5

By examining my wireless router configuration I can see there are 2 IPs assigned:

  • 192.168.1.100 -> laptop (MacBook Air, OS X 10.8.2, where I run tcpdump)

  • 192.168.1.101 -> ipad

But then if I run:

sudo tcpdump -i en0 host 192.168.1.101

I can't seem to get significant traffic to or from my iPad. tcpdump seems to be capturing some packets from time to time, but doing some wireless activity (e.g. browsing the web) generates no entries at all. Note that I have Wi-Fi security (WEP/WPA) disabled for this test.

Any idea what I may be doing wrong here?

EDIT: ifconfig en0

ifconfig en0 output, as asked:

en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 98:fe:94:45:36:8a 
    inet6 fe80::9afe:94ff:fe45:368a%en0 prefixlen 64 scopeid 0x4 
    inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect
    status: active

EDIT: ifconfig (all)

full ifconfig output (note that it's a macbook air with no ethernet port):

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 98:fe:94:45:36:8a 
    inet6 fe80::9afe:94ff:fe45:368a%en0 prefixlen 64 scopeid 0x4 
    inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect
    status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 0a:fe:94:45:36:8a 
    media: autoselect
    status: inactive

EDIT: about promiscuous mode

For the ones saying that my MacBook Air wireless port can't be put into promiscuous mode (ifconfig en0 promisc yields bad value), I can tell you that following the steps described here I can put my AirPort into promiscuous mode. I just want to be able to do it with tcpdump.

5
  • Have you configured the interface for promiscuous mode? ifconfig en0 promisc or show us the output of ifconfig en0. By the way, this appears off topic for Server Fault. (faq) Your question might be better received on Super User or Ask Different. Commented Jan 25, 2013 at 14:53
  • doing that returns ifconfig: promisc: bad value Commented Jan 27, 2013 at 1:23
  • It's a MacBook Air. I've read online that it does support promiscuous mode Commented Jan 30, 2013 at 13:35
  • Plus it is set to promiscuous mode by using other tools like wireshark or airport. Commented Jan 30, 2013 at 14:10
  • @AaronCopley en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500, doesn't that mean it supports and is using promiscuous mode?
    – John Siu
    Commented Jan 31, 2013 at 6:42

2 Answers

8
+50

Try with -I (uppercase i) and -n

sudo tcpdump -In -i en0 host 192.168.1.101

OS X tcpdump(1) quote

-I Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.

-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

-n is used because DNS probably will not work if there is no Wi-Fi connection.

PS1: The Wi-Fi interface has to be on

PS2: The Wi-Fi connection will probably be lost, e.g. no web surfing when capturing

PS3: -I is for WiFi

4
  • Does this help or no effect?
    – John Siu
    Commented Feb 3, 2013 at 23:31
  • Isn't monitor mode fundamentally different from promiscuous mode? How is it that when using tcpdump on OSX monitor mode serves the function of promiscuous mode?
    – Brannon
    Commented Mar 8, 2015 at 1:02
  • Because Wi-Fi adapters, if they support promiscuous mode at all, don't all support it in a fashion that's actually useful. And that has nothing to do with OS X; it's the case on all OSes I know of, including Linux and *BSD and Windows (at least according to the Microsoft documentation I've read, Windows Wi-Fi drivers should refuse requests to put them into promiscuous mode!)
    – user164970
    Commented Apr 3, 2015 at 22:16
  • 1
    Actually, -I is for "I can't find a single-letter option that would make sense for monitor mode, as -m and -M already have meanings assigned to them." :-) (Yes, "I can't", as I'm the person who added the option to tcpdump and the relevant APIs to libpcap.) Support for multi-letter options was added to tcpdump after that, and in versions with that support, you can also say --monitor-mode.
    – user164970
    Commented Apr 3, 2015 at 22:19
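
One way to confirm whether a capture was actually taken in monitor mode, as discussed in the answer and comments above (an added example, not part of the original thread): a capture saved with `tcpdump -w` records its link-layer type in the file header, EN10MB for Ethernet-style frames from an interface that is not in monitor mode and an IEEE802_11 variant for real 802.11 frames captured with -I. The function names and the sample headers are constructed for illustration.

```python
import struct

# DLT names as tcpdump prints them ("link-type ..."), keyed by LINKTYPE_ value.
# The bool marks types that carry real 802.11 frames, i.e. a monitor-mode capture.
LINKTYPES = {
    1: ("EN10MB", False),              # Ethernet-style headers: not monitor mode
    105: ("IEEE802_11", True),         # bare 802.11 headers
    119: ("PRISM_HEADER", True),       # Prism header + 802.11
    127: ("IEEE802_11_RADIO", True),   # radiotap header + 802.11
    163: ("IEEE802_11_RADIO_AVS", True),
    192: ("PPI", True),
}

# First four bytes read big-endian -> (struct byte order of the file, timestamp unit)
MAGICS = {
    0xA1B2C3D4: (">", "us"), 0xD4C3B2A1: ("<", "us"),
    0xA1B23C4D: (">", "ns"), 0x4D3CB2A1: ("<", "ns"),
}

def describe_pcap_header(header: bytes) -> dict:
    """Decode the 24-byte global header of a classic pcap file."""
    if len(header) < 24:
        raise ValueError("need the 24-byte pcap global header")
    (magic,) = struct.unpack(">I", header[:4])
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng or something else)")
    order, unit = MAGICS[magic]
    major, minor, _zone, _sigfigs, snaplen, network = struct.unpack(
        order + "HHiIII", header[4:24])
    linktype = network & 0xFFFF   # low 16 bits; high bits can carry FCS info
    name, is_80211 = LINKTYPES.get(linktype, ("LINKTYPE_%d" % linktype, False))
    return {"version": (major, minor), "timestamps": unit, "snaplen": snaplen,
            "linktype": linktype, "name": name, "monitor_mode": is_80211}

def check_capture(path: str) -> dict:
    """Read only the header of a capture written with `tcpdump -w`."""
    with open(path, "rb") as fh:
        return describe_pcap_header(fh.read(24))

# Constructed sample headers (not taken from a real capture).
SAMPLE_MANAGED = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
SAMPLE_MONITOR = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 127)

if __name__ == "__main__":
    for label, hdr in (("without -I", SAMPLE_MANAGED), ("with -I", SAMPLE_MONITOR)):
        info = describe_pcap_header(hdr)
        print(label, info["name"], "monitor-mode frames:", info["monitor_mode"])
```

If the result for a capture of your own shows EN10MB, the interface was not in monitor mode and only frames addressed to or sent by the capturing machine (plus broadcast and multicast) should be expected in it.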
-5

From here:

https://stackoverflow.com/questions/6591375/ifconfig-and-interfaces

By default, en0 and en1 are your physical network connections (wired and wireless LAN).

You've essentially configured your ethernet connection as promiscuous, not your wireless connection. Change your tcpdump to use your en1 interface instead. Make sure you configure it to be promiscuous as well.

3
  • I don't have an en1 interface Commented Jan 27, 2013 at 14:50
  • Will copy the full output of my ifconfig command (I don't have an ethernet port, it's a macbook air that only has wifi. en0 is the wifi interface) Commented Jan 27, 2013 at 15:14
  • Your answer is totally wrong, please remove it or I'll have to downvote it. Commented Jan 30, 2013 at 14:09
