viewing paste Unknown #52770 | Text
For sniffing, we're interested in:
CAP_NET_ADMIN - Allow various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables). 
CAP_NET_RAW - Permit use of RAW and PACKET sockets. 
CAP_NET_ADMIN allows us to set an interface to promiscuous mode, and CAP_NET_RAW permits raw access to an interface for capturing directly off the wire. These capabilities are assigned using the setcap utility.
 
apt-get install libcap2-bin
 
groupadd wireshark
usermod -a -G wireshark stretch
 
After adding yourself to the group, your normal user may have to log out and back in. Or, you can run newgrp to force the effect of the new group (you'll have to launch Wireshark from this same terminal environment in step 3):
newgrp wireshark
 
We assign the dumpcap executable to this group instead of Wireshark itself, as dumpcap is responsible for all the low-level capture work. Changing its mode to 750 ensures only users belonging to its group can execute the file.
chgrp wireshark /usr/bin/dumpcap
chmod 750 /usr/bin/dumpcap
 
Granting capabilities with setcap is a simple matter:
setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
In case you're wondering, that =eip bit after the capabilities list grants them in the effective, inheritable, and permitted bitmaps, respectively.
 
To verify our change, we can use getcap:
getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
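As an added audit example (not part of the paste), the following Python parses getcap output in both the older "path = caps" form shown above and the newer "path caps" form printed by recent libcap, then flags binaries that carry the sniffing capabilities while still being world-executable, i.e. where the chgrp/chmod 750 step was skipped. The getcap lines and file modes below are constructed sample data, and the clause parser is a simplified reading of the cap_to_text format.

```python
import re
import stat
from typing import Dict, Set, Tuple

# Capabilities the paste grants to dumpcap: CAP_NET_ADMIN (promiscuous mode)
# and CAP_NET_RAW (raw/packet sockets). Any file carrying them can sniff.
SNIFF_CAPS = {"cap_net_admin", "cap_net_raw"}

def parse_getcap_line(line: str) -> Tuple[str, Dict[str, Set[str]]]:
    """Parse one getcap line into (path, {cap: set of e/i/p flags}).
    Assumes the path contains no spaces."""
    path, _, text = line.strip().partition(" = ")      # old libcap: "path = caps"
    if not text:
        path, _, text = line.strip().partition(" ")    # new libcap: "path caps"
    flags: Dict[str, Set[str]] = {}
    # Space-separated clauses such as "cap_a,cap_b+eip", "cap_c=ep", "cap_d-i"
    for clause in text.split():
        m = re.fullmatch(r"([\w,]+)([=+-])([eip]*)", clause)
        if not m:
            raise ValueError(f"unparsable capability clause: {clause!r}")
        names, op, fl = m.group(1).split(","), m.group(2), set(m.group(3))
        for name in names:
            cur = flags.setdefault(name, set())
            if op == "=":
                cur.clear(); cur |= fl      # '=' replaces the flag set
            elif op == "+":
                cur |= fl                   # '+' adds flags
            else:
                cur -= fl                   # '-' removes flags
    return path, flags

def audit(getcap_output: str, modes: Dict[str, int]) -> Dict[str, str]:
    """Return {path: finding} for files whose effective/permitted sniffing
    capabilities are reachable by every local user (mode has o+x).
    `modes` maps path -> st_mode (e.g. os.stat(path).st_mode); it is passed in
    so the check can run on constructed data."""
    findings: Dict[str, str] = {}
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        granted = {c for c, f in caps.items() if f & {"e", "p"}} & SNIFF_CAPS
        if not granted:
            continue
        mode = modes.get(path)
        if mode is None:
            findings[path] = "sniffing capability on file with unknown mode"
        elif mode & stat.S_IXOTH:
            findings[path] = "world-executable with " + ",".join(sorted(granted))
    return findings

# Constructed sample: dumpcap hardened as on the page, a stray capture tool
# that was not, ping (legitimately cap_net_raw, surfaced for review), and an
# unrelated capability that must be ignored.
SAMPLE_GETCAP = """\
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/usr/bin/ping cap_net_raw=ep
/usr/local/bin/mycapture cap_net_raw,cap_net_admin=eip
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
"""
SAMPLE_MODES = {
    "/usr/bin/dumpcap": 0o100750,
    "/usr/bin/ping": 0o100755,
    "/usr/local/bin/mycapture": 0o100755,
    "/usr/bin/gnome-keyring-daemon": 0o100755,
}

if __name__ == "__main__":
    for p, why in audit(SAMPLE_GETCAP, SAMPLE_MODES).items():
        print(f"{p}: {why}")
```

On a real host, feed it `getcap -r / 2>/dev/null` and a dict built from `os.stat` for each reported path.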