Tuesday, June 21, 2011

Using tcpdump in Mac OS X

These are just notes taken for personal use on which options I use with the tcpdump command:
# sudo tcpdump -i en0 -vvv -K -n -s 0 -w ~/Desktop/DumpFile.dmp

or without the -K option:
# sudo tcpdump -i en0 -vvv -n -s 0 -w ~/Desktop/DumpFile.dmp
To stop capturing, press Control-C. To view the file afterwards:
# sudo tcpdump -s 0 -n -e -x -vvv -r ~/Desktop/DumpFile.dmp

Here's an explanation of the options used in the commands above:
-i     interface to capture on (en0 is the Mac's built-in Ethernet or Wi-Fi interface; "tcpdump -D" or "ifconfig" lists the available ones)
-vvv     even more verbose output
-K     don't attempt to verify IP, TCP and UDP checksums (useful when the network card does checksum offloading, which otherwise makes outgoing packets show up with "bad cksum" warnings)
-n     don't convert addresses to names (no DNS lookups, so the capture itself doesn't generate extra traffic)
-s     snaplen, the number of bytes to capture from each packet. Setting snaplen to 0 means capture whole packets; on current tcpdump it is treated as the default of 262144 bytes, instead of the old 68-byte default that truncated most packets
-w     write the raw packets to a file (pcap format) rather than parsing and printing them
-e     when parsing and printing, also print the link-level header (MAC addresses and EtherType) for each packet
-x     when parsing and printing, in addition to printing the header of each packet, print the data of each packet (minus its link-level header) in hex
-r     read packets from a file instead of from an interface
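As an added example (not part of the original post), the Python script below parses the pcap file that "tcpdump -w" writes and shows what "-s 0" buys you: the snaplen is recorded in the file header, and every packet record carries both the captured length and the on-the-wire length, so a capture made with too small a snaplen can be spotted by counting records where the two differ. The sample captures are constructed in memory (one with the 262144-byte snaplen, one with the old 68-byte default) so nothing here needs root or a live interface; the frames, timestamps and the function names parse_pcap, build_pcap and report are my own, not tcpdump's. The parser goes a little beyond the page by handling both byte orders and both the microsecond and nanosecond magic numbers.

```python
import struct

# Magic numbers from the pcap file format; the byte order in which one of them
# reads back tells us how the writer laid out every other field.
MAGIC_USEC = 0xA1B2C3D4   # timestamps with microsecond resolution (tcpdump default)
MAGIC_NSEC = 0xA1B23C4D   # timestamps with nanosecond resolution

# The two link-layer types a Mac's en0/lo0 produce (standard LINKTYPE_ values).
LINKTYPES = {0: "LINKTYPE_NULL (loopback)", 1: "LINKTYPE_ETHERNET"}


def parse_pcap(data: bytes) -> dict:
    """Parse a classic pcap file (the format `tcpdump -w` writes) held in memory.

    Returns the global-header fields, one entry per packet record, and the
    number of records whose captured length (incl_len) is shorter than the
    length on the wire (orig_len), i.e. packets clipped by the snaplen.
    """
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    if struct.unpack("<I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a pcap file: magic bytes %s" % data[:4].hex())
    magic, vmajor, vminor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])

    records, truncated, off = [], 0, 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("record header cut off at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen:
            raise ValueError("record at offset %d longer than snaplen" % (off - 16))
        if off + incl_len > len(data):
            raise ValueError("record data runs past end of file (interrupted write?)")
        if incl_len < orig_len:
            truncated += 1          # tcpdump clipped this packet at snaplen
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac,
                        "incl_len": incl_len, "orig_len": orig_len,
                        "data": data[off:off + incl_len]})
        off += incl_len

    return {"endian": endian, "nanosecond": magic == MAGIC_NSEC,
            "version": (vmajor, vminor), "snaplen": snaplen,
            "linktype": LINKTYPES.get(linktype, "LINKTYPE_%d" % linktype),
            "packet_count": len(records), "truncated": truncated,
            "records": records}


def build_pcap(snaplen: int, frames: list, endian: str = "<", linktype: int = 1) -> bytes:
    """Write a pcap file in memory the way `tcpdump -w` would, clipping each
    frame to snaplen. Used here only to construct sample input."""
    out = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # Constructed timestamps: one packet per second from 2011-06-21 00:00 UTC.
        out += struct.pack(endian + "IIII", 1308614400 + i, 0, len(captured), len(frame))
        out += captured
    return out


# Constructed sample frames (not real traffic): a 42-byte ARP-sized Ethernet
# frame and a full 1514-byte Ethernet frame (1500-byte payload plus 14-byte header).
SMALL_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + bytes(28)
BIG_FRAME = b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x08\x00" + bytes(1500)

# What "-s 0" gives on a current tcpdump (snaplen 262144) versus the old 68-byte default.
FULL_CAPTURE = build_pcap(262144, [SMALL_FRAME, BIG_FRAME])
CLIPPED_CAPTURE = build_pcap(68, [SMALL_FRAME, BIG_FRAME])


def report(data: bytes) -> str:
    """One-line summary: link type, snaplen, packet count and how many were clipped."""
    info = parse_pcap(data)
    return "%s, snaplen %d, %d packets, %d clipped" % (
        info["linktype"], info["snaplen"], info["packet_count"], info["truncated"])


if __name__ == "__main__":
    print(report(FULL_CAPTURE))     # LINKTYPE_ETHERNET, snaplen 262144, 2 packets, 0 clipped
    print(report(CLIPPED_CAPTURE))  # LINKTYPE_ETHERNET, snaplen 68, 2 packets, 1 clipped
```

To check a real capture, pass the file contents instead of the constructed bytes, e.g. report(open("DumpFile.dmp", "rb").read()). A non-zero "clipped" count means the capture was made with a snaplen too small for the traffic and the hex dump from "-x" will be missing the tail of those packets. The parser only understands classic pcap, not pcapng.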
