Ethereal - not sufficient permission?

 
 
notgiven
      03-23-2005, 04:02 PM
I have installed the pcap library and ethereal on a new installation
of Mandrake Linux 10.1 (with powerpack, which is where I got the
library and ethereal.) When I start Ethereal and attempt to perform a
capture I get an error message saying the socket operation is not
permitted - either I do not have sufficient permissions or maybe I
don't have the pipes set up correctly. Do I need special permissions
to access the library? Or what? How do I do this? I am extremely
newbie as regards Linux.
Thanks in advance.

 
Steve Horsley
      03-23-2005, 05:02 PM
notgiven wrote:
> I have installed the pcap library and ethereal on a new installation
> of Mandrake Linux 10.1 (with powerpack, which is where I got the
> library and ethereal.) When I start Ethereal and attempt to perform a
> capture I get an error message saying the socket operation is not
> permitted - either I do not have sufficient permissions or maybe I
> don't have the pipes set up correctly. Do I need special permissions
> to access the library? Or what? How do I do this? I am extremely
> newbie as regards Linux.
> Thanks in advance.
>

You need root (administrator) privilege to use Ethereal - it's the
act of sniffing the network that's restricted.

Open a console window and enter the command "su" (without the
quotes). At the prompt, enter the root password. Now you have a
command prompt running with root privilege. Enter the command
"ethereal", ignore all the rubbish that scrolls by, and you should
get a working ethereal window pop up. Don't close the command
prompt window until you have finished with ethereal, or it
will disappear again.

Use "exit" to drop out of root priv at the prompt as soon as
you can - leaving a root prompt open is dangerous (mistakes
in there have the rights to do lots of damage).

Steve
 
Jose Maria Lopez Hernandez
      03-23-2005, 06:14 PM
notgiven wrote:
> I have installed the pcap library and ethereal on a new installation
> of Mandrake Linux 10.1 (with powerpack, which is where I got the
> library and ethereal.) When I start Ethereal and attempt to perform a
> capture I get an error message saying the socket operation is not
> permitted - either I do not have sufficient permissions or maybe I
> don't have the pipes set up correctly. Do I need special permissions
> to access the library? Or what? How do I do this? I am extremely
> newbie as regards Linux.


You can't capture packets if you are not root. Imagine the mess
that would be if any user could capture the packets in a host.

> Thanks in advance.


Regards.

--

Jose Maria Lopez Hernandez
Technical Director, bgSEC
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
 
Ian Northeast
      03-23-2005, 07:45 PM
On Wed, 23 Mar 2005 18:02:55 +0000, Steve Horsley wrote:

> notgiven wrote:
>> I have installed the pcap library and ethereal on a new installation of
>> Mandrake Linux 10.1 (with powerpack, which is where I got the library
>> and ethereal.) When I start Ethereal and attempt to perform a capture I
>> get an error message saying the socket operation is not permitted -
>> either I do not have sufficient permissions or maybe I don't have the
>> pipes set up correctly. Do I need special permissions to access the
>> library? Or what? How do I do this? I am extremely newbie as regards
>> Linux.
>> Thanks in advance.
>>

> You need root (administrator) privilege to use Ethereal


Only in packet capture mode. You can run it as a user to open and examine
a previously recorded packet trace.

> - it's the act of sniffing the network that's restricted.


Yes.

My preference is to capture the packets using tcpdump as root on the
command line (with the -w <file> -s 1500 flags), then ship the file to my
workstation, run ethereal as non root and open it. I prefer to avoid
running X apps as root whenever possible.

Some of my servers don't even have ethereal installed. They all have
tcpdump.

I've never had ethereal misbehave on Linux, but on AIX the IBM built
ethereal binary tends to crash the whole system if run in packet capture
mode. This is probably why I'm a bit paranoid about it. Of course this
isn't reportable as ethereal is part of the unsupported Open Source
software collection IBM provide. But tcpdump is a supported part of the
OS. And it doesn't crash it.

The only time I run ethereal in packet capture mode is if I want to watch
them in real time. This isn't practical in most situations as they come
too quickly.

Regards, Ian
 
Steve Horsley
      03-23-2005, 08:07 PM
Ian Northeast wrote:
>>
>>You need root (administrator) privilege to use Ethereal

>
>
> Only in packet capture mode. You can run it as a user to open and examine
> a previously recorded packet trace.


True.

>
> My preference is to capture the packets using tcpdump as root on the
> command line (with the -w <file> -s 1500 flags), then ship the file to my
> workstation, run ethereal as non root and open it. I prefer to avoid
> running X apps as root whenever possible.
>

For the paranoid - there have been buffer overflow errors in the Ethereal
packet decoders in the past that could in theory allow an attacker who
knew he was being sniffed with Ethereal to send specially constructed
packets that would execute code of their choice. So only using
Ethereal for examining capture files in userland does actually
increase your security.

I'm more lazy than paranoid though, so have never bothered with this
two-step approach.

> Some of my servers don't even have ethereal installed. They all have
> tcpdump.
>
> I've never had ethereal misbehave on Linux, but on AIX the IBM built
> ethereal binary tends to crash the whole system if run in packet capture
> mode. This is probably why I'm a bit paranoid about it


Ooh, nasty. I've never seen that on either Linux or Windoze.

Steve
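
An added example, not written by any poster in this thread: a minimal Python reader for the classic pcap file format that `tcpdump -w` writes. It shows that examining a saved trace is plain file parsing that needs no root, bounds every length taken from the file, and flags packets the `-s` snapshot length cut short (a full-size Ethernet frame is 1514 bytes, so `-s 1500` clips its last 14). The sample capture is constructed in the code; `read_pcap`, `cut_short`, `build_sample` and the `MAX_CAPLEN` limit are names and values chosen for this example.

```python
import io
import struct

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order by magic
MAX_CAPLEN = 262144  # sanity cap on a record's size (assumption for this example)

def read_pcap(stream):
    """Parse a classic pcap file; return (snaplen, linktype, records).

    Each record is (ts_sec, captured_len, original_len, data). Only file reads
    are involved, so no root privilege or capture socket is needed.
    """
    header = stream.read(24)
    if len(header) != 24 or header[:4] not in MAGIC:
        raise ValueError("not a classic pcap file")
    order = MAGIC[header[:4]]
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", header[4:])
    records = []
    while True:
        rec = stream.read(16)
        if not rec:
            break
        if len(rec) != 16:
            raise ValueError("truncated record header")
        ts_sec, _ts_usec, caplen, origlen = struct.unpack(order + "IIII", rec)
        # Lengths come from an untrusted file: bound them before reading.
        if caplen > origlen or caplen > MAX_CAPLEN:
            raise ValueError("implausible record length")
        data = stream.read(caplen)
        if len(data) != caplen:
            raise ValueError("truncated packet data")
        records.append((ts_sec, caplen, origlen, data))
    return snaplen, linktype, records

def cut_short(records):
    """Indexes of packets the snaplen cut short (captured < on-the-wire length)."""
    return [i for i, (_, cap, orig, _) in enumerate(records) if cap < orig]

def build_sample(snaplen=1500):
    """Constructed sample: one 60-byte frame, one 1514-byte frame cut to snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, wire_len in ((1111593600, 60), (1111593601, 1514)):
        cap = min(wire_len, snaplen)
        out += struct.pack("<IIII", ts, 0, cap, wire_len) + bytes(cap)
    return out

if __name__ == "__main__":
    snaplen, linktype, recs = read_pcap(io.BytesIO(build_sample()))
    print(snaplen, linktype, [(c, o) for _, c, o, _ in recs], cut_short(recs))
```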
 