Setting up WireShark on Mac OS X
I've been playing around with network traces and recently installed Wireshark (formerly Ethereal), a packet-capture tool that captures all the traffic across a network. (More from Wikipedia here.)
I had a bit of difficulty getting it up and running. Here is what I did:

1. Download the DMG from http://www.wireshark.org/download.html. Unpack it.

2. Move Wireshark.app to /Applications/ and copy all the executables in the Utilities/ directory in the DMG to a place in your PATH, like /usr/local/bin/. (If you're running as a non-admin user, you'll have to authenticate as an admin to do this.)

3. Now, anything in /dev/bpf* needs to be both readable and writable by the admin group in order to run Wireshark. Unfortunately, we have to set these permissions during system start-up. The "Read me first.rtf" file in the Wireshark DMG explains how to copy over a start-up item that will handle this:

   "The Utilities/ChmodBPF folder [on the DMG] contains the ChmodBPF startup item from the libpcap distribution. This can be used to set the permissions of /dev/bpf* when your system starts up. See Utilities/ChmodBPF/README.macosx for more details."

   Copy the entire ChmodBPF folder to /Library/StartupItems. (Again, if you're running as a non-admin, you'll have to authenticate as one to copy this over. In fact, the first time you reboot after this, Mac OS will probably ask you to "fix" this startup item and reboot again.)

   At this point, you might think you can reboot and fire up Wireshark. Go for it; see what happens. However...

4. When you first start Wireshark you'll probably get an error that says something like:

   The following errors were found while loading the MIBS: -:0 1 module-not-found failed to locate MIB module `IP-MIB' ...

   The key here is that Wireshark is looking for some files it can't find. After consulting this Wireshark bug thread, the solution seems to be simple:
   - In Wireshark, open the Preferences ("Edit" -> "Preferences").
   - Click on the "Name Resolution" tab.
   - Click on "Edit" next to the entry for "SMI (MIB and PIB) paths".
   - Click "New" and put /usr/share/snmp/mibs/ in there.
   - Click "Ok" until Preferences is closed. Restart Wireshark.

   The error above should now be gone.

5. Now, if you're running as an admin user: first, shame on you, punk! Second, you'll probably see a list of network interfaces in Wireshark in the "Interface List". That's good and you're ready to start capturing packets.

6. However, if you don't see any available interfaces, you're probably running as a non-admin. If you plan on running as a non-admin when you use Wireshark in the future, you need to make one more change. The problem here is that the ChmodBPF start-up item we installed earlier (which changes permissions on /dev/bpf*) only works for users in the admin group. So, we need a way of allowing the user you're running as to at least read /dev/bpf*.

   A simple solution, which also lets you check whether you can capture at all after the change, is to run sudo chmod o+r /dev/bpf*. That works, but it allows any user on your machine to sniff packets. A better solution is to add a line to the ChmodBPF script to chown (change the owner of) those devices to the user you want to run as:
   - Open the ChmodBPF script, which is located at /Library/StartupItems/ChmodBPF/ChmodBPF, in a text editor.
   - Add a chown line so that the file looks like this:

     ...
     chgrp admin /dev/bpf*
     chmod g+rw /dev/bpf*
     chown foobar:admin /dev/bpf*
     }
     ...

     But replace foobar here with the user you want to run Wireshark under.
   - Save the file.

7. If you're doing a fresh Wireshark install on Snow Leopard (Mac OS X 10.6), it appears that the ownership of the ChmodBPF files needs to be changed. So, fire up the terminal and do the following:

   cd /Library/StartupItems
   sudo chown -R root:wheel ChmodBPF

After all of this, you should be able to capture network traces and such.
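As an added check that is not part of the original post, the shell function below audits the mode and group of the BPF device nodes to confirm they ended up in the state the ChmodBPF start-up item aims for (group admin, g+rw, nothing for "other") and flags nodes left world-readable by the sudo chmod o+r shortcut. The directory and expected group are parameters I added so the function can be exercised against a constructed directory of dummy files instead of the real /dev.

```shell
#!/bin/sh
# Added example (not from the original post): audit the permissions the
# ChmodBPF start-up item is supposed to leave on the BPF device nodes.
# Target state from the post: group "admin", g+rw, no bits for "other".
# The `chmod o+r /dev/bpf*` shortcut instead lets every local user capture.
# Arguments: directory holding the nodes (default /dev) and the group that
# should own them (default admin), so it can run on a constructed directory.

audit_bpf_perms() {
    dir="${1:-/dev}"
    want_group="${2:-admin}"
    bad=0
    for node in "$dir"/bpf*; do
        [ -e "$node" ] || continue
        # GNU stat (Linux) takes -c, BSD stat (Mac OS X) takes -f.
        mode=$(stat -c '%a' "$node" 2>/dev/null || stat -f '%Lp' "$node")
        group=$(stat -c '%G' "$node" 2>/dev/null || stat -f '%Sg' "$node")
        # Normalise to four octal digits (660 -> 0660) without printf %d,
        # which would misread a leading zero as an octal number.
        while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
        case "$mode" in
            *[4567])   # "other" class has the read bit: any local user can sniff
                echo "WORLD-READABLE: $node mode=$mode group=$group"; bad=1 ;;
            ??[67]?)   # group has rw and other has nothing: the intended state
                if [ "$group" = "$want_group" ]; then
                    echo "ok: $node mode=$mode group=$group"
                else
                    echo "WRONG-GROUP: $node mode=$mode group=$group (want $want_group)"
                fi ;;
            *)         # neither world-readable nor group rw: admins cannot capture
                echo "NO-GROUP-RW: $node mode=$mode group=$group" ;;
        esac
    done
    # Non-zero only for the security finding; the other two are functional.
    return "$bad"
}

# Usage against the real nodes (read-only, no sudo needed):
#   audit_bpf_perms /dev admin
```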
UPDATE [2009-11-11T06:36:32]: Added step 7 thanks to commenters Vi and Nick Kleinschmidt.
In terminal:
cd /Applications/Wireshark.app/Contents/MacOS/
then command
sudo ./wireshark
I must have done something wrong in the ChmodBPF file.
You have saved me from countless hours of frustration.
Thanks
The explanation is at:
http://lists.apple.com/archives/X11-users/2008/Aug/msg00164.html
Hal
I tried this, and I think it is a much better guide than the one they provide in the Wireshark.dmg package, but having said that I still cannot see the right interfaces. All I have is:
- en0: IP unknown
- fw0: IP unknown
- en1: does have an IP but it looks something like a MAC address, for example: fe34::cd0:a1f5:123ce:aef0, and is the only interface capturing packets right now...
- lo0: also has an IP but looks something like: fed0::1
Those are the only interfaces available to me... I don't know how to capture packets from the wireless network since I cannot find the interface for it. I followed all your instructions there but maybe I am still missing something...
Also my X11 version is:
- XQuartz 2.1.6 (xorg-server 1.4.2-apple33)
I don't know if the problem is there but someone mentioned in the comments that they had to update theirs. Well, any help would be greatly appreciated.
Just so you know what I'm trying to do... originally I wanted to capture the packets sent from my iPod touch via the wireless network. That is why I wanted to see if Wireshark can capture this information using a wireless interface.
Thanks.
Excuse me for the bad language, I'm Italian.
I have even selected every file of the command line folder, done Get Info and set read/write for everyone, by hand. The startup ChmodBPF fails, and I get a boatload of errors when running Wireshark.
"Insecure Startup Item disabled.
/library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting."
Maybe I missed a step...
Anyway, a quick search on the Internet showed a solution from Nick Kleinschmidt's Blog.
http://kleinsch.com/2009/10/03/wireshark-chmodbpf-errors-on-snow-leopard/comment-page-1/#comment-29
Thanks again.
...
chgrp admin /dev/bpf*
chmod g+rw /dev/bpf*
# chown foobar:admin /dev/bpf*
}
..."
You should comment out that chown .... IF you already belong to the admin group. Worked for me. Now I can start Wireshark by just clicking the Wireshark.app
Otherwise I've done all the tricks instructed above. =)
M
"Insecure Startup Item disabled.
/library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting."
error. Anyone have an idea of what I am doing wrong?
step 7 solved my problems with the missing interfaces.
Just reboot once again after typing the two lines into terminal and the startup message disappears
thanks again
Also, this post was very helpful. Thank you Joseph!
If I use the command sudo chmod o+r /dev/bpf* it works fine, but if I add the chown myusername:admin /dev/bpf* to the ChmodBPF it does not work.
I guess the location of the folder is correct: /Users/myusername/Library/StartupItems/ChmodBPF
Because I'm using Snow Leopard 10.6.3, I've also tried step 7, but still no interfaces.
sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
:)
always nice when people such as yourself share your experience and expertise.
@Bob Guru : "Why is this not in their ReadMe?"
Because there are two read-me files: one in the "ChmodBPF" folder and the other in the dmg file ("Read-me FIRST") ;-)
Works on Leopard 10.6.4; it's ok, I can start Wireshark by just clicking the .app, but step 7 canceled step 6? I had restarted the step by step until step 6.
I'm on Snow Leopard 10.6.4 and have the latest version of Wireshark. I am admin (and only user) of my mac and did change the ownerships and permissions with the sudo command. I then restarted and got the "Insecure Startup Item disabled. "/library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting." message.
Any help ? Thanks!
"/library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting."
thanks for this how to.
My second issue is in Step 7 (of course), in which after I enter the sudo line, I receive a warning about how it can screw up my system. I am given two options: enter my password and continue, or press control+c to abort. For some reason, my terminal will not let me enter my password, and I am forced to abort every time. Any suggestions for either of the steps?
Running the ChmodBPF script directly gives an error:
"line 35: $1: unbound variable"
Line 35 is simply: RunService "$1"
I believe it breaks because I do not have a /dev folder. There is a hidden /dev alias, but it points nowhere. Do I need to install Xcode to get the /dev folder? Any other reason why it wouldn't work in admin, but does in root?