Wireshark-users: Re: [Wireshark-users] MacOSX installation and /dev/bpf permissions

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 13 Feb 2011 12:26:39 -0800
On Feb 13, 2011, at 10:57 AM, Ray Wilson wrote:

> Sudo works to. Changing the device file is awkward. Cheers.

If by "sudo works too" you mean "running Wireshark as root works too", well, having a program of over two million lines run as root could be awkward, too, if a bug causes it to do something it shouldn't:

	http://anonsvn.wireshark.org/wireshark/trunk/doc/README.packaging

"WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
THEM AS ROOT."

The right ways to handle this are either to

	1) make dumpcap set-UID root

or

	2) use the ChmodBPF startup item (which is on the install dmg, but can't be drag-installed for various obscure reasons)

both of which may be awkward, but you only have to do them once.

Perhaps it's time to bite the bullet and use a regular installer package; yeah, it goes against the Religion Of Drag-Installs on OS X, but Wireshark has special requirements (i.e., it needs to somehow arrange that it have the privileges needed to capture traffic), and an installer package might be simpler overall.