Michael Gracie

Getting Wireshark running on OS X Snow Leopard 10.6

Wireshark is every fly fisher who’s missing the fall brown run’s ubergeek’s favorite network protocol analyzer, both because it kicks main butt, and it’s free. With the recent upgrade to Snow Leopard, I finally found a need to upgrade. Then the trouble started (i.e. Wireshark didn’t work anymore). After doing a little research and scanning the support boards, I’ve got it running error free. But as the tips I used to get it that way are spread across the interwebs, I’m assembling the step-by-step here for the rest of you streamer-obsessed knuckleheads who are breaking fly rods over their knees as we speak Wireshark/Snow Leopard users who have just as little time on their hands as I do right now.

Step 1

Download Wireshark from here. Mount the .dmg file.

Step 2

Drag the Wireshark application icon to the handy dandy Applications alias the fine developers at Wireshark provided for you in that disk image. Then, open up the Utilities folder in the disk image, and drag the ChmodBPF folder into the StartupItems alias sitting below it. After that, open up a new Finder window and navigate to /usr/local/bin. Open up the Command Line folder in the disk image (under /Utilities) and drag those contents over to /usr/local/bin. You’ll probably have to authenticate at that point, so do so.

Step 3

Open up a terminal window and type in the following commands:

cd /Library/StartupItems
sudo chown -R root:wheel ChmodBPF

You’ll probably be asked for your administrator password by sudo. Enter it, then exit Terminal.

Step 4

Go to Applications and click on Wireshark. When the application opens you’ll probably see another window open up along with it containing a bunch of errors. Close that window. Next, select Edit then Preferences from the Wireshark application window. Select Name Resolution, and click the Edit button next to “SMI (MIB and PIB) paths”. Click the New button, and enter /usr/share/snmp/mibs/ in the little Directory Path popup window. Click Apply, and then Close.

Step 5

Exit Wireshark and reboot.

All should be well in network protocol analyzer-ville.

Editor’s note: special thanks to Nick Kleinschmidt and Dan Hale for helping out here.

UPDATE: Please note that these instructions applied to Wireshark Version 1.2.2 (SVN Rev 29910), and several comments have suggested that newer versions of Wireshark may no longer support libSMI. For this issue I can only suggest checking the Wireshark user guide and/or the wiki.
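
The ownership change in step 3 matters because OS X will not run a startup item it considers insecure, which is the “has not been started because it does not have the proper security settings” message quoted in the comments below. The script here is an added example, not part of the original post or of Wireshark: it audits a startup item directory before you reboot. The function name, the numeric-id defaults (uid 0 for root, gid 0 for wheel) and the rule that nothing may be writable by group or others are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a StartupItems directory such as ChmodBPF.
# Assumption: an item is accepted only when everything in it is owned by
# root (uid 0) and group wheel (gid 0 on OS X) and nothing in it is
# writable by group or others.

# audit_startup_item DIR [UID] [GID]
#   returns 0 = clean, 1 = findings printed, 2 = DIR missing
audit_startup_item() {
    dir=$1
    want_uid=${2:-0}   # numeric ids, so the check does not depend on names
    want_gid=${3:-0}

    if [ ! -d "$dir" ]; then
        echo "MISSING   $dir"
        return 2
    fi

    # Entries whose owner or group differs from the expected ids.
    bad_owner=$(find "$dir" \( ! -user "$want_uid" -o ! -group "$want_gid" \) -print)

    # Entries writable by group or others. Symlink mode bits say nothing
    # about the target, so symlinks are skipped.
    bad_mode=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)

    status=0
    if [ -n "$bad_owner" ]; then
        echo "$bad_owner" | sed 's/^/OWNER     /'
        status=1
    fi
    if [ -n "$bad_mode" ]; then
        echo "$bad_mode" | sed 's/^/WRITABLE  /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK        $dir"
    else
        echo "fix with: sudo chown -R root:wheel \"$dir\" && sudo chmod -R go-w \"$dir\""
    fi
    return "$status"
}

# Run against the item from step 2 when the script is given a path, e.g.
#   sh audit_startup_item.sh /Library/StartupItems/ChmodBPF
if [ "$#" -gt 0 ]; then
    audit_startup_item "$@"
fi
```

A clean result means the item should be picked up at the next boot; any OWNER or WRITABLE line names the entry to repair first.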

Comments

Matt Dunn says:

dude, I heard on facebook that there is going to be a fishing report here

Yanikikdon says:

Thanks a lot for this article, it helps me ! (Nice website)

[…] Michael Gracie has scavenged the net for a solution, and found […]

[…] This post was mentioned on Twitter by Sam Hunt, toberl. toberl said: How to get #Wireshark working on Snow Leopard http://bit.ly/oOt3c […]

Ami says:

Not working.
The Wireshark opens the X11 application and then quits itself.
What else can I do?

Don’t really know, Ami. The only thing I can suggest is to remove and reinstall, making sure you have the latest versions of everything (including X11).

Rednectar says:

Nice work – that stupid error window that came up every time had me stumped – but you fixed it. Nice one. Now all I have to do is figure out how to make it see the VMware Fusion virtual interfaces – anyone with any ideas?

Red…Can’t take credit for actually fixing that prob. I just found the fix buried deep in a forum and made it more prominent (if you can call this post prominent) 🙂

Glad it worked out. Wish I knew anything about VMware.

Eric says:

Hi,
I have just installed WS on my mac and applied the fix suggested here.
For some reason, no interface is showing when going to “Capture > Interface…”
If I run “wireshark -i en0” from the command line, it just crashes with an “Illegal Instruction” error.
Wondering if you have already come across this error?
Thanks.

Did you install as prescribed above, or just apply the fix from step 4? Everything moved to the right places?

I couldn’t get interfaces to show until I discovered step 3.

Eric says:

he he he, I’ve just realised I installed WS PPC instead of the Intel version. Now everything looks fine and dandy.
Many thanks!

Dan says:

thanks for the advice. however i’m having trouble locating /usr/local/bin…where would this be? thanks!

@Dan – should be able to see from terminal – /usr starts at the root level. You might want to log in “su”. If you are trying from Finder, you’ll need to show hidden folders – you can use TinkerTool or Onyx to do that.

Dan says:

OK, I got to usr/local, but there’s no bin folder. should I create one?

Sooner or later something else will wind up needing it, so go ahead. Just make sure you’re logged in su when you do so.

Dan says:

After 3 days of confusion, you’ve helped me a ton here Michael. I’m up and running perfectly, and even learned a few things about the command line while I was at it. Thanks a million.

You’re welcome, Dan. Glad you got it working!

Louis Munro says:

I had figured out most of this on my own except for the wheel group at step 3.
It took a reboot for the chown to take effect for me.

Thanks a lot!

Paul G. says:

Michael, I just wanted to say THANK YOU. 🙂

This worked like a charm for me and now I can continue from grad research, this will be cited accordingly. 🙂 Much appreciated!!

Paul – You’re welcome!

hb says:

I’d suggest changing the text on point 5:
“Exit Wireshark and restart.”
to
“Exit Wireshark and restart COMPUTER”
or
“Exit Wireshark and reboot”

It didn’t work for me till I thought … “hm… doesn’t the startup item need to be _started_ first ?”.

Thanks a bunch for the writeup!

hb – Good idea. Done. Thanks!

Rednectar says:

Slightly off topic – I’m trying to get two instances of wireshark running simultaneously. Easy to do in Linux or PC, but in OS-X? Do I need to play with the command line or is there a simple way? Sorry – all new to this Mac thing (after a 20-year hiatus)

Chris Denesha says:

Thank you! I needed that help on fixing the security, now it is working like a charm!

chris

pat says:

Hello

Thanks a lot for your help with this tutorial

Regards

Matt H says:

Forgive my ignorance – but i’m trying to use Wireshark to learn a little about network protocols.
I’ve just upgraded my MacBook to 10.6.
I can’t find any folder called /usr/local/bin.
Any suggestions?

Matt – Are you able to view hidden folders? Just asking, because it is hidden. If that’s the case you’ll need a tool like Onyx or TinkerTool to view the hidden folders first.

If it just plain doesn’t exist, create it. At the minimum, /usr/local should be there. Put bin under that.

Chris Denesha says:

Matt/Michael – The installation instructions state the location of the Command Line folder can be ‘$HOME/bin, /usr/local/bin, /opt/wireshark/bin or any other location that makes sense (preferably one that’s in your PATH).’ I used /usr/bin, since it was in the PATH variable when I ran the command ‘set’ at the command line.

Also, with the Snow Leopard Finder (not sure about previous versions), you can use Go -> Go to Folder and put in /usr and see the folder structure without other utilities..

chris

Ryan Aslett says:

To clear up some confusion, navigating to /usr/local/bin in the Finder is only possible if
A. You have altered your finder to show all files by typing this into terminal: defaults write com.apple.Finder AppleShowAllFiles YES
and
B. /usr/local/bin exists, which it didn’t for me.

how about this instead:

Execute from the terminal:
sudo cp -R /Volumes/Wireshark/Utilities/Command\ Line/ /usr/local/fin

That will create /usr/local/bin if it doesn’t exist, and doesn’t require seeing too much in finder (I like being able to see hidden files, but hate seeing all the ._DS_Store garbage)

Ryan Aslett says:

er whoops: that should read

sudo cp -R /Volumes/Wireshark/Utilities/Command\ Line/ /usr/local/bin

*bin* not fin. artifact from my test..

ulilo says:

Michael, thanks for the help!!!

Thank you very much. Five steps and it worked fine for me.

Chris M says:

People, there must be a better way!

Jctail says:

I’m a tard and I figured it out thanks to the clear and precise instructions. Thanks again!

Jon C says:

Doesn’t work for me. I get same symptom as another listed – X11 opens but Wireshark terminates before I can change preferences as instructed. Anyone else see this behavior and have a clue?

Eric A says:

I still had Wireshark crashing immediately on execution until I found a bug report that advised deleting ~/.fontconfig/. Now it works.

Jon C says:

Eric, your advice worked! Thanks.

Gurts says:

Eric and Jon: Could you please tell me where I find ~/.fontconfig/.
I am having the same problem and want to try your solution.

mark says:

Wireshark did not work when I first installed it. This guide worked for me after following all steps and THEN rebooting.

FYI.. to view /usr/local/bin/, you have to enable ‘hidden folders’

at the terminal, type: defaults write com.apple.finder AppleShowAllFiles -bool true
then, killall Finder

to hide files again, replace true with false

eromitlab says:

Wow! I figured the permissions part out, but the paths is where I sorta missed the boat. Glad you found the solution and shared it! I have a lab for school that requires WireShark and I was getting a little panicked when I couldn’t load in an interface last night after installing the software.

Thanks a bunch!!

Peter Nilsson says:

Thank you for that advice, it helped me to get it running.
Once again, thank you.

Jon C says:

Gurts,

It’s hidden. See http://www.tipstrs.com/tip/1052/Show-hidden-files-in-the-Mac-finder for instructions on showing hidden files in the Finder. Once you do that, .fontconfig will appear in your user folder. For example, on my machine it’s in /Users/jon

Hope this helps.

Jon

Geoff says:

I know I’m doing something stupid, but I’ve installed Wireshark 1.2.6 twice now, done all the magic incantations (which I wouldn’t have had a clue about but for the above), and I still can’t get any interfaces to show. The Network Preferences show that an IP address has been allocated, and that the Mac is (theoretically) on a duplex GbE connection, but Wireshark still won’t play.

regards
Geoff
(whose last Mac ran OS8 and who’s just had a twelve-year Windows break before buying his latest one)

Geoff says:

Should have said I’m running Snow Leopard 10.6.2
Geoff

DJEphoric says:

Thanks for this info… it helped me install wireshark in a jam quickly.

Paolo says:

Thanks, really useful!

Guy Argo says:

Thanks – worked like a charm!

Bob Printis says:

This is great! Worked well. Thanks for the help.

Vincent R. says:

Hey you forgot something :
https://www.wireshark.org/lists/wireshark-users/200909/msg00168.html

I didn’t even have to respect step 4 and step 5. It works just like that.

Jalise says:

Hi

I get this error message after completing the tasks as per your guide notes (on Snow Leopard 10.6.3)

“/Library/StartupItems/ChmodBPF” has not been started because it does not have the proper security settings.

When I launch Wireshark it fires up X11 and then both disappear.

The information panel on the folder has my name in the permissions and I have tried all three of the options; read only, read-write, write to Public and all three generate the same error message at start up.

Wonder if you have any suggestions
thanks and regards
ja

Adam Dennis says:

Legend!

Thanks heapz.

[…] Wireshark on Mac OS X Snow Leopard Here’s a link to get wireshark installed and working on Snow […]

Matt Dorn says:

To do this without having to reboot, add the following line to step 3:

sudo /sbin/SystemStarter start ChmodBPF

As per this posting: http://www.wireshark.org/lists/wireshark-users/200909/msg00168.html

Cameron says:

I don’t have a folder /usr/local/bin/. Now what? I’m running v 10.6.3.

Sure you just can’t see it? It is hidden by default. If you are positive, just create /local/bin/ under /usr. Or you can just create a folder under /usr called /whatever and go from there.

Cameron says:

I’m new to OSX. (obvious, right?) 🙂 How can I “unhide” it?

Cameron says:

Disregard. I googled it and found out how to show all folders. I still don’t have a /usr/local/bin. I will try your earlier recommendations.

Cameron says:

Now I cannot create folders in /usr/ or any other hidden folder it seems.

Cameron, not a problem that you’re unfamiliar with the OS. But, you are starting to stray into territory (user permissions, etc.) that is beyond the scope of this tutorial. The best suggestion I can offer is finding someone who can sit with you for an hour and explain the UNIX guts of your Mac – otherwise you are going to run into these issues constantly.

Cameron says:

I agree. Unfortunately I am usually the tutor not the student, so finding a mentor familiar with unix may prove a challenge. Perhaps I will look for a book or video tutorial. At any rate, thanks anyway. I’ll be back for this tutorial once I figure out the permissions thing.

J.W. says:

Just found your article the other night when I was reading through Laura Chappell’s new Wireshark Network Analysis book. This worked wonders. Thanks

Ian says:

Thanks for this – worked a charm!

Nice tipsheet. Exactly what I needed to know!

[…] needs a couple of tweaks in order to run on Mac OS X 10.6. The steps are detailed in this post. The directions assume there is already a /usr/local/bin directory on the system. You may have to […]

Homer says:

Thanks! The information helps my wireshark work immediately.

mootoh says:

needs a reboot or logout/login between step2 and step3.

Thanks for the good article!

gustavo says:

thanks for your time and for these tips

gbr8 says:

What can I do when /usr/local/bin does not exist?? I tried to open it from terminal: open -a Finder /usr/local/bin . Terminal said /usr/local/bin does not exist.

Johnny.P says:

FYI: If “wireshark-bin requires version 42.0.0 or later, but libpng12.0.dylib provides version 36.0.0” then

You have to re-install the last major update to Snow Leopard, 10.6.4. You can get the combo from http://support.apple.com/downloads I believe. This will update those libs to newer versions. Running software update won’t do it.

If you notice the X11 installer actually tells you to re-apply the last combo at the end of its installation.

Cameron says:

Michael-

Ref my comments on June 3rd and 4th. I taught myself some Linux and now I understand the commands from your tutorial (and many others). I was able to install Wireshark, create /usr/local/bin (as root), and change the ownership of ChmodBPF (again as root). In the 64-bit version of Wireshark (for 10.6.4) the MIB and PIB paths option was not supported, but Wireshark seems to capture just fine without it.

Thanks again for the tutorial and for telling me to go learn some Unix. I needed that advice to be a successful PC to Mac (and Linux) convert!

Cameron –

Glad it worked out, and that you’ve attained some useful new skills in the process.

And…you’re welcome!

MG

Nick says:

When I open up wireshark, another program called x11 opens, and it won’t let me access wireshark whatsoever. I can’t even access the preferences. I thought it might be in the x11 pref. but it wasn’t. I’ve done all the other steps, and have no idea what I’m doing wrong.

Nick – Have you waited a couple of minutes to see if WS pops up?

I’ve noticed that my launch is taking quite a long time nowadays, and it’s not isolated to Wireshark – any program requiring X11 is doing it. So it might be 10.6.5 causing the issue.

Nick says:

it’s been open for about 10 minutes now. a terminal-like window in x11 popped up titled “xterm” and its asking for some kind of input…. it says “bash-3.2$”
I need wireshark for school, so I’ve been using it through a virtual machine of windows. it works alright, but it’s kind of a pain to work through the firewall, and having to open windows every time just for wireshark. Also, when I start my computer, an error message pops up saying the startup object chmodbpf is unstable…I’m guessing this is related?

Yes it is related. Without getting into what OS X version you’re running, whether you’re logging in as an admin user, have tweaked permissions for whatever reason, whether any other X11 apps run ok, etc. etc. I’d say delete everything (including the application, the startup item, and the application support folder). Repair permissions, and then start over.

PS: Just so you know, when the terminal starts and shows a bash prompt, that means X11 is up and is awaiting a command to run the software. Type “wireshark” then hit return to see if the app runs from there.

Nick says:

okay, I’ve got it installed, but there is no interface, and when I go to name resolution, there is no edit button next to SMI. It says N/A beside it.

btw, yesterday I zeroed out my hard drive, and reinstalled mac osx (There were problems other than just wireshark). The system is completely updated, and everything’s fresh and unchanged.

Nick says:

I fixed the no interface problem (I forgot that I hadn’t executed the startupItem). I have about 6 interfaces now…not sure why, when I used it in windows 7 there was only 2 (the mac network card and the parallels virtual card). But there’s still no edit button next to the SMI field.

Not sure about your hardware, but I have four interfaces on this MacBook Pro. Click on Capture to see what, if any, has an IP address.

Nick says:

okay, out of the 6 interfaces, 3 have ip addresses. and one has a “::1” instead. my main interface is “en1”, since it has my ip address. there’s also an “en0”, which also works. But “en0” has no ip address, it just says “unknown”.

So I’m alright now since I can actually use it, although I am curious to what the other interfaces are… and why the smi edit is grayed out.

Thank you for your time, it’s very much appreciated.

“::1” is the loopback address (I think). I suspect the rest might be for ethernet, firewire, maybe bluetooth?

Nevertheless, I run on en1, which is the only one active most of the time. Glad you got it working.

Ari says:

I have the same problem as Nick. I have no EDIT next to the SMI, it’s say N/A.

Also, no interfaces showing up at all.

I am running the 64 bit version of WS, so from reading a post above, no SMI setting is okay.

Why no interfaces?

I appreciate anyone and everyone’s response.

Have you executed the startupItem?

At point 4 you say “Select Name Resolution, and click the Edit button next to SMI (MIB and PIB paths. Click the new button, and enter /usr/share/snmp/mibs/ in the little Directory Path popup window.”, but I haven’t the Edit button next to “SMI …”

Andrew Carney says:

Same here, looks like it isn’t built into this version or something stupid like that. I really just need to figure out hidden RTSP on my Mac and it’s got to be harder than rocket science. For windows there’s like 20 different free programs that are plug and play and just copy into the clipboard the link for the current active RTSP stream but Mac… OH NO, all command line hardcore type stuff that I can’t figure out 🙁

Peter Mueller says:

Hi Michael, thanks for putting this together.
I carefully followed the instructions and still had sadness (wireshark dies within seconds of starting).
I checked the console and saw the following message:
org.wireshark.Wireshark[193] /Applications/Wireshark.app/Contents/Resources/bin/wireshark: line 83: /Applications/Wireshark.app/Contents/Resources/bin/wireshark-bin: Bad CPU type in executable
I had the bright idea of checking ‘About this mac’, and voila – my ancient mini runs Intel Core Duo — I needed to go back and install the *32bit* version of wireshark.

peter says:

I have no edit button in prefs -> Name Resolution -> next to SMI (MIB and PIB paths). It says “Support for this feature was not compiled into this version” N/A. I followed all the instructions + installed the correct version (1.4.2 64bit snow leopard). And still no interface….

StRiKeR says:

I had ChmodBPF Startup error. (“Insecure Startup Item disabled. – “/Library/StartupItems/ChmodBPF”). I don’t know what is Wireshark but I did what you told then I removed Wireshark now I don’t have any error messages anymore. It works. Thank you. 🙂

Josh says:

for me, once I get to “Preferences > Name Resolution” there is no “Edit” button next to “SMI (MIB and PIB) modules and paths”, just an “N/A” why?

Check the “UPDATE” above.

Tony says:

When I go into WS Prefs to “Name Resolution”, the “SMI (MIB and PIB)” says “N/A” and there’s no way to edit it.
Any ideas?

Wireshark + OSX 10.6.6 = Success says:

So a lot of people have been having trouble running Wireshark on OSX 10.6.6, having no interfaces, and when applying the CHmodBPF, they get login errors. Not to fear! Here is how I fixed it. Install Wireshark via Macports, and when starting up Wireshark, run it with “sudo”, so your start command is “sudo wireshark”. Enter password, and all fixed! You don’t even need to keep the CHmodBPF folder in the startupitems folder for it to work.

Happy sniffing!

Everett says:

Thanks for the suggestion! I tried it and it worked like a champ! I was having trouble with libpng12.0.dylib.

However… I’m just odd and don’t like having all those extra dependencies installed just so I could have Wireshark. So I grabbed the official installer from Wireshark.org, stripped the libpng12.0.dylib from a package found at http://ethan.tira-thompson.org/Mac_OS_X_Ports.html and was almost ready to go when I hit another library error with libfreetype6.0.dylib which I pulled from FreeType 2.4.4.

Hope that helps someone else!

@Michael Gracie – Thanks for this page, it was a life saver!

Fritz says:

Thanks a bunch for this info. I had previously gotten Wireshark to work by installing via MacPorts, but when I tried to Macport it to this machine, it returned a borked checksum on some dependency that I’m too lazy to track down. Your instructions worked great (after I figured out the missing /usr/local/bin thing), and now I have a better idea of how it all works than I would’ve if I’d installed via Macports.

[…] had a terrible time trying to get Wireshark running on Snow Leopard. I found a basic guide, which never quite worked for me. After much frustration, I eventually realized that Wireshark is […]

RandomGod says:

1.44 x64 on 10.6.6 is working without Step 4!
Big THX for the Tips

Gomi says:

Everett, I’m trying to fix the library error with libfreetype6.0.dylib but I don’t know how to get it or even install it. Is there any executable package to install it? Please help me, I need wireshark for Network protocol school classes.

Look here: http://hintsforums.macworld.com/archive/index.php/t-36107.html

Gomi says:

Thanks so much Michael, great job with this page. I’ll try as soon as I can

Michelle says:

Hi Michael, I am running OSX 10.6.7. I have the same problem about not having /usr/local which Dan asked about in post November 16, 2009 at 3:28 pm. If I force my finder to display hidden files and folders via the terminal command: “defaults write com.apple.finder AppleShowAllFiles TRUE” , I still do not have /usr/local… but I do I have /usr/bin.

So in 10.6.7 is “/usr/bin” the equivalent to /usr/local/bin or could you please tell me what I am doing incorrectly or where my understanding errs?

Thanks in advance, Michelle

You’re not doing anything wrong. After unhiding your otherwise hidden folders, just create the /usr/local/bin directory you need.

Gwilym says:

Thanks a lot Michael!

Works for me on 10.6.7

I did have to create the user/local/bin folder in the terminal so I am very grateful for your recent reply to Michelle!

Thanks again.
Gwilym

Sharone says:

Hi Michael, thanx for posting this great article. I downloaded Wireshark and I’ve not managed to get past the startup window. just a quick that’s been bugging me for weeks. I get to /Library and can’t find /StartupItems in there. And as you might have guessed it, ChmodBPF file is missing. Please point me in the right direction.
Appreciated!

OS 10.6.6

Not sure what you mean by “startup screen” – can you elaborate? As for the rest, /Library/StartupItems should be right under Macintosh HD – if you are looking in the /Library folder under your user account you’re looking in the wrong place. And you have to put the ChmodBPF in there yourself.

Sharone says:

Sorry, I meant the Wireshark.app startup screen. Thanx for the response, Michael. I’ll definitely try this.

[…] Getting Wireshark running on OS X Snow Leopard is a little bit troublesome, but follow the steps here will do […]

Stephan says:

I’m having trouble figuring out how to use the Remote Capture feature on Mac 10.7.2. I’m using WireShark 1.6.4. Any advice would be greatly appreciated!

Kate Winchester says:

Hi,
I managed to download Wireshark, I’m using Mac 10.6.8
I dragged the Wireshark application icon to Applications. Then, when I open up the Utilities folder I can’t see ChmodBPF folder or StartupItems alias. What am I doing wrong?
Thanks so much for your help in advance!

This is an old tutorial, Kate, at least by technology standards. The Utilities folder isn’t even included in the latest Wireshark package for OS X (s/b 1.10.7).

Run the package installer and you should be fine right there.
