problems running wireshark on macos 13

Properly working Wireshark

Today was one of those days. I’ve got Wireshark installed on my Macs, and I’ve had Wireshark installed on all my Macs for years (decades, back to when it was called Ethereal). Today after upgrading to macOS 13.2 I decided to do a bit of home network research and fired up the latest version of Wireshark, 4.0.3. That’s when I got the error you see below. I did a fair amount of internet research (i.e. “googling”) and finally constructed a solution that works for me. First my solution, then a partial explanation of what might be happening.

My solution consists of creating the following zsh alias:

alias wireshark='sudo /Library/Application\ Support/Wireshark/ChmodBPF/ChmodBPF && Wireshark'

When I open a shell (iTerm in my case) and type in wireshark I’ll get a prompt for my password, then Wireshark will start and execute correctly.

Why is this happening? Somehow, some way, the script ChmodBPF is not executing with proper permissions to create Wireshark pseudo devices, /dev/bp*. The script is supposed to execute every time I log in, and create many of those pseudo devices (256 on my machine) that Wireshark then uses. I don’t have a deep knowledge of Wireshark so I don’t know what Wireshark is doing with all those devices.

Because of ChmodBPF’s failure, only four pseudo devices were created, and they all had root:wheel ownership, not my username:admin. That then caused Wireshark to fail to properly work.
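A way to confirm this state before reaching for sudo, as an added example that is not part of the original post: the script below counts the capture devices and works out how many a given user can read. The user "alice", her groups and the 600 mode in the sample are constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the original post.
# Input lines: "<device> <owner> <group> <octal-mode>", which macOS prints with
#   stat -f '%N %Su %Sg %Lp' /dev/bpf*

# bpf_access USER "GROUP1 GROUP2 ..."  -> prints "total=N readable=M"
bpf_access() {
    user=$1
    groups=" $2 "
    total=0
    readable=0
    while read -r dev owner group mode; do
        [ -n "$dev" ] || continue
        total=$((total + 1))
        # Keep the last three octal digits and split them into u/g/o.
        last3=${mode#"${mode%???}"}
        u=${last3%??}; rest=${last3#?}; g=${rest%?}; o=${rest#?}
        # Only one permission class applies: owner first, then group, then other.
        if [ "$user" = root ]; then
            bits=7
        elif [ "$owner" = "$user" ]; then
            bits=$u
        else
            case $groups in
                *" $group "*) bits=$g ;;
                *) bits=$o ;;
            esac
        fi
        # Capturing needs at least read access to the device (r=4).
        if [ $((bits & 4)) -ne 0 ]; then
            readable=$((readable + 1))
        fi
    done
    echo "total=$total readable=$readable"
}

# Constructed sample of the broken state described above: four root:wheel devices.
sample_broken() {
    for i in 0 1 2 3; do echo "/dev/bpf$i root wheel 600"; done
}

# Hypothetical non-root user "alice" in groups staff and admin.
sample_broken | bpf_access alice "staff admin"

# On a Mac, run the same check against the real devices for the current user.
if [ "$(uname)" = Darwin ] && [ -e /dev/bpf0 ]; then
    stat -f '%N %Su %Sg %Lp' /dev/bpf* | bpf_access "$(id -un)" "$(id -Gn)"
fi
```

A low total, or a readable count of zero for a non-root user, matches the failure described here; after ChmodBPF has run successfully both numbers should go up.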

I discovered a lot of half-assed solutions, such as changing permissions directly on the pseudo devices. Running the script as sudo came from reading a thread on Wireshark’s GitLab issue wiki: https://gitlab.com/wireshark/wireshark/-/issues/18734 . It should be pointed out that if you reboot your Mac, the devices are wiped out, and you’re going to have to run the script as sudo again, at least once. I just combined everything into a terminal alias. I live in the terminal so it doesn’t bother me.
