
ChmodBPF "Permission denied" on MacOS 10.15.4 Catalina

Wireshark 3.2.3 reports instead that I should "install ChmodBPF to fix this" but that doesn't work and is already installed. The executable gives up after 255 tries with:

/Library/Application\ Support/Wireshark/ChmodBPF/ChmodBPF ; exit;
/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: line 35: /dev/bpf0: Permission denied

Then another 255 tries to:

chgrp: /dev/bpf0: Operation not permitted

JD50Garvin
asked 2020-05-08 23:41:48 +0000

Comments

ChmodBPF must be run as root - and launchd should run it, as root, as a startup-time job, and the Wireshark install script should also run it as root, so you shouldn't need to run it.

What does ls -l /dev/bpf0 print? If it prints something such as

crw-rw----  1 root  access_bpf   23,   0 May  5 13:49 /dev/bpf0

then it did run and should already have set up your machine to allow everybody in the access_bpf group to capture traffic.

If it doesn't print that, what does

sudo launchctl list | egrep ChmodBPF

print?

Guy Harris (2020-05-09 01:55:12 +0000)

Thanks for the hint! Listing /dev/bpf0 yields "no such file or directory." and egrep yields "- 0 org.wireshark.ChmodBPF" and I don't see /dev/bpf0 anywhere on the system, hidden or otherwise. I'm assuming the installer script cannot create /dev/bpf0?

JD50Garvin (2020-05-09 02:11:14 +0000)

I'm assuming the installer script cannot create /dev/bpf0?

Sort of. The BPF devices are supposed to be created "on demand" by attempts to open them, and the script tries to create a lot of them and give them the right permissions and ownership.

What happens if you run the command sudo tcpdump -i en0? It should print

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes

If it does, type control-C; at that point, there should at least be a /dev/bpf0 device.

Guy Harris (2020-05-09 06:51:04 +0000)

That does give the result you show there, but Wireshark still isn't finding it where it expects to find it or doesn't have permission to use it. (?)

JD50Garvin (2020-05-09 12:11:35 +0000)

I also get the permission issue and installing the ChmodBPF had gotten rid of the permission issue; however, it did not resolve the Wireshark not starting up after upgrading to MacOS 10.15.4. I believe the Wireshark folks are aware of the issue as I had seen a reference on their blog on April 24th regarding the fix and that it was easy; however, I cannot find the blog post on blog.wireshark.org when I looked yesterday May 8th.

Nolliwira (2020-05-09 14:32:19 +0000)

1 Answer


I found I can enable Wireshark in Catalina (10.15.4) by entering the following commands in the Terminal app:

sudo chmod g+r /dev/bpf*

sudo chgrp admin /dev/bpf*

This information was provided indirectly while researching an open source Swift project called "Etherdump" at http://networkmom.net/etherdump/

JD50Garvin
answered 2020-05-09 20:35:31 +0000

Comments

Other than "access_bpf" rather than "admin", and "g+rw" rather than "g+r", that's what ChmodBPF does if run as root.

So it is not at all clear what's going on here; others have not seen this problem, so it's not a general problem with Catalina.

Guy Harris (2020-05-09 22:59:34 +0000)

I agree the installer should have worked. Perhaps there are extra hardware controls on root access from downloaded programs in the newer 16" MacBook Pro. I'll have to do some more reading!

JD50Garvin (2020-05-10 01:45:51 +0000)

Perhaps there are extra hardware controls on root access from downloaded programs in the newer 16" MacBook Pro.

I have not seen any of these problems on my newer 16" MacBook Pro, so that's unlikely to be the answer.

What does the command id print? Does it report you as being a member of group access_bpf?

Guy Harris (2020-05-10 04:06:09 +0000)

I have the exact same issue on Mac OS Ventura 13.1. I've installed ChmodBPF to no avail, I still cannot access any interfaces with Wireshark. I'm running version 4.0.3. I've already checked and I am part of access_bpf.

Any ideas how I could solve this?

quas (2023-01-30 14:31:43 +0000)
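
The two checks asked for in the comments above (`ls -l /dev/bpf0` and `id`), combined into one script. This is an added example, not part of the thread and not Wireshark's ChmodBPF; the function names and verdict strings are made up here, and the expected state (root, access_bpf, crw-rw----) is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: compares BPF device nodes with the state the thread gives for
# a successful ChmodBPF run (crw-rw---- root access_bpf).
EXPECTED_GROUP=access_bpf

# classify_bpf_line "<one line of ls -l output>" prints one verdict:
# ok | not-a-device | world-accessible:<mode> | wrong-owner:<o> |
# wrong-group:<g> | no-group-rw:<mode>
classify_bpf_line() {
    set -f; set -- $1; set +f            # word-split without globbing
    [ $# -ge 4 ] || { echo not-a-device; return 0; }
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing '@' or '+' flag
    case $mode in c?????????) ;; *) echo not-a-device; return 0 ;; esac
    case $mode in *---) ;; *) echo "world-accessible:$mode"; return 0 ;; esac
    [ "$3" = root ] || { echo "wrong-owner:$3"; return 0; }
    [ "$4" = "$EXPECTED_GROUP" ] || { echo "wrong-group:$4"; return 0; }
    case $mode in c???rw????) echo ok ;; *) echo "no-group-rw:$mode" ;; esac
}

# in_group "<output of id -Gn>" <group>: status 0 if the group is listed
in_group() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Audit the machine this runs on.
audit_live() {
    found=0
    for dev in /dev/bpf*; do
        [ -e "$dev" ] || continue
        found=1
        printf '%s: %s\n' "$dev" "$(classify_bpf_line "$(ls -l "$dev")")"
    done
    [ "$found" -eq 1 ] || echo "no /dev/bpf* nodes present (created on first open)"
    if in_group "$(id -Gn)" "$EXPECTED_GROUP"; then
        echo "current user is in $EXPECTED_GROUP"
    else
        echo "current user is not in $EXPECTED_GROUP"
    fi
}

# The line quoted in the thread, then a constructed line for what the answer's
# chmod g+r / chgrp admin would leave if the node started as crw------- root.
classify_bpf_line 'crw-rw----  1 root  access_bpf   23,   0 May  5 13:49 /dev/bpf0'
classify_bpf_line 'crw-r-----  1 root  admin        23,   0 May  9 20:35 /dev/bpf0'
audit_live
```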
