Capture a packet trace using Terminal in OS X

If you know how to read a packet trace, you may find it useful when diagnosing issues with a network connection.

Get the BSD device name of the network interface

  1. Log in to your Mac with an administrator account.
  2. Hold down the Option key, then choose Apple menu > System Information (or System Profiler).
  3. Select Network from the list on the left side of the System Information window. 
  4. Select the network interface (such as Wi-Fi or Ethernet) from the list of active services on the right side of the window.
  5. From the details section at the bottom of the window, find "BSD Device Name." In the example pictured, the BSD device name for Wi-Fi is en0.

System Information window

Capture the packet trace

  1. Open Terminal, which is in the Utilities folder of your Applications folder.
  2. Type the following command, but replace BSDname with the BSD device name (such as en0, en1, or ppp0) from System Information: 

    sudo tcpdump -i BSDname -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap

  3. Press Return, then enter your administrator password when prompted.
  4. Terminal should say tcpdump: listening on... to indicate that it's listening for activity on that network interface.
  5. While Terminal is open, perform the network function that you want to test.
  6. When the network function is complete, return to Terminal and press Control-C to stop the capture. Terminal saves the packet trace to your desktop in a file named "DumpFile01.pcap."
  7. To see the contents of the file, use this command in Terminal:

    tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/DumpFile01.pcap

  8. To capture additional packet traces, modify the Terminal command to increment the number of the saved file (DumpFile02.pcap, DumpFile03.pcap, and so on).

Learn more

The Apple Developer website has more information about packet traces. When troubleshooting a network connection, you should know your computer's model, version of OS X, IP address (and the destination IP address), and media access control (MAC) address. You should also understand your computer's role in the network activity, as well as the time of each network event associated with the issue.

When troubleshooting the connection between an AirPort Base Station and a broadband modem, restart the base station and capture its interactions with the Internet service provider while it starts up. You can restart the base station using AirPort Utility, or by briefly unplugging it from power. While testing, it's best if the base station, modem, and capturing computer are connected to an Ethernet hub, not a switch. You should also manually assign the capturing computer's IP address so that it doesn't take the DHCP lease that the base station needs (a 169.254.x.x address should suffice).

The packet trace may show that the TCP checksum of packets sent by the Mac is "bad." This is because the packet trace is being captured at the link layer of the network stack, which is just before the physical network adapter where checksums are generated. This can be safely ignored.
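
The following is an added example, not part of the original article: it recomputes the TCP checksum of captured frames and labels each one by direction, so that "bad" checksums on frames sent by the capturing Mac can be told apart from bad checksums on received frames. The MAC and IP addresses, the function names, and the sample frames are all constructed for illustration; the sample frames leave the IPv4 header checksum unset because only the TCP checksum is examined.

```python
import struct

# Constructed sample addresses (documentation ranges, locally administered MACs).
LOCAL_MAC, PEER_MAC = bytes.fromhex("02005e000001"), bytes.fromhex("02005e000002")
LOCAL_IP, PEER_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])

def csum16(data: bytes) -> int:
    """16-bit one's-complement sum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(ip: bytes) -> bool:
    """Verify the TCP checksum of an IPv4 packet (pseudo-header + segment)."""
    ihl = (ip[0] & 0x0F) * 4
    seg = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return csum16(pseudo + seg) == 0xFFFF

def classify(frame: bytes, local_mac: bytes = LOCAL_MAC) -> str:
    """Label an Ethernet/IPv4/TCP frame by checksum state and direction."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return "not-ipv4-tcp"
    if tcp_checksum_ok(frame[14:]):
        return "ok"
    # Source MAC is ours: captured before the adapter generated the checksum.
    return "bad-sent-by-this-mac" if frame[6:12] == local_mac else "bad-received"

def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload, fill_checksum):
    """Build a constructed sample frame; fill_checksum=False leaves the TCP
    checksum field empty, as a capture taken before the adapter would see it."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_ip, dst_ip)
    if fill_checksum:
        pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", 0xFFFF - csum16(pseudo + tcp)) + tcp[18:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def demo():
    body = b"GET / HTTP/1.1\r\n"  # constructed payload
    return [classify(build_frame(LOCAL_MAC, PEER_MAC, LOCAL_IP, PEER_IP, body, False)),
            classify(build_frame(LOCAL_MAC, PEER_MAC, LOCAL_IP, PEER_IP, body, True)),
            classify(build_frame(PEER_MAC, LOCAL_MAC, PEER_IP, LOCAL_IP, body, False))]

if __name__ == "__main__":
    print(demo())
```

Only the "bad-sent-by-this-mac" label corresponds to the case described above; the article's explanation does not cover a bad checksum on a received frame.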
