Unexpected ChmodBPF and Wireshark Entries in Mac. Is this something I should be concerned about?

Hello Barney-15E,

Thank you very much for your reply.

I'm not sure what that means. There's nothing "insecure" about Wireshark or its subcomponents.

Or, do you mean you weren't tricked into installing something by downloading software from one of the "reputable" software aggregation sites?

Exactly, I did not install any software from one of the "reputable" software aggregation sites.

Open the launchd plist and see where it points.

This is the text contained in /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>org.wireshark.ChmodBPF</string>

<key>RunAtLoad</key>

<true/>

<key>Program</key>

<string>/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF</string>

</dict>

</plist>

This is the text contained in /Library/Application Support/Wireshark/ChmodBPF/ChmodBPF

#! /bin/zsh

# shellcheck shell=bash

#

# Unfortunately, macOS's devfs is based on the old FreeBSD

# one, not the current one, so there's no way to configure it

# to create BPF devices with particular owners or groups. BPF

# devices on macOS are also non-cloning, that is they can

# be created on demand at any time. This startup item will

# pre-create a number of BPF devices, then make them owned by

# the access_bpf group, with permissions rw-rw----, so that

# anybody in the access_bpf group can use programs that capture

# or send raw packets.

#

# Change this as appropriate for your site, e.g. to make

# it owned by a particular user without changing the permissions,

# so only that user and the super-user can capture or send raw

# packets, or give it the permissions rw-r-----, so that

# only the super-user can send raw packets but anybody in the

# admin group can capture packets.

#

# Pre-create BPF devices. Set to 0 to disable.

FORCE_CREATE_BPF_MAX=256

SYSCTL_MAX=$( sysctl -n debug.bpf_maxdevices )

if [ "$FORCE_CREATE_BPF_MAX" -gt "$SYSCTL_MAX" ] ; then

FORCE_CREATE_BPF_MAX=$SYSCTL_MAX

fi

syslog -s -l notice "ChmodBPF: Forcing creation and setting permissions for /dev/bpf0-$(( FORCE_CREATE_BPF_MAX - 1))"

CUR_DEV=0

while [ "$CUR_DEV" -lt "$FORCE_CREATE_BPF_MAX" ] ; do

# Try to do the minimum necessary to trigger the next device.

read -r -n 0 < /dev/bpf$CUR_DEV > /dev/null 2>&1

CUR_DEV=$(( CUR_DEV + 1 ))

done

chgrp access_bpf /dev/bpf*

chmod g+rw /dev/bpf*

Oooh. Unsigned code. Scary stuff. Probably 95% of the code on a standard macOS installation is unsigned.

What you have found on the internet is designed do scare you into buying into the FUD. You do need to change your behavior as you have managed to install something without knowing that you did.

Effective defenses against malware and ot… - Apple Community

Thanks a lot for this link, it's helpful! I think I'm already applying all those guide lines. I've never used an antivirus on Mac or neither a clean up app. I just installed trusted software and gave permission in trusted situations, for example to RME Sound card drivers.

Delete the launchd plists and the folder in Application Support and follow the advice in the linked User Tip.

I'll do that and I will monitoring the computer behaviour.

Thanks again for your time Barney-15E. I really appreciate it!

Old Toad wrote:

ChmodBPF is associated with Wireshark which is is computer software that is used for capturing and analyzing data packets, it is a powerful cyber security tool and is widely used by cyber security engineers for troubleshooting network problems.

Did you install any anti-virus software or have someone work on your MBP for any reason?

https://discussions.apple.com/content/attachment/51782baf-819d-4272-9e5a-4b7846d6b17a

Hello Old Toad,

Thanks a lot for your reply.

I've never installed any anti-virus software and no one worked on my MBP.

Hello Barney-15E,

Thanks a lot for your reply.

I'm the only person having physical access to my computer. To the best of my knowledge, all the software I have installed on my computer is secure.

I also find it strange that the only files present are in the LaunchDaemons and Application Support folders. The application itself, Wireshark, does not appear to be installed.

ChmodBPF is indicated as "item from unidentified developer" in my "Login Items" / "Allow in the Background" list.

Doing some research I've found this page https://www.sentinelone.com/blog/how-malware-persists-on-macos/ where I was reading:

"Don’t just assume labels you recognize are benign either. Some legitimate LaunchDaemons point to unsigned code that could itself be replaced by something malicious. For example, the popular networking program Wireshark uses a LaunchDaemon,

/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

that executes unsigned code at the path:

/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF"

And these are the only two files that seem related to Wireshark that I can find on my computer.

I was trying to figure out what are the reasonable actions to do now. For example, erase the whole hard disk and reinstall MacOs. Or use an application to search for suspicious software.

Thanks a lot for your help!

Nicola