
tcpdump -z always results in permission error


My objective is to run sudo tcpdump -i eno1 -G 5 -w "/var/captures/capture-%Y-%m-%d_%H-%M-%S.pcap" -z /var/test.sh and process the pcap files as they are generated.

For some reason, I keep getting a permission error:

tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
compress_savefile: execlp(/var/captures/test.sh, /var/captures/capture-2025-03-25_19-05-55.pcap) failed: Permission denied
compress_savefile: execlp(/var/captures/test.sh, /var/captures/capture-2025-03-25_19-06-00.pcap) failed: Permission denied
compress_savefile: execlp(/var/captures/test.sh, /var/captures/capture-2025-03-25_19-06-05.pcap) failed: Permission denied

I've tried to assign ownership of the test.sh to root, to tcpdump, but no matter what I do, it results in the same error.

I also tried switching completely to root and trying it out, but it's not working.


Solution

  • Okay, so the issue seems to be with AppArmor.

    I stopped, disabled AppArmor with systemctl, and restarted my computer, and it seems to work now.
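
A way to confirm from the kernel log that AppArmor, rather than file ownership, is what denies the -z exec. This is an added example, not part of the original question or answer; the log lines, the profile name /usr/bin/tcpdump and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample kernel audit lines (not taken from the original post).
sample_log() {
cat <<'EOF'
Mar 25 19:05:55 host kernel: audit: type=1400 audit(1742929555.101:201): apparmor="DENIED" operation="exec" profile="/usr/bin/tcpdump" name="/var/captures/test.sh" pid=4242 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Mar 25 19:05:56 host kernel: audit: type=1400 audit(1742929556.007:202): apparmor="ALLOWED" operation="open" profile="/usr/bin/tcpdump" name="/var/captures/capture-2025-03-25_19-05-55.pcap" pid=4242 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 25 19:06:00 host kernel: audit: type=1400 audit(1742929560.330:203): apparmor="DENIED" operation="exec" profile="/usr/bin/tcpdump" name="/var/captures/test.sh" pid=4242 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Mar 25 19:06:01 host kernel: audit: type=1400 audit(1742929561.900:204): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Read a kernel log on stdin and print one tab-separated line per distinct
# AppArmor denial made against the tcpdump process:
#   count <TAB> profile <TAB> denied path <TAB> denied mask
tcpdump_denials() {
  awk '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key) {
      if (!match($0, " " key "=\"[^\"]*\"")) return ""
      return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    /apparmor="DENIED"/ && field("comm") == "tcpdump" {
      seen[field("profile") "\t" field("name") "\t" field("denied_mask")]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
  ' | sort
}

# Exit 0 if the log on stdin shows tcpdump being denied execute ("x")
# permission on the path given as $1, exit 1 otherwise.
exec_denied_for() {
  tcpdump_denials |
    awk -F'\t' -v p="$1" '$3 == p && $4 ~ /x/ { hit = 1 } END { exit !hit }'
}

# Demo on the constructed sample: the ALLOWED line and the cupsd line are ignored.
sample_log | tcpdump_denials
```

On a live system the same functions read the real kernel log, for example journalctl -k | tcpdump_denials. The reported path and mask point at the one permission the tcpdump profile lacks, which is narrower than turning AppArmor off for the whole machine.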