Learning Center
Plans & pricing Sign in
Sign Out



  • pg 1
									                            Running Wireshark on Mac OSX
You will need to have X11 installed as part of your OSX installation to run Wireshark on your
When downloading the Mac OSX version of Wireshark from, you will
receive a folder with the Winshark executable (placed in your /Applications directory) along
with a folder called "Utilities", which contains two folders, one called "Command Line" and the
other called "Startup." To connect Wireshark to a network NIC, you will need (for the Mac OSX
environment) to install a startup folder in the /LibraryStartupitems folder. That folder is the
folder "Startup" in the Winshark Utilities folder. I have renamed the "Startup" folder (which
contains a script file "ChmodBPF") to be "ChmodBPF" to more easily identify it in the Mac OS
/Library/Startupitems folder.
You will need to do the following
   1. The "/Library/Startupitems" folder permissions are R/W for the "system" (i.e., the root).
      You will need to change permissions in this folder to add the (renamed) ChmodBPF
      folder. Open a terminal (go to /Applications/Utilities and click on "terminal"). Enter the
      following commands to change the ownership of the Startupitems folder.

             sudo chown admin /Library/Startupitems

       Here, "admin" is my "administration" login name. I downloaded Winshark while logged
       in as "admin."

       You can then copy the Wireshark "Startup" folder (which I renamed ChmodBPF) into
       the /Library/startupitems folder.
   2. The supplied ChmodBPF script file did not work with my setup. Working in the
      terminal window, go to the Library/Startupitems/ChmodBPF" folder using

           cd /Library/Startupitems/ChmodBPF

       and open the contained ChmodBPF script file with the Unix vi editor, i.e.

           vi ChmodBPF

       Delete the lines in the file not included in my script file below and change the instructions
       (not preceded by a "#" - which indicates a comment line) to those shown in my script file
       below. You can delete the line that you are on by typing "dd", delete a character by
       typing "x", and delete a word by typing "dw".

       To add text, place the cursor (using the arrow keys to move to the desired point) and type
       "i" (the command for "insert"). What you then type is added to the text. When finished
       typing what you want, you need to click on the escape ("esc") key to exit the text adding

       When done, simply type ":wq". To verify that the file was correctly changed, you can
   display the file using

        more ChmodBPF

3. When you restart the computer, it will tell you that permissions are incorrectly set for the
   files in /Applications/Startupitems and ask if you want to fix them. Say "yes" and all will
   be fine.
4. Now that you have the script file in the startup folder, you need to tell the system to run
   the startup file. Open "System Preferences", click on "Accounts" and select the "admin"
   account. The top of the window displays two options - "Password" and "Login Items."
   Select the latter and a window will open that allows you to add items to be opened
   automatically. Click on the "+" and select
   /Library/Startupitems/ChmodBPF/ChmodBPF. Next time you log in, you will have
   permissions for the NIC interfaces.
5. NOTE: In my setup, my normal login has administration (the box for "Allow user to
   administer this computer") has been checked. This makes me a member of the "admin"
   group and the setting in Step 4 for the "admin" account also runs the startup when I log in
   with my usual login name. Therefore, the instruction in the script file below says to
   change the owner to admin. If your login is not part of the admin group, change the user
   from "admin" to your login name in the script below.
6. You will then need to restart your computer to give you permissions for the NIC ports.
   When restarting, you may find that you need to enter your password. Do this, and after
   restarting launch /Applications/ Click on "capture" and then on "options."
   The "Interface" should show one of your Mac network interfaces (wired TCP/IP is en0)
   and the physical address/IP address for that port. Deselect "Hide capture info dialog" and
   then click Start. You should now see the packets being captured and can proceed to look
   at the details within the packets.

    #! /bin/sh
    # $Id: ChmodBPF 24640 2008-03-15 18:31:52Z gerald $
    # Unfortunately, Mac OS X's devfs is based on the old FreeBSD
    # one, not the current one, so there's no way to configure it
    # to create BPF devices with particular owners or groups.
    # This startup item will make it owned by the admin group,
    # with permissions rw-rw----, so that anybody in the admin
    # group can use programs that capture or send raw packets.
    # Change this as appropriate for your site, e.g. to make
# it owned by a particular user without changing the
# so only that user and the super-user can capture or send raw
# packets, or give it the permissions rw-r-----, so that
# only the super-user can send raw packets but anybody in the
# admin group can capture packets.

sudo chown admin /dev/bpf*
sudo chmod go+rw /dev/bpf*

# End of File

To top