Create Wireshark-readable file with tcpdump

Sometimes it is necessary to capture packets with tcpdump on a machine that has no X Window System installed.
But most people (me included) are not such experts that they can read the confusing output on the console.

To get a better overview, I prefer Wireshark (formerly known as Ethereal).

With the following tcpdump flags you can write the capture to a file in pcap format that Wireshark can read, and then transfer that file to another system (for example your PC).

tcpdump -s0 -w <file> -i <interface> [filter]

-s0 sets the snapshot length to the whole packet (this tcpdump version captures only the first 68 bytes by default, which cuts off everything after the headers), -w writes the raw packets to the file instead of printing them, and the optional filter expression keeps the file small. Example:
bash-3.1# tcpdump -V
tcpdump version 3.8.3
libpcap version 0.8.3
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
                [ -E algo:secret ] [ -F file ] [ -i interface ] [ -r file ]
                [ -s snaplen ] [ -T type ] [ -w file ] [ -y datalinktype ]
                [ expression ]

bash-3.1# tcpdump -s0 -w ldap.tcpdump -i hme0 port 389
tcpdump: listening on hme0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
21 packets captured
164 packets received by filter
0 packets dropped by kernel
bash-3.1#
bash-3.1#
bash-3.1# ls -la ldap.tcpdump
-rw-r--r--   1 root     other       2322 Oct 24 10:50 ldap.tcpdump
bash-3.1#
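Before copying the file to the Wireshark machine it is worth checking that tcpdump actually wrote a well-formed pcap and that -s0 took effect: the snaplen is stored in the file's 24-byte global header, and every packet record carries the captured length next to the original length, so truncation shows up without opening Wireshark. The following Python script is an added example and not part of the original post. It parses a pcap image the way Wireshark's reader does (both byte orders, since a big-endian host, assumed here to be a SPARC box like the one with hme0, writes the header in its own byte order) and builds its own sample input from constructed frames rather than from the LDAP capture above.

```python
"""Sanity-check a pcap file written with `tcpdump -s0 -w` before handing it to Wireshark.

The 24-byte global header records the snaplen and link type, and each packet record
carries the captured length next to the original length, so truncation by a too
small -s value is visible without Wireshark.  Added example, not from the original
post; the sample frames below are constructed, not taken from the LDAP capture above.
"""
import struct

LINKTYPE_ETHERNET = 1        # EN10MB, the link type tcpdump reported for hme0
PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # newer libpcap variant with nanosecond timestamps
GLOBAL_HDR = "IHHiIII"       # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"          # ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)


def detect_byte_order(magic_bytes):
    """Return (struct prefix, timestamp unit) from the magic, which is written in host order."""
    for prefix in ("<", ">"):
        magic = struct.unpack(prefix + "I", magic_bytes)[0]
        if magic == PCAP_MAGIC:
            return prefix, "us"
        if magic == PCAP_MAGIC_NS:
            return prefix, "ns"
    raise ValueError("not a pcap file, bad magic %s" % magic_bytes.hex())


def parse_pcap(data):
    """Parse a pcap image held in memory and return header fields plus per-packet lengths.

    Every length is bounds-checked against the buffer and the snaplen, so a
    truncated or tampered file raises ValueError instead of reading out of range.
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header (%d bytes)" % len(data))
    prefix, ts_unit = detect_byte_order(data[:4])
    _magic, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        prefix + GLOBAL_HDR, data[:24])
    packets = []
    truncated = 0
    offset = 24
    while offset < len(data):
        if len(data) - offset < 16:
            raise ValueError("dangling %d bytes after the last record" % (len(data) - offset))
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            prefix + RECORD_HDR, data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or incl_len > orig_len or incl_len > len(data) - offset:
            raise ValueError("corrupt record header at offset %d" % (offset - 16))
        if incl_len < orig_len:
            truncated += 1          # tcpdump cut this packet at the snaplen
        packets.append({"ts": (ts_sec, ts_frac), "captured": incl_len, "original": orig_len,
                        "data": data[offset:offset + incl_len]})
        offset += incl_len
    return {
        "byte_order": "little" if prefix == "<" else "big",
        "version": (vmaj, vmin),
        "ts_unit": ts_unit,
        "snaplen": snaplen,
        "linktype": linktype,
        "packet_count": len(packets),
        "truncated": truncated,
        "packets": packets,
    }


def parse_pcap_file(path):
    """Convenience wrapper for a file on disk, e.g. the ldap.tcpdump written above."""
    with open(path, "rb") as fh:
        return parse_pcap(fh.read())


def build_pcap(frames, snaplen=65535, big_endian=False, linktype=LINKTYPE_ETHERNET):
    """Build a pcap image from (ts_sec, ts_frac, frame_bytes) tuples, truncating at snaplen
    exactly as tcpdump -s does.  Used here only to construct test input."""
    prefix = ">" if big_endian else "<"
    out = struct.pack(prefix + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_frac, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack(prefix + RECORD_HDR, ts_sec, ts_frac, len(captured), len(frame))
        out += captured
    return out


# Constructed sample frames: a 14-byte Ethernet header (EtherType 0x0800) with a dummy
# IPv4 payload; 114 and 314 bytes on the wire, longer than the old 68-byte default snaplen.
SAMPLE_FRAME = b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 99
SAMPLE_FRAMES = [(1161679800, 0, SAMPLE_FRAME), (1161679800, 500, SAMPLE_FRAME + b"\x00" * 200)]


def report(data):
    """One-line summary in the spirit of tcpdump's own 'N packets captured' footer."""
    info = parse_pcap(data)
    return "%s-endian pcap v%d.%d, snaplen %d, linktype %d: %d packets, %d truncated" % (
        info["byte_order"], info["version"][0], info["version"][1], info["snaplen"],
        info["linktype"], info["packet_count"], info["truncated"])


if __name__ == "__main__":
    # -s0 on a big-endian host (assumed: a SPARC box like the one with hme0)
    print(report(build_pcap(SAMPLE_FRAMES, snaplen=65535, big_endian=True)))
    # the same frames captured without -s0 by old tcpdump (68-byte default snaplen)
    print(report(build_pcap(SAMPLE_FRAMES, snaplen=68)))
```

Run it on a real file with parse_pcap_file("ldap.tcpdump"): the packet count should match tcpdump's "N packets captured" line, snaplen should read 65535 after -s0, and a nonzero truncated count means the capture was taken with too small a snapshot length. The parser refuses files whose record lengths run past the buffer, which is what a capture cut off mid-transfer looks like.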

Note that with -s0 the file holds the complete payload of every packet. For an unencrypted protocol such as LDAP on port 389 that can include credentials sent in a simple bind, so restrict the file's permissions (the file above was created world-readable) and copy it to your PC over an encrypted channel such as scp. For a deeper overview of the different tcpdump options, consult the manpage.

1 comment to Create Wireshark-readable file with tcpdump

  • Christian

    Very nice page. :-)
    Every day I’m on this Page.

    I’m sure you can read the output on the console very well….

    regards Chris
