Getting Wireshark running on OS X Snow Leopard 10.6
Wireshark is every ubergeek’s favorite network protocol analyzer, both because it kicks main butt and because it’s free. With the recent upgrade to Snow Leopard, I finally found a need to upgrade. Then the trouble started (i.e. Wireshark didn’t work anymore). After doing a little research and scanning the support boards, I’ve got it running error-free. But as the tips I used to get it that way are spread across the interwebs, I’m assembling the step-by-step here for the rest of you Wireshark/Snow Leopard users who have just as little time on their hands as I do right now.
Step 1
Download Wireshark from here. Mount the .dmg file.
Step 2
Drag the Wireshark application icon to the handy dandy Applications alias the fine developers at Wireshark provided for you in that disk image. Then, open up the Utilities folder in the disk image, and drag the ChmodBPF folder into the StartupItems alias sitting below it. After that, open up a new Finder window and navigate to /usr/local/bin. Open up the Command Line folder in the disk image (under /Utilities) and drag those contents over to /usr/local/bin. You’ll probably have to authenticate at that point, so do so.
Step 3
Open up a terminal window and type in the following commands:
cd /Library/StartupItems
sudo chown -R root:wheel ChmodBPF
You’ll probably be asked to enter an su password. Do so. Then exit terminal.
Step 4
Go to Applications and click on Wireshark. When the application opens you’ll probably see another window open up along with it, containing a bunch of errors. Close that window. Next, select Edit, then Preferences, from the Wireshark application window. Select Name Resolution, and click the Edit button next to “SMI (MIB and PIB) paths”. Click the New button, and enter /usr/share/snmp/mibs/ in the little Directory Path popup window. Click Apply, and then Close.
Step 5
Exit Wireshark and reboot.
All should be well in network protocol analyzer-ville.
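To confirm that steps 3 and 5 took effect, here is a check added as an example; it is not part of the original post or of Wireshark. It assumes root:wheel is uid 0 / gid 0, treats group- or world-writable files inside the startup item as a problem (an added assumption), and relies on ChmodBPF acting on the /dev/bpf* capture devices; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the ChmodBPF startup item (step 3) and the BPF
# capture devices (after the reboot in step 5). Function names are hypothetical.

# Print every path under DIR that is not owned by WANT_UID:WANT_GID
# (default 0:0, i.e. root:wheel on OS X) or that is writable by group
# or others. Returns 0 if clean, 1 if anything was printed, 2 if DIR is missing.
audit_startup_item() {
    dir=$1; want_uid=${2:-0}; want_gid=${3:-0}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    bad=$(find "$dir" \( ! -uid "$want_uid" -o ! -gid "$want_gid" \
        -o \( ! -type l \( -perm -0020 -o -perm -0002 \) \) \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Count the capture devices DEV_DIR/bpf* (default /dev) that the current
# user can read. Zero means Wireshark will list no interfaces.
count_readable_bpf() {
    n=0
    for dev in "${1:-/dev}"/bpf*; do
        if [ -r "$dev" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Run the checks only where the startup item from step 2 is installed.
item=/Library/StartupItems/ChmodBPF
if [ -d "$item" ]; then
    audit_startup_item "$item" ||
        echo "ownership/permissions wrong; redo step 3: sudo chown -R root:wheel $item"
    echo "readable BPF devices: $(count_readable_bpf)"
fi
```

Any path the first function prints is one that step 3 did not fix; a count of zero from the second after a reboot means the startup item did not run.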
Editor’s note: special thanks to Nick Kleinschmidt and Dan Hale for helping out here.

October 21st, 2009 at 8:40 am
dude, I heard on facebook that there is going to be a fishing report here
October 27th, 2009 at 3:14 pm
Thanks a lot for this article, it helps me! (Nice website)
November 6th, 2009 at 8:01 am
Not working.
Wireshark opens the X11 application and then quits itself.
What else can I do?
November 6th, 2009 at 8:13 am
Don’t really know, Ami. The only thing I can suggest is to remove and reinstall, making sure you have the latest versions of everything (including X11).
November 8th, 2009 at 3:23 am
Nice work – that stupid error window that came up every time had me stumped – but you fixed it. Nice one. Now all I have to do is figure out how to make it see the VMware Fusion virtual interfaces – anyone with any ideas?
November 8th, 2009 at 9:06 am
Red…Can’t take credit for actually fixing that prob. I just found the fix buried deep in a forum and made it more prominent (if you can call this post prominent)
Glad it worked out. Wish I knew anything about VMware.
November 8th, 2009 at 6:41 pm
Hi,
I have just installed WS on my mac and applied the fix suggested here.
For some reason, no interface is showing when going to “Capture > Interface…”
If I run “wireshark -i en0” from the command line, it just crashes with an “Illegal Instruction” error.
Wondering if you have already come across this error?
Thanks.
November 8th, 2009 at 6:52 pm
Did you install as prescribed above, or just apply the fix from step 4? Everything moved to the right places?
I couldn’t get interfaces to show until I discovered step 3.
November 8th, 2009 at 7:30 pm
he he he, I’ve just realised I installed WS PPC instead of the Intel version. Now everything looks fine and dandy.
Many thanks!
November 16th, 2009 at 3:28 pm
Thanks for the advice. However, I’m having trouble locating /usr/local/bin… where would this be? Thanks!
November 16th, 2009 at 3:34 pm
@Dan – should be able to see from terminal – /usr starts at the root level. You might want to log in “su”. If you are trying from Finder, you’ll need to show hidden folders – you can use TinkerTool or Onyx to do that.
November 16th, 2009 at 10:52 pm
OK, I got to usr/local, but there’s no bin folder. Should I create one?
November 17th, 2009 at 12:37 am
Sooner or later something else will wind up needing it, so go ahead. Just make sure you’re logged in su when you do so.
November 17th, 2009 at 9:50 am
After 3 days of confusion, you’ve helped me a ton here Michael. I’m up and running perfectly, and even learned a few things about the command line while I was at it. Thanks a million.
November 17th, 2009 at 10:06 am
You’re welcome, Dan. Glad you got it working!
November 17th, 2009 at 7:58 pm
I had figured out most of this on my own except for the wheel group at step 3.
It took a reboot for the chown to take effect for me.
Thanks a lot!
November 25th, 2009 at 6:16 pm
Michael, I just wanted to say THANK YOU.
This worked like a charm for me and now I can continue from grad research, this will be cited accordingly.
Much appreciated!!
November 27th, 2009 at 4:03 pm
Paul – You’re welcome!
December 6th, 2009 at 10:57 am
I’d suggest changing the text on point 5:
“Exit Wireshark and restart.”
to
“Exit Wireshark and restart COMPUTER”
or
“Exit Wireshark and reboot”
It didn’t work for me till I thought … “hm… doesn’t the startup item need to be _started_ first ?”.
Thanks a bunch for the writeup!
December 6th, 2009 at 3:03 pm
hb – Good idea. Done. Thanks!
December 8th, 2009 at 5:26 am
Slightly off topic – I’m trying to get two instances of Wireshark running simultaneously. Easy to do in Linux or PC, but in OS-X? Do I need to play with the command line or is there a simple way? Sorry – all new to this Mac thing (after a 20-year hiatus)
December 17th, 2009 at 8:18 am
Thank you! I needed that help on fixing the security, now it is working like a charm!
chris
January 2nd, 2010 at 10:49 am
Hello
Thanks a lot for your help with this tutorial
Regards
January 18th, 2010 at 12:41 pm
Forgive my ignorance – but i’m trying to use Wireshark to learn a little about network protocols.
I’ve just upgraded my MacBook to 10.6.
I can’t find any folder called /usr/local/bin.
Any suggestions?
January 18th, 2010 at 12:47 pm
Matt – Are you able to view hidden folders? Just asking, because it is hidden. If that’s the case you’ll need a tool like Onyx or TinkerTool to view the hidden folders first.
If it just plain doesn’t exist, create it. At the minimum, /usr/local should be there. Put bin under that.
January 23rd, 2010 at 12:37 am
Matt/Michael – The installation instructions state the location of the Command Line folder can be ‘$HOME/bin, /usr/local/bin, /opt/wireshark/bin or any other location that makes sense (preferably one that’s in your PATH).’ I used /usr/bin, since it was in the PATH variable when I ran the command ‘set’ at the command line.
Also, with the Snow Leopard Finder (not sure about previous versions), you can use Go -> Go to Folder and put in /usr and see the folder structure without other utilities.
chris
February 3rd, 2010 at 1:20 pm
To clear up some confusion, navigating to /usr/local/bin in the Finder is only possible if
A. You have altered your Finder to show all files by typing this into terminal: defaults write com.apple.Finder AppleShowAllFiles YES
and
B. /usr/local/bin exists, which it didn’t for me.
How about this instead:
Execute from the terminal:
sudo cp -R /Volumes/Wireshark/Utilities/Command\ Line/ /usr/local/fin
That will create /usr/local/bin if it doesn’t exist, and doesn’t require seeing too much in Finder (I like being able to see hidden files, but hate seeing all the ._DS_Store garbage)
February 3rd, 2010 at 8:35 pm
er whoops: that should read
sudo cp -R /Volumes/Wireshark/Utilities/Command\ Line/ /usr/local/bin
*bin* not fin. Artifact from my test.