How to Read .cap Packet Capture File on Mac OS X with tcpdump

May 1, 2015

Reading captured packet files in OS X

Whether performing a packet trace or sniffing and capturing packets from a network, the result is usually a .cap capture file. That .cap, .pcap, or .wcap packet capture file is created regardless of what you’re using to sniff the network, a fairly common task among network administrators and security professionals. Perhaps the easiest way to open, read, and interpret a .cap file is with the built-in tcpdump utility on a Mac or Linux machine.


Assuming you have already captured a packet trace for a network connection and created a captured packet file with a .cap, .pcap, or .wcap extension from tcpdump, Wireshark, airport, the Wireless Diagnostics Sniffer tool, or whatever other network utility you’re using, all you need to do to view the .cap file is launch Terminal in OS X * and type the following command, adjusting the path as necessary:

tcpdump -r /path/to/packetfile.cap

Most of the time a .cap file is quite large, so it’s best to pipe the tcpdump output into less or more for scanning. We’ll use less:

tcpdump -r /path/to/packetfile.cap | less

For example, let’s say there’s a capture file located at /tmp/airportSniff8471xEG.cap which was generated by monitoring a local Wi-Fi network with the fantastic airport command line utility. The syntax would be:

tcpdump -r /tmp/airportSniff8471xEG.cap | less


The file can be easily scanned, interpreted, read, moved around in, searched, or whatever else you’re looking to do with it. We won’t cover specifics about the type of data contained in the .cap files and what to do with it in this walkthrough, but even if you’re not in systems or network administration it can still be an insightful if not interesting experience.


If you’ve ever tried to use cat on a .cap file you know it results in a bunch of gibberish that borks up the Terminal, often requiring a Terminal reset to clear the screen. That is because a capture file is binary data, not text, and tcpdump -r decodes it for you.
While there are many third party apps to interpret and read .cap files, with the ability to do so natively built into the command line there is generally little reason to get another app just for scanning a captured packet file.
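To show what tcpdump -r is actually decoding (and why cat prints gibberish), here is an added example, not from the original post, that parses the classic libpcap .cap/.pcap container in pure Python: it checks the magic number, picks the byte order and timestamp unit from it, reads the 24-byte global header, and walks the 16-byte per-packet record headers. The sample capture it reads is constructed inline (two zero-filled Ethernet frames), not a real sniff.

```python
"""Minimal reader for the classic libpcap .cap/.pcap container format."""
import struct

# Magic number as seen when the first four file bytes are read big-endian.
# It tells us the file's byte order and whether timestamps are us or ns.
MAGICS = {
    0xA1B2C3D4: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xD4C3B2A1: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xA1B23C4D: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
    0x4D3CB2A1: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
}
PCAPNG_MAGIC = 0x0A0D0D0A  # pcapng Section Header Block; not parsed here


def read_pcap(data):
    """Parse a pcap blob; return (link_type, [(timestamp_seconds, frame_bytes), ...])."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    (raw_magic,) = struct.unpack(">I", data[:4])
    if raw_magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file: tcpdump -r can read it, this parser cannot")
    if raw_magic not in MAGICS:
        raise ValueError("not a pcap file (magic %#010x)" % raw_magic)
    endian, ts_div = MAGICS[raw_magic]
    # Global header: version major/minor, tz offset, sigfigs, snaplen, link type.
    _major, _minor, _zone, _sigfigs, _snaplen, link_type = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % (off - 16))
        packets.append((ts_sec + ts_frac / ts_div, data[off:off + incl_len]))
        off += incl_len
    return link_type, packets


def build_sample():
    """Constructed little-endian pcap with two Ethernet (link type 1) frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [b"\x00" * 14 + b"\x45" + b"\x00" * 19,   # 34-byte frame
              b"\x00" * 14 + b"\x45" + b"\x00" * 39]   # 54-byte frame
    body = b"".join(struct.pack("<IIII", 1430438400 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


if __name__ == "__main__":
    link, pkts = read_pcap(build_sample())
    print("link type %d, %d packets" % (link, len(pkts)))
```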


* We’re obviously focusing on reading .cap files in Mac OS X here, but the tcpdump command exists on just about every version of Linux out there too, making this a nearly universal command line utility across many varieties of Unix. Just something to keep in mind.


Posted by: Paul Horowitz in Command Line, Mac OS, Tips & Tricks
