# How to fix "The capture session could not be initiated on interface" (You don't have permission to capture on that device)

I had thought that the installer had got around this problem, but it is back.

Problem: Whenever I try and capture traffic on an interface, I get a message like "The capture session could not be initiated on interface 'en0' (You don't have permission to capture on that device)"

Attempted Solution: Checked out the uninstall script I found at https://github.com/srozzo/wireshark-u... and when I was satisfied that it seemed to do the jobs listed in the installer Read me first.rft file, I completely uninstalled Wireshark using the command (as root)

 bash -c "$(curl -sL https://raw.github.com/srozzo/wireshark-uninstall-osx/master/uninstall.sh)"


Environment: I have attempted this on two computers:

Computer #1: MacOS 10.12.6 - MacBook Pro 15" 2016 (No in-built ethernet interface, only wifi and USB Ethernet)

Computer #2: MacOS 10.13.3 - Mac Mini Mid 2011 (Inbuilt Gigabit Ethernet adapter and WiFi)

Other Information: While running the uninstall script, a message appeared

 /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist: Could not find specified service


however, that may have been because the script tried to remove more devices than necessary.

I also noticed that after doing the new install, my bpf devices appeared as

sh-3.2# ls -lh /dev/bpf*
crw-------  1 root  wheel   23,   0 22 Feb 08:47 /dev/bpf0
crw-------  1 root  wheel   23,   1 22 Feb 08:47 /dev/bpf1
crw-------  1 root  wheel   23,   2 10 Mar 14:21 /dev/bpf2
crw-------  1 root  wheel   23,   3 10 Mar 14:21 /dev/bpf3
crw-------  1 root  wheel   23,   4 22 Feb 08:48 /dev/bpf4


whereas I expected them to have rw group permissions. I changed the permissions viz:

sh-3.2# chmod g+rw /dev/bpf*
sh-3.2# ls -lh /dev/bpf*
crw-rw----  1 root  wheel   23,   0 22 Feb 08:47 /dev/bpf0
crw-rw----  1 root  wheel   23,   1 22 Feb 08:47 /dev/bpf1
crw-rw----  1 root  wheel   23,   2 10 Mar 14:21 /dev/bpf2
crw-rw----  1 root  wheel   23,   3 10 Mar 14:21 /dev/bpf3
crw-rw----  1 root  wheel   23,   4 22 Feb 08:48 /dev/bpf4


but this did not improve the situation.

My Question: Does anyone know how to fix "The capture session could not be initiated on interface" (You don't have permission to capture on that device) and get Wireshark running on macOS?

[Edit: Added two graphics in response to suggestions below]


/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist: Could not find specified service

When you installed Wireshark, you did leave "Set capture permissions on startup" checked, rather than un-checking it, right?

( 2018-06-12 17:09:20 +0000 )

Correct. I did leave "Set capture permissions on startup" checked, rather than un-checking it. See edit above. Thanks for responding anyway.

( 2018-06-13 11:18:49 +0000 )

While running the uninstall script, a message appeared

 /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist: Could not find specified service


however, that may have been because the script tried to remove more devices than necessary.

No, that wouldn't cause it - that's not a device, that's a file.

The most likely reason for that error would be that the service did not, in fact, exist; that would certainly explain why that service, whose purpose is to, at boot time, pre-create a lot of BPF devices and make all the BPF devices in existence after that owned by group access_bpf and be group readable and writable, isn't, in fact, doing that.

After installing Wireshark, what does

ls -l /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist


print? If it doesn't print

-rwxr-xr-x  1 root  wheel  {size} {month} {day} {time or year} /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist


(for some values ...(more)

( 2018-06-13 18:44:52 +0000 )
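The check the comment above describes, written out as an added example (not part of the original thread and not Wireshark's own ChmodBPF script): it classifies each `ls -l /dev/bpf*` line by group owner and mode. The sample listing is constructed from the listings in the question, and the function names `audit_bpf_listing` and `audit_live` are made up here.

```shell
#!/bin/sh
# Classify each character-device line of `ls -l /dev/bpf*` output on stdin.
#   ok     group owner is access_bpf and the group has read+write
#   group  group owner is not access_bpf, so g+rw benefits another group
#   mode   group owner is access_bpf but group read/write is missing
#   world  "other" permission bits are set: any local user can open it
audit_bpf_listing() {
    awk -v want="${1:-access_bpf}" '
    $1 ~ /^c/ {
        mode = $1; grp = $4; dev = $NF
        if (substr(mode, 8, 3) != "---")    st = "world"
        else if (grp != want)               st = "group"
        else if (substr(mode, 5, 2) != "rw") st = "mode"
        else                                st = "ok"
        print dev, st
    }'
}

# Live variant for the Mac itself: audits the real devices and reports
# whether the current user is a member of access_bpf.
audit_live() {
    ls -l /dev/bpf* 2>/dev/null | audit_bpf_listing
    if id -Gn | tr ' ' '\n' | grep -qx access_bpf; then
        echo "current user is in access_bpf"
    else
        echo "current user is NOT in access_bpf"
    fi
}

# Constructed sample: bpf0 as first listed in the question, bpf1 after
# `chmod g+rw`, bpf2 as ChmodBPF is described as leaving it, bpf3 with an
# "other" read bit, bpf4 with the right group but no group permissions.
SAMPLE='crw-------  1 root  wheel       23,   0 22 Feb 08:47 /dev/bpf0
crw-rw----  1 root  wheel       23,   1 22 Feb 08:47 /dev/bpf1
crw-rw----  1 root  access_bpf  23,   2 10 Mar 14:21 /dev/bpf2
crw----r--  1 root  wheel       23,   3 10 Mar 14:21 /dev/bpf3
crw-------  1 root  access_bpf  23,   4 22 Feb 08:48 /dev/bpf4'

printf '%s\n' "$SAMPLE" | audit_bpf_listing
```

On the sample, `/dev/bpf1` is reported as `group`: adding group read/write while the group owner is still `wheel` does nothing for a user whose membership is in `access_bpf`.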


I found the answer to my issue at https://josephhall.org/nqb2/index.php...

For me on OSX 10.11.6 with a previously working Wireshark install, I could see there were no local interfaces listed.

I tried a reinstall over the top and then a delete and reinstall - neither worked.

I could not see any access_bpf group having been created. I checked the permissions on the /dev/bpf* files and they were without group permissions anyway.

I could see no /Library/StartupItems script to alter the permissions.

I could not access the /Library/Wireshark directory which had : drwx------ 3 504 wheel 102 8 Jul 2016 Wireshark

I couldn't find the ChmodBPF script in the Wireshark DMG.

So as a "sort it out now and get on with life" fix I did: sudo chmod o+r /dev/bpf*

(as suggested by the article I posted) and then restarted Wireshark. I was then able to see the local interfaces.

So perhaps something is wrong with the current Wireshark builds?

Raza


I am unsure if your situation is the same as mine, but I installed Wireshark previously under a different userid. I needed to go into users and groups and add the userid I am now using to the access_bpf group. Once I did that and restarted Wireshark (no reboot or logoff/logon required) it was able to find and access the interfaces fine.


I checked. (See edit above) I have permissions to the access_bpf group. Thanks for the suggestion anyway.

( 2018-06-13 11:20:11 +0000 )