Many new Wireshark users on Mac OS X run into an issue where no interfaces show up when trying to begin packet capture. If you attempt to manually input an interface (such as en0) this error will occur:

The capture session could not be initiated ((no devices found) /dev/bpf0: Permission denied).

To have the interfaces show up properly you’ll need to widen the permissions on the Berkeley packet filter (BPF). By default they look like this:

crw-------  1 root  wheel   23,   0 Jan 31 13:47 /dev/bpf0

We need the filter to be readable by non-root, so open Terminal.app and run this command:

sudo chmod 644 /dev/bpf*

Unfortunately every time you reboot this will reset, but if you are a frequent user of Wireshark you can add the ChmodBPF StartupItem to alter them automatically (available in the Utilities folder on the Wireshark disk image). To install you’ll need to follow two steps.

First, drag the ChmodBPF folder to the StartupItems alias in the same folder (or drag it to /Library/StartupItems directly). Type your password to authenticate and move the folder into the correct location.

The second requirement is only for 10.6+ users. Starting with Snow Leopard the security permissions of StartupItems are being enforced. Scripts that do not have the proper owner and group will receive this error:

Insecure Startup Item disabled. – “/Library/StartupItems/ChmodBPF” has not been started because it does not have the proper security settings

The proper security settings are ownership of the scripts by root and group of wheel.¹ To set them:

sudo chown -R root:wheel ChmodBPF