Wireshark-bugs: [Wireshark-bugs] [Bug 11659] On OS X using pseudo interface pktap can result in

Date: Fri, 30 Oct 2015 20:48:42 +0000

Comment # 2 on bug 11659 from
Hello Guy,

As I was writing the initial description I could not help thinking of the old joke:

> Patient says to Doctor: "It hurts when I do this."
> Doctor says to Patient: "Don't do that."

And I concur that it is NOT a good idea to run TShark/Wireshark as root.  As
a general rule I do not sudo dumpcap, tshark or Wireshark.  In this case I made
an exception as I was simply trying to document what can get us into this state
and what's needed to get us out of this state (short of a reboot!).  It's
possible to get into this state simply by using OS X's tcpdump.  I was
surprised and perhaps a bit annoyed that we have to "sudo tcpdump" in order to
use the documented but hidden OS X pktap and iptap interfaces but not the
visible interfaces (like en0).

I believe I had actually seen this particular Wireshark initializing hang quite
some time ago on a coworker's system, but at the time I could not figure out
how he got his system into that state.  If I recall correctly we ultimately
rebooted his OS X system and that restored normal Wireshark functionality.

In my case, to help identify the source of some outbound packets, I opted to
use OS X's sudo tcpdump because I wanted to use the pktap interface in order to
have the pcapng process info blocks saved to the tcpdump-created capture file.
I happened to have a copy of Qt Wireshark open at the Welcome screen when I
started the "sudo tcpdump -w mycap.pcapng" process.  That's when I spotted the
previously unseen "pktap0" interface.  Rather than watch the packets in real
time with Wireshark capturing on the "en0" interface (as I had been doing) I
instead selected the "pktap0" interface.  When I finally felt I had captured
the packets I had been looking for I stopped the "tcpdump" process first and
then the Wireshark capture.  That's when I triggered this issue.  In several
earlier tests I had stopped capturing in Wireshark first and then tcpdump.
When stopping Wireshark first I did not trigger the issue.

FWIW: It's actually pretty neat to see the pktap0 interface dynamically show up
and disappear in Qt Wireshark's Welcome screen each time the "sudo tcpdump" command
is started and stopped!
