Using unix terminal to capture a packet trace.

How to capture a packet trace

Recently I have been doing a lot more network troubleshooting rather than working on my Macs! Not a total loss in the sense that it has brought me back to the basics of using UNIX commands in Terminal and how to capture a packet trace. This post might be more advanced for some, but I feel that it holds good information when troubleshooting a connection issue on your network, home or company. The case that I ran into needing to use this was on a network primarily using Apple products ranging from Mac Pro, PowerMac, MacBooks, PowerBooks and mobile devices. The issue I was having was a MacBook Pro network issue seeming to originate from a timeout error from the switch, resulting in it not picking up IP, Subnet, Router and DNS info. We started running PING tests to capture packet traces to see how fast the lines were working to eliminate a timeout issue from the switch. The steps I am about to outline use the Terminal and the tcpdump command; if you are not familiar with using the Terminal, you may want to use third-party software that can perform a packet trace instead. Check out CPA – Cocoa Packet Analyzer

Running Mac OS X 10.6 do the following:

  1. Open System Profiler either by locating it in the Utilities folder (choose Go > Utilities while in the Finder), or by Option-clicking the Apple Menu > System Profiler.
  2. Once launched, select the Network interface; here you will determine which connection (AirPort/Ethernet) you will need to capture the packet trace on.
  3. Make note of the Berkeley Unix Device Name of the interface. For example, the BSD Device Name for the AirPort interface could be “en1”, the BSD Device Name for Ethernet is “en0”, and so forth.

(Screenshot: System Profiler, Network section showing Active Services)

If you are running Mac OS X 10.6 Snow Leopard follow these steps – they will be different for Mac OS X 10.5.

  1. Make sure your Mac is connected using a network interface such as AirPort or Ethernet (you can check this under the Apple Menu > System Preferences > Network).
  2. Launch Terminal (/Applications/Utilities/).
  3. Copy or type the following Terminal command. Adjust the command based on your network interface; press Return to execute the command.
  4. You will be prompted for your admin password.
  5. Terminal should display “tcpdump: listening on…”. Use the network function you want to capture, and let the capture run.
  6. Once the network function is completed, go back to Terminal and press Control-C to complete the packet trace capture.

AirPort Network Example:
sudo tcpdump -i en1 -s 0 -B 524288 -w ~/Desktop/AirportDump1.pcap

Ethernet Network Example:
sudo tcpdump -i en0 -s 0 -B 524288 -w ~/Desktop/EthernetDump1.pcap

VPN Interface Example:
sudo tcpdump -i ppp0 -s 0 -B 524288 -w ~/Desktop/VPNDump1.pcap

Diagram of the tcpdump command options:
[-i] Sets the interface from which you want to capture packets. For example, -i en0 = first Ethernet interface.
[-s] The number of data bytes to be sent; default is 56 or 64 ICMP data bytes. (This can be increased.)
[-B 524288] Increases the packet capture buffer size to 512 KB.
[-w] Write the raw packets to a file instead of printing them.
[.pcap] File extension for the Packet Capture (libpcap) file format.

A file with the name you gave after -w (for example “AirportDump1.pcap”) containing your captured packet trace will appear on the Desktop. If you want to display its contents, use this command in Terminal:

tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/[Type]Dump1.pcap
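The following Python script is an added example, not code from the original post or from tcpdump itself. It builds a small .pcap file the way “tcpdump -w” does (global header plus one record per packet), reads it back the way “tcpdump -r” does, and decodes the link-level header the way “-e -n” prints it. It also shows what the -s option actually controls in tcpdump: the per-packet snapshot length, i.e. how many bytes of each packet are saved, with -s 0 meaning “save whole packets”. The Ethernet/IPv4/ICMP frame and the timestamp are constructed sample data; the MAX_SNAPLEN value used to stand in for -s 0 is an assumption (real tcpdump substitutes a version-dependent maximum).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4     # magic number for microsecond-timestamp pcap files
LINKTYPE_ETHERNET = 1       # link-layer header type written by tcpdump on en0/en1
MAX_SNAPLEN = 65535         # assumption: the value written when -s 0 is given


def sample_frame():
    """Constructed Ethernet/IPv4/ICMP echo-request frame (98 bytes), like one
    packet of a ping test. Not a real capture; the ICMP checksum is left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    icmp = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"\x00" * 56  # type 8, id 1, seq 1, 56 data bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return eth + ip + icmp


def write_pcap(packets, snaplen=0):
    """Serialise (ts_sec, ts_usec, frame) tuples as a pcap file. Each frame is
    cut to `snaplen` bytes, which is what -s controls; 0 means keep everything."""
    effective = snaplen if snaplen > 0 else MAX_SNAPLEN
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, effective, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:effective]
        # record header: timestamp, bytes saved in file, bytes on the wire
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse a pcap file into (snaplen, linktype, records). A record whose
    saved length is below its wire length was truncated by the snaplen."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic, written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, offset = [], 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        body = data[offset:offset + incl_len]
        if len(body) != incl_len:
            raise ValueError("record at offset %d claims %d bytes but file ends early" % (offset, incl_len))
        offset += incl_len
        records.append({"ts": ts_sec + ts_usec / 1e6, "data": body,
                        "orig_len": orig_len, "truncated": incl_len < orig_len})
    return snaplen, linktype, records


def describe(frame):
    """Decode what `tcpdump -e -n` shows: MAC addresses, ethertype and, when
    enough bytes were saved, the IPv4 source and destination addresses."""
    if len(frame) < 14:
        return "short frame (%d bytes)" % len(frame)
    mac = lambda b: ":".join("%02x" % x for x in b)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    text = "%s > %s, ethertype 0x%04x" % (mac(frame[6:12]), mac(frame[:6]), ethertype)
    if ethertype == 0x0800 and len(frame) >= 34:   # IPv4 header fully present
        text += ", IPv4 %s > %s" % (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])))
    return text


def capture_summary(snaplen):
    """Write one constructed frame with the given snaplen, read it back and
    report what a later `tcpdump -r` would be able to show."""
    data = write_pcap([(1262304000, 0, sample_frame())], snaplen)   # constructed timestamp
    file_snaplen, _, recs = read_pcap(data)
    rec = recs[0]
    return {"file_snaplen": file_snaplen, "captured": len(rec["data"]),
            "orig_len": rec["orig_len"], "truncated": rec["truncated"],
            "summary": describe(rec["data"])}


if __name__ == "__main__":
    for s in (0, 20):
        print("snaplen %d:" % s, capture_summary(s))
```

Running it shows the practical difference: with snaplen 0 the 98-byte ping frame is stored whole and the IPv4 addresses can be decoded on read-back, while with a 20-byte snaplen only the Ethernet header survives and the record is flagged as truncated, which is why the capture commands above use “-s 0”.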
