User Guide

Related command line tools
D.3. tcpdump: Capturing with tcpdump for viewing with Wireshark
There are occasions when you want to capture packets using tcpdump rather than Wireshark, especially
when you want to do a remote capture and do not want the network load associated with running Wireshark
remotely (not to mention all the X traffic polluting your capture).
However, the default tcpdump parameters can result in a capture file where each packet is truncated:
versions of tcpdump older than 4.0 will, by default, only capture the first 68 or 96 bytes of each packet
(the "snapshot length"), and anything beyond that is lost for good, so it cannot be dissected in Wireshark
later. Newer releases default to the full packet, but passing an explicit snapshot length is harmless and
removes the doubt.
To ensure that you capture complete packets, use the following command:
tcpdump -i <interface> -s 65535 -w <some-file>
You will have to specify the correct interface and the name of a file to save into. In addition, you will
have to terminate the capture with ^C when you believe you have captured enough packets (or pass
-c <count> to stop automatically after that many packets).
Note!
tcpdump is not part of the Wireshark distribution. You can get it from http://www.tcpdump.org
for various platforms.
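Whether a capture was taken with a snapshot length that was too small is visible in the file itself: the libpcap global header records the snaplen, and every packet record carries both its captured length and its original on-the-wire length. The following checker is an added example (not code from the Wireshark project or the User Guide); it parses the libpcap format that tcpdump -w writes (and, as D.4 notes, dumpcap as well) and lists the packets that were cut short. The sample files it feeds itself are constructed in the script with a helper (build_pcap) that is likewise an assumption of this example, not a tcpdump feature.

```python
"""Find packets that a too-small tcpdump snapshot length has truncated.

Added example for the tcpdump section of the Wireshark User Guide; it is not
part of Wireshark or tcpdump. It parses the classic libpcap file format
(24-byte global header, then 16-byte record headers followed by packet bytes)
and reports records whose captured length (incl_len) is shorter than the
packet's on-the-wire length (orig_len).
"""
import struct

# Magic numbers of the libpcap format: microsecond and nanosecond timestamp
# variants. Which byte order the magic appears in tells us the file's endianness.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D


def parse_pcap(data):
    """Return (snaplen, packets); packets is a list of (incl_len, orig_len) tuples."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte libpcap global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic_le)
    # Global header: magic, version major/minor, timezone offset, sigfigs,
    # snapshot length, link-layer type.
    _, major, _minor, _tz, _sig, snaplen, _linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    if major != 2:
        raise ValueError("unsupported libpcap major version %d" % major)
    packets = []
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_usec (or ts_nsec), incl_len, orig_len.
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            # The record claims more bytes than remain: the writer was killed
            # mid-record, which is different from snaplen truncation.
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        packets.append((incl_len, orig_len))
        off += incl_len
    return snaplen, packets


def truncated_packets(data):
    """Return [(index, incl_len, orig_len)] for every packet cut short by the snaplen."""
    _snaplen, packets = parse_pcap(data)
    return [(i, incl, orig) for i, (incl, orig) in enumerate(packets) if incl < orig]


def build_pcap(snaplen, wire_lengths, nanosecond=False, big_endian=False):
    """Constructed test input (hypothetical helper, not a tcpdump feature): a pcap
    file with zero-filled packets of the given on-the-wire lengths, each cut at
    snaplen exactly as a capturing tool would cut it."""
    e = ">" if big_endian else "<"
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    out = struct.pack(e + "IHHiIII", magic, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, orig in enumerate(wire_lengths):
        incl = min(orig, snaplen)
        out += struct.pack(e + "IIII", 1700000000 + i, 0, incl, orig) + b"\x00" * incl
    return out


if __name__ == "__main__":
    # Constructed sample: a 60-byte ARP-sized frame, a full-size 1514-byte frame
    # and a 96-byte packet, written once with a 96-byte snaplen (old default)
    # and once with -s 65535 as the section recommends.
    print("snaplen 96:   ", truncated_packets(build_pcap(96, [60, 1514, 96])))
    print("snaplen 65535:", truncated_packets(build_pcap(65535, [60, 1514, 96])))
```

Run the script as-is to see the constructed case, or call truncated_packets(open("some-file", "rb").read()) on a real capture: any non-empty result means the file was written with too small a snaplen and the affected packets cannot be fully dissected. The check deliberately stops with an error on a record that runs past the end of the file, because that indicates a capture cut off mid-write rather than snaplen truncation.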
D.4. dumpcap: Capturing with dumpcap for viewing with Wireshark
Dumpcap is a network traffic dump tool. It captures packet data from a live network and writes the
packets to a file. Dumpcap's native capture file format is libpcap format, which is also the format used by
Wireshark, tcpdump and various other tools.
Without any options set, it will use the pcap library to capture traffic from the first available network
interface and write the received raw packet data, along with each packet's time stamp, into a libpcap file.
Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap
library.