
How to run tcpdump as a process for pcap capture in FreeBSD


If you manage FreeBSD or Linux servers, you have probably used tcpdump many times. It is a very handy tool for network engineers and system administrators when troubleshooting. Sometimes you need to leave it running for a day or a night, collect the capture file and then analyze it in Wireshark. Here are some of the handy commands for doing that.

Here igb1 is my interface name; replace it with yours. -n stops tcpdump from resolving names and -s0 captures whole packets (recent tcpdump versions already default to a full snaplen, but the flag is harmless). Wireshark recognises the file by its contents rather than its name, but giving it a .pcap extension is the convention and keeps it easy to identify.

tcpdump -ni igb1 -s0  -w /tmp/testcapture.pcap

You can also add a capture filter to the command, for example to keep only traffic to or from one host. Watch the ordering, though: tcpdump treats everything after its options as the filter expression. A command such as

tcpdump -ni igb1 -s0 host 192.168.150.17  -w /tmp/testcapture.pcap

works only if the getopt implementation tcpdump was built with reorders arguments; otherwise -w /tmp/testcapture.pcap is handed to the filter parser and tcpdump reports a syntax error in the filter expression, which is why the command appears to fail on some FreeBSD versions and not others. The portable form puts every option first and the filter last. You can add host, port and any other filter terms after igb1:

tcpdump -w /testcapture.pcap -s0 -ni igb1 host 192.168.150.17

Now, to run it in the background as a detached process that survives logging out (nohup sends tcpdump's own status messages to nohup.out in the current directory):

nohup  tcpdump -w /root/testcapture.pcap -s0 -ni igb1 port 80 &

This is important: tcpdump does not write each packet straight to disk. The output goes through a buffer that is flushed to the file in blocks (the block size depends on the C library's stdio buffering), so if you check the size of the capture file right after starting the process you will typically see 0 bytes. It only grows once enough traffic has accumulated, so let it run for a while before judging whether it works. If you need every packet on disk as it arrives, for example to inspect the file while the capture is still running, add -U (--packet-buffered) to the command at the cost of more write calls. For the same reason tcpdump must be stopped gracefully: on SIGTERM or SIGINT it flushes the buffer, closes the file and prints its packet counts, whereas anything still buffered when the process is killed outright is lost and the file can end in a partial packet record.

ps ax | grep tcpdump 

Find the process ID in the output above and send it signal 15 (SIGTERM) only. Do not use kill -9 (SIGKILL): tcpdump cannot catch it, so the buffered packets are never flushed and the capture file may end in a truncated record.

kill -15 tcpdumpPID

A capture file is binary, so you cannot read it with cat, tail or less from the command line; use tcpdump with the -r flag to decode it. To use the file in Wireshark, copy it to your workstation (for example with scp) and open it there.

tcpdump -r /testcapture.pcap
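Because a capture that was stopped with kill -9, or copied while tcpdump was still writing, can end in the middle of a record, it is worth checking the file before you hand it over. The checker below is an added example written for this page; it is not part of the original post and not a tcpdump or libpcap tool. It walks the classic pcap format that tcpdump -w produces (a 24-byte global header followed by a 16-byte header per packet), reports the link type and how many complete records are present, and says whether the file ends on a record boundary. The two Ethernet frames are constructed inside the script so that it runs offline; build_pcap exists only to produce that sample input, and the file name on the command line is whatever you captured to.

```python
"""Check that a tcpdump -w capture file ends on a record boundary.

Added example, not from the original post. Handles the classic pcap
format only (magic 0xa1b2c3d4 / 0xa1b23c4d in either byte order);
pcapng files are reported rather than parsed.
"""
import mmap
import os
import struct
import sys

# first four bytes of the file -> (struct byte-order prefix, timestamp resolution)
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
_PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
GLOBAL_HDR_LEN = 24   # magic, version, tz, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def check_pcap(data) -> dict:
    """Walk every packet record in a pcap image (bytes or mmap) and report completeness.

    Returns 'ok', 'reason', 'packets' (records fully present) and 'offset'
    (where parsing stopped); on success also 'snaplen', 'linktype', 'timestamps'.
    """
    if data[:4] == _PCAPNG_MAGIC:
        return {"ok": False, "reason": "pcapng file, not classic pcap", "packets": 0, "offset": 0}
    if len(data) < GLOBAL_HDR_LEN:
        return {"ok": False, "reason": "shorter than the 24-byte global header", "packets": 0, "offset": 0}
    endian_res = _MAGICS.get(bytes(data[:4]))
    if endian_res is None:
        return {"ok": False, "reason": "unknown magic %s" % bytes(data[:4]).hex(), "packets": 0, "offset": 0}
    endian, resolution = endian_res
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])

    off = GLOBAL_HDR_LEN
    packets = 0
    while off < len(data):
        left = len(data) - off
        if left < RECORD_HDR_LEN:
            return {"ok": False, "packets": packets, "offset": off,
                    "reason": "truncated record header at offset %d (%d of 16 bytes)" % (off, left)}
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        # tcpdump never stores more bytes than the snaplen; a larger value means garbage.
        if incl_len > snaplen:
            return {"ok": False, "packets": packets, "offset": off,
                    "reason": "corrupt record at offset %d: incl_len %d > snaplen %d" % (off, incl_len, snaplen)}
        if left - RECORD_HDR_LEN < incl_len:
            return {"ok": False, "packets": packets, "offset": off,
                    "reason": "truncated packet data at offset %d (%d of %d bytes)"
                              % (off, left - RECORD_HDR_LEN, incl_len)}
        off += RECORD_HDR_LEN + incl_len
        packets += 1
    return {"ok": True, "reason": "clean", "packets": packets, "offset": off,
            "snaplen": snaplen, "linktype": linktype, "timestamps": resolution}


def check_pcap_file(path: str) -> dict:
    """Map a capture file from disk (overnight captures can be large) and check it."""
    with open(path, "rb") as f:
        if os.fstat(f.fileno()).st_size == 0:
            return check_pcap(b"")
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return check_pcap(mm)


def build_pcap(frames, snaplen=262144, linktype=1) -> bytes:
    """Assemble a little-endian microsecond pcap image from (ts_sec, ts_usec, frame) tuples.

    Used here only to construct test input; real files come from tcpdump -w.
    """
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample (not real traffic): a broadcast ARP-sized frame and an IPv4-sized frame.
SAMPLE_FRAMES = [
    (1700000000, 1000, bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)),
    (1700000000, 2000, bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(40)),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_pcap_file(sys.argv[1])
    else:
        # No file given: simulate a capture killed with SIGKILL by dropping the tail of the last record.
        result = check_pcap(build_pcap(SAMPLE_FRAMES)[:-10])
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it as python3 pcapcheck.py /root/testcapture.pcap; a non-zero exit means the tail of the file is incomplete. tcpdump -r also stops at a truncated record and complains about a truncated dump file, but the checker additionally tells you how many records survived and at which byte offset the damage starts, which is enough to cut the file cleanly before analysis.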

© Copyright 2020.TechieNix. All Rights Reserved.