How to get Wireshark running in Mac OS X Yosemite

The other day I was playing with a network simulator called GNS3.

GNS3 is a hardware emulation package (or as recondite geeks like to say “hypervisor”) that lets you set up and connect virtual appliances like Cisco routers and switches. It’s great because you can set up complete networks, Windows 2012 Active Directory domain controllers, web servers or really any network topology your incandescent mind can dream up. And the entire network environment is insular. It doesn’t interfere with your production network. So you can test and break things without any worries. GNS3 is a great tool. It’s free and can keep you entertained for hours.

I’ve used GNS3 on my Windows 8.1 machine but never on my Mac.

So I’m new to this whole thing – but I figured I’d share what I learned today.

After setting up the app, I realized if I right-clicked a virtual ethernet cable (the black lines that connect the devices) a pop-up would sprout telling me that I could start a capture.

Start a packet capture in GNS3

Intrigued, I realized that I could capture packets between my virtual devices and analyze the protocols!  This really got me going because I knew it would help me understand how the protocols worked and really grasp the fundamentals of TCP/IP networking.

So what did I do?

Well, GNS3 doesn’t ship with a protocol analyzer so I needed to get my own.

Wireshark is my favorite on the PC so I went on the hunt for a version available for Mac. wireshark.org had exactly what I needed.

Wireshark for Mac

I quickly grabbed the DMG, dumped it in my Applications folder (Shift + Command + a) and fired up the app.

The blue dorsal fin icon began to bounce in the Dock as if to say “Look at me! Look at Me!” but then something unexpected happened…

I was greeted with a screen asking me where something called X11 was located?

Mac OS X Where is X11

What the heck is X11 and why didn’t this happen on my PC?

I did some Googling and discovered X11 is the thing that makes UNIX pretty. It’s the graphical user interface (GUI) for UNIX apps. Back in the late 90s when I left the dark and austere world of MS-DOS for Windows 95, UNIXphiles were dragging and minimizing windows in a system called X-Windows (or sometimes X11).

Wireshark needs the X11 interface to run. I needed to get this X11 thing.

Fortunately this turned out to be super easy. There’s a nifty little program called XQuartz that lets Mac users run applications that need the X11 environment. To run Wireshark all I needed to do was download and install XQuartz.

The installer breezed through the first 5/8ths of the process but then seemed to hang on Running package scripts where it ironically said I had about a minute remaining in the install time.

Don’t you hate it when that happens?  The installer makes you wait until 99%.  There’s a single pixel of space between it and the 100% mark but then it just gives up and says “Ha, I was just kidding! I’m going to make you wait even longer”

Man that was one looooong minute.  It was probably stuck here for 15 full minutes.  I actually thought the application froze but it was really just moving at a glacial pace.

Installing XQuartz in Mac OS X Yosemite

Once the second ice age passes, click the Wireshark icon and wait an equally long time for it to start up. For some reason it took my poor Macbook Air an eternity to start the app.

If that happens to you, press Command + q to quit Wireshark; the second time it starts up you should see the Where is X11? window again.

But this time we have it – we know exactly where X11 is – we just need to know where to look.

Click Browse and scroll down to X11 in the Utilities folder.

Where is XQuartz?

After clicking Choose in the bottom right corner of the Finder, you’ll see Wireshark attempt to start up but it still needs a little help. The XQuartz icon should automatically leap into your dock after you attempt to open Wireshark (Command + Shift, “wireshark”).

It’ll still take a while for the application to start up the first time; however, I expedited the process by closing and reopening the application three times before it caught on.

Don’t worry. If you installed XQuartz, Wireshark will load; you just have to wait about five minutes before it opens on the initial load.

Wireshark for Mac in action

Thank God this was only the case for the initial start.  Subsequent starts opened appreciably quicker.

Now back in GNS3, it’s really easy to capture traffic in your virtual lab.

Start all your devices (or all relevant devices) by clicking the Play button, then right-click the link and choose Start Capture. A new Wireshark instance will spawn.

Right now it looks empty because my Virtual PC isn’t doing anything.

Wireshark capturing traffic in GNS3

But we can spit out a few pings to change that!

Pinging stuff in GNS3

Wow look at that.

You can actually see the ICMP echo replies and responses in the output when I ping my default gateway of 10.0.0.1.

There you go.
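The ping exchange described above, decoded the way Wireshark presents it. This is an added example, not code from the original post: it builds a constructed Ethernet pcap (the PC address 10.0.0.2, the MAC addresses, the payload and the Ethernet link type are assumptions), then pairs ICMP echo requests (type 8) with echo replies (type 0) to list the pings that went unanswered.

```python
import struct

def icmp_checksum(data):
    """RFC 1071 checksum; yields 0 over a message whose checksum is valid."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_pcap(packets):
    """Constructed sample capture: little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, (src, dst, icmp_type, ident, seq) in enumerate(packets):
        body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"gns3-lab"
        body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
        ip = struct.pack("!BxH4xBB2x4s4s", 0x45, 20 + len(body), 64, 1, src, dst)
        frame = b"\x02" * 12 + b"\x08\x00" + ip + body  # placeholder MACs, IP checksum 0
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out

def icmp_echoes(pcap):
    """Yield (src, dst, icmp_type, ident, seq, checksum_ok) per ICMP echo packet."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue  # not IPv4 carrying ICMP
        ihl = (frame[14] & 0x0F) * 4
        icmp = frame[14 + ihl:14 + struct.unpack_from("!H", frame, 16)[0]]
        if len(icmp) >= 8 and icmp[0] in (0, 8):  # echo reply / echo request
            ident, seq = struct.unpack_from("!HH", icmp, 4)
            src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
            yield src, dst, icmp[0], ident, seq, icmp_checksum(icmp) == 0

def unanswered(pcap):
    """Sequence numbers of echo requests that got no valid matching reply."""
    pending = {}
    for src, dst, icmp_type, ident, seq, ok in icmp_echoes(pcap):
        if icmp_type == 8:
            pending[(src, dst, ident, seq)] = seq
        elif ok:
            pending.pop((dst, src, ident, seq), None)
    return sorted(pending.values())

PC, GW = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])  # PC address is assumed
SAMPLE = build_pcap([(PC, GW, 8, 7, 1), (GW, PC, 0, 7, 1), (PC, GW, 8, 7, 2)])
```

A reply whose checksum does not verify is treated as no reply, so a corrupted capture shows up as an unanswered ping rather than a clean exchange.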

This may sound stupid but I literally spent hours trying to figure out how to get Wireshark working on my Mac.  I didn’t want you to share my discomfiting journey so I figured I owed it to you…. I figured it was my duty to share how I did this.

I hope it helps!  Cheers.


Connect with Vonnie on Twitter

Posted in Mac OS X 10.10 Yosemite
  • Thanks for taking the time to write about it; it’s really helpful if you are lost and don’t know how to do it. I’d already done this before reading the post, but it’s good to have it well explained.

    I’ve downloaded the new BETA version of Wireshark (development release 1.99), without XQUARTZ installed, and IT WORKS!

    Just my 2 cents.

    • Thanks. Saved me from having to download XQUARTZ and more thanks to the article author for such details that led to this comment 😀

  • Bymynishus

    I installed XQuartz but it doesn’t create an X11.app in my Utilities folder. Just an XQuartz.app in there. Clicking that gives me an xterm so I assume X11 is installed… somewhere. But searching my computer doesn’t find an X11.app though there are a lot of support files in /opt.

    Pointing Wireshark to XQuartz ends in failure as it just opens a terminal screen when you start Wireshark.

    Wireshark 2.0.1 doesn’t work without XQuartz like it seems to work for the other users here.