Wireshark mailing list archives

Re: No interfaces, no /dev directory (MacOS X)


From: Guy Harris <guy () alum mit edu>
Date: Mon, 5 Sep 2011 19:54:09 -0700


On Sep 5, 2011, at 7:17 PM, Steven Ross wrote:

> No interfaces running as admin in Mac OS X 10.5.8 (PPC). I read the Readme in the download and the wiki telling me
> about the script to set up permissions on boot (and I did reboot):
> http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

> I do see interfaces and capturing works fine if I run as root.

> I have the ChmodBPF script in the StartupItems, placed there by the Wireshark installer. Running the ChmodBPF script
> directly gives an error:
> line 35: $1: unbound variable
> Line 35 is simply:  RunService "$1"

It's a startup item, not a script to be run by itself.  You need to run it with SystemStarter:

        sudo SystemStarter start ChmodBPF

In order for it to be run, /Library/StartupItems/ChmodBPF, and all the files under it, must be owned by user "root" and 
group "wheel", and must not have group or other write privileges.

> I believe it breaks because I do not have a /dev folder.

You may not have a /dev folder, in the sense of something that the Finder will show you, but you definitely have a /dev 
directory, in the sense that, for example, "ls /dev" from a Terminal window will show you the contents of that 
directory.

> There is a hidden /dev alias,

From the point of view of all the stuff Apple put on top of UNIX, it might be an alias; from the point of view of 
UNIX, it's a directory:

        $ ls -ld /dev
        dr-xr-xr-x  3 root  wheel  4194 Aug 18 18:51 /dev

> which appears to point to a volume,

From the UNIX point of view, /dev has a file system mounted on it:

        $ df /dev
        Filesystem 512-blocks Used Available Capacity  Mounted on
        devfs             220  220         0   100%    /dev

which might cause the Finder to show it as something like a volume

> but actually goes nowhere.

Nope:

        $ cd /dev
        $ ls
        auditpipe               ptytc                   ttyr9
        autofs                  ptytd                   ttyra
        autofs_control          ptyte                   ttyrb
        autofs_nowait           ptytf                   ttyrc
        bpf0                    ptyu0                   ttyrd
        bpf1                    ptyu1                   ttyre
        bpf2                    ptyu2                   ttyrf
        bpf3                    ptyu3                   ttys0

(your results, in terms of what "ls" shows, may vary).

> Do I need to install Xcode to get the /dev folder?

No.  Mac OS X is a UN*X, so it has /dev as a standard feature, and won't work without it.

> Any other reason why it wouldn't work in admin, but does in root?

Because, in *BSD and Mac OS X, in order to capture network traffic, an application or library needs to open a BPF 
device, and, in Mac OS X, the BPF devices, by default, are owned by root, group wheel, and only openable by the owner.

The Wireshark 1.6.x installer will install the ChmodBPF startup item, attempt to add you to the group access_bpf, and 
run the startup item, which should make the BPF devices that exist, at the time it's run, owned by group access_bpf and 
readable and writable by the group.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
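As an added illustration of the two requirements described in the reply above (the ChmodBPF startup item must be root:wheel with no group or other write bit, and the /dev/bpf* devices must be readable and writable by a group the user belongs to), here is a small POSIX shell audit script. It is not from the original message or from Wireshark; the paths, device names and the group names root, wheel and access_bpf are the ones given in the thread, while the helper functions and the sample inputs they are tested with are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original message or from Wireshark.
# Audits the two conditions the reply describes for non-root capture on
# Mac OS X:
#   1. /Library/StartupItems/ChmodBPF and everything under it is root:wheel
#      with neither the group nor the other write bit set;
#   2. each /dev/bpf* device is group-readable and group-writable by a group
#      the current user is a member of (what ChmodBPF arranges).
# The helpers take "ls -l"-style fields so they can be exercised on
# constructed input; live_audit runs them against the real system.

# startup_item_ok MODE OWNER GROUP
# MODE is the 10-character permission field from "ls -ld" (a trailing "@" or
# "+" that Mac OS X ls appends for xattrs/ACLs is ignored by the patterns).
startup_item_ok() {
    mode=$1 owner=$2 group=$3
    [ "$owner" = root ] && [ "$group" = wheel ] || return 1
    case "$mode" in
        ?????w*)    return 1 ;;   # 6th character: group write bit set
        ????????w*) return 1 ;;   # 9th character: other write bit set
    esac
    return 0
}

# bpf_device_status MODE GROUP USER_GROUPS
# USER_GROUPS is the space-separated list printed by "id -Gn".
# Prints "owner-only" when the group lacks read+write (the Mac OS X default,
# root:wheel crw-------), "no-group-membership" when the group has access
# but the user is not in it, and "ok" when the user can open the device.
bpf_device_status() {
    mode=$1 group=$2 user_groups=$3
    case "$mode" in
        ????rw*) ;;                        # 5th/6th characters: group r and w
        *) echo owner-only; return 0 ;;
    esac
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            echo ok
            return 0
        fi
    done
    echo no-group-membership
}

# live_audit: run both checks on this machine (meaningful only on Mac OS X).
live_audit() {
    dir=/Library/StartupItems/ChmodBPF
    if [ -d "$dir" ]; then
        # The whole tree must satisfy the ownership/mode rule, not just the top.
        find "$dir" | while read -r f; do
            set -- $(ls -ld "$f")          # $1 mode, $3 owner, $4 group
            startup_item_ok "$1" "$3" "$4" ||
                echo "fix $f: needs root:wheel with no group/other write bit"
        done
    else
        echo "$dir is not installed"
    fi
    groups=$(id -Gn)
    for dev in /dev/bpf*; do
        [ -e "$dev" ] || continue
        set -- $(ls -l "$dev")             # $1 mode, $4 group
        printf '%s: %s\n' "$dev" "$(bpf_device_status "$1" "$4" "$groups")"
    done
}

# Only probe the live system when actually running on Mac OS X (Darwin).
if [ "$(uname)" = Darwin ]; then
    live_audit
fi
```

Run it as the user who cannot see interfaces; a device reported as "owner-only" means ChmodBPF has not run (or ran before that device node existed), while "no-group-membership" means the installer's attempt to add the user to access_bpf did not take effect for the current login session.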

