Save packets into file

The “-w file” option saves captured packets to a file instead of printing them to standard output:

  # tcpdump -w enp0s3.pcap
  tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
  ^C7 packets captured
  9 packets received by filter
  0 packets dropped by kernel

If the packets should also be printed while they are being saved to the file, the “--print” option does that:

  # tcpdump --print -w enp0s3.pcap
  tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
  09:27:48.456071 IP 192.168.35.211.ssh > 10.217.133.114.63884: Flags [P.], seq 485718701:485718745, ack 2592535797, win 317, length 44
  09:27:48.456311 IP 192.168.35.211.ssh > 10.217.133.114.63884: Flags [P.], seq 44:104, ack 1, win 317, length 60
  ......

The saved file can be read back with the “-r” option:

  $ tcpdump -r enp0s3.pcap
  reading from file enp0s3.pcap, link-type EN10MB (Ethernet)
  09:27:48.456071 IP 192.168.35.211.ssh > 10.217.133.114.63884: Flags [P.], seq 485718701:485718745, ack 2592535797, win 317, length 44
  09:27:48.456311 IP 192.168.35.211.ssh > 10.217.133.114.63884: Flags [P.], seq 44:104, ack 1, win 317, length 60
  ......

To read several capture files in one run, put their paths in a text file (one path per line) and pass that file to the “-V” option; tcpdump then reads the captures in the listed order:

  # tcpdump -w enp0s3_0.pcap
  ......
  # tcpdump -w enp0s3_1.pcap
  ......
  # cat pcap_file.txt
  enp0s3_0.pcap
  enp0s3_1.pcap
  # tcpdump -V pcap_file.txt
  reading from file enp0s3_0.pcap, link-type EN10MB (Ethernet)
  11:33:35.806380 IP 192.168.35.211.ssh > 10.217.133.114.62443: Flags [P.], seq 1938680568:1938680612, ack 2008981114, win 317, length 44
  11:33:35.806574 IP 192.168.35.211.ssh > 10.217.133.114.62443: Flags [P.], seq 44:160, ack 1, win 317, length 116
  11:33:35.806710 IP 192.168.35.211.ssh > 10.217.133.114.62443: Flags [P.], seq 160:196, ack 1, win 317, length 36
  11:33:35.807941 IP 10.217.133.114.62443 > 192.168.35.211.ssh: Flags [.], ack 44, win 16316, length 0
  11:33:35.808168 IP 10.217.133.114.62443 > 192.168.35.211.ssh: Flags [.], ack 196, win 16278, length 0
  11:33:35.890102 STP 802.1d, Config, Flags [none], bridge-id 8000.00:09:e8:e0:1e:97.8083, length 43
  11:33:36.629550 IP 192.168.35.145.45715 > 239.255.255.250.ssdp: UDP, length 166
  11:33:37.631041 IP 192.168.35.145.45715 > 239.255.255.250.ssdp: UDP, length 166
  reading from file enp0s3_1.pcap, link-type EN10MB (Ethernet)
  11:33:41.703389 IP 192.168.35.211.ssh > 10.217.133.114.62443: Flags [P.], seq 1040:1084, ack 497, win 317, length 44
  11:33:41.703663 IP 192.168.35.211.ssh > 10.217.133.114.62443: Flags [P.], seq 1084:1200, ack 497, win 317, length 116
  11:33:41.703802 IP 192.168.35.211.ssh > 10.217.133.114.62443: Flags [P.], seq 1200:1236, ack 497, win 317, length 36
  11:33:41.705086 IP 10.217.133.114.62443 > 192.168.35.211.ssh: Flags [.], ack 1084, win 16425, length 0
  ......
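What “-w” actually writes, and what “-r” and “-V” read back, is the classic pcap format: a 24-byte global header (magic, version, snaplen, link type) followed by one 16-byte record header plus the captured bytes per packet. The example below is added here and is not part of the original page or of tcpdump itself; it writes two constructed capture files (the Ethernet frames and timestamps are made up), lists them in a file the way the “-V” section above does, and parses them back. It also handles the two edge cases a reader of real captures runs into: byte-swapped files written on another machine, and a trailing partial record left by a capture that was cut off mid-write. Files produced by write_pcap are standard pcap and should open with “tcpdump -r”.

```python
import struct
import tempfile
from pathlib import Path

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps (what tcpdump -w writes by default)
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1        # EN10MB, the "link-type EN10MB (Ethernet)" tcpdump prints


def write_pcap(path, packets, snaplen=262144, linktype=LINKTYPE_ETHERNET, endian="<"):
    """Write a pcap file with the layout tcpdump -w produces.
    packets: iterable of (ts_sec, ts_usec, frame_bytes). Frames longer than
    snaplen are truncated on disk, as with a capture using a small -s."""
    with open(path, "wb") as f:
        # magic, major=2, minor=4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, frame in packets:
            caplen = min(len(frame), snaplen)
            f.write(struct.pack(endian + "IIII", ts_sec, ts_usec, caplen, len(frame)))
            f.write(frame[:caplen])


def read_pcap(path):
    """Parse one pcap file the way tcpdump -r opens it.
    Returns (linktype, snaplen, records); each record is
    (timestamp_seconds, caplen, origlen, captured_bytes)."""
    blob = Path(path).read_bytes()
    if len(blob) < 24:
        raise ValueError(f"{path}: truncated global header")
    # The magic number tells us both the byte order and the timestamp unit.
    magic_le = struct.unpack("<I", blob[:4])[0]
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = "<", magic_le
    else:
        magic_be = struct.unpack(">I", blob[:4])[0]
        if magic_be not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            raise ValueError(f"{path}: bad magic {blob[:4].hex()}, not a pcap file")
        endian, magic = ">", magic_be
    ts_unit = 1e-9 if magic == PCAP_MAGIC_NS else 1e-6
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if off + caplen > len(blob):
            break   # trailing partial record (capture killed or disk full mid-write): keep the complete ones
        records.append((ts_sec + ts_frac * ts_unit, caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return linktype, snaplen, records


def read_pcap_list(list_path):
    """Mimic tcpdump -V: read file names, one per line, and parse each in order.
    Returns [(name, linktype, packet_count), ...]."""
    out = []
    for line in Path(list_path).read_text().splitlines():
        name = line.strip()
        if not name:
            continue
        linktype, _, records = read_pcap(name)
        out.append((name, linktype, len(records)))
    return out


def demo(workdir=None):
    """Build two constructed capture files plus a list file, read them back,
    and also parse a deliberately truncated copy of the first file."""
    workdir = Path(workdir or tempfile.mkdtemp())
    # Constructed Ethernet frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload (58 bytes total).
    frame = bytes.fromhex("00112233445566778899aabb0800") + b"\x45" + b"\x00" * 43
    f0, f1 = workdir / "enp0s3_0.pcap", workdir / "enp0s3_1.pcap"
    write_pcap(f0, [(1700000000, 806380, frame), (1700000000, 806574, frame)])
    # Second file: big-endian header and a 20-byte snaplen, so the frame is cut on disk.
    write_pcap(f1, [(1700000005, 703389, frame)], snaplen=20, endian=">")
    lst = workdir / "pcap_file.txt"
    lst.write_text(f"{f0}\n{f1}\n")
    # Chop the last 10 bytes off a copy of f0: the second record is now incomplete.
    trunc = workdir / "enp0s3_trunc.pcap"
    trunc.write_bytes(f0.read_bytes()[:-10])
    return read_pcap_list(lst), read_pcap(f1), len(read_pcap(trunc)[2])


if __name__ == "__main__":
    summary, (linktype, snaplen, recs), complete = demo()
    for name, lt, count in summary:
        print(f"reading from file {name}, link-type {lt}: {count} packets")
    print(f"snaplen {snaplen}: caplen {recs[0][1]} of {recs[0][2]} bytes; truncated file kept {complete} packet(s)")
```

The global header is read once per file, so a list passed to read_pcap_list may mix captures of different link types; tcpdump -V behaves the same way and prints a fresh “reading from file … link-type …” line for each. Keeping the complete records of a truncated file, rather than rejecting the file, is the behaviour you want during incident response, where the capture that matters is often the one that was interrupted.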