No Interfaces Available In Wireshark Mac OS X

Many new Wireshark users on Mac OS X run into an issue where no interfaces show up when trying to begin packet capture. If you attempt to manually input an interface (such as en0) this error will occur:

The capture session could not be initiated ((no devices found) /dev/bpf0: Permission denied).

To have the interfaces show up properly you’ll need to widen the permissions on the Berkeley Packet Filter (BPF) devices. By default they look like this:

crw-------  1 root  wheel   23,   0 Jan 31 13:47 /dev/bpf0

We need the BPF devices to be readable by non-root users (mode 644 makes them readable by every local account on the machine, not just yours), so open Terminal.app and run this command:

sudo chmod 644 /dev/bpf*

Unfortunately the permissions reset every time you reboot, but if you are a frequent user of Wireshark you can add the ChmodBPF StartupItem to set them automatically (available in the Utilities folder on the Wireshark disk image). To install it you’ll need to follow two steps.

First, drag the ChmodBPF folder to the StartupItems alias in the same folder (or drag it to /Library/StartupItems directly). Type your password to authenticate and move the folder into the correct location.

The second requirement is only for 10.6+ users. Starting with Snow Leopard the security permissions of StartupItems are being enforced. Scripts that do not have the proper owner and group will receive this error:

Insecure Startup Item disabled. – “/Library/StartupItems/ChmodBPF” has not been started because it does not have the proper security settings

The proper security settings are ownership of the scripts by root and group of wheel.[1] To set them:

sudo chown -R root:wheel /Library/StartupItems/ChmodBPF

[1] The correct settings for startup items can be found in this Apple KB article
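
A quick way to check the result of the steps above, as an added example that is not part of the original post: this script reports who can open each /dev/bpf* device and whether everything under /Library/StartupItems/ChmodBPF is owned by root:wheel. The function names are hypothetical, the BSD stat format strings are macOS-specific, and rejecting group- or other-writable files is an extra check assumed here rather than stated in the post.

```shell
#!/bin/sh
# Added example: audit BPF device and ChmodBPF StartupItem permissions.

# bpf_access MODE: classify an octal mode such as 600 or 644.
bpf_access() {
    case $1 in
        *[4567])  echo "world-readable" ;;  # e.g. after chmod 644: any local account can capture
        *[4567]?) echo "group-readable" ;;
        *)        echo "owner-only" ;;      # the default crw------- (only root can capture)
    esac
}

# startup_item_ok OWNER GROUP MODE: succeed only for root:wheel.
# Refusing group/other-writable modes is an extra check assumed here.
startup_item_ok() {
    [ "$1" = root ] && [ "$2" = wheel ] || return 1
    case $3 in
        *[2367]|*[2367]?) return 1 ;;
    esac
    return 0
}

# audit: macOS only; BSD stat(1) formats: %Su owner, %Sg group, %Lp octal mode.
audit() {
    for dev in /dev/bpf*; do
        [ -e "$dev" ] || continue
        echo "$dev: $(bpf_access "$(stat -f '%Lp' "$dev")")"
    done
    item=/Library/StartupItems/ChmodBPF
    [ -d "$item" ] || { echo "$item: not installed"; return 0; }
    find "$item" -print | while IFS= read -r f; do
        # Unquoted on purpose: split "owner group mode" into three arguments.
        if startup_item_ok $(stat -f '%Su %Sg %Lp' "$f"); then
            echo "$f: ok"
        else
            echo "$f: fails the root:wheel check"
        fi
    done
}

# Run the audit only where the BPF device nodes and BSD stat exist.
if [ "$(uname -s)" = Darwin ]; then
    audit
fi
```

Run it once after the chmod and again after a reboot to confirm the StartupItem is reapplying the permissions.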

13 Comments.

  1. I had tried so many things before landing on your suggestion above.
    IT WORKS !!!!
    Thanks.

  2. thanx very much!!!!

  3. Will ChmodBPF is come from ?please!

  4. Thank you very much works !

  5. Thanks for publishing this – this worked for me

  6. Thank you so muchhh!!!!!!

  7. Great write-up! Now I don’t need to chown every time I run Wireshark!

  8. Great write-up! Now I don’t need to chown the bpf* every time I need to run Wireshark!

  9. Miguel Gonzalez

    Thank you, Paul. My macbook is a leftover from the wife and can’t say I’m proficient but reading your instructions fixed the error message and got wireshark running.

  10. Thank you.
    I tried many things, but this did really help me.

  11. thanks this worked fine for me as well

  12. hi
    how i can read the packets in real letters?
    thanx

  13. thanks…its worked perfect
