Another freeware IP sniffer is MacSniffer, downloadable from Brian Hill.

Unlike ethereal, this program is native OS X and does not require the X11 package. It is a graphical front-end to the tcpdump command line utility.

The downside is that there is no manual, the output is not as clear, and the program requires a bit of experimenting to figure out. The man page for tcpdump is not much help. Here are some points to remember:

• All the options and preferences only apply to the next capture, after you press the Start button.
• The first time you press Start, you are asked for the admin password.
• If you want to look at only IP traffic, not all Ethernet traffic, you can just type ip into the Filter Expression text box before pressing Start.
• Alternatively, you can select "Filter Library" from the pull-down menu, press the "+" button to create a new filter, double-click on the new filter, and enter details in the window that pops up. Then save and close your way out. Select your new filter from the pull-down menu in the main window before pressing Start.
• The format of addresses in the dump is a bit strange. For IP traffic they looks like these examples:

  10.109.33.12.16832
  www.apple.com.http
  ns1.myispname.net.domain
  10.1.1.205.ntp
  

  The number or text after the last period is the TCP or UDP port. Well-known ports (below 1023) are given names, such as http for port 80, domain for 53, etc. See iana.org for the complete list.
  
  [ Reply to This | # ]