How to fix BPF device permissions on Mac OS to use tcpdump
I may have done something to change my device permissions, because I am getting the error "tcpdump: en0: You don't have permission to capture on that device". The TCP portion is irrelevant, because I am having an issue using bpf devices. I attempted to restore the permissions to the defaults and set them to what's shown below, but I am still getting the error with or without sudo.

I have reset permissions and restarted multiple times. Also, my laptop was replaced and the hard drive was the only thing that was transferred.

zjam@ZimSec:~$ tcpdump -i en0
tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied
)
zjam@ZimSec:~$ sudo tcpdump -i en0
tcpdump: en0: You don't have permission to capture on that device
((cannot open BPF device) /dev/bpf0: Permission denied)

0 crw-rw----   1 root  access_bpf      23,   0 Aug 22 13:27 bpf0
0 crw-rw----   1 root  access_bpf      23,   1 Aug 22 13:22 bpf1
0 crw-rw----   1 root  access_bpf      23,   2 Aug 22 13:22 bpf2
0 crw-rw----   1 root  access_bpf      23,   3 Aug 22 13:22 bpf3

Mac Version 10.14.6
Firebird answered 22/8, 2019 at 17:55

Came across this problem today. Found myself in group chmodbf via the command-line example above, but could not run tcpdump. Same error.

Turns out I had to launch Wireshark first, go through the security prompts in Wireshark, and then download the ChmodBPF tool from a link in the Wireshark window.

Blandina answered 3/7, 2020 at 14:58

My colleague had the same problem, and we solved it by following this checklist.

  1. It looks like you have installed Wireshark on your Mac, so /dev/bpf0 has group access_bpf. That is changed by ChmodBPF, so you must ensure you are in the access_bpf group.

    $ id
    uid=501(gasolwu) gid=20(staff) groups=20(staff),501(access_bpf),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1)

  2. Make sure System Integrity Protection is enabled on your system. If not, reboot into recovery mode, enable SIP with the command csrutil enable, then reboot again.

    $ csrutil status
    System Integrity Protection status: enabled.

  3. If you have installed a 3rd-party firewall application like Little Snitch, you must turn off network filtering or re-enable it, and try again.

We fixed this issue at the 3rd step. Hope it helps.

Whipsaw answered 23/9, 2019 at 7:51

Comment: Hi, if you're not in the bpf access group, how can you get access to it? Thanks c: (Requirement)

I had the same issue, and for some reason the ChmodBPF program did not add the access_bpf group, resulting in all the /dev/bpf* files remaining in wheel, which isn't listed in my groups.

$ ls -l /dev/bpf*
crw-rw----  1 root  wheel  0x17000000 Sep  9 14:24 /dev/bpf0
crw-rw----  1 root  wheel  0x17000001 Sep  9 14:25 /dev/bpf1
...
$ groups
staff everyone localaccounts _appserverusr admin _appserveradm _lpadmin com.apple.sharepoint.group.1 _appstore _lpoperator _developer _analyticsusers com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh com.apple.access_remote_ae

Replacing the group of /dev/bpf* from wheel with staff fixed it:

$ sudo chgrp staff /dev/bpf*
$ ls -l /dev/bpf*
crw-rw----  1 root  staff  0x17000000 Sep  9 14:24 /dev/bpf0
crw-rw----  1 root  staff  0x17000001 Sep  9 14:25 /dev/bpf1
...
Workout answered 14/9, 2022 at 10:10
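The checklist answer (group membership, then SIP and third-party filters) and the chgrp answer both come down to one question: does the kernel's discretionary check (owner bits, else group bits, else other bits) let this user open /dev/bpf*? The script below is an added example, not code from any of the answers above: it applies that check to an `ls -l` line for a BPF node, handles the listing formats posted in the question (`ls -s` block-count column, `major, minor` numbers) and in the last answer (hex device numbers), and flags a group that hands capture rights to every local account, which is what `chgrp staff` does, since gid 20 (staff) is every ordinary macOS user's primary group. The BROAD_GROUPS list and the sample listings in the test are this example's own constructions. Two caveats the output encodes: uid 0 is exempt from the mode bits, so a denial under sudo, as in the question, is not a permission-bits problem and the SIP/filter steps are the ones to look at; and capture only needs the read bit (libpcap opens the device O_RDWR and falls back to O_RDONLY), the write bit matters only for injection.

```shell
#!/bin/sh
# Added example for this thread, not code from any answer above.  Applies the
# kernel's discretionary permission check to an `ls -l` line for a /dev/bpf*
# node and reports whether USER can open it for capture.

# Groups every ordinary local macOS account belongs to.  A BPF node group-owned
# by one of these is readable by all local users, not only capture operators;
# such a node is reported as "ok-broad".  (Assumption of this example.)
BROAD_GROUPS="staff everyone localaccounts"

# in_list NEEDLE "space separated list" -> 0 if NEEDLE is in the list
in_list() {
    needle=$1
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# can_open_bpf "<ls -l line>" USER "<USER's groups, space separated>"
# Prints ok | ok-broad | denied | not-a-device; returns 0 only for ok/ok-broad.
can_open_bpf() {
    user=$2
    ugroups=$3
    set -- $1                          # split the ls line into fields
    case $1 in [0-9]*) shift ;; esac   # drop a leading `ls -s` block-count column
    mode=$1 owner=$3 group=$4
    case $mode in
        c*) ;;
        *) echo not-a-device; return 1 ;;
    esac
    # uid 0 bypasses the mode bits: a denial under sudo is not a permission-bits
    # problem, so SIP state and third-party network filters are the next suspects.
    if [ "$user" = root ]; then
        echo ok; return 0
    fi
    # pick the one permission triple that applies to this user
    if [ "$owner" = "$user" ]; then
        scope=owner; bits=$(printf %s "$mode" | cut -c2-4)
    elif in_list "$group" "$ugroups"; then
        scope=group; bits=$(printf %s "$mode" | cut -c5-7)
    else
        scope=other; bits=$(printf %s "$mode" | cut -c8-10)
    fi
    # capture needs read access; libpcap tries O_RDWR, then O_RDONLY on EACCES
    case $bits in
        r*) ;;
        *) echo denied; return 1 ;;
    esac
    if [ "$scope" = other ] || { [ "$scope" = group ] && in_list "$group" "$BROAD_GROUPS"; }; then
        echo ok-broad
    else
        echo ok
    fi
    return 0
}

# check_bpf_devices [USER]: run the check over the real /dev/bpf* nodes on a Mac,
# one result line per device; USER's groups come from `id -Gn`.
check_bpf_devices() {
    u=${1:-$(id -un)}
    g=$(id -Gn "$u")
    ls -l /dev/bpf* 2>/dev/null | while IFS= read -r line; do
        printf '%s\t%s\n' "${line##* }" "$(can_open_bpf "$line" "$u" "$g")"
    done
}
```

Run `check_bpf_devices` as the capturing user on the Mac; an `ok` row next to access_bpf is the state ChmodBPF is meant to produce, `denied` next to wheel is the last answer's situation, and `ok-broad` means the fix widened capture to every local login. Note that /dev on macOS is a devfs rebuilt at boot, which is why ChmodBPF installs as a launch daemon rather than a one-off chgrp: a manual `chgrp` on /dev/bpf* is gone after the next reboot.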