Tested on Ubuntu 18.04.
You will want to allow non-root users to capture packets. These users must be part of the wireshark group.
$ sudo apt update
$ sudo apt install -y tshark
In this example we are using the ubuntu user.
$ sudo usermod -aG wireshark ubuntu
$ sudo mkdir -p /opt/data/network
$ sudo chown -R ubuntu. /opt/data
Capture all traffic on ports 53/80/443, rotating to a new pcap whenever the current file reaches 10MB (tshark takes the filesize in KB) and keeping at most 200 files, so no more than 2GB stays on disk.
$ sudo vim /opt/data/network/tshark.sh
Add the capture script
#!/bin/bash
# Ring-buffer capture: -a filesize is in KB (10000 KB ~ 10MB per file),
# -b files:200 keeps the 200 newest files (~2GB) and deletes the oldest.
# exec replaces the shell with tshark so systemd tracks the capture process itself.
exec tshark -a filesize:10000 -b files:200 -i eth0 -w /opt/data/network/sniff.pcap -f "port 80 or port 53 or port 443"
Make the script executable and owned by the capture user
$ sudo chmod +x /opt/data/network/tshark.sh
$ sudo chown ubuntu. /opt/data/network/tshark.sh
$ sudo vim /lib/systemd/system/tshark.service
Add the config below to this file /lib/systemd/system/tshark.service
[Unit]
Description=Tshark Capture Service
After=multi-user.target
[Service]
Type=idle
User=ubuntu
Group=ubuntu
ExecStart=/opt/data/network/tshark.sh
[Install]
WantedBy=multi-user.target
Change permissions of the systemd config and enable the service
$ sudo chmod 644 /lib/systemd/system/tshark.service
$ sudo systemctl daemon-reload
$ sudo systemctl enable tshark.service
$ sudo systemctl start tshark.service
Up to 2GB of pcaps will be stored here. Once 2GB of pcap data is on disk, tshark will begin deleting the oldest capture files to make room for new ones.
$ ll /opt/data/network/
total 20
drwxr-xr-x 2 ubuntu ubuntu 4096 Apr 7 20:55 ./
drwxr-xr-x 3 ubuntu ubuntu 4096 Apr 7 20:44 ../
-rw------- 1 ubuntu ubuntu 10016 Apr 7 21:02 sniff_00001_20200407205537.pcap
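A capture that silently stops is worse than none, so here is an added health check (not part of the original setup) that confirms the directory still looks like the ring buffer above: no more than 200 files, none far above the 10000 KB limit, and the newest file recently written. It assumes the filesize/files values from the capture script and the sniff_*.pcap naming tshark produces.

```shell
#!/bin/bash
# Health check for the tshark ring buffer configured above (added example).
MAX_FILE_KB=10000   # mirrors -a filesize:10000
MAX_FILES=200       # mirrors -b files:200
MAX_AGE_SEC=300     # flag a stall if the newest pcap is older than 5 minutes

# check_ring_buffer DIR [MAX_AGE_SEC]: prints findings, returns 0 only when healthy
check_ring_buffer() {
    local dir="$1" max_age="${2:-$MAX_AGE_SEC}" now count=0 newest=0 size_kb mtime rc=0
    now=$(date +%s)
    for f in "$dir"/sniff_*.pcap; do
        [ -e "$f" ] || continue          # pattern matched nothing
        count=$((count + 1))
        # tshark may overshoot the limit by one packet, so allow 10% slack
        size_kb=$(( $(stat -c %s "$f") / 1024 ))
        if [ "$size_kb" -gt $((MAX_FILE_KB * 11 / 10)) ]; then
            echo "oversized: $f (${size_kb} KB)"; rc=1
        fi
        mtime=$(stat -c %Y "$f")
        [ "$mtime" -gt "$newest" ] && newest=$mtime
    done
    if [ "$count" -eq 0 ]; then
        echo "no captures in $dir"; return 1
    fi
    if [ "$count" -gt "$MAX_FILES" ]; then
        echo "ring buffer overflow: $count files (limit $MAX_FILES)"; rc=1
    fi
    if [ $((now - newest)) -gt "$max_age" ]; then
        echo "capture stalled: newest file is $((now - newest))s old"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $count/$MAX_FILES files, ceiling $((MAX_FILE_KB * MAX_FILES / 1024)) MB"
    return "$rc"
}
```

Run it from cron or a systemd timer against /opt/data/network and alert on a non-zero exit.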
Transmission Control Protocol, Src Port: 55998, Dst Port: 443, Seq: 1, Ack: 1, Len: 0