tcpdump: permission denied running as root
Running tcpdump with the -w option to write the raw packets to a file fails with a “tcpdump: packets: Permission denied” error, even when the command is run by root –
    # lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 14.04 LTS
    Release: 14.04
    Codename: trusty
    # tcpdump -i eth0 -nn -l -s 2000 'port 8000' -w packets
    tcpdump: packets: Permission denied
The user, in this case root, can create and delete files in this directory –
    root@vm:/opt# pwd
    /opt
    root@vm:/opt# id
    uid=0(root) gid=0(root) groups=0(root)
    root@vm:/opt# touch myfile
    root@vm:/opt# rm myfile
The same command succeeds in /tmp and /root (the home directory of the root user) –
    root@newsvm1010:/opt# cd /tmp/
    root@newsvm1010:/tmp# tcpdump -i eth0 -nn -l -s 2000 'port 8000' -w packets
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes
Easy fix – make sure to run it under /tmp or /root.
Root cause and permanent fix
The underlying cause was AppArmor: it was set to “enforce” mode, and changing it to “complain” mode for tcpdump resolved the issue.
Before fix –
    grep tcp /sys/kernel/security/apparmor/profiles
After fix –
    # apt-get install apparmor-utils
    # aa-complain /usr/sbin/tcpdump
    Setting /usr/sbin/tcpdump to complain mode.
    # grep tcp /sys/kernel/security/apparmor/profiles
    /usr/sbin/tcpdump (complain)
    # cd /opt/
    root@vm:/opt# tcpdump -i eth0 -nn -l -s 2000 'port 8000' -w packets
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes
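To confirm that AppArmor, rather than file permissions, produced the error, the profile mode and the kernel's denial records can be checked directly. The script below is an added example, not part of the original post; the function names and the sample profile list and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: attribute a tcpdump "Permission denied" to AppArmor.
# Live use (both functions read stdin):
#   profile_mode /usr/sbin/tcpdump < /sys/kernel/security/apparmor/profiles
#   dmesg | apparmor_denials /usr/sbin/tcpdump

# Constructed sample data, modelled on the securityfs list and kernel audit lines.
SAMPLE_PROFILES='/usr/sbin/ntpd (enforce)
/usr/sbin/tcpdump (enforce)'
SAMPLE_LOG='[ 101.000001] type=1400 audit(1400000000.101:21): apparmor="DENIED" operation="mknod" profile="/usr/sbin/tcpdump" name="/opt/packets" pid=2101 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 102.000002] type=1400 audit(1400000001.202:22): apparmor="ALLOWED" operation="open" profile="/usr/sbin/tcpdump" name="/opt/packets" pid=2150 comm="tcpdump" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[ 103.000003] type=1400 audit(1400000002.303:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/example.conf" pid=2200 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print the mode (enforce/complain) of profile $1 from a profiles list on stdin.
profile_mode() {
    awk -v p="$1" '$1 == p { gsub(/[()]/, "", $2); print $2 }'
}

# Print "operation path denied_mask" for each denial charged to profile $1.
apparmor_denials() {
    awk -v p="$1" '
        # Return the value of key="value" on the current line, or "-".
        function field(key,   m) {
            if (!match($0, " " key "=\"[^\"]*\"")) return "-"
            m = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", m)
            sub(/"$/, "", m)
            return m
        }
        field("apparmor") == "DENIED" && field("profile") == p {
            print field("operation"), field("name"), field("denied_mask")
        }'
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_PROFILES" | profile_mode /usr/sbin/tcpdump
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials /usr/sbin/tcpdump
```

Once the profile is in complain mode, the same access is logged as apparmor="ALLOWED" instead of being blocked, so it no longer appears in the denial output.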