
How can I see traffic while I am capturing it with tcpdump?

When I use -w, it doesn't show the packets during the capture.

sudo tcpdump -i enp2s0 -w test.pcap
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C6 packets captured
7 packets received by filter
0 packets dropped by kernel
Olivier Lasne

4 Answers


So after a bit of experimenting, the answer is the following:

sudo tcpdump -i enp2s0 -U -w - | tee test.pcap | tcpdump -r -

-w - : write to standard output.

-U : write packets as soon as they arrive. Don't wait until the buffer is full.

tee will write to the file, and tcpdump -r - reads the packets from standard input.

Olivier Lasne

To attach a new process to an ongoing dump, try:

tail -F -n+0 $dumpfile | tcpdump -r -

kernelkode

The -w option writes the tcpdump output to a file. You can remove that option if you want to print on your terminal.

Sithter

Since you are using the option -w, the packets are being saved to the file and not displayed at the standard output. Here from the tcpdump manpage:

https://www.tcpdump.org/manpages/tcpdump.1.html

-w file
    Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''. 
    This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received. 
    The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcap appears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended. 
    See pcap-savefile(5) for a description of the file format.  

If you want to do both at the same time, here is a way to achieve that:

How can I have tcpdump write to file and standard output the appropriate data?

Diamond
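Both the accepted pipeline (tcpdump -U -w - | tee test.pcap | tcpdump -r -) and the manpage note on -U buffering come down to the reading side of a pcap pipe. As an added example that is not from any of the answers above, here is a small Python reader that does the job of tcpdump -r - on that stream: it parses the pcap-savefile(5) global header and then yields each packet as soon as its record has fully arrived; the script name pcapstream.py is an assumption.

```python
import struct
import sys
from typing import BinaryIO, Iterator, Tuple

# Magic numbers from pcap-savefile(5): the first four bytes of the stream give the
# byte order and whether the fractional timestamp is in microseconds or nanoseconds.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}

def _read_exact(stream: BinaryIO, n: int) -> bytes:
    """Read exactly n bytes, blocking across short reads on a pipe. Returns
    fewer only if the writer closed its end (e.g. tcpdump was stopped with ^C)."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def read_pcap_stream(stream: BinaryIO) -> Iterator[Tuple[float, int, bytes]]:
    """Yield (timestamp_seconds, original_length, packet_bytes) as soon as each record
    has fully arrived; without -U on the writer they come in buffer-sized bursts."""
    header = _read_exact(stream, 24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a pcap stream (bad or truncated global header)")
    endian, divisor = MAGICS[header[:4]]
    # fields after the magic: version major/minor, thiszone, sigfigs, snaplen, linktype
    snaplen = struct.unpack(endian + "HHiIII", header[4:])[4]
    while True:
        rec = _read_exact(stream, 16)
        if not rec:
            return                                   # clean end of stream
        if len(rec) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > snaplen:
            raise ValueError("record longer than snaplen: stream is corrupt")
        data = _read_exact(stream, incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec + ts_frac / divisor, orig_len, data

if __name__ == "__main__":   # tcpdump -U -w - | tee test.pcap | python3 pcapstream.py
    for ts, orig_len, data in read_pcap_stream(sys.stdin.buffer):
        print(f"{ts:.6f} {orig_len} bytes on wire, {len(data)} captured", flush=True)
```

Run it in place of the second tcpdump in the pipeline; if the first tcpdump is started without -U, you will see the packets arrive in bursts rather than one at a time, which is exactly the buffering the manpage describes.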