tcpdump

You're clearly not providing the right switches to tcpdump. Since you omit the actual command you are using, you're asking everyone to work blindly to solve your issue.

Instead, please post the actual command you're trying to use. I'm sure someone will see the problem from there.

Any luck with this one? I bet you tried it already. sudo tcpdump -v -i en0 -s 0 port 80

If you're not sure which interface is active, you could run the following:
<pre style="border: 1px solid #ddd; padding-left: .75ex; padding-top: .25em; padding-bottom: .25em; margin-top: .5em; margin-bottom: .5em; margin-left: 1ex; max-width: 60ex; overflow: auto; font-size: 10px; font-family: Monaco, 'Courier New', Courier, monospace; color: #444; background: #eee; line-height: normal">netstat -rnfinet | sed -n 's/^default.* //p'</pre>

Or just try this:
<pre style="border: 1px solid #ddd; padding-left: .75ex; padding-top: .25em; padding-bottom: .25em; margin-top: .5em; margin-bottom: .5em; margin-left: 1ex; max-width: 60ex; overflow: auto; font-size: 10px; font-family: Monaco, 'Courier New', Courier, monospace; color: #444; background: #eee; line-height: normal">sudo tcpdump -Xns0 -i`netstat -rnfinet | sed -n 's/^default.* //p'`</pre>

The X option displays hex and ascii data.

Jeffrey, try en1 yet this am as suggested by etresoft and what about firewall's?

As etresoft pointed out, you have to make sure you specify the right interface to capture on. Obviously the man pages have a lot info. Try 'man pcap-filter' for the tcpdump filter syntax.

I really don't know tcpdump, but Doug's command generated quite a bit of data for me. It seems to look for any TCP activity involving port 80, so just firing up Safari generated lots of output. I did have to change "en0" to "en1" to use my wireless interface instead of the ethernet.

(How are you doing that code insertion, BTW?)

Anything enclosed in back tick characters (`) is evaluated first. (Incidentally I just discovered that php treats back ticks the same way. Cool!)

And that gives a syntax error.

That makes sense to me since you appear to have multiple default routes. My mac only returns one.

What I'm actually looking for is the url that's being sent to the http server. Is there a command parameter to capture that?

You may see the url if you use the -A option with your tcpdump command. If you don't mind compiling from source another similar program is tcpflow. It reassembles the packets which makes it easier to look at.