
@tomkinsc
Last active September 21, 2015 17:22
Why use Wireshark on OS X, when much of the same functionality is built in? Native packet sniffing on Mac OS X (as of 10.10.5): these examples use tcpdump to print any packets on port 80 (HTTP) or 443 (HTTPS) that belong to processes named "Python".

Print packet summaries without payload:

sudo tcpdump -s0 -i pktap,en0 -k NP -Q "proc =Python" port 443 or 80

Print packets with output in ASCII:

sudo tcpdump -A -s0 -i pktap,en0 -k NP -Q "proc =Python" port 443 or 80

Print packets with output in hex and ASCII:

sudo tcpdump -X -s0 -i pktap,en0 -k NP -Q "proc =Python" port 443 or 80

Argument info:

  • -A = print packet contents in ASCII
  • -s0 = snapshot length, the number of bytes captured per packet; 0 means the maximum, 65535
  • -i = interface to listen on (note here that en0 is specified as a PKTAP-wrapped interface, so we get process name, PID and other metadata)
  • -k = metadata fields to print, N=process name, P=PID (shown as processName:PID)
  • -X = print packet contents as both hex and ASCII
  • -Q = packet metadata filter expression (here matching on process name). Can have multiple sub-expressions grouped within parentheses
  • port = port to include packets from; multiple ports can be specified with "or"

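As an added example (not part of the original gist), a small POSIX sh helper that assembles these command lines from a list of process names and ports, so one capture can cover several processes; it only prints the command and assumes, as above, that en0 is the active interface.

```sh
#!/bin/sh
# build_capture_cmd MODE PROCS PORTS
#   MODE  : none | ascii | hex   (no payload, -A, or -X, as in the three examples above)
#   PROCS : space-separated process names for the -Q metadata filter
#   PORTS : space-separated ports for the BPF filter
# Prints the tcpdump command line instead of running it, so it can be
# reviewed (or tested) before it is handed to sudo.
# Assumption: en0 is the active interface; change it for Wi-Fi/Ethernet setups that differ.
build_capture_cmd() {
    mode=$1; procs=$2; ports=$3
    case "$mode" in
        none)  out="" ;;
        ascii) out="-A " ;;
        hex)   out="-X " ;;
        *)     echo "build_capture_cmd: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # -Q sees only PKTAP metadata: "proc = a or proc = b"
    qf=""
    for p in $procs; do
        qf="${qf:+$qf or }proc = $p"
    done
    # the remaining arguments are an ordinary BPF filter: "port 443 or port 80"
    bf=""
    for p in $ports; do
        bf="${bf:+$bf or }port $p"
    done
    # -k NP prints process name and PID for every matched packet
    printf 'sudo tcpdump %s-s0 -i pktap,en0 -k NP -Q "%s" %s\n' "$out" "$qf" "$bf"
}
```

On port 443 the payload shown by -A or -X is TLS ciphertext, so the useful output there is the process metadata and the TCP/IP headers, not the application data.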
More info:

https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html
