A native macOS packet analyzer.
PCAP capture, plugin-based protocol dissection, and macOS-native UI — fully rewritten in Swift.
Built for the way you analyze.
Capture
Capture network traffic using Ethernet or Wi-Fi interfaces.
Analyze
A variety of network protocol analyzers is included to display and filter your trace files.
QuickLook
Preview packet traces in Finder: a QuickLook extension is included just for that.
Enhance
Creating analyzer plugins using the Cocoa bundles plugin technology should be straightforward.
Dark Mode
Supporting all appearance modes of macOS.
Bring your traces to paper.
Notarized
Releases are notarized by Apple. Beta builds might not be.
Localization
English, German and basic Japanese localizations are included.
From capture to conversation.
Start a capture
Pick an interface, set SnapLen, toggle promiscuous or Wi-Fi monitor mode, and drop in a tcpdump-compatible filter expression. The daemon compiles the BPF program before a single packet is copied to user space.
Capture to file or switch to live capturing from the same sheet — your default mode is remembered in Settings.
Live capturing
In live mode packets are dissected as they arrive. The toolbar shows a real-time traffic monitor with packet count and elapsed time while the packet list, protocol detail tree, and hex view all update continuously.
PCAP filter builder
A structured editor covering every category from the tcpdump manpage — hosts, networks, ports, VLAN, MPLS, 802.11, byte comparisons, and raw primitives. Each keystroke is validated against a dead pcap handle, so invalid filters never reach the capture daemon.
Wrap rows in NOT, combine them with AND/OR, and nest sub-groups with explicit parentheses.
The document window
Four coordinated panes: a recents sidebar, a sortable packet list with analyzer-contributed columns, an outline view with the protocol dissection tree, and a hex view that highlights the bytes behind the selected header.
Protocol color coding in the packet list makes traffic patterns obvious at a glance.
Filter and find
The toolbar search field is a single entry point for filtering: a token-style query builder, a sectioned autocomplete dropdown, rich-editor popovers for dates, protocols and grouped expressions, and a saved-query library — all without leaving the document window.
Toggle Open result in new document to route the filtered subset into its own window, ready to save as a standalone .pcap.
Follow TCP stream
Reassemble any bidirectional TCP conversation and switch between four view modes: Conversation (speech bubbles with packet numbers and flags), ASCII transcript, side-by-side hex dump, and a parsed HTTP request/response view.
The stream popup walks every conversation detected in the trace.
Protocol statistics
Get a one-look summary of any trace: a bar chart of protocol distribution next to the file's metadata — link type, packet count, byte totals, and capture time span.
Open it from the Data Sources Manager or the document sidebar, and send it straight to the printer when you need a paper copy for a report.
Get CocoaPacketAnalyzer.
Version 2.5.0
The latest release. Universal binary.
Requires macOS 26 or later. Fifteen new protocol analyzers, PCAP Filter Builder, Follow TCP Stream, token-based filter toolbar, and protocol statistics.
Version 2.1.4
Previous release. Universal binary.
For Macs running macOS 10.14.6 – 15.7.4. Not compatible with macOS 26.
CPAPlugIn DevKit
Documentation and an example analyzer for building your own protocol plugin. Compatible with CPA 2.x.
Frequently asked questions.
The Ethernet and Wi-Fi interfaces that come with your Mac should just work fine!
Ethertypes: ARP, IP (v4/v6), PPP, PPPoED/S, 802.1Q VLAN, MPLS
Linktypes: Loopback, PPP, LinuxSLL, IEEE802.11-RadioTap
Analyzer plugins for the following protocols are included:
IP-Protocols: IP (v4/v6), TCP, UDP, ICMP (v4/v6), IGMP, MPLSinIP, L2TP, Mobility
PPP-Protocols: IP, LCP, IPCP (v4/v6), CCP, PAP, CHAP
PPPoE Discovery and Session stages
Port based protocol detection: DHCPv6, L2TP, RADIUS, ESP
Promiscuous mode can be enabled in the capture preferences. Most interfaces in Apple computers should support it.
Monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks. Not all Wi-Fi interfaces support it. It can be enabled in the capture preferences.
Monitor mode and promiscuous mode won't work if both are enabled.
Please download the "development kit"; instructions on how to create an analyzer plugin are found in the HowTo file. See the small "TestPlugIn" project, which covers the basic settings. For additional information, feel free to contact me! It's updated for CPA 2 now!
Yes — CocoaPacketAnalyzer 2.5.0 requires macOS 26 or later. Earlier systems (macOS 10.14.6 – 15.7.4) can stay on 2.1.4.
