Using unix terminal to capture a packet trace.

How to capture a packet trace

Recently I have been doing a lot more network troubleshooting rather than working on my Macs! Not a total loss, in the sense that it has brought me back to the basics of using UNIX commands in Terminal and how to capture a packet trace. This post might be more advanced for some, but I feel that it holds good information when troubleshooting a connection issue on your network, home or company. The case where I ran into needing this was on a network primarily using Apple products ranging from Mac Pro, PowerMac, MacBooks, PowerBooks and mobile devices. The issue I was having was a MacBook Pro network issue seeming to originate from a timeout error from the switch, resulting in it not picking up IP, Subnet, Router and DNS info. We started running PING tests to capture packet traces to see how fast the lines were working to eliminate a timeout issue from the switch. The steps I am about to outline use the Terminal and the tcpdump command; if you are not familiar with using the Terminal, you may want to use third-party software that can perform a packet trace instead. Check out CPA – Cocoa Packet Analyzer

Running Mac OS X 10.6 do the following:

  1. Open System Profiler either by locating it in the Utilities folder (choose Go > Utilities while in the Finder), or by Option-Clicking the Apple Menu > System Profiler.
  2. Once launched, select the Network interface; here you will determine which connection (AirPort/Ethernet) you will need to capture the packet trace on.
  3. Make note of the Berkeley Unix Device Name of the interface. For example, the BSD Device Name for the AirPort interface could be “en1”, the BSD Device Name for Ethernet is “en0”, and so forth.

If you are running Mac OS X 10.6 Snow Leopard follow these steps – they will be different for Mac OS X 10.5.

  1. Make sure your Mac is connected using a network interface, such as AirPort or Ethernet. (You can check this under the Apple Menu > System Preferences > Network preferences.)
  2. Launch Terminal (/Applications/Utilities/
  3. Copy or type the following Terminal command. Adjust the command based on your network interface; press Return to execute the command.
  4. You will be prompted for your admin password.
  5. Terminal should display “tcpdump: listening on…”. Access the network function you want to capture, and let it run.
  6. Once the network function is completed, go back to Terminal and press Control-C to complete the packet trace capture.

AirPort Network Example:
sudo tcpdump -i en1 -s 0 -B 524288 -w ~/Desktop/AirportDump1.pcap

Ethernet Network Example:
sudo tcpdump -i en0 -s 0 -B 524288 -w ~/Desktop/EthernetDump1.pcap

VPN Interface Example:
sudo tcpdump -i ppp0 -s 0 -B 524288 -w ~/Desktop/VPNDump1.pcap

Diagram of the tcpdump command options:
[-i] Sets the interface from which you want to capture packets. For example, -i en0 = first Ethernet interface.
[-s] The number of data bytes to be sent; default is 56 or 64 ICMP data bytes. (This can be increased.)
[-B 524288] Increases the packet capture buffer size to 512 KB.
[-w] Writes the captured packets to a file.
[.pcap] Packet Capture library

A file named “DumpFile01.dmp” containing your captured packet trace will appear on the desktop. If you want to display its contents, use this command in Terminal:

tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/[Type]Dump1.pcap
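
Before reading a capture back or handing it to someone else, it is worth confirming that the file really is a pcap file and what per-packet capture limit (snaplen) it recorded. The script below is an added example, not part of the original post: it decodes the 24-byte header of a classic pcap file in either byte order, and the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the 24-byte global
# header of a classic pcap file such as the ones tcpdump -w writes.

# u16/u32: decode a header field from its hex bytes; last arg is le or be.
u16() { if [ "$3" = le ]; then echo $((0x$2$1)); else echo $((0x$1$2)); fi; }
u32() { if [ "$5" = le ]; then echo $((0x$4$3$2$1)); else echo $((0x$1$2$3$4)); fi; }

# pcap_info FILE -> "order=.. version=.. snaplen=.. linktype=.."
pcap_info() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    # od prints the header as two-digit hex bytes; after word splitting,
    # byte N of the file is positional parameter N.
    set -- $(od -An -v -tx1 -N24 "$file")
    [ "$#" -eq 24 ] || { echo "header too short: $file" >&2; return 1; }
    case "$1$2$3$4" in
        d4c3b2a1) order=le ;;  # magic as stored by a little-endian host (Intel)
        a1b2c3d4) order=be ;;  # magic as stored by a big-endian host (PowerPC)
        *) echo "not a classic pcap file: $file" >&2; return 1 ;;
    esac
    echo "order=$order" \
         "version=$(u16 "$5" "$6" "$order").$(u16 "$7" "$8" "$order")" \
         "snaplen=$(u32 "${17}" "${18}" "${19}" "${20}" "$order")" \
         "linktype=$(u32 "${21}" "${22}" "${23}" "${24}" "$order")"
}

# Constructed sample: header only, as a little-endian host writes it
# (version 2.4, snaplen 65535, linktype 1 = Ethernet), no packets.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000' > "$1"
    printf '\000\000\000\000\377\377\000\000\001\000\000\000' >> "$1"
}

sample=$(mktemp) && make_sample_pcap "$sample" && pcap_info "$sample"
rm -f "$sample"
```

On a real capture, call it as pcap_info ~/Desktop/EthernetDump1.pcap; a capture taken on a PowerPC Mac reports order=be, one taken on an Intel Mac reports order=le.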

Using unix terminal sudo chown and chgrp

With a recent upgrade to Mac OS X 10.6 I was reminded of a problem that might happen if you migrate files from a previous system or if you have a second hard drive, forcing you to correct the OS X operating system by running sudo [chown] and [chgrp] in Terminal. I have experienced this issue before when installing Mac OS X versions 10.0, 10.1, 10.2, 10.3, 10.4 and 10.5. Mine was related to my second hard drive that I use for backing up video and image files. After the update I wanted to sort some Desktop items on my primary drive to the second drive (Macintosh HD2). A dialog appeared asking me to Authenticate. Once you Authenticate you will have to keep doing this for every item you move to this drive. This is a common issue and occurs even though your primary user (you) might still have the same short name, password or user level assigned. There are two things you can do to repair this.

Ignore Ownership
If your second drive requires you to Authenticate and you are the primary user of the drive, you can have the drive ignore ownership on the volume. Simply:

  1. Select the drive.
  2. Type Apple+I or go to the Finder menu and Select > Get Info.
  3. At the bottom of the Info Inspector, check the check box for “Ignore ownership on this volume”.

Change Ownership with Command Line
If this doesn’t solve your issue you can also reassign permissions via the command line. This works best if you are the primary user of your Mac. To change permissions with Terminal you will have to launch Terminal from the Applications > Utilities folder. Next you will issue the following commands:

1. To change Owner

[ComputerName]:~ [username]$ sudo chown -R [username] /Volumes/[Hard Drive Name or Folder Path]

You will get the following response:

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type “man sudo” for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Enter your Password to Authenticate

2. To change Group

[ComputerName]:~ [username]$ sudo chgrp -R admin /Volumes/[Hard Drive Name or Folder Path]

You might be prompted for your password again, but since you are doing this in the same session it might just approve and return you to your [ComputerName] and [username]. That’s it! Test it by dragging a file to the drive. If you have done this to a folder on your primary drive you might want to Repair Permissions using Applications > Utilities > Disk Utility. Click on Repair Permissions.
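
Because chown -R and chgrp -R run as root and touch everything below the path, it helps to preview how many entries they would change and to catch a path that is too broad, such as /Volumes/ with the volume name left empty. The script below is an added example, not part of the original post; the function names and the list of refused top-level directories are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): preview a recursive
# ownership change before running sudo chown -R / sudo chgrp -R.

# safe_target PATH -> 0 if PATH is an existing, specific directory;
# 1 if it is a top-level location (illustrative list) where a recursive
# change would reach far more than one drive or folder.
safe_target() {
    case "${1%/}" in
        ""|/Volumes|/System|/Library|/Users|/Applications|/usr|/etc|/var|/private)
            return 1 ;;
    esac
    [ -d "$1" ]
}

# count_mismatches PATH USER GROUP -> number of entries under PATH whose
# owner is not USER or whose group is not GROUP, i.e. the entries that
# chown -R USER PATH followed by chgrp -R GROUP PATH would modify.
# USER and GROUP may be names or numeric ids. Nothing is changed.
count_mismatches() {
    safe_target "$1" || { echo "refusing to scan: $1" >&2; return 2; }
    list=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print) || return 2
    [ -n "$list" ] || { echo 0; return 0; }
    echo $(( $(printf '%s\n' "$list" | wc -l) ))
}

# Usage: sh preview.sh "/Volumes/Macintosh HD2" yourshortname admin
if [ "$#" -eq 3 ]; then
    count_mismatches "$1" "$2" "$3"
fi
```

A result of 0 means the drive already has the intended owner and group, so the Authenticate prompts have another cause.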
