Wireshark-users: Re: [Wireshark-users] Wireshark Macbook Air USB assistance
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 26 Jan 2010 19:05:55 -0800
On Jan 26, 2010, at 6:16 PM, John C wrote:

>   That corrected the issue - thank you for the helpful information.

If you're running Leopard, "man tcpdump" should give the full story; if you're running Snow Leopard, "man pcap" should give the full story.  Look for the section that starts with "Reading packets from a network interface may require that you have special privileges:"; the key part is

       Under BSD (this includes Mac OS X):
              You  must  have  read  access to /dev/bpf* on systems that don't
              have a cloning BPF device, or to /dev/bpf on  systems  that  do.
              On  BSDs  with  a  devfs  (this  includes  Mac OS X), this might
              involve more than just having somebody  with  super-user  access
              setting  the  ownership  or  permissions on the BPF devices - it
              might involve configuring devfs to set the ownership or  permis-
              sions  every  time the system is booted, if the system even sup-
              ports that; if it doesn't support that, you might have  to  find
              some other way to make that happen at boot time.

On OS X Leopard and later, a "way to make that happen at boot time" is to install the attached "chmod_bpf" script in /usr/local/bin (make sure it has execute permission), install the attached "org.tcpdump.chmod_bpf.plist" file in /Library/LaunchDaemons (make sure it's owned by root, group wheel), and then do "sudo launchctl load /Library/LaunchDaemons/org.tcpdump.chmod_bpf.plist".  That will arrange that the BPF devices be owned by root, group admin, and have read/write permission for group admin, so all administrative users will be able to run tcpdump, Wireshark, TShark, dumpcap, etc. without having to have root privileges, and that this will be done at boot time for every reboot.

If you want to limit that privilege to yourself, change the "chmod_bpf" script to run the chown command rather than the chgrp command, and not run the chmod command.

(For Tiger and earlier systems, unpack the attached tar file in the /Library/StartupItems directory and then use the appropriate command to run the ChmodBPF startup item; edit the ChmodBPF script in that startup item to change what privileges are required for capture.)

Attachment: chmod_bpf
Description: Binary data

Attachment: org.tcpdump.chmod_bpf.plist
Description: Binary data

Attachment: tarfile
Description: Binary data