Both Mac OS X and Linux provide a command-line packet capture utility (tcpdump) that will intercept and display the contents of packets sent and received on a network interface.
You should first determine the interface to include in the tcpdump command line by running the following command in a Terminal window:
ifconfig -a
The output of this command will list all network interfaces:
dhcp-78:~ Janice$ ifconfig -a
lo0: flags=8049 mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010 mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863 mtu 1500
inet6 fe80::20a:95ff:fede:79f4%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.78 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:0a:95:de:79:f4
media: autoselect (100baseTX ) status: active
supported media: none autoselect 10baseT/UTP 10baseT/UTP
10baseT/UTP 100baseTX
100baseTX 100baseTX
fw0: flags=8863 mtu 2030
lladdr 00:0a:95:ff:fe:de:79:f4
media: autoselect status: inactive
supported media: autoselect
For example, to capture and display all ICMP packets to and from a specific host on interface en0, use the first command below, substituting the host IP address for HOST_IP. If you wish to save the collected packets for later analysis, write them to a file with the second form (the -w option). To stop collecting packets, press Control-C.
tcpdump -i en0 -s 0 -v icmp and host HOST_IP
tcpdump -i en0 -s 65535 -v -w somefile icmp and host HOST_IP
On Mac OS X, the Ethernet interface is generally en0; on Linux, it is generally eth0. Use the "ifconfig -a" command described above to be sure.
The packet filter can combine several terms joined with and, including:
icmp or udp or tcp
port ###
host ip-address or DNS name
src ip-address or DNS name
dst ip-address or DNS name
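The file written by the -w form above is a classic pcap file, and the "host" term restricts the capture to packets to or from one address. The following added example (not part of the original page, and not tcpdump's own code) reads such a file offline and lists its ICMP packets, applying the same "host" restriction in software. It assumes a little-endian classic pcap file with the Ethernet link type, as tcpdump writes on a typical en0/eth0 capture; the sample capture is constructed in memory by the script itself, using made-up addresses and a made-up MAC, so it runs without a network or root privileges.

```python
import socket
import struct

# Minimal reader for classic pcap files (the format "tcpdump -w somefile" writes),
# restricted to ICMP over IPv4 on an Ethernet link. Added example; assumes a
# little-endian file with microsecond timestamps (magic 0xa1b2c3d4), not pcapng.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}


def parse_icmp(data, host=None):
    """Return one dict per ICMP/IPv4 packet in pcap bytes. 'host' keeps only
    packets whose source or destination is that IPv4 address (the same
    restriction as the 'host' filter term on the tcpdump command line)."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file (pcapng is not handled)")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:            # file cut off mid-record (e.g. Control-C)
            break
        rec = _decode_icmp(frame)
        if rec is None:
            continue
        if host is not None and host not in (rec["src"], rec["dst"]):
            continue
        rec["time"] = ts_sec + ts_usec / 1e6
        rec["truncated"] = incl_len < orig_len   # snaplen was smaller than the packet
        records.append(rec)
    return records


def _decode_icmp(frame):
    """Decode Ethernet -> IPv4 -> ICMP; return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_ICMP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    icmp = ip[ihl:]
    if len(icmp) < 8:                        # every ICMP header is at least 8 bytes
        return None
    itype, code, _csum, ident, seq = struct.unpack_from("!BBHHH", icmp, 0)
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "type": itype, "code": code, "id": ident, "seq": seq,
            "name": ICMP_TYPES.get(itype, f"type {itype}")}


def summarize(data, host=None):
    """One tcpdump-like line per ICMP packet."""
    return [f'{r["src"]} > {r["dst"]}: ICMP {r["name"]}, id {r["id"]}, seq {r["seq"]}'
            for r in parse_icmp(data, host)]


# ---- constructed sample capture (built here, not a real tcpdump file) ----
def _checksum(b):
    if len(b) % 2:
        b += b"\0"
    s = sum(struct.unpack(f"!{len(b) // 2}H", b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ipv4_frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("000a95de79f4")   # made-up MACs
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def _icmp(itype, ident, seq, payload=b"abcdefgh"):
    hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    return hdr[:2] + struct.pack("!H", _checksum(hdr)) + hdr[4:]


def build_pcap(frames, snaplen=65535):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        kept = f[:snaplen]                   # emulate tcpdump's -s truncation
        out += struct.pack("<IIII", 1700000000 + i, i * 1000, len(kept), len(f)) + kept
    return out


SAMPLE_PCAP = build_pcap([
    _ipv4_frame("192.168.1.78", "192.168.1.1", IPPROTO_ICMP, _icmp(8, 0x1A2B, 1)),
    _ipv4_frame("192.168.1.78", "8.8.8.8", IPPROTO_UDP, bytes(16)),   # not ICMP: skipped
    _ipv4_frame("192.168.1.1", "192.168.1.78", IPPROTO_ICMP, _icmp(0, 0x1A2B, 1)),
])

if __name__ == "__main__":
    for line in summarize(SAMPLE_PCAP, host="192.168.1.1"):
        print(line)
```

To read a real capture, pass the contents of the file written by -w to summarize(); a record flagged "truncated" means the capture snaplen was smaller than the packet, which is why the second command on this page uses -s 65535 (and the first -s 0) rather than a short snapshot length.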
Additional information on running tcpdump can be obtained by typing the following command from a Terminal window:
man tcpdump