I need to limit file size when I run "tcpdump -w 1.pcap". I try to do this with the key "-C", but when I add it I get error "permission denied". So:
> sudo tcpdump -w 1.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C821 packets captured
847 packets received by filter
24 packets dropped by kernel
But:
> sudo tcpdump -C 100 -w 1.pcap
tcpdump: 1.pcap: Permission denied
I run the command from my home directory and I tried to remove and create the file before running the command with different permissions, finally I have:
-rwxrwxrwx 1 root root 0 Aug 5 10:30 1.pcap
or
-rwxrwxrwx 1 fd8 users 0 Aug 5 10:30 1.pcap
Could you suggest why in the second case I can't write to the file?
I experienced similar problems when I tried to read from file, like
tcpdump -r example.cap 'icmp[icmptype] = icmp-echo'
For me AppArmor caused the problem I had to switch from 'enforcement' mode to 'complain' mode on 'tcpdump'. Run the following command as root:
aa-complain /usr/sbin/tcpdump
You need to do -Z root
. Read the man page:
-Z Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user.
This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root.
I experienced similar issues on Ubuntu 12.04 LTS and my case was fixed as below procedures.
sudo apt-get install apparmor-utils
The aa-complain command which referred by user2704275 is included in this package.
If your environment is RedHat/CentOS distro, you can same command by yum.
sudo aa-complain /usr/sbin/tcpdump
This will change AppArmor mode of tcpdump from "enforce" to "complain". You can check AppArmor status in /sys/kernel/security/apparmor/profiles.
Then I can success to get tcpdump with sudo.
After getting tcpdump, for security reason, you might revert apparmor status to previous mode as below command.
sudo aa-enforce /usr/sbin/tcpdump
Regards.
来源:https://stackoverflow.com/questions/18050659/tcpdump-w-1-pcap-works-but-tcpdump-c-100-w-1-pcap-permission-denied