Sometimes you need a powerful sniffer on your system. Every Mac and every Linux system already has one: tcpdump. You just have to use it.
The only thing you have to know is a few flags.
-i en0: Listen on this interface.
-n: Don’t resolve hostnames.
-nn: Don’t resolve hostnames or port names.
-X: Show the contents in both hex and ASCII.
-XX: Same as -X, but also shows the ethernet header.
-v, -vv, -vvv: Increase the amount of packet information you get back.
-c n: Capture n packets and then stop.
-S: Print absolute sequence numbers.
-e: Get the ethernet header as well.
-q: Show less protocol information.
-E: Decrypt IPSEC traffic by providing an encryption key.
-s n: Set the snaplength, i.e. the number of bytes captured from each packet.
If you just want to see some traffic on the interface:
tcpdump -ni en0
If you want to get a lot of information:
tcpdump -i en0 -nnvvvXSs 1514
Of course there are other options. You can record the traffic to a file and read it back from that file later.
tcpdump -i en1 -n -w file.pcap
You can open this file directly with ⇒Wireshark, which greatly simplifies analysis of the output.
You can also set filters on the command line to get only specific packets.
tcpdump -i en1 -nnvvS tcp and src 10.0.5.1 and dst port 5222
The filter syntax for tcpdump is the same as for all other libpcap-based software. More details in this document: ⇒<pcap filter expression>
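As an added example (not from the original page), the following POSIX shell helpers tie the recording, reading and filtering steps above together: one builds a capture command that writes a pcap file, one builds the matching read-back command with the -r flag, and one checks that a filter expression compiles before a long capture is started. The filter check works by having tcpdump compile the expression against an empty pcap file with -d, so it needs neither root privileges nor a live interface. The interface names, file names and filter strings are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: small helpers around the tcpdump
# flags described above.  Interface names, file names and the filter strings
# are placeholders chosen for illustration.

# Build a capture command that writes raw packets to a file (-w) instead of
# printing them.  -nn skips name lookups, -s 0 keeps whole packets, and an
# optional libpcap filter limits what gets recorded.
capture_cmd() {
    iface=$1; outfile=$2; filter=$3
    if [ -n "$filter" ]; then
        printf 'tcpdump -i %s -nn -s 0 -w %s %s\n' "$iface" "$outfile" "$filter"
    else
        printf 'tcpdump -i %s -nn -s 0 -w %s\n' "$iface" "$outfile"
    fi
}

# Build the matching read-back command: -r replays a saved file, and the same
# filter syntax applies when reading a file as when capturing live.
read_cmd() {
    printf 'tcpdump -nn -r %s %s\n' "$1" "$2"
}

# Write an empty but valid pcap file: the 24-byte global header only
# (magic a1b2c3d4 little-endian, version 2.4, snaplen 65535, link type 1 =
# Ethernet).  tcpdump can compile a filter against it without touching any
# interface, so no root privileges are needed.
write_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000' > "$1"
    printf '\000\000\000\000\000\000\000\000' >> "$1"
    printf '\377\377\000\000\001\000\000\000' >> "$1"
}

# Check a filter expression before starting a long capture: -d dumps the
# compiled BPF program and tcpdump exits non-zero if the expression does
# not parse.  Returns tcpdump's exit status.
check_filter() {
    tmp=$(mktemp) || return 2
    write_empty_pcap "$tmp"
    rc=0
    tcpdump -r "$tmp" -d "$1" >/dev/null 2>&1 || rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demonstration.
capture_cmd en1 file.pcap 'tcp and src 10.0.5.1 and dst port 5222'
read_cmd file.pcap 'dst port 5222'
if command -v tcpdump >/dev/null 2>&1; then
    if check_filter 'tcp and src 10.0.5.1 and dst port 5222'; then
        echo 'filter compiles'
    else
        echo 'filter rejected'
    fi
fi
```

Running the script prints the two command lines and, where tcpdump is installed, reports whether the filter compiles. Validating the filter first matters in practice because a typo in a capture filter only shows up as an empty file after the capture has run.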