Packet capture is one of the most powerful troubleshooting techniques for diagnosing network issues, investigating security incidents, and understanding how applications talk to remote services. macOS includes everything you need out of the box, and Wireshark adds a polished GUI for deep analysis. This guide walks through capturing packets with tcpdump, using the macOS-specific pktap interface, and opening the results in Wireshark.
Before You Begin
You will need:
- Administrator access on the Mac doing the capture (required for raw socket access)
- The Terminal application from /Applications/Utilities
- Homebrew if you plan to install Wireshark (brew.sh)
- Authorization to capture traffic on the network you are analyzing
Tools Available on macOS
macOS ships with a complete packet capture stack:
- tcpdump — command-line capture tool, preinstalled at /usr/sbin/tcpdump
- BPF (Berkeley Packet Filter) — the kernel framework tcpdump uses, exposed through the /dev/bpf* devices
- pktap — a macOS-only pseudo-interface that adds per-packet process metadata
- airport — hidden utility for putting the Wi-Fi card into monitor mode
- Wireshark — optional GUI installed via Homebrew: brew install --cask wireshark
The Wireshark cask also installs ChmodBPF, a launch daemon that grants capture permissions to non-root users in the access_bpf group.
Step 1: List Available Interfaces
Before capturing, identify which interface carries the traffic you want to inspect. Run:
ifconfig
Or ask tcpdump directly:
sudo tcpdump -D
Common macOS interface names:
| Interface | Purpose |
|---|---|
| en0 | Primary Wi-Fi on laptops, Ethernet on desktops |
| en1 | Secondary network interface (often Thunderbolt) |
| lo0 | Loopback (localhost traffic) |
| awdl0 | Apple Wireless Direct Link (AirDrop, Handoff) |
| utun0+ | VPN tunnel interfaces |
| pktap | Pseudo-interface with per-process metadata |
| bridge0 | Internet Sharing bridge |
If you are unsure which interface is active, check System Settings > Network or run route get default | grep interface.
Step 2: Run a Basic Capture
Save all traffic on the Wi-Fi interface to a file:
sudo tcpdump -i en0 -w capture.pcap
Press Control + C to stop. The .pcap file can be opened in Wireshark.
For a live view without saving, use numeric addresses (-n) and a filter:
sudo tcpdump -i en0 -n 'port 443'
Useful tcpdump Flags
| Flag | Purpose |
|---|---|
| -i <iface> | Interface to capture on |
| -w <file> | Write raw packets to a pcap file |
| -r <file> | Read packets from an existing pcap |
| -n | Do not resolve hostnames or ports |
| -v / -vv | Verbose decoding |
| -s 0 | Capture full packet (default on modern macOS) |
| -C <MB> | Rotate files at size |
| -W <count> | Number of rotated files to keep |
| -k P | Show process metadata (pktap only) |
Step 3: Write BPF Filters
tcpdump accepts BPF filter expressions to capture only the traffic you care about. This keeps files small and easier to analyze.
| Expression | Matches |
|---|---|
| host 1.2.3.4 | Traffic to or from an IP |
| src 1.2.3.4 | Packets from a source IP |
| dst 1.2.3.4 | Packets to a destination IP |
| port 443 | Any traffic on port 443 |
| portrange 8000-9000 | Traffic on a port range |
| tcp / udp / icmp | By protocol |
| tcp port 22 and host server.local | Combined expression |
| not port 22 | Exclude SSH (useful when capturing over SSH) |
Example: capture DNS traffic only (udp port 53 matches both queries and responses); let it run for about a minute, then press Control + C to stop:
sudo tcpdump -i en0 -w dns.pcap 'udp port 53'
Combine with and, or, and not for more complex filters.
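The wrapper below is an added example, not a script from the original guide. It turns the "run it for a minute" step into a fixed-length capture: tcpdump runs in the background for the requested number of seconds and is then sent SIGINT, the same signal Control + C delivers, so the pcap is closed cleanly. It also composes the filter the way the table above describes, automatically appending not port 22 when the shell is an SSH session so the capture is not flooded by its own SSH traffic. The script name timed_capture.sh is an assumption; it expects to be run as root via sudo and assumes tcpdump is on the PATH (/usr/sbin/tcpdump on macOS).

```shell
#!/bin/sh
# timed_capture.sh (added example, not part of the original guide)
# Run tcpdump for a fixed number of seconds, stop it with SIGINT (what
# Control+C sends) so the pcap file is closed cleanly, then report a count.

# Build the BPF filter expression.
# $1 = user filter (may be empty), $2 = "yes" when the shell is an SSH session.
# When over SSH, "and not port 22" is appended so the capture does not fill
# with the SSH session that is driving it.
build_filter() {
    user_filter=$1
    over_ssh_flag=$2
    f=""
    if [ -n "$user_filter" ]; then
        f="($user_filter)"
    fi
    if [ "$over_ssh_flag" = "yes" ]; then
        if [ -n "$f" ]; then
            f="$f and not port 22"
        else
            f="not port 22"
        fi
    fi
    printf '%s' "$f"
}

# Detect an SSH session from the variables sshd exports to the login shell.
over_ssh() {
    if [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]; then
        echo yes
    else
        echo no
    fi
}

# timed_capture IFACE SECONDS OUTFILE [FILTER]
timed_capture() {
    iface=$1
    seconds=$2
    outfile=$3
    filter=$(build_filter "${4:-}" "$(over_ssh)")

    # Opening /dev/bpf* needs root (or the access_bpf group from ChmodBPF).
    if [ "$(id -u)" -ne 0 ]; then
        echo "run this script with sudo" >&2
        return 1
    fi

    # -n: no name lookups; -s 0: whole packets; -w: raw pcap to OUTFILE.
    if [ -n "$filter" ]; then
        tcpdump -i "$iface" -n -s 0 -w "$outfile" "$filter" &
    else
        tcpdump -i "$iface" -n -s 0 -w "$outfile" &
    fi
    pid=$!

    # An early Control+C is forwarded to tcpdump so the file is still closed cleanly.
    trap 'kill -INT "$pid" 2>/dev/null' INT TERM
    sleep "$seconds"
    kill -INT "$pid" 2>/dev/null
    wait "$pid"
    trap - INT TERM

    # Read the file back: tcpdump -r prints one line per packet without -v.
    count=$(tcpdump -n -r "$outfile" 2>/dev/null | wc -l | tr -d ' ')
    echo "$outfile: $count packets"
}

# Example invocation: sudo sh timed_capture.sh en0 60 dns.pcap 'udp port 53'
if [ "$#" -ge 3 ]; then
    timed_capture "$@"
fi
```

Stopping with SIGINT rather than kill -9 matters: tcpdump flushes and closes the pcap on SIGINT, while a hard kill can leave a truncated file that Wireshark refuses to open.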
Step 4: See Which Process Sent Each Packet
This is the killer feature of macOS packet capture. The pktap pseudo-interface aggregates all physical interfaces and tags each packet with the originating process.
sudo tcpdump -i pktap -k P -n
The -k P flag tells tcpdump to display process name and PID alongside each packet. Use it to answer questions like "which app is hitting this API endpoint?" without guessing.
You can combine it with normal BPF filters:
sudo tcpdump -i pktap -k P -n 'port 443'
Step 5: Capture Wi-Fi in Monitor Mode
Normal captures only see traffic your Mac itself sends or receives. To sniff other devices' Wi-Fi traffic (with authorization), use the airport utility to put the card into monitor mode on a specific channel:
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en0 sniff 6
This captures channel 6 and writes to /tmp/airportSniffXXXXXX.pcap. Press Control + C to stop. Your Wi-Fi disconnects while sniffing is active — reconnect from the menu bar when done. Open the resulting file in Wireshark to inspect 802.11 frames and management traffic.
Step 6: Analyze With Wireshark
Open a capture file from Terminal:
open -a Wireshark capture.pcap
Or double-click the file in Finder after installing Wireshark. Once loaded, use the display filter bar at the top to narrow down what you see (display filters differ from BPF filters):
| Display Filter | Shows |
|---|---|
| http | HTTP requests and responses |
| tls.handshake | TLS handshake packets only |
| ip.addr == 1.2.3.4 | Traffic involving a specific IP |
| tcp.port == 443 | TCP traffic on port 443 |
| dns | DNS queries and responses |
| tcp.analysis.flags | TCP retransmissions, duplicates, etc. |
Right-click any packet and choose Follow > TCP Stream to see the full conversation as a single scrollable view — invaluable for debugging HTTP, SMTP, and other plaintext protocols.
Troubleshooting
tcpdump: en0: Permission denied
You forgot sudo, or the BPF devices are locked down. Run with sudo, or reinstall Wireshark to re-enable the ChmodBPF helper: brew reinstall --cask wireshark.
Capture file is empty or very small
You are likely on the wrong interface. Run route get default | grep interface to see which interface actually carries outbound traffic, then retry. On laptops switched between Wi-Fi and Ethernet, en0 may be inactive.
pcap_loop: Interrupted system call or buffer drops
The BPF buffer is too small for your traffic volume. Increase it with -B 4096 (kilobytes) on the tcpdump command line, or apply a tighter filter so fewer packets hit the buffer.
Capture file grows enormous
Use rotation: sudo tcpdump -i en0 -w cap.pcap -C 100 -W 10 keeps ten 100 MB files in a rolling buffer.
Wireshark says "The file is not a capture file in a known format"
Make sure tcpdump finished cleanly (Control + C, not kill -9). Truncated files may still be readable with editcap -F pcap input.pcap output.pcap.
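The check below is an added example, not part of the original guide. Before reaching for editcap, it is worth confirming what the file actually is: it reads the four-byte magic number to tell classic pcap (either byte order, microsecond or nanosecond timestamps) from pcapng, and reports a known-format file that is shorter than the 24-byte pcap global header as truncated, which is the usual shape of a capture cut off by kill -9. The script name pcap_check.sh and the output labels (pcap-le, pcapng, truncated, unknown) are assumptions of this example; only od, wc and tr are used, so it runs on a stock Mac.

```shell
#!/bin/sh
# pcap_check.sh (added example, not part of the original guide)
# Identify a capture file by its magic number and flag files too short to
# hold the 24-byte pcap global header.

# First four bytes of a file as lowercase hex with no separators.
magic_of() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# File size in bytes; wc -c behaves the same on macOS and Linux.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# pcap_kind FILE prints one of:
#   pcap-le / pcap-be        classic pcap, microsecond timestamps
#   pcap-ns-le / pcap-ns-be  classic pcap, nanosecond timestamps
#   pcapng                   pcapng (what Wireshark saves by default)
#   truncated                known magic but shorter than a pcap global header
#   unknown                  none of the above (not a capture file)
pcap_kind() {
    file=$1
    if [ ! -f "$file" ]; then
        echo missing
        return 1
    fi
    size=$(size_of "$file")
    case "$(magic_of "$file")" in
        d4c3b2a1) kind=pcap-le ;;
        a1b2c3d4) kind=pcap-be ;;
        4d3cb2a1) kind=pcap-ns-le ;;
        a1b23c4d) kind=pcap-ns-be ;;
        0a0d0d0a) kind=pcapng ;;
        *)        kind=unknown ;;
    esac
    # A pcap global header is 24 bytes (a pcapng section header is longer);
    # anything shorter was cut off before the writer finished.
    if [ "$kind" != unknown ] && [ "$size" -lt 24 ]; then
        kind=truncated
    fi
    echo "$kind"
}

# Example invocation: sh pcap_check.sh capture.pcap
if [ "$#" -ge 1 ]; then
    pcap_kind "$1"
fi
```

A file reported as unknown was never a capture (for example, a redirect of tcpdump's text output instead of -w); a truncated or short pcap is the case where editcap -F pcap can still salvage the complete records at the front of the file.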
Security and Privacy
Packet captures can contain highly sensitive data — passwords in cleartext protocols, session cookies, internal hostnames, personal information, and more. Follow these rules:
- Only capture on systems you own or have explicit written authorization to troubleshoot
- Store .pcap files securely and delete them when you are finished
- Never share raw captures without sanitizing with editcap or tcpreplay
- Be aware of local laws — unauthorized packet capture can violate wiretap and computer-misuse statutes
- Wi-Fi monitor mode captures other users' traffic and is particularly sensitive; get authorization in writing before sniffing any shared network