Not Quite a Blog

• Archives
• Categories

63 comments

1. § Keith said on : 07/28/09 @ 13:44
   Perfect! Just what I needed to get Wireshark configured. Thanks!
2. § joe® said on : 07/28/09 @ 15:54
   great!
3. § Dum said on : 08/16/09 @ 15:28
   Thanks, very straight forward !!
4. § Greg said on : 08/19/09 @ 13:39
   Worked like a charm. Although I still need to start wireshark via the Terminal window by:
   
   In terminal:
   cd /Applications/Wireshark.app/Contents/MacOS/
   then command
   sudo ./wireshark
   
   I must have done something wrong in the ChmodBPF file.
5. § joe® said on : 08/19/09 @ 13:44
   Yeah, you need to revisit the `chown foobar:admin /dev/bpf*` line and replace foobar with the name of the user you want to run it as (type `whoami` at the terminal to get that username).
6. § Greg said on : 08/19/09 @ 14:16
   Works like a charm!!!
   
   You have saved me from countless hours of frustration.
   
   Thanks
7. § Eric said on : 08/21/09 @ 08:36
   Great ! Thank you !
8. § Chris said on : 09/05/09 @ 01:12
   Thank you! Saved me a ton of time
9. § Jason said on : 09/09/09 @ 11:20
   Thanks!
10. § Garth said on : 09/14/09 @ 22:48
    Hey thanks for the advice.... like others, the setup was now a breeze. After an hour or so, previously, of frustration, I suppose I could've googled this earlier to save myself the time. Anyway, thanks for the help.
11. § hal said on : 10/14/09 @ 14:48
    Works really well. Additional problem I had was that my X11 wasn't working properly. I had to download a new version of XQuartz(x11): http://xquartz.macosforge.org/trac/wiki
    
    The explanation is at:
    http://lists.apple.com/archives/X11-users/2008/Aug/msg00164.html
    
    Hal
12. § loi said on : 10/20/09 @ 03:45
    Hi,
    
    i tried this, and i think it is a much better guide than the one they provide in the Wireshark.dmg package but having said that i still cannot see the right interfaces. all i have is:
    
    - en0: IP unknown
    - fw0: IP unknown
    - en1: does have an IP but it looks something like a mac address, for example: fe34::cd0:a1f5:123ce:aef0 and is the only interface capturing packets right now...
    - lo0: also has an IP but looks something like: fed0::1
    
    those are the only interfaces available to me... i don't know how to capture packets from the wireless network since i cannot find the interface for it. i followed all your instructions there but maybe i am still missing something...
    
    also my X11 version is:
    - XQuartz 2.1.6 (xorg-server 1.4.2-apple33)
    
    i don't know if the problem is there but someone mentioned in the comments that they had to update theirs. well any help would be greatly appreciated.
    
    just so you know what i'm trying to do... originally i wanted to capture the packets sent from my iPod touch via the wireless network. that is why i wanted to see if wireshark can capture these informations using a wireless interface.
    
    thanks.
13. § joe® said on : 10/20/09 @ 07:43
    Alas, I'm not sure how to help you... do let me know if you figure it out!
14. § Bob Guru said on : 10/22/09 @ 22:07
    I love you. Why is this not in their ReadMe?
15. § joe® said on : 10/23/09 @ 20:09
    ::)
16. § irrationalidiot said on : 10/27/09 @ 17:29
    Worked beautifully. Thanks!
17. § iJim said on : 11/02/09 @ 08:21
    Hi, i use tiger and i can't run wireshark, i think i wrong some step! Someone could help me?
    Excuse me for the bad language i'm italian
18. § jayray said on : 11/02/09 @ 18:13
    Thanks Joe!
19. § Mars said on : 11/10/09 @ 09:55
    My /Library/StartupItems/ChmodBPF will not run. I have it in the folder, I am an admin, THE admin, I run as the admin, and it says insecure item at startup and does NOT offer a "fix" button at all. Even though the Mac help mentions the fix button. No fix button.
    
    I have even selected every file of the command line folder, get info and set to read/write for everything, but hand. The startup ChmodBPF fails, and I get a boatload of errors when running wireshark.
20. § Vi said on : 11/10/09 @ 18:00
    Thank you for this detailed procedure. Definitely couldn't have done it without your help. One last note, I did run into a security error with chmodbfd.
    
    "Insecure Startup Item disabled.
    /library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting."
    
    Maybe I missed a step...
    
    Anyway, a quick search on the Internet showed a solution from Nick Kleinschmidt's Blog.
    http://kleinsch.com/2009/10/03/wireshark-chmodbpf-errors-on-snow-leopard/comment-page-1/#comment-29
    
    Thanks again.
21. § joe® said on : 11/11/09 @ 06:34
    Yeah, it looks like if you're doing a fresh install on Snow Leopard, the permissions aren't set correctly on ChmodBPF/. I'll add a note, thanks!
22. § Chris Gregg said on : 11/13/09 @ 08:20
    One more quick fix for a possible non-start issue on Snow Leopard: on my system there was a problem with the ~/.fontconfig font caches. Removing this folder allowed Wireshark to run (it crashed on startup initially).
23. § Nikhil said on : 11/18/09 @ 15:06
    Awesome. It worked just out of the box. Thanks
24. § EK said on : 11/29/09 @ 02:10
    Its easier to login as 'root', unhide all folders,then you can drag and drop everything you need to copy or move...no confusing terminal commands. Rehide folders when done, then reboot. Done.
25. § joe® said on : 11/30/09 @ 12:56
    I'd recommend sticking with the terminal commands, folks...
26. § spockr said on : 12/01/09 @ 11:00
    And don't forget to add the number you first thought of. Really, how ridiculous it is that you have to jump through these hoops.
27. § Pradeep said on : 12/11/09 @ 10:21
    thanks!
28. § Dan said on : 12/18/09 @ 12:42
    One more hint: I just installed the latest version normally (drop in aps) and then couldn't access the interfaces (as expected). If I ran as root (sudo Wireshark as suggested above) I could see the interfaces, but didn't appear to be able to access the Wireshark window thru the GUI. It turns out that there's a pop-up warning window saying "Hey, you're running as root and you could ruin everything so be careful", but the window pops-under, so I didn't find it until much later. Just acknowledge that you know what you're doing (even if you don't) and it seems to work find. This is on OS 10.5 with Wireshark Version 1.2.5 (SVN Rev 31296)
29. § andrew said on : 12/24/09 @ 13:44
    I did all the steps above and for some reason i do not have a /dev/bpf* file or folder. what do i do?
30. § joe® said on : 12/29/09 @ 10:53
    sorry, I have no clue... let me know if you figure it out.
31. § Ray said on : 01/31/10 @ 00:58
    I'm a little concerned about changing the ownership of the interface device files to a general user. Why not add my user name to the wheel group? Thx
32. § Tim Fetter said on : 02/01/10 @ 20:57
    Thank you so much for sharing your knowledge. I was installing on the snow cat and was getting the permissions error from the startup items. I took your advice and am now happily? looking at mountains of data. I have no idea what I was doing in Terminal, but it worked.
33. § CSK said on : 02/05/10 @ 06:06
    love u dude :)
34. § Sigurdur Armannsson said on : 02/21/10 @ 17:38
    Giving directions is not a natural talent all developers have. I am glad that someone like you can fill up the gaps.
35. § MK said on : 04/23/10 @ 05:13
    "Add a chown line so that the file looks like this:
    
    ...
    chgrp admin /dev/bpf*
    chmod g+rw /dev/bpf*
    # chown foobar:admin /dev/bpf*
    }
    ..."
    
    You should comment out that chown .... IF you already belong to the admin group. Worked for me. Now I can start Wireshark by just clicking the Wireshark.app
    Otherwise I've done all the tricks instructed above. =)
    
    M
    
36. § joe® said on : 04/23/10 @ 11:11
    But, that's just the thing, you probably shouldn't be running as an admin. :)
37. § Johnny said on : 05/07/10 @ 15:26
    trying to run this on snow leopard, did step 7 but still get the
    "Insecure Startup Item disabled.
    /library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting."
    error. Anyone have an idea of what I am doing wrong?
38. § Armin said on : 05/15/10 @ 11:14
    Thanks for your tutorial!
    step 7 solved my problems with the missing interfaces.
    Just reboot once again after typing the two lines into terminal and the startup message disappears
    
    thanks again
39. § noah said on : 05/25/10 @ 09:09
    Johnny, I think you need to change the owner of those files to be root. If you throw your error into Google you should find some helpful links on the first couple pages, as I did.
    
    Also, this post was very helpful. Thank you Joseph!
40. § SusieQ said on : 05/26/10 @ 17:30
    Thanks for the guide. I´m struggling with step 6, and I can´t see the interfaces.
    
    If I use the command sudo chmod o+r /dev/bpf* it works fine, but if I add the chown myusername:admin /dev/bpf* to the ChmodBPF it does not work.
    
    I guess the location of the folder is correct: /Users/myusername/Library/StartupItems/ChmodBPF
    
    Beccause I´m using Snow Leopard 10.6.3, I´ve also tried step 7, but still no interfaces.
41. § SusieQ said on : 05/26/10 @ 17:56
    Sorry, just solved it. Was using the wrong Library-folder :) Works now!
42. § Adam said on : 07/07/10 @ 21:51
    Dude,
    
    sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
    
    :)
    
43. § neil said on : 08/03/10 @ 06:31
    many thanks for this, it solved my Wireshark permissions problem.
    
    always nice when people such as yourself share your experience and expertise.
44. § Stian said on : 08/04/10 @ 07:40
    Woah, this is one of the simplest and most effective guides I've ever read and used, thanks man! I really needed this too, seeing as I just started using Mac OSX a month ago, when I bought my first Mac. Keep this up please!
45. § Paul said on : 08/13/10 @ 03:24
    Just a quick comment... After step 7 you might make it explicit that you need to restart (step 8?). Since these files are system-wide, a logout and back-in won't enable the change. You must restart. (It was early, not fully awake, etc. but I figured it out.)
46. § hulvire said on : 08/19/10 @ 09:50
    this thread is very helpful like somebody said up there "much better than the one they provide in the Wireshark.dmg package" thx so much
47. § Peter said on : 08/24/10 @ 05:43
    Yeah, it finally works. Thanks:)
48. § Totophe said on : 09/05/10 @ 09:23
    Perfect work, many thanks.
    @Bob Guru : "Why is this not in their ReadMe?"
    Because there is two read-me file : one in the "ChmodBPF" folder and the other in the dmg file ("Read-me FIRST") ;-)
    
    Work on Leopard 10.6.4 ; it's ok, I can start Wireshark by just clicking the .app but step 7 canceled step 6 ? I had restarted the step by step until step 6.
    
49. § joe® said on : 09/07/10 @ 13:38
    Hmm, if people are having trouble with later versions of Mac OS or Wireshark or such, please leave a comment. I don't use Wireshark everyday, so I'm probably a few versions behind (and so these instructions may be ignorant to newer versions).
50. § Louis said on : 09/23/10 @ 22:31
    Hey,
    
    I'm on Snow Leopard 10.6.4 and have the latest version of Wireshark. I am admin (and only user) of my mac and did change the ownerships and permissions with the sudo command. I then restarted and got the "Insecure Startup Item disabled. "/library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting." message.
    
    Any help ? Thanks!
51. § dany said on : 09/25/10 @ 01:20
    thank you dude! I love you
52. § Oleg said on : 10/30/10 @ 07:01
    I did the instructions on the following link to solve the following issue :
    "/library/StartupItems/ChmodBPF" has not been started because it does not have the proper security setting."
    
    thanks for this how to.
53. § Colin said on : 11/10/10 @ 02:22
    So I have a few problems. First, let me start out by saying that I am running OS X 10.6.4, and I downloaded the OS X 10.6 (Snow Leopard) Intel 64-Bit version of Wireshark. My first problem is at step 5, in which the entry for "SMI (MIB and PIB) Modules and Paths" is simply N/A, with a mouseover text reading "Support for this feature was not compiled into this version of Wireshark."
    
    My second issue is in Step 7 (of course), in which after I enter the sudo line, I receive a warning about how it can screw up my system. I am given two options: enter my password and continue, or press control+c to abort. For some reason, my terminal will not let me enter my password, and I am forced to abort every time. Any suggestions for either of the steps?
54. § Curt said on : 11/10/10 @ 12:36
    Thanks very much for this guide. Worked great for me on OS X 10.6.4 using the 64-bit Snow Leopard version of Wireshark.
55. § ramin said on : 11/10/10 @ 20:21
    I just want to say thank you. All the paths that you provided really helped
56. § Raybo said on : 12/18/10 @ 07:11
    Fantastic. Thanks much.
57. § David McDonald said on : 12/30/10 @ 12:17
    Finally got past the ChmoBPF issue and my interfaces show up with Wireshark running under Snow Leopard but only en2 captures data. I want to capture on Airport ( en1 ) but no data is captured despite other active devices on the network. My DSL modem is directly connected to Airport Extreme and my Mac accesses the network wirelessly. Do I need a hard wired connection to capture on the network? Am I missing something else.
58. § pblocked said on : 01/02/11 @ 23:17
    Great tutorial! Now how can i get it off my mac?? PLEASE HELP!
59. § joe® said on : 01/03/11 @ 13:02
    @David McDonald: I haven't updated this guide in a while, so I'm not sure what kinds of problems you might have that prohibits en1 capture.
60. § Duane said on : 01/03/11 @ 17:58
    I have installed the OS X 10.6 (Snow Leopard) Intel 64-Bit version of Wireshark. I have placed CHmodBPF in the startupitems and the Utilities items into the usr/local/bin. I restarted the MAC....no error messages. I am running as an admin. i do not see and interfaces. any ideas why?
61. § Steven said on : 09/05/11 @ 21:23
    Similar to Duane, I guess. I have the ChmodBPF script in the StartupItems (placed there by the Wireshark installer, but see no interfaces running as admin. I do see interfaces and capturing works fine if I run as root.
    
    Running the ChmodBPF script directly gives an error:
    "line 35: $1: unbound variable"
    Line 35 is simply: RunService "$1"
    I believe it breaks because I do not have a /dev folder. There is a hidden /dev alias, but it points nowhere. Do I need to install Xcode to get the /dev folder? Any other reason why it wouldn't work in admin, but does in root?
62. § captcha breaker said on : 07/06/12 @ 14:15
    When I initially commented I clicked the "Notify me when new comments are added" checkbox and now each time a comment is added I get three e-mails with the same comment. Is there any way you can remove me from that service? Cheers!
63. § joe® said on : 07/06/12 @ 16:09
    You're full of shit, captcha breaker.