Wireshark-bugs: [Wireshark-bugs] [Bug 11659] On OS X using psuedo interface pktap can result in
Date: Fri, 30 Oct 2015 19:36:34 +0000

Comment # 1 on bug 11659 from
(In reply to Jim Young from comment #0)
> 1 - Start a capture on OS X's hidden "pktap" interface using sudo tcpdump,
> sudo dumpcap -i pktap, sudo tshark -i pktap or even sudo Wireshark -i pktap.

The problem is that you're running programs that give up privileges (for good
reason) as root, so what they can do when they start isn't the same as what
they can do later.

The short-term workaround is "don't do that"; the long-term fix is to have
libpcap run a helper process to perform some functions, including opening and
closing devices, with that process possibly being appropriately privileged
either by virtue of set-UID or some other form of privileges assigned to the
process or by virtue of being run through some "ask the user for permission to
run it with special privileges and then do so" or something else.  That would
clean up a whole *bunch* of annoyances.  (Npcap, as an option, already uses UAC
to do that on Windows.)  The helper process would be run in a controlled
environment (if possible, *no* environment variables from the user's session,
or file descriptors from any process run by the user, provided to it, etc.),
limited in its function, and audited out the wazoo.

It is probably *not* a good idea to run TShark/Wireshark as root.  To quote
doc/README.packaging:

> WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
> THEM AS ROOT.

> Interestingly the bleeding edge version of tcpdump/libpcap from tcpdump.org
> does not generate this error message when OS X is in the state where the two
> capture processes have been stopped and pktap0 interface is visible.

The bleeding-edge version of libpcap does not do anything to create or destroy
pktap devices, as it has no code to support the pktap mechanism.  I'd like to
add support for it, so that, for example, you could capture on an "any" device
on OS X, but 1) I'd want to do the aforementioned privilege separation first
and 2) I'd need to do something other than copy over Apple's APSL-licensed
code, as I really don't want to add any licensing curveballs into libpcap,
whether it's GPLed code and its virality, LGPLed code and its LGPLness (which
might make Apple and maybe other downstreams nervous) or APSL/CDDL/other
license-with-patent-clauses licenses (which might make various people nervous.)

I'll look at trying to figure out what the hang issue is, and whether there's
anything we can do about it, but, at least for now, it's probably best to do
your capturing with Apple's tcpdump, run as root, and then read those captures
in Wireshark.


You are receiving this mail because:
  • You are watching all bug changes.