I wonder why I need to be root (well, probably "only" need a net-related
capability) when generating a bpf filter:
uwe@perseus:~$ /usr/sbin/tcpdump -d ether dst 01:02:03:04:05:06
tcpdump: wlp2s0: You don't have permission to capture on that device
(socket: Operation not permitted)
When run with sudo strace I see that tcpdump creates a packet socket and
puts the device into promiscuous mode. But after the bpf program is
dumped the socket is closed before it was read from.
So the obvious improvement is to not use a socket at all with -d, which
would allow this program to be called with fewer capabilities.
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (800, 'testing'), (600, 'unstable'), (500, 'testing-debug'),
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages tcpdump depends on:
ii libc6 2.23-2
ii libpcap0.8 1.7.4-3
tcpdump recommends no packages.
tcpdump suggests no packages.
-- no debconf information
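Added example (not from the bug report or from tcpdump itself): the filter compiler only needs a link type, not a live device, so an unprivileged user can get the same `-d` listing today by pointing tcpdump at a header-only pcap savefile. The tcpdump path, the constructed header and the filter expression are assumptions of this example.

```python
"""Compile a tcpdump/BPF filter without capture privilege.

Constructed example: write a 24-byte pcap global header (no packets) and run
`tcpdump -r <file> -d <expr>`.  The savefile supplies the link type, so tcpdump
never opens a packet socket or needs CAP_NET_RAW for this operation.
"""
import os
import shutil
import struct
import subprocess
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap savefile magic (microsecond timestamps)
DLT_EN10MB = 1            # Ethernet link type, the one an `ether dst` filter is built for
_HDR = "<IHHiIII"         # magic, major, minor, thiszone, sigfigs, snaplen, linktype


def pcap_global_header(linktype=DLT_EN10MB, snaplen=65535):
    """Return the 24-byte little-endian pcap global header (version 2.4)."""
    return struct.pack(_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def parse_global_header(data):
    """Decode a pcap global header; raises ValueError on a bad magic."""
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(_HDR, data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap savefile")
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}


def compile_filter_offline(expr, linktype=DLT_EN10MB):
    """Return the `tcpdump -d` listing for expr, or None if tcpdump is absent.

    Runs as the invoking user: no device is opened, so no capture permission
    is required.  Failures of tcpdump itself are raised with its stderr.
    """
    tcpdump = shutil.which("tcpdump") or "/usr/sbin/tcpdump"  # assumed path
    if not os.path.exists(tcpdump):
        return None
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dead.pcap")
        with open(path, "wb") as f:
            f.write(pcap_global_header(linktype))
        proc = subprocess.run([tcpdump, "-r", path, "-d", expr],
                              capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout


if __name__ == "__main__":
    print(compile_filter_offline("ether dst 01:02:03:04:05:06") or "tcpdump not installed")
```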