BPF permission denied when not connected to an OpenVPN connection

asked 2021-02-07 20:16:56 +0000

two86

updated 2021-02-10 00:05:45 +0000

Yesterday was the first time in a long time wireshark worked on macOS for me (after I unloaded and disabled org.wireshark.ChmodBPF using launchctl, or possibly because I stopped using an account w/ admin privilege). While I'm not really sure why it worked, after I tried sudo chmod g+r /dev/bpf* && sudo chgrp admin /dev/bpf* as mentioned here (or it could be something else entirely - see edit), I was able to capture traffic using wireshark.

But after a reboot it stopped working again; this time, even after I did the above or sudo chgrp access_bpf /dev/bpf* && sudo chmod g+rw /dev/bpf*, sudo tcpdump -i en0 shows

tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

and wireshark is back to not working as well (I reran the ChmodBPF package)

You don't have permission to capture on local interfaces.
You can fix this by installing ChmodBPF.

and also, the access_bpf group is not showing up in System Preferences (I didn't look yesterday).

ls -l /dev/bpf0 prints (after I did sudo chgrp access_bpf /dev/bpf*)

crw-rw---- 1 root access_bpf  23,  0 Feb 8 08:50 /dev/bpf0

and sudo launchctl list | egrep ChmodBPF prints

- 0 org.wireshark.ChmodBPF

as suggested here.

So does anyone know how to fix this?

BTW, wireshark can't monitor any of the interfaces, not just eth0, nor is this related to the Wi-Fi adapter.

[edit] So it seems that wireshark (and sudo tcpdump -i en0) will only work when I connect to an OpenVPN VPN connection (using the NordVPN IKE app, in my case).


Comments

macOS version?

grahamb ( 2021-02-07 20:24:03 +0000 )

macOS 10.15.7

two86 ( 2021-02-07 23:13:27 +0000 )

Now that it's working, does the access_bpf group show up in System Preferences > Users and Groups?

Guy Harris ( 2021-02-08 01:14:14 +0000 )

I didn't check while it was working, but after waking the computer up from sleep, wireshark has lost the permission to capture, and I didn't see the access_bpf group in System Preferences.

two86 ( 2021-02-08 22:33:51 +0000 )

What does the command dscl . -read /Groups/access_bpf print?

Guy Harris ( 2021-02-09 04:27:48 +0000 )

I actually found out yesterday that wireshark will only work when I'm connected to an OpenVPN VPN (not sure about other protocols), but I keep getting Service Unavailable when trying to post my comment.

dsAttrTypeNative:record_daemon_version: 6930000
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 86508194-740C-4BAD-A562-85C1F502BBE4
GroupMembers: B1BAC0D6-46F6-40CA-8B24-97F9F1B2F52B CE6DBCE6-C98C-4392-A5C4-926E57A7F400
GroupMembership: REMOVED
PrimaryGroupID: 101
RealName:
BPF device access ACL
RecordName: access_bpf
RecordType: dsRecTypeStandard:Groups
two86 ( 2021-02-09 23:54:40 +0000 )

So what happens if, when you're not connected to a VPN, you run the command

sudo dseditgroup -q -o edit -a {your user name} -t user access_bpf

where {your user name} is the user name as which you log in?

Does that clear up the problem?

Guy Harris ( 2021-02-10 05:21:11 +0000 )

Nope, the minute I close the OpenVPN connection, wireshark loses the bpf permission.

two86 ( 2021-02-10 23:50:52 +0000 )
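The checks this thread circles around (the device's mode and group as shown by ls -l, and whether the user is a member of access_bpf, which is what the dseditgroup command above adds) can be put into one diagnostic. The script below is an added example, not code from any participant or from the ChmodBPF package; bpf_access and check_live_bpf are names chosen here, and the ls -l lines in the comments are constructed to match the output quoted in the question.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. It applies the ChmodBPF model
# (device owned by root:access_bpf, mode crw-rw----, user a member of
# access_bpf) to one `ls -l /dev/bpfN` line plus the user's group list and
# prints a verdict: owner, group, other, no-group-access or not-a-member.

# bpf_access "<ls -l line>" "<groups as printed by id -Gn>" <user name>
bpf_access() {
    groups_list=$2
    user=$3
    # word-split the ls -l line: mode links owner group major, minor date... path
    set -- $1
    mode=$1
    owner=$3
    group=$4
    grp_r=$(printf '%s' "$mode" | cut -c5)   # group read bit (5th char)
    oth_r=$(printf '%s' "$mode" | cut -c8)   # other read bit (8th char)

    if [ "$user" = "$owner" ]; then
        echo owner            # root (or whoever owns the node) always gets in
        return 0
    fi
    if [ "$oth_r" = r ]; then
        echo other            # world-readable node: every local user can capture
        return 0
    fi
    if [ "$grp_r" != r ]; then
        echo no-group-access  # ChmodBPF never ran, or a reboot recreated /dev/bpf*
        return 1
    fi
    for g in $groups_list; do
        if [ "$g" = "$group" ]; then
            echo group        # the case the ChmodBPF package is meant to set up
            return 0
        fi
    done
    echo not-a-member         # node is fine; the user is missing from its group
    return 1
}

# Live check on macOS: inspect the first BPF node for the current user.
check_live_bpf() {
    bpf_access "$(ls -l /dev/bpf0)" "$(id -Gn)" "$(id -un)"
}
```

On the machine in the question, a verdict of not-a-member points at group membership (the dseditgroup step), while no-group-access points at the ChmodBPF launchd job not having applied its chmod/chgrp after the reboot.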