How can I get read access on my iMac to BPF devices in /dev/bpf*
Ls.
How can I get/change read access on my iMac to BPF devices in /dev/bpf*?
I want to use Wireshark.
Thanks in advance.
Loekie.
iMac, Mac OS X (10.6.7), I want to use Wireshark
You need to be a little more specific about what it is you're trying to do.
Normally you don't access /dev/bpf* devices directly. If all you want to do is launch wireshark via AppleScript then you can do that via a do shell script command, but it isn't clear whether that's what you're really asking.
The Wireshark dumpcap executable needs write access to the devices. The developers stupidly recommend that users change the permissions of those devices so they don't have to run WS as root. The right approach is to make dumpcap SUID root, but only executable by authorized users. See the link above.
That only works if they intend to use dumpcap from the command line to dump the packet capture to a file which will be analyzed off-line. It doesn't allow the Wireshark GUI to capture interactively - no capture interfaces will be listed.
In fact, I suspect the only way your method would fully work would be to make similar changes to some of the binary files inside the Wireshark.app bundle.
I've also tested it and it doesn't work for me. Perhaps it's a version specific thing - I'm running the Development Build, not the Stable Build. Whatever the reason, however, it doesn't work for me.
Aha! I see now, you're using the MacPorts (or is it Fink?) version of Wireshark.
Here's an interesting thing...any app launched from /Applications holds only the permissions of the user launching the app, regardless of the owner (presumably because anyone, including "root" can install applications into /Applications). In fact, you could "chown -R root:wheel /Applications/*" and it would make no difference - every app will launch with your permissions only (it's easy to verify, find an app owned by root, launch it and then check in Activity Monitor).
So, anyone who has installed Wireshark from the "native .dmg" by drag-and-dropping won't be able to use the suid trick because the OS will ignore the suid permissions. They'll have to modify the devfs permissions for the bpf devices. The suid method will only work for Macports and Fink installations (assuming that it works for executables in /sw as well as /opt).
Learned something new today! Thanks.
...any app launched from /Applications holds only the permissions of the user launching the app, regardless of the owner (presumably because anyone, including "root" can install applications into /Applications).
It has nothing to do with where the application is installed. Any executable runs with the permissions of the user who runs it. The only exception is a binary executable with the SUID or SGID bit set, and then only if it's on the root device, and only if it's not an Aqua application. The SG/UID bits are ignored otherwise.
So, anyone who has installed Wireshark from the "native .dmg" by drag-and-dropping won't be able to use the suid trick because the OS will ignore the suid permissions.
Sorry, I don't understand this at all. Wireshark invokes dumpcap as a child process to capture packets. If dumpcap is installed anywhere on the root device as SUID root, then it will run as root regardless of who invokes it.
The suid method will only work for Macports and Fink installations...
That's not correct. There are many SUID or SGID executables in a default installation of the Mac OS, and none of them comes from MacPorts or Fink.
Oh, for $&#^$*%...of course, I knew all of that. But got so caught up in thinking I figured out "the problem" that I forgot what I knew...
$*%&^
Still, doesn't answer why I've never been able to use suid on dumpcap to make Wireshark work. And I did try it again earlier before posting in the first place just to be certain - without playing with the bpf devices in the devfs, Wireshark doesn't "see" any interfaces, regardless of the settings on dumpcap. Now maybe it could still spawn a working dumpcap process...but without being able to select an interface in the GUI, that doesn't do much good.
Have to play around with it some more, I guess...
Don't. Do this instead.
No, it works fine, I use it that way myself; otherwise I wouldn't have suggested it.
I just tested again with version 1.4.6, and it works for me.
$ ls -le /opt/local/bin/dumpcap
-rwsr--r--+ 2 root wheel 66856 Apr 18 22:36 /opt/local/bin/dumpcap
0: user:my_user_name allow execute
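A check for the setup shown in the listing above, added here as an example and not part of any poster's message or of Wireshark: it reads `ls -le` output and reports whether the binary is setuid root with write and execute withheld from group and other, listing the ACL entries that grant execute. The function name and verdict strings are assumptions, and the second sample listing is constructed.

```shell
#!/bin/sh
# Added example: check `ls -le` output (macOS long listing with ACLs) for a
# setuid-root helper whose execute right is limited to named users.
# audit_suid_listing is a hypothetical helper name; it reads one file's
# listing on stdin and prints a single verdict line.
audit_suid_listing() {
  awk '
    NR == 1 {
      mode = $1; owner = $3
      if (substr(mode, 4, 1) != "s") problems = problems " not-setuid"
      if (owner != "root")           problems = problems " owner-not-root"
      # Group/other write would let a non-owner replace a root-run binary.
      if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w")
        problems = problems " writable-by-group-or-other"
      # Group/other execute opens the setuid binary beyond the ACL list.
      if (substr(mode, 7, 1) ~ /[xs]/ || substr(mode, 10, 1) ~ /[xt]/)
        problems = problems " executable-by-group-or-other"
      next
    }
    # ACL lines look like " 0: user:NAME allow execute"; flags such as
    # "inherited" may sit before "allow", so locate that field first.
    $1 ~ /^[0-9]+:$/ {
      for (i = 3; i < NF; i++)
        if ($i == "allow" && ("," $(i + 1) ",") ~ /,execute,/)
          allowed = allowed (allowed ? "," : "") $2
    }
    END {
      if (problems != "") print "REVIEW:" problems
      else print "OK: setuid root; ACL grants execute to: " (allowed ? allowed : "nobody")
    }'
}

# Listing as posted in the thread.
printf '%s\n' '-rwsr--r--+ 2 root wheel 66856 Apr 18 22:36 /opt/local/bin/dumpcap' \
  ' 0: user:my_user_name allow execute' | audit_suid_listing
# Constructed counter-example: setuid root but executable by every local user.
printf '%s\n' '-rwsr-xr-x 1 root wheel 66856 Apr 18 22:36 /opt/local/bin/dumpcap' \
  | audit_suid_listing
```

On a real system the input would come from `ls -le` on the dumpcap path in use.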
@ Wolfman,
I appreciate you helping me 🙂
But I think it mustn't be so difficult.
Regards,
Loekie
@ Linc,
Thanks! 🙂
I'm not so (good) in these commands/language.
Don't know what I'm doing, if I change this.
And how to restore if things go wrong.
Which simpler ways are there?
Regards,
Loekie
Which simpler ways are there?
There is no simpler way. If this is too technical, then Wireshark isn't for you.
@ Linc,
I'm more a WAN network guy, not a Linux/Unix.
Anyway, thanks.
Regards,
Loekie