"tcpdump -w 1.pcap" works, but "tcpdump -C 100 -w 1.pcap" - permission denied

tcpdump rights

fd8 · Aug 5, 2013 · Viewed 16k times · Source

I need to limit file size when I run "tcpdump -w 1.pcap". I try to do this with the key "-C", but when I add it I get error "permission denied". So:

> sudo tcpdump -w 1.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C821 packets captured
847 packets received by filter
24 packets dropped by kernel

But:

> sudo tcpdump -C 100 -w 1.pcap
tcpdump: 1.pcap: Permission denied

I run the command from my home directory and I tried to remove and create the file before running the command with different permissions, finally I have:

-rwxrwxrwx 1 root root 0 Aug  5 10:30 1.pcap

-rwxrwxrwx 1 fd8 users 0 Aug  5 10:30 1.pcap

Could you suggest why in the second case I can't write to the file?

Answer

You need to do -Z root. Read the man page:

   -Z     Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user.

          This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root.

"tcpdump -w 1.pcap" works, but "tcpdump -C 100 -w 1.pcap" - permission denied

Answer

Related questions