This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark/Tshark Ubuntu usbmon error

0

I ran tshark on Ubuntu/Windows 10 as follows

$ tshark -i 6

Capturing on 'usbmon1'

tshark: The capture session could not be initiated on interface 'usbmon1' (Can't open USB bus file /sys/kernel/debug/usb/usbmon/1t: Permission denied). Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified. 0 packets captured

(I get the same message when I run Wireshark)

I followed instructions on this web site including "sudo dpkg-reconfigure wireshark-common"; responding "yes", signing off and on. Again I got the same error message.

WiresharAny idea how to fix this problem?

Update: Thank you for the advice that I got from the community

I was able to handle usbmon as suggested and I got to capture data for it. he way for me to run tshark without errors was by executing it through gksudo.

gksudo -- tshark -i 1 -l -a duration:30

The -- between gksudo and tshark are necessary for tshark to interpret the parameters. The only problem is that ^C does not stop the running program

asked 01 Jun '17, 13:25

jh2222's gravatar image

jh2222
6113
accept rate: 0%

edited 06 Jun '17, 06:30

What does ls -l /usr/bin/dumpcap print?

(01 Jun '17, 13:56) Guy Harris ♦♦

ls -l /usr/bin/dumpcap -rwxr-xr-- 1 root wireshark 88272 Apr 8 2016 /usr/bin/dumpcap

(06 Jun '17, 03:20) jh2222

You really should not be running tshark (or Wireshark) as root. If you think you have to do that, it simply means you haven't given sufficient capture privileges to your user on the required interfaces.

(06 Jun '17, 06:52) grahamb ♦

One Answer:

0

On Linux, you need to load the usbmon module (sudo modprobe usbmon) and make the /dev/usbmonX files readable for your user (sudo setfacl -m u:$USER:r /dev/usbmon*). After doing so you can capture USB traffic as a regular user.

Alternatively you can allow any user that executes the capture process to bypass file permissions (this is done by Arch Linux for example), but might be more risky.

sudo setcap CAP_DAC_OVERRIDE+eip /usr/bin/dumpcap

See https://wiki.wireshark.org/CaptureSetup/USB

answered 04 Jun '17, 08:55

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

edited 04 Jun '17, 08:56

Thank you. It works. So both usbmon1 and usbmon2 capture packets!

(04 Jun '17, 18:09) jh2222

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(06 Jun '17, 04:34) grahamb ♦