This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hey,

I'm trying to monitor my wireless network but I can't see the interface in the capture options.

Network Utility lists it as active, and it is active under the Preferences -> Network pane.

Am I missing something?

asked 06 Dec '11, 20:34

ASGR's gravatar image

ASGR
20448
accept rate: 0%

edited 07 Dec '11, 08:50

multipleinterfaces's gravatar image

multipleinte...
1.3k152340

Can you see any interfaces? (I assume, from "Network Utility", that "mac" means "Mac", as in what used to be called "Macintoshes", so, for example, you would probably have en0 and en1 and lo0 interfaces, at least; Network Utility might not show you lo0, as it doesn't correspond to any real hardware or, in fact, to anything that can be used to communicate with another machine, but it is a network interface at the software layer, and you can capture on it.)

(07 Dec '11, 00:21) Guy Harris ♦♦

Thanks for reply.

Yes. Both en0 and lo0 are listed as selectable interfaces and are capable of capturing packets from, but it's en1 that refuses to be identified. I also tested WS with a wireless network connected with the status of the wireless network as active and still nothing.

Network Utility listed the interfaces as you described. I had it working before but I get the feeling that I had to do something specific like running WS from root?

(07 Dec '11, 05:11) ASGR

In order to see any interfaces, dumpcap needs to be running with a user and group ID that have read access to the /dev/bpfN devices. With the standard Wireshark 1.6.x installation for Mac OS X Snow Leopard, that happens. This doesn't depend on the interface; if you see any interfaces at all, you're running with the right privilege.

However, the interface has to be "up"; what does /sbin/ifconfig -a print?

(07 Dec '11, 10:00) Guy Harris ♦♦

Below is the output for wireless interface only...

en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
        ether (output withheld)
        media: autoselect (<unknown type>) status: inactive
        supported media: autoselect
(07 Dec '11, 10:46) ASGR

I've just changed the ownership of /dev/bpf* to the same user as WireShark and all the interfaces are now available including firewire and wireless.

I was relying on accessing /dev/bpf* through group privileges that had rw- but it doesn't seem to like this.

For prosperity... Use an admin account to run wireshark and give the /dev/bpf* files the same user with rw- privileges.

Confirmed that it is now working. Thanks for your help.

A.

permanent link

answered 07 Dec '11, 10:57

ASGR's gravatar image

ASGR
20448
accept rate: 0%

I'm still surprised you even saw en0 and lo0 if you didn't have access to /dev/bpf*.

What version of Mac OS X are you running? What version of Wireshark are you running? How did you install that version of Wireshark? As indicated, at least on Snow Leopard, the Wireshark installer should give you access to /dev/bpf* by adding you to the access_bpf group and adding a startup item to make all the BPF devices that exist at start-up time readable and writable by that group; that works on my machine, for example.

(07 Dec '11, 11:24) Guy Harris ♦♦

And does the wireless interface still not have the UP flag set now that you can capture on it?

(07 Dec '11, 11:26) Guy Harris ♦♦

I'm just as surprised... The owner:group was set to 'root:wheel' with rw-rw----. That seemed to work for en0 and lo0 but not for fw0 or en1.

After changing the owner:group to 'root:admin' with the same rw-rw----, Wireshark now recognises all interfaces available.

I'm running OSX 10.5.8 with Wireshark 1.6.4 that was installed by the packaged installer. After looking through the StartUpItems, nothing seems to be out-of-order. All items have 'root:wheel' so it should all be executed properly. But yet it seemed to fail to change the group!

(07 Dec '11, 12:11) ASGR

The wireless interface did not have the UP flag according to ifconfig, so it was not available for capture. If you can capture on it now, it probably has the UP flag set.

permanent link

answered 07 Dec '11, 11:27

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

It certainly has...

en1: flags=8823<up,broadcast,smart,simplex,multicast> mtu 1500 ether (...) media: autoselect (<unknown type="">) status: inactive supported media: autoselect

... and the status changes to active.

(07 Dec '11, 12:20) ASGR

I've double checked the access and permissions and it does seem to look like the problem was in there somewhere.

Also I may have not pressed the 'Apply' button to get the 'UP' flag on the interface. Apple can have an inconsistent UI sometimes.

(07 Dec '11, 13:20) ASGR
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×139
×114
×10

question asked: 06 Dec '11, 20:34

question was seen: 8,738 times

last updated: 07 Dec '11, 13:20

p​o​w​e​r​e​d by O​S​Q​A