{"id":829,"date":"2014-07-08T18:05:00","date_gmt":"2014-07-09T01:05:00","guid":{"rendered":"https:\/\/dreness.com\/blog\/?p=829"},"modified":"2019-12-07T17:10:30","modified_gmt":"2019-12-08T00:10:30","slug":"pktap-extensions-to-tcpdump-in-os-x","status":"publish","type":"post","link":"https:\/\/dreness.com\/blog\/archives\/829","title":{"rendered":"PKTAP extensions to tcpdump in OS X"},"content":{"rendered":"<p>The tcpdump <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/Darwin\/Reference\/ManPages\/man1\/tcpdump.1.html\" target=\"_blank\" rel=\"noopener noreferrer\">man page<\/a> in OS X contains various references to something called PKTAP, such as in the documentation for the -k option:<\/p>\n<pre> Control the display of packet metadata via an optional meta-\r\n data_arg argument. This is useful when displaying packet saved\r\n in the pcap-ng file format or with interfaces that support the\r\n PKTAP data link type.\r\n\r\n By default, when the metadata_arg optional argument is not spec-\r\n ified, any available packet metadata information is printed out.\r\n\r\n The metadata_arg argument controls the display of specific\r\n packet metadata information using a flag word, where each char-\r\n acter corresponds to a type of packet metadata as follows:\r\n\r\n I interface name (or interface ID)\r\n N process name\r\n P process ID\r\n S service class\r\n D direction\r\n C comment\r\n\r\n This is an Apple modification.<\/pre>\n<p>This sounds like fun, but my attempts to use this were foiled by the fact that none of my interfaces support the <a href=\"http:\/\/www.tcpdump.org\/linktypes\/LINKTYPE_PKTAP.html\" target=\"_blank\" rel=\"noopener noreferrer\">PKTAP data link type<\/a>.<\/p>\n<p>If I had searched the man page for other references to PKTAP, I would have learned that tcpdump can create a &#8216;virtual&#8217; PKTAP interface that wraps a specified list of other interfaces. 
All those other interfaces are visible through this PKTAP interface, and all the associated metadata is available for viewing and filtering.<\/p>\n<p>For example, to see only packets sent or received by ssh processes (selected with the -Q metadata filter) and print the PKTAP metadata for each packet (-k):<\/p>\n<pre>andre@flux [~] % sudo tcpdump -tknq -i pktap,en0 -Q \"proc =ssh\" \r\ntcpdump: data link type PKTAP\r\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\r\nlistening on pktap,en0, link-type PKTAP (Packet Tap), capture size 65535 bytes\r\n(en0, proc ssh:44637, svc BE, in) IP 173.255.247.120.4200 &gt; 192.168.5.82.65047: tcp 180\r\n(en0, proc ssh:44637, svc CTL, out) IP 192.168.5.82.65047 &gt; 173.255.247.120.4200: tcp 0<\/pre>\n<p>Each line is prefixed with the metadata for that packet: the interface it was seen on (en0), the process name and PID (ssh:44637), the service class (BE, CTL) and the direction (in or out).<\/p>\n<p>To see the PKTAP metadata for every packet on the wrapped interface(s), drop the -Q filter and keep -k, replacing en0 with your active interface(s):<\/p>\n<pre>sudo tcpdump -q -n -i pktap,en0 -k<\/pre>\n<p>The PACKET METADATA FILTER section of the man page describes the filter expressions that -Q accepts.<\/p>\n<p>It seems like this PKTAP stuff is used by default when doing packet captures on iOS using the provided tools. Wireshark also supports PKTAP, and <a href=\"https:\/\/www.wireshark.org\/lists\/wireshark-bugs\/201404\/msg00005.html\" target=\"_blank\" rel=\"noopener noreferrer\">had a few words<\/a> about Apple&#8217;s implementation :)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The tcpdump man page in OS X contains various references to something called PKTAP, such as in the documentation for the -k option: Control the display of packet metadata via an optional meta- data_arg argument. 
This is useful when displaying &hellip; <a href=\"https:\/\/dreness.com\/blog\/archives\/829\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,14,13],"tags":[],"class_list":["post-829","post","type-post","status-publish","format-standard","hentry","category-os-x","category-pro-tip","category-the-more-you-know"],"_links":{"self":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/829","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/comments?post=829"}],"version-history":[{"count":5,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/829\/revisions"}],"predecessor-version":[{"id":1247,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/829\/revisions\/1247"}],"wp:attachment":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/media?parent=829"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/categories?post=829"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/tags?post=829"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}