"tcpdump -w 1.pcap" works, but "tcpdump -C 100 -w 1.pcap" permission denied

I need to limit the file size when running "tcpdump -w 1.pcap". I try to do this with the "-C" switch, but when I add it, I get a "Permission denied" error message. So:

 > sudo tcpdump -w 1.pcap
 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
 ^C
 821 packets captured
 847 packets received by filter
 24 packets dropped by kernel

But:

 > sudo tcpdump -C 100 -w 1.pcap
 tcpdump: 1.pcap: Permission denied

I run the command from my home directory, and before running it I tried deleting and re-creating the file with different permissions; finally I have:

 -rwxrwxrwx 1 root root 0 Aug 5 10:30 1.pcap 

or

 -rwxrwxrwx 1 fd8 users 0 Aug 5 10:30 1.pcap 

Could you suggest why in the second case I cannot write to a file?

+6
3 answers

I had similar problems when I tried to read from a file, for example

 tcpdump -r example.cap 'icmp[icmptype] = icmp-echo' 

For me, AppArmor was the cause of the problem, and I had to switch tcpdump from enforce mode to complain mode. Run the following command with root privileges:

 aa-complain /usr/sbin/tcpdump 
+2

You need to use -Z root. Read the manual page:

  -Z user   Drops privileges (if root) and changes the user ID to user and the group ID to the primary group of user. This behavior is enabled by default (-Z tcpdump) and can be disabled by -Z root.
+8

I had similar problems in Ubuntu 12.04 LTS and my case was fixed as described below.

 sudo apt-get install apparmor-utils 

This package includes the aa-complain command that user2704275 mentions.

If your environment is a RedHat/CentOS distribution, you can use the equivalent yum command.

 sudo aa-complain /usr/sbin/tcpdump 

This changes the AppArmor mode for tcpdump from "enforce" to "complain". You can check the AppArmor status in /sys/kernel/security/apparmor/profiles.

After that, tcpdump works for me with sudo.

After you have finished capturing with tcpdump, for security reasons you can return AppArmor to the previous mode, as described below.

 sudo aa-enforce /usr/sbin/tcpdump 

Sincerely.

+4
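Both fixes above (running with -Z root, or putting the AppArmor profile into complain mode) make the capture work by removing a protection. The following is an added example, not code from the thread or from tcpdump itself, showing the two checks a practitioner would do first: keep tcpdump's privilege drop and give the unprivileged user a directory it can write to, so -C rotation works without -Z root, and read the AppArmor audit lines to confirm whether the profile, rather than file ownership, is what produced "Permission denied". Assumptions of mine, not the page's: the user tcpdump drops to is named "tcpdump" (the compiled-in default quoted in the -Z answer), the host is Linux with AppArmor, the profile name is /usr/sbin/tcpdump as in the answers, and the log lines in SAMPLE_AUDIT_LOG are constructed, not captured from a real host. Per the tcpdump manual, -C counts in units of 1,000,000 bytes and -W limits the number of rotated files.

```shell
# Added example (not from the original thread). Assumes the drop-to user is
# "tcpdump", Linux with AppArmor, and a constructed audit log sample.

# Command line that keeps the privilege drop: -Z USER instead of -Z root.
# -C SIZE_MB rotates after SIZE_MB * 1,000,000 bytes, -W COUNT caps the
# number of files, and the output lands in DIR, which USER must be able to write.
tcpdump_rotate_cmd() {
    iface=$1; dir=$2; user=$3; size_mb=$4; count=$5
    printf 'tcpdump -i %s -Z %s -C %s -W %s -w %s/capture.pcap\n' \
        "$iface" "$user" "$size_mb" "$count" "$dir"
}

# Create DIR and, when running as root, hand it to USER so that the
# dropped-privilege tcpdump can create capture.pcap, capture.pcap1, ...
# Returns 0 when DIR exists and is writable by the caller.
prepare_capture_dir() {
    dir=$1; user=$2
    mkdir -p "$dir" || return 1
    chmod 0750 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$dir" || return 1
    fi
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Read AppArmor audit lines on stdin and print the path of every file the
# tcpdump profile refused. Only apparmor="DENIED" lines count: in complain
# mode the same events are logged as apparmor="ALLOWED" and are skipped here.
apparmor_denied_paths() {
    grep 'apparmor="DENIED"' | grep 'profile="/usr/sbin/tcpdump"' |
        sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Constructed sample in AppArmor's audit line format (not from a real host):
# one denial from enforce mode, one event logged by complain mode.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1344160200.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/root/1.pcap" pid=1234 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1344160201.456:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/var/tmp/captures/capture.pcap" pid=1235 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0'

# When run directly: print the command to use and any denials in the sample.
tcpdump_rotate_cmd eth0 /var/tmp/captures tcpdump 100 10
printf '%s\n' "$SAMPLE_AUDIT_LOG" | apparmor_denied_paths
```

On a real host, feed apparmor_denied_paths from the kernel log (for example `dmesg` or `journalctl -k`), and confirm the writable-directory assumption with `sudo -u tcpdump test -w /var/tmp/captures` before starting the capture; `aa-status` shows which profiles are currently in enforce or complain mode without reading /sys by hand.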

Source: https://habr.com/ru/post/951013/
