Wireshark-dev: Re: [Wireshark-dev] Problems capturing on Mac OS X

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 7 Feb 2011 10:14:01 -0800
On Feb 6, 2011, at 2:22 PM, Matthew Lucas wrote:

> I'm trying to run wireshark on my 2008 MacBook Pro, running Mac OS 10.6.6. I'm an admin user and I've copied the ChmodBPF folder to /Library/StartupItems and restarted my machine to cause it to run. On restart I got the following error:
> 
> {"Insecure Startup Item disabled." message}

That probably means that it's not owned by user root and group wheel; unfortunately, the drag-install process doesn't cause the startup item to be given the right ownership.  (The dmg is probably mounted with the "make it look as if everything on the file system is owned by the person who mounted it" option, and the Finder's copy preserves the ownership.)

You'd need to open up Terminal and do

	sudo chown -R root:wheel /Library/StartupItems/ChmodBPF

> When I navigate to /Library/StartupItems/ChmodBPF/ and run the ChmodBPF script, I get the following: 
> 
> Last login: Sun Feb  6 21:45:06 on ttys000
> /Library/StartupItems/ChmodBPF/ChmodBPF ; exit;
> Matts-MacBook-Pro:~ matt$ /Library/StartupItems/ChmodBPF/ChmodBPF ; exit;
> /Library/StartupItems/ChmodBPF/ChmodBPF: line 35: $1: unbound variable
> logout

You need to open up Terminal and run it as

	sudo SystemStarter ChmodBPF start

> Having read through all the documentation, it appears that the files that require permission change are in /dev - however I have no such folder. I've unhidden the hidden files and folders, and I've tried Go->Go to Folder->/dev to which I get the response "The folder can't be found". I certainly haven't deleted it, and from what I've read, I would imagine I would be having some fairly severe difficulties if I had, so it must have been intentionally moved or removed, presumably by Apple and presumably with a point update. So the question is, is all of this compatible with 10.6.6, and if it's not, is there something I can do manually to resolve it? Or have I simply done something wrong?

There are folders, and there are directories.

"Folders" are what the OS X GUI shows you.  "Directories" are what are in the file system name space; a "folder" is a directory that the GUI's willing and able to display.

For better or worse, "/dev" is a directory but not a folder; the GUI hides it from you.  If you open up Terminal, you can see that it exists (if it didn't exist, then

	1) a huge amount of code in OS X would fail

and

	2) Apple couldn't use the word "UNIX" in connection with OS X):

$ ls /dev
auditpipe		ptyta			ttyr6
autofs			ptytb			ttyr7
autofs_control		ptytc			ttyr8
autofs_nowait		ptytd			ttyr9
bpf0			ptyte			ttyra
bpf1			ptytf			ttyrb
bpf2			ptyu0			ttyrc
bpf3			ptyu1			ttyrd

	...