How to Sniff Packets & Capture Packet Trace in Mac OS X the Easy Way

Apr 23, 2015 - 15 Comments

(screenshot: Packet sniffing in Mac OS X with the Wireless Diagnostics packet capture utility)

The Mac includes a variety of powerful wireless network tools that offer many features helpful for administration and IT purposes, including the ability to sniff packets. Here we will demonstrate how to perform a packet trace in OS X easily by using the built-in Wireless Diagnostics app. Using the Wireless Diagnostics Sniffer function is simple: it requires no additional downloads, nor does it require the use of the command line.


Though capturing packets is really quite easy, this is mostly an advanced feature aimed at IT staff, network admins, systems administrators, and other more technically knowledgeable user groups. Nonetheless, it’s easy to follow along, so a casual Mac user will be able to sniff packets and browse the capture file, though novice users may not be able to interpret the pcap / wcap file results.

How to Sniff Packets with Wireless Diagnostics in OS X

This process will automatically disconnect the Mac from any active wireless network and stop its transmissions, instead dedicating the Mac’s wi-fi card to sniffing wireless network traffic and capturing the detected data into a packet capture file.

  1. Option+Click on the Wi-Fi menu item in the OS X menu bar
  2. Choose “Open Wireless Diagnostics” from the list to open the wi-fi utility
     (screenshot: Open the Wireless Diagnostics app in OS X)
  3. Ignore the splash screen, pull down the “Window” menu, and choose “Sniffer” from the list of options in the Wireless Diagnostics menu
     (screenshot: Wireless Diagnostics Packet Sniffer in Mac OS X)
  4. Select the Wi-Fi channel and channel width to sniff and capture packets on, then click “Start”. Using the wi-fi network stumbler tool can be helpful to identify which channels and widths to sniff network traffic on
     (screenshot: Start packet sniffing on channels to capture packets in Mac OS X)
  5. When satisfied with the length of the packet capture, or when sufficient network traffic has been sniffed, click “Stop” to end the packet trace and save the captured packet file to the OS X Desktop

The captured packet file will appear on the desktop with a .wcap extension, and its name includes the time of the packet capture; the name should look something like “2017.04.20_17-27-12-PDT.wcap”.

Captured packets WCAP and PCAP files from the Mac OS X packets sniffer

Opening the WCAP / PCAP Capture File in Mac OS X

This file can be viewed from the command line with tcpdump, or with an app like Wireshark. Browsing the packet capture file through the command line will look like the following:

Reading a pcap file in Mac OS X command line

If you want to, you can change the file extension from wcap to pcap, and you’ll then be able to open the output file in other apps as well, including Cocoa Packet Analyzer (App Store link). The screenshot below shows what this looks like in the CPA app:

Reading a captured packet trace PCAP WCAP file in Mac OS X With Cocoa packet Analyzer app
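Before renaming or handing a .wcap file to another tool, it helps to confirm that it really is a libpcap capture and that it is not one of the empty files some readers report. The following script is an added example, not code from the original article or from Apple: it parses the pcap global header and walks every packet record, reporting the link type (127 is 802.11 with a radiotap header, the form Wireless Diagnostics produces), the packet count, and whether the file is truncated or empty. The beacon frame it builds for self-testing is constructed sample data, not a real trace.

```python
import struct
import sys

# Link-layer types seen in Mac captures (values from the libpcap link-type registry).
LINKTYPES = {1: "Ethernet", 105: "IEEE 802.11", 127: "IEEE 802.11 + radiotap header"}

def parse_pcap(data: bytes) -> dict:
    """Parse classic libpcap bytes (.pcap, or a .wcap from Wireless Diagnostics).

    Walks every record so a truncated file is reported instead of silently
    passing, and flags captures that hold no packets at all.
    """
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # usec / nsec, little-endian
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # usec / nsec, big-endian
        endian = ">"
    else:
        raise ValueError("bad magic number: not a classic libpcap capture")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, captured, off = 0, 0, 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            raise ValueError(f"truncated or corrupt packet record at offset {off}")
        packets += 1
        captured += incl_len
        off += 16 + incl_len
    return {
        "version": (major, minor),
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown"),
        "packets": packets,
        "captured_bytes": captured,
        "empty": packets == 0,
    }

def build_sample_capture() -> bytes:
    """Constructed sample, not a real trace: one 802.11 beacon under a radiotap header."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)                # minimal radiotap header, no fields
    beacon = (bytes([0x80, 0x00, 0x00, 0x00])                  # frame control (beacon) + duration
              + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2  # addr1 (broadcast), addr2, addr3
              + b"\x00\x00")                                   # sequence control
    frame = radiotap + beacon
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    record = struct.pack("<IIII", 1429830000, 0, len(frame), len(frame))
    return header + record + frame

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    print(parse_pcap(data))
```

Run it as `python3 checkcap.py ~/Desktop/your_capture.wcap`; with no argument it checks the constructed sample instead.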

What you do with the capture file and its contents is up to you. We’re not going to cover interpreting the results or what you can do with the information found in the capture file in this specific walkthrough.

Why capture a packet trace, and what good does sniffing packets do?

There are many reasons and purposes for capturing packet traces, but perhaps the most common is network troubleshooting, either to identify a connectivity issue or to better understand a particular networking problem. This is particularly true if you have a recurring issue where network performance suffers, as a trace can help IT staff or a network administrator identify the cause and narrow down the course of action to take to address it. There are more questionable purposes for packet sniffing as well, and because it captures the raw data that flows across a network, the type of information which could be gathered on unsecured wireless networks is potentially revealing. The latter reason is one of many which demonstrate why it’s so important to only join a secure wi-fi network. Most services use encryption to transfer data nowadays though, and most wireless networks are encrypted with WPA security, both of which alleviate much of the concern which may have once been warranted. This means packet sniffing and capturing network data is mostly reserved for legitimate purposes and network optimization, and it’s a fairly common task within large networked environments.


Posted by: Paul Horowitz in Mac OS, Tips & Tricks

15 Comments


  1. Y says:

    I can’t sniff for channel width 40

  2. Jean Bernard Minster says:

    This sounds very nice, except that the PCAP files are empty and have a name starting with (NULL) on OSX Mojave. Better stick to WireShark or equivalent until a fix is implemented.

    • Matt Bakerpoole says:

      On OSX 10.14.5 the first file I captured was empty. The second file captured was a real trace. You can work around the (null) in the file name using a wild card and the find command to rename the file.

      find . -type f -name '*.pcap' -exec sh -c 'mv "$1" "your_file_name_here.pcap"' sh {} \;

  3. Harish says:

    I have an issue starting the sniffer. I am trying to capture the logs. When I click on Wireless Diagnostics and go to Windows -> Sniffer, I select the channel & width appropriately. But when I click the “Start” button, it asks for credentials. Once I authenticate, the pop-up window goes away. But I can see the sniffer is not starting, because I still see the Start button highlighted. Appreciate your help on this.

  4. daye says:

    How do you do the same thing for an ethernet interface?

    • pablo says:

      It’s much harder to sniff ethernet because it’s not transmitting as broadly; you would need a direct tap into the ethernet connection to sniff packets from it. You can capture your own ethernet packets from your own cabled connection, of course, but getting someone else’s would be the challenge. Contrast this to wi-fi, which sends the radio signal literally everywhere, so it is very easy to pick up data transmissions – this is also why encryption matters greatly on wi-fi but not on ethernet!

      • daye says:

        I guess what I am asking is: can we do the same thing on an ethernet interface? I connect my ethernet to a dumb switch to sniff the packets.

  5. Terry Carlson says:

    The headline (and the body of the article for that matter) is very misleading. If you have to have a certain version of OS X for this to work, then it should be so stated. E.G. “How to Sniff Packets & Capture Packet Trace in Mac OS X “Yosemite” the Easy Way”. Not all of us are running an up to date version of Mac software!

    • Tia says:

      You can capture packet traces in OS X Mavericks as well, and technically any version of OS X with tcpdump (not the wi-fi tool GUI). What antiquated version of system software are you running on your Mac if not OS X Yosemite or OS X Mavericks? I know there are some Snow Leopard holdouts still, but OS X Lion and OS X Mountain Lion should update to OS X Mavericks at least. OS X Yosemite, admittedly, is very buggy, so the ability to sniff packets this way is not a reason to upgrade alone. But OS X 10.11 and the future will surely include such a feature.

  6. Bing says:

    I can’t find the utility on my Mavericks. Is it only available on Yosemite?

    Thanks.

  7. Chaz says:

    If using Mavericks, it is under Window -> Utilities, and in the Utilities Window it is called “Frame Capture”. You can then use tools like KisMAC2 (0.3.4) or AirCrack-ng to attempt to get more info from your capture. Happy capturing!

  8. jeff s says:

    Doesn’t work for me. All I see is the options for assistant & utilities. Not sure if it makes a difference but I have wireshark already installed.

    • jeff s says:

      I did find sniffer under the utilities menu.

    • Paul says:

      Having Wireshark will let you read the WCAP output file; it won’t impact the sniffer function being there. Be sure to look under the “Windows” menu in Wireless Diagnostics to find it. The utility is in prior releases, but Sniffer requires OS X 10.10.x or later.

  9. Kassler says:

    You used to need Wireshark and other tools to packet trace in OS X; cool that we can use Wireless Diagnostics now instead.
