This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

So I am running the latest Wireshark (2.2.1) on Mac OS (10.12.1) and experiencing some issues when trying to run WiFi capture on the interface that is shown and available. When I initially loaded Wireshark, everything ran fine, but upon re-launching it several days later, I am getting this error message: The capture session could not be initiated on interface 'en1' (You don't have permission to capture on that device). Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

In addition, originally one could see the traffic being produced when launching Wireshark on the initial Dashboard, which now does not show any traffic at all. Not sure if this is a BUG or some type of issue/nuance/preference pane I am not familiar with. Also I cannot find where one can change the permission status when running Wireshark. I am logged in as Admin user (501). And finally, when running ps -ef I do not see that a Wireshark session is even running.

Any advice, help, solution is appreciated in advance. On a last note, when I re-install Wireshark (over the existing application), everything works fine for that day. Odd issue I guess.

Thank you

asked 11 Nov '16, 09:00

Natureboy

What does the command ls -l /dev/bpf* print?

(11 Nov '16, 11:27) Guy Harris ♦♦

Running ls -l /dev/bpf* prints the following:

crw-------  1 root  wheel   23,   0 Nov 12 10:50 /dev/bpf0
crw-------  1 root  wheel   23,   1 Nov 12 10:50 /dev/bpf1
crw-------  1 root  wheel   23,   2 Nov 12 13:35 /dev/bpf2
crw-------  1 root  wheel   23,   3 Nov 12 13:35 /dev/bpf3
crw-------  1 root  wheel   23,   4 Nov 12 13:13 /dev/bpf4

And once again Wireshark is not capturing traffic on any interface. Only will work if I re-install it. Then works for that one time.

(12 Nov '16, 10:54) Natureboy

What do the commands

ls -l /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

sudo ls -ld '/Library/Application Support/Wireshark'

sudo ls -lR '/Library/Application Support/Wireshark'

print?

(12 Nov '16, 13:19) Guy Harris ♦♦

So here are the results:

But this command: ls -l /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist ..yielded:

ls: /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist: No such file or directory

sudo ls -ld '/Library/Application Support/Wireshark' ..yielded:

drwx------  3 504  wheel  102 Oct  3 17:08 /Library/Application Support/Wireshark
sh-3.2# ls -lR '/Library/Application Support/Wireshark'
total 0
drwxrwxr-x  4 504  staff  136 Nov 11 12:02 ChmodBPF

ls -lR '/Library/Application Support/Wireshark' ..yielded:

total 16
-rwxrwxr-x  1 504  staff  1437 Oct  4 13:36 ChmodBPF
-rw-rw-r--  1 504  staff   382 Oct  4 13:36 org.wireshark.ChmodBPF.plist

So my question still remains as to whether this is an odd event, a BUG, or some type of Application whitelist or firewall prevention. The confusing part however is that when I re-download the application, it runs just fine. But after I close it and try again the next day, I seem to get the errors.

(12 Nov '16, 18:00) Natureboy

So if you re-install Wireshark, what does

 ls -l /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

report?

So my question still remains as to whether this is an odd event,

Possibly.

a BUG,

Possibly.

or some type of Application whitelist or firewall prevention.

Probably not.

That's why I'm asking these questions.

(12 Nov '16, 18:05) Guy Harris ♦♦

I will re-install and post what I see. In the meantime, here is some further investigation:

A few more details once I looked into this folder /Library/Application Support/Wireshark

At first it seemed to be locked or write protected and showed this as far as access rights - see attachment.

So I edited this and added myself with read/write access. The .plist is as follows, once I opened it in TextMate:

<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.wireshark.ChmodBPF</string>
    <key>RunAtLoad</key>
    <true/>
    <key>Program</key>
    <string>/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF</string>
</dict>
</plist>

Hope that helps. PS - I cannot find anything in the Launch Daemons that points to Wireshark. Not sure why that is.

Thanks for the help in advance.

(12 Nov '16, 18:14) Natureboy

So now that I completely uninstalled and reinstalled the application, the output is as follows:

-rwxr-xr-x 1 root wheel 382 Nov 12 21:19 /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

(12 Nov '16, 18:23) Natureboy

The big issue here is "why isn't there a copy of the plist in /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist?" It's supposed to be installed there by the Wireshark installer, but it's not there on your machine. (It's there on my machine, also running 10.12.1.)

That's the launchd job that, at system startup, is supposed to give group read/write permission to the BPF devices and make them owned by the access_bpf group. As the job isn't actually there, it's obviously not getting run.

(12 Nov '16, 18:26) Guy Harris ♦♦

OK, so I'm guessing that ls -l /dev/bpf* now shows a lot of devices, with permissions rw-rw---- and group owner access_bpf. If that's the case, Wireshark should be able to capture on the Wi-Fi interface (and the loopback interface).

If, in the future, it stops working, see whether /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist is still there.

(12 Nov '16, 18:32) Guy Harris ♦♦
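
The two checks from the comments above (is the ChmodBPF launchd job installed, and are the BPF devices group read/write and owned by access_bpf), as an added shell example that is not part of the original thread and not Wireshark's own ChmodBPF script. The function names are made up for this example, and the second sample listing is constructed.

```shell
#!/bin/sh
# Added example; not Wireshark's ChmodBPF script.

# Reads `ls -l /dev/bpf*` output on stdin. Lists every device that a member
# of group $1 could not open (not group rw, or owned by another group).
# Returns 0 only if at least one device was listed and all are usable.
check_bpf_listing() {
    awk -v grp="$1" '
        $NF ~ /^\/dev\/bpf[0-9]+$/ {
            total++
            # Mode looks like crw-rw----; characters 5-6 are group r/w.
            if (substr($1, 5, 2) != "rw" || $4 != grp) {
                bad++
                print "not ready: " $NF " (" $1 " " $3 ":" $4 ")"
            }
        }
        END {
            printf "%d of %d BPF devices usable by group %s\n", total - bad, total, grp
            exit ((total == 0 || bad > 0) ? 1 : 0)
        }'
}

# True if the launchd job that fixes the permissions at boot is installed.
chmodbpf_job_installed() {
    [ -f "${1:-/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist}" ]
}

# Two lines of the listing posted in the thread (job missing).
BEFORE='crw-------  1 root  wheel   23,   0 Nov 12 10:50 /dev/bpf0
crw-------  1 root  wheel   23,   1 Nov 12 10:50 /dev/bpf1'
# Constructed listing of the state expected once the job has run.
AFTER='crw-rw----  1 root  access_bpf   23,   0 Nov 12 21:19 /dev/bpf0
crw-rw----  1 root  access_bpf   23,   1 Nov 12 21:19 /dev/bpf1'

printf '%s\n' "$BEFORE" | check_bpf_listing access_bpf || echo "=> permission error expected"
printf '%s\n' "$AFTER" | check_bpf_listing access_bpf && echo "=> capture should work"
if chmodbpf_job_installed; then echo "launchd job present"; else echo "launchd job missing"; fi
```

On the Mac itself, pipe the live listing into the function instead of the samples: ls -l /dev/bpf* | check_bpf_listing access_bpf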
question asked: 11 Nov '16, 09:00

question was seen: 6,328 times

last updated: 12 Nov '16, 18:32
