into the machine, it is as root). This does not help.

Also tried su -c '/usr/sbin/tshark' unsuccessfully.

What should I do?

2 Answers

7

dumpcap requires the NET_RAW (use RAW and PACKET sockets) and NET_ADMIN (perform network-related operations) capabilities:

$ getcap $(which dumpcap)
/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+ep

They are not granted by default to unprivileged containers and must be added explicitly with --cap-add=NET_RAW --cap-add=NET_ADMIN when starting the container:

$ docker build -t tshark - <<EOF 
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y tshark && rm -rf /var/lib/apt/lists/*
ENTRYPOINT ["tshark"]
EOF

$ docker run --rm -it \
    --net=[container:<name|id> | host] \
    --cap-add=NET_RAW --cap-add=NET_ADMIN tshark


1
  • 1
    In docker compose you should add to your service the list cap_add: - NET_RAW - NET_ADMIN.
    – Javier
    Commented Jul 10, 2020 at 16:33
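To confirm from inside a container whether the two capabilities named in the answer above are available, the bounding set in /proc/self/status can be decoded. This is an added example, not part of the original answer; the function names are hypothetical and the mask in the comment is a constructed sample value.

```shell
#!/bin/sh
# Added diagnostic example (not from the original answer).
# Capability bit numbers as defined in <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap MASK_HEX BIT: exit status 0 if BIT is set in the hex mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_dumpcap_caps MASK_HEX: print the capabilities dumpcap needs
# that the mask lacks (empty output means nothing is missing).
# Constructed sample: 00000000a80405fb lacks both bits 12 and 13.
missing_dumpcap_caps() {
    missing=""
    has_cap "$1" "$CAP_NET_ADMIN" || missing="NET_ADMIN"
    has_cap "$1" "$CAP_NET_RAW" || missing="${missing:+$missing }NET_RAW"
    printf '%s' "$missing"
}

# cap_mask FIELD [STATUS_FILE]: hex value of e.g. CapBnd or CapEff
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# report [STATUS_FILE]: print the --cap-add flags that are still needed.
# Returns 0 if none, 1 if some are missing, 2 if the field is absent.
report() {
    bnd=$(cap_mask CapBnd "$1")
    [ -n "$bnd" ] || { echo "no CapBnd field found" >&2; return 2; }
    miss=$(missing_dumpcap_caps "$bnd")
    if [ -z "$miss" ]; then
        echo "bounding set $bnd contains NET_ADMIN and NET_RAW"
        return 0
    fi
    for c in $miss; do printf '%s' "--cap-add=$c "; done
    echo
    return 1
}

# Run as "sh thisfile --report" inside the container.
case "${1:-}" in --report) report ;; esac
```

The bounding set is the relevant field here because dumpcap carries its capabilities as file capabilities (the `+ep` shown by getcap), and those cannot be acquired if the container's bounding set excludes them.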
1

I used these commands and it ran:

usermod -a -G wireshark _your_username_  

newgrp wireshark

sudo chgrp wireshark /usr/sbin/dumpcap

tshark -i eth0 -w outfile

Please try.

1
  • This seemed to mostly work for me on OEL7.
    – Jay Taylor
    Commented Sep 24, 2018 at 23:06
