The referenced page explains that one possible cause of a "permission denied" message when running tcpdump is Ubuntu's AppArmor profile for it. The syslog will contain something like this (if you run tcpdump with the "-r" switch to read from a packet capture dump):
Jan 15 14:09:21 somehost kernel: [877965.617109] type=1400 audit(1452863361.199:133): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/home/someuser/capture-21980_2016-01-14T15-37-01.dump" pid=9724 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
You can check the AppArmor profile here:
/etc/apparmor.d/usr.sbin.tcpdump
The reason for the above error message was the filename: the AppArmor profile grants read permission only on files with the ".pcap" extension. Simply renaming the file solved my problem. However, if you really have to work around something in the profile, you can add your own rules to
/etc/apparmor.d/local/usr.sbin.tcpdump
which is included in the main profile at the end (thus you can override everything that was set in the main profile).
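The following is an added example, not code from the original post or from AppArmor: it parses a DENIED line like the one above and proposes the narrowest matching rule for the local include file. The function names are hypothetical, and it assumes a path-named profile whose file name follows the usr.sbin.tcpdump convention shown above.

```python
import re

# Sample input: the syslog line quoted earlier on this page.
SAMPLE = ('Jan 15 14:09:21 somehost kernel: [877965.617109] type=1400 '
          'audit(1452863361.199:133): apparmor="DENIED" operation="open" '
          'profile="/usr/sbin/tcpdump" '
          'name="/home/someuser/capture-21980_2016-01-14T15-37-01.dump" '
          'pid=9724 comm="tcpdump" requested_mask="r" denied_mask="r" '
          'fsuid=1000 ouid=1000')

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks -> profile permissions; "c" (create) and "d" (delete) fall under "w".
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "k": "k"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV.findall(line):
        fields[key] = bare or quoted
        if key == "name" and bare:
            try:  # audit hex-encodes names containing spaces or special characters
                fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
    return fields


def suggest_local_rule(line):
    """Return (local_file, rule) for a file denial, or None if not applicable."""
    f = parse_denial(line)
    if not f or not f.get("name", "").startswith("/"):
        return None
    profile, path = f.get("profile", ""), f["name"]
    # Skip non-path profiles and paths AppArmor would read as globs.
    if not profile.startswith("/") or re.search(r'[*?\[\]{}^"]', path):
        return None
    perms = []
    for ch in f.get("denied_mask", ""):
        if ch not in MASK_TO_PERM:
            return None  # e.g. "x": exec rules need a human decision
        if MASK_TO_PERM[ch] not in perms:
            perms.append(MASK_TO_PERM[ch])
    if not perms:
        return None
    if re.search(r"\s", path):
        path = f'"{path}"'  # paths with whitespace must be quoted in a rule
    local_file = "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")
    return local_file, f"{path} {''.join(perms)},"
```

After adding the suggested rule to the local file, reload the profile with "apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump" for it to take effect.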
P.S.: if you just want to disable the AppArmor profile, check out this other post on the same blog.