can't capture on any interface in OSX 10.14
Wireshark was working fine, then suddenly started hanging loading interfaces, So installed the newest version. Now I can't capture on any interface.
I've googled all over, tried everything in https://ask.wireshark.org/question/20...
No matter what I do, I can't capture. My user account is in the access_bpf group I'm even the owner of all of the /dev/bpf files
I've installed both the binary version and from homebrew. Same either way.
What happens if you run
tcpdump -i en0
as yourself (rather than as root)?tcpdump: en0: You don't have permission to capture on that device ((cannot open BPF device) /dev/bpf0: Permission denied)
for the record... crw-rw---- 1 jackassplus access_bpf 23, 0 Jul 3 18:13 /dev/bpf0
I'm pretty sure these should be owned by root, while you're supposed to be member of the access_bpf group.
"Owned by root" is not a requirement. With that ownership and permissions, anybody who's either 1) jackassplus or 2) in group access_bpf or 3) both should be able to capture.
What does the
id
command print?uid=501(jackass plus) gid=20(staff) groups=20(staff),702(com.apple.sharepoint.group.2),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),501(access_bpf),703(com.apple.sharepoint.group.3),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh)
That appears not to be the case, from the output of the
id
command.The output of that command also says "jackass plus" rather than "jackassplus", but I'm assuming that's the result of autocorrect being "helpful"; that's why my comment said it (I'll fix that).
What happens if you reboot the machine?
that was an autocorrect error. after a reboot, functionality is the same, but I get:
I enabled the root user, and I still don't have permission:
I ended up giving up and reinstalling OSX from scratch.