can't capture on any interface in OSX 10.14

asked 2019-07-04 01:45:01 +0000

jackassplus

Wireshark was working fine, then suddenly started hanging while loading interfaces, so I installed the newest version. Now I can't capture on any interface.

I've googled all over, tried everything in https://ask.wireshark.org/question/20...

No matter what I do, I can't capture. My user account is in the access_bpf group. I'm even the owner of all of the /dev/bpf files.

I've installed both the binary version and from Homebrew. Same either way.


Comments

What happens if you run tcpdump -i en0 as yourself (rather than as root)?

Guy Harris ( 2019-07-04 01:46:50 +0000 )

tcpdump: en0: You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)

for the record... crw-rw---- 1 jackassplus access_bpf 23, 0 Jul 3 18:13 /dev/bpf0

jackassplus ( 2019-07-04 04:46:40 +0000 )

I'm pretty sure these should be owned by root, while you're supposed to be a member of the access_bpf group.

Jaap ( 2019-07-04 05:57:21 +0000 )

"Owned by root" is not a requirement. With that ownership and permissions, anybody who's either 1) jackassplus or 2) in group access_bpf or 3) both should be able to capture.

What does the id command print?

Guy Harris ( 2019-07-04 07:35:19 +0000 )

uid=501(jackass plus) gid=20(staff) groups=20(staff),702(com.apple.sharepoint.group.2),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),501(access_bpf),703(com.apple.sharepoint.group.3),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh)

jackassplus ( 2019-07-04 16:12:40 +0000 )
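
The owner/group/other rule Guy Harris describes in the comments, as an added example that is not part of the original thread: it parses an `ls -l` line and `id` output like those posted above and reports whether the mode bits grant read/write. The function names are hypothetical, and the group list is shortened from the posted output.

```shell
#!/bin/sh
# Added example (not from the thread): apply the Unix owner/group/other
# rule to an `ls -l` line for a BPF device and the output of `id`.

# Print the group names from an `id` output line, space separated.
groups_from_id() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' |
        sed 's/^[0-9]*(\(.*\))$/\1/' | tr '\n' ' '
}

# Print which permission class applies: owner, group or other.
# Exactly one class is used; owner wins even if the group bits
# would grant more.
perm_class() {  # perm_class USER "GROUP LIST" OWNER GROUP
    [ "$1" = "$3" ] && { echo owner; return; }
    for g in $2; do
        [ "$g" = "$4" ] && { echo group; return; }
    done
    echo other
}

# Succeed if USER (with GROUP LIST) gets read+write from the mode bits.
can_rw() {  # can_rw "LS -L LINE" USER "GROUP LIST"
    user=$2 glist=$3
    set -- $1                      # split: mode links owner group ...
    mode=$1
    case $(perm_class "$user" "$glist" "$3" "$4") in
        owner) bits=$(printf %s "$mode" | cut -c2-3) ;;
        group) bits=$(printf %s "$mode" | cut -c5-6) ;;
        other) bits=$(printf %s "$mode" | cut -c8-9) ;;
    esac
    [ "$bits" = "rw" ]
}

# Values from the thread; the group list is shortened.
LS_LINE='crw-rw---- 1 jackassplus access_bpf 23, 0 Jul 3 18:13 /dev/bpf0'
ID_LINE='uid=501(jackass plus) gid=20(staff) groups=20(staff),12(everyone),80(admin),501(access_bpf)'

GROUPS_SEEN=$(groups_from_id "$ID_LINE")
if can_rw "$LS_LINE" jackassplus "$GROUPS_SEEN"; then
    echo "mode bits grant read/write on /dev/bpf0"
else
    echo "mode bits deny read/write on /dev/bpf0"
fi
```

If this reports that the mode bits grant access while tcpdump still prints Permission denied, the refusal is not explained by the mode bits that `ls -l` shows.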