
updated catalina no interfaces found


Updated today to Catalina 10.15.2. Launched Wireshark 3.0.7 and no en0 or en1 interfaces shown and no apparent way to add them. Downloaded and installed Version 3.2.0rc1 (v3.2.0rc1-0-g84fad90e808b) with no change. Anyone with any ideas? Thanks much!

dunne_with_it
asked 2019-12-11 15:47:12 +0000

Comments

What does "ls -l /dev/bpf*" print?

Guy Harris (2019-12-11 18:33:44 +0000)

What does "tcpdump -D" print?

Stig (2019-12-11 19:18:52 +0000)

For the bpf* directory search, I get /dev/bpf0 thru /bpf255

For the "tcpdump -D", I get: tcpdump: SIOCGIFMEDIA on llw0 failed: Device power is off

dunne_with_it (2019-12-11 20:04:39 +0000)

For the bpf* directory search, I get /dev/bpf0 thru /bpf255

But did all the devices have permissions "rw-rw----", and are they all owned by the "access_bpf" group? If not, that would mean that no interfaces would be shown, not even "lo0".

And did it show "lo0" as an interface, even though it didn't show "en0" or "en1"?

Guy Harris (2019-12-12 08:14:28 +0000)

To answer your question, this is what they all show:

crw-rw----  1 root            access_bpf      23,  15 Dec 12 07:12 bpf15

That being said, it seems Stig had the answer. Thank you for your interest, tho. Much appreciated.

dunne_with_it (2019-12-12 13:44:57 +0000)

2 Answers


This appears to be a libpcap issue, not a Wireshark issue, given that, in this question, somebody found that Apple's tcpdump, linked with Apple's libpcap, reported "tcpdump: SIOCGIFMEDIA on llw0 failed: Device power is off" for a tcpdump -D command.

tcpdump -D and Wireshark's interface list use the same libpcap routine, and that code, at least in the tcpdump.org version of libpcap, will, on macOS, do an SIOCGIFMEDIA on all devices it finds, and give up if it gets an error other than a small set of errors.

That set currently doesn't include EPWROFF ("Device power is off"), so that will cause an attempt to find all devices to fail with that error if that's what device llw0 reports.

I've just checked in a change to tcpdump.org's libpcap to treat EPWROFF as meaning "I don't know if this device is connected" rather than as an error; I have also reported an error to Apple, telling them to pick up that change, as I assume they picked up that code from the tcpdump.org libpcap (they haven't open-sourced their libpcap in a while, so I don't know that for certain). I included a patch for the change made to tcpdump.org's libpcap; if they pick it up for a future Catalina release, that should fix the problem.

It appears, from opensource.apple.com, that 10.15 shipped with libpcap 1.8.1, which did not have the SIOCGIFMEDIA code; 10.15.3 apparently (based on the output of tcpdump --version) ships with libpcap 1.9.1, which does have the problem. That's why updating to 10.15.2 or 10.15.3 causes the problem to show up.

In any case, it appears that turning the Wi-Fi off can sometimes produce this; it did not do so when I tried it on my MacBook Pro running 10.15.3.

Guy Harris
answered 2020-02-19 03:42:10 +0000, updated 2020-02-19 04:32:31 +0000
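
The failure mode described in the answer above, as an added example that is not part of the answer and is not libpcap's code: a simulated interface walk in which one device's SIOCGIFMEDIA error abandons the whole listing, next to the tolerant handling. The device table is constructed, every function and enum name is hypothetical, and the tolerated errno set is an assumption, since the answer does not list it.

```c
#include <errno.h>
#include <stdio.h>
#ifndef EPWROFF
#define EPWROFF 82 /* macOS errno, "Device power is off"; defined so this builds elsewhere */
#endif

/* Constructed sample: the errno a simulated SIOCGIFMEDIA returns per device (0 = success). */
struct sim_dev { const char *name; int media_errno; };
static const struct sim_dev SAMPLE_DEVS[] = {
    { "lo0", EOPNOTSUPP }, { "en0", 0 }, { "en1", 0 },
    { "llw0", EPWROFF }, /* the device named in the reported tcpdump -D error */
};
#define SAMPLE_COUNT (sizeof SAMPLE_DEVS / sizeof SAMPLE_DEVS[0])
enum media_status { MEDIA_OK, MEDIA_NOT_APPLICABLE, MEDIA_UNKNOWN, MEDIA_FATAL };

/* Hypothetical classifier: tolerant = 0 is the behaviour the answer describes, 1 is the fix. */
static enum media_status classify_media_errno(int err, int tolerant)
{
    if (err == 0)
        return MEDIA_OK;
    /* Assumed "query not supported" set; the answer does not list the real one. */
    if (err == EOPNOTSUPP || err == EINVAL || err == ENOTTY ||
        err == ENODEV || err == ENXIO)
        return MEDIA_NOT_APPLICABLE;
    if (err == EPWROFF && tolerant)
        return MEDIA_UNKNOWN; /* "don't know if connected", not an error */
    return MEDIA_FATAL;
}

/* Returns devices listed, or -1 if a fatal error abandons the walk (*culprit = device name). */
static int enumerate(const struct sim_dev *devs, size_t n, int tolerant, const char **culprit)
{
    *culprit = NULL;
    for (size_t i = 0; i < n; i++)
        if (classify_media_errno(devs[i].media_errno, tolerant) == MEDIA_FATAL) {
            *culprit = devs[i].name;
            return -1;
        }
    return (int)n;
}

int main(void)
{
    const char *culprit;
    for (int tolerant = 0; tolerant <= 1; tolerant++) {
        int n = enumerate(SAMPLE_DEVS, SAMPLE_COUNT, tolerant, &culprit);
        printf("tolerant=%d listed=%d stopped_at=%s\n", tolerant, n, culprit ? culprit : "-");
    }
    return 0;
}
```

With `tolerant = 0` the walk stops at llw0 and nothing is listed, which matches an empty interface list; with `tolerant = 1` all four sample devices are listed.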


This looks like a bug in Catalina 10.15.2 when you have Wi-Fi turned off. Try turning Wi-Fi on and start Wireshark again.

Stig
answered 2019-12-12 07:27:53 +0000

Comments

Any idea what device "llw0" is? This suggests from "id=511 level=255 0x100=MAGICWAKE mod=11/07/2019 21:51 description=llw0 owner=IOSkywalkNetworkBSDClient" that it's part of the Skywalk subsystem, for which Apple has added a libpcap module in their version of libpcap.

Guy Harris (2019-12-12 09:54:06 +0000)

Wow! Yes, it's a bug. I normally don't use Wi-Fi. Turning it on and relaunching Wireshark -- it all works and all the interfaces show up. Go figure!

Thanks so much for revealing this weirdness! Now, back to dealing with mDNS floods. Gotta love Bonjour.

dunne_with_it (2019-12-12 13:30:18 +0000)

Oh, wish I had seen this before... BTW, there is another fix that does not involve Wi-Fi, using terminal to launch wireshark accept -i en4 (replace en4 with whatever interface your USB or Ethernet is). If you don't know the interface ID, you can run networksetup -listallhardwareports.

mblend27 (2019-12-20 10:12:57 +0000)

Has anyone logged this bug? I can't see it on the Wireshark bug database.

codecowboy (2020-01-08 07:33:16 +0000)

Good catch!

Bob Clary (2020-01-17 18:03:06 +0000)