How to use POSIX capabilities to allow non-root users to perform network packet capturing on Linux

... because it seemed a sensible thing to do, but I couldn't find a single concise document saying how to do it! These instructions worked for me on a recent Debian testing installation, YMMV.

For specific users (or, the right way)

  1. Install the tools:
    sudo aptitude install libcap2-bin
  2. Grant the necessary programs the ability to inherit the CAP_NET_RAW capability when execed:

    sudo /sbin/setcap cap_net_raw+ei /usr/bin/dumpcap
    sudo /sbin/setcap cap_net_raw+ei /usr/sbin/tcpdump

    (dumpcap is the backend used by Wireshark).

  3. Add the pam_cap module to your authentication process, eg. add something like:

    auth    required

    ... to the top of /etc/pam.d/common-auth.

  4. Create /etc/security/capability.conf (using, for example, /usr/share/doc/libcap2-bin/examples/capability.conf), and grant the desired users the CAP_NET_RAW privilege. For example:

    # needed to run packet sniffers
    cap_net_raw             andrewb

For all users (or, the lazy/easy way)

Replace step 2 above with:

sudo /sbin/setcap cap_net_raw+ep /usr/bin/dumpcap
sudo /sbin/setcap cap_net_raw+ep /usr/sbin/tcpdump

... and skip the remaining steps. This means that every time these processes are execed, they will automatically acquire the CAP_NET_RAW capability.