Network Fortius wrote:
> I am not sure why you would prefer a permanent change to /dev/bpf* than
> a temporary (running as - sudo) root-enabled option?!?
Well, for one thing, the less stuff that runs as root, the better, in
general.
(Note, BTW, that Wireshark does not ever open any device for capturing
in 1.0 and later. Neither does TShark in 1.0 and later. Instead, all
the work of capturing is done by dumpcap; that way, on platforms where
you need to run with a privileged account in order to capture traffic,
the code that runs with privileges is a relatively small program rather
than a very large program with a ton of dissectors and taps and, in the
case of Wireshark, a GUI complete with run-time-loadable theme modules.)
> I do not think that devfs is persistent between reboots, on the
> macosx?!?
It's not persistent across reboots in OS X or FreeBSD.
The newer devfs in FreeBSD can be configured, however, to make /dev/bpf*
owned by a particular user or group and to give it particular
permissions. (I'll have to dig up the steps for doing that; it's not
entirely obvious how to do it or, at least, it wasn't entirely obvious
to me.)
OS X's devfs doesn't support that. However, you can, at least, arrange
to have a startup item to make the BPF devices that exist at boot time
owned by a particular user or group and to have particular permissions.
That startup item is present in the later releases of libpcap; it's
also in the .dmg of Wireshark, but it's not owned by root in that .dmg,
so it can't just be dragged and dropped to /Library/StartupItems. (It's
also a startup item, rather than a launchd daemon, and startup items are
deprecated; I'll look at making it run as a launchd daemon - given that
the exec* calls in OS X, as in all other modern UN*Xes, transparently
execute #! scripts, there's no reason I can see why a script couldn't be
launched by launchd.)
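
An added example, not part of the original message and not the startup item shipped with libpcap or Wireshark: a sketch of what such a boot-time helper has to do (group-own the existing BPF nodes, set mode 0660) plus a check that reports nodes that deviate. The group name `capture` and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Sketch of a boot-time helper: hand the BPF device nodes to one group so
# capture tools need not run as root. Directory and group are assumptions.

# bpf_mode FILE: print the 9 permission characters from ls -l
# (portable across BSD and GNU userlands, unlike stat flags).
bpf_mode() {
    ls -ld "$1" | cut -c2-10
}

# bpf_group FILE: print the group owner.
bpf_group() {
    ls -ld "$1" | awk '{print $4}'
}

# apply_bpf_perms DIR GROUP: group-own every DIR/bpf* node and set mode 0660.
# Only nodes that exist when this runs are changed; nodes created later are not.
apply_bpf_perms() {
    dir=$1; group=$2
    for node in "$dir"/bpf*; do
        [ -e "$node" ] || continue      # glob matched nothing
        chgrp "$group" "$node" && chmod 0660 "$node" || return 1
    done
}

# audit_bpf_perms DIR GROUP: print nodes that deviate; return 1 if any do.
audit_bpf_perms() {
    dir=$1; group=$2; bad=0
    for node in "$dir"/bpf*; do
        [ -e "$node" ] || continue
        if [ "$(bpf_group "$node")" != "$group" ] ||
           [ "$(bpf_mode "$node")" != "rw-rw----" ]; then
            echo "deviates: $node $(bpf_mode "$node") $(bpf_group "$node")"
            bad=1
        fi
    done
    return "$bad"
}

# Runs only when given two arguments, e.g.:  sudo sh bpfperms.sh /dev capture
if [ "$#" -eq 2 ]; then
    apply_bpf_perms "$1" "$2" && audit_bpf_perms "$1" "$2"
fi
```

Because devfs is rebuilt at every boot, the change has to be reapplied each time the system starts, and the audit function can be run afterwards to confirm no BPF node is left accessible to users outside the group.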