Revision history [back]

Yesterday was the first time in a long time wireshark worked on macOS for me (after I unloaded and disabled org.wireshark.ChmodBPF using launchctl, or possibly because I stop using account w/ admin privilege). While I'm not really sure why it worked, after I tried sudo chmod g+r /dev/bpf* && sudo chgrp admin /dev/bpf* as mentioned here (or it could be something else entirely), I was able to capture traffic using wireshark.

But after reboot, it stopped working again, this time, even after I did the above or sudo chgrp access_bpf /dev/bpf* && sudo chmod g+rw /dev/bpf*, sudo tcpdump -i en0 is showing

tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

and wireshark is back to not working as well (I reran the ChmodBPF package)

You don't have permission to capture on local interfaces.
You can fix this by installing ChmodBPF.

and also, access_bpf group is not showing up in System Perfenences (didn't look yeasterday).

​

ls -l /dev/bpf0 print (after I did sudo chgrp access_bpf /dev/bpf*)

crw-rw---- 1 root access_bpf  23,  0 Feb 8 08:50 /dev/bpf0

and sudo launchctl list | egrep ChmodBPF print

- 0 org.wireshark.ChmodBPF

as suggested here.

​

So does anyone know how to fix this?

BTW, wireshark can't monitor any of the interfaces, not just eth0, nor is this related to the Wi-Fi adapter.

Yesterday was the first time in a long time wireshark worked on macOS for me (after I unloaded and disabled org.wireshark.ChmodBPF using launchctl, or possibly because I stop using account w/ admin privilege). While I'm not really sure why it worked, after I tried sudo chmod g+r /dev/bpf* && sudo chgrp admin /dev/bpf* as mentioned here (or it could be something else entirely), I was able to capture traffic using wireshark.

But after reboot, it stopped working again, this time, even after I did the above or sudo chgrp access_bpf /dev/bpf* && sudo chmod g+rw /dev/bpf*, sudo tcpdump -i en0 is showing

tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

and wireshark is back to not working as well (I reran the ChmodBPF package)

You don't have permission to capture on local interfaces.
You can fix this by installing ChmodBPF.

and also, access_bpf group is not showing up in System Perfenences (didn't look yeasterday).

​

ls -l /dev/bpf0 print (after I did sudo chgrp access_bpf /dev/bpf*)

crw-rw---- 1 root access_bpf  23,  0 Feb 8 08:50 /dev/bpf0

and sudo launchctl list | egrep ChmodBPF print

- 0 org.wireshark.ChmodBPF

as suggested here.

​

So does anyone know how to fix this?

BTW, wireshark can't monitor any of the interfaces, not just eth0, nor is this related to the Wi-Fi adapter.

Yesterday was the first time in a long time wireshark worked on macOS for me (after I unloaded and disabled org.wireshark.ChmodBPF using launchctl, or possibly because I stop using account w/ admin privilege). While I'm not really sure why it worked, after I tried sudo chmod g+r /dev/bpf* && sudo chgrp admin /dev/bpf* as mentioned here (or it could be something else entirely), I was able to capture traffic using wireshark.

But after reboot, it stopped working again, this time, even after I did the above or sudo chgrp access_bpf /dev/bpf* && sudo chmod g+rw /dev/bpf*, sudo tcpdump -i en0 is showing

tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

and wireshark is back to not working as well (I reran the ChmodBPF package)

You don't have permission to capture on local interfaces.
You can fix this by installing ChmodBPF.

and also, access_bpf group is not showing up in System Perfenences (didn't look yeasterday).

​

ls -l /dev/bpf0 print (after I did sudo chgrp access_bpf /dev/bpf*)

crw-rw---- 1 root access_bpf  23,  0 Feb 8 08:50 /dev/bpf0

and sudo launchctl list | egrep ChmodBPF print

- 0 org.wireshark.ChmodBPF

as suggested here.

​

So does anyone know how to fix this?

BTW, wireshark can't monitor any of the interfaces, not just eth0, nor is this related to the Wi-Fi adapter.

[edit] So after few hours doing something else on that computer, I reopened wireshark, and now, everything works again, what's going on?

The only change I made is I switched from using Proxifer to proxy my network traffic to VPN (using the NordVPN IKE app), so is Proxifier doing something funny? But if it does, it still doesn't explain why it works sometimes (I don't think I have Proxifier opened by then).

Yesterday was the first time in a long time wireshark worked on macOS for me (after I unloaded and disabled org.wireshark.ChmodBPF using launchctl, or possibly because I stop using account w/ admin privilege). While I'm not really sure why it worked, after I tried sudo chmod g+r /dev/bpf* && sudo chgrp admin /dev/bpf* as mentioned here (or it could be something else entirely), entirely - see edit), I was able to capture traffic using wireshark.

But after reboot, it stopped working again, this time, even after I did the above or sudo chgrp access_bpf /dev/bpf* && sudo chmod g+rw /dev/bpf*, sudo tcpdump -i en0 is showing

tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

and wireshark is back to not working as well (I reran the ChmodBPF package)

You don't have permission to capture on local interfaces.
You can fix this by installing ChmodBPF.

and also, access_bpf group is not showing up in System Perfenences (didn't look yeasterday).

​

ls -l /dev/bpf0 print (after I did sudo chgrp access_bpf /dev/bpf*)

crw-rw---- 1 root access_bpf  23,  0 Feb 8 08:50 /dev/bpf0

and sudo launchctl list | egrep ChmodBPF print

- 0 org.wireshark.ChmodBPF

as suggested here.

​

So does anyone know how to fix this?

BTW, wireshark can't monitor any of the interfaces, not just eth0, nor is this related to the Wi-Fi adapter.

[edit] So after few hours doing something else on it seems that computer, I reopened wireshark, and now, everything works again, what's going on?

The wireshark (and sudo tcpdump -i en0) will only change I made is I switched from using Proxifer to proxy my network traffic to work when I connect to an OpenVPN VPN connection (using the NordVPN IKE app), so is Proxifier doing something funny? But if it does, it still doesn't explain why it works sometimes (I don't think I have Proxifier opened by then).

[edit 2] Wireshark lost permission to capture any local interfaces after waking the computer from sleep after few hours. No log out or restart.app, in my case).

Yesterday was the first time in a long time wireshark worked on macOS for me (after I unloaded and disabled org.wireshark.ChmodBPF using launchctl, or possibly because I stop using account w/ admin privilege). While I'm not really sure why it worked, after I tried sudo chmod g+r /dev/bpf* && sudo chgrp admin /dev/bpf* as mentioned here (or it could be something else entirely - see edit), I was able to capture traffic using wireshark.

But after reboot, it stopped working again, this time, even after I did the above or sudo chgrp access_bpf /dev/bpf* && sudo chmod g+rw /dev/bpf*, sudo tcpdump -i en0 is showing

tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

and wireshark is back to not working as well (I reran the ChmodBPF package)

You don't have permission to capture on local interfaces.
You can fix this by installing ChmodBPF.

and also, access_bpf group is not showing up in System Perfenences (didn't look yeasterday).

​

ls -l /dev/bpf0 print (after I did sudo chgrp access_bpf /dev/bpf*)

crw-rw---- 1 root access_bpf  23,  0 Feb 8 08:50 /dev/bpf0

and sudo launchctl list | egrep ChmodBPF print

- 0 org.wireshark.ChmodBPF

as suggested here.

​

So does anyone know how to fix this?

BTW, wireshark can't monitor any of the interfaces, not just eth0, nor is this related to the Wi-Fi adapter.

[edit] So it seems that wireshark (and sudo tcpdump -i en0) will only work when I connect to an OpenVPN VPN connection (using the NordVPN IKE app, in my case).

Yesterday was the first time in a long time wireshark worked on macOS for me (after I unloaded and disabled org.wireshark.ChmodBPF using launchctl, or possibly because I stop using account w/ admin privilege). While I'm not really sure why it worked, after I tried sudo chmod g+r /dev/bpf* && sudo chgrp admin /dev/bpf* as mentioned here (or it could be something else entirely - see edit), I was able to capture traffic using wireshark.

But after reboot, it stopped working again, this time, even after I did the above or sudo chgrp access_bpf /dev/bpf* && sudo chmod g+rw /dev/bpf*, sudo tcpdump -i en0 is showing

tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

and wireshark is back to not working as well (I reran the ChmodBPF package)

You don't have permission to capture on local interfaces.
You can fix this by installing ChmodBPF.

and also, access_bpf group is not showing up in System Perfenences (didn't look yeasterday).

​

ls -l /dev/bpf0 print (after I did sudo chgrp access_bpf /dev/bpf*)

crw-rw---- 1 root access_bpf  23,  0 Feb 8 08:50 /dev/bpf0

and sudo launchctl list | egrep ChmodBPF print

- 0 org.wireshark.ChmodBPF

as suggested here.

​

So does anyone know how to fix this?

BTW, wireshark can't monitor any of the interfaces, not just eth0, nor is this related to the Wi-Fi adapter.

[edit] So it seems that wireshark (and sudo tcpdump -i en0) will only work when I connect to an OpenVPN VPN connection (using the NordVPN IKE app, in my case).