New elements of the command line are explained below.
The -n option tells tcpdump not to convert addresses to host names. This speeds things up considerably, and it also keeps tcpdump from issuing DNS lookups of its own, which would otherwise add traffic to the network you are tracing (or hang the decode if no DNS server is reachable).
The -e option causes tcpdump to display the link-level header for each packet.
The -x option causes the contents of the packet to also be displayed in hex.
The -vvv option makes tcpdump’s output as verbose as possible.
By specifying the -r DumpFile.dmp option you tell tcpdump to read packets from the file DumpFile.dmp rather than from a network interface. Reading a file needs no special privileges, only read access to the file, so running tcpdump using sudo is not required for this step.
You can also combine the capture and decode steps, as shown below. If you do this, tcpdump decodes packets as they arrive and prints text only; because nothing is written with -w, you don’t get a high-fidelity record of the packets that you captured to go back to later or to send to someone else.
sudo tcpdump -i en0 -s 0 -n -e -x -vvv
You can learn about tcpdump from the online manual and from the book TCP/IP Illustrated, Volume 1, The Protocols, W Richard Stevens, Addison-Wesley, 1994, ISBN 0-201-63346-9. That book is also an excellent introduction to TCP/IP protocols in general.
Note: Mention of third party sites and third party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance, or use of these vendors or products.
Miscellaneous Notes
Some of these tools have problems with packets being transferred to or from the trace machine (the machine running the tool). In general I recommend that your trace machine be separate from the machines whose network traffic you’re tracing. If you don’t follow this advice, please note the following anomalies.
EtherPeek on traditional Mac OS is unable to see packets being sent by the trace machine.
On Mac OS X, both EtherPeek and tcpdump will display bad IP checksums for packets being sent by the trace machine. This is an artifact of where the packet is copied to the capture tap (typically the checksum is filled in afterwards), not corruption on the wire; packets received from other machines show correct checksums. Newer versions of tcpdump accept the -K option to skip checksum verification altogether.
You should consult the documentation that comes with your tool for accurate and up-to-date information about its limitations.
If you use a separate trace machine, make sure that you connect all of the machines via a passive hub rather than a switch; a switch only delivers a frame to the port that owns its destination address, so the trace machine would see nothing but broadcasts and its own traffic. Virtually all 10/100 hubs are actually switches, so you’ll probably have to dig through your boxes of old stuff for a 10 Mbit/s-only passive hub (or specifically look for a 10/100 hub that only switches between the different speed segments, for example the SMC-EZ58xxDS range). A managed switch with a port-mirroring (SPAN) port, or a dedicated network tap, serves the same purpose. Keep in mind that on a hub every attached machine sees everyone else’s traffic, so don’t put one on a segment that carries traffic you aren’t entitled to see.
If you send a packet trace to DTS, please include the following:
The name and version of the tool you used to capture the packet trace.
The system type and OS version of the trace machine.
If you’ve used either EtherPeek or tcpdump to capture your packet trace, you can send us the packet trace file in its native format. Otherwise, please include a copy of the packet trace in both its native format and, if that native format isn’t text, a text export of the trace as well. That way we’re guaranteed to be able to read your packet trace.
For each relevant machine shown in the trace, please describe the following:
The machine’s role in the network conversation.
The system type and OS version.
The machine’s IP address.
The machine’s hardware address (also known as the Ethernet address or MAC address).
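The following script is an added example and is not part of the original technote. It puts the two-step capture and decode commands above into functions, and adds a helper that lists the hardware address and IP address of every host seen in the trace, which is the per-host information the DTS checklist asks for. The interface name en0 and the file name DumpFile.dmp come from the page; everything else is this example’s own assumption, including the “tcpdump -n -e” line format that the constructed SAMPLE imitates (one line per packet, untagged IPv4 frames only).

```shell
#!/bin/sh
# Added example, not code from the original technote. Assumes the interface
# en0 and the file DumpFile.dmp named on the page; the "tcpdump -n -e" line
# format parsed by host_table is an assumption about tcpdump's output.

TRACE_IF=${TRACE_IF:-en0}
TRACE_FILE=${TRACE_FILE:-DumpFile.dmp}

# Step 1: capture to a file. Opening the BPF device needs root, hence sudo.
# -s 0 records whole packets; -w writes them in tcpdump's native format,
# which is the high-fidelity record to keep and to send along.
capture() {
    sudo tcpdump -i "$TRACE_IF" -s 0 -w "$TRACE_FILE"
}

# Step 2: decode from the file. Only read access to the file is needed, so
# no sudo here; refuse to continue if the file is not readable.
decode() {
    [ -r "$TRACE_FILE" ] || { echo "cannot read $TRACE_FILE" >&2; return 1; }
    tcpdump -n -e -x -vvv -r "$TRACE_FILE"
}

# Parse one-line-per-packet "tcpdump -n -e" output from stdin and print
# "MAC IP packets" for every hardware/IP address pair seen as a sender or a
# receiver. Only untagged IPv4 frames are counted; ARP, IPv6 and VLAN-tagged
# frames are skipped because their fields sit in different positions.
host_table() {
    awk '
        # Strip the trailing ":" tcpdump puts on the destination and drop the
        # port if the address is printed as a.b.c.d.port (five components).
        function ip(a,    n, p) {
            sub(/:$/, "", a)
            n = split(a, p, ".")
            if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]
            return a
        }
        /ethertype IPv4 \(0x0800\)/ {
            src = $2; dst = $4; sub(/,$/, "", dst)
            seen[src " " ip($10)]++
            seen[dst " " ip($12)]++
        }
        END { for (k in seen) print k, seen[k] }
    ' | LC_ALL=C sort
}

# Run host_table over the captured file (no sudo needed, as for decode).
hosts_from_trace() {
    [ -r "$TRACE_FILE" ] || { echo "cannot read $TRACE_FILE" >&2; return 1; }
    tcpdump -n -e -r "$TRACE_FILE" | host_table
}

# Constructed sample of "tcpdump -n -e" output (not a real capture): the
# start of a TCP handshake, an ARP request (ignored) and an ICMP echo request.
SAMPLE='12:00:00.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 192.168.1.10.54321 > 192.168.1.1.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000002 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.1.1.80 > 192.168.1.10.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000003 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.2 tell 192.168.1.10, length 28
12:00:00.000004 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64'

case "${1:-demo}" in
    capture) capture ;;
    decode)  decode ;;
    hosts)   hosts_from_trace ;;
    demo)    printf '%s\n' "$SAMPLE" | host_table ;;
    *)       echo "usage: $0 capture|decode|hosts|demo" >&2; exit 2 ;;
esac
```

Run it as “sh trace.sh capture” on the trace machine, then “sh trace.sh decode” or “sh trace.sh hosts” as an ordinary user; with no argument it runs host_table over the constructed sample, which yields one line per hardware/IP pair with a packet count, so you can copy the addresses straight into the per-machine description DTS asks for. The capture step deliberately stays separate from the decode step so that the native-format file always exists.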