Mac OS X: How to capture a packet trace

In this advanced article, learn how to capture a packet trace; for example, you may be asked to do this when troubleshooting a network connectivity issue. These steps use Terminal and the tcpdump command; if you are not familiar with using the Terminal, you may want to use third-party software that can perform a packet trace instead.

First, follow these steps

  1. Log in to your Mac with an administrator account if you aren't already.
  2. Open System Profiler either by locating it in the Utilities folder (choose Go > Utilities while in the Finder), or by Option-clicking the Apple menu and choosing System Profiler.
  3. In System Profiler, select the Network interface that you need to capture the packet trace for (such as AirPort or Ethernet).
  4. Make note of the "BSD Device Name" of the interface.
  5. In the example below, the BSD Device Name for the AirPort interface is "en1", the BSD Device Name for Ethernet is "en0", and so forth.

Note: Mac Pro computers have two Ethernet ports; the BSD Device Names of en0 and en1 will be used for the Ethernet interfaces (your Ethernet cable could be connected to either).  If a Mac Pro also has an AirPort interface, the AirPort BSD Device Name will be en2.

Note: MacBook Air computers use a BSD Device Name of en0 for their AirPort interface.

The next set of steps to use depends on whether you use Mac OS X v10.5 or 10.6.

Follow these steps for OS X Lion and Mac OS X v10.6 Snow Leopard

  1. Make sure your Mac is using the network interface that you want to capture a trace for (you can check Network preferences), such as AirPort or Ethernet.
  2. Open Terminal (located in /Applications/Utilities).
  3. Type, or copy and paste, the appropriate Terminal command below depending on your network interface; press Return to execute the command. (Enter your admin password when prompted.)

    Note: These commands use the numeral 0, not the letter O.
    1. If you're using an AirPort network interface, type or paste this command (if you use a Mac Pro you may need to change en1 to en2 as noted above):

      sudo tcpdump -i en1 -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap

    2. If you're using an Ethernet network interface, type or paste this command (if you use a Mac Pro you may need to change en0 to en1 as noted above):

      sudo tcpdump -i en0 -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap

    3. If you're using a VPN interface, type or paste this command:

      sudo tcpdump -i ppp0 -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap

  4. Terminal should display "tcpdump: listening on…". Access the network function you want to capture for, and let it run to completion.
  5. Once the network function is completed, go back to Terminal and press Control-C to complete the packet trace capture.

A file named "DumpFile01.pcap" containing your captured packet trace will appear on the desktop. If you want to display its contents, use this command in Terminal:

tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/DumpFile01.pcap

Note: For subsequent packet trace captures, increment the file name number, such as DumpFile02.pcap, DumpFile03.pcap, and so forth.

Follow these steps for Mac OS X v10.5 Leopard

  1. Make sure your Mac is using the network interface that you want to capture a trace for (you can check Network preferences), such as AirPort or Ethernet.
  2. Open Terminal (located in /Applications/Utilities).
  3. Type, or copy and paste, the appropriate Terminal command below depending on your network interface; press Return to execute the command. (Enter your admin password when prompted.)
    Note: These commands use the numeral 0, not the letter O.
    1. If you're using an AirPort network interface, type or paste this command (if you use a Mac Pro you may need to change en1 to en2 as noted above):

      sudo tcpdump -i en1 -s 0 -w ~/Desktop/DumpFile01.pcap

    2. If you're using an Ethernet network interface, type or paste this command (if you use a Mac Pro you may need to change en0 to en1 as noted above):

      sudo tcpdump -i en0 -s 0 -w ~/Desktop/DumpFile01.pcap

    3. If you're using a VPN or dial up (PPP) interface, type or paste this command:

      sudo tcpdump -i ppp0 -s 0 -w ~/Desktop/DumpFile01.pcap

  4. Terminal should display "tcpdump: listening on…". Access the network function you want to capture for, and let it run to completion.
  5. Once the network function is completed, go back to Terminal and press Control-C to complete the packet trace capture.

A file named "DumpFile01.pcap" containing your captured packet trace will appear on the desktop. If you want to display its contents, use this command in Terminal:

tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/DumpFile01.pcap

Note: For subsequent packet trace captures, increment the file name number, such as DumpFile02.pcap, DumpFile03.pcap, and so forth.
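As an added example, not part of the Apple article, the following POSIX shell functions wrap the commands from both sets of steps above. next_dump_file picks the next unused DumpFileNN.pcap name in a directory, so repeated captures follow the "increment the file name number" note automatically instead of overwriting an earlier trace; capture_trace runs tcpdump with the same flags as the Lion/Snow Leopard commands (drop -B for Leopard); read_trace prints a saved trace with the MAC addresses and absolute timestamps you will be asked to report. The function names are my own, and the -tttt and -K tcpdump options are my additions (-K, which skips TCP checksum verification, needs tcpdump 4.0 or later).

```shell
#!/bin/sh
# Added example (not from the Apple article): helpers around the tcpdump
# commands shown in the steps above.

# Print the next unused DumpFileNN.pcap path in directory $1 (default: ~/Desktop).
# Existing files are skipped, so DumpFile01, DumpFile02, ... are never overwritten.
next_dump_file() {
    dir=${1:-"$HOME/Desktop"}
    n=1
    while :; do
        name=$(printf 'DumpFile%02d.pcap' "$n")
        if [ ! -e "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
        n=$((n + 1))
    done
}

# Capture on interface $1 (en0, en1, ppp0, ...) into the next free file in $2.
# Same flags as the article: -s 0 keeps whole packets, -B enlarges the capture
# buffer so bursts are not dropped. Stop with Control-C, as in step 5.
capture_trace() {
    iface=$1
    out=$(next_dump_file "$2")
    echo "Capturing $iface to $out (press Control-C to stop)"
    sudo tcpdump -i "$iface" -s 0 -B 524288 -w "$out"
}

# Read back a capture file $1; any further arguments form a tcpdump filter
# (for example: read_trace ~/Desktop/DumpFile01.pcap host 10.0.1.5).
# -n avoids DNS lookups, -e shows MAC addresses, -tttt prints absolute
# timestamps. -K skips TCP checksum verification, so packets sent by this Mac
# are not flagged "bad" because of checksum offloading (tcpdump 4.0 or later).
read_trace() {
    file=$1
    shift
    tcpdump -K -n -e -tttt -r "$file" "$@"
}
```

Source the file in Terminal (for example `. ./trace.sh`), then run `capture_trace en0` and later `read_trace ~/Desktop/DumpFile01.pcap`; the filter arguments let you narrow the display to one host when matching the trace against the computers listed in the next section.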

Learn more

To help isolate an issue, for each computer shown in the captured packet trace you should be able to describe the following:

  • The computer's role in the network activity.
  • The computer type and operating system version.
  • The computer's IP address.
  • The computer's media access control (MAC) address, which is also known as the Ethernet address, hardware address, or AirPort ID.
  • The time you started the capture, and the time at which the network events that caused the issue happened (or failed to happen).
  • If possible, note the destination IP address.

Note: If you are troubleshooting the connection between an AirPort base station and a broadband modem, be sure to restart the base station so that you capture its interactions with the ISP during the startup cycle. You can restart it by disconnecting and reconnecting its power supply, or by using AirPort Admin Utility. This is best done by connecting the base station, modem, and capturing computer to an Ethernet hub (not a switch). Be sure to set the capturing computer's IP address so that it does not take the DHCP lease that the base station will need. A manually assigned 169.254.x.x address should suffice.

Tip: tcpdump may inaccurately display the TCP checksum of packets sent by your Mac as "bad". This is because of TCP checksum offloading; packets sent by your Mac are captured before being handed to the network adapter, so they don't have the TCP checksum set correctly. This issue can be safely ignored.

See this developer article for more advanced information.

Last Modified: Jul 14, 2014
Article: HT3994