Capturing with tcpdump for viewing with Wireshark


Postby lik » Sun Feb 13, 2011 12:14 pm

There are occasions when you want to capture packets using tcpdump rather than wireshark, especially when you want to do a remote capture and do not want the network load associated with running Wireshark remotely (not to mention all the X traffic polluting your capture).

However, the default tcpdump parameters result in a capture file where each packet is truncated, because most versions of tcpdump will, by default, only capture the first 68 or 96 bytes of each packet.

To ensure that you capture complete packets, use the following command:
tcpdump -i <interface> -s 65535 -w <some-file>

You will have to specify the correct interface and the name of a file to save into. In addition, you will have to terminate the capture with ^C when you believe you have captured enough packets.
http://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html
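A quick way to verify after the fact that a capture was not truncated is to read the pcap's own headers: the global header records the snaplen tcpdump was run with, and each packet record carries both the captured length and the original length, so any packet with captured length smaller than original length was cut (Wireshark flags these as "Packet size limited during capture"). The following Python script is an added example and is not part of the original post or of the Wireshark documentation it quotes. It builds a pcap in memory the way `tcpdump -s <snaplen>` would, using constructed filler frames rather than real traffic, and then walks the file to count truncated packets; point `check_pcap` at the bytes of a real capture to run the same check on it. Newer tcpdump releases default to a much larger snaplen than 68 or 96 bytes, which is exactly why checking the file rather than assuming is worthwhile.

```python
import struct

# Constructed sample frames, not real traffic; lengths chosen to straddle a 96-byte
# snaplen: a 60-byte minimum Ethernet frame, a 1514-byte full-size frame, a 300-byte frame.
SAMPLE_PACKETS = [bytes([0xAA]) * 60, bytes([0xBB]) * 1514, bytes([0xCC]) * 300]

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant
GLOBAL_HDR = "IHHiIII"         # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"            # ts_sec, ts_usec, incl_len (captured bytes), orig_len (wire bytes)
LINKTYPE_ETHERNET = 1


def write_pcap(packets, snaplen):
    """Build a little-endian pcap file in memory the way tcpdump -s <snaplen> would:
    each packet is cut to snaplen bytes, but orig_len still records its true size."""
    out = bytearray(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for i, pkt in enumerate(packets):
        captured = pkt[:snaplen]
        # Timestamps are arbitrary (one second apart); only the lengths matter here.
        out += struct.pack("<" + RECORD_HDR, 1297599240 + i, 0, len(captured), len(pkt))
        out += captured
    return bytes(out)


def check_pcap(data):
    """Walk a pcap file and report its snaplen and how many packets were truncated."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic 0x%08x)" % magic_le)
    (_magic, _vmaj, _vmin, _tz, _sig, snaplen, _linktype) = struct.unpack(
        endian + GLOBAL_HDR, data[:24])
    pos = 24
    packets = truncated = largest = 0
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, data[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(data):
            # A record whose data runs past EOF usually means the capture was cut short (^C mid-write).
            raise ValueError("record %d runs past end of file" % packets)
        pos += incl_len
        packets += 1
        largest = max(largest, orig_len)
        if incl_len < orig_len:
            truncated += 1
    return {"snaplen": snaplen, "packets": packets,
            "truncated": truncated, "largest_packet": largest}


if __name__ == "__main__":
    for s in (96, 65535):
        print("snaplen %5d -> %s" % (s, check_pcap(write_pcap(SAMPLE_PACKETS, s))))
```

The `largest_packet` value tells you how big a snaplen you actually needed; on a plain Ethernet link 65535 is more than enough, but on interfaces with large-receive offload or jumbo frames you may see original lengths above 1514, which is one more reason not to trust the old 68- or 96-byte default.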
