5

While running tcpdump without providing any interface

`tcpdump -nS`,

I'm getting a `tcpdump: cannot use data link type PKTAP` error, so I tried providing the interface option in the command

`tcpdump -i eth0` or even `eth1`

then I get the following error

tcpdump: eth1: No such device exists

(BIOCSETIF failed: Device not configured)

I even tried looking it up on the Internet but I'm not getting any solution ...

Any help??

user3143451
  • This is presumably OS X (probably Mavericks). Is this the tcpdump that comes with OS X, or did you build tcpdump from source? If you built it from source, what does `tcpdump -h` print? –  Feb 16 '14 at 23:05
  • Yes, it's the tcpdump that came from Mac OSX and this is what I get when I type `tcpdump -h`: `tcpdump version 4.3.0 -- Apple version 56 libpcap version 1.5.3` – user3143451 Feb 18 '14 at 10:10
  • I guess it's the issue with the OS itself because when I manually installed TCPDUMP separately it works just fine ... Any reason on why PKTAP issue is occurring ... – user3143451 Feb 18 '14 at 11:33

2 Answers

4

I can't speak to your problem with PKTAP, but I can speak to the "No such device exists" - eth0 is a Linux-ism, and MacOS isn't Linux. You almost certainly want en0, en1, etc. "ifconfig -a" is your friend or, if you have it installed, "tshark -D".

guestuser
  • Or `tcpdump -D`. ("`-D`" was originally a WinDump addition to tcpdump; tcpdump picked it up from WinDump, and TShark picked it up from tcpdump.) –  Nov 04 '14 at 11:03
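
The interface check suggested in the answer and comment above, as an added example that is not part of the original posts: it parses `tcpdump -D` output to confirm a device name exists before it is passed to `-i`. The function names are hypothetical, the sample listing is constructed, and the parser assumes lines of the form `1.en0 [Up, Running]` (a number, a dot, the name, then optional text).

```shell
#!/bin/sh
# Constructed sample of `tcpdump -D` output on a Mac (not captured from a real host).
SAMPLE_LISTING='1.en0 [Up, Running]
2.en1 [Up, Running]
3.lo0 [Up, Running, Loopback]
4.p2p0'

# list_ifaces: read `tcpdump -D` style text on stdin, print one device name per line.
# Strips the leading "N." index and anything after the first space.
list_ifaces() {
    sed -n 's/^[0-9][0-9]*\.\([^ ]*\).*$/\1/p'
}

# has_iface NAME: succeed only if NAME exactly matches a device listed on stdin.
has_iface() {
    list_ifaces | grep -Fqx -- "$1"
}

# check_iface NAME [LISTING]: print NAME if it is a capture device, otherwise
# list the devices that do exist on stderr and return 1.
# With no LISTING argument the live output of `tcpdump -D` is used.
check_iface() {
    wanted=$1
    listing=${2-$(tcpdump -D 2>/dev/null)}
    if printf '%s\n' "$listing" | has_iface "$wanted"; then
        printf '%s\n' "$wanted"
        return 0
    fi
    echo "no capture device named '$wanted'; available:" >&2
    printf '%s\n' "$listing" | list_ifaces | sed 's/^/  /' >&2
    return 1
}

# Demo on the constructed listing: eth0 is rejected, en0 is accepted.
check_iface eth0 "$SAMPLE_LISTING" || true
check_iface en0 "$SAMPLE_LISTING"
```

On a real host, `iface=$(check_iface en0) && tcpdump -nS -i "$iface"` runs the capture only when the device is present.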
0

> Any reason on why PKTAP issue is occurring

It's probably occurring because you installed your own version of libpcap, which does not know about the DLT_PKTAP link-layer header type, and Apple's tcpdump is somehow using your version rather than their own version (Apple's version does know about it) and, therefore, failing because, when its version of tcpdump is run without a -i argument, it uses an OS mechanism to capture on all devices, and that mechanism supplies packets with DLT_PKTAP headers and the DLT_PKTAP link-layer header type.