BPF permission denied when not connected to an OpenVPN connection
Yesterday was the first time in a long time wireshark worked on macOS for me (after I unloaded and disabled org.wireshark.ChmodBPF using launchctl, or possibly because I stopped using an account w/ admin privilege). While I'm not really sure why it worked, after I tried sudo chmod g+r /dev/bpf* && sudo chgrp admin /dev/bpf* as mentioned here (or it could be something else entirely - see edit), I was able to capture traffic using wireshark.
But after reboot, it stopped working again, this time, even after I did the above or sudo chgrp access_bpf /dev/bpf* && sudo chmod g+rw /dev/bpf*, sudo tcpdump -i en0 is showing
tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)
and wireshark is back to not working as well (I reran the ChmodBPF package)
You don't have permission to capture on local interfaces.
You can fix this by installing ChmodBPF.
and also, the access_bpf group is not showing up in System Preferences (didn't look yesterday).
ls -l /dev/bpf0 prints (after I did sudo chgrp access_bpf /dev/bpf*)
crw-rw---- 1 root access_bpf 23, 0 Feb 8 08:50 /dev/bpf0
and sudo launchctl list | egrep ChmodBPF prints
- 0 org.wireshark.ChmodBPF
as suggested here.
So does anyone know how to fix this?
BTW, wireshark can't monitor any of the interfaces, not just eth0, nor is this related to the Wi-Fi adapter.
[edit] So it seems that wireshark (and sudo tcpdump -i en0) will only work when I connect to an OpenVPN VPN connection (using the NordVPN IKE app, in my case).
macOS version?

macOS 10.15.7

Now that it's working, does the access_bpf group show up in System Preferences > Users and Groups?

I didn't check when it's working, but after waking the computer up from sleep, wireshark has lost the permission to capture, and I didn't see the access_bpf group in System Preferences.

What does the command dscl . -read /Groups/access_bpf print?