Using wireshark as an unprivileged user to analyze USB traffic

Hi,
I am trying to read USB traffic with wireshark. For this I activate usbmon

sudo modprobe usbmon

But whenever I try to sniff my USB connection I get a message like this:

You do not have permission to capture on device “usbmon1”.

(Attempt to open /dev/usbmon1 failed with EACCES - root privileges may be required)

Please check to make sure you have sufficient permissions.

On Debian and Debian derivatives such as Ubuntu, if you have installed Wireshark from a package, try running

sudo dpkg-reconfigure wireshark-common

selecting “” in response to the question

Should non-superusers be able to capture packets?

adding yourself to the “wireshark” group by running

sudo usermod -a -G wireshark {your username}

and then logging out and logging back in again.

If you did not install Wireshark from a package, ensure that Dumpcap has the needed CAP_NET_RAW and CAP_NET_ADMIN capabilities by running

sudo setcap cap_net_raw,cap_net_admin=ep {path/to/}dumpcap

and then restarting Wireshark.

I am already in the wireshark group and installed wireshark as a module (programs.wireshark.enable = true;). However this seems to not help very much with USB but only with network traffic.

Is there any advice how to adjust my settings to get this working?

Thanks in advance

I found out temporarily it can be done with

sudo chgrp wireshark /dev/usbmon*
sudo chmod g+r /dev/usbmon*

Just for the record if anybody else needs a solution to this, too. To solve this permanently add

  services.udev = {
    extraRules = ''
      SUBSYSTEM=="usbmon", GROUP="wireshark", MODE="0640"
    '';
  };

to your configuration.nix

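One way to confirm that the udev rule above took effect, as an added example that is not part of the original posts: it checks each usbmon node for the expected group and group read access, and also fails a node that every local user can access, since usbmon exposes all traffic on a bus, keyboard input included. The function names and the reliance on a `stat` that supports `-c` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit usbmon nodes after the udev rule from the thread.
# Assumes a stat that supports -c (GNU coreutils or busybox).

# check_node PATH GROUP
# Returns 0 only if PATH belongs to GROUP, is group-readable, and grants
# nothing to "other"; 1 on a permission problem; 2 if PATH is missing.
check_node() {
    node=$1
    want=$2
    [ -e "$node" ] || { echo "$node: missing (is usbmon loaded?)"; return 2; }
    group=$(stat -c '%G' "$node")
    mode=000$(stat -c '%a' "$node")      # pad so short modes still have 3 digits
    other=${mode#"${mode%?}"}            # last octal digit
    rest=${mode%?}
    grp=${rest#"${rest%?}"}              # second-to-last octal digit
    if [ "$group" != "$want" ]; then
        echo "$node: group is $group, expected $want"; return 1
    fi
    if [ $((grp & 4)) -eq 0 ]; then
        echo "$node: group $want cannot read it"; return 1
    fi
    if [ "$other" -ne 0 ]; then
        echo "$node: accessible to every local user (other=$other)"; return 1
    fi
    echo "$node: ok"
}

# in_group GROUP: true if the *current session* carries GROUP. A freshly
# added membership only shows up after logging out and back in.
in_group() {
    id -Gn | tr ' ' '\n' | grep -qx -- "$1"
}

# audit_usbmon GROUP: check every usbmon node plus the caller's membership.
audit_usbmon() {
    rc=0
    in_group "$1" || { echo "current session is not in group $1"; rc=1; }
    for n in /dev/usbmon*; do
        check_node "$n" "$1" || rc=1
    done
    return $rc
}

# Run the audit only when a group name is passed, e.g.: sh audit.sh wireshark
if [ "$#" -gt 0 ]; then audit_usbmon "$1"; fi
```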