[tonywebster]

This is a fresh OS X install on a test machine :/

[tptacek]

I don't know what to tell you. Normal users can't tcpdump loopback on OSX, or anywhere else.

    > $ ls -l /dev/bpf*                                                                      
    crw-------  1 root  wheel   23,   0 Feb 29 07:59 /dev/bpf0
    crw-------  1 root  wheel   23,   1 Feb 29 07:59 /dev/bpf1
    crw-------  1 root  wheel   23,   2 Mar  2 11:11 /dev/bpf2
    crw-------  1 root  wheel   23,   3 Mar  2 10:07 /dev/bpf3
    crw-------  1 root  wheel   23,   4 Feb 29 08:11 /dev/bpf4

[tshtf]

Works for me too on OS X. sudo is not needed to run tcpdump for any interfaces.

$ ls -l /dev/bpf*

crw-rw---- 1 root access_bpf 23, 0 Mar 1 09:18 /dev/bpf0

Edit: Wireshark is installed

[tptacek]

Did you install Wireshark? Did you let it reconfigure your system? Is your current user in the "access_bpf" group?

Later

Yes. Your system is misconfigured. Don't let Wireshark do that.

[pvg]

It looks like Wireshark will happily keep your system permanently misconfigured. To fix it, disable

/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

This actually seems like a much crummier thing than the 1Password non-thing.