diff -ur linux-2.4.26/include/linux/sysctl.h linux-2.4.26-patched/include/linux/sysctl.h
--- linux-2.4.26/include/linux/sysctl.h 2004-06-14 17:25:41.000000000 +0200
+++ linux-2.4.26-patched/include/linux/sysctl.h 2004-07-28 14:57:40.000000000 +0200
@@ -222,6 +222,7 @@
NET_CORE_MOD_CONG=16,
NET_CORE_DEV_WEIGHT=17,
NET_CORE_SOMAXCONN=18,
+ NET_CORE_CAPTURE_GROUP=19,
};
/* /proc/sys/net/ethernet */
Only in linux-2.4.26-patched/include/linux: sysctl.h.orig
diff -ur linux-2.4.26/net/core/sysctl_net_core.c linux-2.4.26-patched/net/core/sysctl_net_core.c
--- linux-2.4.26/net/core/sysctl_net_core.c 2004-02-18 14:36:32.000000000 +0100
+++ linux-2.4.26-patched/net/core/sysctl_net_core.c 2004-07-28 14:59:24.000000000 +0200
@@ -31,6 +31,8 @@
extern int sysctl_somaxconn;
extern int sysctl_hot_list_len;
+extern gid_t sysctl_capture_group;
+
#ifdef CONFIG_NET_DIVERT
extern char sysctl_divert_version[];
#endif /* CONFIG_NET_DIVERT */
@@ -92,6 +94,9 @@
{NET_CORE_SOMAXCONN, "somaxconn", &sysctl_somaxconn, sizeof(int), 0644, NULL, &proc_dointvec },
+ {NET_CORE_CAPTURE_GROUP, "capture_group", &sysctl_capture_group, sizeof(gid_t), 0644, NULL, &proc_dointvec },
#endif /* CONFIG_NET */
{ 0 }
};
diff -ur linux-2.4.26/net/packet/af_packet.c linux-2.4.26-patched/net/packet/af_packet.c
--- linux-2.4.26/net/packet/af_packet.c 2004-04-14 15:05:41.000000000 +0200
+++ linux-2.4.26-patched/net/packet/af_packet.c 2004-07-28 15:00:04.000000000 +0200
@@ -954,12 +954,16 @@
* Create a packet of type SOCK_PACKET.
*/
+/* If non-zero, id of group which is allowed to create SOCK_PACKETs. */
+gid_t sysctl_capture_group = 0;
+
static int packet_create(struct socket *sock, int protocol)
{
struct sock *sk;
int err;
- if (!capable(CAP_NET_RAW))
+ if (! (capable(CAP_NET_RAW) || (sysctl_capture_group != 0 && in_group_p(sysctl_capture_group))))
return -EPERM;
if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW
#ifdef CONFIG_SOCK_PACKET
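Review bot: The new capture_group table entry stores into a gid_t through proc_dointvec, which parses and writes int-sized signed values, so a write of -1 is accepted and lands in the unsigned gid_t as a very large group id instead of being rejected, and if sizeof(gid_t) ever differs from sizeof(int) the handler processes maxlen/sizeof(int) slots and the entry silently stops working. A bounded handler matches the unsigned semantics better: switch the entry to `&proc_dointvec_minmax` with extra1 pointing at a `static int zero = 0;` and no upper bound, assuming the 2.4 ctl_table layout where strategy, de, extra1 and extra2 follow proc_handler — confirm against the struct definition. The ctl_table array itself begins and ends outside this hunk.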
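Review bot: The comment on the new sysctl_capture_group global ("allowed to create SOCK_PACKETs") understates what the relaxed check in packet_create grants: the type test right below shows this is also the creation path for SOCK_RAW and SOCK_DGRAM packet sockets, and nothing in the hunk restricts the resulting socket to receiving, so members of the group presumably gain raw frame transmission on the interface as well, not just capture — worth confirming against the sendmsg path and stating explicitly, since the name reads as a read-only privilege. The 0 sentinel also means the root group can never be selected, which administrators should be told. I would replace the one-line comment with `/* If non-zero, members of this group may create AF_PACKET sockets (SOCK_RAW, SOCK_DGRAM, SOCK_PACKET) without CAP_NET_RAW; this permits sending as well as capturing. 0 disables the override, so gid 0 cannot be used. Exposed as the net.core capture_group sysctl. */`. packet_create's body continues past the end of the hunk.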