I would like to monitor traffic between two processes running on OS X El Capitan. The server is listening on 127.0.0.1 so I believe I need to monitor the lo0 loopback interface.
I'm trying to use the tcpdump program supplied by Apple to do this with the following command, as per https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/tcpdump.1.html:
sudo tcpdump -i pktap,lo0 -v ./DumpFile01.pcap
but this fails with:
tcpdump: data link type PKTAP
tcpdump: listening on pktap,lo0, link-type PKTAP (Packet Tap), capture size 262144 bytes
tcpdump: pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_add_if_info: pcap_compile_nopcap() failed
It appears to be Apple's version of tcpdump:
tcpdump --version
tcpdump version 4.7.3 -- Apple version 66
libpcap version 1.5.3 - Apple version 54
From the tcpdump man page above and https://dreness.com/blog/archives/829 I think I should be able to run the following to see the packets for a given process:
tcpdump -i pktap,lo0 -Q "proc =myserver"
Has anybody had success with this? I would try the latest tcpdump, but I understand from the man page that "-Q" is an Apple extension.
sudo tcpdump -i pktap,lo0 -v ./DumpFile01.pcap
That tcpdump command says "capture on lo0 with pktap, print text output in verbose mode, and use the string "./DumpFile01.pcap" as a capture filter". -v means "print in verbose mode"; did you mean -w, which means "write in binary form to the file whose name comes after the -w flag"?
"./DumpFile01.pcap" is not a valid capture filter; unfortunately, Apple's libpcap is buggy (Apple bug 21698116), and, if you're capturing with pktap, its error message for invalid capture filters is the not-very-informative "pktap_filter_packet: pcap_add_if_info(lo0, 0) failed: pcap_add_if_info: pcap_compile_nopcap() failed". (I told them how to fix it in the bug; hopefully they'll fix it in 10.12 Big Sur or whatever it's called, even if they don't get around to fixing it in 10.11.x.)
If you want to monitor traffic on lo0, and have tcpdump print its interpretation of the traffic on the terminal (rather than saving it to a binary pcap file for later interpretation by tcpdump or Wireshark or whatever; neither tcpdump nor Wireshark can read, as a capture, printed output from tcpdump), then do
sudo tcpdump -i pktap,lo0 -v
If you want the printed interpretation saved to a text file (again, you cannot feed that text file to tcpdump or Wireshark as a capture), do
sudo tcpdump -i pktap,lo0 -v >PrintedCapture.txt
If you want to save the raw packet data to a binary capture file for later interpretation by tcpdump or Wireshark or whatever, do:
sudo tcpdump -i pktap,lo0 -w ./DumpFile01.pcap
(-w, not -v).
And, yes, -Q is an Apple extension. -k is another Apple extension to print packet metadata such as process names if you're capturing with pktap.
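As an added illustration, not part of the question or the answer above, of what a -w capture taken on pktap,lo0 contains: this Python parser walks such a pcap file, reads the process id and command name out of each PKTAP header, and pulls the loopback IPv4/TCP addresses and ports out of the inner DLT_NULL frame, so loopback traffic can be attributed to a process offline much as -k prints it and -Q "proc =name" filters it. It assumes a little-endian host (an Intel Mac), the pktap_header field offsets used by tcpdump's print-pktap.c (pid at byte 52, command name at byte 56), and feeds itself a constructed one-packet sample rather than a real capture.

```python
import struct

DLT_NULL, AF_INET = 0, 2                   # BSD loopback link type; IPv4 address family
PKTAP_LINKTYPES = (149, 258)               # Apple's DLT_PKTAP value and libpcap's LINKTYPE_PKTAP
PCAP_MAGIC = 0xA1B2C3D4                    # little-endian pcap file, as written on an Intel Mac

def pktap_records(data):
    """Return (pid, comm, src, dst, sport, dport) for each IPv4/TCP packet in a PKTAP pcap.
    Assumed pktap_header layout (as in tcpdump's print-pktap.c): total header length at
    offset 0, inner DLT at 8, pid at 52, 17-byte NUL-terminated command name at 56."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype not in PKTAP_LINKTYPES:
        raise ValueError("expected a little-endian pcap whose link type is PKTAP")
    off, rows = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]   # ts_sec, ts_usec, caplen, len
        rec = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        hdr_len, _, inner_dlt = struct.unpack_from("<III", rec, 0)
        pid = struct.unpack_from("<i", rec, 52)[0]
        comm = rec[56:73].split(b"\0", 1)[0].decode("ascii", "replace")
        pkt = rec[hdr_len:]                                    # skip the pktap header
        # lo0 frames are DLT_NULL: a 4-byte host-order address family, then the IP header
        if inner_dlt != DLT_NULL or struct.unpack_from("<I", pkt, 0)[0] != AF_INET:
            continue
        ip = pkt[4:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                         # protocol 6 = TCP; skip the rest
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        rows.append((pid, comm, src, dst, sport, dport))
    return rows

def records_for_process(data, name):
    """Offline counterpart of tcpdump's -Q "proc =name" filter: keep one process's packets."""
    return [r for r in pktap_records(data) if r[1] == name]

def build_sample(pid, comm, sport, dport):
    """Constructed test input: a pcap holding one PKTAP record with a loopback IPv4 TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01") + tcp
    frame = struct.pack("<I", AF_INET) + ip                   # DLT_NULL family word + packet
    pktap = struct.pack("<III24sIIIIi20sIHH8si20s", 116, 1, DLT_NULL, b"lo0",
                        0, AF_INET, 4, 0, pid, comm.encode(), 0, 0, 6, b"", pid, b"")
    rec = pktap + frame
    return (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, PKTAP_LINKTYPES[0])
            + struct.pack("<IIII", 0, 0, len(rec), len(rec)) + rec)
```

Point pktap_records at a file written with "sudo tcpdump -i pktap,lo0 -w DumpFile01.pcap" (read as bytes) to list which process each loopback connection attempt belongs to; a capture made with plain -i lo0 has link type DLT_NULL and no process metadata, so it is rejected.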