tcpdump TCP/IP packet sniffer

Sometimes you need a powerful sniffer on your system. Every Mac and every Linux system already has one. You just have to use it.

tcpdump

The only things you need to know are a few flags.

  • -i en0 : Listen on this interface.
  • -n : Don’t resolve hostnames.
  • -nn : Don’t resolve hostnames or port names.
  • -X : Show the packet contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the Ethernet header.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c n : Get n packets and then stop.
  • -S : Print absolute sequence numbers.
  • -e : Get the Ethernet header as well.
  • -q : Show less protocol information.
  • -E : Decrypt IPsec traffic by providing an encryption key.
  • -s : Set the snaplength, i.e. the amount of data per packet that is captured, in bytes.

Example:

If you just want to see some traffic on the interface:

tcpdump -ni en0

If you want to get a lot of information:

tcpdump -i en0 -nnvvvXSs 1514

Of course there are other options. You can record the traffic into a file and read it back from a file later.

tcpdump -i en1 -n -w file.pcap

You can then open this file directly in ⇒Wireshark, which greatly simplifies analysis of the output.

You can also set filters on the command line to get only specific packets.

tcpdump -i en1 -nnvvS tcp and src 10.0.5.1 and dst port 5222

The filter syntax for tcpdump is the same as for all other libpcap-based software. More details here: ⇒<pcap filter expression>
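As an added example (not part of the original note), the following Python script parses the text that tcpdump -nn prints, applies the same selection as the filter above (tcp and src 10.0.5.1 and dst port 5222) in code, and counts bare SYNs per source, which is a cheap first check for scanning when you are reviewing a capture. The sample lines are constructed, not a real capture.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn` text output (not a real capture).
# With -nn, tcpdump prints timestamp, "IP", src.port > dst.port, then
# protocol details; TCP lines carry "Flags [...]", the DNS line does not.
SAMPLE = """\
10:15:01.123456 IP 10.0.5.1.51234 > 10.0.5.20.5222: Flags [S], seq 1000, win 65535, length 0
10:15:01.123789 IP 10.0.5.20.5222 > 10.0.5.1.51234: Flags [S.], seq 2000, ack 1001, win 29200, length 0
10:15:01.124000 IP 10.0.5.1.51234 > 10.0.5.20.5222: Flags [.], ack 1, win 2058, length 0
10:15:02.500000 IP 10.0.5.7.40001 > 10.0.5.20.22: Flags [S], seq 3000, win 64240, length 0
10:15:02.600000 IP 10.0.5.1.53 > 10.0.5.20.51000: 1234 1/0/0 A 192.0.2.10 (45)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_line(line):
    """Parse one -nn line into a dict; return None for lines this parser does not handle."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    flags = FLAGS_RE.search(pkt["rest"])
    pkt["proto"] = "tcp" if flags else "other"   # only TCP lines print Flags [...]
    pkt["flags"] = flags.group(1) if flags else ""
    return pkt


def parse_output(text):
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def matches(pkt, proto=None, src=None, dst_port=None):
    """Python equivalent of the filter 'tcp and src 10.0.5.1 and dst port 5222'."""
    return ((proto is None or pkt["proto"] == proto)
            and (src is None or pkt["src"] == src)
            and (dst_port is None or pkt["dport"] == dst_port))


def syn_counts(pkts):
    """Count bare SYNs ("[S]", not the "[S.]" SYN-ACK) per source address."""
    return Counter(p["src"] for p in pkts if p["flags"] == "S")


if __name__ == "__main__":
    pkts = parse_output(SAMPLE)
    print(len([p for p in pkts if matches(p, "tcp", "10.0.5.1", 5222)]), "matching packets")
    print(dict(syn_counts(pkts)))
```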