[TN#011] Capturing AFP network traffic
Author
Ralph Böhme
Published on
August 29, 2012
GUI Tool for packet capturing
You can use a nice program called CocoaPacketAnalyzer in order to capture AFP network traffic.
Step 1
Download and extract the program from the above link.
Step 2
Start it.
Step 3
Press “Capturing”.
Step 4
In the dialog window that opens, choose the active network interface. The first time, you may be asked to scan for interfaces.
Step 5
Enter “port 548” as the filter expression.
Step 6
When you are ready to do the actual trace, press “start.” While the trace is running, keep activity on the AFP volume to a minimum and perform only the necessary actions. When done with the trace, press “stop.”
Step 7
Finally, choose “Save” from the “File” menu to save the trace to a file.
Editor’s note: Use the application that you download from the above link, rather than the one available in the App Store. The latter can only analyze pcap logs, and not capture them.
Using tcpdump with a ringbuffer
One useful feature that is only available with tcpdump in Terminal is capturing into a ring buffer:
# tcpdump -s 0 -w afp.pcap -C 10 -W 2 port 548
This limits the captured data to two capture files (-W 2) with a size of 10 MB each (-C 10). That way, even with a large amount of AFP traffic, only the last 10-20 MB will be saved and available for analysis.
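Because the ring overwrites its files in turn, the lower-numbered file is not necessarily the older one. The following added example (not part of the original note) reads the first and last packet timestamps from each ring file and sorts the files oldest first; the file names afp.pcap0 and afp.pcap1 and the sample capture bytes are constructed for illustration.

```python
import struct

# First four bytes of a classic pcap file -> (struct byte order, sub-second units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),  # microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),  # nanoseconds
}

def capture_window(data):
    """Return (first_ts, last_ts, packet_count) for the bytes of one pcap file."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, units = MAGICS[data[:4]]
    offset, first, last, count = 24, None, None, 0   # skip the 24-byte global header
    while offset + 16 <= len(data):                  # 16-byte per-packet header
        sec, sub, caplen, _ = struct.unpack_from(order + "4I", data, offset)
        if offset + 16 + caplen > len(data):
            break                                    # partial record: file still being written
        last = sec + sub / units
        first = last if first is None else first
        count += 1
        offset += 16 + caplen
    return first, last, count

def chronological(files):
    """files maps name -> bytes; return names of non-empty captures, oldest first."""
    windows = {name: capture_window(data) for name, data in files.items()}
    return sorted((n for n, w in windows.items() if w[2]), key=lambda n: windows[n][0])

def make_pcap(timestamps, payload=b"\x00" * 60):
    """Build a constructed little-endian pcap (not real AFP traffic) for the demo."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        out += struct.pack("<4I", ts, 0, len(payload), len(payload)) + payload
    return out

# Constructed ring state: afp.pcap0 was overwritten after afp.pcap1 filled up.
SAMPLE = {"afp.pcap0": make_pcap([1346230300, 1346230301]),
          "afp.pcap1": make_pcap([1346230200, 1346230250, 1346230299])}

if __name__ == "__main__":
    for name in chronological(SAMPLE):
        print(name, capture_window(SAMPLE[name]))
```

For real captures, pass the bytes read from each ring file (opened in binary mode) instead of SAMPLE.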