Ask Your Question
0

How to fix "The capture session could not be initiated on interface" (You don't have permission to capture on that device)

asked 2018-03-10 04:52:49 +0000

updated 2018-06-13 11:17:52 +0000

I had thought that the installer had got around this problem, but it is back.

Problem: Whenever I try and capture traffic on and interface, I get a message like "The capture session could not be initiated on interface 'en0' (You don't have permission to capture on that device") image description

Attempted Solution:Checked out the uninstall script I found at https://github.com/srozzo/wireshark-u... and when I was satisfied that it seemed to do the jobs listed in the installer Read me first.rft file, I completely uninstalled Wireshard using the command (as root)

 bash -c "$(curl -sL https://raw.github.com/srozzo/wireshark-uninstall-osx/master/uninstall.sh)"

Then re-run the installer using the latest version download. (v 2.4.5)

Environment: I have attemtpted this on two computers:

Computer #1: MacOS 10.12.6 - MacBook Pro 15" 2016 (No in-built ethernet interface, only wifi and USB Ethernet)

Computer #2: MacOS 10.13.3 - Mac Mini Mid 2011 (Inbuilt Gigebit Ethernet adapter and WiFi)

Other Information: While running the uninstall script, a message appeared

 /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist: Could not find specified service

however, that may have been because the script tried to remove more devices than necessary.

I also noticed that after doing the new install, my bfd divices appeared as

sh-3.2# ls -lh /dev/bpf*
crw-------  1 root  wheel   23,   0 22 Feb 08:47 /dev/bpf0
crw-------  1 root  wheel   23,   1 22 Feb 08:47 /dev/bpf1
crw-------  1 root  wheel   23,   2 10 Mar 14:21 /dev/bpf2
crw-------  1 root  wheel   23,   3 10 Mar 14:21 /dev/bpf3
crw-------  1 root  wheel   23,   4 22 Feb 08:48 /dev/bpf4

whereas I expected them to have rw group permissions. I changed the permissions viz:

sh-3.2# chmod g+rw /dev/bpf*
sh-3.2# ls -lh /dev/bpf*
crw-rw----  1 root  wheel   23,   0 22 Feb 08:47 /dev/bpf0
crw-rw----  1 root  wheel   23,   1 22 Feb 08:47 /dev/bpf1
crw-rw----  1 root  wheel   23,   2 10 Mar 14:21 /dev/bpf2
crw-rw----  1 root  wheel   23,   3 10 Mar 14:21 /dev/bpf3
crw-rw----  1 root  wheel   23,   4 22 Feb 08:48 /dev/bpf4

but this did not improve the situation.

My Question Does anyone know how to How to fix "The capture session could not be initiated on interface" (You don't have permission to capture on that devi and get Wireshark running on macOS?

[Edit: Added two graphics in response to suggestions below] Capture Permissions at installation User permissions ater install

edit retag flag offensive close merge delete

Comments

/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist: Could not find specified service

When you installed Wireshark, you did leave "Set capture permissions on startup" checked, rather than un-checking it, right?

Guy Harris gravatar imageGuy Harris ( 2018-06-12 17:09:20 +0000 )edit

Correct. I did leave "Set capture permissions on startup" checked, rather than un-checking it. See edit above. Thanks for responding anyway.

rednectar gravatar imagerednectar ( 2018-06-13 11:18:49 +0000 )edit

While running the uninstall script, a message appeared

 /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist: Could not find specified service

however, that may have been because the script tried to remove more devices than necessary.

No, that wouldn't cause it - that's not a device, that's a file.

The most likely reason for that error would be that the service did not, in fact, exist; that would certainly explain why that service, whose purpose is to, at boot time, pre-create a lot of BPF devices and make all the BPF devices in existence after that owned by group access_bpf and be group readable and writable, isn't, in fact, doing that.

After installing Wireshark, what does

ls -l /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

print? If it doesn't print

-rwxr-xr-x  1 root  wheel  {size} {month} {day} {time or year} /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

(for some values ...(more)

Guy Harris gravatar imageGuy Harris ( 2018-06-13 18:44:52 +0000 )edit

3 Answers

Sort by ยป oldest newest most voted
0

answered 2018-06-12 03:59:53 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I am unsure if your situation is the same as mine, but I installed Wireshark previously under a different userid. I needed to go into users and groups and add the userid I am now using to the access_bpf group. once I did that and restarted Wireshark (no reboot or logoff/logon required) it was able to find and access the interfaces fine.

edit flag offensive delete link more

Comments

I checked. (See edit above) I have permissions to the access_bpf group. Thanks for the suggestion anyway.

rednectar gravatar imagerednectar ( 2018-06-13 11:20:11 +0000 )edit
0

answered 2018-06-27 08:00:33 +0000

I found the answer to my issue at https://josephhall.org/nqb2/index.php...

For me on OSX 10.11.6 with a previously working Wireshark install, I could see there were no local interfaces listed.

I tried a reinstall over the top and then a delete and reinstall - neither worked.

I could not see any created access_bpf group having been created. I checked the permissions on the /dev/bpf* files and they were without group permissions anyway.

I could see no /Library/StartupItems script to alter the permissions.

I could not access the /Library/Wireshark directory which had : drwx------ 3 504 wheel 102 8 Jul 2016 Wireshark

I couldn't find the ChmodBPF script in the Wireshark DMG.

So as a "sort it out now and get on with life" fix I did: sudo chmod o+r /dev/bpf*

(as suggested by the article I posted) and then restarted Wireshark. I was then able to see the local interfaces.

So perhaps something is wrong with the current Wireshark builds?

Raza

edit flag offensive delete link more
-1

answered 2020-11-17 02:21:54 +0000

updated 2020-11-17 09:57:58 +0000

Jaap gravatar image

Solution

  • Run the application from the terminal with the following command:
  • deleted command *see below
  • Wireshark should open and packet capture should work now.
edit flag offensive delete link more

Comments

Sigh. Please do NOT advocate running Wireshark as root, there are over 3 million lines of code in there, exposed to whatever traffic comes over the wire. Doing so is risky and unnecessary.

See the wiki page on Security for more info.

grahamb gravatar imagegrahamb ( 2020-11-17 08:39:24 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-03-10 04:52:49 +0000

Seen: 43,947 times

Last updated: Nov 17 '20