tcpdump: permission denied running as root

Running tcpdump with (-w) option in order to write the raw packets to a file fails with “tcpdump: packets: Permission denied” error, even if the command was run by root –

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04 LTS
Release: 14.04
Codename: trusty
# tcpdump -i eth0 -nn -l -s 2000 'port 8000' -w packets
tcpdump: packets: Permission denied

User, in this case root, can create and delete files in this directory –

root@vm:/opt# pwd
/opt
root@vm:/opt# id
uid=0(root) gid=0(root) groups=0(root)
root@vm:/opt# touch myfile
root@vm:/opt# rm myfile

Succeeds in /tmp and /root (home directory of root user ) –

root@newsvm1010:/opt# cd /tmp/
root@newsvm1010:/tmp# tcpdump -i eth0 -nn -l -s 2000 'port 8000' -w packets
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes

Easy fix resolution  – make sure to run it under /tmp or /root.

Root cause and permanent fix

The underlying cause was AppArmor, it was set in “enforce” mode and changing it to “complain” mode for tcpdump resolved the issue.

Before fix –

grep tcp /sys/kernel/security/apparmor/profiles

After fix –

# apt-get install apparmor-utils

# aa-complain /usr/sbin/tcpdump
Setting /usr/sbin/tcpdump to complain mode.

# grep tcp /sys/kernel/security/apparmor/profiles
/usr/sbin/tcpdump (complain)

# cd /opt/
root@vm:/opt# tcpdump -i eth0 -nn -l -s 2000 'port 8000' -w packets
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes