Use tcpdump to capture in a pcap file (wireshark dump)


tcpdump is a command-line network sniffer used to capture network packets. When you have only terminal access to a system, this tool is very useful for sniffing network packets. It has many options; see the tcpdump man page for the full list.

When you create a pcap file with tcpdump's default settings, it truncates the captured packets to keep the file short, and you may not be able to make sense of the result. I am writing this post so that you can create a pcap file effectively. You can use the following command to capture the dump to a file:

tcpdump -i eth0 -s 0 -w mycap.pcap port ftp or ssh

In the above command (tcpdump's options come first, and the filter expression comes last):

-s 0 sets the snapshot length (the number of bytes captured from each packet) to its maximum, i.e. 65535, so packets in the capture file are no longer truncated.

-i eth0 selects the Ethernet interface you want to capture on. If you omit this option, the default is eth0.

port ftp or ssh is the capture filter; it captures only FTP and SSH packets. Remove it to capture all packets.

-w mycap.pcap writes the capture to that pcap file, which can be opened in Wireshark.

Wireshark: wireshark.org
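If you have an existing capture and want to know whether it was taken with a short snapshot length, you can check the pcap file itself: each record stores both the captured length and the original packet length, and any record where the first is smaller than the second was truncated. The script below is an added example (not part of the original post) that builds a small capture in memory with a chosen snaplen and then audits it; the frames are constructed sample data, and it handles only the classic libpcap format, not pcapng.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (microsecond timestamps)


def build_pcap(snaplen, frames):
    """Build a minimal little-endian pcap blob in memory.

    Each frame is cut to `snaplen` bytes, which is what tcpdump does
    when its snapshot length is smaller than the packet on the wire.
    """
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on wire)
        body += struct.pack("<IIII", i, 0, len(captured), len(frame)) + captured
    return header + body


def audit_pcap(data):
    """Return (snaplen, total_records, truncated_records) for a pcap blob.

    Byte order is taken from the magic number so files written on
    big-endian hosts are read correctly too.
    """
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    snaplen = struct.unpack(endian + "IHHiIII", data[:24])[5]
    offset, total, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if caplen < origlen:  # payload bytes were dropped at capture time
            truncated += 1
        total += 1
        offset += 16 + caplen
    return snaplen, total, truncated


if __name__ == "__main__":
    # Constructed sample frames: a small ARP-sized frame, a full-size one, a mid-size one.
    sample = [b"\x00" * 60, b"\x00" * 1500, b"\xff" * 400]
    print(audit_pcap(build_pcap(96, sample)))     # short snaplen: 2 of 3 truncated
    print(audit_pcap(build_pcap(65535, sample)))  # -s 0 equivalent: nothing truncated
```

To run it against a real file, read it with `open(path, "rb").read()` and pass the bytes to `audit_pcap`.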

Now I think you can adapt the command to your needs.
