PKTAP extensions to tcpdump in OS X

Posted on July 8, 2014 by dre

The tcpdump man page in OS X contains various references to something called PKTAP, such as in the documentation for the -k option:

 Control the display of packet metadata via an optional meta-
 data_arg argument. This is useful when displaying packet saved
 in the pcap-ng file format or with interfaces that support the
 PKTAP data link type.

 By default, when the metadata_arg optional argument is not spec-
 ified, any available packet metadata information is printed out.

 The metadata_arg argument controls the display of specific
 packet metadata information using a flag word, where each char-
 acter corresponds to a type of packet metadata as follows:

 I interface name (or interface ID)
 N process name
 P process ID
 S service class
 D direction
 C comment

 This is an Apple modification.

This sounds like fun, but my attempts to use this were foiled by the fact that none of my interfaces support the PKTAP data link type.

If I had searched the man page for other references to PKTAP, I would have learned that tcpdump can create a ‘virtual’ PKTAP interface that wraps a specified list of other interfaces. All those other interfaces are visible through this PKTAP interface, and all the associated metadata is available for viewing / filtering.

e.g. to view only packets sent or received from ssh processes, and also view the additional metadata (-k)

andre@flux [~] % sudo tcpdump -tknq -i pktap,en0 -Q "proc =ssh" 
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap,en0, link-type PKTAP (Packet Tap), capture size 65535 bytes
(en0, proc ssh:44637, svc BE, in) IP 173.255.247.120.4200 > 192.168.5.82.65047: tcp 180
(en0, proc ssh:44637, svc CTL, out) IP 192.168.5.82.65047 > 173.255.247.120.4200: tcp 0

To simply view all of the PKTAP metadata on all packets, try something like the following (substituting en0 for your active interface(s)):

sudo tcpdump -q -n -i pktap,en0 -k

The PACKET METADATA FILTER section of the man page describes the various filtering controls.

It seems like this PKTAP stuff is used by default when doing packet captures on iOS using the provided tools. Wireshark also supports PKTAP, and had a few words about Apple’s implementation :)

About dre

I like all kinds of food.
This entry was posted in OS X, Pro Tip, The More You Know. Bookmark the permalink.

One Response to PKTAP extensions to tcpdump in OS X

  1. Pingback: how do you capture process-specific loopback interface network traffic on OSX? « news-Knowlage FeeD

Leave a Reply