This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark not installing on OSX Mavericks

1

Last month I had Wireshark 1.10.8 working on my Macbook Pro with no problems. I foolishly (as it happens) decided to give the QT+ version a try so uninstalled, as per the instructions in the attached Readme file in the installation package, my existing version of Wireshark and installed the QT+ version (1.99.0 I believe). It worked for a short period but constantly had to be restarted because it would lose half its open window above the top of my screen and then it lost access to the interfaces. I uninstalled it (again, as per the Readme in the installation package) and installed X11 and Wireshark 1.10.8. This installation did not work. The error I received can only be described as "vague" at best;

Jul 22 08:17:08 Johns-MacBook.local installd[615]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “Wireshark 1.10.8 Intel 64.pkg”." UserInfo=0x7ff893d17e80 {NSFilePath=./postinstall, NSURL=file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#chmodbpf.pkg, PKInstallPackageIdentifier=org.wireshark.ChmodBPF.pkg, NSLocalizedDescription=An error occurred while running scripts from the package “Wireshark 1.10.8 Intel 64.pkg”.} {
    NSFilePath = "./postinstall";
    NSLocalizedDescription = "An error occurred while running scripts from the package \U201cWireshark 1.10.8 Intel 64.pkg\U201d.";
    NSURL = "file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#chmodbpf.pkg";
    PKInstallPackageIdentifier = "org.wireshark.ChmodBPF.pkg";
}

...but seems to imply that there's a problem with ChmodBPF. When I look in /Library/LaunchDaemons org.wireshark.ChmodBPF.plist is there and appears to have the correct permissions (system, wheel, me) however there are no helper scripts in /usr/local/bin. Needless to say although Wireshark starts correctly (or appears to do so) there are no interfaces in the interface list.

Does anyone have any ideas on how I can get this working? ...and no, multiple uninstalls, cleans and installs do not work.

John

asked 22 Jul '14, 05:50

jcheriton


2 Answers:

1

Try running the following commands first:

sudo rm -f \
    /usr/local/bin/capinfos \
    /usr/local/bin/dftest \
    /usr/local/bin/dumpcap \
    /usr/local/bin/editcap \
    /usr/local/bin/mergecap \
    /usr/local/bin/randpkt \
    /usr/local/bin/rawshark \
    /usr/local/bin/text2pcap \
    /usr/local/bin/tshark \
    /usr/local/bin/wireshark
sudo pkgutil --forget org.wireshark.cli.pkg
sudo rm -rf /Library/StartupItems/ChmodBPF
sudo rm -rf "/Library/Application Support/Wireshark"
sudo launchctl unload /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist
sudo rm -f /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist
sudo pkgutil --forget org.wireshark.ChmodBPF.pkg
sudo rm -rf /Applications/Wireshark.app
sudo pkgutil --forget org.wireshark.Wireshark.pkg

That should remove all traces of both versions of Wireshark from the system AND make the OS X packaging system completely forget about it, so that, the next time you try installing Wireshark, the packaging system thinks you're doing a fresh installation.

Then try installing 1.10.8 again. (Note that 1.10.8 doesn't install ChmodBPF; instead, it removes ChmodBPF and installs a launchd launch daemon instead, to make the same permission change on the BPF devices that the ChmodBPF startup item did.)

If it still fails, report a bug at the Wireshark bugzilla.

answered 23 Jul '14, 15:12

Guy Harris ♦♦

Thanks for that, Guy, but it still refuses to install. It seems to be an issue with installing ChmodBPF in /Library/Application Support/Wireshark; however, even changing the permission on that directory and reinstalling makes no difference.

(24 Jul '14, 04:50) jcheriton

Then try running those commands again, start up the Wireshark installer and, before answering any questions, select "Installer Log" from the "Windows" menu, select "Show All Logs" rather than "Show Errors Only" in that window, and continue the install. Then, if the install fails, make a copy of the entire contents of that window - in case we need more information later - and look for any messages concerning the ChmodBPF package and paste them here. (I just tried removing it from a Mavericks virtual machine I have, rebooting to get the BPF devices back to "normal", and installing 1.10.8, and everything worked.)

(24 Jul '14, 16:32) Guy Harris ♦♦

Ok, so after a good clean reboot and reinstall (or not, as it happens) I have, for ChmodBPF;

    Jul 29 08:15:25 Johns-MacBook.local Installer[1171]:        Wireshark 1.10.8 Intel 64.pkg#chmodbpf.pkg : org.wireshark.ChmodBPF.pkg : 1.0
Jul 29 08:15:25 Johns-MacBook.local Installer[1171]: -[IFDInstallController(Private) _buildInstallPlan]: file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#chmodbpf.pkg
Jul 29 08:15:25 Johns-MacBook.local installd[1184]: PackageKit: packages=(
        "PKLeopardPackage <file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#wireshark.pkg>",
        "PKLeopardPackage <file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#chmodbpf.pkg>",
        "PKLeopardPackage <file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#utilitylauncher.pkg>"
    )
Jul 29 08:15:25 Johns-MacBook.local installd[1184]: PackageKit: Extracting file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#chmodbpf.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/84E912AD-3F3E-4EA4-9C1B-4931E586AD21.activeSandbox/Root/Library/Application Support/Wireshark, uid=0)
Jul 29 08:15:26 Johns-MacBook.local installd[1184]: PackageKit: Executing script "./postinstall" in /private/tmp/PKInstallSandbox.Gfd4Z1/Scripts/org.wireshark.ChmodBPF.pkg.DjNEh4
Jul 29 08:15:26 Johns-MacBook.local installd[1184]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “Wireshark 1.10.8 Intel 64.pkg”." UserInfo=0x7fda52d60850 {NSFilePath=./postinstall, NSURL=file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#chmodbpf.pkg, PKInstallPackageIdentifier=org.wireshark.ChmodBPF.pkg, NSLocalizedDescription=An error occurred while running scripts from the package “Wireshark 1.10.8 Intel 64.pkg”.} {
        NSFilePath = "./postinstall";
        NSLocalizedDescription = "An error occurred while running scripts from the package \U201cWireshark 1.10.8 Intel 64.pkg\U201d.";
        NSURL = "file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#chmodbpf.pkg";
        PKInstallPackageIdentifier = "org.wireshark.ChmodBPF.pkg";
    }
Jul 29 08:15:26 Johns-MacBook.local Installer[1171]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “Wireshark 1.10.8 Intel 64.pkg”." UserInfo=0x7fce124f9880 {NSFilePath=./postinstall, NSURL=file://localhost/Volumes/Wireshark/Wireshark%201.10.8%20Intel%2064.pkg#chmodbpf.pkg, PKInstallPackageIdentifier=org.wireshark.ChmodBPF.pkg, NSLocalizedDescription=An error occurred while running scripts from the package “Wireshark 1.10.8 Intel 64.pkg”.}

Again, thanks for the help with this. The full log can be found here

(29 Jul '14, 05:26) jcheriton

OK, here's the contents of org.wireshark.chmodbpf.pkg's post-install script:

#!/bin/sh

CHMOD_BPF="/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist"
BPF_GROUP="access_bpf"
BPF_GROUP_NAME="BPF device access ACL"

dscl . -read /Groups/"$BPF_GROUP" > /dev/null 2>&1 ||
    dseditgroup -q -o create "$BPF_GROUP"
dseditgroup -q -o edit -a "$USER" -t user "$BPF_GROUP"

cp "/Library/Application Support/Wireshark/ChmodBPF/org.wireshark.ChmodBPF.plist" \
    "$CHMOD_BPF"
chmod 755 "$CHMOD_BPF"
chown root:wheel "$CHMOD_BPF"

rm -rf /Library/StartupItems/ChmodBPF

launchctl load "$CHMOD_BPF"

Try copying that to a script file, giving it execute permission, running it with sudo, and see what it prints.

(29 Jul '14, 10:56) Guy Harris ♦♦

Hi,

Before failing to install Wireshark (and not surprisingly I guess) I get a lot of;

chmod: /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist: No such file or directory

After failing to install Wireshark I simply get;

nothing found to load

This seems to imply that the Wireshark directory in /Library/Application Support is deficient in something. I have been here before - even changing the permissions for that directory and all it contains makes no difference.

Having said that, if I request information for the directory using Finder’s Get Info menu the Permissions list shows “Fetching…” for the Read/Write owner.

Who should own this directory? root:wheel again?

(30 Jul '14, 05:56) jcheriton

@jcheriton

Your “answer” has been converted to a comment as that’s how this site works. Please read the FAQ for more information.

(30 Jul '14, 06:23) grahamb ♦

What do the commands

ls -ld "/Library/Application Support/Wireshark"

ls -ld "/Library/Application Support/Wireshark/ChmodBPF"

and

ls -ld "/Library/Application Support/Wireshark/ChmodBPF/org.wireshark.ChmodBPF.plist"

(complete with quotes) print?

(30 Jul '14, 09:50) Guy Harris ♦♦

0

This problem is easily reproduced if the user uses the -w argument to "Unload the org.wireshark.ChmodBPF.plist launchd job."

# launchctl unload -w /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

The -w argument overrides the Disabled key and sets it to true. On OS X 10.9.5, the state of the Disabled key is stored in /var/db/launchd.db/com.apple.launchd/overrides.plist.

Therefore, the user needs to remove the following lines from /var/db/launchd.db/com.apple.launchd/overrides.plist or else the installer will not complete successfully.

<key>org.wireshark.ChmodBPF</key>
<dict>
    <key>Disabled</key>
    <true/>
</dict>

Once the override has been successfully removed, installation using "Wireshark 1.10.8 Intel 64", "Wireshark 1.12.3 Intel 64" and "Wireshark 1.99.1 Intel 64" should work (only tested on OS X 10.9.5).

This issue could also be mitigated from the installer by modifying chmodbpf's postinstall script to also use the -w argument when loading $CHMOD_BPF.

Another way to mitigate this issue would be by modifying the "Read me first.rtf" document supplied with Wireshark to directly state the command that was intended for use when unloading the org.wireshark.ChmodBPF.plist launchd job. The problem is that if a user were to search Google for "Unload the org.wireshark.ChmodBPF.plist launchd", the first result is this help page and the second is a page that has the user use the -w option.

answered 15 Feb '15, 07:48

paretech
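
The override check and removal described in the answer above, as an added example (not part of the original answer and not Wireshark project code): Python 3's plistlib reads the launchd overrides database, reports whether org.wireshark.ChmodBPF is pinned to Disabled, and removes only that entry after writing a backup. The function names and the .bak backup file are assumptions of this example; the demo runs on a constructed plist in a temporary directory.

```python
import plistlib
import shutil
import tempfile
from pathlib import Path

# Path and job label as given in the answer above (OS X 10.9.5).
OVERRIDES = Path("/var/db/launchd.db/com.apple.launchd/overrides.plist")
LABEL = "org.wireshark.ChmodBPF"


def is_disabled(overrides: dict, label: str = LABEL) -> bool:
    """True if the overrides database pins `label` to Disabled=true."""
    entry = overrides.get(label)
    return isinstance(entry, dict) and entry.get("Disabled") is True


def clear_override(path: Path = OVERRIDES, label: str = LABEL) -> bool:
    """Remove the override entry for `label`; return True if the file changed.

    A backup copy (<name>.bak, an assumption of this example) is written
    first. Other jobs' overrides are left untouched. Needs root on the real file.
    """
    with path.open("rb") as fh:
        overrides = plistlib.load(fh)  # accepts XML and binary plists
    if not is_disabled(overrides, label):
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    del overrides[label]
    with path.open("wb") as fh:
        plistlib.dump(overrides, fh)
    return True


def demo() -> dict:
    """Run against a constructed overrides.plist in a temp directory."""
    sample = {
        LABEL: {"Disabled": True},                 # state left by `unload -w`
        "com.example.other": {"Disabled": False},  # constructed, unrelated job
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "overrides.plist"
        path.write_bytes(plistlib.dumps(sample))
        changed = clear_override(path)
        again = clear_override(path)               # second pass is a no-op
        return {"changed": changed, "again": again,
                "after": plistlib.loads(path.read_bytes())}


if __name__ == "__main__":
    print(demo())
```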