Packet capture on Linux with Wireshark often fails because the user running Wireshark doesn’t have the permissions needed to open the network interface for capture and put it into promiscuous mode.

Common causes and fixes:

  1. Missing CAP_NET_RAW capability for dumpcap:

    • Diagnosis: Run getcap /usr/sbin/dumpcap. If it doesn’t show cap_net_raw+ep, this is the problem.
    • Fix: Grant the capability: sudo setcap cap_net_raw+ep /usr/sbin/dumpcap.
    • Why it works: dumpcap (the command-line utility Wireshark uses for capture) needs the CAP_NET_RAW capability to open raw network sockets, which are required for capturing packets directly from the interface.
  2. User not in the wireshark group:

    • Diagnosis: Run groups <your_username>. Check if wireshark is listed.
    • Fix: Add your user to the wireshark group: sudo usermod -aG wireshark <your_username>. You’ll need to log out and log back in for this to take effect.
    • Why it works: The wireshark group is typically granted specific permissions to access capture devices. By adding yourself, you inherit those permissions.
  3. Incorrect dumpcap ownership or permissions:

    • Diagnosis: Run ls -l /usr/sbin/dumpcap. It should be owned by root:root and have permissions like -rwxr-xr-x.
    • Fix: If ownership is wrong, set it: sudo chown root:root /usr/sbin/dumpcap. If permissions are wrong, set them: sudo chmod 755 /usr/sbin/dumpcap.
    • Why it works: dumpcap must be owned by root and executable so that, when it runs, it can use its elevated privileges (or file capabilities) to perform the capture. Incorrect ownership or permissions either prevent it from running or strip it of that privilege.
  4. Network interface not in promiscuous mode:

    • Diagnosis: While Wireshark is running and attempting to capture, run ip link show <interface_name> (e.g., ip link show eth0). Look for the PROMISC flag. If it’s not present, the interface isn’t in promiscuous mode.
    • Fix: Enable promiscuous mode for the interface: sudo ip link set <interface_name> promisc on.
    • Why it works: By default, network interfaces only capture packets destined for their own MAC address. Promiscuous mode forces the interface to capture all packets it sees on the wire, regardless of destination.
  5. AppArmor or SELinux blocking access:

    • Diagnosis: Check system logs for audit or syslog entries mentioning dumpcap or wireshark and "denied." For SELinux, sudo ausearch -m avc -ts recent. For AppArmor, sudo dmesg | grep -i apparmor.
    • Fix: This is highly system-dependent. For SELinux, you might need to adjust policies (e.g., sudo semanage fcontext -a -t ... or sudo setenforce 0 temporarily for testing). For AppArmor, you might need to edit profiles in /etc/apparmor.d/. A common fix is to ensure the dumpcap executable has the correct security context.
    • Why it works: Mandatory Access Control systems like SELinux and AppArmor add an extra layer of security, restricting what processes can do even if they have standard Unix permissions. If the security policy doesn’t explicitly allow dumpcap to access raw sockets, it will be blocked.
  6. libpcap not installed or corrupted:

    • Diagnosis: Wireshark itself might report errors about libpcap or "No capture devices found". Running sudo dumpcap -D should list interfaces; if it fails with library errors, this is a suspect.
    • Fix: Reinstall libpcap and wireshark: sudo apt-get install --reinstall libpcap0.8 wireshark-common (Debian/Ubuntu) or sudo dnf reinstall libpcap wireshark-qt (Fedora/RHEL).
    • Why it works: libpcap is the library that interfaces with the kernel for packet capture. If it’s missing, outdated, or corrupted, Wireshark and dumpcap cannot function.

After fixing the privilege issues, the next error you’ll likely encounter is "The capture session could not be initiated on interface '<interface_name>'".
