Should I have a wireshark group?

Some time ago I installed Wireshark from the F37 repo and it’s been working fine. I start it with sudo wireshark in a terminal in order to actually capture packets off the net. However, I apparently should be a member of the wireshark group so that I don’t have to start it via sudo? But there is no wireshark group on my system. Should this have been created when I installed it via dnf?

It may well be that I missed a question or answered wrongly when prompted, I don’t recall. On Windows, the Wireshark installation does ask you if you want to run it without Admin privileges. If you get this wrong (which I did recently) then you’re prompted by UAC about a hundred times before you get to actually capture anything (maybe I slightly exaggerated the figure, but only slightly).

The absence of the wireshark group raises another question: how do you create groups that have root/sudoer privileges so that you don’t have to use sudo if you’re the member of the group? How does Linux confer elevated privileges to a process such that you don’t have to start it via sudo or while logged in as root? Specifically, how does Wireshark get access to the packet capture/BPF API if I’m not root/running with sudo?

What is a good source for understanding how the access control model works on Linux (from a systems programming perspective)? I’m researching a product that I would like to run with root privileges but without having to be root or use sudo: it might be (or include) a daemon, a system process or a kernel object. I’ve not written the latter for Linux, it’s been decades since I wrote a daemon proper, and I’ve never written a service process for Linux either (I have done all of the above for Windows/NT). Any pointers to online sources or books detailing the nitty gritty of privilege levels and access control for Linux processes would be very welcome, thanks! (I’ve referenced for some information so far, but there’s a load I’ve yet to read, and I have a copy of Linux Device Drivers, 3rd Edition on my machine, and ditto with the lots-to-read.)


Try reinstalling the Wireshark packages:

sudo dnf -y reinstall wireshark\*

Then check the output:

rpm -q -a wireshark\*; getent group wireshark

Yes, see:

rpm -q --scripts wireshark-cli

See the above output.

There are multiple methods:

  • File ownership and permissions configured with udev rules for devices:
ls -l /dev/usbmon*; cat /usr/lib/udev/rules.d/*wireshark*.rules
  • Polkit rules for applications:
sudo grep -r -e wheel /usr/share/polkit-1/rules.d
  • Setuid bit and file permissions for executables:
ls -l $(find /usr/{bin,sbin} -perm /u=s,g=s)
getcap /usr/bin/dumpcap; ls -l /usr/bin/dumpcap

The latter method mentioned above with CAP_NET_ADMIN and CAP_NET_RAW:

rpm -q -f /usr/bin/dumpcap

I just sudo dnf install’ed Wireshark on a new F37 installation. The group is created but I’m not in it. I logged in again just in case something needed to be reloaded. The above commands yield:


(Why fc36 if I’m on F37? Just bits not updated, or a repo mismatch?)

I also checked a Debian 11 installation: that has Wireshark installed (sudo apt install) but I need to run it with sudo there too.

I don’t think there’s anything i need to do other than install packages from the respective repo using the appropriate package manager?

On Fedora I’m a member of 2 groups: wheel and myself. On Debian I’m a member of about 10 groups (such as libvirt, cdrom, sudo, etc.), some of which I created myself, but none of which are wireshark. I’m sure that in the past I’ve installed wireshark and not needed to use sudo.

I added myself to wireshark via usermod -aG wireshark $USER, logged in and I can capture net traffic without sudo.

Any thoughts about why I’m not getting automatically added? Maybe I’m mistaken and automatically adding the user that installs wireshark to the wireshark group is not a normal thing. But then there’s no rubric anywhere (that I saw) letting you know that it might be a good idea if you want to capture traffic without having to use sudo from a terminal e.g.

Thanks for your help above!

1 Like

Enable the updates repo and perform a full upgrade:

sudo dnf config-manager --enable updates
sudo dnf --refresh upgrade

If the issue persists, check this:

dnf repolist; dnf -q list wireshark\*

Sudoers NOPASSWD option not working - #25 by vgaetera

1 Like