
In macOS, permission to capture on individual network interfaces means permission to open a /dev/bpf device for reading.

The "ChmodBPF" script Wireshark installs changes the permissions on the BPF devices to be rw-rw---- and the group owner of the BPF devices to be the "access_bpf" group.

This means that any process with "access_bpf" as its primary group or in its secondary group set can do capturing.

Wireshark also puts the user who installs Wireshark into the "access_bpf" group, but it doesn't put any other user into that group. If the user who installs Wireshark isn't an admin user, that means that 1) the user who installs Wireshark has permission to capture and 2) whatever account is the admin user doesn't have permission to capture.

Yes, it means that there is at least one thing that at least one non-admin user can do and that at least one admin user can't do. "An admin user has a superset of the privileges that a non-admin user has" is not guaranteed to be true.

So either:

  • run Wireshark from the account that installed it;
  • add the "access_bpf" group to the secondary group set of any other account from which you want to run Wireshark;

or both.

As for the hang, that might have the same cause as bug 14284, in which case making sure that all accounts under which you run Wireshark are in the "access_bpf" group should fix that.
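The permission model described in this answer can be checked per account with a short script. This is an added example, not part of the original answer or of Wireshark; it assumes `ls -l` prints mode, link count, owner and group in that order, and the account names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: which accounts can open /dev/bpf* for reading?
# Applies the usual owner/group/other check to what `ls -l` and `id -Gn` report.

# can_read MODE OWNER GROUP ACCOUNT "ACCOUNT_GROUPS"
# MODE is an ls -l mode string such as crw-rw----.
can_read() {
    if [ "$4" = root ]; then return 0; fi      # root is not limited by mode bits
    if [ "$4" = "$2" ]; then
        col=2                                   # owner: only the owner bits apply
    else
        case " $5 " in
            *" $3 "*) col=5 ;;                  # member of the device's group
            *)        col=8 ;;                  # everyone else
        esac
    fi
    [ "$(printf '%s' "$1" | cut -c"$col")" = r ]
}

# audit_bpf ACCOUNT...: print one verdict per account.
audit_bpf() {
    for acct in "$@"; do
        if ! acct_groups=$(id -Gn "$acct" 2>/dev/null); then
            echo "$acct: unknown account"; continue
        fi
        seen=0 blocked=
        for dev in /dev/bpf*; do
            [ -e "$dev" ] || continue
            seen=$((seen + 1))
            # ls -l columns: mode, link count, owner, group, ...
            ls -l "$dev" | {
                read -r m links o g rest
                can_read "$m" "$o" "$g" "$acct" "$acct_groups"
            } || blocked="$blocked $dev"
        done
        if [ "$seen" -eq 0 ]; then
            echo "$acct: no /dev/bpf* devices found"
        elif [ -n "$blocked" ]; then
            # Fix named in the answer: add the account to access_bpf, e.g.
            #   sudo dseditgroup -o edit -a "$acct" -t user access_bpf
            echo "$acct: cannot read$blocked"
        else
            echo "$acct: can read all $seen BPF devices"
        fi
    done
}

# Usage: sh bpf_audit.sh alice admin1   (account names are placeholders)
if [ "$#" -gt 0 ]; then audit_bpf "$@"; fi
```

The check looks only at the mode bits and group membership; it does not evaluate ACLs, and a group change made with `dseditgroup` applies to sessions started after the change.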