diff -ru linux-2.6.5/include/linux/sysctl.h linux-2.6.5-patched/include/linux/sysctl.h
--- linux-2.6.5/include/linux/sysctl.h	2004-04-04 05:37:23.000000000 +0200
+++ linux-2.6.5-patched/include/linux/sysctl.h	2004-07-12 13:32:30.000000000 +0200
@@ -231,6 +231,7 @@
 	NET_CORE_MOD_CONG=16,
 	NET_CORE_DEV_WEIGHT=17,
 	NET_CORE_SOMAXCONN=18,
+	NET_CORE_CAPTURE_GROUP=19,
 };
 
 /* /proc/sys/net/ethernet */
diff -ru linux-2.6.5/net/core/sysctl_net_core.c linux-2.6.5-patched/net/core/sysctl_net_core.c
--- linux-2.6.5/net/core/sysctl_net_core.c	2004-04-04 05:36:56.000000000 +0200
+++ linux-2.6.5-patched/net/core/sysctl_net_core.c	2004-07-12 13:29:36.000000000 +0200
@@ -31,6 +31,8 @@
 extern int sysctl_optmem_max;
 extern int sysctl_somaxconn;
 
+extern gid_t sysctl_capture_group;
+
 #ifdef CONFIG_NET_DIVERT
 extern char sysctl_divert_version[];
 #endif /* CONFIG_NET_DIVERT */
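Review bot: The `extern gid_t sysctl_capture_group;` added here refers to a variable that this patch defines in net/packet/af_packet.c, so net/core/sysctl_net_core.c will fail to link when packet sockets are built as a module or left out, assuming CONFIG_PACKET is still a tristate option in this tree. Defining the variable in built-in net/core code fixes both cases; guarding this declaration and the table entry with `#ifdef CONFIG_PACKET` only covers the built-in configuration. The declaration would also be better placed in a shared header, so that both files are checked against the same type.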
@@ -184,6 +186,14 @@
 		.mode		= 0644,
 		.proc_handler	= &proc_dointvec
 	},
+	{
+		.ctl_name	= NET_CORE_CAPTURE_GROUP,
+		.procname	= "capture_group",
+		.data		= &sysctl_capture_group,
+		.maxlen		= sizeof(gid_t),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec
+	},
 	{ .ctl_name = 0 }
 };
 
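Review bot: `proc_dointvec` parses and stores a signed `int`, but `.data` points at a `gid_t`, so this entry relies on `sizeof(gid_t) == sizeof(int)` and accepts negative input that ends up stored as a very large group id. Backing the entry with an `int` and bounding it from below (for example `proc_dointvec_minmax` with a zero minimum) would make the accepted range explicit. Write access is decided by the 0644 file mode alone, so whoever may write this file can hand packet-socket access to any group; a comment on the entry such as `/* gid allowed to open packet sockets without CAP_NET_RAW; 0 = disabled */` would record that.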
diff -ru linux-2.6.5/net/packet/af_packet.c linux-2.6.5-patched/net/packet/af_packet.c
--- linux-2.6.5/net/packet/af_packet.c	2004-04-04 05:37:36.000000000 +0200
+++ linux-2.6.5-patched/net/packet/af_packet.c	2004-07-12 13:44:03.000000000 +0200
@@ -950,13 +950,17 @@
  *	Create a packet of type SOCK_PACKET. 
  */
 
+/* If non-zero, id of group which is allowed to create SOCK_PACKETs. */
+gid_t sysctl_capture_group = 0;
+
 static int packet_create(struct socket *sock, int protocol)
 {
 	struct sock *sk;
 	struct packet_opt *po;
 	int err;
 
-	if (!capable(CAP_NET_RAW))
+	if (! (capable(CAP_NET_RAW) || 
+           (sysctl_capture_group != 0 && in_group_p(sysctl_capture_group))))
 		return -EPERM;
 	if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW
 #ifdef CONFIG_SOCK_PACKET
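Review bot: The new test in `packet_create()` lets members of `sysctl_capture_group` past the only permission check visible in this hunk, and nothing here limits the resulting socket to receiving, so the group gains everything a packet socket allows (sending link-layer frames included), not only capture. The comment on the variable should say so, e.g. `/* If non-zero, gid whose members may create packet sockets (receive and send) without CAP_NET_RAW. */`. `in_group_p()` also matches on the filesystem gid, which looks like the wrong identity for a socket permission; `in_egroup_p(sysctl_capture_group)` seems the better fit, if it is available in this tree. The continuation line with `sysctl_capture_group != 0` is indented with spaces where the file uses tabs, and `! (` is not the usual kernel spacing. The body of `packet_create()` continues past the end of the hunk.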
