Do you want to capture packets without having to launch FrameSeer? If so, tcpdumpd may be just what you are looking for.
tcpdumpd is an installer package which installs a StartupItem in your Macintosh. Thereafter, each time your Macintosh restarts, tcpdump will be launched to capture all of the packets sent and received by your Macintosh.
tcpdumpd writes the packets it captures into the folder:
The name of each capture file includes a date and timestamp so you can easily work out when it was created. A new capture file is created each time your Macintosh restarts or when the current capture file fills up (50MB).
The capture files can be read by FrameSeer. Using tcpdumpd, you can capture packets while FrameSeer is not running but you can still use FrameSeer to inspect, decode and visualize the captured traffic at a later time.
tcpdumpd keeps a log of its own activities in:
tcpdumpd does not pretend to be a complete solution. You will be responsible for deleting the capture and log files when they are no longer needed. Note that if your Macintosh is attached to a very busy network, the capture files may consume a lot of space very quickly!
You can also tailor the tcpdumpd startup item to suit your own requirements. For example, if the only port opened through your firewall is “ssh” then you can add the following filter expression to restrict captures to just the ssh traffic:
/usr/sbin/tcpdump -i en0 -s 0 -w $TARGET -C 50 "((src port \ssh) or (dst port \ssh))" &
Note that the quotes around the filter expression are required. The parentheses surrounding the terms in the filter expression are optional but strongly recommended. You can obtain correctly-formed filter expressions from FrameSeer's log tab.
tcpdumpd respects the TCPDUMP keyword in /etc/hostconfig. If you add the following line to /etc/hostconfig:
then tcpdumpd will not launch during subsequent restarts.
You can also control tcpdumpd from the command-line as follows:
sudo SystemStarter start tcpdumpd
sudo SystemStarter stop tcpdumpd
sudo SystemStarter restart tcpdumpd
The restart command above is particularly useful if you want to use FrameSeer to inspect a file which is actively being written to by tcpdump. The restart command will quickly close off the current file and start a new file.
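Putting the filter, the /etc/hostconfig switch and the start/stop/restart verbs together, here is an added example of a minimal StartupItem-style wrapper with the behaviour described above; it is not the tcpdumpd package's own script. The capture folder, log file and pid file locations, and the exact TCPDUMP=-NO- line, are assumptions because the page does not show them.

```shell
#!/bin/sh
# Added example, not the tcpdumpd package's own StartupItem script: a minimal
# equivalent showing how a boot-time tcpdump wrapper honours /etc/hostconfig,
# names its files and rotates them.  Paths below are assumed, not the page's.
CAPTURE_DIR=${CAPTURE_DIR:-/var/log/tcpdumpd}
LOG_FILE=${LOG_FILE:-/var/log/tcpdumpd.log}
PID_FILE=${PID_FILE:-/var/run/tcpdumpd.pid}
HOSTCONFIG=${HOSTCONFIG:-/etc/hostconfig}
FILTER="((src port ssh) or (dst port ssh))"   # ssh-only, as in the page
# True when hostconfig turns the service off.  -NO- is the conventional
# "off" value for hostconfig keywords; the exact line is an assumption.
tcpdump_disabled() {
    grep -q '^TCPDUMP=-NO-' "$1" 2>/dev/null
}
# Capture path carrying a date and timestamp.  $2 lets a caller (or a test)
# supply a fixed stamp instead of the current time from date(1).
capture_path() {
    printf '%s/capture-%s.pcap' "$1" "${2:-$(date +%Y%m%d-%H%M%S)}"
}
# Compile the filter with -d (print BPF, capture nothing) so a malformed
# expression fails at the prompt rather than silently after a reboot.
filter_ok() {
    /usr/sbin/tcpdump -i en0 -d "$1" >/dev/null 2>&1
}
start_capture() {
    if tcpdump_disabled "$HOSTCONFIG"; then
        echo "$(date) tcpdumpd: disabled in $HOSTCONFIG" >>"$LOG_FILE"; return 0
    fi
    filter_ok "$FILTER" || { echo "$(date) tcpdumpd: bad filter" >>"$LOG_FILE"; return 1; }
    mkdir -p "$CAPTURE_DIR"
    TARGET=$(capture_path "$CAPTURE_DIR")
    # -s 0 keeps whole packets; -C 50 starts a new file every 50MB.
    /usr/sbin/tcpdump -i en0 -s 0 -w "$TARGET" -C 50 "$FILTER" >>"$LOG_FILE" 2>&1 &
    echo $! >"$PID_FILE"
}
# Stopping closes the current file, so "restart" yields a completely written
# file that FrameSeer can open while a fresh one receives new traffic.
stop_capture() {
    [ -f "$PID_FILE" ] && kill "$(cat "$PID_FILE")" 2>/dev/null
    rm -f "$PID_FILE"
}
case "$1" in   # SystemStarter passes the verb as $1
    start)   start_capture ;;
    stop)    stop_capture ;;
    restart) stop_capture; start_capture ;;
esac
```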
tcpdumpd is “freeware”. You may install it on as many computers as you wish. You may modify it. You may redistribute it. No acknowledgement of LGOSystems Pty Ltd as the original author is required.
tcpdumpd is supplied “as is” without warranty of any kind as to correctness or fitness for purpose.
Installing and using tcpdumpd is entirely at your own risk.
Any modifications you may make to the tcpdumpd installer package and/or the files that the package installs on your computer are done entirely at your own risk.
Please note that the above should not be taken as suggesting that there is anything wrong with the tcpdumpd package. As far as LGOSystems Pty Ltd is aware, the package will install correctly and will behave correctly. However, the package has only received limited testing (specifically on Mac OS X 10.4.8, both PowerPC and Intel) so you should assure yourself that it meets your requirements before you actually rely upon it.