can't capture on any interface in OSX 10.14

asked 2019-07-04 01:45:01 +0000


Wireshark was working fine, then suddenly started hanging while loading interfaces, so I installed the newest version. Now I can't capture on any interface.

I've googled all over, tried everything in https://ask.wireshark.org/question/20...

No matter what I do, I can't capture. My user account is in the access_bpf group; I'm even the owner of all of the /dev/bpf files.

I've installed both the binary version and from homebrew. Same either way.


Comments

What happens if you run tcpdump -i en0 as yourself (rather than as root)?

Guy Harris ( 2019-07-04 01:46:50 +0000 )

tcpdump: en0: You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)

for the record... crw-rw---- 1 jackassplus access_bpf 23, 0 Jul 3 18:13 /dev/bpf0

jackassplus ( 2019-07-04 04:46:40 +0000 )

I'm pretty sure these should be owned by root, while you're supposed to be member of the access_bpf group.

Jaap ( 2019-07-04 05:57:21 +0000 )

"Owned by root" is not a requirement. With that ownership and permissions, anybody who's either 1) jackassplus or 2) in group access_bpf or 3) both should be able to capture.

What does the id command print?

Guy Harris ( 2019-07-04 07:35:19 +0000 )
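The permission rule stated in the comment above (owner, or member of the device's group, gets whichever triple of the mode bits applies) can be checked mechanically. The script below is an added example for this thread, not code from Wireshark, libpcap or ChmodBPF; the function names bpf_perm and check_live_bpf are hypothetical. bpf_perm works out, from an ls -l style mode string and a user's name and group list, which permission triple applies; check_live_bpf runs that over the real /dev/bpf* devices and compares the answer with what the kernel actually grants via access(2), so a mismatch shows that something other than ownership and mode bits is refusing the open.

```shell
#!/bin/sh
# Added diagnostic for BPF capture permissions on macOS; not part of
# Wireshark, libpcap or ChmodBPF. bpf_perm and check_live_bpf are
# hypothetical names chosen for this example.

# bpf_perm MODE OWNER GROUP USER [GROUPNAME...]
# MODE is the 10-character ls(1) mode string (e.g. crw-rw----), OWNER and
# GROUP the device's owner and group, USER the caller's user name and the
# remaining arguments the caller's group names (as printed by `id -Gn`).
# Prints the three permission characters that classic Unix mode bits grant
# that user: the owner triple if USER owns the device, otherwise the group
# triple if any of the caller's groups equals GROUP, otherwise "other".
bpf_perm() {
    mode=$1 owner=$2 group=$3 user=$4
    shift 4
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4
        return 0
    fi
    for g in "$@"; do
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$mode" | cut -c5-7
            return 0
        fi
    done
    printf '%s\n' "$mode" | cut -c8-10
}

# check_live_bpf: for every /dev/bpf* on this machine, print the device's
# mode, owner and group, the triple the mode bits grant the current user,
# and what the kernel actually answers to [ -r ] / [ -w ] (access(2)).
# Returns 0 if every device whose bits say "readable" really is readable,
# 1 if any such device fails the kernel check. Note: as root, [ -r ] is
# true regardless of the bits, and `id -Gn` reflects the group list fixed
# at login, so a group added afterwards needs a fresh login session.
check_live_bpf() {
    me=$(id -un)
    groups=$(id -Gn)
    rc=0
    for dev in /dev/bpf*; do
        if [ ! -e "$dev" ]; then
            echo "no /dev/bpf* devices on this system"
            return 0
        fi
        line=$(ls -ld "$dev")
        # ls -l fields: mode, link count, owner, group. macOS may append
        # "@" or "+" to the mode for xattrs/ACLs, so keep only 10 chars.
        mode=$(printf '%s\n' "$line" | awk '{print substr($1, 1, 10)}')
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        group=$(printf '%s\n' "$line" | awk '{print $4}')
        bits=$(bpf_perm "$mode" "$owner" "$group" "$me" $groups)
        if [ -r "$dev" ]; then actual=readable; else actual=not-readable; fi
        [ -w "$dev" ] && actual="$actual,writable"
        echo "$dev $mode $owner:$group bits-for-$me=$bits kernel=$actual"
        case $bits in
            r*) [ -r "$dev" ] || rc=1 ;;
        esac
    done
    return $rc
}

# Inspect this machine (prints one line per /dev/bpf* device).
check_live_bpf
```

Read permission is what a capture needs; the write bit matters only for packet injection. If a device shows bits-for-you of "rw-" or "r--" but kernel=not-readable, the mode bits and group membership are not the problem, and the cause has to be looked for elsewhere (a stale login session is the first thing to rule out, since the group list a process carries is the one set when you logged in).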

uid=501(jackass plus) gid=20(staff) groups=20(staff),702(com.apple.sharepoint.group.2),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),501(access_bpf),703(com.apple.sharepoint.group.3),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh)

jackassplus ( 2019-07-04 16:12:40 +0000 )

"My user account is in the access_bpf group"

That appears not to be the case, from the output of the id command.

The output of that command also says "jackass plus" rather than "jackassplus", but I'm assuming that's the result of autocorrect being "helpful"; that's why my comment said it (I'll fix that).

What happens if you reboot the machine?

Guy Harris ( 2019-07-04 20:14:50 +0000 )

That was an autocorrect error. After a reboot, functionality is the same, but I get:

ls -al /dev/bpf*
crw-rw----  1 root  access_bpf   23,   0 Jul  5 07:05 /dev/bpf0
crw-rw----  1 root  access_bpf   23,   1 Jul  5 07:04 /dev/bpf1
crw-rw----  1 root  access_bpf   23,   2 Jul  5 07:04 /dev/bpf2
crw-rw----  1 root  access_bpf   23,   3 Jul  5 07:04 /dev/bpf3

jackassplus ( 2019-07-05 13:58:28 +0000 )

I enabled the root user, and I still don't have permission:

sh-3.2# /Library/Application\ Support/Wireshark/ChmodBPF/ChmodBPF
/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: line 35: /dev/bpf0: Permission denied
/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: line 35: /dev/bpf1: Permission denied
/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: line 35: /dev/bpf2: Permission denied
/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: line 35: /dev/bpf3: Permission denied

jackassplus ( 2019-07-05 14:46:24 +0000 )

I ended up giving up and reinstalling OSX from scratch.

jackassplus ( 2019-07-06 18:37:52 +0000 )