Question

I'm running tcpdump on Mac OS and I've noticed it saves files in PCAP-NG format (the first 4 bytes are 0A 0D 0D 0A). Is there a way to force it to use the old PCAP instead?

Software version:

tcpdump version 4.3.0 -- Apple version 56
libpcap version 1.3.0 - Apple version 41

PS. I'm not sure whether that is related to TCPDump or libpcap.


Solution

The tcpdump man page on Mavericks says:

   -i     Listen on interface.

          If  the  -D flag is supported, an interface number as printed by
          that flag can be used as the interface argument.

          On Darwin systems version 13 or later,  when  the  interface  is
          unspecified,  tcpdump  will  use  a  pseudo interface to capture
          packets  on  a  set  of  interfaces  determined  by  the  kernel
          (excludes by default loopback and tunnel interfaces).

          Alternatively,  to capture on more than one interface at a time,
          one may use "pktap" as the interface parameter  followed  by  an
          optional  list  of  comma  separated interface names to include.
          For example, to capture on the loopback and en0 interface:

                 tcpdump -i pktap,lo0,en0

          An interface argument of "all" or "pktap,all"  can  be  used  to
          capture packets from all interfaces, including loopback and tun-
          nel interfaces.

          A pktap pseudo interface provides for packet metadata using  the
          default  PKTAP data link type and files are written in the Pcap-
          ng file format.  The RAW data link type must be used to force to
          use  the legacy pcap-savefile(5) file format with a ptkap pseudo
          interface.  Note that captures on a ptkap pseudo interface  will
          not be done in promiscuous mode.

          An  interface argument of "iptap" can be used to capture packets
          from at the IP layer.  This capture packets as they  are  passed
          to  the  input and output routines of the IPv4 and IPv6 protocol
          handlers of the networking stack.  Note that captures  will  not
          be done in promiscuous mode.

so you need to specify an interface on which to capture.

Note that versions of OS X dating back to Lion, newer versions of FreeBSD/NetBSD/DragonFly BSD, and newer versions of many Linux distributions include libpcap 1.1.1 or later, which means that programs using libpcap to read capture files can read many pcap-ng files. Wireshark has also been able to read them for several releases.
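A way to check which of the two formats a saved capture actually uses, from the magic bytes the question mentions (0A 0D 0D 0A for pcap-ng versus the A1 B2 C3 D4 family for legacy pcap), as an added example that is not part of the question or the answer; the sample headers are constructed inline and the function name is my own:

```python
import struct

# Magic numbers at offset 0 of a capture file (from the two file formats, not
# from this page). Legacy pcap has four variants: byte order x timestamp unit.
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcap-ng Section Header Block type
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("big", "us"),
    b"\xd4\xc3\xb2\xa1": ("little", "us"),
    b"\xa1\xb2\x3c\x4d": ("big", "ns"),
    b"\x4d\x3c\xb2\xa1": ("little", "ns"),
}

def identify_capture(data: bytes) -> dict:
    """Classify the leading bytes of a capture file as pcap, pcap-ng or unknown."""
    if len(data) < 4:
        return {"format": "unknown"}
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        # pcap-ng SHB: block type, block length, then byte-order magic at offset 8
        if len(data) < 16:
            return {"format": "pcapng", "endian": "unknown"}
        bom = data[8:12]
        if bom == b"\x1a\x2b\x3c\x4d":
            endian = "big"
        elif bom == b"\x4d\x3c\x2b\x1a":
            endian = "little"
        else:
            return {"format": "pcapng", "endian": "unknown"}
        fmt = ">" if endian == "big" else "<"
        major, minor = struct.unpack(fmt + "HH", data[12:16])
        return {"format": "pcapng", "endian": endian, "version": (major, minor)}
    if magic in PCAP_MAGICS:
        if len(data) < 24:
            return {"format": "pcap", "endian": "unknown"}
        endian, unit = PCAP_MAGICS[magic]
        fmt = ">" if endian == "big" else "<"
        # 24-byte global header: version, tz offset, sigfigs, snaplen, link type
        major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
            fmt + "HHiIII", data[4:24])
        return {"format": "pcap", "endian": endian, "timestamps": unit,
                "version": (major, minor), "snaplen": snaplen,
                "linktype": linktype}
    return {"format": "unknown"}

# Constructed sample headers (not real captures): a little-endian pcap file
# with link type 1 (Ethernet), and a minimal 28-byte pcap-ng Section Header Block.
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 262144, 1)
SAMPLE_PCAPNG = (b"\x0a\x0d\x0d\x0a" + struct.pack("<I", 28) + b"\x4d\x3c\x2b\x1a"
                 + struct.pack("<HHq", 1, 0, -1) + struct.pack("<I", 28))
```

Run `identify_capture(open(path, "rb").read(24))` on a file tcpdump wrote to see whether the RAW data link type trick from the man page actually produced a legacy pcap file.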

OTHER TIPS

There is also an app, CocoaPacketAnalyzer, which reads pcap files, but not pcap-NG files. There is a web page, https://pcapng.com, that will convert a small pcap-NG file to the older format. However, if you are capturing password or web server interactions, or generally care about security, beware about posting packet captures on the internet!

Licensed under: CC-BY-SA with attribution