How can I have tcpdump write to file and standard output the appropriate data?
Here's a neat way to do what you want:
tcpdump -w - -U | tee somefile | tcpdump -r -
What it does:
-w -    tells tcpdump to write binary data to stdout
-U      tells tcpdump to write each packet to stdout as it is received, rather than buffering them and outputting in chunks
tee     writes that binary data to a file AND to its own stdout
-r -    tells the second tcpdump to get its data from its stdin
Tcpdump with -w writing gibberish to file
tcpdump -w writes the raw file, which is not meant for reading directly. You can read the file back with the tcpdump -r option, as suggested in the man page:
-r Read packets from file (which was created with the -w option). Standard input is used if file is ‘‘-’’.
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ‘‘-’’. See pcap-savefile(5) for a description of the file format.
Another option would be to redirect the output without using the -w option:
tcpdump -i eth0 -Z root > `date '+%m-%d-%y.%T.pcap'`
But if I remember correctly you don't get exactly what would be written with the -w option.
Write to another tcpdump file every minute
From the tcpdump man page:
-G rotate_seconds If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous. If used in conjunction with the -C option, filenames will take the form of 'file count'.
Looking at the strftime man page, you find all the documented conversion specifiers needed to create files in the format you've indicated.
Using the information from the various man pages, the following command should produce pcap files every minute that are named according to the format you indicated:
tcpdump -i eth0 -G 60 -w 'log_%d-%m_%Y__%H_%M.pcap'
Might I suggest a different naming convention though? The format you've chosen won't sort very well and clocks can drift over time, especially for long-running capture files; therefore, I'd recommend using an ISO 8601 format. For example:
tcpdump -i eth0 -G 60 -w 'log_%Y-%m-%dT%H_%M-04:00.pcap'
... or even simpler:
tcpdump -i eth0 -G 60 -w 'log_%FT%T-04:00.pcap'
NOTE -04:00 happens to be the current offset from UTC for my timezone. If you don't share pcap files with colleagues in different time zones, then you can omit the offset, but it can be useful so you might want to keep it anyway. You never know when you might want to share pcaps with colleagues across time zones in the future, and if they open your pcap file, they will have the information they need to easily time-shift the packet timestamps via Wireshark's Edit -> Time Shift ... feature so packet timestamps are relative to the time zone in which the capture file was taken rather than their own time zone. In this way, everyone is referencing the same time regardless of their own time zone and confusion can be avoided.
tcpdump suppress console output in script & write to file
The output you're seeing is written to stderr, not stdout, so you can redirect it to /dev/null if you don't want to see it. For example:
tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether proto 0x88cc' > /tmp/test.txt 2> /dev/null
How to capture packets via both eth0 and lo at the same time?
Assuming your kernel supports it, you can run tcpdump -i any, but that will capture on all interfaces, and not just on the lo and eth0 interfaces. Also, according to the tcpdump man page, "... captures on the ''any'' device will not be done in promiscuous mode.", so if you need to place the NIC in promiscuous mode in order to capture your traffic of interest, this solution may not work for you. In that case, you could:
- Start 2 separate instances of tcpdump, one capturing on lo and the other capturing on eth0. If you write the packets to separate files, you can use a tool such as mergecap to merge them together afterward.
- Use dumpcap or tshark instead, either of which can capture on multiple interfaces.
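Two of the answers above, the one on why a -w file looks like gibberish and the one on merging separate lo and eth0 captures with mergecap, both come down to the pcap-savefile(5) format that tcpdump -w writes. The following Python script is an added example, not code from any of the answers, from tcpdump or from Wireshark: it parses the 24-byte global header and the 16-byte per-record headers (detecting byte order and microsecond versus nanosecond timestamps from the magic number, and rejecting text output such as a redirected tcpdump listing), serialises packets back out, and merges two captures in timestamp order the way mergecap does for classic pcap. The Ethernet frames, the SAMPLE_BE_NSEC bytes and the function names are my own constructions for the demonstration.

```python
"""Parse, write and chronologically merge pcap savefiles, the binary format
that `tcpdump -w` produces (see pcap-savefile(5)).  Added example: the sample
frames and SAMPLE_BE_NSEC below are constructed, not real captures."""
import heapq
import struct
from dataclasses import dataclass

MAGIC_USEC = 0xA1B2C3D4  # microsecond timestamps (tcpdump's default)
MAGIC_NSEC = 0xA1B23C4D  # nanosecond timestamps
GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on wire)
DLT_EN10MB = 1           # Ethernet link type

# Constructed: big-endian, nanosecond-resolution file holding one 3-byte packet at t = 1.000000500 s
SAMPLE_BE_NSEC = bytes.fromhex(
    "a1b23c4d 0002 0004 00000000 00000000 0000ffff 00000001 "
    "00000001 000001f4 00000003 00000003 616263")


@dataclass
class Packet:
    ts_ns: int     # absolute timestamp, nanoseconds since the epoch
    orig_len: int  # length on the wire; larger than len(data) if snaplen truncated the packet
    data: bytes


def parse_pcap(blob: bytes):
    """Return (header dict, [Packet]) or raise ValueError.  The magic number
    fixes both the byte order and the timestamp resolution of the file."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("bad magic: not a pcap savefile (was it written with -w?)")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, blob[:24])
    header = {"endian": endian, "version": (major, minor), "snaplen": snaplen,
              "linktype": linktype, "nanosecond": magic == MAGIC_NSEC}
    frac_scale = 1 if header["nanosecond"] else 1000
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, blob[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"implausible incl_len {incl_len} at offset {off}")
        off += 16
        if off + incl_len > len(blob):
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append(Packet(ts_sec * 10**9 + ts_frac * frac_scale, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return header, packets


def build_pcap(linktype: int, packets, snaplen: int = 262144) -> bytes:
    """Serialise packets as a little-endian, microsecond-resolution savefile."""
    out = [struct.pack("<" + GLOBAL_HDR, MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for p in packets:
        sec, ns = divmod(p.ts_ns, 10**9)
        out.append(struct.pack("<" + RECORD_HDR, sec, ns // 1000, len(p.data), p.orig_len))
        out.append(p.data)
    return b"".join(out)


def merge_pcaps(*blobs: bytes) -> bytes:
    """Timestamp-ordered merge of several savefiles, e.g. one captured on lo and
    one on eth0 by separate tcpdump instances.  Classic pcap carries a single
    link type for the whole file, so inputs with different link types are refused."""
    linktypes, streams = set(), []
    for blob in blobs:
        header, packets = parse_pcap(blob)
        linktypes.add(header["linktype"])
        streams.append(sorted(packets, key=lambda p: p.ts_ns))
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {sorted(linktypes)}; merge into pcapng instead")
    return build_pcap(linktypes.pop(), heapq.merge(*streams, key=lambda p: p.ts_ns))


def frame(src_mac: bytes, payload_len: int) -> bytes:
    """Constructed Ethernet II frame: broadcast destination, given source, EtherType 0x0800."""
    return b"\xff" * 6 + src_mac + b"\x08\x00" + bytes(payload_len)


def demo():
    """Build two constructed captures with interleaved timestamps, merge them, and
    return the merged header plus the source MACs in merged order."""
    t0 = 1_700_000_000 * 10**9
    eth0_mac, lo_mac = b"\x02\x00\x00\x00\x00\x01", b"\x00" * 6
    eth0 = [Packet(t0, 60, frame(eth0_mac, 46)),
            Packet(t0 + 3 * 10**6, 60, frame(eth0_mac, 46))]
    lo = [Packet(t0 + 1 * 10**6, 1500, frame(lo_mac, 48)),  # orig_len > saved bytes: snaplen cut it
          Packet(t0 + 2 * 10**6, 60, frame(lo_mac, 46))]
    merged = merge_pcaps(build_pcap(DLT_EN10MB, eth0), build_pcap(DLT_EN10MB, lo))
    header, packets = parse_pcap(merged)
    return header, [p.data[6:12] for p in packets]


if __name__ == "__main__":
    print(demo())
```

Feed the output of merge_pcaps to tcpdump -r - (or open it in Wireshark) to confirm the packets interleave by timestamp; a file written with tcpdump -w can be passed straight to parse_pcap, while a redirected text listing fails the magic check, which is exactly why cat on a -w file shows gibberish and a text file renamed .pcap will not load.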