Capturing packets from an interface and writing them to a file can be done like this:
$ sudo tcpdump -i en0 -s 0 -w my_capture.pcap
To capture packets from a VMware Fusion VM using vmnet-sniffer you can do this:
sudo /Applications/VMware\ Fusion.app/Contents/Library/vmnet-sniffer -e -w my_capture.pcap vmnet8
To analyze the capture with Bro, declaring your local networks so the Site policy treats them as internal:
bro -r my_capture.pcap local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }"
To also extract every file seen in the capture:
bro -r my_capture.pcap local file-extraction/plugins/extract-all-files.zeek
NOTE: this enables a script that extracts ALL files seen in the capture (which could get pretty big depending on the network you run this on 😉)
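A pre-flight check, added here as an example and not part of the blacktop/zeek project, that parses a classic pcap and counts packets whose captured length is below their original length: a capture taken without `-s 0` yields truncated packets, and extract-all-files then writes incomplete files. The constructed sample file and every name in it are assumptions.

```python
import struct
import sys
from dataclasses import dataclass

# pcap magic values as they appear when the first 4 bytes are read little-endian;
# the value tells us the file's byte order (nanosecond-timestamp variants included)
_MAGIC = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}


@dataclass
class CaptureCheck:
    snaplen: int
    linktype: int
    packets: int
    truncated: int  # records whose captured length is below the original length

    def warnings(self) -> list:
        out = []
        if self.truncated:
            out.append(f"{self.truncated} of {self.packets} packets are truncated "
                       f"(snaplen {self.snaplen}); extracted files will be incomplete")
        if self.linktype != 1:  # 1 = LINKTYPE_ETHERNET
            out.append(f"link type {self.linktype} is not Ethernet; check Bro/Zeek can decode it")
        return out


def check_pcap(data: bytes) -> CaptureCheck:
    """Parse a classic pcap (not pcapng) byte string and count truncated records."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    endian = _MAGIC.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (unknown magic)")
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    packets = truncated = 0
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(data):
        _sec, _frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + caplen > len(data):
            raise ValueError(f"record {packets + 1} runs past end of file")
        packets += 1
        truncated += int(caplen < origlen)
        off += 16 + caplen
    return CaptureCheck(snaplen, linktype, packets, truncated)


def sample_capture() -> bytes:
    """Constructed sample: a 'tcpdump -s 96' style file with one full and one cut packet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    full = struct.pack("<IIII", 1700000000, 0, 60, 60) + b"\x00" * 60
    cut = struct.pack("<IIII", 1700000000, 1, 96, 1514) + b"\x00" * 96
    return hdr + full + cut


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for w in check_pcap(raw).warnings():
        print("WARNING:", w)
```

Run it as `python check_pcap.py my_capture.pcap` before the extraction step; no output means every record was captured in full.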
Add the following to your bash or zsh profile (a function rather than an alias, so that the arguments you pass are forwarded to the container and the current directory is mounted as /pcap):
zeek() { docker run --rm -v "$PWD:/pcap:rw" blacktop/zeek "$@"; }