tcpdump - macOS


Overview

tcpdump is a command-line tool that captures and analyzes network traffic on macOS. It lets you monitor and troubleshoot network problems, identify performance bottlenecks, and inspect raw traffic for suspicious or unexpected activity.

Syntax

tcpdump [options] [expression]

Options/Flags

  • -i interface: Network interface to monitor.
  • -s snaplen: Number of bytes to capture from each packet, the snapshot length (default: 68). Packets longer than this are stored truncated.
  • -c count: Stop after capturing count packets (default: unlimited).
  • -w file: Write packets to a file for later analysis.
  • -G n: Capture packets in groups of n (default: 1).
  • -nn: Don’t resolve hostnames or port numbers to names (faster capture, and no DNS lookups are generated for the addresses seen).
  • -vv: Verbose output with additional details.
  • -X: Print packets in hex and ASCII format.
  • -t: Print a timestamp with each packet.
  • -S: Use absolute timestamps (seconds since epoch).

Examples

Capture all traffic on interface en0:

tcpdump -i en0

Capture the first 100 packets on interface en1:

tcpdump -i en1 -c 100

Save packets to a file:

tcpdump -i en0 -w capture.pcap

Capture only TCP packets:

tcpdump -i en0 tcp

Filter packets by destination port:

tcpdump -i en0 dst port 80
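To check what a file written with -w actually contains, including whether packets were cut short by the snaplen in force (-s), here is an added Python parser for the classic pcap format that tcpdump writes; it is example code, not part of tcpdump, and the sample file it builds is constructed inline.

```python
import struct
from typing import NamedTuple

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond / nanosecond timestamp variants
GLOBAL_HDR = 24  # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16  # ts_sec, ts_frac, incl_len, orig_len


class PcapSummary(NamedTuple):
    snaplen: int        # snapshot length stored in the header (tcpdump -s)
    linktype: int       # link-layer type, e.g. 1 = Ethernet
    packets: int        # number of records in the file
    truncated: int      # records holding fewer bytes than were on the wire
    bytes_on_wire: int  # sum of original packet lengths


def summarize_pcap(data: bytes) -> PcapSummary:
    """Walk a classic pcap file (as written by 'tcpdump -w') and summarize it."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("shorter than the 24-byte pcap global header")
    # tcpdump writes the file in host byte order; detect it from the magic number.
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (bad magic number)")
    snaplen, linktype = struct.unpack_from(endian + "II", data, 16)
    packets = truncated = bytes_on_wire = 0
    offset = GLOBAL_HDR
    while offset + RECORD_HDR <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        if incl_len > snaplen or offset + RECORD_HDR + incl_len > len(data):
            raise ValueError(f"corrupt record header at offset {offset}")
        packets += 1
        bytes_on_wire += orig_len
        if incl_len < orig_len:
            truncated += 1  # cut short by the snaplen in force when captured
        offset += RECORD_HDR + incl_len
    if offset != len(data):
        raise ValueError("trailing bytes after the last record (interrupted write?)")
    return PcapSummary(snaplen, linktype, packets, truncated, bytes_on_wire)


def build_sample_pcap(snaplen: int = 68) -> bytes:
    """Constructed input: a 60-byte frame and a 1514-byte frame cut to snaplen."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    rec1 = struct.pack("<IIII", 1700000000, 0, 60, 60) + b"\x00" * 60
    rec2 = struct.pack("<IIII", 1700000001, 500, snaplen, 1514) + b"\xff" * snaplen
    return hdr + rec1 + rec2
```

Run summarize_pcap(open("capture.pcap", "rb").read()) against a file from the -w example above; a non-zero truncated count means the snaplen was too small for full-packet analysis.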

Common Issues

  • “Permission denied” error: Ensure you have sufficient privileges to run tcpdump (e.g., sudo).
  • No packets captured: Check the network interface and ensure it’s active.
  • Large capture file: Limit the number of packets (-c) or rotate the capture file, for example with -C size and -W count to keep a fixed ring of files, to avoid excessive storage usage.

Integration

  • tcpdump | wireshark: Pipe capture output to Wireshark for advanced analysis.
  • tcpdump | tshark -r file: Process saved capture files using TShark.
  • tcpreplay -i file: Replay captured packets for testing or debugging.
  • netstat: Display network statistics and connections.
  • ifconfig: Configure and inspect network interfaces.
  • ping: Test network connectivity.
  • traceroute: Trace the route packets take to a destination.