tcpdump post script Permission denied

Asked by Kaltsi on 2011-08-18

I would like to monitor TCP packets and use a post-rotate script, such as zipping them, but I always get Permission denied when tcpdump creates a new file.

Code: sudo tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
compress_savefile:execlp(gzip, snoop.pcap0): Permission denied
compress_savefile:execlp(gzip, snoop.pcap1): Permission denied
compress_savefile:execlp(gzip, snoop.pcap2): Permission denied

What am I doing wrong?

ps aux

root 4500 1.8 0.2 19024 4424 pts/0 S+ 13:10 0:07 tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap
root 4607 1.2 0.1 19024 3360 pts/0 SN+ 13:10 0:03 tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap
root 4608 1.5 0.1 19024 3360 pts/0 SN+ 13:10 0:05 tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap
root 4609 0.9 0.1 19024 3360 pts/0 SN+ 13:10 0:03 tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap
root 4630 1.4 0.1 19024 3360 pts/0 SN+ 13:12 0:03 tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap
root 4691 15.5 0.1 19024 3360 pts/0 SN+ 13:16 0:01 tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap
root 4697 12.5 0.1 19024 3360 pts/0 SN+ 13:16 0:00 tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap
root 4716 4.6 0.1 19024 3360 pts/0 SN+ 13:16 0:00 tcpdump -n -s 1500 -C 1 -W 10 -z gzip -i eth0 -w snoop.pcap

lsof

tcpdump 4500 root 4w REG 104,17 528774 11010063 /home/kalacskai/snoop.pcap4
tcpdump 4607 root 4w REG 104,17 1000055 11010062 /home/kalacskai/snoop.pcap3
tcpdump 4608 root 4w REG 104,17 1001299 11010061 /home/kalacskai/snoop.pcap2
tcpdump 4609 root 4w REG 104,17 1000055 11010062 /home/kalacskai/snoop.pcap3
tcpdump 4630 root 4w REG 104,17 1000055 11010062 /home/kalacskai/snoop.pcap3
tcpdump 4691 root 4w REG 104,17 1000055 11010062 /home/kalacskai/snoop.pcap3
tcpdump 4697 root 4w REG 104,17 1000055 11010062 /home/kalacskai/snoop.pcap3
tcpdump 4716 root 4w REG 104,17 528774 11010063 /home/kalacskai/snoop.pcap4

Question information

Language: English
Status: Expired
For: Ubuntu tcpdump
Assignee: No assignee
Last query: 2011-08-18
Last reply: 2011-09-03
Launchpad Janitor (janitor) said : #1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Zaki Akhmad (zakiakhmad) said : #2

I have the same problem. I've asked at Wireshark users mailing list.
http://www.wireshark.org/lists/wireshark-users/201202/msg00025.html

Zaki Akhmad (zakiakhmad) said : #3

I run tcpdump with -z option at Debian, and it works!

Zaki Akhmad (zakiakhmad) said : #4

Problem solved now. It didn't work on Ubuntu because of the AppArmor configuration.

1) See the apparmor configuration
# grep tcpdump /sys/kernel/security/apparmor/profiles

2) Change it to complain mode
# aa-complain /usr/sbin/tcpdump

Reference:
http://ubuntuforums.org/showthread.php?t=1501339
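Added example, not part of the thread above: instead of switching the whole tcpdump profile to complain mode, read the AppArmor "DENIED" lines the kernel logs for the failed `-z gzip` exec and derive the one profile rule that would allow it. The log lines are constructed in the format the AppArmor kernel module emits (pids and timestamps made up); the profile name `/usr/sbin/tcpdump` and the `/etc/apparmor.d/local/` override location are assumptions about the Ubuntu packaging.

```shell
#!/bin/sh
# Constructed sample of what `dmesg` / /var/log/kern.log shows when the
# tcpdump profile blocks the -z post-rotate command. The third line is an
# unrelated denial, included to show that filtering by profile works.
SAMPLE_LOG='kernel: [ 120.1] type=1400 audit(1313666425.1:29): apparmor="DENIED" operation="exec" parent=4500 profile="/usr/sbin/tcpdump" name="/bin/gzip" pid=4607 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
kernel: [ 121.3] type=1400 audit(1313666426.2:30): apparmor="DENIED" operation="exec" parent=4500 profile="/usr/sbin/tcpdump" name="/bin/gzip" pid=4608 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
kernel: [ 130.0] type=1400 audit(1313666435.0:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print one "<path> <denied_mask>" pair per distinct exec denial recorded
# for the given profile. Usage: exec_denials "$LOG" /usr/sbin/tcpdump
exec_denials() {
    log=$1; profile=$2
    printf '%s\n' "$log" |
      grep 'apparmor="DENIED"' |
      grep "profile=\"$profile\"" |
      grep 'operation="exec"' |
      sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
      sort -u
}

# Turn each denied exec into a profile rule. "ixr" = execute with the
# child inheriting the tcpdump profile (gzip stays confined) plus read
# access to the binary. Only "x" denials produce a rule.
suggest_rules() {
    exec_denials "$1" "$2" | while read -r path mask; do
        case $mask in
            *x*) printf '  %s ixr,\n' "$path" ;;
        esac
    done
}

# The suggested lines belong in the site override (assumed path:
# /etc/apparmor.d/local/usr.sbin.tcpdump), followed by a profile reload
# with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump`.
# `sudo aa-status` then confirms the profile is still in enforce mode.
suggest_rules "$SAMPLE_LOG" /usr/sbin/tcpdump
```

Run against the real log with `suggest_rules "$(dmesg)" /usr/sbin/tcpdump` to see what the live denials translate to.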