Here is the complete guide, because so many ‘complete guides’ were missing a step or two that I needed.
1) Download the DMG from http://www.wireshark.org/download.html. Unpack it.
2) Drag the Wireshark icon onto the Applications alias.
3) Open the Utilities folder.
4) Drag the contents of the Command Line folder to /usr/local/bin
5) Drag the ChmodBPF folder onto the StartupItems alias.
The path is /Library/StartupItems/ChmodBPF if the alias does not work
(you can use Finder: click Go, then click “Go To Folder”).
(This startup item changes the permissions of /dev/bpf* so that you can capture from interfaces; putting it here makes that happen every time you reboot.)
6) If you’re running as an admin user you will see a list of network interfaces in Wireshark in the “Interface List”. That’s good and you’re ready to start capturing packets.
However, if you don’t see any available interfaces, you’re probably running as a non-admin. If you plan on running as a non-admin when you use Wireshark in the future, you need to make one more change. The problem here is that the ChmodBPF start-up item we installed earlier (which changes permissions on /dev/bpf*) only works for users in the admin group. So we need a way of allowing the user you’re running as to at least read /dev/bpf*.
A simple solution, which you can also use to check whether this change lets you capture, is to run sudo chmod o+r /dev/bpf*. That works, but it allows any user on your machine to sniff packets. A better solution is to add a line to the ChmodBPF script to chown (change the owner of) those devices to the user you want to run as:
- Open the ChmodBPF script, which is located in /Library/StartupItems/ChmodBPF/ChmodBPF, in a text editor.
- Add a chown line so that the file looks like this:
    ...
    chgrp admin /dev/bpf*
    chmod g+rw /dev/bpf*
    chown foobar:admin /dev/bpf*
    }
    ...
- But replace foobar here with the user you want to run Wireshark under.
- Save the file.
7) If you’re doing a fresh Wireshark install on Snow Leopard (Mac OS X 10.6), it appears that the ownership of the ChmodBPF files needs to be changed. So, fire up the terminal and do the following:
cd /Library/StartupItems
sudo chown -R root:wheel ChmodBPF
8) Now double-check the security settings of your startup items. You may get an error like this if you forgot to do so:
"Insecure Startup Items folder detected.
Items in the Startup Items folder ("/Library/
StartupItems/") have not been started because the
folder does not have the proper security settings."
So open up a terminal, go to /Library/StartupItems/,
do an ls -l and make sure that everything is set to the same permission, 755, which will look like
drwxr-xr-x
You can always change the permissions of everything in the folder by doing this:
sudo chown -R root:wheel /Library/StartupItems
sudo chmod -R 0755 /Library/StartupItems
If you see an @ symbol, do an ls -l@ and look for com.apple.quarantine. This means that OS X has quarantined the file because it has not yet been given permission to run (it is untrusted). It is just like when you download a new app from the internet and open it for the first time: OS X asks you with a prompt, “blah is an application downloaded from the Internet. Are you sure you want to open it?” You need to give the same approval here, only via the command line.
Remove the quarantine with this command:
xattr -r -d com.apple.quarantine file-path
so in our case
xattr -r -d com.apple.quarantine /Library/StartupItems/ChmodBPF
9) Restart your computer, make sure there are no errors, run Wireshark and make sure you can see interfaces to capture from. Email me or comment below to fix any problems with this how to.
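An added example, not part of the original guide: a small shell audit of what steps 6 to 8 change, listing startup-item entries with the wrong owner or loose write bits, entries still quarantined, and BPF devices left readable by every user. The function names are made up for this example; the paths and the root owner come from the steps above.

```shell
#!/bin/sh
# Added example: audit what steps 6-8 change. Function names are hypothetical;
# the paths and the root owner come from the guide.

# Entries under DIR ($1) not owned by OWNER ($2, default root) or writable by
# group/other, i.e. what the chown/chmod in step 8 are meant to fix.
insecure_entries() {
    find "$1" \( ! -user "${2:-root}" -o -perm -020 -o -perm -002 \) -print
}

# Entries under DIR ($1) that still carry com.apple.quarantine (macOS only;
# prints nothing on systems without the xattr tool).
quarantined() {
    command -v xattr >/dev/null 2>&1 || return 0
    find "$1" -exec sh -c \
        'xattr -p com.apple.quarantine "$1" >/dev/null 2>&1' _ {} \; -print
}

# Nodes directly in DIR ($1) matching NAME ($2) that any user can read, e.g.
# what is left behind by the quick "chmod o+r /dev/bpf*" test in step 6.
world_readable() {
    find "$1" -maxdepth 1 -name "$2" -perm -004 -print
}

# report LABEL LIST: print the findings and fail if LIST is non-empty.
report() {
    [ -z "$2" ] && return 0
    printf '%s:\n%s\n' "$1" "$2"
    return 1
}

# Run all three checks; the return status is 1 if any check found something.
audit() {
    dir=${1:-/Library/StartupItems}
    rc=0
    report "wrong owner or group/other-writable" "$(insecure_entries "$dir")" || rc=1
    report "still quarantined" "$(quarantined "$dir")" || rc=1
    report "BPF devices readable by every user" "$(world_readable /dev 'bpf*')" || rc=1
    return $rc
}

# Only audit when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Save it under any name and run it with /Library/StartupItems as the argument; it exits non-zero if anything is listed.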


Hi Sean! I am a student of Computer Information Systems. I just installed Wireshark and was trying to follow your instructions but got stuck on this step:
4) Drag the contents of the Command Line folder to /usr/local/bin
I opened the Utilities folder as you mentioned in step 3, but then I don’t find the Command Line folder you mention. Can you please help me? Thanks,
BTW, nice web site!
Lourdes.
You don’t even have to use the command line if you are lazy 🙂 We actually need to create that folder. Click on Finder (by default on the bottom left of your dock). Click that, then go in the menu, then click “Go to folder” then put in /usr/local. Then create the folder bin, and drag the contents from the Wireshark dmg….. which I just opened and it looks like Wireshark has automated a lot of this process, just try installing the newest version and let me know if that works?
Hi! I went into the /usr/local folder and found out that a bin folder already existed there and inside the bin I found Wireshark (which it says is a “Unix executable file”). Does this mean that I don’t need to do step 4) “Drag the contents of the Command Line folder to /usr/local/bin”?
Also, step 5 was already done. I am going to reboot my Mac and see if it works, even though I haven’t done any changes after I installed Wireshark.
Thank you very much for your help!!!
It is not working. It is still not showing any interfaces. Thanks,
In step 6) 3, how do I find out what is my user id so I can replace foobar with it? Thank you!
It works! Thank you so much for your help!