Package: tcpdump
Version: 4.7.4-3
Severity: minor
File: /usr/sbin/tcpdump

Hello,

I wonder why I need to be root (well, probably "only" need a net related
capability) when generating a bpf filter:

	uwe@perseus:~$ /usr/sbin/tcpdump -d ether dst 01:02:03:04:05:06
	tcpdump: wlp2s0: You don't have permission to capture on that device
	(socket: Operation not permitted)

When run with sudo strace I see that tcpdump creates a packet socket and
puts the device into promiscuous mode. But after the bpf program is
dumped the socket is closed before it was read from.

So the obvious improvement is to not use a socket at all with -d, which
would allow calling this program with fewer capabilities.

Thanks
Uwe

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (800, 'testing'), (600, 'unstable'), (500, 'testing-debug'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tcpdump depends on:
ii  libc6       2.23-2
ii  libpcap0.8  1.7.4-3

tcpdump recommends no packages.

tcpdump suggests no packages.

-- no debconf information
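
The socket-free compilation the report asks for can be done through libpcap's pcap_open_dead(), which returns a handle that is not bound to any device. The following is an added example, not part of the original report and not tcpdump's code, calling libpcap from Python through ctypes as an unprivileged user. The Ethernet link type, the 262144-byte snaplen and the helper names are assumptions of this example.

```python
import ctypes
import ctypes.util

DLT_EN10MB = 1  # Ethernet link type (assumed; the report's device is wlp2s0)

class BpfInsn(ctypes.Structure):      # mirrors struct bpf_insn
    _fields_ = [("code", ctypes.c_ushort), ("jt", ctypes.c_ubyte),
                ("jf", ctypes.c_ubyte), ("k", ctypes.c_uint32)]

class BpfProgram(ctypes.Structure):   # mirrors struct bpf_program
    _fields_ = [("bf_len", ctypes.c_uint),
                ("bf_insns", ctypes.POINTER(BpfInsn))]

def _load_libpcap():
    name = ctypes.util.find_library("pcap")
    if name is None:
        raise RuntimeError("libpcap not found")
    lib = ctypes.CDLL(name)
    # Declare prototypes so 64-bit pointers are not truncated to int.
    lib.pcap_open_dead.restype = ctypes.c_void_p
    lib.pcap_open_dead.argtypes = [ctypes.c_int, ctypes.c_int]
    lib.pcap_compile.restype = ctypes.c_int
    lib.pcap_compile.argtypes = [ctypes.c_void_p, ctypes.POINTER(BpfProgram),
                                 ctypes.c_char_p, ctypes.c_int, ctypes.c_uint32]
    lib.pcap_geterr.restype = ctypes.c_char_p
    lib.pcap_geterr.argtypes = [ctypes.c_void_p]
    lib.pcap_freecode.restype = None
    lib.pcap_freecode.argtypes = [ctypes.POINTER(BpfProgram)]
    lib.pcap_close.restype = None
    lib.pcap_close.argtypes = [ctypes.c_void_p]
    return lib

def compile_filter(expr, linktype=DLT_EN10MB, snaplen=262144):
    """Return [(code, jt, jf, k), ...] without opening a socket or device."""
    lib = _load_libpcap()
    handle = lib.pcap_open_dead(linktype, snaplen)  # "dead" handle: no device
    if not handle:
        raise RuntimeError("pcap_open_dead failed")
    prog = BpfProgram()
    try:
        # optimize=1; 0xffffffff is PCAP_NETMASK_UNKNOWN
        if lib.pcap_compile(handle, ctypes.byref(prog), expr.encode(),
                            1, 0xFFFFFFFF) != 0:
            raise ValueError(lib.pcap_geterr(handle).decode(errors="replace"))
        insns = [(i.code, i.jt, i.jf, i.k)
                 for i in (prog.bf_insns[n] for n in range(prog.bf_len))]
        lib.pcap_freecode(ctypes.byref(prog))
        return insns
    finally:
        lib.pcap_close(handle)
```

Calling compile_filter("ether dst 01:02:03:04:05:06") yields the raw instruction tuples that tcpdump -d would print as mnemonics, and it needs no net-related capability.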