Packet sniffer for MacOS Mojave and above

I'm looking for a packet sniffer app that runs on MacOS in a GUI (I know I can accomplish some functionality with native CLI utilities like tcpdump).



Previously I used Packet Peeper, however it doesn't seem to run in MacOS 10.14 Mojave (the application opens and seems to run, but no window appears).



* Other questions have also mentioned PP as the solution, but they're all fairly old.

Tags: macos network software-recommendation tcp wireshark

asked 3 hours ago by Orun, edited 31 mins ago by bmike

2 Answers

You probably are looking for Wireshark.

answered 3 hours ago by modlin

1 - Wireshark

If you have brew installed it's trivial to install Wireshark via a Cask.

    $ brew cask install wireshark

This will install both the GUI and CLI versions. The GUI version is called wireshark and should show up in Launcher. The CLI version should show up in your $PATH as tshark.

GUI

Invoking the GUI will show you a selection window from where you can select which network interface to analyze. NOTE: on my system we'll use en0.

[screenshot: Wireshark interface selection window]

A double click on en0 and you're in selecting packet data.

[screenshot: Wireshark packet list capturing on en0]

CLI

To use the CLI it's about as difficult.

    $ tshark -i en0 | head
    Capturing on 'Wi-Fi: en0'
    137 1 0.000000 192.168.1.95 → 172.217.6.42 UDP 65 56557 → 443 Len=23
    2 0.111321 192.168.1.95 → 172.217.5.110 ICMP 70 Echo (ping) request id=0x4300, seq=39758/20123, ttl=255
    3 0.118526 172.217.6.42 → 192.168.1.95 UDP 70 443 → 56557 Len=20
    4 0.150560 192.168.1.2 → 255.255.255.255 UDP 223 44779 → 7437 Len=173
    5 0.152892 192.168.1.87 → 192.168.1.255 BROWSER 241 Browser Election Request
    6 0.155246 192.168.1.10 → 192.168.1.255 BROWSER 239 Browser Election Request
    7 0.157628 192.168.1.69 → 192.168.1.255 BROWSER 243 Browser Election Request
    8 0.161358 192.168.1.95 → 172.217.5.110 ICMP 70 Echo (ping) request id=0x4300, seq=40014/20124, ttl=1
    9 0.168584 192.168.1.2 → 192.168.1.95 ICMP 106 Time-to-live exceeded (Time to live exceeded in transit)
    10 0.194384 172.217.5.110 → 192.168.1.95 ICMP 78 Echo (ping) reply id=0x4300, seq=39758/20123, ttl=47 (request in 2)
    280 tshark: An error occurred while printing packets: Broken pipe.

NOTE: Wireshark has excellent tutorials and guides online once you're past the install.

2 - tcpdump

If you want something even lighter, you can use tcpdump to capture all types of traffic, not just TCP.

    $ tcpdump -i en0 -n | head
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
    20:01:20.630058 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 21845, length 36
    20:01:20.681163 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 22101, length 36
    20:01:20.688948 IP 192.168.1.2 > 192.168.1.95: ICMP time exceeded in-transit, length 64
    20:01:20.728713 IP 172.217.5.110 > 192.168.1.95: ICMP echo reply, id 17152, seq 21845, length 36
    20:01:20.732391 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 22357, length 36
    20:01:20.747365 IP 65.190.128.1 > 192.168.1.95: ICMP time exceeded in-transit, length 64
    20:01:20.783439 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 22613, length 36
    20:01:20.803827 IP 174.111.103.48 > 192.168.1.95: ICMP time exceeded in-transit, length 36
    20:01:20.820382 IP 192.168.1.2.44779 > 255.255.255.255.7437: UDP, length 173
    20:01:20.834717 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 22869, length 36
    tcpdump: Unable to write output: Broken pipe

References

• Wireshark User’s Guide
• tshark man page
• tcpdump Examples — 50 Ways to Isolate Specific Traffic
• tcpdump tag from Unix & Linux Stackexchange Site

answered 1 hour ago by slm, edited 1 hour ago
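As an added example (my own code, not part of slm's answer and not a tcpdump or Wireshark component), a small Python parser for the one-line `tcpdump -n` format shown above, run over the exact lines from the answer: it skips the banner and the Broken pipe message instead of choking on them, splits the `host.port` tokens that `-n` produces, and pulls out the two things in that capture a defender would look at first, the hops that returned ICMP time-exceeded and the UDP datagram sent to the broadcast address. The `Packet` record and the function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the lines printed by `tcpdump -i en0 -n | head` in the answer above,
# banner and trailing "Broken pipe" message included, since a parser must skip those.
SAMPLE_OUTPUT = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:01:20.630058 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 21845, length 36
20:01:20.681163 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 22101, length 36
20:01:20.688948 IP 192.168.1.2 > 192.168.1.95: ICMP time exceeded in-transit, length 64
20:01:20.728713 IP 172.217.5.110 > 192.168.1.95: ICMP echo reply, id 17152, seq 21845, length 36
20:01:20.732391 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 22357, length 36
20:01:20.747365 IP 65.190.128.1 > 192.168.1.95: ICMP time exceeded in-transit, length 64
20:01:20.783439 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 22613, length 36
20:01:20.803827 IP 174.111.103.48 > 192.168.1.95: ICMP time exceeded in-transit, length 36
20:01:20.820382 IP 192.168.1.2.44779 > 255.255.255.255.7437: UDP, length 173
20:01:20.834717 IP 192.168.1.95 > 172.217.5.110: ICMP echo request, id 17152, seq 22869, length 36
tcpdump: Unable to write output: Broken pipe
"""

# One packet line: timestamp, "IP src > dst:", protocol name, free-form detail.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                     r"(?P<proto>ICMP|UDP|TCP)(?P<info>.*)$")

@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: Optional[int]   # None for ICMP, which has no ports
    dst: str
    dport: Optional[int]
    proto: str
    kind: str              # ICMP message type ("echo request", ...), "" otherwise
    length: int

def split_host_port(token: str) -> Tuple[str, Optional[int]]:
    """With -n, tcpdump prints an IPv4 host.port as five dotted numbers."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_tcpdump(text: str) -> Tuple[List[Packet], int]:
    """Return the parsed packets and how many non-packet lines were skipped."""
    packets, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # banner, error message, or a format not handled here
            continue
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        info = m["info"].lstrip(" ,")
        kind = info.split(",")[0].strip() if m["proto"] == "ICMP" else ""
        length = re.search(r"length (\d+)", info)
        packets.append(Packet(m["ts"], src, sport, dst, dport, m["proto"], kind,
                              int(length.group(1)) if length else 0))
    return packets, skipped

def summarize(packets: List[Packet]) -> Counter:
    """Packet counts keyed by protocol and ICMP message type."""
    return Counter(f"{p.proto} {p.kind}".strip() for p in packets)

def ttl_exceeded_senders(packets: List[Packet]) -> List[str]:
    """Hosts that replied time-exceeded, in first-seen order: the hops the TTL-limited probes reached."""
    seen: List[str] = []
    for p in packets:
        if p.proto == "ICMP" and p.kind.startswith("time exceeded") and p.src not in seen:
            seen.append(p.src)
    return seen

def broadcast_udp(packets: List[Packet]) -> List[Tuple[str, int, int]]:
    """UDP datagrams to the limited broadcast address, which every host on the segment receives."""
    return [(p.src, p.sport, p.dport) for p in packets
            if p.proto == "UDP" and p.dst == "255.255.255.255"]
```

The Broken pipe lines in both captures come from head closing the pipe after ten lines; `tcpdump -c 10` or `tshark -c 10` stop after ten packets without that error.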
