1. In the EDR Console, select the OSX sensor and select the "Go Live" button. Once connected to the sensor, in the Go Live terminal window:

   a. Identify the network interface to capture on:
      execfg ifconfig

   b. Start the capture. The flags are -nn (do not resolve host or port names), -i (interface), -c (stop after this many packets), -v (verbose) and -w (write raw packets to the file). Always set -c here: execfg waits for the process to exit, so a tcpdump with no packet limit never returns and blocks the Live Response session.
      execfg tcpdump -nni <interface name> -c <number of packets expected> -vw <full path to collection file> host <IP address of interest> and port <port of interest>
      Example: execfg tcpdump -nni en0 -c 20 -vw /tmp/dumpfile.pcap host 172.16.48.120 and port 443

   c. Get (pull) the packet capture file from the sensor to the local administrator's endpoint.
      get <full path of pcap file>
      Example: get /tmp/dumpfile.pcap

   d. Remove the packet capture file from the sensor.
      execfg rm -f /tmp/dumpfile.pcap

   e. Detach the Live Response session.
      detach
      session list
      session close <session number of the OSX sensor>

2. Alternatively, connect to the sensor remotely (for example over SSH) and from the Terminal run:
   tcpdump -nni <interface name> -vw <full path to collection file> host <IP address of interest> and port <port of interest>
   Example: tcpdump -nni en0 -vw /tmp/dumpfile.pcap host 172.16.48.120 and port 443
   tcpdump needs root privileges to open the interface, so prefix it with sudo when the SSH account is not root. Without -c this capture runs until you stop it with Ctrl-C; add -c <number of packets expected> if you want it to stop on its own.
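The following is an added example, not part of the original article and not a Carbon Black tool: two POSIX sh helper functions that wrap the procedure above. build_tcpdump_cmd assembles the exact tcpdump command line from the steps, refusing a non-numeric packet count (a capture with no -c never exits) and a relative output path (get needs the full path). pcap_is_valid checks that the capture file is non-empty and starts with a libpcap magic number before the file is pulled and deleted. The interface, host, port and paths are hypothetical values chosen for illustration.

```shell
#!/bin/sh
# Added example; helper functions for the capture procedure described above.
# Not from the original article. Interface, host, port and paths are assumed.

# Build the tcpdump command line used in the procedure.
# Arguments: interface, packet count, output path, host, port.
# Returns 1 if the count is not a positive integer (without -c the capture
# never terminates, which would block an execfg call) or if the output path
# is not absolute (the later `get` step needs the full path).
build_tcpdump_cmd() {
    iface=$1; count=$2; out=$3; host=$4; port=$5
    case "$count" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case "$out" in
        /*) ;;
        *) return 1 ;;
    esac
    printf 'tcpdump -nni %s -c %s -vw %s host %s and port %s\n' \
        "$iface" "$count" "$out" "$host" "$port"
}

# Return 0 if the file is non-empty and begins with a libpcap magic number
# (either byte order, microsecond or nanosecond timestamps), 1 otherwise.
# Run this before `get` and `rm -f`: an empty or truncated file means the
# capture never wrote anything useful and should be re-run, not pulled.
pcap_is_valid() {
    f=$1
    [ -s "$f" ] || return 1
    magic=$(od -An -N4 -tx1 "$f" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the capture and validate the result. Needs root (tcpdump opens the
# interface) and tcpdump on PATH; intended for the SSH variant of the
# procedure, e.g. run_capture en0 20 /tmp/dumpfile.pcap 172.16.48.120 443
run_capture() {
    cmd=$(build_tcpdump_cmd "$@") || return 1
    sh -c "$cmd" || return 1
    pcap_is_valid "$3"
}
```

Over SSH, call run_capture with sudo; in a Live Response session the same command string goes after execfg, and pcap_is_valid can be reproduced there with execfg od -An -N4 -tx1 /tmp/dumpfile.pcap before pulling the file.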