
Catalina 10.15.4 and Wireshark


After the Catalina upgrade, Wireshark stops working or stops capturing ... what's the fix?

Nolliwira
asked 2020-05-08 00:46:23 +0000

Comments

"Catalina upgrade" meaning "upgrade from an earlier release of Catalina to 10.15.4", or "upgrade from a pre-Catalina release of macOS to Catalina"?

On what device are you trying to capture? If it's a Wi-Fi device, are you trying to capture in monitor mode? If so, what model of Mac do you have?

Guy Harris (2020-05-08 04:04:25 +0000)

Yes, I had upgraded Catalina from an earlier release where Wireshark was working great. The device is a Mac Mini with Wi-Fi, but it is never used. I capture on the Ethernet port, with a Mikrotik providing the sniffer tool and feed. It worked great until the Catalina upgrade; I was waiting on some 2TB USB3 flash drives to arrive ... the drives arrived a day before the upgrade. I also get the permission error another member mentioned.

Nolliwira (2020-05-09 06:45:01 +0000)

What do the commands ls -l /dev/bpf* and id print?

Guy Harris (2020-05-09 06:58:24 +0000)

1 Answer


The device is a Mac Mini with WIFI but never used. I capture on the Ethernet port

Try turning on Wi-Fi, and then the wired capture devices may become available. My new MacBook Pro does not behave this way, but my upgraded MacBook Airs do need this.

Bob Jones
answered 2020-05-09 16:02:22 +0000

Comments

That's messed up. Apple doesn't seem to have any A team members working on packet capture any more.

Please see if that can be reproduced with tcpdump (use the -i flag to capture on specific devices) and then file a report on it with Feedback Assistant or the Feedback Assistant Web site.

Guy Harris (2020-05-09 23:03:08 +0000)

Not Apple's fault ... Wireshark is aware of it and should/must fix it.

Nolliwira (2020-05-13 13:57:57 +0000)

Not Apple's fault

Pro tip: submit evidence when you make claims

Some commands from a MacBook Air, after upgrading. Turn off Wi-Fi from the menu:

bobkj@bobkjs-MacBook-Air % ifconfig en0
en0: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
        options=400<CHANNEL_IO>
        ether 8c:29:37:e8:5f:7c
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect (<unknown type>)
        status: inactive

bobkj@bobkjs-MacBook-Air % tcpdump -D
tcpdump: SIOCGIFMEDIA on llw0 failed: Device power is off

Turn Wi-Fi on:

bobkj@bobkjs-MacBook-Air % ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=400<CHANNEL_IO>
        ether 8c:29:37:e8:5f:7c
        inet6 fe80::3a:ee49:e8df:f369%en0 prefixlen 64 secured scopeid 0x4
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect
        status: active
bobkj@bobkjs-MacBook-Air % tcpdump -D
1.en0 [Up, Running]
2.p2p0 [Up, Running]
3.awdl0 [Up, Running]
4.llw0 [Up, Running]
5.utun0 [Up, Running]
6.utun1 [Up, Running]
7.utun2 [Up, Running]
8 ...
Bob Jones (2020-05-14 19:58:36 +0000)

OK, that mess was the result of Apple being weird. The master branch of libpcap fixes this, and I passed that fix on to Apple via Feedback Assistant.

In any case, the reader will note that Bob Jones' test did not involve Wireshark at all, so it is clearly not anything to do with Wireshark; about the only way it could be fixed in the Wireshark release would be to build with libpcap from the master branch rather than with the libpcap that comes with macOS, which would introduce its own risks (that's not a release, it's "whatever somebody last checked in"), so I wouldn't recommend it (and I'm probably the "somebody" in "whatever somebody last checked in" :-)). So the Wireshark developers are "aware" of it in the sense that they're aware that it's broken in macOS, but aren't in much of ...

Guy Harris (2020-05-14 20:10:51 +0000)
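The thread above describes two separate reasons captures stop after a macOS update: the capturing user losing read/write access to /dev/bpf* (the "permission error" Guy Harris asks about with ls -l /dev/bpf* and id), and interface enumeration aborting with "SIOCGIFMEDIA on llw0 failed: Device power is off" when Wi-Fi is switched off, which Bob Jones reproduced with tcpdump -D. The script below is an added example, not code from Wireshark, libpcap or any poster in this thread. It packages both checks: one function decides which of the two conditions a tcpdump -D run hit, one checks BPF device access for the current user, and run_diagnostics strings them together on a Mac, applying the Wi-Fi-on workaround from the answer via networksetup. Assumptions: the two embedded tcpdump -D samples are constructed from the output posted above; the access_bpf group is the one Wireshark's ChmodBPF installer package sets as group owner of /dev/bpf*; WIFI_DEV defaults to en0 (the Wi-Fi port on the MacBook Air above) and must be set to the right port on other Macs, e.g. a Mac Mini whose en0 is Ethernet.

```shell
#!/bin/sh
# Diagnostic for "Wireshark/tcpdump stopped capturing after a macOS update".
# Added example, not from the Wireshark or libpcap projects.

# Constructed samples of `tcpdump -D` output, based on the output posted above.
SAMPLE_WIFI_OFF='tcpdump: SIOCGIFMEDIA on llw0 failed: Device power is off'
SAMPLE_WIFI_ON='1.en0 [Up, Running]
2.p2p0 [Up, Running]
3.awdl0 [Up, Running]
4.llw0 [Up, Running]
5.utun0 [Up, Running]'

# classify_findalldevs OUTPUT
# Interprets the text printed by `tcpdump -D` (libpcap's pcap_findalldevs()).
# Prints one line and returns:
#   "powered-off <ifname>" / 1 : enumeration aborted on a powered-off interface
#                                (the macOS 10.15.4 symptom shown above)
#   "ok <count>"          / 0 : <count> interfaces were listed
#   "empty"               / 2 : nothing listed and no recognised error
classify_findalldevs() {
    out=$1
    iface=$(printf '%s\n' "$out" \
        | sed -n 's/.*SIOCGIFMEDIA on \([a-z0-9]*\) failed: Device power is off.*/\1/p' \
        | head -n 1)
    if [ -n "$iface" ]; then
        printf 'powered-off %s\n' "$iface"
        return 1
    fi
    # Interface lines look like "1.en0 [Up, Running]"; grep -c prints 0 (and exits 1)
    # when nothing matches, hence the "|| true".
    count=$(printf '%s\n' "$out" | grep -c '^[0-9][0-9]*\.' || true)
    if [ "$count" -gt 0 ]; then
        printf 'ok %s\n' "$count"
        return 0
    fi
    printf 'empty\n'
    return 2
}

# check_bpf_access
# Wireshark and tcpdump open /dev/bpfN directly, so the capturing user needs
# read and write permission on every node (Wireshark's ChmodBPF package does
# this via the access_bpf group; an OS update can undo it). Prints and returns:
#   "no-bpf-devices"  / 2 : no /dev/bpf* nodes (not macOS/BSD)
#   "readable <n>/<m>"/ 0 if n == m, else 1
check_bpf_access() {
    set -- /dev/bpf*
    if [ ! -e "$1" ]; then
        printf 'no-bpf-devices\n'
        return 2
    fi
    total=0
    ok=0
    for dev in "$@"; do
        total=$((total + 1))
        if [ -r "$dev" ] && [ -w "$dev" ]; then
            ok=$((ok + 1))
        fi
    done
    printf 'readable %s/%s\n' "$ok" "$total"
    [ "$ok" -eq "$total" ]
}

# run_diagnostics
# On the affected Mac: show who we are and the BPF permissions, then see whether
# enumeration dies on a powered-off interface; if so, power Wi-Fi on (the
# workaround from the answer above) and enumerate again.
run_diagnostics() {
    WIFI_DEV=${WIFI_DEV:-en0}   # assumption: Wi-Fi port; check networksetup -listallhardwareports
    id
    ls -l /dev/bpf* 2>/dev/null || true
    check_bpf_access \
        || echo "fix: add $(id -un) to the access_bpf group, or reinstall ChmodBPF from the Wireshark package"
    out=$(tcpdump -D 2>&1 || true)
    verdict=$(classify_findalldevs "$out" || true)
    case "$verdict" in
        powered-off\ *)
            echo "enumeration stopped at powered-off interface ${verdict#powered-off }; powering Wi-Fi on"
            networksetup -setairportpower "$WIFI_DEV" on
            tcpdump -D
            ;;
        *)
            printf '%s\n' "$out"
            ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    run_diagnostics
fi
```

Run it as `sh diag.sh --run` on the Mac (with `WIFI_DEV=en1` or whatever `networksetup -listallhardwareports` reports for Wi-Fi on that model). The point of separating classify_findalldevs from the live run is that the failure is libpcap's, not Wireshark's: if tcpdump -D already prints the "Device power is off" line, Wireshark's interface list will be empty for the same reason, and toggling Wi-Fi, not reinstalling Wireshark, is the workaround until the libpcap fix reaches macOS.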
