
How to use tcpdump safely (-Z option vs file capabilities / setcap)?

1 vote
1 answer
7278 views
I am evaluating how tcpdump can be used in a safer manner with as few privileges as possible. Two possibilities:

## 1. -Z option

> If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.
>
> This behavior can also be enabled by default at compile time.

AFAIK tcpdump opens the network interface to be sniffed in promiscuous mode and a possible file (-r flag) as root, but changes to user privileges *before* any further output is started. This should minimize possible attack vectors, as parsing the network traffic and possible malicious network packets is done as an unprivileged user. E.g., what about taking user nobody to ensure minimum permissions:

```sh
tcpdump -i wlan0 -s 0 -Z nobody src portrange 1-80
```

## 2. setcap

Use setcap to add the file capabilities CAP_NET_ADMIN and CAP_NET_RAW to /usr/sbin/tcpdump, as suggested here and here:

```sh
sudo su
groupadd pcap
usermod -a -G pcap $USER
chgrp pcap /usr/sbin/tcpdump
chmod 750 /usr/sbin/tcpdump
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
```

## Comparison

The above solutions seem to be mutually exclusive: the -Z option docs state that user switching is only done if tcpdump is run as root. The disadvantage I see with solution 2: the malicious code would still have the user's permissions for tcpdump plus CAP_NET_ADMIN / CAP_NET_RAW. So I would favor solution 1. What do you think?
Asked by A_blop (165 rep)
Jan 11, 2021, 04:36 PM
Last activity: Aug 27, 2022, 03:31 AM
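A way to verify which of the two privilege models a running tcpdump actually ended up in, added here as an example and not part of the question or its answer: read the `Uid`, `Gid` and `CapEff` lines of the process's `/proc/<pid>/status` and classify them. The status snippets below are constructed samples, and uid 65534 for `nobody` is an assumption.

```python
import re

# Capability bit numbers from <linux/capability.h> (subset relevant here)
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    6: "cap_setgid", 7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw",
    21: "cap_sys_admin",
}
TCPDUMP_CAPS = {"cap_net_admin", "cap_net_raw"}  # what the setcap recipe grants

def decode_caps(hexmask):
    """Turn a CapEff hex mask into capability names (unknown bits as cap_<n>)."""
    mask = int(hexmask, 16)
    return {CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if (mask >> b) & 1}

def parse_status(text):
    """Extract effective uid/gid and effective capability set from /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(Uid|Gid|CapEff):\s+(.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).split()
    # Uid:/Gid: columns are real, effective, saved, filesystem
    return {"euid": int(fields["Uid"][1]), "egid": int(fields["Gid"][1]),
            "caps": decode_caps(fields["CapEff"][0])}

def assess(status_text):
    """Classify a tcpdump process's privilege state against the two models."""
    s = parse_status(status_text)
    if s["euid"] == 0:
        return "root: packet parsing runs with full privilege"
    if not s["caps"]:
        return "unprivileged user, no capabilities (-Z model)"
    if s["caps"] <= TCPDUMP_CAPS:
        return "unprivileged user keeping %s (setcap model)" % ",".join(sorted(s["caps"]))
    return "unexpected extra capabilities: %s" % ",".join(sorted(s["caps"] - TCPDUMP_CAPS))

# Constructed /proc/<pid>/status excerpts (not captured from a real system)
STATUS_Z = "Name:\ttcpdump\nUid:\t65534\t65534\t65534\t65534\nGid:\t65534\t65534\t65534\t65534\nCapEff:\t0000000000000000\n"
STATUS_SETCAP = "Name:\ttcpdump\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000003000\n"
STATUS_ROOT = "Name:\ttcpdump\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("-Z", STATUS_Z), ("setcap", STATUS_SETCAP), ("plain root", STATUS_ROOT)):
        print(label, "->", assess(text))
```

On a live system, replace the constructed strings with `open("/proc/%d/status" % pid).read()` for the tcpdump pid.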