On Jan 23, 2008, at 6:26 PM, Kelly Martin wrote:
> I built the latest Ethereal

The latest Ethereal is called "Wireshark". :-)

> the quick-and-easy way using Mac Ports on my core 2 duo Leopard mac.
> It starts fine in X11 but crashes continually when starting to
> monitor en1 (the built-in WiFi) as user root. I don't recall the
> crash report at the moment but am wondering if this is a well-known
> bug already.

There is a well-known bug in which Wireshark crashes when you run it
on Leopard:
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1953
You can pick up an updated version of the X server that will clear up
the problem; the bug indicates where to get it.

> Also, when running as a regular user, Wireshark does not have
> sufficient privileges to monitor this device - yet if I run it as
> root, it gives me a warning that this might be dangerous (and
> indeed, I suspect it might in some cases). Is there another
> suggested way to run Wireshark on OS X, perhaps only as an
> admin-but-not-root user?

sudo chgrp admin /dev/bpf*
sudo chmod g+rw /dev/bpf*
and then run Wireshark as any user in the admin group (i.e., any user
given admin privileges). Similar tricks work on other BSD-flavored
UN*Xes.

Note that:

In OS X, /dev is managed by devfs, so whatever you do to /dev/bpf*
gets forgotten on a reboot, and has to be redone; there's a startup
item in the libpcap source (and, I think, in Andreas Fink's binary
packages) that you can use to change the BPF device permissions when
the system starts. Unfortunately, that will only affect the 4 BPF
devices that show up when the system starts, not any that are created
on opening after that.

In FreeBSD, /dev is managed by devfs, so whatever you do to /dev/bpf*
gets forgotten on a reboot; you can configure devfs's rules to set the
permissions on BPF devices:

http://www.wireshark.org/lists/wireshark-users/200709/msg00156.html

(OS X's devfs is based on an old old FreeBSD one, rather than the
Shiny New configurable one).

> I am confused.
> I also have some FreeBSD and NetBSD virtual machines that I could
> install wireshark on. Anyone know if VMWare or Parallels would allow
> me to run in promiscuous or similar wireless modes so wireshark
> could do its magic?

VMWare Fusion will give your virtual machine a virtual Ethernet
interface, not a virtual wireless interface; it can go into
promiscuous mode, but I don't think that'll put the host's interface
into promiscuous mode. I think you should be able to plug a USB
wireless adapter into your machine and tell Fusion to grab it and give
it to the virtual machine, in which case its driver should be able to
put it into promiscuous or monitor mode. (I haven't tried that yet.)
I can't speak for Parallels, but the answer is probably the same.
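
An added example, not part of the original thread: a POSIX shell audit for the group-based BPF setup described in the reply above, useful after a reboot, when devfs has reset the nodes. The function names, status strings and the world-access check are this example's own; `/dev` and `admin` are taken from the post as defaults.

```shell
#!/bin/sh
# Added example: audit BPF device nodes against the
# "chgrp admin / chmod g+rw" setup described in the thread.

# Classify one node. Prints one of:
#   world-access  any local user can read or write the node (too loose)
#   wrong-group   node does not belong to the expected group
#   no-group-rw   group is right but lacks read+write
#   ok            expected group, group read+write, no access for others
bpf_node_status() {
    node=$1 group=$2
    if [ -n "$(find "$node" -prune \( -perm -004 -o -perm -002 \) 2>/dev/null)" ]; then
        echo world-access
    elif [ -z "$(find "$node" -prune -group "$group" 2>/dev/null)" ]; then
        echo wrong-group
    elif [ -z "$(find "$node" -prune -perm -060 2>/dev/null)" ]; then
        echo no-group-rw
    else
        echo ok
    fi
}

# Audit every bpf* node in a directory (default /dev, group admin).
# Prints "<node> <status>" per node; returns non-zero if any node is not ok.
bpf_audit() {
    dir=${1:-/dev} group=${2:-admin} bad=0
    for node in "$dir"/bpf*; do
        [ -e "$node" ] || continue          # glob matched nothing
        st=$(bpf_node_status "$node" "$group")
        echo "$node $st"
        [ "$st" = ok ] || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use: audit the real device directory and print the
# commands from the thread if something needs to be redone.
bpf_audit "${1:-/dev}" "${2:-admin}" || {
    echo "BPF nodes need attention; the thread's fix is:"
    echo "  sudo chgrp admin /dev/bpf*"
    echo "  sudo chmod g+rw /dev/bpf*"
}
```

Because only the BPF devices present at startup are covered by a startup item, running the audit again after opening several captures shows whether later-created nodes came up with different permissions.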