How to use TCPDUMP

10:24 AM

This command line tool is included with all versions of Mac OS X, and is also available on many other Unix platforms. To get started, try the following command.

sudo tcpdump -i en0 -s 0 -w DumpFile.dmp

The sudo command runs tcpdump with root privileges, which are necessary to open the interface for capture in promiscuous mode.

The -i en0 option tells tcpdump to capture packets on the first Ethernet interface. You need to select an interface; there is no default. For a list of interfaces, type ifconfig -a. Mac OS X 10.1 and later provide packet capture support on PPP, so you can also specify a PPP interface here (for example, -i ppp0).

The -s 0 option requests the full packet rather than just the first 68 bytes.

The -w DumpFile.dmp option tells tcpdump to write the raw packets to a file called DumpFile.dmp instead of printing them.

In response to this command, tcpdump begins capturing packets and writing them to DumpFile.dmp. When you want to stop capturing, interrupt tcpdump by typing Control-C (^C). You can then display the contents of the captured packets as text using the following command.

tcpdump -s 0 -n -e -x -vvv -r DumpFile.dmp

The -n option means that addresses are not converted to domain names, which speeds things up considerably.

The -e option causes tcpdump to display the link-level header for each packet.

The -x option causes the contents of the packet to also be displayed in hex.

The -vvv option makes tcpdump's output as verbose as possible.

The -r DumpFile.dmp option tells tcpdump to read packets from the file DumpFile.dmp rather than from a network interface. Reading a file does not require special privileges, so sudo is not needed for this step.
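The file written by -w is in libpcap format, and the snapshot length chosen at capture time (-s) is recorded in its header, together with two lengths per packet: how many bytes were actually saved and how long the frame was on the wire. The following script is an added example, not part of the original post, that reads such a file and reports whether any packets were cut short; the sample capture it builds in memory is constructed for illustration (the addresses and the 65535-byte snapshot value are assumptions), and the function and variable names are mine.

```python
"""Check a libpcap file (the format tcpdump -w writes) for truncated packets.

Added example: parses the pcap global header and each packet record, and
compares the saved length (caplen) with the original length (origlen) to
show whether a capture was taken with a full snapshot length (tcpdump -s 0).
"""
import struct
import sys

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps (tcpdump default)
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps (tcpdump --nano)
LINKTYPE_ETHERNET = 1        # value of the "network" header field for Ethernet


def parse_pcap(data):
    """Parse a pcap file image. Returns (snaplen, linktype, packets).

    packets is a list of (caplen, origlen, payload) tuples. Raises ValueError
    on a bad magic number or a record that runs past the end of the file.
    """
    if len(data) < 24:
        raise ValueError("file too short for a pcap global header")
    # The magic number tells us the byte order the writer used.
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic number)")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    _, _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    packets = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        # Record header: ts_sec, ts_usec/ts_nsec, caplen, origlen
        _ts_sec, _ts_frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("record data runs past end of file at offset %d" % off)
        packets.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, linktype, packets


def truncation_report(data):
    """Summarise a capture: snaplen, link type, packet count, truncated count."""
    snaplen, linktype, packets = parse_pcap(data)
    truncated = sum(1 for caplen, origlen, _ in packets if caplen < origlen)
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": len(packets), "truncated": truncated}


def build_sample_pcap(snaplen, frame_lens, endian="<"):
    """Construct an in-memory pcap with dummy Ethernet frames (test data only).

    Each frame of length L is saved as min(L, snaplen) bytes, which is what a
    capture tool does when the snapshot length is smaller than the frame.
    """
    # Constructed broadcast frame header: dst, src, EtherType IPv4 (sample values)
    header = bytes.fromhex("ffffffffffff" "001122334455" "0800")
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0,
                      snaplen, LINKTYPE_ETHERNET)
    for origlen in frame_lens:
        caplen = min(origlen, snaplen)
        payload = (header + b"\x00" * origlen)[:caplen]
        out += struct.pack(endian + "IIII", 0, 0, caplen, origlen) + payload
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(truncation_report(fh.read()))
    else:
        # Old default snapshot length of 68 bytes versus a full-packet capture
        print(truncation_report(build_sample_pcap(68, [60, 1514])))
        print(truncation_report(build_sample_pcap(65535, [60, 1514])))
```

Run it as python3 pcapcheck.py DumpFile.dmp to inspect a real capture; with no argument it checks the two constructed samples. A nonzero "truncated" count means the capture was taken with a snapshot length smaller than the largest frames, which is exactly what -s 0 avoids.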

You can also combine the capture and display steps, as shown below, but then nothing is written to a file, so you don't get a high-fidelity record of the packets you captured.

sudo tcpdump -i en0 -s 0 -n -e -x -vvv
