I wouldn’t think I’d be writing something like this, but…
Apple changed the default of tcpdump to write out pcap-ng format,
which Wireshark doesn’t understand by default. Wasn’t sure what
was up, but a quick search didn’t get any hits… turns out the
-y flag is the key (at least on Mavericks+).
$ sudo tcpdump -w /tmp/1
tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Packet Tap), capture size 65535 bytes
^C68 packets captured
71 packets received by filter
0 packets dropped by kernel
$ sudo tcpdump -y RAW -w /tmp/2
tcpdump: data link type RAW
tcpdump: listening on pktap, link-type RAW (Raw IP), capture size 65535 bytes
^C873 packets captured
879 packets received by filter
0 packets dropped by kernel
$ sudo file /tmp/[12]
/tmp/1: data
/tmp/2: tcpdump capture file (little-endian) - version 2.4 (raw IP, capture length 65535)
$
Amusingly Apple’s own file command doesn’t even recognize the new format.
Time to alias tcpdump until things get sorted out.
Not impressed with Apple’s documentation on this one.
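Since the stock file command reports the pcap-ng capture as plain "data", here is a small shell helper (added here, not from the original post) that tells the two formats apart by their magic numbers: classic pcap starts with d4c3b2a1 (or a1b2c3d4 big-endian, and the 4d3cb2a1 / a1b23c4d nanosecond variants), while a pcap-ng file starts with the 0a0d0d0a Section Header Block type. It only needs od, so it works on a default macOS install.

```shell
# capture_format FILE
# Prints one of: pcap, pcap-ns, pcapng, unknown.
# Reads only the first four bytes, so it is safe on very large captures.
capture_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # od -An: no offsets; -tx1: one hex byte per column; -N4: first 4 bytes
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;      # classic libpcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) echo pcap-ns ;;   # classic libpcap, nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;    # pcap-ng Section Header Block
        *)                 echo unknown ;;
    esac
}

# Example run on a constructed file (not a real capture): the first 8 bytes
# of a little-endian classic pcap header, i.e. magic d4c3b2a1, version 2.4.
sample=$(mktemp)
printf '\324\303\262\241\002\000\004\000' > "$sample"
capture_format "$sample"    # prints: pcap
rm -f "$sample"
```

A file reported as pcapng is the one Wireshark of that era would not open; recapturing with -y RAW (as above) yields the classic format.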