How to Sniff Packets & Capture Packet Trace in Mac OS X the Easy Way
The Mac includes a variety of powerful wireless network tools that offer many features helpful for administration and IT purposes, including the ability to sniff packets. Here we will demonstrate how to perform a packet trace in OS X easily by using the built-in Wireless Diagnostics app. Using the Wireless Diagnostics Sniffer function is simple: it requires no additional downloads and no use of the command line.
Though capturing packets is really quite easy, this is mostly an advanced feature aimed at IT staff, network admins, systems administrators, and other more technically knowledgeable user groups. Nonetheless, it’s easy to follow along, so a casual Mac user will be able to sniff packets and browse the capture file, though novice users may not be able to interpret the pcap / wcap file results.
How to Sniff Packets with Wireless Diagnostics in OS X
This process will automatically disconnect the Mac from any active wireless network and stop any transmission, instead dedicating the Mac’s Wi-Fi card to sniffing wireless network traffic and capturing the detected data into a packet capture file.
- Option+Click on the Wi-Fi menu item in the OS X menu bar
- Choose “Open Wireless Diagnostics” from the list to open the wi-fi utility
- Ignore the splash screen, pull down the “Window” menu, and choose “Sniffer” from the list of options in the Wireless Diagnostics menu
- Select the Wi-Fi channel and channel width to sniff and capture packets on (the Wi-Fi network stumbler tool can help identify which channels and widths carry the traffic you want to sniff), then click “Start”
- When satisfied with the length of the packet capture, or when sufficient network traffic has been sniffed, click “Stop” to end the packet trace and save the captured packet file to the OS X Desktop
The captured packet file will appear on the Desktop with a .wcap extension, and its name will include the time of the packet capture; it should look something like “2017.04.20_17-27-12-PDT.wcap”.
Opening the WCAP / PCAP Capture File in Mac OS X
This file can be viewed from the command line with tcpdump, or with an app like Wireshark. Browsing the packet capture file through the command line will look like the following:
If you want to, you can change the file extension from wcap to pcap and you’ll be able to open the output file in other apps as well, including Cocoa Packet Analyzer (App Store link). The screenshot below shows what this looks like in the CPA app:
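Before renaming a .wcap to .pcap, it is worth confirming that the file really is a classic libpcap capture and checking which link type it carries, since a Wi-Fi sniffer capture should contain raw 802.11 frames (usually with a radiotap header) rather than Ethernet frames. The Python script below is an added example, not from the original article or from Apple’s tools: it reads the libpcap global header, walks the packet records, and rejects truncated files. The sample capture it builds is constructed inline, and its use of link type 127 (802.11 with radiotap) for Wireless Diagnostics output is an assumption, not something the article states.

```python
import os
import struct
import tempfile

# Classic libpcap magic numbers: (struct byte-order prefix, timestamp resolution).
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4": (">", "us"), b"\xd4\xc3\xb2\xa1": ("<", "us"),
               b"\xa1\xb2\x3c\x4d": (">", "ns"), b"\x4d\x3c\xb2\xa1": ("<", "ns")}
# libpcap link-layer types a Wi-Fi sniffer capture is likely to carry.
LINKTYPES = {1: "Ethernet", 105: "IEEE 802.11", 127: "IEEE 802.11 + radiotap"}

def inspect_capture(path):
    """Validate a .wcap/.pcap file; return its version, link type and packet count.
    Raises ValueError if the file is not a well-formed classic libpcap capture."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a libpcap capture: %s" % path)
    endian, ts_unit = PCAP_MAGICS[data[:4]]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    count, offset = 0, 24
    while offset + 16 <= len(data):  # record header: ts_sec, ts_frac, incl_len, orig_len
        _s, _f, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % offset)
        offset += 16 + incl_len
        count += 1
    return {"version": "%d.%d" % (major, minor), "timestamps": ts_unit, "linktype": linktype,
            "linktype_name": LINKTYPES.get(linktype, "other"), "packets": count}

def build_sample_capture(path):
    """Write a constructed two-frame capture: little-endian header, link type 127 (assumed),
    each record an 8-byte empty radiotap header plus a minimal 802.11 frame."""
    radiotap = bytes([0, 0, 8, 0, 0, 0, 0, 0])        # version 0, header length 8, no fields
    frames = [radiotap + b"\x80\x00" + bytes(22),       # frame control 0x0080: beacon
              radiotap + b"\x40\x00" + bytes(22)]       # frame control 0x0040: probe request
    with open(path, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 127))
        for i, frame in enumerate(frames):               # constructed timestamps, 1 s apart
            f.write(struct.pack("<IIII", 1492734432 + i, 0, len(frame), len(frame)) + frame)

def demo():
    """Build the sample capture in a temp dir and inspect it."""
    wcap = os.path.join(tempfile.mkdtemp(), "sample.wcap")
    build_sample_capture(wcap)
    return inspect_capture(wcap)
```

Point `inspect_capture` at a real .wcap from the Desktop to see its link type before renaming; a link type other than 105 or 127 means the file is not raw Wi-Fi frames and 802.11-aware tools will not decode it as such.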
What you do with the capture file and its contents is up to you. We’re not going to cover interpreting the results or what you can do with the information found in the capture file in this specific walkthrough.
Why capture a packet trace, and what good does sniffing packets do?
There are many reasons and purposes for capturing packet traces, but perhaps the most common is network troubleshooting, either to identify a connectivity issue or to better understand a particular networking problem. This is particularly true if you have a recurring issue where network performance suffers, as a trace can help IT staff or a network administrator identify the cause and narrow down the course of action to take. There are more questionable purposes for packet sniffing as well; because it captures the raw data that flows across a network, the type of information that could be gathered on unsecured wireless networks is potentially revealing. The latter reason is one of many that demonstrate why it’s so important to only join a secure Wi-Fi network. Most services use encryption to transfer data nowadays, and most wireless networks are encrypted with WPA security, both of which alleviate much of the concern that may once have been warranted. This means packet sniffing and capturing network data is mostly reserved for legitimate purposes and network optimization, and it’s a fairly common task within large networked environments.