Running Wireshark on Mac OSX
You will need to have X11 installed as part of your OSX installation to run Wireshark on your
When downloading the Mac OSX version of Wireshark from www.wireshark.org, you will receive a folder with the Wireshark executable (placed in your /Applications directory) along with a folder called "Utilities", which contains two folders, one called "Command Line" and the other called "Startup." To connect Wireshark to a network NIC, you will need (for the Mac OSX environment) to install a startup folder in the /Library/StartupItems folder. That folder is the folder "Startup" in the Wireshark Utilities folder. I have renamed the "Startup" folder (which contains a script file "ChmodBPF") to be "ChmodBPF" to more easily identify it in the Mac OS
You will need to do the following:
1. The "/Library/StartupItems" folder permissions are R/W only for the "system" (i.e., root). You will need to change the permissions on this folder before you can add the (renamed) ChmodBPF folder to it. Open a terminal (go to /Applications/Utilities and click on "Terminal"). Enter the following command to change the ownership of the StartupItems folder:
sudo chown admin /Library/StartupItems
Here, "admin" is my "administration" login name. I downloaded Wireshark while logged in as "admin."
You can then copy the Wireshark "Startup" folder (which I renamed ChmodBPF) into the /Library/StartupItems folder.
2. The supplied ChmodBPF script file did not work with my setup. Working in the terminal window, go to the "/Library/StartupItems/ChmodBPF" folder using
and open the contained ChmodBPF script file with the Unix vi editor, i.e.
Delete the lines in the file not included in my script file below and change the instructions (the lines not preceded by a "#", which indicates a comment line) to those shown in my script file below. You can delete the line that you are on by typing "dd", delete a character by typing "x", and delete a word by typing "dw".
To add text, place the cursor (using the arrow keys to move to the desired point) and type "i" (the command for "insert"). What you then type is added to the text. When finished typing what you want, you need to press the escape ("esc") key to exit the text adding
When done, simply type ":wq". To verify that the file was correctly changed, you can display the file using
3. When you restart the computer, it will tell you that permissions are incorrectly set for the files in /Applications/StartupItems and ask if you want to fix them. Say "yes" and all will
4. Now that you have the script file in the startup folder, you need to tell the system to run the startup file. Open "System Preferences", click on "Accounts" and select the "admin" account. The top of the window displays two options, "Password" and "Login Items." Select the latter and a window will open that allows you to add items to be opened automatically. Click on the "+" and select /Library/StartupItems/ChmodBPF/ChmodBPF. The next time you log in, you will have permissions for the NIC interfaces.
5. NOTE: In my setup, my normal login has administration rights (the box for "Allow user to administer this computer" has been checked). This makes me a member of the "admin" group, and the setting in Step 4 for the "admin" account also runs the startup item when I log in with my usual login name. Therefore, the instruction in the script file below says to change the owner to admin. If your login is not part of the admin group, change the user from "admin" to your login name in the script below.
6. You will then need to restart your computer to give you permissions for the NIC ports. When restarting, you may find that you need to enter your password. Do this, and after restarting launch /Applications/Wireshark.app. Click on "Capture" and then on "Options." The "Interface" should show one of your Mac network interfaces (wired TCP/IP is en0) and the physical address/IP address for that port. Deselect "Hide capture info dialog" and then click Start. You should now see the packets being captured and can proceed to look at the details within the packets.
#!/bin/sh
# $Id: ChmodBPF 24640 2008-03-15 18:31:52Z gerald $
# Unfortunately, Mac OS X's devfs is based on the old FreeBSD
# one, not the current one, so there's no way to configure it
# to create BPF devices with particular owners or groups.
# This startup item will make it owned by the admin group,
# with permissions rw-rw----, so that anybody in the admin
# group can use programs that capture or send raw packets.
# Change this as appropriate for your site, e.g. to make
# it owned by a particular user without changing the
# so only that user and the super-user can capture or send raw
# packets, or give it the permissions rw-r-----, so that
# only the super-user can send raw packets but anybody in the
# admin group can capture packets.
# Make the BPF devices owned by "admin" (replace with your own login
# name if you are not in the admin group; see Step 5 above).
sudo chown admin /dev/bpf*
# NOTE: go+rw grants read/write to the group AND to all other users,
# i.e. rw-rw-rw-, which is broader than the rw-rw---- described above.
# Use g+rw instead if "other" users should be kept off the devices.
sudo chmod go+rw /dev/bpf*
# End of File
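As an added example (not part of the original write-up or of Wireshark's own ChmodBPF), the following POSIX shell function audits the permission bits the script above leaves on the BPF device nodes and flags any node that "chmod go+rw" has made readable and writable by every local user; the device directory is a parameter, and the constructed demo uses ordinary files in a temporary directory rather than real devices.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit BPF device permission
# bits. The directory is a parameter so it can be tried on a constructed
# directory before being pointed at the real /dev.
# Prints one line per bpf device: path, mode, owner:group, verdict.
# Returns 0 when every device is group read/write and none is readable or
# writable by "other"; returns 1 otherwise, or when no device is found.
audit_bpf() {
    dir=${1:-/dev}
    status=0
    found=0
    for dev in "$dir"/bpf*; do
        [ -e "$dev" ] || continue
        found=1
        # ls -l has the same column layout on macOS and Linux, unlike stat(1)
        set -- $(ls -ld "$dev")
        mode=$1; owner=$3; group=$4
        # mode string: type(1) owner(2-4) group(5-7) other(8-10)
        grp_bits=$(printf '%s' "$mode" | cut -c5-7)
        oth_bits=$(printf '%s' "$mode" | cut -c8-10)
        if printf '%s' "$oth_bits" | grep -q '[rw]'; then
            # what "chmod go+rw" leaves behind: any local user can capture
            verdict="WORLD-ACCESSIBLE, tighten with: chmod o-rw $dev"
            status=1
        else
            case "$grp_bits" in
                rw*) verdict="ok (group can capture and send)" ;;
                r*)  verdict="group read-only (capture only)" ;;
                *)   verdict="group has no access"; status=1 ;;
            esac
        fi
        printf '%s %s %s:%s %s\n' "$dev" "$mode" "$owner" "$group" "$verdict"
    done
    [ "$found" -eq 1 ] || { echo "no bpf devices under $dir" >&2; return 1; }
    return "$status"
}
# Constructed demo (no real devices touched): one node with the rw-rw----
# the script comment describes, one with the rw-rw-rw- that go+rw produces.
demo_bpf() {
    d=$(mktemp -d)
    touch "$d/bpf0" "$d/bpf1"
    chmod 660 "$d/bpf0"
    chmod 666 "$d/bpf1"
    audit_bpf "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
# Usage: sh audit_bpf.sh /dev   (call demo_bpf for the constructed case)
if [ $# -gt 0 ]; then audit_bpf "$1"; fi
```

On a Mac set up as in Step 6, `sh audit_bpf.sh /dev` shows whether the login item actually ran and which devices the go+rw step exposed beyond the admin group.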