How to fix tcpdump error with file permission denied

Question: When I run tcpdump with "-r" option to read from a packet dump file, I am getting an error from tcpdump saying that "file permission denied". I am getting this error even when I run tcpdump with root privilege. How can I fix this error?

If this problem happens on Ubuntu, AppArmor (Ubuntu's access control system) may be blocking tcpdump from reading the packet dump file.

To verify this, check the system log for AppArmor denials:

$ sudo grep denied /var/log/syslog
Jan  7 10:48:50 server kernel: [1706354.881017] type=1400 audit(1389109730.217:14): apparmor="DENIED" operation="open" parent=26733 profile="/usr/sbin/tcpdump" name="/home/dev/packet.dump" pid=26734 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1001
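
The denial record above can be read field by field. The following is an added example (not part of the original article) that filters syslog lines for one AppArmor profile and reports the denied path, operation, mask, and whether the process's fsuid matches the file's ouid. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Print one summary line per AppArmor denial logged for the given profile.
# Reads syslog-style lines on stdin, e.g.:
#   sudo cat /var/log/syslog | aa_denials /usr/sbin/tcpdump
aa_denials() {
    awk -v want="$1" '
    # Value of key=value or key="value" in string s ("" if absent).
    function field(s, key,    v) {
        if (!match(s, " " key "=(\"[^\"]*\"|[^ ]*)")) return ""
        v = substr(s, RSTART, RLENGTH)
        sub(/^[^=]*=/, "", v)
        gsub(/"/, "", v)
        return v
    }
    /apparmor="DENIED"/ {
        rec = " " $0
        if (field(rec, "profile") != want) next
        fsuid = field(rec, "fsuid"); ouid = field(rec, "ouid")
        # AppArmor "owner" rules apply only when fsuid equals the file owner uid.
        who = (fsuid == ouid) ? "owner" : "not-owner"
        printf "%s op=%s mask=%s fsuid=%s ouid=%s %s\n", \
            field(rec, "name"), field(rec, "operation"), \
            field(rec, "denied_mask"), fsuid, ouid, who
    }'
}

# Sample input: the first line is the record shown in the article, the second
# is constructed (hypothetical profile and path) to show the filter at work.
sample_lines() {
    cat <<'EOF'
Jan  7 10:48:50 server kernel: [1706354.881017] type=1400 audit(1389109730.217:14): apparmor="DENIED" operation="open" parent=26733 profile="/usr/sbin/tcpdump" name="/home/dev/packet.dump" pid=26734 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1001
Jan  7 10:49:02 server kernel: [1706366.000000] type=1400 audit(1389109742.000:15): apparmor="DENIED" operation="open" parent=100 profile="/usr/bin/example" name="/tmp/example.txt" pid=101 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
EOF
}

sample_lines | aa_denials /usr/sbin/tcpdump
```

For the article's record this shows that tcpdump, running as root (fsuid=0), was denied read access to a file owned by uid 1001.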

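To avoid this problem, you can temporarily disable the restrictive AppArmor profile for tcpdump by removing it from the kernel as follows. Until the profile is loaded again, tcpdump runs without AppArmor confinement.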

$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump

If you want to disable the AppArmor profile permanently across reboots, refer to this tutorial.
