Homebrew Wireshark



Error when installing wireshark using homebrew.

The official Mac build uses 5.2.4; if Homebrew doesn't have that, you could try using tools/macos-setup.sh to install the required and optional libraries manually. Issue 10881 in the issue tracker discusses the compatibility issues of going from pre-5.3 Lua to 5.3.

Hey guys, was curious if there is anyone here that uses Homebrew. I had upgraded to Wireshark 3.1.0 via the cask command in brew, then they released an update that put it back to version 3.0.3, which I had initially.

Standard package: Wireshark is available via the default packaging system on that platform.

Vendor / Platform: Sources
  • Alpine / Alpine Linux: Standard package
  • Apple / macOS: Homebrew, MacPorts, Fink
  • Arch Linux / Arch Linux: Standard package
  • Canonical / Ubuntu: Standard package, Latest stable PPA
  • Debian / Debian GNU/Linux: Standard package

Four Reasons to Use Cipher for Avionics Testing: Wireshark is the de facto industry standard packet analyzer for network analysis, troubleshooting, and communications protocol development. It’s open source, and best of all, it’s free for anyone to download and use. So why should an avionics software designer or a flight test engineer want to pay.

Instructions for a supported install of Homebrew are on the homepage.

This script installs Homebrew to its preferred prefix (/usr/local for macOS Intel, /opt/homebrew for Apple Silicon) so that you don’t need sudo when you brew install. It is a careful script; it can be run even if you have stuff installed in /usr/local already. It tells you exactly what it will do before it does it too. You have to confirm everything it will do before it starts.

macOS Requirements

  • A 64-bit Intel CPU or Apple Silicon CPU [1]
  • macOS Mojave (10.14) (or higher) [2]
  • Command Line Tools (CLT) for Xcode: xcode-select --install, developer.apple.com/downloads or Xcode [3]
  • A Bourne-compatible shell for installation (e.g. bash or zsh) [4]

Git Remote Mirroring

You can set HOMEBREW_BREW_GIT_REMOTE and/or HOMEBREW_CORE_GIT_REMOTE in your shell environment to use geolocalized Git mirrors to speed up Homebrew’s installation with this script and, after installation, brew update.

The default Git remote will be used if the corresponding environment variable is unset.

Alternative Installs

Linux or Windows 10 Subsystem for Linux

Check out the Homebrew on Linux installation documentation.

Untar anywhere

Just extract (or git clone) Homebrew wherever you want. Just avoid:

  • Directories with names that contain spaces. Homebrew itself can handle spaces, but many build scripts cannot.
  • /tmp subdirectories because Homebrew gets upset.
  • /sw and /opt/local because build scripts get confused when Homebrew is there instead of Fink or MacPorts, respectively.

However, do yourself a favour and install to /usr/local on macOS Intel, /opt/homebrew on macOS ARM, and /home/linuxbrew/.linuxbrew on Linux. Some things may not build when installed elsewhere. One of the reasons Homebrew just works relative to the competition is because we recommend installing here. Pick another prefix at your peril!

Multiple installations

Create a Homebrew installation wherever you extract the tarball. Whichever brew command is called is where the packages will be installed. You can use this as you see fit, e.g. a system set of libs in /usr/local and tweaked formulae for development in ~/homebrew.

Uninstallation

Uninstallation is documented in the FAQ.

[1] For 32-bit or PPC support see Tigerbrew.

[2] 10.14 or higher is recommended. 10.9–10.13 are supported on a best-effort basis. For 10.4–10.6 see Tigerbrew.

[3] Most formulae require a compiler. A handful require a full Xcode installation. You can install Xcode, the CLT, or both; Homebrew supports all three configurations. Downloading Xcode may require an Apple Developer account on older versions of Mac OS X. Sign up for free here.

[4] The one-liner installation method found on brew.sh requires a Bourne-compatible shell (e.g. bash or zsh). Notably, fish, tcsh and csh will not work.

Do you have a secure Wi-Fi network and a computer running macOS? Do you want to monitor the traffic of the devices connected to this network? Look no further, here’s how to do this step by step using Wireshark!

Wireshark is a very popular network protocol analyzer which understands many different network protocols out of the box and shows their data packets in a powerful GUI. The following instructions are based on macOS Mojave 10.14.6 running Wireshark 3.2.2 and may not work without changes for other versions of this software.

Disclaimer: Monitoring other people’s network traffic is a very bad idea and may be forbidden or even illegal in your case! Therefore, you may only apply these instructions if you own the Wi-Fi network and all its connected devices and you are the only user and no legal impediments whatsoever apply!

Installing Wireshark

I recommend using Homebrew for this step because it makes installing and updating Wireshark really simple. In case you don’t already use it, Homebrew is a very popular package manager for macOS. Follow the instructions on their home page for installation. Once Homebrew is installed, you can install Wireshark in Terminal using

Wireshark provides an integrated update feature via the menu item Help » Check for Updates.... However, this doesn’t work for me because nothing ever happens, so I simply upgrade it using

If you ever need to uninstall Wireshark, you can do that using (you guessed it)

Any configuration data is saved in your home directory and will be preserved on re-installation or un-installation.

Obtaining The Wi-Fi Secret

Assuming that your Wi-Fi network is secured using WPA-Personal alias WPA-PSK, it is protected by a pre-shared key or even a password from which the pre-shared key gets derived. You need to copy this secret into the clipboard from which you will paste it into the Wireshark configuration later.

Further assuming that your Mac is already connected to this network, its secret is stored in the keychain. Otherwise, please connect your Mac to this network first.

In Terminal, launch the keychain management GUI using

In the search box on the top right of the keychain window, enter the name of your Wi-Fi network, i.e. its SSID. In my case it’s FRITZ!Box 7530 CT:

Right click on the list item, select Copy Password To Clipboard and enter your password in the upcoming dialog box.

Configuring The Wi-Fi Secret In Wireshark

In Terminal, launch Wireshark using

After startup, the main window shows you all the interfaces from which you may capture network traffic:

Ignore this for now and select the menu item Wireshark » Preferences... instead. In the dialog, unfold the Protocols item and scroll down to IEEE 802.11 for Wi-Fi:

Click on the Edit... button to launch the following dialog:

Click on the + button to start entering the secret. In the Key type column, select wpa-psk or wpa-pwd, depending on whether your secret is a pre-shared key or a password, respectively. If you are not sure, select wpa-psk first, paste the secret in the clipboard into the form using command-v and check if the dialog accepts it. Otherwise, select wpa-pwd and repeat. You can enter secrets for multiple Wi-Fi networks, allowing you to monitor them all concurrently. Once done, close all dialogs.

Capturing The Wi-Fi Network Traffic

Now that you have configured the secret for your Wi-Fi network, you can start monitoring the traffic of all connected devices. Select the menu item Capture » Options... to launch the following dialog:

In here, select the list item representing your Wi-Fi interface and double click on the column Link-layer Header. In the popup menu, select the list item Per-Packet Information. This will prevent a lot of false positive network error messages later. Most importantly, make sure to check the Monitor box, or otherwise you will only ever see network traffic which is intended for your local computer. After clicking Start, Wireshark starts monitoring all packets from all Wi-Fi networks on the current channel within the reach of your computer’s antenna, not just your network. In the following capture, the beacon packets are from three different Wi-Fi networks on the current channel:

Initially, Wireshark shows 802.11 protocol packets only, so you won’t see packets from other protocols like ICMP, TCP or HTTP. This is because with WPA2, the payloads of the 802.11 data packets are encrypted with a session key which gets derived from the pre-shared key, which in turn may be derived from the password. Wireshark has to learn the session key first by observing the exchange of a sequence of packets known as the EAPOL handshake. It will do so automatically for any secure Wi-Fi network whose secrets you have configured. So all you have to do is to trigger the EAPOL handshake between the access point and the connected device, and the easiest way to do this is to switch its Wi-Fi interface off and on again.
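The two derivation steps described above (password to pre-shared key, then pre-shared key plus the EAPOL handshake to the session key), as an added example that is not part of the original post. It shows why the wpa-pwd key type needs the SSID while wpa-psk does not, and why Wireshark cannot decrypt anything until it has seen the handshake: the session key also depends on both MAC addresses and both nonces. All MAC addresses and nonces below are constructed sample values; the password/SSID pair is the IEEE 802.11 test vector.

```python
import hashlib
import hmac

# Added example (not from the post). Constructed inputs, not a real capture.


def psk_from_password(password: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PSK = PBKDF2-HMAC-SHA1(password, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, which is why wpa-pwd entries need it and wpa-psk entries do not."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key for CCMP (48 bytes). In WPA-Personal the PMK is the PSK.
    aa/spa are the AP and station MACs, anonce/snonce come from EAPOL messages 1 and 2.
    Inputs are sorted, so a passive observer derives the same key as both endpoints."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def split_ptk(ptk: bytes) -> dict:
    """KCK authenticates EAPOL messages 2-4, KEK wraps the group key in message 3,
    TK is the per-session key used to decrypt the data frames."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    psk = psk_from_password("password", "IEEE")  # IEEE 802.11 Annex test vector
    ap_mac = bytes.fromhex("020000000001")       # constructed
    sta_mac = bytes.fromhex("020000000002")      # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed
    keys = split_ptk(derive_ptk(psk, ap_mac, sta_mac, anonce, snonce))
    print("PSK:", psk.hex())
    print("TK :", keys["tk"].hex())
```

Every reconnect of a device produces fresh nonces and therefore a fresh TK, which is why the handshake has to be re-captured (and why the caveat below about triggering it more than once applies).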

In the preceding capture, first I have set the display filter to eapol || http. Then I have switched the Wi-Fi interface of my iPad off and on again, which triggers the initial four EAPOL messages. Then I have used Safari on my iPad to browse my blog’s home page at http://illegalexception.schlichtherle.de.

Note that the iPad and the web server exchange HTTP packets using both IPv4 and IPv6 addresses. This is not very efficient because it implies that there is no persistent TCP connection between the two hosts. As you can see, Wireshark is a very effective tool for analyzing issues like this.

Caveats

  • Obviously, you will not be able to read the plain text of any encrypted network protocols like HTTPS or SSH.
  • You may need to trigger the EAPOL handshake several times before Wireshark will be able to decrypt all data packets.
  • Sometimes the monitoring computer may get disconnected from the Internet. You can easily fix this by stopping the monitoring and switching the Wi-Fi interface off and on again.

Summary

This mini tutorial showed you how to obtain the Wi-Fi secret from the keychain, configure Wireshark with it, start the monitoring and trigger the authentication handshake to make Wireshark learn about the session key for the connected devices.

When monitoring a secure Wi-Fi network, you need to configure the monitoring tool with the pre-shared key or the password for decrypting the data packets. This is because in monitor mode the interface driver will deliver the raw 802.11 packets to the application, leaving it to deal with all the necessary processing, including the decryption. In non-monitor mode however, it’s the interface driver’s responsibility to process each 802.11 packet which is intended for the local host, thereby filtering, decrypting and converting the packets to plain old Ethernet (802.3) packets before delivering them to the application.