tcpdump promiscuous mode on OSX 10.8

Question

By examining my wireless router configuration I can see there's 2 IPs assigned:

192.168.1.100 -> laptop (Macbook Air OSX 10.8.2, where I runtcpdump)
192.168.1.101 -> ipad

But then if I run:

sudo tcpdump -i en0 host 192.168.1.101

I can't seem to get significant traffic to or from my iPad. tcpdump seems to be capturing some packages from time to time but doing some wireless activity (e.g. browsing the web) generates no entries at all. Note that I have wifi security (WEP/WPA) disabled for this test.

Any idea what may I be doing wrong here?

EDIT: ifconfig en0

ifconfig en0 output, as asked:

en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 98:fe:94:45:36:8a 
    inet6 fe80::9afe:94ff:fe45:368a%en0 prefixlen 64 scopeid 0x4 
    inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect
    status: active

EDIT: ifconfig (all)

full ifconfig output (note that it's a macbook air with no ethernet port):

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    ether 98:fe:94:45:36:8a 
    inet6 fe80::9afe:94ff:fe45:368a%en0 prefixlen 64 scopeid 0x4 
    inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect
    status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 0a:fe:94:45:36:8a 
    media: autoselect
    status: inactive

EDIT: about promiscuous mode

For the ones saying that my macbook-air wireless port can't be put into promiscuous mode (ifconfig en0 prmoisc yields bad value), I can tell you that following the steps described here I can put my airport on promiscuous mode. I just want to be able to do it with tcpdump.

Have you configured the interface for promiscuous mode? ifconfig en0 promisc or show us the output of ifconfig en0. By the way, this appears off topic for Server Fault. ([faq]) Your question might be better received on [su] or [apple.se]. — Aaron Copley, Jan 25 '13 at 14:53
It's a MacBook Air. I've read online that it does support promiscuous mode — Pablo Fernandez, Jan 30 '13 at 13:35
Plus it is set to promiscuous mode by using other tools like wireshark or airport. — Pablo Fernandez, Jan 30 '13 at 14:10
@AaronCopley en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500, doesn't that means it support and is using promiscuous mode? — John Siu, Jan 31 '13 at 06:42

score 8 · Accepted Answer · edited Jun 12 '20 at 13:48

8

Try with -I (uppercase i) and -n

sudo tcpdump -In -i en0 host 192.168.1.101

OS X tcpdump(1) quote

-I Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.

-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

-n is used because dns properly will not work if there is not wifi connection.

PS1: Wifi interface has to be on

PS2: Wifi connection properly will be lost, eg, no web surfing when capturing

PS3: -I is for WiFi

edited Jun 12 '20 at 13:48

Community

1

answered Jan 30 '13 at 20:18

John Siu

5,407

Does this help or no effect? – John Siu Feb 03 '13 at 23:31
Isn't monitor mode fundamentally different from promiscuous mode? How is it that when using tcpdump on OSX monitor mode serves the function of promiscuous mode? – Brannon Mar 08 '15 at 01:02
Because Wi-Fi adapters, if they support promiscuous mode at all, don't all support it in a fashion that's actually useful. And that has nothing to do with OS X; it's the case on all OSes I know of, including Linux and *BSD and Windows (at least according to the Microsoft documentation I've read, Windows Wi-FI drivers should refuse requests to put them into promiscuous mode!) – Apr 03 '15 at 22:16
1

Actually, -I is for "I can't find a single-letter option that would make sense for monitor mode, as -m and -M already have meanings assigned to them." :-) (Yes, "I can't", as I'm the person who added the option to tcpdump and the relevant APIs to libpcap.) Support for multi-letter options was added to tcpdump after that, and in versions with that support, you can also say −−monitor−mode. – Apr 03 '15 at 22:19

score -5 · Answer 2 · edited May 23 '17 at 12:41

-5

From here:

https://stackoverflow.com/questions/6591375/ifconfig-and-interfaces

By default, en0 and en1 are your physical network connections (wired and wireless LAN).

You've essentially configured your ethernet connection as promiscuous, not your wireless connection. Change your tcpdump to use your en1 interface instead. Make sure you configure it to be promiscuous as well.

edited May 23 '17 at 12:41

Community

1

answered Jan 27 '13 at 01:56

Marcos Velazquez

687

I don't have a en1 interface – Pablo Fernandez Jan 27 '13 at 14:50
Will copy the full output of my ifconfig command (I don't have an ethernet port, it's a macbook air that only has wifi. en0 is the wifi interface) – Pablo Fernandez Jan 27 '13 at 15:14
Your answer is totally wrong, please remove it or I'll have to downvote it. – Pablo Fernandez Jan 30 '13 at 14:09

tcpdump promiscuous mode on OSX 10.8

2 Answers2

Linked