Both Mac OS X and Linux provide a command-line packet capture utility (tcpdump) that will intercept and display the contents of packets sent and received on a network interface.

You should first determine the interface to include in the tcpdump command line by running the following command in a Terminal window:

ifconfig -a

The output of this command will list all network interfaces:

dhcp-78:~ Janice$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
inet6 fe80::20a:95ff:fede:79f4%en0 prefixlen 64 scopeid 0x4
inet netmask 0xffffff00 broadcast
ether 00:0a:95:de:79:f4
media: autoselect (100baseTX ) status: active
supported media: none autoselect 10baseT/UTP 10baseT/UTP
10baseT/UTP <full-duplex,hw-loopback> 100baseTX
100baseTX 100baseTX <full-duplex,hw-loopback>
lladdr 00:0a:95:ff:fe:de:79:f4
media: autoselect status: inactive
supported media: autoselect

For example, to capture and display all ICMP packets to and from a specific host on interface en0, use the following command, substituting <host> with the host IP address. The -s option sets the snapshot length; both -s 0 and -s 65535 capture each packet in full. If you wish to save the collected packets for later analysis, write them to a file using the second form (the -w option). To stop collecting packets, press Control-C.

tcpdump -i en0 -s 0 -v icmp and host <host>
tcpdump -i en0 -s 65535 -v -w somefile icmp and host <host>

On Mac OS X, the Ethernet interface is generally en0; on Linux, it is generally eth0. Use the "ifconfig -a" command described above to be sure.
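A file written with "-w somefile" is in libpcap format. The following is an added example, not part of this page, that reads such a file and reports how many packets of each IP protocol it holds and how many records were cut short by the snapshot length, which is a quick way to confirm that the "icmp and host" filter and the -s value did what you expected. It assumes the classic pcap format (not pcapng) and Ethernet link type 1; the sample capture is constructed inline so it runs offline.

```python
import struct

# Constructed sample: a little-endian pcap file with one ICMP echo request and
# one UDP datagram over Ethernet, hand-built so the example needs no real capture.
def _eth_ip(proto, payload):
    eth = bytes(6) + bytes(6) + b"\x08\x00"        # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return eth + ip + payload

ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"   # type 8 = echo request
UDP_DGRAM = struct.pack("!HHHH", 5353, 53, 12, 0) + b"data"

def build_pcap(frames, snaplen=65535):
    """Write a pcap global header plus one record per (timestamp, frame)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    recs = b""
    for ts, frame in frames:
        cap = frame[:snaplen]                      # tcpdump stores at most snaplen bytes
        recs += struct.pack("<IIII", ts, 0, len(cap), len(frame)) + cap
    return hdr + recs

SAMPLE_PCAP = build_pcap([(1700000000, _eth_ip(1, ICMP_ECHO)),
                          (1700000001, _eth_ip(17, UDP_DGRAM))])

def summarize_pcap(data):
    """Count packets per IP protocol and flag records truncated by snaplen."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"                               # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"                               # file written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    if linktype != 1:
        raise ValueError("this example handles Ethernet (link type 1) only")
    counts, truncated, off = {}, 0, 24
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if incl < orig:                            # snaplen was too small for this packet
            truncated += 1
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            proto = frame[23]                      # IPv4 protocol field (1 = ICMP, 17 = UDP)
            counts[proto] = counts.get(proto, 0) + 1
    return {"snaplen": snaplen, "packets": counts, "truncated": truncated}

if __name__ == "__main__":
    print(summarize_pcap(SAMPLE_PCAP))
```

To check a real capture, replace SAMPLE_PCAP with the contents of somefile read in binary mode.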

The filter expression can combine several terms with "and", including:

icmp or udp or tcp
port ###
host ip-address or DNS name
src ip-address or DNS name
dst ip-address or DNS name

Additional information on running tcpdump can be obtained by typing the following command from a Terminal window:

man tcpdump