How to: Securely configure Mac OS X for network packet sniffing with Wireshark

If you’re anything like me, you often run into a computer problem or five that could be diagnosed more quickly by taking a peek at activity on the network. The best general purpose tool for inspecting network activity has gotta be Wireshark. It’s an industry-standard, open source packet sniffer that you can use for fun and profit.

Installing Wireshark is easy enough since various installers are probably already available for your system. Some builds for Mac OS X, however, expect you to run Wireshark from an admin user account in order to actually capture network packets. Although it seems the official Wireshark package recently lifted the requirement of an admin user, its Mac OS X readme used to say:

On Mac OS X, the BPF devices live on devfs, but the OS X version of devfs is based on an older (non-default) FreeBSD devfs, and that version of devfs cannot be configured to set the permissions and/or ownership of those devices.

Therefore, we supply a “startup item” for OS X that will change the ownership of the BPF devices so that the “admin” group owns them, and will change the permission of the BPF devices to rw-rw----, so that all users in the “admin” group – i.e., all users with “Allow user to administer this computer” turned on – have both read and write access to them.

Using your computer day-to-day as an admin user is generally a very bad idea because it means one wrong click has a much greater chance of causing problems. Instead, I use a “standard” account and would recommend you do the same. Moreover, if you’re using an unofficial Wireshark package on Mac OS X, such as one obtained through MacPorts (as I am), then you may not even have Wireshark’s startup item. This will likely result in a common “no capture interfaces available” error in Wireshark itself.

Most of the solutions on the Web will also just tell you to chmod the /dev/bpf* devices. That’ll work, but you’ll have to chmod them after every reboot. To fix that, you can mimic Wireshark’s own startup item with a Mac OS X launchd job. Here’s one minimally modified from a MacPorts patch for this issue:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>org.macports.wireshark-chmodbpf</string>
	<key>Program</key>
	<string>/bin/sh</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/sh</string>
		<string>-c</string>
		<string>/usr/sbin/chown root:wireshark /dev/bpf*; /bin/chmod g+r /dev/bpf*</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>KeepAlive</key>
	<dict>
		<key>SuccessfulExit</key>
		<false/>
	</dict>
</dict>
</plist>

Save the above property list as a file named org.macports.wireshark-chmodbpf.plist (or something equally meaningful to you) and place it in your Mac’s /Library/LaunchDaemons folder. Unlike the original MacPorts patch and the old Wireshark package, this job changes the group ownership of /dev/bpf* to a group named wireshark.[1]

All you have to do is create a group named “wireshark” on your Mac and add to it any user you want to give packet sniffing permissions. Once that’s done, load the launchd job by opening the Terminal and running the following command as an administrator:

sudo launchctl load -w /Library/LaunchDaemons/org.macports.wireshark-chmodbpf.plist

This way, only users in the “wireshark” group will be able to read from the BPF devices in Mac OS X, and you can still use your Mac as a non-admin user while packet sniffing.
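A small audit script, added here and not part of the original post, that checks the result of the setup above: it parses ls -l output for the BPF devices and accepts a device only if it is owned by root, group-owned by the sniffing group, group-readable and carries no permission bits for “other”, and it wraps the dseditgroup commands for creating the group and adding a user. The group name wireshark and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit BPF device permissions
# after the chmodbpf launchd job has run. Group name is an assumption.
BPF_GROUP="${BPF_GROUP:-wireshark}"

# bpf_line_ok LINE GROUP
# LINE is one line of `ls -l /dev/bpfN` output. Returns 0 only when the entry
# is a character device owned by root, group-owned by GROUP, group-readable,
# and has no permission bits for "other". A trailing '@' or '+' on the mode
# (extended attributes / ACLs) sits at position 11 and is ignored.
bpf_line_ok() {
    line=$1; want_group=$2
    set -- $line                                  # split on whitespace
    mode=$1; owner=$3; group=$4
    case "$mode" in c*) ;; *) return 1 ;; esac    # must be a char device
    [ "$owner" = root ] || return 1
    [ "$group" = "$want_group" ] || return 1
    grp_bits=$(printf '%s' "$mode" | cut -c5-7)   # chars 5-7: group rwx
    oth_bits=$(printf '%s' "$mode" | cut -c8-10)  # chars 8-10: other rwx
    case "$grp_bits" in r*) ;; *) return 1 ;; esac
    [ "$oth_bits" = '---' ] || return 1
    return 0
}

# audit_bpf_devices: check every /dev/bpf* on the live system (macOS only).
# Uses a for loop rather than a pipeline so the exit status survives.
audit_bpf_devices() {
    rc=0
    for dev in /dev/bpf*; do
        l=$(ls -l "$dev")
        if bpf_line_ok "$l" "$BPF_GROUP"; then echo "ok   $dev"
        else echo "BAD  $dev: $l"; rc=1; fi
    done
    return $rc
}

# setup_sniff_group USER: create the group (no-op if it exists) and add USER,
# then confirm membership. Needs an admin account; macOS only.
setup_sniff_group() {
    sudo dseditgroup -o create "$BPF_GROUP" 2>/dev/null || true
    sudo dseditgroup -o edit -a "$1" -t user "$BPF_GROUP"
    dseditgroup -o checkmember -m "$1" "$BPF_GROUP"
}

# Usage on a Mac:  sh bpf_audit.sh            -> audit /dev/bpf*
#                  sh bpf_audit.sh setup NAME -> create group, add NAME, audit
if [ "$(uname)" = Darwin ]; then
    [ "${1:-}" = setup ] && setup_sniff_group "$2"
    audit_bpf_devices
fi
```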

  [1] As of this writing, the official Wireshark package for Mac OS X will create a group named access_bpf for this purpose, basically equivalent to what I’ve named my wireshark group.