Saving a packet trace in Mac OS X

  • Last Modified: December 20, 2007
  • Article: TA21467
  • Old Article: 107952

Products Affected

Mac OS X 10.4, Mac OS X 10.3, Mac OS X 10.2, Mac OS X 10.0, Mac OS X 10.5

If you need to get a packet trace and you don't already have a favorite utility for doing so, you can use the tcpdump command line tool. All versions of Mac OS X include this tool, as do many other Unix-style platforms. Note: The BSD subsystem must be installed in order to use tcpdump.

  1. Log in with an administrator account.

  2. Open Terminal (/Applications/Utilities).

  3. To start the trace, you will type a command, followed by the Return key. The command you choose needs to match the way your computer connects to the Internet.

    For built-in Ethernet, type:

    sudo tcpdump -i en0 -vvv -n -s 0 -w ~/Desktop/DumpFile.dmp

    Note: Both "en0" and "-s 0" include a zero, not the letter O.

    For AirPort, type:

    sudo tcpdump -i en1 -vvv -n -s 0 -w ~/Desktop/DumpFile.dmp

    Note: "-s 0" includes a zero (0), not the letter O.

    For a VPN connection or a dial-up modem (PPP), type:

    sudo tcpdump -i ppp0 -vvv -n -s 0 -w ~/Desktop/DumpFile.dmp

    Note: Both "ppp0" and "-s 0" include a zero, not the letter O.

  4. When prompted for a password, enter the one for your administrator account. You'll see a message in Terminal such as "tcpdump: listening on en0..." which lets you know the computer is actively capturing network traffic.

  5. Now, perform the network activities that involve the issue you're trying to capture packets for.

    Note: If you are troubleshooting the connection between an AirPort base station and a broadband modem, be sure to restart the base station so that you capture its interactions with the ISP during the startup cycle. You can restart it by unplugging and replugging its power supply, or by using AirPort Admin Utility. This is best done by connecting the base station, modem, and capturing computer to a "dumb" Ethernet hub (not a switch). Be sure to set the capturing computer's IP address so that it does not take the DHCP lease that the base station will need. A manually assigned 169.254.x.x address should suffice.

  6. When you're ready to stop capturing packets, click the Terminal window to bring it to the foreground.

  7. Press Control-C.

For each relevant computer shown in the trace, describe the following:

  • The computer's role in the network activity.
  • The system type and operating system version.
  • The computer's IP address.
  • The computer's media access control (MAC) address, which is also known as the Ethernet address, hardware address, or AirPort ID.
  • The time you started the capture and the times of the network events that caused your issue to occur (or not occur).
  • If possible, note the destination IP address.

Tip: On computers with additional network interfaces, such as an added Ethernet card or USB network adapter, you may need to use the System Profiler utility, which lists all configured network interfaces. Ports have identifiers such as "en0", "en1", and "ppp0" in the commands above; to capture on the desired port, substitute its identifier into the command.
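
Once the trace is saved, the per-computer details listed above (IP address, MAC address, first and last time seen) can be pulled straight from DumpFile.dmp, because the file that "tcpdump -w" writes is in libpcap format. The following parser is an added example and not part of Apple's article; it handles Ethernet (en0/en1) captures only, and the MAC and IP addresses in SAMPLE_PCAP are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1   # en0/en1 captures; a ppp0 capture uses a different link type
ETHERTYPE_IPV4 = 0x0800

def read_pcap(data):
    """Yield (utc_time, src_mac, src_ip, dst_ip) for each IPv4 frame in a libpcap file."""
    magic = data[:4]                       # the magic number also reveals the byte order
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap capture")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    off = 24                               # skip the 24-byte global header
    while off + 16 <= len(data):           # a 16-byte record header precedes each frame
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # need Ethernet (14) + minimal IPv4 (20) header, and an IPv4 ethertype
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ts = datetime.fromtimestamp(ts_sec + ts_usec / 1e6, tz=timezone.utc)
        mac = ":".join(f"{b:02x}" for b in frame[6:12])          # source MAC
        src_ip, dst_ip = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        yield ts, mac, src_ip, dst_ip

def inventory(data):
    """Per sending IP: its MAC, first/last time seen, and the destinations it talked to."""
    hosts = {}
    for ts, mac, sip, dip in read_pcap(data):
        h = hosts.setdefault(sip, {"mac": mac, "first": ts, "last": ts, "talked_to": set()})
        h["last"] = ts
        h["talked_to"].add(dip)
    return hosts

# Constructed sample capture, laid out as "tcpdump -w" writes it on a little-endian Mac.
def _frame(ts_sec, src_mac, dst_mac, src_ip, dst_ip):
    ip_hdr = bytes([0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 6, 0, 0]) + src_ip + dst_ip
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    return struct.pack("<IIII", ts_sec, 0, len(eth), len(eth)) + eth

BASE, MODEM = b"\x00\x11\x24\xaa\xbb\xcc", b"\x00\x0d\x93\x01\x02\x03"  # made-up MACs
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + _frame(1198108800, BASE, MODEM, bytes([10, 0, 1, 2]), bytes([10, 0, 1, 1]))
               + _frame(1198108801, MODEM, BASE, bytes([10, 0, 1, 1]), bytes([10, 0, 1, 2])))
```

Only the source MAC is tied to an IP address, since the destination MAC of a frame bound off the local network is the router's, not the remote computer's.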


Mac OS X 10.5 Leopard

Leopard's tcpdump introduces the "-K" option, which skips checksum verification, for use alongside "-vvv". For Leopard, add -K after -vvv if your Ethernet hardware computes TCP checksums itself (checksum offloading), since outgoing packets would otherwise be reported with incorrect checksums; for example:

sudo tcpdump -i en0 -vvv -K -n -s 0 -w ~/Desktop/DumpFile.dmp
