Resolving “tcpdump: out.pcap: Permission denied” Error on Fedora Linux


1 views

While attempting to capture network traffic on my Fedora 17 system (kernel 3.6.10-2), I encountered this frustrating error when running:

tcpdump -i p3p1 -n -w out.pcap -C 16

The command fails with:

tcpdump: out.pcap: Permission denied

Several factors come into play here:

  • Running as root user (prompt shows #)
  • Using Fedora 17 (Beefy Miracle release)
  • Trying to write to current working directory
  • Using -C option for rotating capture files

First attempts often include:

sudo chmod 777 /path/to/directory
# Security risk! Never do this in production

Or:

touch out.pcap && chmod 666 out.pcap
# Doesn't solve rotation file permission issues

For reliable packet capture:

# Best practice for tmp location:
tcpdump -i p3p1 -n -w /tmp/out.pcap -C 16 -Z root

# Preferred production approach:
mkdir -p /var/capture
chown root:root /var/capture
chmod 755 /var/capture
tcpdump -i p3p1 -n -w /var/capture/out.pcap -C 16 -Z root

Key points:

  • -Z root ensures proper ownership during rotation
  • /tmp or /var locations typically have correct permissions
  • Directory permissions matter more than file permissions

For service integration, create a systemd service file:

[Unit]
Description=Network capture service
After=network.target

[Service]
ExecStart=/usr/sbin/tcpdump -i p3p1 -n -w /var/capture/out.pcap -C 16 -Z root -W 10
Restart=always
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p /var/capture
ExecStartPre=/bin/chown root:root /var/capture
ExecStartPre=/bin/chmod 755 /var/capture

[Install]
WantedBy=multi-user.target

This ensures proper environment setup before tcpdump starts.

On modern Fedora systems, check SELinux context:

ls -Z /var/capture
chcon -t tcpdump_exec_t /var/capture

If still facing issues, temporarily check if SELinux is the culprit:

setenforce 0
# Test your tcpdump command
setenforce 1

When running tcpdump with the -w flag to save packet captures to a file, you might encounter the frustrating "Permission denied" error. This typically occurs when:

  • The user doesn't have write permissions in the current directory
  • The target file exists and is owned by another user
  • SELinux policies are restricting file creation

Here are the most effective ways to resolve this:

# Solution 1: Run as root (not recommended for security reasons)
sudo tcpdump -i eth0 -w out.pcap

# Solution 2: Specify a directory where you have write permissions
tcpdump -i eth0 -w /tmp/out.pcap

# Solution 3: Change ownership of existing file
sudo chown $USER out.pcap

For a more secure approach, let's examine the directory permissions:

ls -ld .
drwxr-xr-x. 2 root root 4096 Dec 12 10:00 .

# To grant your user write access:
sudo chown $USER .
# OR
sudo chmod 777 .  # Less secure

On Fedora systems, SELinux might be blocking file creation. Check with:

# Check SELinux status
getenforce

# If enforcing, try:
sudo setenforce 0
# Then retry tcpdump

For regular packet capturing, consider creating a dedicated directory:

sudo mkdir /var/captures
sudo chown $USER /var/captures
tcpdump -i eth0 -w /var/captures/out.pcap -C 16

The -C 16 option creates 16MB capture files, rotating when full. Ensure you have sufficient disk space.

Modern tcpdump versions support dropping privileges:

sudo tcpdump -i eth0 -w out.pcap -Z $USER

This starts as root (to access interfaces) then drops to your user for file operations.