This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to fully uninstall wireshark from a Mac?

1
2

Hello, loved the product. However, I'm done messing around and now cannot figure out how to fully uninstall from my mac? I've tried searching the documentation as well as this question area and cannot find any step by step guide on how to safely and easily uninstall?

Any help would be much appreciated!

asked 18 Jan '11, 16:11


Pblocked
16122
accept rate: 0%


3 Answers:

2

The installer .dmg contains a file called "Read me first.rtf" with the following info/instructions:

What changes does the installer make?

The installer writes to the following locations:

• /Applications/Wireshark. The main Wireshark application.
• /Library/StartupItems/ChmodBPF. A script which adjusts permissions on the system's packet capture devices (/dev/bpf*) when the system starts up.
• /Library/Wireshark. A wrapper script and symbolic links which will let you run Wireshark and its associated utilities from the command line. You can access them directly or by adding /Library/Wireshark to your PATH.

Additionally a group named access_bpf is created. The user who opened the package is added to the group.

How do I uninstall?

  1. Remove /Applications/Wireshark
  2. Remove /Library/Wireshark
  3. Remove /Library/StartupItems/ChmodBPF
  4. Remove the access_bpf group.

answered 22 Jul '11, 09:49


charris
3113
accept rate: 0%

yes, but how do you uninstall the virtual ports it creates?

(24 Jul '11, 07:33) bwanaaa

What do you mean by "virtual ports"? What are examples of these virtual ports?

(24 Jul '11, 15:37) Guy Harris ♦♦

vmnet1 and vmnet8 are still there when you issue ifconfig on a mac in terminal

(27 Jul '11, 05:14) bwanaaa
1

That's because they're NOT created by Wireshark (really - they are NOT created by Wireshark), they're created by VMware Fusion; to get rid of them, you'll have to uninstall VMware Fusion.

(27 Jul '11, 10:19) Guy Harris ♦♦

oops. sry. tnx.

(27 Jul '11, 15:11) bwanaaa

Hi, but how do I remove the access_bpf group? or more correctly, where do I find the group?

Thx

(26 Sep '11, 05:44) Ant

0

You just need to drag the application to the TrashCan. The only other two files I've found that lie outside of the application itself are pref folders. I'll assume that you did NOT manually install the command-line tools. If your local username is Pblocked then these would be: /Users/Pblocked/.wireshark/ /Users/Pblocked/.wireshark-etc

You can delete them by opening a terminal window and typing rm -rf ~/.wireshark*

Once you've deleted the application and those two directories you can scan your drive for any leftovers - but again, I haven't found any on mine and I've gone through several versions of WireShark on my system.

You can scan your drive with this command: sudo find / -iname "*ireshark*" -print 2>&1 | grep -v denied

answered 20 Jan '11, 06:56


GeonJay
4705922
accept rate: 5%

edited 20 Jan '11, 07:03

Note that "drag-uninstalling" any app won't get rid of preferences for the app; some might consider that a feature (as in "if I later decide I want the app again, I don't lose my preferences"). That's not unique to Wireshark.

AppZapper supposedly cleans up other stuff for apps, including preferences, when you uninstall them; whether it knows about Wireshark, which follows UN*X dotfile/dotdirectory conventions rather than NeXTStEP/OS X .plist conventions for its preferences, is another matter.

(26 Jan '11, 19:36) Guy Harris ♦♦

I searched far and wide for hidden prefs, application support files, etc. I'm thinking that because of WireShark's "ported" nature it doesn't behave in the same manner as usual Mac applications. I'd bet that I missed something though.

(27 Jan '11, 12:07) GeonJay

Yes - as I noted, Wireshark stores the personal configuration files in traditional UN*X style; that means that various personal configuration files are stored in ~/.wireshark rather than ~/Library/Preferences etc.

(22 Jul '11, 11:21) Guy Harris ♦♦

0

I had Wireshark 2 RC and a legacy GTK dev version. I wanted to delete everything and start from scratch with latest W2.

I uninstalled the following files

/Applications/Wireshark.app
/Applications/Wireshark [dev build].app
/Library/Application Support/Wireshark
/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist
/Library/LaunchDaemons/org.wireshark.XQuartzFixer.plist
/Library/Receipts/boms/org.wireshark.ChmodBPF.pkg.bom
/Library/Receipts/boms/org.wireshark.cli.pkg.bom
/Library/Receipts/boms/org.wireshark.Wireshark.pkg.bom
/private/var/db/BootCaches/*/app.org.wireshark.Wireshark.playlist
/private/var/db/receipts/org.wireshark.ChmodBPF.pkg.bom
/private/var/db/receipts/org.wireshark.ChmodBPF.pkg.plist
/private/var/db/receipts/org.wireshark.cli.pkg.bom
/private/var/db/receipts/org.wireshark.cli.pkg.plist
/private/var/db/receipts/org.wireshark.Wireshark.pkg.bom
/private/var/db/receipts/org.wireshark.Wireshark.pkg.plist
/private/var/db/receipts/org.wireshark.XQuartzFixer.pkg.bom
/private/var/db/receipts/org.wireshark.XQuartzFixer.pkg.plist
/private/var/folders/mr/*/T/wireshark_pcapng_*
~/.wireshark
~/.wireshark-etc
~/Library/Application Support/CrashReporter/wireshark-bin_*.plist
~/Library/Logs/DiagnosticReports/.wireshark-bin_*.crash.plist
~/Library/Logs/DiagnosticReports/wireshark-bin_*.crash
~/Library/Preferences/org.wireshark.Wireshark.plist
~/Library/Saved Application State/org.wireshark.Wireshark.savedState
/usr/local/bin/capinfos
/usr/local/bin/dftest
/usr/local/bin/dumpcap
/usr/local/bin/editcap
/usr/local/bin/mergecap
/usr/local/bin/randpkt
/usr/local/bin/rawshark
/usr/local/bin/text2pcap
/usr/local/bin/tshark
/usr/local/bin/wireshark

Since I was reinstalling I didn't need to remove access_bpf, but this other topic explains how to:

sudo dscl . -delete /Groups/access_bpf

answered 16 Feb '16, 09:00


wsk
21237
accept rate: 0%
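
The locations named across the answers above, gathered into a read-only audit that prints what is still present before anything is deleted. This is an added example, not part of any answer or of the Wireshark installer; the function names, the `--audit` switch and the root/home parameters are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: read-only audit of the locations named in the answers above.
# root and user_home are parameters of this sketch (not Wireshark options) so
# it can be pointed at a scratch tree; on a real Mac pass "" and "$HOME".

wireshark_leftovers() {
    root=$1
    user_home=$2
    # Fixed system paths: older StartupItems layout and newer app-bundle layout.
    for p in "/Applications/Wireshark" "/Applications/Wireshark.app" \
             "/Library/Wireshark" "/Library/StartupItems/ChmodBPF" \
             "/Library/Application Support/Wireshark"; do
        if [ -e "$root$p" ]; then printf '%s\n' "$root$p"; fi
    done
    # Launch daemons and package receipts all carry the org.wireshark. prefix.
    for f in "$root"/Library/LaunchDaemons/org.wireshark.* \
             "$root"/Library/Receipts/boms/org.wireshark.* \
             "$root"/private/var/db/receipts/org.wireshark.*; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
    # Command-line tools; -L also catches symlinks left dangling once their
    # target is gone. A same-named binary from another package would be
    # listed too, so review the output before deleting anything.
    for t in capinfos dftest dumpcap editcap mergecap randpkt rawshark \
             text2pcap tshark wireshark; do
        f="$root/usr/local/bin/$t"
        if [ -e "$f" ] || [ -L "$f" ]; then printf '%s\n' "$f"; fi
    done
    # Per-user configuration: UN*X dot-directories plus the macOS plist/state.
    for f in "$user_home/.wireshark" "$user_home/.wireshark-etc" \
             "$user_home/Library/Preferences/org.wireshark.Wireshark.plist" \
             "$user_home/Library/Saved Application State/org.wireshark.Wireshark.savedState"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Succeeds only when the access_bpf group is still in the local directory.
access_bpf_group_exists() {
    command -v dscl >/dev/null 2>&1 || return 1
    dscl . -read /Groups/access_bpf >/dev/null 2>&1
}

# Run the audit against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then
    wireshark_leftovers "" "$HOME"
    if access_bpf_group_exists; then echo "group: access_bpf"; fi
fi
```

Run it with `--audit` as the user whose home directory should be checked; nothing is removed, so the output can be reviewed line by line first.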