Wireshark-users: Re: [Wireshark-users] Need help-not showing interfaces in drop down list on Mac

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 13 May 2008 07:44:42 -0700
Network Fortius wrote:
> I am not sure why you would prefer a permanent change to /dev/bpf* than a temporary (running as - sudo) root-enabled option?!?

Well, for one thing, the less stuff that runs as root, the better, in general.

(Note, BTW, that Wireshark does not ever open any device for capturing in 1.0 and later. Neither does TShark in 1.0 and later. Instead, all the work of capturing is done by dumpcap; that way, on platforms where you need to run with a privileged account in order to capture traffic, the code that runs with privileges is a relatively small program rather than a very large program with a ton of dissectors and taps and, in the case of Wireshark, a GUI complete with run-time-loadable theme modules.)

> I do not think that devfs is persistent between reboots, on the macosx?!?

It's not persistent across reboots in OS X or FreeBSD.

The newer devfs in FreeBSD can be configured, however, to make /dev/bpf* owned by a particular user or group and to give it particular permissions. (I'll have to dig up the steps for doing that; it's not entirely obvious how to do it or, at least, it wasn't entirely obvious to me.)

OS X's devfs doesn't support that. However, you can, at least, arrange to have a startup item to make the BPF devices that exist at boot time owned by a particular user or group and to have particular permissions. That startup item is present in the later releases of libpcap; it's also in the .dmg of Wireshark, but it's not owned by root in that .dmg, so it can't just be dragged and dropped to /Library/StartupItems. (It's also a startup item, rather than a launchd daemon, and startup items are deprecated; I'll look at making it run as a launchd daemon - given that the exec* calls in OS X, as in all other modern UN*Xes, transparently execute #! scripts, there's no reason I can see why a script couldn't be launched by launchd.)
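
The boot-time step described in the message above, sketched as an added example (it is not the startup item shipped with libpcap or Wireshark): one function gives the BPF nodes a capture group and mode, and a second lists any node left open to everyone so the result can be checked. The group name `capture`, mode `0660`, the `--apply` switch and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the libpcap/Wireshark startup item.
# Assumed names: group "capture", mode 0660, the --apply switch.

# Give every BPF node that exists right now the capture group and mode.
# Nodes created after this runs are not covered, which is why the message
# speaks of "the BPF devices that exist at boot time".
# Returns non-zero if no node matched or any change failed.
fix_bpf_perms() {
    dir=$1 group=$2 mode=$3
    found=0 rc=0
    for dev in "$dir"/bpf*; do
        [ -e "$dev" ] || continue        # glob matched nothing
        found=1
        chgrp "$group" "$dev" && chmod "$mode" "$dev" || rc=1
    done
    [ "$found" -eq 1 ] && [ "$rc" -eq 0 ]
}

# Print each BPF node that "other" can read or write, or that is not in
# the expected group. Empty output means only the owner and the capture
# group can open the devices.
audit_bpf_perms() {
    dir=$1 group=$2
    find "$dir" -maxdepth 1 -name 'bpf*' \
        \( -perm -004 -o -perm -002 -o ! -group "$group" \) -print
}

# Run as root at boot (startup item or launchd job): sh thisfile --apply
case "${1:-}" in
    --apply)
        fix_bpf_perms /dev "${BPF_GROUP:-capture}" 0660 || exit 1
        leftover=$(audit_bpf_perms /dev "${BPF_GROUP:-capture}")
        if [ -n "$leftover" ]; then
            echo "BPF nodes still too open: $leftover" >&2
            exit 1
        fi
        ;;
esac
```

With the devices set up this way, only this small script needs root at boot, and members of the capture group can run dumpcap without sudo.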