Wireshark-users: Re: [Wireshark-users] Gtk-WARNING **: cannot open display:
From: Guy Harris <[email protected]>
Date: Tue, 13 Feb 2007 11:39:06 -0800
Robert D. wrote:
My google searching discovers this is pervasive. None the less, I can't
seem to solve it on my system.

If I type: sudo wireshark in Terminal (and give password) then I get:

(wireshark:528): Gtk-WARNING **: cannot open display:
What if you do

	echo $DISPLAY

in Terminal?

If it doesn't print:

:0.0

then you need to do either

	DISPLAY=:0.0; export DISPLAY

if you're using a Bourne-compatible shell (bash, ksh) or

	setenv DISPLAY :0.0

if you're using a C-shell-compatible shell (tcsh).

If you do that in your .login or .profile, it'll happen automatically.

If I navigate waaaaay down the tree in
opt/local/var/db/dports/software/wireshark/0.99.5_0+darwin_8/opt/local/share

and double click the unix executable Wireshark, then it runs but
obviously hasn't the ability to find the network points.
"Obviously"?  Why?  Because it's not running as root?  If so, note Luis 
Ontanon's comment.  The libpcap source tree has an OS X startup item 
that sets the permissions on the BPF devices for you, so you don't have 
to do it after every rebooth; I've attached it (it's a bzipped tarball; 
extract it into /System/Library/StartupItems, so that there's a ChmodBPF 
directory under /System/Library/StartupItems).
One time, shortly after re-installing X-11 this morning, I was able to
do a sudo wireshark and have it run corectly AND locate the various
network points.

When I discovered that none of my running programs could get to the
Internet anymore, I suspected Wireshark had intercepted the en1 path
No, it doesn't intercept the en1 path.  However, on some Intel-processor 
notebooks, with the standard libpcap, Wireshark will end up opening the 
"monitor mode" version of en1, which causes it to de-associate from 
whatever network you're associated with.
I think Andreas Fink's Wireshark package for OS X:

	http://www.finkconsulting.com/page7.php

is built with a version of libpcap that avoids this. (The Fink and DarwinPorts packages, as far as I know, are built with the standard libpcap in OS X.)

Attachment: ChmodBPF.tar.bz2
Description: Binary data