Ask Your Question
0

ChmodBPF "Permission denied" on MacOS 10.15.4 Catalina

asked 2020-05-08 23:41:48 +0000

JD50Garvin gravatar image

Wireshark 3.2.3 reports instead that I should "install ChmodBPF to fix this" but that doesn't work and is already installed. The executable gives up after 255 tries with:

/Library/Application\ Support/Wireshark/ChmodBPF/ChmodBPF ; exit; /Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: line 35: /dev/bpf0: Permission denied

Then another 255 tries to:

chgrp: /dev/bpf0: Operation not permitted

edit retag flag offensive close merge delete

Comments

ChmodBPF must be run as root - and launchd should run it, as root, as a startup-time job, and the Wireshark install script should also run it as root, so you shouldn't need to run it.

What does ls -l /dev/bpf0 print? If it prints something such as

crw-rw----  1 root  access_bpf   23,   0 May  5 13:49 /dev/bpf0

then it did run and should already have set up your machine to allow everybody in the access_bpf group to capture traffic.

If it doesn't print that, what does

sudo launchctl list | egrep ChmodBPF

print?

Guy Harris gravatar imageGuy Harris ( 2020-05-09 01:55:12 +0000 )edit

Thanks for the hint! Listing /dev/bpf0 yields "no such file or directory." and egrep yields "- 0 org.wireshark.ChmodBPF" and I don't see /dev/bpf0 anywhere on the system, hidden or otherwise. I'm assuming the installer script cannot create /dev/pbf0?

JD50Garvin gravatar imageJD50Garvin ( 2020-05-09 02:11:14 +0000 )edit

I'm assuming the installer script cannot create /dev/bpf0?

Sort of. The BPF devices are supposed to be created "on demand" by attempts to open them, and the script tries to create a lot of them and give them the right permissions and ownership.

What happens if you run the command sudo tcpdump -i en0? It should print

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes

If it does, type control-C; at that point, there should at least be a /dev/bpf0 device.

Guy Harris gravatar imageGuy Harris ( 2020-05-09 06:51:04 +0000 )edit

That does give the result you show there, but WireShark still isn't finding it where it expects to find it or doesn't have permission to use it. (?)

JD50Garvin gravatar imageJD50Garvin ( 2020-05-09 12:11:35 +0000 )edit

I also get the permission issue and installing the ChmodBPF had gotten rid of the permission issue; however, it did not resolve the Wireshark not starting up after upgrading to MacOS 10.15.4. I believe the Wireshark folks is aware of the issue as I had seen a reference on their blog on April 24th regards the fix and that it was easy; however, I cannot find the blog post on blog.wireshark.org when I looked yesterday May 8th.`

Nolliwira gravatar imageNolliwira ( 2020-05-09 14:32:19 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-05-09 20:35:31 +0000

JD50Garvin gravatar image

I found I can enable Wireshark in Catalina (10.15.4) by entering the following commands in the Terminal app:

sudo chmod g+r /dev/bpf*

sudo chgrp admin /dev/bpf*

This information was provided indirectly while researching an open source Swift project called "Etherdump" at http://networkmom.net/etherdump/

edit flag offensive delete link more

Comments

Other than "access_bpf" other than "admin", and "g+rw" rather than "g+r", that's what ChmodBPF does if run as root.

So it is not at all clear what's going on here; others have not seen this problem, so it's not a general problem with Catalina.

Guy Harris gravatar imageGuy Harris ( 2020-05-09 22:59:34 +0000 )edit

I agree the installer should have worked. Perhaps there are extra hardware controls on root access from downloaded programs in the newer 16" MacBook Pro. I'll have to do some more reading!

JD50Garvin gravatar imageJD50Garvin ( 2020-05-10 01:45:51 +0000 )edit

Perhaps there are extra hardware controls on root access from downloaded programs in the newer 16" MacBook Pro.

I have not seen any of these problems on my newer 16" MacBook Pro, so that's unlikely to be the answer.

What does the command id print? Does it report you as being a member of group access_bpf?

Guy Harris gravatar imageGuy Harris ( 2020-05-10 04:06:09 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-05-08 23:41:48 +0000

Seen: 644 times

Last updated: May 09