How-To: Monitor your network on your Mac with Wireshark – Snow Leopard Tutorial

Wireshark is an amazing utility that lets you view and analyze packet data captured from your network. It has become a must-have for many institutions and their admins. It can dissect hundreds of protocols, with more being added constantly, and can decrypt a number of them when you give it the keys. It supports live capture and also lets you save, export, and compress captures for offline analysis later. Its display filters are top notch, as is its UI.

Best of all, Wireshark is available for absolutely free, no strings attached. It’s quite amazing the work that goes into this program, and networking aficionados all over the world continue to develop this killer network utility.

One drawback, for some, is the process of actually getting it running properly under 10.6. I had trouble myself, so I want to share the process I used to get it up and running in Snow Leopard.

Let me just share my setup first of all. I’m running Snow Leopard on a MacBook Pro (late 2009), with a 2.26 GHz Intel Core 2 Duo processor and the standard allotment of 2 GB of RAM. Your individual results may vary if you’re coming at this from a different operating system. Feel free to leave a comment if you’ve got a different setup and this isn’t working for you, and I’d be glad to help you out as best I can. So without much further ado…

Things you’ll need to get started (with this tutorial):

Administrator privileges on a Mac running OS 10.6
Wireshark (free; download it from wireshark.org)

The information you’ll need is in the video. I’ve also outlined the major steps below it. Again, feel free to leave any variation of “this didn’t work for me” in the comments.

1.) Download the disk image, mount it, and copy Wireshark to your Applications folder.
2.) Copy the ChmodBPF folder from the disk image into /Library/StartupItems. This startup item is what lets a non-root user open the capture devices; without it Wireshark lists no interfaces.
3.) Show hidden files and folders (so you can see /usr in the Finder).
4.) Navigate to /usr/local. If no bin folder exists inside it, you’ll need to create one:
5.) Open Terminal and type the line: cd /usr/local
6.) Hit enter and type: sudo mkdir bin
7.) From the Command Line folder on the disk image, copy all of the binaries themselves into /usr/local/bin.
8.) In Terminal, enter the following line and hit enter: cd /Library/StartupItems
9.) Then: sudo chown -R root:wheel ChmodBPF
    (SystemStarter refuses to run a startup item that is not owned by root, so this step is what makes step 2 take effect at boot.)
10.) Open Wireshark and navigate to Edit > Preferences > Name Resolution > SMI (MIB and PIB Paths) and click Edit.
11.) Click New and enter: /usr/share/snmp/mibs
12.) Click OK, then Apply, then reboot your Mac.

Once your machine comes back up, you should be good to go: Wireshark should list your network interfaces under Capture > Interfaces without being run as root.
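Steps 4 through 9, plus what the reboot in step 12 is for, as one shell script. This is an example added to this page, not anything shipped with Wireshark. It assumes the disk image mounts at /Volumes/Wireshark and that its Utilities folder holds the Command Line and ChmodBPF folders (the tutorial names the folders but not their location); edit the variables at the top if yours differ. The check mode verifies the result rather than taking it on faith: the ChmodBPF startup item makes every /dev/bpf* device readable and writable by the admin group, which is what lets Wireshark open a capture interface without root, and SystemStarter refuses to run the item unless it is owned by root, which is why step 9 matters.

```shell
#!/bin/sh
# Wireshark on Snow Leopard: install the pieces the tutorial copies by hand,
# then verify them. Example code added to this page, not part of Wireshark.
#   sudo sh wireshark-sl.sh install      (steps 4-9, runs ChmodBPF instead of rebooting)
#   sh wireshark-sl.sh check             (verifies devices, ownership, wrappers)
#
# ASSUMED paths: the tutorial only names the folders, not where the image mounts.
DMG="${DMG:-/Volumes/Wireshark}"
CLI_SRC="${CLI_SRC:-$DMG/Utilities/Command Line}"
BPF_SRC="${BPF_SRC:-$DMG/Utilities/ChmodBPF}"
STARTUP_DIR="${STARTUP_DIR:-/Library/StartupItems}"
LOCAL_BIN="${LOCAL_BIN:-/usr/local/bin}"

# ---- small portable helpers (parse ls rather than stat, whose flags differ
# ---- between macOS and Linux) --------------------------------------------

# mode_of PATH -> permission string as ls prints it, e.g. "crw-rw----"
mode_of() { ls -ld "$1" | awk '{ print $1 }'; }

# owner_of PATH -> "user:group"
owner_of() { ls -ld "$1" | awk '{ print $3 ":" $4 }'; }

# group_rw MODESTRING -> true when the group has read AND write
# (characters 5 and 6 of the mode string), which is what ChmodBPF grants
group_rw() { [ "$(printf '%s' "$1" | cut -c5-6)" = "rw" ]; }

# ensure_dir DIR -> create DIR and any missing parents (steps 4-6)
ensure_dir() { [ -d "$1" ] || mkdir -p "$1"; }

# ---- install (needs root) -------------------------------------------------
install_all() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "install must run as root: sudo sh $0 install" >&2
        return 1
    fi
    ensure_dir "$LOCAL_BIN"                          # steps 4-6
    cp -R "$CLI_SRC"/. "$LOCAL_BIN"/                 # step 7
    cp -R "$BPF_SRC" "$STARTUP_DIR"/                 # step 2
    # step 9: SystemStarter refuses a startup item that is not root-owned
    # or that others can write to, so fix both before it is ever run
    chown -R root:wheel "$STARTUP_DIR/ChmodBPF"
    chmod -R go-w "$STARTUP_DIR/ChmodBPF"
    # step 12 without the reboot: run the item's script now, the same way
    # SystemStarter would at boot (it sources /etc/rc.common and takes "start")
    sh "$STARTUP_DIR/ChmodBPF/ChmodBPF" start
}

# ---- check (no root needed) ------------------------------------------------
check_all() {
    rc=0
    item="$STARTUP_DIR/ChmodBPF"
    if [ "$(owner_of "$item")" != "root:wheel" ]; then
        echo "FAIL $item is owned by $(owner_of "$item"), needs root:wheel" >&2
        rc=1
    fi
    # Every BPF device should now be group read/write; if not, ChmodBPF has not
    # run (or was refused) and Wireshark will show no interfaces at all
    for dev in /dev/bpf*; do
        m=$(mode_of "$dev")
        if group_rw "$m"; then
            echo "ok   $dev $m"
        else
            echo "FAIL $dev $m (ChmodBPF has not run yet?)" >&2
            rc=1
        fi
    done
    # assumes the Command Line folder includes a tshark wrapper (it did in 1.2.x)
    [ -x "$LOCAL_BIN/tshark" ] || { echo "FAIL no tshark wrapper in $LOCAL_BIN" >&2; rc=1; }
    return $rc
}

case "${1:-}" in
    install) install_all ;;
    check)   check_all ;;
    "")      ;;    # no action: just define the functions (lets the script be sourced)
    *)       echo "usage: $0 install|check" >&2; exit 2 ;;
esac
```

The thing to be aware of once check passes: every administrator account on the machine can now capture all traffic on every interface without a password prompt, because the BPF devices belong to the admin group. That is fine on a personal laptop; on a shared or lab machine, delete /Library/StartupItems/ChmodBPF again (and reboot) when you are done, which puts /dev/bpf* back to root-only.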

Disclaimer: We do not endorse using Wireshark or any other network monitoring utility for illegal purposes.

Comments

9 Responses to “How-To: Monitor your network on your Mac with Wireshark – Snow Leopard Tutorial”

  1. ian on February 8th, 2010 3:02 pm

    or you could just:

    1) install macports
    2) sudo port install wireshark
    3) sudo wireshark

    all done.

  2. Elmak on February 8th, 2010 7:56 pm

    Or you could just:

    1) Install Homebrew
    2) brew install wireshark
    3) wireshark

    Homebrew is MUCH less bloated than MacPorts; specifically targeted and optimized for Intel-based OSX Leopard+.

  3. Dan Gribbin on February 9th, 2010 12:08 am

    “Just”? Both MacPorts and HomeBrew require Xcode. Xcode is not preinstalled on the OS, and therefore an unnecessary step for most users. Installing 2 applications to get one to work is a poor approach at best.

  4. Kelly on February 9th, 2010 3:34 am

    How much more complicated can you make this? If you think you are providing a service by letting people learn something from your website, you’ve failed. You’ve successfully showed us how smart you are, now why not walk us through this in a bit more detail. If you understand “Show hidden files and folders” and “if no /bin exists you need to create one” then you don’t need this article.

    . . . Or, you could just download KisMac.

  5. Dan Gribbin on February 9th, 2010 5:04 am

    @Kelly

    When I did this walk-through, I didn’t want to make any assumptions about prior knowledge of the OS or the program at all. Wireshark as it stands now doesn’t work under Snow Leopard without these steps. It isn’t complicated at all. This can be done in under five minutes, but for someone with no prior experience, they might need a little explaining. Personally, I like to know why I’m doing what I’m doing.

    Also, if you have ever used Wireshark, you’d know that KisMac and Wireshark are not similar, in functionality or user interface. Sure this tutorial may be elementary and needlessly detailed for you, but for an average or new Mac user, perhaps not.

  6. ian on February 9th, 2010 5:30 am

    By the time you’re done with these instructions, you could have done a documentation-free Xcode install and setup Macports or Homebrew. Then you don’t have to worry about version control.

    But seriously, who needs Wireshark and doesn’t have Xcode installed anyways?

    @Elmak, I agree that Homebrew is a great solution (from what I’ve read), but I haven’t spent too much time fooling around with it…

  7. Patrick on February 9th, 2010 1:49 pm

    Are you people seriously complaining that there is too much detail in a tutorial? If not enough detail was given, then others would complain there wasn’t enough detail.

    BTW, the majority of the time I’ve needed to run a packet capture is from one of my users machines. I am not going to install Xcode on their machine just so I can troubleshoot a single issue.

  8. nebula_1979 on February 12th, 2010 4:43 pm

    In my opinion it’s much easier to use Cocoa Packet Analyzer….
    http://www.tastycocoabytes.com/cpa/

  9. Websites designer on March 9th, 2010 7:52 pm

    That’s really a fantastic post! Added to my favourite blogs list. I have been reading your blog for the last couple of weeks and enjoy every bit. Thanks.
