Getting Wireshark running on OS X Snow Leopard 10.6
Wireshark is every ubergeek’s favorite network protocol analyzer, both because it kicks main butt and because it’s free. With the recent upgrade to Snow Leopard, I finally found a need to upgrade. Then the trouble started (i.e. Wireshark didn’t work anymore). After doing a little research and scanning the support boards, I’ve got it running error free. But as the tips I used to get it that way are spread across the interwebs, I’m assembling the step-by-step here for the rest of you Wireshark/Snow Leopard users who have just as little time on their hands as I do right now.
Step 1
Download Wireshark from here. Mount the .dmg file.
Step 2
Drag the Wireshark application icon to the handy dandy Applications alias the fine developers at Wireshark provided for you in that disk image. Then, open up the Utilities folder in the disk image, and drag the ChmodBPF folder into the StartupItems alias sitting below it. After that, open up a new finder window and navigate to /usr/local/bin. Open up the Command Line folder in the disk image (under /Utilities) and drag those contents over to /usr/local/bin. You’ll probably have to authenticate at that point, so do so.
Step 3
Open up a terminal window and type in the following commands:
cd /Library/StartupItems
sudo chown -R root:wheel ChmodBPF
You’ll probably be asked to enter your password for sudo. Do so. Then exit Terminal.
Step 4
Go to Applications and click on Wireshark. When the application opens you’ll probably see another window open up along with it containing a bunch of errors. Close that window. Next, select Edit then Preferences from the Wireshark application window. Select Name Resolution, and click the Edit button next to “SMI (MIB and PIB) paths”. Click the New button, and enter /usr/share/snmp/mibs/ in the little Directory Path popup window. Click Apply, and then Close.
Step 5
Exit Wireshark and reboot.
All should be well in network protocol analyzer-ville.
Editor’s note: special thanks to Nick Kleinschmidt and Dan Hale for helping out here.
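A quick check of what steps 2, 3 and 5 should leave behind (an added example, not part of the original post or of Wireshark): it flags anything under the startup item that is not owned by root:wheel or is group- or world-writable, then counts the /dev/bpf* devices your user can read. The function names are made up here, and treating writable entries as a failure is an assumption about the "proper security settings" check.

```shell
#!/bin/sh
# Added example: audit the ChmodBPF startup item and the BPF devices.
# Function names are hypothetical; uid 0 is root and gid 0 is wheel on OS X.

# entry_ok MODE UID GID: succeed only for root:wheel entries that are
# not writable by group or other (assumed to be what SystemStarter wants).
entry_ok() {
    [ "$2" = 0 ] && [ "$3" = 0 ] || return 1
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # 6th char = group w, 9th = other w
    esac
    return 0
}

# audit_listing: read `ls -ldn` lines on stdin, print every offending entry.
audit_listing() {
    while read -r mode links uid gid rest; do
        [ -n "$mode" ] || continue
        if ! entry_ok "$mode" "$uid" "$gid"; then
            echo "FIX: $mode $uid:$gid $rest"
        fi
    done
}

# audit_startup_item DIR: list DIR and its contents with numeric ids.
audit_startup_item() {
    find "$1" -exec ls -ldn {} \; | audit_listing
}

# bpf_readable [DIR]: count bpf* device nodes the current user can read.
bpf_readable() {
    n=0
    for dev in "${1:-/dev}"/bpf*; do
        [ -r "$dev" ] && n=$((n + 1))
    done
    echo "$n"
}

ITEM=/Library/StartupItems/ChmodBPF
if [ -d "$ITEM" ]; then
    audit_startup_item "$ITEM"      # no output means step 3 took effect
    echo "readable bpf devices: $(bpf_readable)"
fi
```

Any FIX line points back to step 3; a count of 0 readable devices means the startup item has not run yet, which is what the reboot in step 5 is for.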
October 21st, 2009 at 8:40 am
dude, I heard on facebook that there is going to be a fishing report here
October 27th, 2009 at 3:14 pm
Thanks a lot for this article, it helps me ! (Nice website)
November 6th, 2009 at 8:01 am
Not working.
The Wireshark opens the X11 application and then quits itself.
What else can I do?
November 6th, 2009 at 8:13 am
Don’t really know, Ami. The only thing I can suggest is to remove and reinstall, making sure you have the latest versions of everything (including X11).
November 8th, 2009 at 3:23 am
Nice work – that stupid error window that came up every time had me stumped – but you fixed it. Nice one. Now all I have to do is figure out how to make it see the VMware Fusion virtual interfaces – anyone with any ideas?
November 8th, 2009 at 9:06 am
Red…Can’t take credit for actually fixing that prob. I just found the fix buried deep in a forum and made it more prominent (if you can call this post prominent)
Glad it worked out. Wish I knew anything about VMware.
November 8th, 2009 at 6:41 pm
Hi,
I have just installed WS on my mac and applied the fix suggested here.
For some reasons, no interface is showing when going to “Capture > Interface…”
If I run “wireshark -i en0” from the command line, it just crashes with an “Illegal Instruction” error.
Wondering if you have already come across this error?
Thanks.
November 8th, 2009 at 6:52 pm
Did you install as prescribed above, or just apply the fix from step 4. Everything moved to the right places?
I couldn’t get interfaces to show until I discovered step 3.
November 8th, 2009 at 7:30 pm
he he he, I’ve just realised I installed WS PPC instead of the Intel version. Now everything looks fine and dandy.
Many thanks!
November 16th, 2009 at 3:28 pm
thanks for the advice. however i’m having trouble locating /usr/local/bin…where would this be? thanks!
November 16th, 2009 at 3:34 pm
@Dan – should be able to see from terminal – /usr starts at the root level. You might want to log in “su”. If you are trying from Finder, you’ll need to show hidden folders – you can use TinkerTool or Onyx to do that.
November 16th, 2009 at 10:52 pm
OK, I got to usr/local, but there’s no bin folder. should I create one?
November 17th, 2009 at 12:37 am
Sooner or later something else will wind up needing it, so go ahead. Just make sure you’re logged in su when you do so.
November 17th, 2009 at 9:50 am
After 3 days of confusion, you’ve helped me a ton here Michael. I’m up and running perfectly, and even learned a few things about the command line while I was at it. Thanks a million.
November 17th, 2009 at 10:06 am
You’re welcome, Dan. Glad you got it working!
November 17th, 2009 at 7:58 pm
I had figured out most of this on my own except for the wheel group at step 3.
It took a reboot for the chown to take effect for me.
Thanks a lot!
November 25th, 2009 at 6:16 pm
Michael, I just wanted to say THANK YOU.
This worked like a charm for me and now I can continue from grad research, this will be cited accordingly.
Much appreciated!!
November 27th, 2009 at 4:03 pm
Paul – You’re welcome!
December 6th, 2009 at 10:57 am
I’d suggest changing the text on point 5:
“Exit Wireshark and restart.”
to
“Exit Wireshark and restart COMPUTER”
or
“Exit Wireshark and reboot”
It didn’t work for me till I thought … “hm… doesn’t the startup item need to be _started_ first ?”.
Thanks a bunch for the writeup!
December 6th, 2009 at 3:03 pm
hb – Good idea. Done. Thanks!
December 8th, 2009 at 5:26 am
Slightly off topic – I’m trying to get two instances of wireshark running simultaneously. Easy to do in Linux or PC, but in OS-X? Do I need to play with the command line or is there a simple way? Sorry – all new to this Mac thing (after a 20-year hiatus)
December 17th, 2009 at 8:18 am
Thank you! I needed that help on fixing the security, now it is working like a charm!
chris
January 2nd, 2010 at 10:49 am
Hello
Thanks a lot for your help with this tutorial
Regards
January 18th, 2010 at 12:41 pm
Forgive my ignorance – but i’m trying to use Wireshark to learn a little about network protocols.
I’ve just upgraded my MacBook to 10.6.
I can’t find any folder called /usr/local/bin.
Any suggestions?
January 18th, 2010 at 12:47 pm
Matt – Are you able to view hidden folders? Just asking, because it is hidden. If that’s the case you’ll need a tool like Onyx or TinkerTool to view the hidden folders first.
If it just plain doesn’t exist, create it. At the minimum, /usr/local should be there. Put bin under that.
January 23rd, 2010 at 12:37 am
Matt/Michael – The installation instructions state the location of the Command Line folder can be ‘$HOME/bin, /usr/local/bin, /opt/wireshark/bin or any other location that makes sense (preferably one that’s in your PATH).’ I used /usr/bin, since it was in the PATH variable when I ran the command ‘set’ at the command line.
Also, with the Snow Leopard Finder (not sure about previous versions), you can use Go -> Go to Folder and put in /usr and see the folder structure without other utilities..
chris
February 3rd, 2010 at 1:20 pm
To clear up some confusion, navigating to /usr/local/bin in the Finder is only possible if
A. You have altered your finder to show all files by typing this into terminal: defaults write com.apple.Finder AppleShowAllFiles YES
and
B. /usr/local/bin exists, which it didn’t for me.
how about this instead:
Execute from the terminal:
sudo cp -R /Volumes/Wireshark/Utilities/Command\ Line/ /usr/local/fin
That will create /usr/local/bin if it doesn’t exist, and doesn’t require seeing too much in finder (I like being able to see hidden files, but hate seeing all the ._DS_Store garbage)
February 3rd, 2010 at 8:35 pm
er whoops: that should read
sudo cp -R /Volumes/Wireshark/Utilities/Command\ Line/ /usr/local/bin
*bin* not fin. artifact from my test..
February 19th, 2010 at 5:54 am
Michael, thanks for the help !!!
February 22nd, 2010 at 2:30 pm
Thank you very much. Five steps and it worked fine for me.
February 24th, 2010 at 8:44 pm
People, there must be a better way!
February 25th, 2010 at 4:54 pm
I’m a tard and I figured it out thanks to the clear and precise instructions. Thanks again!
March 1st, 2010 at 2:25 pm
Doesn’t work for me. I get same symptom as another listed – X11 opens but Wireshark terminates before I can change preferences as instructed. Anyone else see this behavior and have a clue?
March 1st, 2010 at 4:52 pm
I still had Wireshark crashing immediately on execution until I found a bug report that advised deleting ~/.fontconfig/. Now it works.
March 2nd, 2010 at 1:32 pm
Eric, your advice worked! Thanks.
March 3rd, 2010 at 1:20 pm
Eric and Jon: Could you please tell me where I find ~/.fontconfig/.
I am having the same problem and want to try your solution.
March 3rd, 2010 at 11:31 pm
Wireshark did not work when I first installed it. This guide worked for me after following all steps and THEN rebooting.
FYI.. to view /usr/local/bin/, you have to enable ‘hidden folders’
at the terminal, type: defaults write com.apple.finder AppleShowAllFiles -bool true
then, killall Finder
to hide files again, replace true with false
March 29th, 2010 at 12:54 pm
Wow! I figured the permissions part out, but the paths is where I sorta missed the boat. Glad you found the solution and shared it! I have a lab for school that requires WireShark and I was getting a little panicked when I couldn’t load in an interface last night after installing the software.
Thanks a bunch!!
March 31st, 2010 at 2:56 pm
Thank you for that advice, it helped me to get it running.
Once again, thank you.
March 31st, 2010 at 4:31 pm
Gurts,
It’s hidden. See http://www.tipstrs.com/tip/1052/Show-hidden-files-in-the-Mac-finder for instructions on showing hidden files in the Finder. Once you do that, .fontconfig will appear in your user folder. For example, on my machine it’s in /Users/jon
Hope this helps.
Jon
April 1st, 2010 at 1:10 am
I know I’m doing something stupid, but I’ve installed Wireshark 1.2.6 twice now, done all the magic incantations (which I wouldn’t have had a clue about but for the above), and I still can’t get any interfaces to show. The Network Preferences show that an IP address has been allocated, and that the Mac is (theoretically) on a duplex GbE connection, but Wireshark still won’t play.
regards
Geoff
(whose last Mac ran OS8 and who’s just had a twelve-year Windows break before buying his latest one)
April 1st, 2010 at 1:11 am
Should have said I’m running Snow Leopard 10.6.2
Geoff
April 7th, 2010 at 8:09 pm
Thanks for this info… it helped me install wireshark in a jam quickly.
April 13th, 2010 at 1:42 am
Thanks, really useful!
April 15th, 2010 at 11:34 am
Thanks – worked like a charm!
April 19th, 2010 at 3:49 pm
This is great! Worked well. Thanks for the help.
May 2nd, 2010 at 10:45 am
Hey you forgot something :
https://www.wireshark.org/lists/wireshark-users/200909/msg00168.html
I didn’t even have to respect step 4 and step 5. It works just like that.
May 9th, 2010 at 3:56 am
Hi
I get this error message after completing the tasks as per your guide notes (on Snow Leopard 10.6.3)
“/Library/StartupItems/ChmodBPF” has not been started because it does not have the proper security settings.
When I launch Wireshark it fires up X11 and then both disappear.
The information panel on the folder has my name in the permissions and I have tried all three of the options; read only, read-write, write to Public and all three generate the same error message at start up.
Wonder if you have any suggestions
thanks and regards
ja
May 18th, 2010 at 9:30 pm
Legend!
Thanks heapz.
May 23rd, 2010 at 8:57 pm
To do this without having to reboot, add the following line to step 3:
sudo /sbin/SystemStarter start ChmodBPF
As per this posting: http://www.wireshark.org/lists/wireshark-users/200909/msg00168.html
June 3rd, 2010 at 4:15 pm
I don’t have a folder /usr/local/bin/. Now what? I’m running v 10.6.3.
June 3rd, 2010 at 4:21 pm
Sure you just can’t see it? It is hidden by default. If you are positive, just create /local/bin/ under /usr. Or you can just create a folder under /usr called /whatever and go from there.
June 3rd, 2010 at 7:33 pm
I’m new to OSX. (obvious, right?)
How can I “unhide” it?
June 3rd, 2010 at 7:40 pm
Disregard. I googled it and found out how to show all folders. I still don’t have a /usr/local/bin. I will try your earlier recommendations.
June 3rd, 2010 at 7:53 pm
Now I cannot create folders in /usr/ or any other hidden folder it seems.
June 3rd, 2010 at 8:45 pm
Cameron, not a problem that you’re unfamiliar with the OS. But, you are starting to stray into territory (user permissions, etc.) that is beyond the scope of this tutorial. The best suggestion I can offer is finding someone who can sit with you for an hour and explain the UNIX guts of your Mac – otherwise you are going to run into these issues constantly.
June 4th, 2010 at 11:46 am
I agree. Unfortunately I am usually the tutor not the student, so finding a mentor familiar with unix may prove a challenge. Perhaps I will look for a book or video tutorial. At any rate, thanks anyway. I’ll be back for this tutorial once I figure out the permissions thing.
June 14th, 2010 at 4:02 pm
Just found your article the other night when I was reading through Laura Chappell’s new Wireshark Network Analysis book. This worked wonders. Thanks
July 18th, 2010 at 8:20 am
Thanks for this – worked a charm!
July 29th, 2010 at 5:27 pm
Nice tipsheet. Exactly what I needed to know!
August 30th, 2010 at 5:44 am
Thanks! The information helps my wireshark work immediately.