Wireshark: Re: DUMPCAP -g (Set ring buffer file group permissions)

[John Powell <jrp999 () gmail com>]

Think I have the solution - chmod g+s <capture directory> and then chgrp
wireshark <capture directory>

then using dumpcap -g will set the read bit on the group and it looks like
I am set.

Thanks Mike and Jeff!

On Tue, Dec 11, 2012 at 2:09 PM, <jrp999 () gmail com> wrote:

> Sorry mike!
> Sent from my BlackBerry® wireless handheld
>
> -----Original Message-----
> From: jrp999 () gmail com
> Date: Tue, 11 Dec 2012 20:09:22
> To: Developer Wireshark<wireshark-dev () wireshark org>
> Reply-To: jrp999 () gmail com
> Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group
> permissions)
>
> Hi Bill,
>
> Thanks for the clarification, that makes sense.
>
> I am running dumpcap as a service - do you have any suggestions on how to
> make the dumpcap buffer files have a user defined group permissions?
>
> Thanks in advance!
>
> -John
> Sent from my BlackBerry® wireless handheld
>
> -----Original Message-----
> From: Michael Tuexen <Michael.Tuexen () lurchi franken de>
> Sender: wireshark-dev-bounces () wireshark orgDate: Tue, 11 Dec 2012 20:39:01
> To: Developer support list for Wireshark<wireshark-dev () wireshark org>
> Reply-To: Developer support list for Wireshark <
> wireshark-dev () wireshark org>
> Subject: Re: [Wireshark-dev] DUMPCAP -g (Set ring buffer file group
>         permissions)
>
> On Dec 11, 2012, at 8:24 PM, John Powell wrote:
>
> > Hi Jeff,
> >
> > I must be missing something.
> >
> > I set dumpcap permissions to:
> >
> > # ls -l /usr/local/bin/dumpcap
> > -rwxr-xr-- 1 root wireshark 230157 Dec 11 10:40 /usr/local/bin/dumpcap
> >
> > and the dumpcap command is:
> >
> > root             /usr/local/bin/dumpcap -B 16 -i 2 -f vlan and (not vrrp
> and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc) -g wireshark -b
> filesize:250000 -b duration:900 -w /var/opt/data/captures.cap
> After looking at the code, I think you misunderstood the -g option.
>
> As far as I see, you can't specify the group, you can just allow the group
> to
> read the file.
>
> So, for example:
>
> dumpcap -w test0.pcapng
>
> and then
>
> dumpcap -g -w test1.pcapng
>
> results in
>
> [mba:~/Documents/wireshark/trunk] tuexen% ls -l test?.pcapng
> -rw-------  1 tuexen  staff  324 Dec 11 20:37 test0.pcapng
> -rw-r-----  1 tuexen  staff  532 Dec 11 20:37 test1.pcapng
>
> So as you see, you can't specify the group, but control if the group
> members can
> read the file.
>
> Best regards
> Michael
> > I also tried
> >
> > root                        /usr/local/bin/dumpcap -B 16 -i 2 -f vlan
> and (not vrrp and not udp port 1985 and not ether host 01:00:0c:cc:cc:cc)
> -g -b filesize:250000 -b duration:900 -w /var/opt/data/captures.cap
> > but the ring buffer files still end up "root root".
> >
> > ]# ls /var/opt/data/captures/*  -l
> > -rw-r-----  1 root root      111542192 Dec 11 13:19 /var/
> >
> > Thoughts??
> >
> > Any guidance will be appreciated!
> >
> > Thanks!
> >
> > -John
> >
> > On Tue, Dec 11, 2012 at 1:11 PM, John Powell <jrp999 () gmail com> wrote:
> > Hi Jeff,
> >
> > After you said that I did DUMPCAP -h and behold there it was!!
> >
> > Thanks so much for all of the work you do on this project!!
> >
> > -John
> >
> >
> > On Tue, Dec 11, 2012 at 12:59 PM, Jeff Morriss <
> jeff.morriss.ws () gmail com> wrote:
> > John Powell wrote:
> > Hi,
> >
> > I need to set the group permissions for files created by DumpCap.
> >
> > In this post I see the option " -g " is supposed to exist (
> http://www.engardelinux.org/modules/index/list_archives.cgi?list=wireshark-users&page=0016.html&month=2010-09<
> http://www.engardelinux.org/modules/index/list_archives.cgi?list=wireshark-users&page=0016.html&month=2010-09
> > )
> >
> > /> > The file permissions are hardcoded in the source code. I have added
> /
> > /> > the option '-g' to dumpcap to enable group read access as this can /
> > /> > indeed be handy when (automatically) capturing to a ringbuffer. /
> > /> > /
> > /> > To be able to use this feature, you will have to use an automated /
> > /> > build[1] with a number higher than 33978 (available in a couple of /
> > /> > hours) or wait for the next 1.5.x development release. /
> > /> > /
> > /> > Cheers, /
> > /> > /
> > /> > /
> > /> > Sake /
> >
> >
> > Can someone please point me to how I can get a version that to have
> access to this option?
> > You'd need Wireshark 1.6.0 or later.  The current version (1.8.4) would
> be your best bet.
> > BTW I noticed that this option is not listed in dumpcap's man page; I'll
> correct that shortly.
> >
> ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >             mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
> >
> ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >             mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe