“tcpdump -w 1.pcap” works, but “tcpdump -C 100 -w 1.pcap” - permission denied

说谎 2021-01-02 06:50

I need to limit the file size when I run "tcpdump -w 1.pcap". I try to do this with the key "-C", but when I add it I get the error "permission denied". So:

3 Answers
  • 2021-01-02 07:25

    I experienced similar issues on Ubuntu 12.04 LTS, and my case was fixed by the procedure below.

    sudo apt-get install apparmor-utils
    

    The aa-complain command, which was referred to by user2704275, is included in this package.

    If your environment is a RedHat/CentOS distro, you can run the same command with yum.

    sudo aa-complain /usr/sbin/tcpdump
    

    This will change the AppArmor mode of tcpdump from "enforce" to "complain". You can check the AppArmor status in /sys/kernel/security/apparmor/profiles.

    Then I was able to run tcpdump successfully with sudo.

    After getting the tcpdump capture, for security reasons, you might revert the AppArmor status to the previous mode with the command below.

    sudo aa-enforce /usr/sbin/tcpdump
    

    Regards.

    0 Discussion (0)
  • 2021-01-02 07:27

    I experienced similar problems when I tried to read from a file, like

    tcpdump -r example.cap 'icmp[icmptype] = icmp-echo'
    

    For me, AppArmor caused the problem; I had to switch from 'enforcement' mode to 'complain' mode on 'tcpdump'. Run the following command as root:

    aa-complain /usr/sbin/tcpdump
    
    0 Discussion (0)
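The complain, capture, enforce sequence from the first answer (the second answer uses the same aa-complain step) can be wrapped so the profile is always put back in enforce mode. This is an added example, not code from either answer; the names `aa_profile_mode`, `with_complain`, `PROFILES`, `AA_COMPLAIN` and `AA_ENFORCE` are illustrative, and it assumes the profiles file lists one `name (mode)` entry per line and that the script runs as root.

```shell
#!/bin/sh
# Added example (not from the answers); function and variable names are illustrative.
# Assumes the profiles file holds one "name (mode)" entry per line; run as root.
PROFILES=${PROFILES:-/sys/kernel/security/apparmor/profiles}
AA_COMPLAIN=${AA_COMPLAIN:-aa-complain}
AA_ENFORCE=${AA_ENFORCE:-aa-enforce}

# Print the mode of profile $1; exit status is non-zero if it is not loaded.
aa_profile_mode() {
    awk -v p="$1" '
        { name = $0; sub(/ \([^()]*\)$/, "", name) }
        name == p { mode = $NF; gsub(/[()]/, "", mode); print mode; found = 1; exit }
        END { exit !found }' "$PROFILES"
}

# Run "$@" with profile $1 in complain mode, then put it back in enforce mode.
with_complain() {
    profile=$1; shift
    before=$(aa_profile_mode "$profile") || {
        echo "no loaded AppArmor profile named $profile" >&2; return 2; }
    if [ "$before" = enforce ]; then
        $AA_COMPLAIN "$profile" >/dev/null || return 3
    fi
    # Ctrl-C is the usual way to stop tcpdump; a no-op trap keeps this shell
    # alive so the restore step below still runs.
    trap : INT TERM
    rc=0; "$@" || rc=$?
    if [ "$before" = enforce ]; then
        $AA_ENFORCE "$profile" >/dev/null || true
        [ "$(aa_profile_mode "$profile")" = enforce ] ||
            echo "WARNING: $profile is not back in enforce mode" >&2
    fi
    trap - INT TERM
    return "$rc"
}

# Usage (as root): with_complain /usr/sbin/tcpdump tcpdump -C 100 -w 1.pcap
```

A profile that was already in complain mode before the call is left as it was found.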
  • 2021-01-02 07:29

    You need to do -Z root. Read the man page:

       -Z     Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user.
    
              This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root.
    
    0 Discussion (0)