Ask Your Question

updated catalina no interfaces found

asked 2019-12-11 15:47:12 +0000

dunne_with_it gravatar image

Updated today to Catalina 10.15.2 Launched Wireshark 3.0.7 and no en0 or en1 interfaces shown and no apparent way to add them. Downloaded and installed Version 3.2.0rc1 (v3.2.0rc1-0-g84fad90e808b) with no change. Anyone with any ideas? Thanks much!

edit retag flag offensive close merge delete


What does "ls -l /dev/bpf*" print?

Guy Harris gravatar imageGuy Harris ( 2019-12-11 18:33:44 +0000 )edit

What does "tcpdump -D" print?

Stig gravatar imageStig ( 2019-12-11 19:18:52 +0000 )edit

For the bpf* directory search, I get /dev/bpf0 thru /bpf255

For the "tcpdump -D", I get: tcpdump: SIOCGIFMEDIA on llw0 failed: Device power is off

dunne_with_it gravatar imagedunne_with_it ( 2019-12-11 20:04:39 +0000 )edit

For the bpf* directory search, I get /dev/bpf0 thru /bpf255

But did all the devices have permissions "rw-rw----", and are they all owned by the "access_bpf" group? If not, that would mean that no interfaces would be shown, not even "lo0".

And did it show "lo0" as an interface, even though it didn't show "en0" or "en1"?

Guy Harris gravatar imageGuy Harris ( 2019-12-12 08:14:28 +0000 )edit

To answer your question, this is what they all show:

crw-rw----  1 root            access_bpf      23,  15 Dec 12 07:12 bpf15

That being said, it seems Stig had the answer. Thank you for your interest, tho. Much appreciated.

dunne_with_it gravatar imagedunne_with_it ( 2019-12-12 13:44:57 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted

answered 2019-12-12 07:27:53 +0000

Stig gravatar image

This looks like a bug in Catalina 10.15.2 when you have Wi-Fi turned off. Try turn Wi-Fi on and start Wireshark again.

edit flag offensive delete link more


Any idea what device "llw0" is? This suggests from "id=511 level=255 0x100=MAGICWAKE mod=11/07/2019 21:51 description=llw0 owner=IOSkywalkNetworkBSDClient" that it's part of the Skywalk subsystem, for which Apple has added a libpcap module in their version of libpcap.

Guy Harris gravatar imageGuy Harris ( 2019-12-12 09:54:06 +0000 )edit

Wow! Yes, it's a bug. I normally don't use Wi-Fi. Turning it on and relaunching Wireshark -- it all works and all the interfaces show up. Go figure!

Thanks so much for revealing this weirdness! Now, back to dealing with mDNS floods. Gotta love Bonjour.

dunne_with_it gravatar imagedunne_with_it ( 2019-12-12 13:30:18 +0000 )edit

Oh, wish I had seen this before... BTW, there is another fix that does not involve wifi, using terminal to launch wireshark accept -i en4 (replace en4 with whatever interface ur usb or ethernet is). If you dont know the interface ID, you can run networksetup -listallhardwareports

mblend27 gravatar imagemblend27 ( 2019-12-20 10:12:57 +0000 )edit

Has anyone logged this bug? I can't see it on the wireshark bug database

codecowboy gravatar imagecodecowboy ( 2020-01-08 07:33:16 +0000 )edit

Good catch!

Bob Clary gravatar imageBob Clary ( 2020-01-17 18:03:06 +0000 )edit

answered 2020-02-19 03:42:10 +0000

Guy Harris gravatar image

updated 2020-02-19 04:32:31 +0000

This appears to be a libpcap issue, not a Wireshark issue, given that, in this question, somebody found that Apple's tcpdump, linked with Apple's libpcap, reported "tcpdump: SIOCGIFMEDIA on llw0 failed: Device power is off" for a tcpdump -D command.

tcpdump -Dand Wireshark's interface list use the same libpcap routine, and that code, at least in the version of libpcap, will, on macOS, do an SIOCGIFMEDIA on all devices it finds, and give up if it gets an error other than a small set of errors.

That set currently doesn't include EPWROFF ("Device power is off"), so that will cause an attempt to find all devices to fail with that error if that's what device llw0 reports.

I've just checked in a change to's libpcap to treat EPWROFF as meaning "I don't know if this device is connected" rather than as an error; I have also reported an error to Apple, telling them to pick up that change, as I assume they picked up that code from the libpcap (they haven't open-sourced their libpcap in a while, so I don't know that for certain). I included a patch for the change made to's libpcap; if they pick it up for a future Catalina release, that should fix the problem.

It appears, from, that 10.15 shipped with libpcap 1.8.1, which did not have the SIOCGIFMEDIA code; 10.15.3 apparently (based on the output of tcpdump --version) ships with libpcap 1.9.1, which does have the problem. That's why updating to 10.15.2 or 10.15.3 causes the problem to show up.

In any case, it appears that turning the Wi-Fi off can sometimes produce this; it did not do so when I tried it on my MacBook Pro running 10.15.3.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-12-11 15:47:12 +0000

Seen: 2,119 times

Last updated: Feb 19