KB0013 - Creating pcap Files with tcpdump for Wireshark Analysis

It’s often more helpful to capture packets with tcpdump rather than Wireshark, since tcpdump is available as a package in most Linux and BSD package managers. For example, you might want to do a remote capture and either don’t have GUI access or don’t have Wireshark installed on the remote machine.

Older versions of tcpdump truncate captured packets to 68 or 96 bytes by default. If this is the case, use -s to set the snapshot length so that full-sized packets are captured:

$ tcpdump -i <interface> -s 65535 -w <file>

You must specify the correct interface and the file name to save into. The capture runs until you terminate it with Ctrl+C, which you should do once you believe you have captured enough packets.
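Before loading a capture into Wireshark it is worth confirming that the file written by -w really contains full-sized packets. The following is an added example, not part of the original article: it builds a small classic pcap file in memory from two constructed Ethernet frames, then parses the global header and each record header to report the snapshot length and count packets whose captured length is shorter than their original length (the truncation this article describes). Constants such as SAMPLE_FRAMES and the helper names are the example's own.

```python
import struct

# Two constructed Ethernet frames: a minimum-size 60-byte frame and a
# full 1514-byte frame (sample data for the example, not real traffic).
SAMPLE_FRAMES = [
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x00" * 46,
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x00" * 1500,
]


def build_pcap(snaplen: int, frames) -> bytes:
    """Write a little-endian classic pcap (the format tcpdump -w produces),
    truncating each frame to snaplen exactly as a capture tool would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts_sec, frame in enumerate(frames):
        incl_len = min(len(frame), snaplen)
        out += struct.pack("<IIII", ts_sec, 0, incl_len, len(frame)) + frame[:incl_len]
    return out


def parse_pcap(data: bytes) -> dict:
    """Return snaplen, linktype, packet count and how many records were truncated."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"                      # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                      # file written big-endian
    else:
        raise ValueError("not a classic pcap file (pcapng or nanosecond variant)")
    _, _, _, _, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    offset, packets, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError(f"record at offset {offset} runs past end of file")
        packets += 1
        if incl_len < orig_len:        # captured fewer bytes than were on the wire
            truncated += 1
        offset += 16 + incl_len
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets, "truncated": truncated}


if __name__ == "__main__":
    for snap in (96, 65535):
        print(snap, parse_pcap(build_pcap(snap, SAMPLE_FRAMES)))
```

To check a real capture, read the file in binary mode and pass its bytes to parse_pcap; a non-zero truncated count means the capture should be repeated with a larger -s value.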

About the author
Stephen Schwetz

I collect movies, TV series, and acronyms after my name. I am an active ADHD and Autistic person who has suffered all the trauma of trying to fit into a social system that doesn't work for the last 46 years.
