Reputation: 51
I may have done something to change my device permissions because I am getting the error: "tcpdump: en0: You don't have permission to capture on that device". The TCP portion is irrelevant because I am having an issue using bpf devices. I attempted to restore the permissions to defaults and I set them to what's shown below, but I am still getting issues, sudo or not.
I have reset permissions and restarted multiple times. Also, my laptop was replaced and the hard drive was the only thing that was transferred.
zjam@ZimSec:~$ tcpdump -i en0
tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)
zjam@ZimSec:~$ sudo tcpdump -i en0
tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)
0 crw-rw---- 1 root access_bpf 23, 0 Aug 22 13:27 bpf0
0 crw-rw---- 1 root access_bpf 23, 1 Aug 22 13:22 bpf1
0 crw-rw---- 1 root access_bpf 23, 2 Aug 22 13:22 bpf2
0 crw-rw---- 1 root access_bpf 23, 3 Aug 22 13:22 bpf3
Mac Version 10.14.6
Upvotes: 5
Views: 16232
Reputation: 2348
I had the same issue and for some reason the ChmodBPF program did not add the access_bpf group, resulting in all the /dev/bpf* files remaining in wheel, which isn't listed in my groups.
$ ls -l /dev/bpf*
crw-rw---- 1 root wheel 0x17000000 Sep 9 14:24 /dev/bpf0
crw-rw---- 1 root wheel 0x17000001 Sep 9 14:25 /dev/bpf1
...
$ groups
staff everyone localaccounts _appserverusr admin _appserveradm _lpadmin com.apple.sharepoint.group.1 _appstore _lpoperator _developer _analyticsusers com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh com.apple.access_remote_ae
Replacing the group for /dev/bpf* from wheel to staff fixed it:
$ sudo chgrp staff /dev/bpf*
$ ls -l /dev/bpf*
crw-rw---- 1 root staff 0x17000000 Sep 9 14:24 /dev/bpf0
crw-rw---- 1 root staff 0x17000001 Sep 9 14:25 /dev/bpf1
...
Upvotes: 1
Reputation: 757
Came upon this problem today. Found myself in group chmodbf by the command line example above, but could not run tcpdump. Same error.
Turns out I had to launch Wireshark first and do the security prompts in Wireshark and then download the ChmodBPF tool from a link in the Wireshark window.
Upvotes: 4
Reputation: 2537
My colleague had the same problem, and we solved this problem with the following checklist.
It looks like you have installed Wireshark on your Mac, so /dev/bpf0 has group access_bpf. It is changed by ChmodBPF, so you must ensure you are in the bpf_access group.
$ id
uid=501(gasolwu) gid=20(staff) groups=20(staff),501(access_bpf),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1)
Make sure System Integrity Protection is enabled on your system. If not, reboot your system to recovery mode, enable SIP with the command csrutil enable, then reboot again.
$ csrutil status
System Integrity Protection status: enabled.
If you have installed a 3rd party firewall application like Little Snitch, you must turn off network filtering or re-enable it, and try again.
We fixed this issue on the 3rd step. Hope it helps.
Upvotes: 2
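The ownership check that the answers above carry out by eye with ls -l, groups and id, written as a shell function; this is an added example, not part of any post in the thread. The function name bpf_access and the user name someuser are made up for illustration, and the sample lines are copied from the listings quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a user would pass, or
# fail, the file-mode check for read+write on a /dev/bpf* node.
# usage: bpf_access 'LS_LINE' USER 'GROUP1 GROUP2 ...'
# prints: root | owner | group | other | denied
bpf_access() {
    line=$1; user=$2; groups=$3
    set -f              # no globbing while splitting the listing line
    set -- $line
    set +f
    # `ls -ls` prefixes a block count; drop it so $1 is the mode string
    case $1 in [0-9]*) shift ;; esac
    mode=$1; owner=$3; group=$4
    u=$(printf %s "$mode" | cut -c2-3)   # owner rw bits
    g=$(printf %s "$mode" | cut -c5-6)   # group rw bits
    o=$(printf %s "$mode" | cut -c8-9)   # other rw bits

    if [ "$user" = root ]; then
        # root is not limited by mode bits: a denial under sudo points
        # away from ownership and group membership
        echo root; return 0
    fi
    if [ "$user" = "$owner" ]; then
        bits=$u; via=owner
    else
        bits=$o; via=other
        for name in $groups; do
            if [ "$name" = "$group" ]; then bits=$g; via=group; break; fi
        done
    fi
    if [ "$bits" = rw ]; then echo "$via"; else echo denied; fi
}

# Sample input copied from the listings quoted on this page
Q_LINE='0 crw-rw---- 1 root access_bpf 23, 0 Aug 22 13:27 bpf0'
A_LINE='crw-rw---- 1 root wheel 0x17000000 Sep 9 14:24 /dev/bpf0'
A_GROUPS='staff everyone localaccounts admin'   # shortened group list

bpf_access "$A_LINE" someuser "$A_GROUPS"          # denied
bpf_access "$Q_LINE" someuser "staff access_bpf"   # group
bpf_access "$Q_LINE" root ""                       # root
```

On a live system the first argument would be one line of `ls -l /dev/bpf*` and the third the output of `id -Gn`.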