Diniz Martins

Jan 31 · 2 min read

MacOS | Recording a Packet Trace

A packet trace is a record of traffic traveling across the network. It’s useful for investigating complex network problems related to both correctness and performance. Once you start a packet trace on a network interface, it records all traffic passing through that interface until you stop the trace. Packet traces are usually quite short — perhaps recording the traffic associated with one specific connection — but there are situations where you might want to run the trace for hours or even days.

Choose the Correct Interface

The first step in recording a packet trace on the Mac is to choose the correct interface. If you choose the wrong interface, you may end up recording an empty packet trace. For example, if you use the en0 interface on a Mac that has built-in Ethernet but is connected to the Internet over Wi-Fi, your packet trace will include all the traffic over the built-in Ethernet, that is, nothing.

Determine the correct interface name by running the networksetup command-line tool with the -listallhardwareports argument.

Record and Analyze a Packet Trace on a Mac

Working with packet traces usually involves recording a packet trace to a file and analyzing that file. It’s possible to do both steps at once, and it’s a good idea to do that when you’re just getting started. The following Terminal command starts a packet trace and prints information about each packet as it’s transferred.

When you run tcpdump in this way, you see something like this:

There’s a line of output for each packet seen on the network. On each line there’s a timestamp and a lot of information about that packet. This specific example shows the start of a connection from an SSH client at 192.168.1.187 to an SSH server listening on port 22 of 192.168.1.39.

Packet traces can be quite overwhelming. Rather than trying to interpret the packet trace in real time, use the -w option to write the trace to a file and then do your analysis later on.

Important

Even if your ultimate goal is to save a packet trace file, it’s often a good idea to start out by looking at real-time results from tcpdump, just to make sure that you’re capturing the right thing.
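The two steps above (look up the device name for the port you are actually using, then record with -w) as an added shell example that is not part of the original post. The networksetup listing embedded below is a constructed sample so the script runs offline; on a Mac the real tool is used when present, and the tcpdump flags (-i, -n, -w) are standard tcpdump options.

```shell
#!/bin/sh
# Constructed sample of `networksetup -listallhardwareports` output.
# Real output differs per machine; it is only here so the script runs offline.
SAMPLE_PORTS='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:11:22:33:44:55

Hardware Port: Thunderbolt Ethernet
Device: en5
Ethernet Address: 00:11:22:33:44:66
'

# device_for_port NAME: read networksetup-style output on stdin and print the
# BSD device (en0, en5, ...) that belongs to the given hardware port name.
# Prints nothing when the port is not listed.
device_for_port() {
    awk -v want="$1" '
        /^Hardware Port: / { port = substr($0, 16) }
        /^Device: / && port == want { print $2; exit }
    '
}

# capture_cmd IFACE FILE: build the tcpdump command line that writes the trace
# to FILE instead of printing it (-w); -n avoids DNS lookups during capture.
capture_cmd() {
    printf 'sudo tcpdump -i %s -n -w %s\n' "$1" "$2"
}

# Demo: prefer the real tool on macOS, fall back to the constructed sample.
if command -v networksetup >/dev/null 2>&1; then
    ports=$(networksetup -listallhardwareports)
else
    ports=$SAMPLE_PORTS
fi
iface=$(printf '%s\n' "$ports" | device_for_port "Wi-Fi")
if [ -n "$iface" ]; then
    echo "Wi-Fi is $iface; record with:"
    capture_cmd "$iface" trace.pcap
else
    echo "No hardware port named Wi-Fi found; check -listallhardwareports output"
fi
```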
