Wireshark-users: Re: [Wireshark-users] No interfaces, no /dev directory (MacOS X)
On Sep 5, 2011, at 7:17 PM, Steven Ross wrote:
> No interfaces running as admin in Mac OS X 10.5.8 (PPC). I read the Readme in the download and the wiki telling me about the script to set up permissions on boot (and I did reboot):
> http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
>
> I do see interfaces and capturing works fine if I run as root.
>
> I have the ChmodBPF script in the StartupItems, placed there by the Wireshark installer. Running the ChmodBPF script directly gives an error:
> line 35: $1: unbound variable
> Line 35 is simply: RunService "$1"
It's a startup item, not a script to be run by itself. You need to run it with SystemStarter:
sudo SystemStarter start ChmodBPF
In order for it to be run, /Library/StartupItems/ChmodBPF, and all the files under it, must be owned by user "root" and group "wheel", and must not have group or other write privileges.
> I believe it breaks because I do not have a /dev folder.
You may not have a /dev folder, in the sense of something that the Finder will show you, but you definitely have a /dev directory, in the sense that, for example, "ls /dev" from a Terminal window will show you the contents of that directory.
> There is a hidden /dev alias,
From the point of view of all the stuff Apple put on top of UNIX, it might be an alias; from the point of view of UNIX, it's a directory:
$ ls -ld /dev
dr-xr-xr-x 3 root wheel 4194 Aug 18 18:51 /dev
> which appears to point to a volume,
From the UNIX point of view, /dev has a file system mounted on it:
$ df /dev
Filesystem 512-blocks Used Available Capacity Mounted on
devfs 220 220 0 100% /dev
which might cause the Finder to show it as something like a volume.
> but actually goes nowhere.
Nope:
$ cd /dev
$ ls
auditpipe ptytc ttyr9
autofs ptytd ttyra
autofs_control ptyte ttyrb
autofs_nowait ptytf ttyrc
bpf0 ptyu0 ttyrd
bpf1 ptyu1 ttyre
bpf2 ptyu2 ttyrf
bpf3 ptyu3 ttys0
(your results, in terms of what "ls" shows, may vary).
> Do I need to install Xcode to get the /dev folder?
No. Mac OS X is a UN*X, so it has /dev as a standard feature, and won't work without it.
> Any other reason why it wouldn't work in admin, but does in root?
Because, in *BSD and Mac OS X, in order to capture network traffic, an application or library needs to open a BPF device, and, in Mac OS X, the BPF devices, by default, are owned by root, group wheel, and only openable by the owner.
The Wireshark 1.6.x installer will install the ChmodBPF startup item, attempt to add you to the group access_bpf, and run the startup item, which should make the BPF devices that exist, at the time it's run, owned by group access_bpf and readable and writable by the group.
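The two conditions spelled out in the reply above (the startup item must be owned by root:wheel with no group/other write bit, and the BPF devices must end up group access_bpf and group read/write) can be checked from a Terminal without guessing. The script below is an added diagnostic written for this page; it is not the ChmodBPF startup item and not code from the Wireshark project. The path /Library/StartupItems/ChmodBPF, the device names /dev/bpf*, and the group access_bpf are taken from the thread; everything else (function names, the optional arguments that let the checks run against a directory other than /dev, the fact that it only uses ls, awk and find so it behaves the same on Mac OS X and other UN*Xes) is this example's own assumption.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Wireshark.
# Checks the two requirements named in the reply above:
#   1. /Library/StartupItems/ChmodBPF and everything under it is owned
#      root:wheel and is not group- or other-writable (SystemStarter
#      refuses the item otherwise);
#   2. every /dev/bpf* node is group access_bpf and mode rw for the
#      owner and the group, i.e. what ChmodBPF is supposed to produce.
# The optional arguments exist so the checks can be pointed at another
# directory, owner or group; they are an assumption of this example.

# Print "mode owner group" for one path, e.g. "drwxr-xr-x root wheel".
# ls -ld is used instead of stat because the stat flags differ between
# BSD/macOS and GNU; awk fields 1, 3 and 4 are the same on both.
mode_owner_group() {
    ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# check_startup_item DIR [OWNER] [GROUP]
# Returns 0 if every entry under DIR is OWNER:GROUP (default root:wheel)
# and has neither the group-write nor the other-write bit set; otherwise
# prints each offending entry and returns 1.
check_startup_item() {
    dir=$1; owner=${2:-root}; group=${3:-wheel}
    [ -d "$dir" ] || { echo "missing startup item directory: $dir"; return 1; }
    # find runs the per-file checks in a subshell; collect its complaints.
    bad=$(find "$dir" -print | while IFS= read -r f; do
        set -- $(mode_owner_group "$f")
        [ "$2" = "$owner" ] || echo "$f: owner $2, want $owner"
        [ "$3" = "$group" ] || echo "$f: group $3, want $group"
        # mode string: char 6 is the group write bit, char 9 the other write bit
        case "$1" in
            ?????w*|????????w*) echo "$f: mode $1 is group/other writable" ;;
        esac
    done)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
    return 0
}

# check_bpf_devices [DEVDIR] [GROUP]
# Returns 0 if every bpf* node in DEVDIR (default /dev) belongs to GROUP
# (default access_bpf) and is readable and writable by owner and group.
# Returns 2 if there are no bpf nodes at all (not a BSD/macOS kernel, or
# the wrong directory), 1 if any node is still root-only or wrong group.
check_bpf_devices() {
    devdir=${1:-/dev}; group=${2:-access_bpf}; n=0; bad=""
    for d in "$devdir"/bpf*; do
        [ -e "$d" ] || continue          # unmatched glob: nothing to check
        n=$((n + 1))
        set -- $(mode_owner_group "$d")
        case "$1" in ?rw?rw*) ;; *) bad="$bad $d(mode $1)" ;; esac
        [ "$3" = "$group" ] || bad="$bad $d(group $3)"
    done
    [ "$n" -gt 0 ] || { echo "no bpf devices in $devdir"; return 2; }
    [ -z "$bad" ] || { echo "not capturable by group $group:$bad"; return 1; }
    return 0
}

# Run both checks with the thread's defaults:  sh chmodbpf-check.sh run
if [ "${1-}" = run ]; then
    check_startup_item /Library/StartupItems/ChmodBPF && echo "startup item OK"
    check_bpf_devices /dev access_bpf && echo "bpf devices OK"
fi
```

If the first check reports a writable or wrongly owned entry, `sudo chown -R root:wheel /Library/StartupItems/ChmodBPF` and `sudo chmod -R go-w` on it before trying `sudo SystemStarter start ChmodBPF` again; if the second check reports nodes that are still mode rw------- and group wheel, the startup item has not run since the devices were created, which is exactly the state the reply describes. The check only covers devices that exist when it runs, for the same reason the reply gives about ChmodBPF itself.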