How-To: Monitor your network on your Mac with Wireshark – Snow Leopard Tutorial
Wireshark is an amazing utility that lets you view and analyze captured packet data from your network. It has become a must-have for many institutions and their admins.
It features support for inspection and decryption of literally hundreds of protocols, with more being added constantly. It supports live capture, and also allows you to save, export, and compress data for further analysis later offline. Its display filters are top notch, as is its UI.
Best of all, Wireshark is available for absolutely free, no strings attached. It’s quite amazing the work that goes into this program, and networking aficionados all over the world continue to develop this killer network utility.
One drawback though, for some, is the process of actually getting it running properly in 10.6. I had trouble myself, and felt I needed to share the process I used to get it up and running in Snow Leopard.
Let me just share my setup first of all. I’m running Snow Leopard on a MacBook Pro (late 2009), with a 2.26 GHz Intel Core 2 Duo processor and the standard allotment of 2 GB of RAM. Your individual results may vary if you’re coming at this from a different operating system. Feel free to leave a comment if you’ve got a different setup and this isn’t working for you, and I’d be glad to help you out as best I can. So without much further ado:
Things you’ll need to get started (with this tutorial):
Administrator privileges on a Mac running OS 10.6
Wireshark (FREE – get it HERE)
The information you’ll need is in this here video. However, I’ve outlined the major steps needed to do it below the video. Again, feel free to leave any variation of “this didn’t work for me.” in the comments.
1.) Download, Mount, Copy Wireshark to Applications folder
2.) Copy ChmodBPF folder into StartupItems directory
3.) Show hidden files and folders
4.) Navigate to /usr/local – if no /bin exists, you’ll need to create one…
5.) Enter Terminal and type the line: cd /usr/local
6.) Hit enter and type: sudo mkdir "bin"
7.) From the Command Line folder that is in the disk image, copy all of the binary files themselves into /usr/local/bin
8.) In Terminal, enter the following line and hit enter: cd /Library/StartupItems
9.) Then: sudo chown -R root:wheel ChmodBPF
10.) Open Wireshark and navigate to Edit>Preferences>Name Resolution>SMI (MIB and PIB Paths) and click Edit
11.) Click New and enter: usr/share/snmp/mibs
12.) Click OK, then Apply, then reboot your Mac.
Once your machine comes back up, you should be good to go!
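Step 9 matters because startup items are executed as root at boot, so a script there that another account can modify is a privilege-escalation path. The shell function below is an added example (not from the original tutorial or from the Wireshark project) that lists anything under a startup item directory that is not owned by the expected user and group, or that is writable by group or others. The function name `audit_startup_item` is hypothetical; owner and group default to the `root:wheel` used in step 9.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# audit_startup_item DIR [OWNER] [GROUP]
#   Prints every path under DIR that has the wrong owner or group, or that
#   is writable by group or others. OWNER and GROUP default to root:wheel,
#   the values set by "sudo chown -R root:wheel ChmodBPF" in step 9.
#   Returns 0 when nothing is found, 1 when there are findings,
#   2 when DIR does not exist.
audit_startup_item() {
    dir=$1
    owner=${2:-root}
    group=${3:-wheel}

    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 2
    fi

    # Ownership is checked on every entry. Write bits are checked on
    # everything except symlinks, whose own mode bits are not meaningful.
    findings=$(find "$dir" \( \
        ! -user "$owner" -o ! -group "$group" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \
        \) -print)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage on the machine from this tutorial (path taken from steps 8 and 9):
#   audit_startup_item /Library/StartupItems/ChmodBPF
```

No output and exit status 0 mean the startup item matches what step 9 sets up; any printed path should be fixed before rebooting.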
Disclaimer: We do not endorse using Wireshark or any other network monitoring utility for illegal purposes.





or you could just:
1) install macports
2) sudo port install wireshark
3) sudo wireshark
all done.
Or you could just:
1) Install Homebrew
2) brew install wireshark
3) wireshark
Homebrew is MUCH less bloated than MacPorts; specifically targeted and optimized for Intel-based OSX Leopard+.
“Just”? Both MacPorts and HomeBrew require Xcode. Xcode is not preinstalled on the OS, and therefore an unnecessary step for most users. Installing 2 applications to get one to work is a poor approach at best.
How much more complicated can you make this? If you think you are providing a service by letting people learn something from your website, you’ve failed. You’ve successfully shown us how smart you are; now why not walk us through this in a bit more detail? If you understand “Show hidden files and folders” and “if no /bin exists you need to create one” then you don’t need this article.
. . . Or, you could just download KisMac.
@Kelly
When I did this walk-through, I didn’t want to make any assumptions about prior knowledge of the OS or the program at all. Wireshark as it stands now doesn’t work under Snow Leopard without these steps. It isn’t complicated at all. This can be done in under five minutes, but for someone with no prior experience, they might need a little explaining. Personally, I like to know why I’m doing what I’m doing.
Also, if you have ever used Wireshark, you’d know that KisMac and Wireshark are not similar, in functionality or user interface. Sure this tutorial may be elementary and needlessly detailed for you, but for an average or new Mac user, perhaps not.
By the time you’re done with these instructions, you could have done a documentation-free Xcode install and set up MacPorts or Homebrew. Then you don’t have to worry about version control.
But seriously, who needs Wireshark and doesn’t have Xcode installed anyways?
@Elmak, I agree that Homebrew is a great solution (from what I’ve read), but I haven’t spent too much time fooling around with it…
Are you people seriously complaining that there is too much detail in a tutorial? If not enough detail was given, then others would complain there wasn’t enough detail.
BTW, the majority of the time I’ve needed to run a packet capture is from one of my users’ machines. I am not going to install Xcode on their machine just so I can troubleshoot a single issue.
In my opinion it’s much easier to use Cocoa Packet analyzer….
http://www.tastycocoabytes.com/cpa/
That’s really a fantastic post! Added to my favourite blogs list. I have been reading your blog for the last couple of weeks and enjoy every bit. Thanks.
Had been messing with this install off and on for a couple of weeks, then I found your tutorial here. It’s running now. Thank you.
Thanks for these steps, I was searching on how to make a capture on this app.
I followed all the steps and it works fine with me, but when I saved what I captured on the desktop and then wanted to open it, the app crashes.
Any idea how to fix this problem?
How exactly can I create a local folder in the usr folder? I do not have one.
How much more complicated can you make this?
d’oh Jersey and the others: How much more stupid can you ask?
What’s that complaining about complicated explanations? It’s absolutely straightforward, contains valuable time-saving info and helps people. Don’t you read (you probably sneered and didn’t bother) that other people spent a considerable amount of time trying to get WS to run?
And oh, “xcode” and “MacPorts” and “Fink”, phew, gimme a break….
Hi, I just want to thank you.
In the Readme of Wireshark it wasn’t clear what to do. Again thank you.
Very useful.
I followed both these instructions and similar instructions elsewhere, but both fail at the part where Wireshark gets opened. If I try it from a bash window in X I get:
/Applications/Wireshark.app/Contents/Resources/bin/wireshark: line 83: /Applications/Wireshark.app/Contents/Resources/bin/wireshark-bin: Bad CPU type in executable
Any suggestions would be appreciated.
I followed the instructions. got to step 10
10.) Open Wireshark and navigate to Edit>Preferences>Name Resolution>SMI (MIB and PIB Paths) and click Edit
I go to name resolution but there is no edit button; instead, when I move the cursor over SMI (MIB and PIB Path)
it says “support for this feature was not compiled in this version of wireshark”
I downloaded this from the link that you have provided in your tutorial (from wireshark.org) and I made sure again that I have the right version.
hey… same as sam.
Got to step 10 but it says “support for this feature was not compiled in this version of wireshark”
All was good up to this: Wireshark is not starting, so editing is a no go. Any suggestion? Uninstall and start over?
Have the same problem as Keliel. “Support for this feature was not compiled into this version of WebShark.”
If you want to save your network use ProteMac Meter – monitoring all your activity.
http://www.protemac.com/Meter/
I got the same problem as the guys above: can’t change the SMI path.
Anyone got over it?
[...] still no packets on my interfaces… A quick search led me to an article where one of the comments suggested using Homebrew, a system that could be described as [...]