How to fix tcpdump error with file permission denied

Last updated on November 21, 2020 by Dan Nanni

Question: When I run tcpdump with the -r option to read from a packet dump file, I am getting an error from tcpdump saying that "file permission denied". I am getting this error even when I run tcpdump with root privilege. How can I fix this error?

If this problem happens on Ubuntu, AppArmor (Ubuntu's access control system) may be interfering with tcpdump when it attempts to read the packet dump file.

To verify that AppArmor is indeed causing this problem, look for denial messages in the system log:

$ sudo cat /var/log/syslog | grep denied
Jan  7 10:48:50 server kernel: [1706354.881017] type=1400 audit(1389109730.217:14): apparmor="DENIED" operation="open" parent=26733 profile="/usr/sbin/tcpdump" name="/home/dev/packet.dump" pid=26734 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1001
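
A narrower version of the check above, as an added example that is not part of the original article: instead of matching every line that contains "denied", this shell function prints the operation, access mask and file path of each AppArmor denial logged against one profile. The function names and the last two sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): list AppArmor denials for one profile.

# apparmor_denials LOGFILE PROFILE
# Prints "<operation> <requested_mask> <path>" for every denial logged against PROFILE.
apparmor_denials() {
    awk -v want="$2" '
        # Return the value of key="value" on the current line, or "" if absent.
        function field(key,    s) {
            if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)   # strip everything up to the opening quote
            sub(/"$/, "", s)        # strip the closing quote
            return s
        }
        field("apparmor") == "DENIED" && field("profile") == want {
            print field("operation"), field("requested_mask"), field("name")
        }
    ' "$1"
}

# Sample log: the first line is the one shown above; the other two are constructed
# to show lines that a plain "grep denied" would also return.
make_sample_log() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
Jan  7 10:48:50 server kernel: [1706354.881017] type=1400 audit(1389109730.217:14): apparmor="DENIED" operation="open" parent=26733 profile="/usr/sbin/tcpdump" name="/home/dev/packet.dump" pid=26734 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1001
Jan  7 10:49:02 server exampled[812]: request denied by local policy
Jan  7 10:49:10 server kernel: [1706374.100000] type=1400 audit(1389109750.000:15): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/example" name="/etc/example.conf" pid=900 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
    printf '%s\n' "$sample"
}

log=$(make_sample_log)
apparmor_denials "$log" /usr/sbin/tcpdump   # open r /home/dev/packet.dump
rm -f "$log"
```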

To avoid this problem, you can temporarily disable the restrictive AppArmor profile for tcpdump by removing it from the kernel (tcpdump then runs unconfined until the profile is loaded again):

$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump

If you want to disable the AppArmor profile permanently across reboots, refer to this tutorial.


Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
