How to Have Tcpdump Write to File and Standard Output the Appropriate Data

How can I have tcpdump write to file and standard output the appropriate data?

Here's a neat way to do what you want:

tcpdump -w - -U | tee somefile | tcpdump -r -

What it does:

  • -w - tells tcpdump to write binary data to stdout
  • -U tells tcpdump to write each packet to stdout as it is received, rather than buffering them and outputting in chunks
  • tee writes that binary data to a file AND to its own stdout
  • -r - tells the second tcpdump to get its data from its stdin

Tcpdump with -w writing gibberish to file

tcpdump -w writes the raw file, which is not meant for reading directly. You can read the file back with the tcpdump -r option as suggested in the man page:

-r Read packets from file (which was created with the -w option). Standard input is used if file is "-".

-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is "-". See pcap-savefile(5) for a description of the file format.

Another option would be to redirect the output without using the -w option:

tcpdump -i eth0 -Z root > `date '+%m-%d-%y.%T.pcap'`

But if I remember correctly you don’t get exactly what would be written with the -w option.

Write to another tcpdump file every minute

From the tcpdump man page:


-G rotate_seconds If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous. If used in conjunction with the -C option, filenames will take the form of 'file count'.

Looking at the strftime man page, you find all the documented conversion specifiers needed to create files in the format you've indicated.

Using the information from the various man pages, the following command should produce pcap files every minute that are named according to the format you indicated:

tcpdump -i eth0 -G 60 -w 'log_%d-%m_%Y__%H_%M.pcap'

Might I suggest a different naming convention though? The format you've chosen won't sort very well and clocks can drift over time, especially for long-running capture files; therefore, I'd recommend using an ISO 8601 format. For example:

tcpdump -i eth0 -G 60 -w 'log_%Y-%m-%dT%H_%M-04:00.pcap'

... or even simpler:

tcpdump -i eth0 -G 60 -w 'log_%FT%T-04:00.pcap'

NOTE -04:00 happens to be the current offset from UTC for my timezone. If you don't share pcap files with colleagues in different time zones, then you can omit the offset, but it can be useful so you might want to keep it anyway. You never know when you might want to share pcaps with colleagues across time zones in the future, and if they open your pcap file, they will have the information they need to easily time-shift the packet timestamps via Wireshark's Edit -> Time Shift ... feature so packet timestamps are relative to the time zone in which the capture file was taken rather than their own time zone. In this way, everyone is referencing the same time regardless of their own time zone and confusion can be avoided.
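The sorting argument above is easy to check without running a capture, because tcpdump -G simply hands the -w name to strftime(3). The script below is an added example, not code from the original answer: it renders both filename patterns from the page for two constructed timestamps one minute apart (23:59 on 31 December 2023 and 00:00 on 1 January 2024, UTC) and checks whether plain sort returns them in chronological order. It assumes GNU date (the -d "@epoch" form), which is what the tcpdump -G rotation would produce on a typical Linux host; the "-04:00" suffix is kept literally, exactly as the page's author hardcoded it.

```shell
#!/bin/sh
# Constructed sample rotation times (epoch seconds, UTC):
# 1704067140 = 2023-12-31T23:59:00Z, 1704067200 = 2024-01-01T00:00:00Z
EPOCHS="1704067140 1704067200"

# Render one rotated savefile name the way tcpdump -G -w '<fmt>' would,
# using GNU date as a stand-in for strftime(3). $1 = format, $2 = epoch.
rotated_name() {
  date -u -d "@$2" +"$1"
}

# Return 0 if the names produced for EPOCHS (already in chronological
# order) come back in the same order from a lexical sort, 1 otherwise.
sorts_chronologically() {
  fmt=$1
  chrono=""
  for e in $EPOCHS; do
    chrono="$chrono$(rotated_name "$fmt" "$e")
"
  done
  lexical=$(printf '%s' "$chrono" | sort)
  [ "$(printf '%s' "$chrono")" = "$lexical" ]
}

# The two patterns discussed on the page: day-first versus ISO 8601.
for fmt in 'log_%d-%m_%Y__%H_%M.pcap' 'log_%FT%T-04:00.pcap'; do
  if sorts_chronologically "$fmt"; then
    echo "$fmt: sorts chronologically"
  else
    echo "$fmt: does NOT sort chronologically"
  fi
  for e in $EPOCHS; do
    echo "    $(rotated_name "$fmt" "$e")"
  done
done
```

Running it shows the day-first pattern placing the January file before the December one, while the ISO 8601 pattern keeps the files in capture order; that is the property you want when a long-running rotation leaves hundreds of pcaps in one directory.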

tcpdump suppress console output in script & write to file

The output you're seeing is written to stderr, not stdout, so you can redirect it to /dev/null if you don't want to see it. For example:

 tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether proto 0x88cc' > /tmp/test.txt 2> /dev/null

How to capture packages via both eth0 and lo at the same time?

Assuming your kernel supports it, you can run tcpdump -i any, but that will capture on all interfaces, and not just on the lo and eth0 interfaces. Also, according to the tcpdump man page, "... captures on the "any" device will not be done in promiscuous mode.", so if you need to place the NIC in promiscuous mode in order to capture your traffic of interest, this solution may not work for you. In that case, you could:

  • Start 2 separate instances of tcpdump, one capturing on lo and the other capturing on eth0. If you write the packets to separate files, you can use a tool such as mergecap to merge them together afterward.
  • Use dumpcap or tshark instead, either of which can capture on multiple interfaces.
