How to Read .cap Packet Capture File on Mac OS X with tcpdump
Whether you are performing a packet trace or sniffing and capturing packets from a network, the result is usually a .cap capture file. That .cap, .pcap, or .wcap packet capture file is created regardless of what you’re using to sniff the network, a fairly common task among network administrators and security professionals. Perhaps the easiest way to open, read, and interpret a .cap file is with the built-in tcpdump utility on a Mac or Linux machine.
Assuming you have already captured a packet trace for a network connection and created a captured packet file with a .cap, .pcap, or .wcap extension from tcpdump, Wireshark, airport, the Wireless Diagnostics Sniffer tool, or whatever other network utility you’re using, all you need to do to view the .cap file is launch Terminal in OS X * and type the following command, adjusting the path as necessary:
tcpdump -r /path/to/packetfile.cap
Most of the time a .cap file is quite large, so it’s best to pipe tcpdump’s output into less or more for scanning; we’ll use less:
tcpdump -r /path/to/packetfile.cap | less
For example, let’s say there’s a capture file located at /tmp/airportSniff8471xEG.cap which was generated by monitoring a local Wi-Fi network with the fantastic airport command line utility; the syntax would be:
tcpdump -r /tmp/airportSniff8471xEG.cap | less
The file can then be easily scanned, interpreted, read, moved around in, searched, or whatever else you’re looking to do with it. We won’t cover the specifics of the type of data contained in .cap files or what to do with it in this walkthrough, but even if you’re not in systems or network administration it can still be an insightful, or at least interesting, experience.
If you’ve ever tried to use cat on a .cap file you know it results in a screenful of gibberish, because the file is binary rather than text, and it will often garble the Terminal badly enough that a Terminal reset is needed to clear the screen.
While there are many third party apps to interpret and read .cap files, with the ability to do so built natively into the command line there is generally little reason to get another app for simply scanning a captured packet file.
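To make that “gibberish” concrete, here is an added example (not from the original post) that parses the classic pcap container format tcpdump -r reads: a 24-byte global header (magic number, snaplen, link type) followed by a 16-byte header per packet. It builds a constructed two-packet Ethernet capture in memory; the link-type table and the sample frame bytes are illustrative assumptions.

```python
import struct
# pcap magic numbers as seen when the first 4 bytes are read little-endian
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}
# Common link-layer types from the pcap linktype registry (wi-fi sniffs are 802.11)
LINKTYPES = {1: "ETHERNET", 105: "IEEE802_11", 127: "IEEE802_11_RADIOTAP"}

def parse_pcap(data: bytes):
    """Parse a classic pcap byte string into (linktype_name, snaplen, records),
    each record being (timestamp_seconds, captured_len, original_len, payload).
    Raises ValueError on a bad magic or a truncated/oversized record, the same
    conditions under which tcpdump refuses or stops reading a file."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    endian, ts_div = MAGICS[magic]
    # fields: magic, version major/minor, tz offset, sigfigs, snaplen, linktype
    *_, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"bad captured length {incl_len} at offset {off - 16}")
        records.append((ts_sec + ts_frac / ts_div, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return LINKTYPES.get(linktype, f"LINKTYPE_{linktype}"), snaplen, records

def build_sample_pcap() -> bytes:
    """Constructed sample: a two-record Ethernet pcap built in memory, not a real capture."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28  # 42-byte ARP-sized frame
    full = struct.pack("<IIII", 1700000000, 250000, len(frame), len(frame)) + frame
    snapped = struct.pack("<IIII", 1700000001, 0, 20, 60) + frame[:20]  # cut short by snaplen
    return header + full + snapped

if __name__ == "__main__":
    linktype, snaplen, recs = parse_pcap(build_sample_pcap())
    print(f"link type {linktype}, snaplen {snaplen}, {len(recs)} packets")
    for ts, caplen, origlen, _ in recs:
        print(f"{ts:.6f}  captured {caplen} of {origlen} bytes")
```

For a real file, pass open(path, "rb").read() to parse_pcap. When reading a capture of unknown origin with tcpdump itself, adding -n (tcpdump -nr file.cap) skips the reverse DNS lookups it would otherwise issue for every address in the file.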
* We’re obviously focusing on reading .cap files in Mac OS X here, but the tcpdump command exists on just about every version of Linux out there too, making this a nearly universal command line utility for many varieties of unix. Just something to keep in mind.