top of page

MacOS | Recording a Packet Trace

A packet trace is a record of traffic traveling across the network. It’s useful for investigating complex network problems related to both correctness and performance. Once you start a packet trace on a network interface, it records all traffic passing through that interface until you stop the trace. Packet traces are usually quite short — perhaps recording the traffic associated with one specific connection — but there are situations where you might want to run the trace for hours or even days.

Choose the Correct Interface

The first step in recording a packet trace on the Mac is to choose the correct interface. If you choose the wrong interface, you may end up recording an empty packet trace. For example, if you use the en0 interface on a Mac that has built-in Ethernet but is connected to the Internet over Wi-Fi, your packet trace will include all the traffic over the built-in Ethernet, that is, nothing.

Determine the correct interface name by running the networksetup command-line tool with the -listallhardwareports argument.

$ networksetup -listallhardwareports

Hardware Port: Ethernet

Device: en0

Ethernet Address: 54:45:5b:01:ca:89

Hardware Port: Wi-Fi

Device: en1

Ethernet Address: 78:a1:3c:02:2b:da

Record and Analyze a Packet Trace on a Mac

Working with packet traces usually involves recording a packet trace to a file and analyzing that file. It’s possible to do both steps at once, and it’s a good idea to do that when you’re just getting started. The following Terminal command starts a packet trace and prints information about each packet as it’s transferred.

sudo tcpdump -i en0 -n

When you run tcpdump in this way, you see something like this:

17:49:26.500970 IP > Flags [S], seq 3769365868, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1478872373 ecr 0,sackOK,eol], length 0

17:49:26.503325 IP > Flags [S.], seq 405178393, ack 3769365869, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 72353448 ecr 1478872373,sackOK,eol], length 0

17:49:26.503413 IP > Flags [.], ack 1, win 4117, options [nop,nop,TS val 1478872375 ecr 72353448], length 0

17:49:26.504887 IP > Flags [.], ack 1, win 4117, options [nop,nop,TS val 72353449 ecr 1478872375], length 0

17:49:26.526134 IP > Flags [P.], seq 1:22, ack 1, win 4117, options [nop,nop,TS val 72353470 ecr 1478872375], length 21

17:49:26.526228 IP > Flags [.], ack 22, win 4117, options [nop,nop,TS val 1478872396 ecr 72353470], length 0

There’s a line of output for each packet seen on the network. On each line there’s a timestamp and a lot of information about that packet. This specific example shows the start of a connection from an SSH client at to an SSH server listening on port 22 of

Packet traces can be quite overwhelming. Rather than trying to interpret the packet trace in real time, use the -w option to write the trace to a file and then do your analysis later on.

sudo tcpdump -i en0 -w trace.pcap


Even if your ultimate goal is to save a packet trace file, it’s often a good idea to start out by looking at real-time results from tcpdump, just to make sure that you’re capturing the right thing.

35 views0 comments

Recent Posts

See All

Cyrillic Alphabet

Exploring the Cyrillic Alphabet: A Beginner's Guide Have you ever come across the Cyrillic alphabet and wondered what it's all about? Maybe you've seen it on Russian websites, or perhaps you've notice

DNS Guard

Absolutely everything is connected to the internet these days, from TV to smart light bulbs, from mobile devices to smart cars. Given those ads and ad trackers are everywhere on the Internet, a browse

Cyber Security Interview, Q&A

Can you explain the difference between symmetric and asymmetric encryption? When would you use one over the other? Answer: Symmetric encryption uses a single key to both encrypt and decrypt data, whil


bottom of page