It is sometimes necessary to capture the content of network traffic. Most people use a tool like wireshark or tcpdump to do that. Since these tools have the need to listen in promiscuous mode to the network interface, most people run them as root. Wireshark has had a lot of vulnerabilities in the code, which is unavoidable with the enormous amount of protocols being supported by reverse engineering. They have taken steps in the past to mitigate the impact of vulnerabilities by using a separate tool, dumpcap, which has a much smaller and simpler codebase.
Still, most people run wireshark as root, ‘because then it works’. Right, Gerald Combs has written an article on how to configure your system with capabilities so you don’t have to run wireshark as root any more. It works by granting users you want to be able to capture, the capability of being able to capture. That simple.
Continuous improvement 