I've been playing around with network traces and recently installed Wireshark (formerly Ethereal), a packet-capture tool that captures all the traffic crossing a network interface. (More from Wikipedia here.)
I had a bit of difficulty getting it up and running. Here is what I did:
Download the DMG from http://www.wireshark.org/download.html. Unpack it.
Copy the Wireshark application into /Applications/ and copy all the executables in the Utilities/ directory in the DMG to a place in your PATH, like /usr/local/bin/. (If you're running as a non-admin user, you'll have to authenticate as an admin to do this.)
Now, anything in /dev/bpf* needs to be both readable and writable by the admin group in order to run Wireshark. Unfortunately, these device nodes are recreated at boot, so we have to set their permissions during system start-up. The "Read me first.rtf" file in the Wireshark DMG explains how to copy over a start-up item that will handle this:
The Utilities/ChmodBPF folder [on the DMG] contains the ChmodBPF startup item from the libpcap distribution. This can be used to set the permissions of /dev/bpf* when your system starts up. See Utilities/ChmodBPF/README.macosx for more details.
Copy the entire ChmodBPF folder to /Library/StartupItems. (Again, if you're running as a non-admin, you'll have to authenticate as one to copy this over. In fact, the first time you reboot after this, Mac OS will probably ask you to "fix" this startup item and reboot again.)
At this point, you might think you can reboot and fire up Wireshark. Go for it; see what happens. However...
When you first start Wireshark you'll probably get an error that says something like:
The following errors were found while loading the MIBS: -:0 1 module-not-found failed to locate MIB module `IP-MIB' ...
The key here is that Wireshark is looking for SNMP MIB files and can't find them. After consulting this Wireshark bug thread, the solution seems to be simple:
- In Wireshark, open the Preferences ("Edit" -> "Preferences").
- Click on the "Name Resolution" tab.
- Click on "Edit" next to the entry for "SMI (MIB and PIB) paths".
- Click "New" and put
- Click "Ok" until Preferences is closed. Restart Wireshark.
The error above should now be gone.
Now, if you're running as an admin user: first, shame on you, punk! Second, you'll probably see a list of network interfaces in Wireshark in the "Interface List". That's good and you're ready to start capturing packets.
However, if you don't see any available interfaces, you're probably running as a non-admin. If you plan on running as a non-admin when you use Wireshark in the future, you need to make one more change. The problem here is that the ChmodBPF start-up item we installed earlier (that changes permissions on /dev/bpf*) only works for users in the admin group. So, we need a way of allowing the user you're running as to at least read the /dev/bpf* devices.
A simple solution (and a quick way to check whether you can capture once the user can read the devices) is to simply do sudo chmod o+r /dev/bpf*. That works, but it allows any user on your machine to sniff packets. A better solution is to add a line to the ChmodBPF script that chowns (changes the owner of) those devices to the user you want to run as:
- Open the ChmodBPF script, which is located in /Library/StartupItems/ChmodBPF/ChmodBPF, in a text editor.
- Add a chown line so that the file looks like this:

    ...
        chgrp admin /dev/bpf*
        chmod g+rw /dev/bpf*
        chown foobar:admin /dev/bpf*
    }
    ...

- Replace foobar here with the user you want to run Wireshark under.
- Save the file.
- Open the
If you're doing a fresh Wireshark install on Snow Leopard (Mac OS X 10.6), it appears that the ownership of the ChmodBPF files needs to be changed (the system treats a startup item that isn't owned by root as insecure and won't run it). So, fire up the terminal and do the following:

    cd /Library/StartupItems
    sudo chown -R root:wheel ChmodBPF
After all of this, you should be able to capture network traces and such.
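To check the result of the permission changes above, and to spot the world-readable shortcut (chmod o+r) that lets every local user sniff, here is an added POSIX-shell audit script. It is not from the original post or from Wireshark/libpcap; the user and group names in it are made up, and the real /dev/bpf* nodes only exist on Mac OS X.

```shell
#!/bin/sh
# Added audit helper: not from the original post or from Wireshark/libpcap.
# Decides whether the account Wireshark runs as can read a /dev/bpf* node,
# and flags nodes that are world-readable (the "chmod o+r" shortcut, which
# lets every local user sniff). MODE is the 10-character "ls -l" field.

# bpf_access OWNER GROUP MODE USER [GROUP...]
# Prints owner|group|other|none: the permission class that grants read.
bpf_access() {
  owner=$1; group=$2; mode=$3; user=$4; shift 4
  if [ "$user" = "$owner" ] && [ "$(printf '%s' "$mode" | cut -c2)" = r ]; then
    echo owner; return 0
  fi
  for g in "$@"; do                      # remaining args: user's groups
    if [ "$g" = "$group" ] && [ "$(printf '%s' "$mode" | cut -c5)" = r ]; then
      echo group; return 0
    fi
  done
  if world_readable "$mode"; then echo other; return 0; fi
  echo none; return 1
}

# world_readable MODE: true if the "other" read bit (column 8) is set.
world_readable() {
  [ "$(printf '%s' "$1" | cut -c8)" = r ]
}

# audit_bpf USER "GROUP GROUP..." : inspects the real devices when present
# (Mac OS X only), printing one verdict per node.
audit_bpf() {
  user=$1; groups=$2
  for dev in /dev/bpf*; do
    [ -e "$dev" ] || continue                     # no such devices here
    line=$(ls -l "$dev")
    mode=$(echo "$line" | awk '{print $1}')
    owner=$(echo "$line" | awk '{print $3}')
    grp=$(echo "$line" | awk '{print $4}')
    how=$(bpf_access "$owner" "$grp" "$mode" "$user" $groups) || how=none
    note=""
    world_readable "$mode" && note=" (world-readable: any local user can sniff)"
    echo "$dev $owner:$grp $mode -> $user reads via: $how$note"
  done
}

# Example run with made-up names: user "foobar" after the chown change.
audit_bpf foobar "staff"
```

Run it as the non-admin user after a reboot: every node should report "owner" (or "group" for admin accounts) and no node should carry the world-readable note.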
UPDATE [2009-11-11T06:36:32]: Added step 7 thanks to commenters Vi and Nick Kleinschmidt.