When debugging network-related issues, the CLI tool tcpdump is a valuable assistant. I usually use a variation of this base command:
sudo tcpdump -A -i lo0 -n -s0 -v port 8080
- -A: Outputs the captured packets in ASCII. Since most of the time I use it for debugging web-apps or REST interfaces, this is a life-saver.
- -n: doesn't convert addresses to names (which is of little value when debugging localhost traffic anyway)
- -i lo0: select the interface whose traffic you'd like to capture (i.e. lo0 for the loopback interface, a.k.a. localhost)
- -s0: deactivate a fixed snapshot length (or more precisely, fall back to the internal default) so that large packets are not truncated because of their size.
- port 8080: limit capturing to this port (also valuable, since you'll notice that there is a bunch of noise flying around)
- -v, -vv, -vvv: increase the verbosity of the output
Again, this is the usual base command I start with. There are a gazillion more options and tweaks at your disposal.
Write/Read a capture file
You can also write a dump file for later use, or to import into a GUI tool like Wireshark.
sudo tcpdump -A -i en0 -w network.dump.pcap # write file
sudo tcpdump -r network.dump.pcap # read file
Capture traffic by host
When debugging beyond lo0, it's also valuable to focus on just one specific network partner. For that you can use host, src and dst respectively.
sudo tcpdump -A -i en0 host 192.168.178.24 # from and to
sudo tcpdump -A -i en0 dst 192.168.178.24 # only to
sudo tcpdump -A -i en0 src 192.168.178.24 # only from
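The dump file written with -w above is a classic libpcap file, and the host/src/dst/port primitives are just filters over the packet headers. The following is an added example (not part of the original post): a small offline reader for such a file that decodes Ethernet/IPv4/TCP headers and applies the same four filter primitives, run against a constructed three-packet capture (the addresses, ports and payloads are made up for the example).

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic libpcap magic number (little-endian file)

def ip_str(b): return ".".join(map(str, b))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_pcap(data):
    """Yield one dict per TCP/IPv4 packet in a classic pcap with Ethernet link type."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != 1:
        raise ValueError("expected little-endian pcap (not pcapng) with Ethernet (DLT 1)")
    off = 24  # global header is 24 bytes; each record has a 16-byte header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt, off = data[off:off + incl_len], off + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # only IPv4 over Ethernet carrying TCP is decoded here
        tcp = 14 + (pkt[14] & 0x0F) * 4     # skip Ethernet + IPv4 header (IHL)
        sport, dport = struct.unpack_from("!HH", pkt, tcp)
        doff = (pkt[tcp + 12] >> 4) * 4     # TCP data offset in bytes
        yield {"ts": ts_sec + ts_usec / 1e6, "src": ip_str(pkt[26:30]), "dst": ip_str(pkt[30:34]),
               "sport": sport, "dport": dport, "payload": pkt[tcp + doff:]}

def matches(p, host=None, src=None, dst=None, port=None):
    """Mirror the host/src/dst/port filter primitives used on the tcpdump command line."""
    return ((host is None or host in (p["src"], p["dst"])) and (src is None or p["src"] == src)
            and (dst is None or p["dst"] == dst) and (port is None or port in (p["sport"], p["dport"])))

def filter_pcap(data, **kw):
    return [p for p in parse_pcap(data) if matches(p, **kw)]

# --- constructed sample capture (not a real dump): three Ethernet/IPv4/TCP frames ---
def build_frame(src, dst, sport, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    build_frame("192.168.178.24", "192.168.178.10", 51234, 8080, b"GET /api HTTP/1.1\r\n"),
    build_frame("192.168.178.10", "192.168.178.24", 8080, 51234, b"HTTP/1.1 200 OK\r\n"),
    build_frame("192.168.178.30", "192.168.178.10", 40000, 22, b""),
])
```

To use it on a real file, pass `open("network.dump.pcap", "rb").read()` to `filter_pcap`; note that it only handles the classic format, so captures saved as pcapng must be converted first.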
There’s still more
Although this is just the tip of the iceberg, most of the time it is already sufficient for my use cases.
But of course there's more to reveal - you can find more (complex) examples in this excellent post at hackertarget.com. And to understand what you're actually typing, I recommend comparing the examples with the man pages of tcpdump.