This appears to be a libpcap issue, not a Wireshark issue, given that, in this question, somebody found that Apple's tcpdump, linked with Apple's libpcap, reported "tcpdump: SIOCGIFMEDIA on llw0 failed: Device power is off" for a tcpdump -D command.

tcpdump -D and Wireshark's interface list use the same libpcap routine, and that code, at least in the tcpdump.org version of libpcap, will, on macOS, do an SIOCGIFMEDIA on all devices it finds, and give up if it gets an error other than a small set of errors.

That set currently doesn't include EPWROFF ("Device power is off"), so that will cause an attempt to find all devices to fail with that error if that's what device llw0 reports.

I've just checked in a change to tcpdump.org's libpcap to treat EPWROFF as meaning "I don't know if this device is connected" rather than as an error; I have also reported an error to Apple, telling them to pick up that change, as I assume they picked up that code from the tcpdump.org libpcap (they haven't open-sourced their libpcap in a while, so I don't know that for certain). I included a patch for the change made to tcpdump.org's libpcap; if they pick it up for a future Catalina release, that should fix the problem.

It appears, from opensource.apple.com, that 10.15 shipped with libpcap 1.8.1, which did not have the SIOCGIFMEDIA code; 10.15.3 apparently (based on the output of tcpdump --version) ships with libpcap 1.9.1, which does have the problem. That's why updating to 10.15.2 or 10.15.3 causes the problem to show up.

In any case, it appears that turning the Wi-Fi off can sometimes produce this; it did not do so when I tried it on my MacBook Pro running 10.15.3.
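
The enumeration behaviour described in this answer, modelled as an added example (not libpcap's own code): one interface returning an untolerated errno fails the whole device list, while treating EPWROFF as "connection status unknown" lets the list complete. The probe results are constructed, the tolerated errno set is an illustrative assumption, and EPWROFF is defined as Darwin's value 82 only so the example compiles on systems that lack it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#ifndef EPWROFF
#define EPWROFF 82 /* Darwin's "Device power is off"; not defined on Linux */
#endif

enum status { ST_UNKNOWN, ST_CONNECTED, ST_DISCONNECTED };

/* Constructed probe result: err == 0 means the media query succeeded. */
struct probe { const char *name; int err; int link_up; };

/* Illustrative tolerated set (an assumption, not libpcap's actual list). */
static int tolerated(int err, int accept_pwroff)
{
    if (err == EPWROFF)
        return accept_pwroff;
    return err == EOPNOTSUPP || err == EINVAL || err == ENOTTY || err == ENODEV;
}

/* Returns the number of interfaces listed, or -1 if one error aborts the list. */
int enumerate(const struct probe *p, size_t n, int accept_pwroff, enum status *out)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i].err == 0)
            out[i] = p[i].link_up ? ST_CONNECTED : ST_DISCONNECTED;
        else if (tolerated(p[i].err, accept_pwroff))
            out[i] = ST_UNKNOWN; /* "I don't know if this device is connected" */
        else {
            fprintf(stderr, "SIOCGIFMEDIA on %s failed: errno %d\n", p[i].name, p[i].err);
            return -1; /* every other interface is lost along with this one */
        }
    }
    return (int)n;
}

/* Constructed sample: Wi-Fi is off, so llw0 reports EPWROFF. */
static const struct probe sample[] = {
    { "lo0", EOPNOTSUPP, 0 }, { "en0", 0, 0 }, { "llw0", EPWROFF, 0 }, { "en5", 0, 1 },
};

int main(void)
{
    enum status st[4];
    printf("EPWROFF fatal:     %d\n", enumerate(sample, 4, 0, st));
    printf("EPWROFF tolerated: %d\n", enumerate(sample, 4, 1, st));
    return 0;
}
```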