Create Wireshark-readable file with tcpdump
Sometimes it’s necessary to capture packets with tcpdump on a machine that has no running X Window System installation.
But most people (me included) are not such experts that they can read the confusing output on the console.
To get a better overview, I prefer Wireshark (formerly known as Ethereal).
With the following tcpdump flags, you can create a file in .pcap format that Wireshark can read and that you can transfer to another system (perhaps to your PC).

    tcpdump -s0 -w <file> -i <interface> [filter]

Example:

    bash-3.1# tcpdump -V
    tcpdump version 3.8.3
    libpcap version 0.8.3
    Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
                    [ -E algo:secret ] [ -F file ] [ -i interface ] [ -r file ]
                    [ -s snaplen ] [ -T type ] [ -w file ] [ -y datalinktype ]
                    [ expression ]
    bash-3.1# tcpdump -s0 -w ldap.tcpdump -i hme0 port 389
    tcpdump: listening on hme0, link-type EN10MB (Ethernet), capture size 65535 bytes
    ^C21 packets captured
    164 packets received by filter
    0 packets dropped by kernel
    bash-3.1#
    bash-3.1#
    bash-3.1# ls -la ldap.tcpdump
    -rw-r--r-- 1 root other 2322 Oct 24 10:50 ldap.tcpdump
    bash-3.1#

For a deeper overview of the different tcpdump options, you can consult the manpage.
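
To check a capture file before or after transferring it, the following added example (not part of the original post) parses the classic .pcap layout that `tcpdump -w` writes and reports the snaplen, link type, packet count, and how many packets were cut short. The sample captures are constructed in memory, and the function names and the 68-byte snaplen used for comparison are choices made for this illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1     # the link type tcpdump reports as EN10MB

def inspect_pcap(data):
    """Summarise a classic .pcap byte string: snaplen, link type, packet counts."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    # The file is written in the capturing host's byte order; the magic tells which.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets = truncated = 0
    offset = 24
    while offset + 16 <= len(data):
        # Per-packet record header: ts_sec, ts_usec, captured length, wire length
        _sec, _usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            break  # file ends mid-record, e.g. after an incomplete transfer
        packets += 1
        if incl_len < orig_len:
            truncated += 1  # the snaplen cut this packet short
        offset += 16 + incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated,
            "complete": offset == len(data)}

def build_pcap(snaplen, frame_sizes, endian=">"):
    """Constructed sample data: a capture whose frames are all zero bytes."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                      snaplen, LINKTYPE_ETHERNET)
    for i, size in enumerate(frame_sizes):
        kept = min(size, snaplen)  # tcpdump stores at most snaplen bytes
        out += struct.pack(endian + "IIII", 1000 + i, 0, kept, size) + bytes(kept)
    return out

if __name__ == "__main__":
    sizes = [60, 142, 1514]                          # constructed frame lengths
    print(inspect_pcap(build_pcap(65535, sizes)))   # capture size as in the post
    print(inspect_pcap(build_pcap(68, sizes)))      # small snaplen for comparison
```

A non-zero `truncated` count means Wireshark will show those packets as cut off, which is what `-s0` avoids.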

Very nice page.
Every day I’m on this page.
I’m sure you can read the output on the console very well….
regards Chris