Ask Your Question
0

Catalina 10.15.4 and Wireshark

asked 2020-05-08 00:46:23 +0000

Nolliwira gravatar image

After Catalina upgrade, Wireshark stop working or stop capturing ... what's the fix?

edit retag flag offensive close merge delete

Comments

"Catalina upgrade" meaning "upgrade from an earlier release of Catalina to 10.15.4", or "upgrade from a pre-Catalina release of macOS to Catalina"?

On what device are you trying to capture? If it's a Wi-Fi device, are you trying to capture in monitor mode? If so, what model of Mac do you have?

Guy Harris gravatar imageGuy Harris ( 2020-05-08 04:04:25 +0000 )edit

Yes, I had upgraded Catalina from an earlier release where Wireshark was working great. The device is a Mac Mini with WIFI but never used. I capture on the Ethernet port with Mikrotik providing the sniffer tool and feed. It worked great until the Catalina upgrade and was waiting on some 2TB USB3 flash drive to arrive ... the drives arrived a day before the upgrade. I also get the permission error another member mentioned.

Nolliwira gravatar imageNolliwira ( 2020-05-09 06:45:01 +0000 )edit

What do the commands ls -l /dev/bpf* and id print?

Guy Harris gravatar imageGuy Harris ( 2020-05-09 06:58:24 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-05-09 16:02:22 +0000

Bob Jones gravatar image

The device is a Mac Mini with WIFI but never used. I capture on the Ethernet port

Try turning on WiFi and then the wired capture devices may become available. My new Macbook Pro does not behave this but my upgraded Macbook Airs do need this.

edit flag offensive delete link more

Comments

That's messed up. Apple doesn't seem to have any A team members working on packet capture any more.

Please see if that can be reproduced with tcpdump (use the -i flag to capture on specific devices) and then file a report on it with Feedback Assistant or the Feedback Assistant Web site.

Guy Harris gravatar imageGuy Harris ( 2020-05-09 23:03:08 +0000 )edit

Not Apple's fault ... Wireshark is aware of it and should/must fix it.

Nolliwira gravatar imageNolliwira ( 2020-05-13 13:57:57 +0000 )edit

Not Apple's fault

Pro tip: submit evidence when you make claims

Some commands from a MacBook Air, after upgrading. Turn off WiFi from the menu:

bobkj@bobkjs-MacBook-Air % ifconfig en0
en0: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
        options=400<CHANNEL_IO>
        ether 8c:29:37:e8:5f:7c
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect (<unknown type>)
        status: inactive

bobkj@bobkjs-MacBook-Air % tcpdump -D
tcpdump: SIOCGIFMEDIA on llw0 failed: Device power is off

Turn WiFi on:

bobkj@bobkjs-MacBook-Air % ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=400<CHANNEL_IO>
        ether 8c:29:37:e8:5f:7c
        inet6 fe80::3a:ee49:e8df:f369%en0 prefixlen 64 secured scopeid 0x4
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect
        status: active
bobkj@bobkjs-MacBook-Air % tcpdump -D
1.en0 [Up, Running]
2.p2p0 [Up, Running]
3.awdl0 [Up, Running]
4.llw0 [Up, Running]
5.utun0 [Up, Running]
6.utun1 [Up, Running]
7.utun2 [Up, Running]
8 ...
(more)
Bob Jones gravatar imageBob Jones ( 2020-05-14 19:58:36 +0000 )edit

Ok, that mess, which was the result of Apple being weird. The master branch of libpcap fixes this, and I passed that fix on to Apple via Feedback Assistant.

In any case, the reader will note that Bob Jones' test did not involve Wireshark at all, so it is clearly not anything to do with Wireshark; about the only way it could be fixed in the Wireshark release would be to build with libpcap from the master branch rather than with the libpcap that comes with macOS, which would introduce its own risks (that's not a release, it's "whatever somebody last checked in"), so I wouldn't recommend it (and I'm probably the "somebody" in "whatever somebody last checked in" :-)). So the Wireshark developers are "aware" of it in the sense that they're aware that it's broken in macOS, but aren't in much of ...(more)

Guy Harris gravatar imageGuy Harris ( 2020-05-14 20:10:51 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-05-08 00:46:23 +0000

Seen: 1,165 times

Last updated: May 09 '20