
Wireshark-bugs: [Wireshark-bugs] [Bug 3980] No HTTP Requests seen in Wireshark recording on Snow

Date: Thu, 3 Sep 2009 19:57:21 -0700 (PDT)

--- Comment #2 from Guy Harris <guy@xxxxxxxxxxxx>  2009-09-03 19:57:19 PDT ---
If by "tcpdump yields the same results" you mean that tcpdump doesn't see HTTP
requests, just responses, then this isn't a Wireshark problem, it's a
SnowLeopard bug.


    1) the only packets you're not seeing are packets being sent by the machine
running Wireshark;

    2) dumpcap isn't set-UID root and you're not running Wireshark or tcpdump
as root, and you changed the ownership and permissions of the /dev/bpf* devices
so that you can capture traffic when you're not running as root;

    3) the non-root users who have permission to access the /dev/bpf* devices
have read, but not write, access to /dev/bpf*;

then this is a known bug - and you should file another bug against it at the
Apple Developer Connection bug reporter site (and add the bug number it assigns
to the bug to this bug).

The workaround is to give the users in question write permission as well - for
example, if "ls -l /dev/bpf*" reports something such as

crw-r-----  1 root  admin   23,   0 Sep  3 18:45 /dev/bpf0
crw-r-----  1 root  admin   23,   1 Sep  3 18:45 /dev/bpf1
crw-r-----  1 root  admin   23,   2 Aug  7 17:15 /dev/bpf2
crw-r-----  1 root  admin   23,   3 Aug  7 17:15 /dev/bpf3

do "sudo chmod g+w /dev/bpf*" so that the admin group gets write permission as

(The bug is that, if you open a BPF device for reading but not writing, you
don't see outgoing traffic.)

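Added example, not part of the original bug comment: a shell check for the condition in item 3 above, a /dev/bpf* device whose group can read but not write. The function names are hypothetical, and the third sample line is constructed to show a device that already has the workaround applied.

```shell
#!/bin/sh
# Added illustration; not code from the Wireshark project or the bug report.

# Read `ls -l /dev/bpf*` style lines on stdin and print the path of every
# BPF character device whose group bits are "r" without "w".
bpf_group_readonly() {
    awk '
        # $1 is the mode string (e.g. crw-r-----); characters 5 and 6 are
        # the group read and write bits. $NF is the device path.
        $1 ~ /^c/ && $NF ~ /^\/dev\/bpf[0-9]+$/ {
            if (substr($1, 5, 1) == "r" && substr($1, 6, 1) != "w")
                print $NF
        }
    '
}

# Run the check against the devices actually present on this machine.
# Prints nothing if there are no /dev/bpf* devices or none are affected.
bpf_check_live() {
    ls -l /dev/bpf* 2>/dev/null | bpf_group_readonly
}

# Sample input: the first two lines are from the listing in the comment,
# the third is constructed (group already has write permission).
sample_listing() {
    cat <<'EOF'
crw-r-----  1 root  admin   23,   0 Sep  3 18:45 /dev/bpf0
crw-r-----  1 root  admin   23,   1 Sep  3 18:45 /dev/bpf1
crw-rw----  1 root  admin   23,   2 Aug  7 17:15 /dev/bpf2
EOF
}

# Demonstration on the sample listing: reports /dev/bpf0 and /dev/bpf1.
sample_listing | bpf_group_readonly
```

Write access to a BPF device also lets members of that group send frames on the interface, so the group that receives g+w should be limited to the users who need to capture.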