Wireshark-users: Re: [Wireshark-users] Error when trying to run wireshark-chmodbpf 1.0.2
From: Guy Harris <gharris@xxxxxxxxx>
Date: Thu, 14 Jan 2021 22:18:52 -0800
On Jan 14, 2021, at 5:59 PM, Kok-Yong Tan <ktan@xxxxxxxxxxxxxxxxxxx> wrote:

> The wireshark-chmodbpf script stops at /dev/bpf1.

How do you know that it stops at /dev/bpf1?

The *messages* stop at /dev/bpf1, but those are *not* progress messages, those are error messages from the shell.

 The script does *not* print a message for every single BPF device it tries to create (by opening it), so if it *succeeds* in opening, for example, /dev/bpf2, it will *not* print anything about /dev/bpf2, so the fact that it only prints messages about /dev/bpf0 and /dev/bpf1 doesn't mean it stops at /dev/bpf1.

In fact...

> However, there appears to be /dev/bpf0 through /dev/bpf10 in existence when I do a “ls -lu /dev/bpf*” but nothing beyond bpf10.  
> 
> crw-r-----  1 root  access_bpf   23,   0 Jan 14 16:57 /dev/bpf0
> crw-r-----  1 root  access_bpf   23,   1 Jan 14 16:57 /dev/bpf1
> crw-r-----  1 root  access_bpf   23,  10 Jan 14 16:57 /dev/bpf10
> crw-r-----  1 root  access_bpf   23,   2 Jan 14 20:50 /dev/bpf2
> crw-r-----  1 root  access_bpf   23,   3 Jan 14 20:50 /dev/bpf3
> crw-r-----  1 root  access_bpf   23,   4 Jan 14 20:50 /dev/bpf4
> crw-r-----  1 root  access_bpf   23,   5 Jan 14 20:50 /dev/bpf5
> crw-r-----  1 root  access_bpf   23,   6 Jan 14 20:50 /dev/bpf6
> crw-r-----  1 root  access_bpf   23,   7 Jan 14 20:50 /dev/bpf7
> crw-r-----  1 root  access_bpf   23,   8 Jan 14 20:50 /dev/bpf8
> crw-r-----  1 root  access_bpf   23,   9 Jan 14 20:50 /dev/bpf9

...the existence of those devices, and the fact that they're all owned by the access_bpf group, indicates that it did *not* stop at /dev/bpf1!