I've been playing around with network traces and recently installed Wireshark (formerly Ethereal) which is a packet-capture tool that captures all the traffic across a network. (More from Wikipedia here.)
I had a bit of difficulty getting it up and running. Here is what I did:
Download the DMG from http://www.wireshark.org/download.html. Unpack it.
Move
Wireshark.appto/Applications/and copy all the executables in theUtilities/directory in the DMG to a place in your PATH, like/usr/local/bin/. (If you're running as a non-admin user, you'll have to authenticate as an admin to do this.)Now, anything in
/dev/bpf*needs to be both readable and writable by theadmingroup in order to run Wireshark. Unfortunately, we have to set these permissions during system start-up. The "Read me first.rtf" file in the Wireshark DMG explains how to copy over a start-up item that will handle this:The
Utilties/ChmodBPFfolder [on the DMG], contains the ChmodBPF startup item from thelibpcapdistribution. This can be used to set the permissions of/dev/bpf*when your system starts up. SeeUtilties/ChmodBPF/README.macosxfor more details.Copy the entire
ChmodBPFfolder to/Library/StartupItems. (again, if you're running as a non-admin, you'll have to authenticate as one to copy this over. In fact, Mac OS will probably ask you to "fix" this startup item and reboot after you reboot the first time after this.)At this point, you might think you can reboot and fire up Wireshark. Go for it; see what happens. However...
When you first start Wireshark you'll probably get an error that says something like:
The following errors were found while loading the MIBS: -:0 1 module-not-found failed to locate MIB module `IP-MIB' ...The key here is that Wireshark is looking for some stuff, and can't find it. After consulting this Wireshark bug thread, the solution seems to be simple:
- In Wireshark, open the Preferences ("Edit" -> "Preferences").
- Click on the "Name Resolution" tab.
- Click on "Edit" next to the entry for "SMI (MIB and PIB) paths".
- Click "New" and put
/usr/share/snmp/mibs/in there. - Click "Ok" until Preferences is closed. Restart Wireshark.
The error above should now be gone.
Now, if you're running as an admin user: first, shame on you, punk! Second, you'll probably see a list of network interfaces in Wireshark in the "Interface List". That's good and you're ready to start capturing packets.
However, if you don't see any available interfaces, you're probably running as a non-admin. If you plan on running as a non-admin when you use Wireshark in the future, you need to make one more change. The problem here is that the
ChmodBPFstart-up item we installed earlier (that changes permissions on/dev/bpf*) only works for users in theadmingroup. So, we need a way of allowing the user you're running as to at least read stuff in/dev/bpf*.A simple solution, and you can do this to check and see if you can capture with this change is to simply do
sudo chmod o+r /dev/bpf*. That works, but it allows any user on your machine to sniff packets. A better solution is to just add a line to theChmodBPFscript tochown(change the owner of) those things to the user you want to run as:- Open the
ChmodBPFscript, which is located in/Library/StartupItems/ChmodBPF/ChmodBPF, in a text editor. Add a
chownline so that the file looks like this:... chgrp admin /dev/bpf* chmod g+rw /dev/bpf* chown foobar:admin /dev/bpf* } ...But replace
foobarhere with the user you want to run Wireshark under.Save the file.
- Open the
If you're doing a fresh Wireshark install on Snow Leopard (Mac OS X 10.6), it appears that the ownership of the
ChmodBPFfiles needs to be changed. So, fire up the terminal and do the following:cd /Library/StartupItems sudo chown -R root:wheel ChmodBPF
After all of this, you should be able to capture network traces and such.
UPDATE [2009-11-11T06:36:32]: Added step 7 thanks to commentor Vi and Nick Kleinschmidt.
Comment feed for this post
In terminal:
cd /Applications/Wireshark.app/Contents/MacOS/
then command
sudo ./wireshark
I must have done something wrong in the ChmodBPF file.
You have saved me from countless hours of frustration.
Thanks
The explanation is at:
http://lists.apple.com/archives/X11-users/2008/Aug/msg00164.html
Hal
i tried this, and i think it is a much better guide than the one they provide in the Wireshark.dmg package but having said that i still cannot see the right interfaces. all i have is:
- en0: IP unknown
- fw0: IP unknown
- en1: does have an IP but it looks something like a mac address, for example:
fe34::cd0:a1f5:123ce:aef0and is the only interface capturing packets right now...- lo0: also has an IP but looks something like:
fed0::1those are the only interfaces available to me... i don't know how to capture packets from the wireless network since i cannot find the interface for it. i followed all your instructions there but maybe i am still missing something...
also my X11 version is:
-
XQuartz 2.1.6 (xorg-server 1.4.2-apple33)i don't know if the problem is there but someone mentioned in the comments that they had to update theirs. well any help would be greatly appreciated.
just so you know what i'm trying to do... originally i wanted to capture the packets sent from my iPod touch via the wireless network. that is why i wanted to see if wireshark can capture these informations using a wireless interface.
thanks.
Excuse me for the bad language i'm italian
I have even selected every file of the command line folder, get info and set to read/write for everything, but hand. The startup ChmodBPF fails, and I get a boatload of errors when running wireshark.
"Insecure Startup Item disabled.
/library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting."
Maybe I missed a step...
Anyway, a quick search on the Internet showed a solution from Nick Kleinschmidt's Blog.
http://kleinsch.com/2009/10/03/wireshark-chmodbpf-errors-on-snow-leopard/comment-page-1/#comment-29
Thanks again.