Ask Your Question
0

Can't capture now, but could before. MacOS Catalina

asked 2020-10-23 15:54:11 +0000

mkworkplay gravatar image

I am a new Mac user (part of my problem :/ ) and I downloaded wireshark a month or so ago and I could capture packets no problem. Picked it back up again and now I can't capture. I had to update wireshark, and if I remember correctly, a pop up asked me about root permission or something. I clicked "NO" and I think this is my problem. I don't know what else could have changed.
I have uninstalled and reinstalled wireshark twice now, and apparently didn't install all the parts because I still can't capture packets. I've read the documentation, and it doesn't help me. What am I missing? How can I go back and give myself the ability to permission to capture packets again?
MacOS Catalina v10.15.7 Wireshark Version 3.2.7 (v3.2.7-0-gfb6522d84a3a)

edit retag flag offensive close merge delete

Comments

Is this wired or wireless?

Bob Jones gravatar imageBob Jones ( 2020-10-23 19:20:21 +0000 )edit

Does this file exist (best shown in Terminal)? /Applications/Wireshark.app/Contents/MacOS/dumpcap

And if so, what output does it generate when starting from Terminal?

Jaap gravatar imageJaap ( 2020-10-23 19:37:52 +0000 )edit

I have the same problem. I have put details here: link text

Any thoughts?

Tom

Tom Wells gravatar imageTom Wells ( 2020-11-09 23:52:10 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-10-24 07:10:46 +0000

Guy Harris gravatar image

updated 2020-10-24 07:11:57 +0000

I had to update wireshark, and if I remember correctly, a pop up asked me about root permission or something. I clicked "NO" and I think this is my problem.

The Wireshark 3.2.x disk image is a drag-install image, so you won't get the pop-up at installation time.

If, however, you haven't installed the "ChmodBPF' component in the image, if you start up Wireshark 3.2.7, there will be, on the main Wireshark screen, above the list of network devices, a message "You don't have permission to capture. You can install ChmodBPF to fix this". "install ChmodBPF to fix this" is in blue and is underlined; this indicates that you can click on it and, if you do, it will start up the ChmodBPF installer; run the installer, by clicking "Continue" and continuing through the process.

If you haven't installed ChmodBPF, and you try to start a capture, you will get a pop-up that says

The capture session could not be initiated on interface 'XXX' (You don't have permission to capture on that device).

Please check to make sure that you have sufficient permissions.

If you installed Wireshark using the package from wireshark.org, Try re-installing it and checking the box for the "Set capture permissions on startup" item.

There's no "Yes" vs. "No" choice for that pop-up, there's only an "OK" choice. (Ignore the last paragraph of the pop-up; it's out of date. I'll look at fixing that - along with the incorrect capitalization of "try".)

What you should do is, as per the above, start up Wireshark 3.2.7 and click on the "Install ChmodBPF to fix this" link; that will start the ChmodBPF installer - run through the installation process.

(This is not unique to Catalina; you need ChmodBPF on all versions of macOS, even the versions that were called "Mac OS X" or "OS X" when they were released.)

edit flag offensive delete link more

Comments

Thank you everyone for your responses.

@Bob my laptop isn't wired, I tried the Wi-Fi: en0. It's the only one showing activity.

@Jaap I went to About Wireshark>Folders>Program and found that file there. I x2 clicked the dumpcap executable and it shows this, with continuous packets running:

/Applications/Wireshark.app/Contents/MacOS/dumpcap ; exit;
Capturing on 'Wi-Fi: en0'
File: /var/folders/2y/6wkydwg56xzbxm5v0b7qqclc0000gn/T//wireshark_Wi-Fi_20201024093800_2WQ7Ok.pcapng
Packets: 154

@Guy I do have the ChmodBPF file, and have reinstalled it several times. I did a search and have a ChmodBPF folder, and inside is a Unix executable chmodBPF. I don't get that message you're referring to. Here is a small excerpt of what happens when I x2 click on the chmodBPF:

/Library/Application\ Support/Wireshark/ChmodBPF/ChmodBPF ; exit;
/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: line 35: /dev/bpf0: Resource busy
/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: line ...
(more)
mkworkplay gravatar imagemkworkplay ( 2020-10-24 07:44:33 +0000 )edit

here is the error pop up I get after trying to capture

Do you get that error when you start the capture, or after you stop the capture?

Guy Harris gravatar imageGuy Harris ( 2020-10-26 01:00:59 +0000 )edit

after I stop it. Once I realize that it's not capturing anything, I click the red stop box and then this pops up.

mkworkplay gravatar imagemkworkplay ( 2020-10-26 10:54:20 +0000 )edit

Are you using Wireless Diagnostics within Catalina to capture packets on WiFi? Steps:

  1. Make sure WiFi is on, but Disconnect from your WiFi network

  2. Search for wireless diagnostics on you Mac and then open

  3. Choose the WiFi channel and bandwidth you want to capture

  4. Capture packets

  5. Stop the capture. Usually the PCAP file is stored in the /var/tmp directory

  6. Go to the stored location and then you can view your capture.

Amato_C gravatar imageAmato_C ( 2020-11-10 20:08:23 +0000 )edit

fter I stop it. Once I realize that it's not capturing anything, I click the red stop box and then this pops up.

So you double-click on en0 (or whatever interface you're using), or start a capture on it from the Capture > Options dialog, and that dialog does NOT pop up shortly after you try to start the capture, with the capture not even starting, so you don't have the opportunity to stop?

And it says something such as

The capture session could not be initiated on interface 'en0' (You don't have permission to capture on that device).

Please check to make sure you have sufficient permissions.

If you installed Wireshark using the package from wireshark.org, Try re-installing it and checking the box for the "Set capture permissions on startup" item.

and offers you only an "OK" button to click?

If it doesn't ...(more)

Guy Harris gravatar imageGuy Harris ( 2020-11-10 20:22:08 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-10-23 15:54:11 +0000

Seen: 5,187 times

Last updated: Nov 09 '20