This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing with Wireshark on mac os 10.6.6?

0

hi

I would like to capture the communication between my browser and a server with Wireshark on mac os 10.6.6 but i can't get any interface..

So I went "in read me 1st" then through forums and i understood that I must put the ChmodBPF folder (provided with the soft) in the /Library/StartupItems directory in order to give to Wireshark access to the BPF device. (I hope I'm on the right way to solve the issue..)

I tried with the console and administrator session to do this but seems that i don't have permission to do this so i put it in /Library and just to try i launched ChmodBPF manually (still with administrator session) but I get this as answer : 'line 35: $1: unbound variable logout'

I m really stuck since more than 40 hours now, I read tutorials and watched videos on Wireshark and it seems really great, this is why I insist so much in trying to have it work, I keep on searching but now I m starting to believe that I wont find without ur help. Pls I need u :)

This question is marked "community wiki".

asked 15 Mar '11, 08:21

sharknoobie's gravatar image

sharknoobie
1113
accept rate: 0%

edited 15 Mar '11, 08:58

ok it s natural that I can't launch ChmodBPF manually since it s supposed to b launched by the system only (this is why it has to b put in /Lib/StartupItems where the system will find it and launch it when it initialises). So remains the problem to b able to put it there.. This is why I ll focus on understanding how it comes that, even from administrator session, I don't have the permission to do this. It s more a mac user question but remains the way to install Sharkwire correctly..

(15 Mar '11, 09:22) sharknoobie

Please expand on your latest issue. What are you trying to do, and what is the error message that you are getting. Can you also include the output from: "ls -la /Library/StartupItems"

(17 Mar '11, 05:56) GeonJay

One Answer:

2

Something is amiss. So, let's try this. First we'll delete the ChmodBPF directory that you've created, then we'll copy the directory over properly.

1) Download the latest Wireshark .dmg file and open it up. If done properly, a new Finder window should open. Just leave it.

2) Open a terminal window. Issue this command to verify that the dmg is loaded in the usual spot: "ls /Volumes/Wireshark/Utilities/" If you see the list of files then it's loaded properly.

3) Now, let's delete what you've installed before. Issue this command: "sudo rm -rf /Library/StartupItems/ChmodBPF" If this returns an error then the ChmodBPF must not be there.

4) Now to copy the ChmodBPF startup item properly: "sudo cp -R /Volumes/Wireshark/Utilities/ChmodBPF /Library/StartupItems"

5) Now change the owner of the ChmodBPF startup item: "sudo chown -R root:wheel /Library/StartupItems/ChmodBPF"

6) Now just run "sudo SystemStarter start ChmodBPF" or reboot, and test it out.

answered 15 Mar '11, 09:16

GeonJay's gravatar image

GeonJay
4705922
accept rate: 5%

edited 13 May '11, 10:49

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

oo ty :) i ll try this and report :) I m not used in using terminal so i might b long but i m on this and this only. thank you again for helping Geonjay :)

(15 Mar '11, 09:25) sharknoobie

Ok i followed the steps and all worked exactly like you said :

1 the window opened at download,

2 I left it and found the files when typed the 'ls' command,

3 then 'sudo rm' didn't return any error so it means that it was there and got deleted,

4 no error neither when i copied the ChmodBPF with 'sudo cp' :) I had a reboot and it looked as usual (no problem)

(i find whole Wireshark directory in the Library/StartupItems directory)

So I opened Sharkwire opened capture to choose an interface but no interface yet..

(15 Mar '11, 09:44) sharknoobie

OK, try one more step:

sudo chown -R root:wheel /Library/StartupItems/ChmodBPF

and then run

sudo SystemStarter ChmodBPF
(15 Mar '11, 10:05) Guy Harris ♦♦

1st command I had to change a bit since we had created another path

So I finally did : sudo chown -R root:wheel /Library/StartupItems/Wireshark/utilities/ChmodBPF (or should I better change the path and put ChmodBPF directly in Library/StartupItems?)

and then I did sudo SystemStarter ChmodBPF which returned :


usage: SystemStarter [-vdqn?] [ <action> [ <item> ] ] <action>: action to take (start|stop|restart); default is start <item> : name of item to act on; default is all items options: -v: verbose startup -d: print debugging output -q: be quiet (disable debugging output) -n: don't actually perform action on items (pretend mode) -?: show this help


When I reboot no interface yet

(15 Mar '11, 10:35) sharknoobie

(Note: "Answers" should be answers to the question you originally posted, not answers to questions asked in comments; answers to questions asked in comments should be posted as comments. I've converted them to comments.)

Sorry, I meant

sudo SystemStarter start ChmodBPF

(I forgot the <action>, which should be "start" in this case).

And, yes, you must change the path and put ChmodBPF directly in /Library/StartupItems.

(15 Mar '11, 10:42) Guy Harris ♦♦

ok I retrace what i do

1) I launch WireShark .dmg file. a new Finder window opens. I leave it.

2) I Open a terminal window. Issuing this command to verify that the dmg is loaded in the usual spot: "ls /Volumes/Wireshark/Utilities/" I see the list of files sothen it's loaded properly.

3) I delete what I've installed before, issuing this command: "sudo rm -rf /Library/StartupItems/Wireshark"

4) I copy the ChmodBPF file : "sudo cp -R /Volumes/Wireshark/Utilities/ChmodBPF/ChmodBPF /Library/StartupItems"

5) sudo chown -R root:wheel /Library/StartupItems/ChmodBPF (I see no message when I do it so I think it works)

6) sudo SystemStarter start ChmodBPF (no message neither)

I reboot then and still no interface

(15 Mar '11, 11:13) sharknoobie

On step 4) there's a booboo. It should be "sudo cp -R /Volumes/Wireshark/Utilities/ChmodBPF /Library/StartupItems"

You need to copy the entire directory, not just the script.

(15 Mar '11, 11:22) GeonJay
1

OK, I've edited the answer to fix the issues we've hit when testing, and to note that you don't need to reboot, you can just run SystemStarter to run ChmodBPF.

(Unfortunately, if a startup item doesn't exist, SystemStarter doesn't report an error if you try to run it, so just because "sudo SystemStarter start ChmodBPF" doesn't print a message, that doesn't mean ChmodBPF ran.)

(15 Mar '11, 11:40) Guy Harris ♦♦

Yaaayyyyyyyy :D thank you so much GeonJay and Guy Harris you both rule dang I m so happy and I although realise, that i would certainly have given up before it works without your help..

I just put on here the whole way to do it for the next ones like me :)

1) Download Wireshark 64 bit version launch WireShark .dmg file. a new Finder window opens. Leave it.

2) Open a terminal window. Issuing this command to verify that the dmg is loaded in the usual spot: "ls /Volumes/Wireshark/Utilities/" If u see the list of files then it's loaded properly.

3) Copy the ChmodBPF file : "sudo cp -R /Volumes/Wireshark/Utilities/ChmodBPF/ /Library/StartupItems"

4) sudo chown -R root:wheel /Library/StartupItems/ChmodBPF

5) sudo SystemStarter start ChmodBPF

Thank you again Geonjay and Guy Harris :D now i ll b able to enjoy this powerful tool on my mac os version 10.6

(15 Mar '11, 11:46) sharknoobie

Thanks GeonJay and Guy Harris. That solved my issues as well.

(17 Mar '11, 17:43) markdmc

I was having the same issue of NO interface cards showing up and the Fix Above using steps 1,2,3,4 worked for me.... But OMG this is one of the MOST involved installs EVER! It would be nice if someone could make this install more USER FRIENDLY. Seriously installing XCODE4 was a cinch, why does Wireshark have to be so hard.

thank you for the help!

(05 May '11, 16:17) Talos

Guy Harris:

Good answer. thanks. small correction, Change step 5 to:

Now change the owner of the ChmodBPF startup item: "sudo chown -R root:wheel /Library/StartupItems/ChmodBPF"

(13 May '11, 10:44) arthurgoldberg

Step 5 has been changed.

BTW, bug 5756 was filed, requesting an installer package for Wireshark; the current OS X automated builds for the Wireshark trunk have an installer package, rather than being drag-install, and they set up the ChmodBPF startup item for you.

(13 May '11, 10:57) Guy Harris ♦♦
showing 5 of 13 show 8 more comments