diff --git a/wireshark-chmodbpf b/wireshark-chmodbpf
new file mode 100755
index 0000000..8564790
--- /dev/null
+++ sbin/wireshark-chmodbpf
@@ -0,0 +1,41 @@
+#! /bin/zsh
+# shellcheck shell=bash
+
+#
+# Unfortunately, macOS's devfs is based on the old FreeBSD
+# one, not the current one, so there's no way to configure it
+# to create BPF devices with particular owners or groups. BPF
+# devices on macOS are also non-cloning, that is they can
+# be created on demand at any time. This startup item will
+# pre-create a number of BPF devices, then make them owned by
+# the access_bpf group, with permissions rw-rw----, so that
+# anybody in the access_bpf group can use programs that capture
+# or send raw packets.
+#
+# Change this as appropriate for your site, e.g. to make
+# it owned by a particular user without changing the permissions,
+# so only that user and the super-user can capture or send raw
+# packets, or give it the permissions rw-r-----, so that
+# only the super-user can send raw packets but anybody in the
+# admin group can capture packets.
+#
+
+# Pre-create BPF devices. Set to 0 to disable.
+FORCE_CREATE_BPF_MAX=256
+
+SYSCTL_MAX=$( sysctl -n debug.bpf_maxdevices )
+if [ "$FORCE_CREATE_BPF_MAX" -gt "$SYSCTL_MAX" ] ; then
+	FORCE_CREATE_BPF_MAX=$SYSCTL_MAX
+fi
+
+syslog -s -l notice "ChmodBPF: Forcing creation and setting permissions for /dev/bpf0-$(( FORCE_CREATE_BPF_MAX - 1))"
+
+CUR_DEV=0
+while [ "$CUR_DEV" -lt "$FORCE_CREATE_BPF_MAX" ] ; do
+	# Try to do the minimum necessary to trigger the next device.
+	read -r -n 0 < /dev/bpf$CUR_DEV > /dev/null 2>&1
+	CUR_DEV=$(( CUR_DEV + 1 ))
+done
+
+chgrp @BPF_GROUP@ /dev/bpf*
+chmod g+r /dev/bpf*