So I am running the latest Wireshark (2.2.1) on Mac OS (10.12.1) and experiencing some issues when trying to run WiFi capture on the interface that is shown and available. When I initially loaded Wireshark, everything ran fine, but upon re-launching it several days later, I am getting this error message:

The capture session could not be initiated on interface 'en1' (You don't have permission to capture on that device). Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

In addition, originally one could see the traffic being produced when launching Wireshark on the initial dashboard, which now does not show any traffic at all. Not sure if this is a BUG or some type of issue/nuance/preference pane I am not familiar with. Also I cannot find where one can change the permission status when running Wireshark. I am logged in as Admin user (501). And finally, when running ps -ef I do not see that a Wireshark session is even running. Any advice, help, or solution is appreciated in advance.

On a last note, when I re-install Wireshark (over the existing application), everything works fine for that day. Odd issue I guess. Thank you

asked 11 Nov '16, 09:00 Natureboy
What does the command ls -l /dev/bpf* print?

Running ls -l /dev/bpf* prints the following:
And once again Wireshark is not capturing traffic on any interface. It only works if I re-install it, and then only for that one time.
What do the commands
print?
So here are the results:
But this command: ls -l /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist yielded:

sudo ls -ld ' /Library/Applications Support/Wireshark' yielded:

ls -lR '/Library/Application Support/Wireshark' yielded:
So my question still remains as to whether this is an odd event, a BUG, or some type of application whitelist or firewall prevention. The confusing part however is that when I re-download the application, it runs just fine. But after I close it and try again the next day, I seem to get the errors.
So if you re-install Wireshark, what does
report?
Possibly.
Possibly.
Probably not.
That’s why I’m asking these questions.
I will re-install and post what I see. In the meantime, here is something further I found out while investigating:
A few more details once I looked into this folder /Library/Applications Support/Wireshark
At first it seemed to be locked or write protected and showed this as far as access rights - see attachment.
So I edited this and added myself with read/write access. The .plist is as follows, once I opened it in TextMate:

  <plist version="1.0">
  <dict>
    <key>Label</key>
    <string>org.wireshark.ChmodBPF</string>
    <key>RunAtLoad</key>
    <true/>
    <key>Program</key>
    <string>/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF</string>
  </dict>
  </plist>
Hope that helps. PS - I cannot find anything in the Launch Daemons that points to Wireshark. Not sure why that is.
Thanks for the help in advance.
So now that I have completely uninstalled and reinstalled the application, the output is as follows:
-rwxr-xr-x 1 root wheel 382 Nov 12 21:19 /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist
The big issue here is "why isn't there a copy of the plist in /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist?" It's supposed to be installed there by the Wireshark installer, but it's not there on your machine. (It's there on my machine, also running 10.12.1.)

That's the launchd job that, at system startup, is supposed to give group read/write permission to the BPF devices and make them owned by the access_bpf group. As the job isn't actually there, it's obviously not getting run.

OK, so I'm guessing that ls -l /dev/bpf* now shows a lot of devices, with permissions rw-rw---- and group owner access_bpf. If that's the case, Wireshark should be able to capture on the Wi-Fi interface (and the loopback interface).

If, in the future, it stops working, see whether /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist is still there.
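The checks the answer above walks through by hand (is the ChmodBPF launchd plist still there, do the /dev/bpf* nodes carry group rw and the access_bpf group, and is the logged-in user in that group) collected into one diagnostic script. This is an added example, not Wireshark's own code and not something posted in the thread; the paths are taken from the plist quoted above and the group name from the answer. The launchctl load line it prints as a remedy is an assumption that the job behaves like any other RunAtLoad daemon; the rest only reads the filesystem.

```shell
#!/bin/sh
# Added diagnostic for the ChmodBPF setup discussed in the thread.
# Not Wireshark's code; paths come from the plist quoted above and the
# group name from the answer. Only bpf_line_ok is meaningful off macOS.

PLIST=/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist
CHMODBPF="/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF"
BPF_GROUP=access_bpf

# bpf_line_ok LINE
# LINE is one line of `ls -l /dev/bpfN` output, for example (constructed):
#   crw-rw----  1 root  access_bpf   23,   0 Nov 12 21:19 /dev/bpf0
# Succeeds only if the node is a character device with group read/write
# and its group is access_bpf, which is what the ChmodBPF job arranges.
bpf_line_ok() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    case "$mode" in
        crw-rw*) ;;        # character device, owner rw, group rw
        *) return 1 ;;
    esac
    [ "$group" = "$BPF_GROUP" ]
}

# check_bpf_devices
# Runs bpf_line_ok over every /dev/bpf* node present. Prints each failing
# node and returns 1 if any fail or none exist, 0 otherwise.
check_bpf_devices() {
    rc=0
    for dev in /dev/bpf*; do
        if [ ! -e "$dev" ]; then
            echo "no /dev/bpf* devices found (not macOS?)"
            return 1
        fi
        line=$(ls -l "$dev")
        if ! bpf_line_ok "$line"; then
            echo "BAD: $line"
            rc=1
        fi
    done
    return $rc
}

# check_chmodbpf_job
# Confirms what the installer should have left behind: the launchd plist
# (without it the job never runs at boot) and the program it points to.
check_chmodbpf_job() {
    rc=0
    [ -f "$PLIST" ]    || { echo "MISSING: $PLIST"; rc=1; }
    [ -x "$CHMODBPF" ] || { echo "MISSING or not executable: $CHMODBPF"; rc=1; }
    return $rc
}

# in_bpf_group
# Group rw on /dev/bpf* only helps a user who is actually in access_bpf.
in_bpf_group() {
    id -Gn | tr ' ' '\n' | grep -qx "$BPF_GROUP"
}

main() {
    status=0
    check_chmodbpf_job || status=1
    check_bpf_devices  || status=1
    if in_bpf_group; then
        echo "user $(id -un) is in $BPF_GROUP"
    else
        echo "user $(id -un) is NOT in $BPF_GROUP"
        status=1
    fi
    if [ $status -ne 0 ]; then
        echo "If $PLIST exists but the devices are wrong, run the job now:"
        echo "  sudo launchctl load -w \"$PLIST\""
        echo "If the plist is missing, reinstall Wireshark so the installer puts it back."
    else
        echo "ChmodBPF setup looks fine"
    fi
    return $status
}

# Run automatically only on macOS; the functions can be sourced elsewhere.
if [ "$(uname)" = Darwin ]; then
    main
fi
```

Run it as the user who cannot capture; every line it prints maps to one of the things the answer asks you to look at, so a clean run plus a still-failing capture points at something other than the BPF device permissions.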