On Tue, 18 Oct 2016 09:43:37 +0200 Uwe Kleine-König <uklei...@debian.org> wrote:
> I wonder why I need to be root (well, probably "only" need a net related
> capability) when generating a bpf filter:

Because 1) in order to generate a BPF filter, you need a link-layer header type; 2) when tcpdump was written, the -d option didn't take a "use this link-layer header type" argument to specify the link-layer header type, so it used the link-layer header type of whatever input source would have been used without -d; 3) that means opening the input source; 4) and opening a device for capturing on most platforms requires some form of privilege by default.

> So the obvious improvement is to not use a socket at all with -d which
> would allow to call this program with less capabilities.

...and would require a way to specify the link-layer read type, so the only way not to use a socket with -d, as it exists, is to use -r and read from a file.

If you don't want that, the only alternative is to add a new flag that works like -d but that takes a name for a link-layer header type as an argument, e.g.

	tcpdump --dump-bpf-with-dlt EN10MB ip

("default to DLT_EN10MB" isn't the right answer - it provides no alternative for people who want a program for 802.11 or PPP or...).
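An added example, not code from this thread or from tcpdump itself, showing the "-r and read from a file" workaround mentioned in the reply turned into a general, unprivileged way to get -d output for any link-layer header type. The idea is that -d only needs a DLT and a snaplen, and -r takes both from the savefile's global header, so a 24-byte pcap file with no packets in it is enough; the `put_le32`, `make_empty_pcap` and `compile_bpf_for_dlt` names and the sample DLT numbers (1 = DLT_EN10MB, 9 = DLT_PPP, 105 = DLT_IEEE802_11) are this script's own choices, while tcpdump's -r and -d options are the real ones. It assumes a tcpdump binary is on the PATH for the final demonstration loop.

```shell
#!/bin/sh
# Added example, not code from the original thread or from tcpdump itself.
# A packet-less pcap file whose global header carries the wanted DLT lets
# "tcpdump -r FILE -d FILTER" compile the BPF program for that DLT without
# ever opening a capture device, so no root or CAP_NET_RAW is needed.
# Function names and the DLT numbers used below are this script's own.

# Emit a 32-bit value as four little-endian bytes (octal escapes via printf).
put_le32() {
    v=$1
    printf "$(printf '\\%03o\\%03o\\%03o\\%03o' \
        $(( v & 255 )) $(( (v >> 8) & 255 )) \
        $(( (v >> 16) & 255 )) $(( (v >> 24) & 255 )))"
}

# Write a 24-byte pcap global header (and nothing else) advertising DLT $1 to file $2.
make_empty_pcap() {
    {
        put_le32 $((0xa1b2c3d4))    # magic: little-endian, microsecond timestamps
        put_le32 $((0x00040002))    # version_major=2, version_minor=4 (two uint16)
        put_le32 0                  # thiszone
        put_le32 0                  # sigfigs
        put_le32 262144             # snaplen, tcpdump's default
        put_le32 "$1"               # network: the DLT the filter is compiled for
    } > "$2"
}

# Compile FILTER for DLT $1 and print the BPF program; never opens a device.
compile_bpf_for_dlt() {
    dlt=$1; shift
    f=$(mktemp)
    make_empty_pcap "$dlt" "$f"
    tcpdump -r "$f" -d "$@"
    rc=$?
    rm -f "$f"
    return $rc
}

# Demonstration: the same filter compiled for three different link layers.
# Skipped cleanly when tcpdump is not installed.
if command -v tcpdump >/dev/null 2>&1; then
    for dlt in 1 9 105; do      # DLT_EN10MB, DLT_PPP, DLT_IEEE802_11
        echo "== DLT $dlt, filter 'ip' =="
        compile_bpf_for_dlt "$dlt" ip
    done
fi
```

Running the loop shows why a fixed default DLT would be the wrong answer: for DLT_EN10MB the program for `ip` starts by loading the Ethertype at offset 12, while for PPP and 802.11 the offsets and checks differ, so the DLT has to come from somewhere, and here it comes from the file header instead of a privileged socket.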