View only the network traffic that exits the Mac

Hi,
I'm using tcpdump and Wireshark to inspect the network packets that are received and sent from my Mac. I'm inspecting the traffic from the WiFi interface, but the problem is that the tools also display the traffic that doesn't exit the system, e.g. the packets that are blocked by the firewall.
Is it possible to somehow see the traffic that for sure left the Mac?

e.g.

  1. make a UDP or TCP connection to a remote address, ADDR_1.
  2. start sending/receiving packets
  3. block all the traffic, received & sent, to the ADDR_1 using e.g. pf rules
  4. Wireshark & tcpdump will still show for some time (probably until TCP timeout) the outgoing traffic to ADDR_1, even if the packets are not leaving the Mac because they are blocked by the firewall. In this case, is it possible to filter out these packets so they are not displayed by the tools?

Thanks

For testing purposes, connecting via wired to a managed switch and mirroring the switchport is probably the easiest approach. With that, you can see all of the packet departures and without involving the host software or apps.

Within macOS, it's probably possible to use pfctl for this logging if not also for port mirroring, but I don't have a way to test either right now.

pfctl manages one of the macOS firewalls, so it's good at blocking stuff.

Related:

https://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/

https://www.openbsdhandbook.com/pf/logging/

Thanks for the suggestions.
I've tried in the past with an external router and it works fine. But in my case I need to run this directly on my Mac, in "real-time", and not have the special external setup.

I'll have a look at pfctl, but it might also be complicated, because I'm already modifying this from another app, and I need to add extra things for the logging.
