How do I make tcpdump to write to file for each packet it captures?


I'm running the following version of tcpdump:

  • tcpdump version 4.0.0
  • libpcap version 1.0.0

I want to make tcpdump write to a file for each packet it captures. Currently, I can only see the captured packets if I quit tcpdump.

tcpdump -i em1 -w /tmp/pkts.pcap -s 1500

I need to quit to be able to open /tmp/pkts.pcap; until then I assume tcpdump is buffering. Is there a way to make tcpdump write to the file immediately instead of buffering?

sudurais

Posted 2011-04-21T00:41:17.237

Reputation: 217

"there is -U option but it doesnt work in 4.0.0 i suppose" So I assume you tried it and it didn't do what you expected? (If you didn't try it, try it before supposing that it doesn't work.) – None – 2014-10-31T18:00:59.347

You probably could make it write to a file immediately, but the best case scenario is this: If you opened the file when tcpdump was still running you would not see the results that were written to the file after you opened it (closing and reopening the file would let you see more recent results). Worst case scenario is that tcpdump takes complete control of the file and does not allow you access to read it until tcpdump has finished. If you cannot live with either of these scenarios then you may want to look at another (more robust) solution like Wireshark.

– ubiquibacon – 2011-04-21T00:52:38.917

@typoking: thanks. Wireshark would be a better way. So, no way to tweak tcpdump. There is a -U option but it doesn't work in 4.0.0, I suppose. – sudurais – 2011-04-21T03:13:04.590

You could try using the tail command in a separate session to view the growing log file, e.g. tail -f logfilename – Linker3000 – 2011-04-21T06:18:09.003

Answers


Use the -U option in combination with the -w option and check if you have a version of libpcap that supports pcap_dump_flush(). From the man page (version 4.3.0-1):

   -U     If  the  -w  option  is  not  specified,  make  the  printed packet output ``packet-
          buffered''; i.e., as the description of the contents of each packet is  printed,  it
          will be written to the standard output, rather than, when not writing to a terminal,
          being written only when the output buffer fills.

          If the -w option is specified, make the saved raw packet output ``packet-buffered'';
          i.e.,  as  each  packet is saved, it will be written to the output file, rather than
          being written only when the output buffer fills.

          The -U flag will not be supported if tcpdump was built  with  an  older  version  of
          libpcap that lacks the pcap_dump_flush() function.

agtoever

Posted 2011-04-21T00:41:17.237

Reputation: 5 490

pcap_dump_flush() was introduced in libpcap 0.8, and the -U flag was introduced in tcpdump 3.8, so libpcap 1.0.0/tcpdump 4.0.0 have support for them. – None – 2014-10-31T18:00:00.257
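The man page text quoted in the answer describes what "packet-buffered" means, but it is easier to see with a file you can open mid-capture. The following is an added example, not code from the question, the answer, tcpdump or libpcap: a minimal writer and reader for the classic pcap file format. The writer pushes records through a 64 KiB userspace buffer (an assumption standing in for stdio buffering, not a claim about libpcap's exact internals), either flushing after every record, which is what -U does by calling pcap_dump_flush() after each pcap_dump(), or only on close, which is the default -w behaviour the asker ran into. A second reader opens the file while the writer still holds it open, the same view that tail -f or another tool would get during a live capture. The sample Ethernet frame is constructed, not captured.

```python
"""
Added example, not code from the question, the answer or tcpdump/libpcap:
a minimal writer and reader for the classic pcap file format that models the
difference between tcpdump's default fully-buffered -w output and the
per-packet flush that -U turns on (libpcap's pcap_dump_flush() after each
pcap_dump()). A second reader opens the file while the writer still holds it
open, which is what `tail -f` or a second tool sees mid-capture.
"""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16

# Constructed sample frame: broadcast dst MAC, locally administered src MAC,
# EtherType 0x0800 (IPv4) and a dummy payload. Not a real capture.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed-payload"


def pcap_global_header(snaplen=1500):
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, ts_usec, frame):
    # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


class PcapDumper:
    """Writes records through a 64 KiB userspace buffer (assumed stdio-like).

    packet_buffered=True models `tcpdump -U -w`: flush after every packet.
    packet_buffered=False models plain `-w`: data reaches the kernel only
    when the buffer fills or the file is closed.
    """

    def __init__(self, path, packet_buffered):
        self.packet_buffered = packet_buffered
        self.fh = open(path, "wb", buffering=64 * 1024)
        self.fh.write(pcap_global_header())

    def dump(self, ts_sec, ts_usec, frame):
        self.fh.write(pcap_record(ts_sec, ts_usec, frame))
        if self.packet_buffered:
            self.fh.flush()   # the pcap_dump_flush() call behind -U

    def close(self):
        self.fh.close()       # closing flushes whatever is still buffered


def read_pcap_records(path):
    """Return the complete records currently on disk.

    Tolerates a file that is still being written: an absent global header
    yields no records and a partially written trailing record is ignored,
    which is how any reader of a live capture file has to behave.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) < GLOBAL_HEADER_LEN:
        return []
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    records, off = [], GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            "<IIII", data[off:off + RECORD_HEADER_LEN])
        start = off + RECORD_HEADER_LEN
        if start + incl_len > len(data):
            break  # record body not fully on disk yet
        records.append((ts_sec, ts_usec, data[start:start + incl_len]))
        off = start + incl_len
    return records


def simulate_capture(packet_buffered, n_packets=5):
    """Write n_packets frames, peek at the file while the dumper is still
    open, then close it and read again. Returns (seen_open, seen_closed)."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        dumper = PcapDumper(path, packet_buffered)
        for i in range(n_packets):
            # arbitrary timestamps; the frame gets a distinct trailing byte
            dumper.dump(1303346477 + i, 0, SAMPLE_FRAME + bytes([i]))
        seen_open = len(read_pcap_records(path))
        dumper.close()
        seen_closed = len(read_pcap_records(path))
    finally:
        os.unlink(path)
    return seen_open, seen_closed


if __name__ == "__main__":
    print("default buffering (-w only):", simulate_capture(False))  # (0, 5)
    print("packet-buffered (-U -w):    ", simulate_capture(True))   # (5, 5)
```

Running the block shows the asker's symptom directly: with default buffering the reader sees an empty file until the dumper closes, with per-packet flushing every record is visible as soon as it is written. The price of -U is one write() per packet, which is why it is off by default on busy interfaces; for incident-response captures the trade-off usually favours -U, because a second tool can follow the file while collection continues and, if the capture process dies without closing the file, only data still sitting in an unflushed buffer is lost.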