Nov 03 2014
 

I wouldn’t have thought I’d be writing something like this, but…

Apple changed the default of tcpdump to write out pcap-ng format,
which Wireshark doesn’t understand by default. I wasn’t sure what
was up, and a quick search didn’t get any hits… it turns out the
-y flag is the key (at least on Mavericks and later).

$ sudo tcpdump -w /tmp/1
tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Packet Tap), capture size 65535 bytes
^C68 packets captured
71 packets received by filter
0 packets dropped by kernel

$ sudo tcpdump -y RAW -w /tmp/2
tcpdump: data link type RAW
tcpdump: listening on pktap, link-type RAW (Raw IP), capture size 65535 bytes
^C873 packets captured
879 packets received by filter
0 packets dropped by kernel

$ sudo file /tmp/[12]

/tmp/1: data
/tmp/2: tcpdump capture file (little-endian) - version 2.4 (raw IP, capture length 65535)

$

Amusingly Apple’s own file command doesn’t even recognize the new format.
Time to alias tcpdump until things get sorted out.

Not impressed with Apple’s documentation on this one.
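Two small pieces of shell I would keep next to this, as added example code that is not part of the original post: a `capture_format` function that classifies a capture file by its magic number (Apple’s `file` reported the pcap-ng capture above as plain `data`, but the first bytes are unambiguous), and a `tcpdump_pcap` wrapper that does what the alias in the post would do. The `TCPDUMP` variable, the `hex_prefix` and `make_sample` helpers, and the constructed sample headers `make_sample` writes are my assumptions; the magic values are the standard classic-pcap and pcap-ng ones. One caveat before aliasing: `-y RAW` selects DLT RAW, which is raw IP with no link-layer header, so the resulting file carries no Ethernet headers or MAC addresses.

```shell
#!/bin/sh
# Added example (not from the original post): classify a capture file by its
# magic number and wrap tcpdump so live captures are written as classic pcap.
# Assumptions: TCPDUMP (overridable, e.g. for testing), hex_prefix, make_sample
# and the sample headers it writes are ours, not part of tcpdump.

# Print the first $2 bytes of file $1 as one lowercase hex string, no separators.
hex_prefix() {
    od -An -tx1 -N "$2" < "$1" | tr -d ' \n'
}

# Classify a capture file. Prints one of:
#   pcap-le, pcap-be, pcap-le-nsec, pcap-be-nsec, pcapng-le, pcapng-be, pcapng, unknown
# Classic pcap: 4-byte magic 0xa1b2c3d4 (0xa1b23c4d for nanosecond timestamps),
# stored in the writer's byte order. pcap-ng: a Section Header Block whose type
# 0x0a0d0d0a reads the same in either byte order; the byte-order magic
# 0x1a2b3c4d at offset 8 tells you which order the writer used.
capture_format() {
    hex=$(hex_prefix "$1" 12)
    magic=$(printf '%s' "$hex" | cut -c1-8)
    bom=$(printf '%s' "$hex" | cut -c17-24)
    case "$magic" in
        d4c3b2a1) echo pcap-le ;;
        a1b2c3d4) echo pcap-be ;;
        4d3cb2a1) echo pcap-le-nsec ;;
        a1b23c4d) echo pcap-be-nsec ;;
        0a0d0d0a)
            case "$bom" in
                4d3c2b1a) echo pcapng-le ;;
                1a2b3c4d) echo pcapng-be ;;
                *)        echo pcapng ;;   # SHB present, byte-order magic missing/odd
            esac ;;
        *) echo unknown ;;
    esac
}

# Write a constructed file header of kind $1 to path $2. Only the header is
# written (no packet records); that is all format detection needs.
make_sample() {
    case "$1" in
        # classic pcap, little-endian, version 2.4 (matches the `file` output above)
        pcap-le)   printf '\324\303\262\241\002\000\004\000' > "$2" ;;
        # pcap-ng SHB, little-endian: type, block length 28, byte-order magic
        pcapng-le) printf '\012\015\015\012\034\000\000\000\115\074\053\032' > "$2" ;;
        junk)      printf 'not a capture' > "$2" ;;
    esac
}

# The "alias tcpdump" from the post as a function: force a classic-pcap link
# type for live capture. DLT RAW is raw IP with no link-layer header, so the
# saved packets start at the IP header. TCPDUMP may be overridden.
tcpdump_pcap() {
    "${TCPDUMP:-tcpdump}" -y RAW "$@"
}
```

Usage is `capture_format /tmp/2` to check what a capture actually is before handing it to Wireshark, and `sudo tcpdump_pcap -w /tmp/2` in place of the second command in the post. Keep `-y RAW` to live captures only; when reading a savefile with `-r` the link type is already fixed by the file.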
