The kernel refuses to let tcpdump sniff packets without root privileges because packet capture requires opening a raw socket on a network interface, an operation the kernel reserves for privileged processes.

The problem you’re facing is that tcpdump needs to open a raw socket to capture network traffic, and on Linux, creating raw sockets is a privileged operation. By default, only the root user can do this. You’ve tried running tcpdump as a regular user and got a "permission denied" error, or perhaps it simply captured nothing. This is because your user account lacks the privilege the kernel checks before it allows a raw socket to be created.

Here’s how to grant tcpdump the specific permission it needs without giving it full root access, using Linux capabilities.

Common Causes and Fixes

  1. Missing CAP_NET_RAW Capability

    • Diagnosis: Check current capabilities of the tcpdump executable:
      getcap /usr/sbin/tcpdump
      
      If this command outputs nothing or shows an empty string, the capability is not set.
    • Fix: Grant the CAP_NET_RAW capability to the tcpdump executable:
      sudo setcap cap_net_raw+ep /usr/sbin/tcpdump
      
      This command adds the CAP_NET_RAW capability to the effective (e) and permitted (p) sets of the /usr/sbin/tcpdump binary. The +ep means "add capability to effective and permitted sets."
    • Why it works: CAP_NET_RAW specifically allows a process to create raw sockets, which is precisely what tcpdump needs to capture packets at the network interface level without needing full root.
  2. Missing CAP_NET_ADMIN Capability (Less Common for Basic Capture)

    • Diagnosis: While CAP_NET_RAW is usually sufficient for basic packet capture, some advanced tcpdump features or specific interface configurations might implicitly require CAP_NET_ADMIN. Check with:
      getcap /usr/sbin/tcpdump
      
      Look for cap_net_admin.
    • Fix: If CAP_NET_ADMIN is missing and you suspect it’s needed for your specific use case:
      sudo setcap cap_net_raw,cap_net_admin+ep /usr/sbin/tcpdump
      
      This adds both CAP_NET_RAW and CAP_NET_ADMIN to the executable’s capabilities.
    • Why it works: CAP_NET_ADMIN allows for network interface configuration and management. While not strictly for capturing packets, some interactions with the network stack might depend on it, especially if tcpdump is trying to put interfaces into promiscuous mode or manipulate routing.
  3. Incorrect Path to tcpdump

    • Diagnosis: Ensure you are setting capabilities on the correct tcpdump executable. Run which tcpdump to find its location.
    • Fix: If which tcpdump returns something other than /usr/sbin/tcpdump (e.g., /bin/tcpdump), use that path in the setcap command:
      sudo setcap cap_net_raw+ep /bin/tcpdump
      
    • Why it works: Capabilities are tied to specific executable files. If you set them on the wrong file, the tcpdump command you run won’t inherit them.
  4. SELinux/AppArmor Restrictions

    • Diagnosis: Check system logs for SELinux or AppArmor denials related to tcpdump or network access. For SELinux, use sudo ausearch -m avc -ts recent. For AppArmor, check /var/log/syslog or /var/log/audit/audit.log.
    • Fix: This is more complex and depends on your distribution and security policy. You might need to adjust SELinux booleans or AppArmor profiles. A temporary (and less secure) workaround for SELinux might be:
      sudo semanage fcontext -a -t tcpdump_exec_t "/usr/sbin/tcpdump"
      sudo restorecon -v /usr/sbin/tcpdump
      
      Or, if you’re certain it’s a policy issue and want to allow it broadly (use with caution):
      sudo setsebool -P tcpdump_can_network 1
      
      For AppArmor, you’d typically edit the tcpdump profile in /etc/apparmor.d/.
    • Why it works: SELinux and AppArmor are Mandatory Access Control (MAC) systems that can impose stricter rules than standard Linux permissions. They might prevent even a capability-enabled tcpdump from accessing network devices if the policy doesn’t explicitly allow it.
  5. libcap Library Not Installed or Incompatible

    • Diagnosis: The setcap command is part of the libcap package. If it’s not found, the package is likely missing.
      command -v setcap
      
      If this returns nothing, setcap is not in your PATH.
    • Fix: Install the libcap package. On Debian/Ubuntu:
      sudo apt-get update
      sudo apt-get install libcap2-bin
      
      On RHEL/CentOS/Fedora:
      sudo yum update
      sudo yum install libcap
      
      Then retry the setcap command.
    • Why it works: The setcap utility is the interface for manipulating file capabilities. Without it, you cannot grant the necessary capabilities to the tcpdump binary.
  6. Network Interface Not Available or Misconfigured

    • Diagnosis: Even with correct capabilities, tcpdump needs a valid network interface to listen on. Check if the interface is up and has an IP address (though tcpdump can capture on interfaces without IPs).
      ip a
      
      Look for interfaces like eth0, enp3s0, wlan0, etc., that are marked UP.
    • Fix: Bring the interface up and assign an IP address if necessary:
      sudo ip link set dev eth0 up
      sudo ip addr add 192.168.1.100/24 dev eth0
      
      (Replace eth0 and IP details with your actual interface and network configuration.)
    • Why it works: tcpdump operates by attaching to a specific network interface. If the interface is down or non-existent, tcpdump cannot capture traffic from it, regardless of its own permissions.

After successfully setting the capabilities, you should be able to run tcpdump as a non-root user:

tcpdump -i eth0 'tcp port 80'

If the capabilities are set correctly but you name an interface that doesn’t exist or isn’t recognized by the system, the next error you’ll likely encounter is tcpdump: no suitable device found.
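To confirm that the setcap steps in items 1 and 2 actually took effect, and that a running tcpdump really received the capability, the following script is added here as an example; it is not part of the original guide or of tcpdump. It parses the getcap output shown above (both the older "path = cap+ep" style and the newer "path cap=ep" style), and decodes the CapEff bitmask that the kernel reports in /proc/<pid>/status. The capability bit numbers (CAP_NET_ADMIN = 12, CAP_NET_RAW = 13) come from the kernel’s capability.h and are a stable ABI; the RUN_LIVE switch and the function names are this example’s own conventions.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that the file
# capability really took and that a running tcpdump actually holds it.
# Bit numbers are from <linux/capability.h> and are a stable kernel ABI.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_effective_cap "<getcap output line>" <cap name>
# Succeeds (exit 0) only if the named capability is in the Effective set.
# Understands both getcap output styles:
#   /usr/sbin/tcpdump = cap_net_raw+ep      (older libcap)
#   /usr/sbin/tcpdump cap_net_raw=ep        (libcap 2.41 and later)
# A capability that is only Permitted (e.g. "cap_net_raw=p") is reported as
# missing: tcpdump does not raise capabilities itself, so without 'e' the
# kernel never activates it at exec time.
has_effective_cap() {
    line=$1; want=$2
    spec=${line#* }      # drop the path: "= cap_net_raw+ep" or "cap_net_raw=ep"
    spec=${spec#= }      # drop the old-style " = " separator if present
    for clause in $spec; do              # clauses are space-separated
        names=${clause%%[+=-]*}          # e.g. "cap_net_admin,cap_net_raw"
        flags=${clause#"$names"}         # "+ep" / "=ep" / "-e"
        op=${flags%"${flags#?}"}         # first character: the operator
        flags=${flags#?}                 # the remaining flag letters
        [ "$op" = "-" ] && continue      # '-' clauses remove flags, never grant
        case ",$names," in
            *",$want,"*) ;;
            *) continue ;;
        esac
        case $flags in *e*) return 0 ;; esac
    done
    return 1
}

# cap_in_mask <hex CapEff mask> <bit>
# Succeeds if the bit is set in a /proc/<pid>/status CapEff/CapPrm value.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capeff_of_pid <pid>: print the CapEff mask of a live process.
capeff_of_pid() {
    sed -n 's/^CapEff:[[:space:]]*//p' "/proc/$1/status"
}

# Live check (example convention): RUN_LIVE=1 sh check_caps.sh, with a
# non-root tcpdump already running in another terminal.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    bin=$(command -v tcpdump)
    if has_effective_cap "$(getcap "$bin")" cap_net_raw; then
        echo "file capability OK on $bin"
    else
        echo "cap_net_raw not effective on $bin; run: sudo setcap cap_net_raw+ep $bin"
    fi
    pid=$(pgrep -n -x tcpdump) && {
        mask=$(capeff_of_pid "$pid")
        cap_in_mask "$mask" "$CAP_NET_RAW" && echo "pid $pid holds CAP_NET_RAW" \
            || echo "pid $pid lacks CAP_NET_RAW (CapEff=$mask)"
    }
fi
```

Checking the live process matters because a file capability is only half the story: the kernel also drops it if the binary lives on a filesystem mounted nosuid, or if the capability bounding set was narrowed earlier in the process’s ancestry. Keep in mind that a file capability is granted to every local user who can execute the binary; if that is broader than intended, restrict execute permission on /usr/sbin/tcpdump to a dedicated group.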
