Wireshark-dev: Re: [Wireshark-dev] No interfaces in Wireshark interface list

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 20 Dec 2010 11:56:08 -0800
On Dec 20, 2010, at 10:06 AM, Michael Tüxen wrote:

> sudo chmod uog+r /dev/bpg*
> is your friend...

...and

	sudo chmod og+rw /dev/bpf*

is even friendlier. :-)  (The "f" rather than "g" in "bpf" is required; the "u" in "uog" isn't necessary, as the user read and write permissions are set by default; the "rw" rather than "r" isn't required on, I think, 10.6.3 or later, but a bug in earlier 10.6.x releases requires, in those releases, that the BPF device be opened for writing in order to see packets that your machine is sending, and that requires that you give write permission - which, for better or worse, means that it allows *sending* of raw network packets).

To arrange that this happen even after a reboot - /dev/bpf* are on devfs, which is an in-memory file system, so changes to permissions don't persist across a reboot - install the ChmodBPF startup item that comes on the Wireshark dmg.

Note that

	sudo chmod uog+rw /dev/bpf*

allows any processes run by any user to capture network traffic.  If you want to allow only processes run by you, or root, to do so, do

	sudo chown {your account's "short name"} /dev/bpf*

and if you want to allow only processes run by an administrator account, or root, to do so, do

	sudo chgrp admin /dev/bpf*
	sudo chmod g+rw /dev/bpf*

If you're on 10.6.3 or later, and you don't want to grant permission to *send* raw network packets (Wireshark doesn't currently support sending raw network packets, and permission to use BPF to send or receive packets is *not* necessary for normal network operations), just use "r" instead of "rw".
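The permission choices above (owner only, admin group, everyone; read only versus read and write) are easy to get wrong by one character, as the "bpg" typo shows. The following audit helper, added here as an example and not code from the original post or from the Wireshark project, reads `ls -l` output for the BPF devices and reports, for each device, the widest class of local users the mode bits let open it for reading (capture) and for writing (which on BPF also means sending raw packets). It changes nothing on the system; the listing it parses below is constructed sample data, and the class names it prints are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: interpret the mode bits on
# BPF devices so an administrator can see who may capture (open for read)
# and who may also inject (open for write). Nothing here modifies the system.

# bpf_access MODE
# MODE is the 10-character mode field from `ls -l`, e.g. "crw-rw----".
# Prints the widest class of non-owner access the mode grants:
#   owner-only           only the owning user (and root) can open the device
#   group-capture        group members can open it for reading
#   group-capture+send   group members can also open it for writing
#   world-capture        every local user can open it for reading
#   world-capture+send   every local user can also open it for writing
bpf_access() {
    mode=$1
    # Character positions: 1 type, 2-4 user, 5-7 group, 8-10 other.
    grp_r=$(printf '%s' "$mode" | cut -c5)
    grp_w=$(printf '%s' "$mode" | cut -c6)
    oth_r=$(printf '%s' "$mode" | cut -c8)
    oth_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$oth_w" = w ]; then
        echo world-capture+send
    elif [ "$oth_r" = r ]; then
        echo world-capture
    elif [ "$grp_w" = w ]; then
        echo group-capture+send
    elif [ "$grp_r" = r ]; then
        echo group-capture
    else
        echo owner-only
    fi
}

# audit_bpf_listing < ls-output
# Reads `ls -l` lines on stdin and prints "path (owner:group): class".
# The device path is taken as the last whitespace-separated field.
audit_bpf_listing() {
    while read -r mode links owner group rest; do
        [ -n "$mode" ] || continue
        path=${rest##* }
        printf '%s (%s:%s): %s\n' "$path" "$owner" "$group" "$(bpf_access "$mode")"
    done
}

# Constructed sample listing for illustration (not output from a real machine).
SAMPLE_LISTING='crw-rw----  1 root  admin  23,   0 Dec 20 11:56 /dev/bpf0
crw-r--r--  1 root  wheel  23,   1 Dec 20 11:56 /dev/bpf1
crw-rw-rw-  1 root  wheel  23,   2 Dec 20 11:56 /dev/bpf2
crw-------  1 alice wheel  23,   3 Dec 20 11:56 /dev/bpf3'

# On a Mac the real invocation would be:  ls -l /dev/bpf* | audit_bpf_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_bpf_listing
```

Run against a real machine, a line reporting `world-capture+send` corresponds to the `uog+rw` setting discussed above (any user can capture and inject), `group-capture` with group `admin` corresponds to the `chgrp admin` plus `g+r` arrangement, and `owner-only` with a non-root owner corresponds to the `chown` approach. Because devfs is rebuilt at boot, the report is only valid until the next reboot unless the ChmodBPF startup item is installed.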