Wireshark-users: Re: [Wireshark-users] tcpdump command
Kaushal Shriyan wrote:
I have to capture network traffic between an appliance and content
server using tcpdump command and then dump to a file and read and decode
it using wireshark
How do I proceed?
I have used tcpdump -i eth0 -s 1500 -w dump src host 192.168.0.1
and dst host www.example.com
See other replies for why that filter isn't right (it explicitly asks to
only see packets sent from the source host to the destination host;
you'd want "host 192.168.0.1 and host www.example.com" - or "host
192.168.0.1 and www.example.com"; they're equivalent - to capture all
traffic between 192.168.0.1 and www.example.com).
However, "-s 1500" will give you only the first 1500 bytes of an
Ethernet packet - *including* the Ethernet header; that means that a
full-sized Ethernet packet, with 1514 bytes (14 bytes of Ethernet header
and 1500 bytes of payload) will only have the first 1486 bytes of
payload captured.
The largest "-s" value is 65535; you can either do "-s 65535" or, with
newer versions of tcpdump, "-s 0" to get the full packet. (Wireshark
tells dumpcap to use a snapshot length of 65535 by default, and TShark
uses a snapshot length of 65535 by default.)
Note also that the rules for capture filters in tcpdump are exactly the
same as they are in Wireshark and TShark (because they're implemented
with the same code).
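The snapshot-length arithmetic above can be checked directly on a capture file: a record whose captured length is shorter than its on-wire length has been cut by "-s". The following is an added example, not code from the thread or from the tcpdump/Wireshark projects; it writes a classic little-endian pcap from constructed Ethernet frames (truncating each record to the snaplen the way "-s <snaplen>" does) and then scans a pcap for truncated records, reporting how much Ethernet payload actually survived.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14               # Ethernet header counts against the snaplen

def write_pcap(snaplen, frames):
    """Serialise Ethernet frames into a classic pcap file, keeping only the
    first `snaplen` bytes of each frame, as tcpdump -s <snaplen> would."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    out = [hdr]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on wire)
        out.append(struct.pack("<IIII", i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)

def truncated_records(pcap):
    """Return (snaplen, [(index, captured_len, wire_len, payload_captured), ...])
    listing every record whose captured length is shorter than its wire length.
    payload_captured is the number of bytes left after the Ethernet header."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    snaplen, = struct.unpack_from("<I", pcap, 16)
    off, idx, hits = 24, 0, []
    while off + 16 <= len(pcap):
        incl_len, orig_len = struct.unpack_from("<II", pcap, off + 8)
        if incl_len < orig_len:
            hits.append((idx, incl_len, orig_len, max(incl_len - ETH_HDR_LEN, 0)))
        off += 16 + incl_len
        idx += 1
    return snaplen, hits

if __name__ == "__main__":
    # Constructed sample: one full-sized frame (14 + 1500 bytes) and one small frame.
    frames = [b"\x00" * (ETH_HDR_LEN + 1500), b"\x01" * 60]
    for snap in (1500, 65535):
        snaplen, hits = truncated_records(write_pcap(snap, frames))
        print(f"snaplen={snaplen}: truncated records = {hits}")
```

With "-s 1500" the full-sized frame is reported as captured 1500 of 1514 bytes, i.e. 1486 bytes of payload, while "-s 65535" leaves nothing truncated.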