
cobra521

macrumors regular
Original poster
Dec 14, 2016
206
67
FL
I now have Wireshark version 3.4.0 and Catalina version 10.15.7

When I try to open Wireshark, I get the following box:

[Attached image: Screen Shot 2020-11-07 at 6.33.21 AM.png]


This has been going on for some time.

Is there something simple and permanent I can do to get Wireshark to open every time?

Right now, the only way I can run it is to open Terminal and run this command: sudo chown username:admin bp*

After that it runs OK until I reboot or shut down.

Tom
 

svenmany

macrumors demi-god
Jun 19, 2011
231
110
I'm on the same versions as you and have no problem running Wireshark.

On my computer I see that all the /dev/bp* are owned by root.access_bpf. Perhaps on boot, the ownership of all the /dev/bp* are set back to that.

My user id is in the access_bpf group. Is your user id in the access_bpf group? (I use Directory Utility to see that group membership.)
 
cobra521

sven,

Thank you.

Using Directory Utility I can select "Directory Editor," click on "access_bpf" and see that my username is in the "Group Membership" "Name" column.

So I guess the answer to this question is yes. Wireshark still gives me the error message.

I tried looking at hidden files using Finder and was not able to find "access_bpf." I did do cd /dev followed by ls -l bp* and got five files listed. Each of them showed the owner is root, I think, as the first line showed:

"crw--------- 1 root wheel 23, 0 Nov 8 13:42 bpf0"

The other four were similar except for the date and/or time and of course the numeric digit at the end of the filename.

I'm relatively uneducated in this aspect of MacOS, so perhaps I need another nudge...

Tom
 
svenmany

Perhaps we can puzzle through this together, until someone with actual knowledge chimes in. :)

I think you're saying that you expected to find "access_bpf" somewhere as a file. That is a user group and I'm not sure if it's represented anywhere in the file system. That's not to say that a bunch of non-file things can be found in the file system. For example, everything under "/dev" is actually a device. I believe that "bpf" refers to "Berkeley Packet Filter"; those devices allow you to monitor traffic on network interfaces (assuming you have permission to read those devices).

My bpf* entries have permissions and ownership that allow me to do that.

crw-rw---- 1 root access_bpf 23, 99 Nov 7 09:50 bpf0

This says that access_bpf is the group that owns that device. The second "rw" represents the permissions granted to "access_bpf" for that device; read and write is granted. Since I'm in the access_bpf group, I inherit the permissions to read from and write to those devices.

Every time my computer boots, /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist runs. This just executes /Library/Application Support/Wireshark/ChmodBPF/ChmodBPF, which sets the permissions and ownership for me.

I think that was installed at some point after first running Wireshark. Can you check and see if you have that plist file?
 
cobra521

sven,

Both of those files are present: /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist and /Library/Application Support/Wireshark/ChmodBPF/ChmodBPF.

I'm guessing that there's something missing that should be present to execute that file when the Mac boots - is there a way to do this?

Tom
 
cobra521

sven,

Thank you.

I found the same file instruction, so I did (I think) exactly what it said to do. When I clicked on the executable, it appeared to run and then said it completed. Alas, no change for the Wireshark error.

I think I'll uninstall Wireshark, re-download and reinstall it and report back.

Tom
 
cobra521

sven,

Well, I deleted everything from the Mac using drag-and-drop for the app, and used terminal rm commands for the chmod items. Then downloaded and installed a fresh copy of Wireshark. I ran the delete pkgs first for the path and chmod items, next ran the install pkgs for path and chmod.

Guess what? Same error as the original post in this thread...

Sigh,

Tom
 
svenmany

Have you ever used launchctl (at the command line) to disable any services? I have a bunch of entries in /var/db/com.apple.xpc.launchd/disabled.501.plist (my user id is 501 - called "UniqueID" in Directory Utility). Do you?

The fact that the permissions and ownership of the bpf* files are wrong seems to suggest a problem running that script from LaunchDaemons. I do see that the script calls "syslog -s". The syslog man page basically says to read "man 8 syslogd". I'll try to figure out a bit later where that log message ends up. I'd really like to know if that script is being executed for you.

-- EDIT --

Did you reboot after reinstalling? I hope that the chmod installation does run the script itself, but maybe it just installs the script, counting on a reboot to actually run it.
 
cobra521

sven,

Never used launchctl.

I did just use Console to look at the install log for chmodBPF, and this is what I found:

ChmodBPF 1.1 Installation Log

2020-11-09 13:52:21-05 2019-Mac-Pro Installer[4473]: Opened from: /Applications/Wireshark.app/Contents/Resources/Extras/Install ChmodBPF.pkg

2020-11-09 13:52:21-05 2019-Mac-Pro Installer[4473]: Package Authoring Error: <background_scaling> has an unsupported MIME type: X-NSObject/NSNumber

2020-11-09 13:52:21-05 2019-Mac-Pro Installer[4473]: Package Authoring Error: <background_alignment> has an unsupported MIME type: X-NSObject/NSNumber

2020-11-09 13:52:21-05 2019-Mac-Pro Installer[4473]: Package Authoring Error: <layout-direction> has an unsupported MIME type: X-NSObject/NSNumber

2020-11-09 13:52:22-05 2019-Mac-Pro Installer[4473]: Failed to load specified background image

2020-11-09 13:52:22-05 2019-Mac-Pro Installer[4473]: Product archive /Applications/Wireshark.app/Contents/Resources/Extras/Install ChmodBPF.pkg trustLevel=350

2020-11-09 13:52:22-05 2019-Mac-Pro Installer[4473]: External component packages (1) trustLevel=350

2020-11-09 13:52:22-05 2019-Mac-Pro Installer[4473]: Could not load resource readme: (null)

2020-11-09 13:52:22-05 2019-Mac-Pro Installer[4473]: Could not load resource license: (null)


No idea what it means except it looks as though it failed?

Tom
 
cobra521

sven,

I also should mention that if I open Terminal and enter

cd /dev
sudo chown username:admin bp*

that Wireshark works fine until a shutdown or reboot.

Tom
 
svenmany

I reran the installer and got the same log errors as you, so I don't think that's relevant. I'm not a mac programmer, but it looks like some of it relates to errors in UI presentation.

So, you set the ownership to username:admin and Wireshark works. That makes perfect sense; you've taken ownership of the bp* files and can read them (since owner permissions say read is enabled - the first "rw" in the directory listing).

Then you reboot. Something in the OS is setting the ownership back to root:wheel. That's probably an automatic permission fix for the sake of securing the OS. I believe you said you see

"crw--------- 1 root wheel 23, 0 Nov 8 13:42 bpf0"

after boot. You shouldn't be able to read the bp* devices at that point because only the owner has read/write access and the owner is root (which isn't you).

After this OS adjustment, the computer goes on to run all the launch scripts in LaunchDaemons. We count on one of those, ChmodBPF, to set the permissions and ownership suitable to running Wireshark. That script is either not running or failing in some way.

Earlier in this thread you said you only have 5 bp* files. I have 256, all created by the ChmodBPF script. That also suggests there's something wrong when trying to run the script.

Have you tried to run the script /Library/Application Support/Wireshark/ChmodBPF/ChmodBPF yourself to see if it gives any errors? You'd have to sudo run it.
 
Comment
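The ownership reasoning in the post above, as an added example that is not part of the thread: a small sh script that applies the owner/group/other rule to `ls -l` lines for /dev/bpf* and reports what access an account gets. The sample lines are constructed from the listings quoted in the thread, and the account name "tom" and its group list are assumptions. Run it with sh or bash, since zsh does not word-split `$line` by default.

```shell
#!/bin/sh
# Added example (not from the thread): apply the owner/group/other rule to
# "ls -l" lines for /dev/bpf* to see what access a given account gets.

# bpf_access LS_LINE USER "GROUP1 GROUP2 ..."  -> prints rw, r-, -w or --
bpf_access() {
    line=$1; user=$2; groups=$3
    set -- $line                      # split into: mode links owner group ...
    mode=$1; owner=$3; group=$4
    if [ "$user" = root ]; then
        echo rw                       # root bypasses the mode bits
    elif [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-3    # owner bits
    else
        case " $groups " in
            *" $group "*) printf '%s\n' "$mode" | cut -c5-6 ;;  # group bits
            *)            printf '%s\n' "$mode" | cut -c8-9 ;;  # other bits
        esac
    fi
}

# bpf_readable_count LISTING USER GROUPS -> number of devices USER can read
bpf_readable_count() {
    count=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        case $(bpf_access "$l" "$2" "$3") in r*) count=$((count + 1)) ;; esac
    done <<EOF
$1
EOF
    echo "$count"
}

# Constructed sample lines modelled on the listings quoted in the thread.
# "tom" and its group list are hypothetical.
AFTER_BOOT='crw-------  1 root  wheel       23,   0 Nov  8 13:42 bpf0'
AFTER_CHMODBPF='crw-rw----  1 root  access_bpf  23,   0 Nov  7 09:50 bpf0'
AFTER_CHOWN='crw-------  1 tom   admin       23,   0 Nov  8 13:50 bpf0'
TOM_GROUPS='staff admin access_bpf'

for state in "$AFTER_BOOT" "$AFTER_CHMODBPF" "$AFTER_CHOWN"; do
    echo "$(bpf_access "$state" tom "$TOM_GROUPS")  <-  $state"
done
```

On a real system the listing would come from `ls -l /dev/bpf*` and the group list from `id -Gn`.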

cobra521

sven,

I can access the directory chmodBPF (small c) and ls gives me a file in it called ChmodBPF (capital C).

If I type ChmodBPf I get zsh: command not found

If I type sudo ChmodBPF I get sudo: ChmodBPF: command not found

Trying with lowercase c gives the same error.

Tom
 
cobra521

OK

Tried to execute using Finder.

/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF:36: resource busy: /dev/bpf0
followed by
:36: permission denied: /dev/bpf5

followed by
:36: no such file or directory: /dev/bpf6
:36: no such file or directory: /dev/bpf7
:36: no such file or directory: /dev/bpf8
:36: no such file or directory: /dev/bpf9
.
.
.
:36: no such file or directory: /dev/bpf255
chgrp: /dev/bpf0: Operation not permitted
chgrp: /dev/bpf1: Operation not permitted
chgrp: /dev/bpf2: Operation not permitted
chgrp: /dev/bpf3: Operation not permitted
chgrp: /dev/bpf4: Operation not permitted
chgrp: /dev/bpf5: Operation not permitted
chmod: Unable to change file mode on /dev/bpf0: Operation not permitted
chmod: Unable to change file mode on /dev/bpf1: Operation not permitted
chmod: Unable to change file mode on /dev/bpf2: Operation not permitted
chmod: Unable to change file mode on /dev/bpf3: Operation not permitted
chmod: Unable to change file mode on /dev/bpf4: Operation not permitted
chmod: Unable to change file mode on /dev/bpf5: Operation not permitted

Completely at sea over this...

I next took the command line that Finder used, put sudo in front of it and got essentially the same first line of output (/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF:36: resource busy: /dev/bpf0)

and then

[Process completed]


Tom
 
svenmany

The sudo attempt you made last was what I intended. Sorry that I caused you time and effort by not being more explicit.

I feel that I'm out of my depth as to the nature and functioning of the bpf devices. I also feel I'm just flailing about; debugging together in this forum feels like programming with punch cards.

However, after you ran that last sudo command, does Wireshark still fail? What is the output of "ls -l bpf*"?
 
cobra521

sven,

Not to worry. In another lifetime I was a programmer, although I admit freely not Linux LOL

Here's the result of ls (attached) as an abbreviated text file. It looks like there are 256 files now, similar to yours.

Alas, if I reboot, same error until I run the chmod command in Terminal.

Don't worry too much about this - it's an annoyance, not a show stopper!

Tom
 

Attachment: bpf ls.txt (1.9 KB)
svenmany

Hi Tom,

Thanks for letting me off the hook. :)

So the script works fine, it's just not being triggered on boot. At which point I say - "WHAT THE HECK". Let's cross our fingers and hope that someone with some tidbit of information chimes in.
 
cobra521

sven,

I found the Wireshark site and signed up for their forum. I noticed that a number of inquiries sounded exactly like mine, so I added a note to a recent thread there, included a link to this thread, and have fingers crossed.

I'll post here if any answers come through. So far there it looks a lot like what you've taken me through, with about the same result LOL

Tom
 