tcpdump on wireless only shows traffic to and from iMac running tcpdump

Hello,

I'm trying to run tcpdump to see traffic on my wireless network.
So far, I'm only able to see packets that are to, or from, the iMac
that is running tcpdump.

I have NOT been able to get tcpdump to show me traffic between other
devices on my network, such as an iPod Touch and the outside
world. I'd like to be able to see DNS, HTTP, and SMTP traffic
so I can troubleshoot a device on my network that collects production
data from a solar photovoltaic system and is supposed to email reports
to me periodically. Recently the reports stopped arriving.

If I run this tcpdump command as root I see lots of traffic, but all the
packets are either from my iMac or addressed to it.

# tcpdump -i en1

If I run tcpdump with the arguments “host 10.0.1.3”, which is
the IP address of the iPod Touch,
I'll see packets that are exchanged between it and the iMac,
but nothing between 10.0.1.3 and the outside world.
Here's what tcpdump looks like if I ping the iPod Touch from the
iMac and also browse the web on the iPod:

# tcpdump -i en1 host 10.0.1.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:29:32.021824 ARP, Request who-has 10.0.1.3 tell 10.0.1.2, length 28
00:29:32.227498 ARP, Reply 10.0.1.3 is-at 90:84:0d:3a:32:9c (oui Unknown), length 28
00:29:32.227525 IP 10.0.1.2 > 10.0.1.3: ICMP echo request, id 33391, seq 0, length 64
00:29:32.229182 IP 10.0.1.3 > 10.0.1.2: ICMP echo reply, id 33391, seq 0, length 64
00:29:33.021892 IP 10.0.1.2 > 10.0.1.3: ICMP echo request, id 33391, seq 1, length 64
00:29:33.146741 IP 10.0.1.3 > 10.0.1.2: ICMP echo reply, id 33391, seq 1, length 64
00:29:34.021939 IP 10.0.1.2 > 10.0.1.3: ICMP echo request, id 33391, seq 2, length 64
00:29:34.068533 IP 10.0.1.3 > 10.0.1.2: ICMP echo reply, id 33391, seq 2, length 64

The ping traffic shows up as ICMP packets, but there's no sign of HTTP traffic.

My impression from what I’ve read on the web is that others have been able to do
packet sniffing of the “in-use” Airport network using tcpdump on Mac OS X and that
tcpdump automatically puts the interface in the required mode (promiscuous?).

I don’t know what I’m missing.

Thanks for any advice.

Model Name: iMac
Model Identifier: iMac10,1
Processor Name: Intel Core 2 Duo
Processor Speed: 3.06 GHz

System Version: Mac OS X 10.6.2 (10C2234)
Kernel Version: Darwin 10.2.0

Software Versions:
Menu Extra: 6.2 (620.24)
configd plug-in: 6.2 (620.15.1)
System Profiler: 6.0 (600.9)
Network Preference: 6.2 (620.24)
AirPort Utility: 5.4.2 (542.23)
IO80211 Family: 3.1 (310.6)
Interfaces:
en1:
Card Type: AirPort Extreme (0x168C, 0x8F)
Firmware Version: Atheros 9280: 2.1.9.5
Locale: FCC
Country Code: US
Supported PHY Modes: 802.11 a/b/g/n
Supported Channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 36, 40, 44, 48, 52, 56,
60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165
Wake On Wireless: Supported
Status: Connected
Current Network Information:

PHY Mode: 802.11n
Channel: 2
Network Type: Infrastructure
Security: WPA2 Personal

iMac Intel Core 2 Duo 3.06GHz, Mac OS X (10.6.2)

Posted on May 10, 2010 8:49 PM


May 11, 2010 8:30 PM in response to LGardener

LGardener wrote:
“Reading packets from a network interface may require that you have special privileges; see the pcap (3PCAP) man page for details.” The pcap(3) manpage says on Mac OS X “You must have read access to /dev/bpf*.” Since I’m running tcpdump as root I assume that is covered.


sudo tcpdump -i en1 host 10.0.1.3


The privilege requirement makes sense and would presumably be satisfied by either "sudo" or running as root.

I may be able to try tomorrow what you're doing on my 10.5.8 system to see how that behaves. Trying it under 10.6 won't be possible for me until I migrate my Mac, which won't happen until next week at the earliest.

May 11, 2010 5:46 AM in response to LGardener

LGardener wrote:
I'm trying to run tcpdump to see traffic on my wireless network.
So far, I'm only able to see packets that are to, or from, the iMac
that is running tcpdump.


What you want is known as "promiscuous mode". On Mac OS X 10.5.8 that seems to be the default. I'm not running a 10.6 Mac (yet), so I can't check what the tcpdump behavior is on that system. Try "man tcpdump" to see what it tells you about that.

May 11, 2010 12:07 PM in response to William-Boyd-Jr

William Boyd, Jr. wrote:
LGardener wrote:
I'm trying to run tcpdump to see traffic on my wireless network.
So far, I'm only able to see packets that are to, or from, the iMac
that is running tcpdump.


What you want is known as "promiscuous mode". On Mac OS X 10.5.8 that seems to be the default. I'm not running a 10.6 Mac (yet), so I can't check what the tcpdump behavior is on that system. Try "man tcpdump" to see what it tells you about that.


Thank you William.

Here’s my take on what the tcpdump manpage on Mac OS X 10.6.2 has to say related to promiscuous mode:

“Reading packets from a network interface may require that you have special privileges; see the pcap (3PCAP) man page for details.” The pcap(3) manpage says on Mac OS X “You must have read access to /dev/bpf*.” Since I’m running tcpdump as root I assume that is covered.

If you run tcpdump with the arguments “-i any” captures will not be done in promiscuous mode. I’m not using “-i any” so that does not apply.

“-p Don't put the interface into promiscuous mode.” This implies that the default
mode is promiscuous.

The tcpdump and pcap manpages also discuss monitor mode for wireless, but I don’t think that is what I’m after since I only want packets from my “associated network.” I’m not trying to get packets from other networks in the area, that is, ones with different SSIDs.

Can anyone who is running 10.6.2 confirm that tcpdump supports promiscuous mode on a wireless LAN? My original note outlined a way to test this, in my case using an iMac to run tcpdump and another device, an iPod Touch, to generate some (HTTP) network traffic by browsing the web. The question is: does tcpdump capture the packets going to and from the second device (iPod Touch) and the external web server? On my network the iPod Touch has address 10.0.1.3, so I could run tcpdump on the iMac and limit the capture to packets that are going to or from the iPod using this command:

sudo tcpdump -i en1 host 10.0.1.3

While this tcpdump command was running I browsed the web on the iPod Touch. What I wanted and expected to see was a bunch of HTTP packets, but none appeared.

Thanks for any input or advice.
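The test described in the original post and again in the reply above (run tcpdump on the iMac, browse on the iPod, look for packets that touch neither the iMac's address nor a broadcast) is easy to do by eye on eight lines and tedious on a real capture. The script below is an added example, not code from the thread or from tcpdump: it parses tcpdump's default one-line output, using the ARP/ICMP lines quoted from the post plus a few constructed DNS/HTTP lines (the 10.0.1.1 gateway, the TEST-NET-2 address 198.51.100.10 and the port numbers are made up for the example), and reports whether the capture contains any IP packet with neither endpoint on the sniffer. ARP requests are broadcast and reach every station without promiscuous mode, so they are listed but not counted as evidence. Two caveats a practitioner should keep in mind: run tcpdump with -n so the parser sees addresses rather than resolved names, and on a WPA2 network other stations' unicast frames are encrypted under their own pairwise keys, so even a monitor-mode capture (tcpdump -I) needs the PSK and the station's 4-way handshake before the HTTP or SMTP payload can be decoded.

```python
"""Does this tcpdump capture actually contain other stations' traffic?

Added example, not code from the original thread.  Parses tcpdump's
default one-line output and splits IP packets into those that touch the
sniffer's own address and those that do not.  If the second set is empty
the interface is not delivering third-party frames, whatever mode tcpdump
believes it set.  Run tcpdump with -n so endpoints are addresses, not names.
"""
import re
from collections import Counter

TS = r"^\d{2}:\d{2}:\d{2}\.\d+ "
# Ports (numeric, or the names tcpdump prints without -n) for the
# protocols the original poster wants to see.
SERVICES = {"53": "DNS", "domain": "DNS", "80": "HTTP", "http": "HTTP",
            "25": "SMTP", "smtp": "SMTP"}

# Lines quoted from the original post (first two ping exchanges);
# the sniffer is the iMac, 10.0.1.2.
THREAD_LINES = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:29:32.021824 ARP, Request who-has 10.0.1.3 tell 10.0.1.2, length 28
00:29:32.227498 ARP, Reply 10.0.1.3 is-at 90:84:0d:3a:32:9c (oui Unknown), length 28
00:29:32.227525 IP 10.0.1.2 > 10.0.1.3: ICMP echo request, id 33391, seq 0, length 64
00:29:32.229182 IP 10.0.1.3 > 10.0.1.2: ICMP echo reply, id 33391, seq 0, length 64
00:29:33.021892 IP 10.0.1.2 > 10.0.1.3: ICMP echo request, id 33391, seq 1, length 64
00:29:33.146741 IP 10.0.1.3 > 10.0.1.2: ICMP echo reply, id 33391, seq 1, length 64
""".splitlines()

# Constructed lines (NOT from the thread) showing what a capture that really
# sees the iPod's traffic would contain: a DNS lookup via an assumed gateway
# at 10.0.1.1 and a TCP SYN to a TEST-NET-2 address standing in for a web server.
CONSTRUCTED_LINES = """\
00:29:40.512001 IP 10.0.1.3.49152 > 10.0.1.1.53: 41832+ A? www.example.com. (33)
00:29:40.530114 IP 10.0.1.1.53 > 10.0.1.3.49152: 41832 1/0/0 A 198.51.100.10 (49)
00:29:40.601200 IP 10.0.1.3.49153 > 198.51.100.10.80: Flags [S], seq 100, win 65535, length 0
""".splitlines()


def split_endpoint(token):
    """'10.0.1.3.49152' -> ('10.0.1.3', '49152'); '10.0.1.3' -> ('10.0.1.3', None)."""
    parts = token.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts[:4]):
        return ".".join(parts[:4]), parts[4]
    return token, None


def parse_line(line):
    """Classify one tcpdump line as IP, ARP, or None (banner / unsupported)."""
    m = re.match(TS + r"IP (\S+) > (\S+): (\S+)", line)
    if m:
        src, sport = split_endpoint(m.group(1))
        dst, dport = split_endpoint(m.group(2))
        first = m.group(3)
        if first == "ICMP":
            proto = "ICMP"
        else:  # identify by well-known port, else by the TCP 'Flags' marker
            proto = SERVICES.get(sport) or SERVICES.get(dport) or (
                "TCP" if first == "Flags" else "other")
        return {"kind": "ip", "src": src, "dst": dst, "proto": proto}
    m = re.match(TS + r"ARP, Request who-has (\S+) tell (\S+),", line)
    if m:
        return {"kind": "arp", "src": m.group(2), "dst": m.group(1), "proto": "ARP"}
    m = re.match(TS + r"ARP, Reply (\S+) is-at", line)
    if m:
        return {"kind": "arp", "src": m.group(1), "dst": None, "proto": "ARP"}
    return None


def visibility_report(lines, sniffer_ip):
    """Split IP packets into those touching sniffer_ip and those that do not.

    ARP is reported but not counted: ARP requests are broadcast and reach
    every station even without promiscuous mode, so they prove nothing.
    """
    own, third_party, arp = [], [], []
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "arp":
            arp.append(rec)
        elif sniffer_ip in (rec["src"], rec["dst"]):
            own.append(rec)
        else:
            third_party.append(rec)
    return {"own": own, "third_party": third_party, "arp": arp,
            "sees_other_stations": bool(third_party)}


def conversations(records):
    """Count (src, dst, proto) triples so the flows seen can be listed."""
    return Counter((r["src"], r["dst"], r["proto"]) for r in records)


if __name__ == "__main__":
    for label, lines in (("thread lines only", THREAD_LINES),
                         ("thread + constructed", THREAD_LINES + CONSTRUCTED_LINES)):
        rep = visibility_report(lines, "10.0.1.2")
        print(f"{label}: sees_other_stations={rep['sees_other_stations']} "
              f"own={len(rep['own'])} third_party={len(rep['third_party'])} arp={len(rep['arp'])}")
        for (src, dst, proto), n in sorted(conversations(rep["third_party"]).items()):
            print(f"  {src} -> {dst} {proto} x{n}")
```

On the lines actually posted the report comes back with no third-party packets, which is the symptom in the thread stated mechanically; with the constructed DNS and HTTP lines added it flags the iPod's flows. Feed it `tcpdump -n -i en1 -l` output through a pipe to run the same check on a live capture.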

Jul 10, 2010 8:12 AM in response to LGardener

Apologies for not following through on my earlier offer. I've since migrated to OS X 10.6.4. I just now tried that tcpdump command. On en1 I only saw a couple of ARP packets if I specify the "host" parameter for my iPod touch, but lots of traffic if I omit that. I did see traffic on en0, but that surprised me, as I would have expected my Time Capsule's switch to hide that traffic from me.
