Wireshark-bugs: [Wireshark-bugs] [Bug 11659] New: On OS X using pseudo interface pktap can resul

Date: Fri, 30 Oct 2015 19:03:47 +0000
Bug ID 11659
Summary On OS X using pseudo interface pktap can result in message: pcap_cleanup_pktap_interface: ioctl(SIOCIFDESTROY) fail - Operation not permitted
Product Wireshark
Version unspecified
Hardware x86
OS Mac OS X 10.10
Status UNCONFIRMED
Severity Normal
Priority Low
Component Extras
Assignee [email protected]
Reporter [email protected]

Build Information:
Wireshark 2.1.0-313-g2014eb0 (v2.1.0rc0-313-g2014eb0 from unknown)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
libz 1.2.5, with GLib 2.36.0, with SMI 0.4.8, without c-ares, without ADNS, with
Lua 5.2, with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP,
with QtMultimedia, without AirPcap.

Running on Mac OS X 10.10.5, build 14F1021 (Darwin 14.5.0), with locale C, with
libpcap version 1.5.3 - Apple version 47, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).

--
I'll preface this report by stating that I suspect the root cause for
triggering the following error message will likely have to be fixed by Apple. 
But Wireshark likely should try to defend itself from hanging when encountering
this condition.

Under certain scenarios use of the OS X "pktap0" interface by Wireshark or
tcpdump will trigger an error message when a capture is stopped.

Wireshark's and tshark's version of the error message is:

> Unknown message from dumpcap, try to show it as a string: pcap_cleanup_pktap_interface: ioctl(SIOCIFDESTROY) fail - Operation not permitted

While dumpcap's and tcpdump's version is simply:

> pcap_cleanup_pktap_interface: ioctl(SIOCIFDESTROY) fail - Operation not permitted

After dismissing the error message window in Wireshark you can usually save the
newly created "pktap0" capture file.  But afterwards Wireshark itself will
usually lock up and must be killed to exit.  If Wireshark is still responsive
after closing the capture file no new capture can be started so Wireshark must
be restarted.   Upon restarting, Wireshark will stall during its "initializing
..." step.

This condition appears to be triggered by a specific sequence of events.  

1 - Start a capture on OS X's hidden "pktap" interface using sudo tcpdump, sudo
dumpcap -i pktap, sudo tshark -i pktap or even sudo Wireshark -i pktap.

OS X's version of tcpdump defaults to opening the hidden "pktap" interface if
no interface is explicitly selected, but you must be running sudo to do so. 
(See man page snippet below.)  Once a sudo process has opened up the hidden
"pktap" interface, a new "pktap0" interface will become visible that can be
opened like any other interface. 

2 - While the first capture process is running start a second capture process
using tcpdump -i pktap0, dumpcap -i pktap0, tshark -i pktap0 or Wireshark (and
select the now visible OS X "pktap0" interface).  

At this point there are now two concurrent captures running; the first running
sudo using the pktap interface, and the second NOT running sudo using the
pktap0 interface. 

3 - Stop the first capture process (the one started with sudo that was
capturing on the hidden pktap interface).

The second capture process will continue to successfully capture newly arriving
packets on the pktap0 interface.

4 - Stop the second capture process.

At this point the error message listed above will be displayed.  Apparently the
non-sudo process does not have permission to properly "clean up" the pktap0
interface.

Subsequent attempts to list the available interfaces using tcpdump -D and
dumpcap -D will successfully list all the available interfaces (including the
pktap0 interface) after first displaying the error message.

Attempts to do the same with tshark -D or wireshark -D will result in no
interface list and just the error message.

You can resume capturing on the pktap0 interface with tcpdump, dumpcap or
tshark by using the -i pktap0 option, but attempts to start wireshark -i pktap0
will cause Wireshark to hang on startup with the status message: "Please wait
while Wireshark is initializing ..."

One way to get the pktap interface out of this state (which will allow you
to resume using wireshark) is to request an interface list while running sudo. 
Any of the following commands can be used to clear the pktap interface: sudo
tcpdump -D, sudo dumpcap -D, sudo tshark -D, and even sudo wireshark -D.  

Note that the list of interfaces displayed by sudo wireshark -D command will
include the "pktap0" interface, but if you immediately do another wireshark -D
(or even sudo wireshark -D) there will no longer be a "pktap0" interface
listed.

One might ask, what is this hidden "pktap" interface?

Apple includes a modified version of tcpdump with OS X.  Tcpdump on more recent
versions of OS X (apparently starting with Mavericks (10.9)) supports a pseudo
interface called pktap.  The man page for tcpdump on OS X 10.10.5 reports the
following:

<snip>
> -i   Listen on interface.
>
>      If the -D flag is supported, an interface number as  printed  by
>      that flag can be used as the interface argument.
>
>      On  Darwin  systems  version  13 or later, when the interface is
>      unspecified, tcpdump will use  a  pseudo  interface  to  capture
>      packets  on  a  set  of  interfaces  determined  by  the  kernel
>      (excludes by default loopback and tunnel interfaces).
>
>      Alternatively, to capture on more than one interface at a  time,
>      one  may  use  "pktap" as the interface parameter followed by an
>      optional list of comma separated  interface  names  to  include.
>      For example, to capture on the loopback and en0 interface:
>
>             tcpdump -i pktap,lo0,en0
>
>      An  interface  argument  of  "all" or "pktap,all" can be used to
>      capture packets from all interfaces, including loopback and tun-
>      nel interfaces.
>
>      A  pktap pseudo interface provides for packet metadata using the
>      default PKTAP data link type and files are written in the  Pcap-
>      ng file format.  The RAW data link type must be used to force to
>      use the legacy pcap-savefile(5) file format with a pktap  pseudo
>      interface.   Note that captures on a pktap pseudo interface will
>      not be done in promiscuous mode.
<snip>

Interestingly the bleeding edge version of tcpdump/libpcap from tcpdump.org
does not generate this error message when OS X is in the state where the two
capture processes have been stopped and pktap0 interface is visible.
