Creating a Wireshark compatible .cap file with tcpdump


tcpdump is a useful tool for capturing network packets on Linux, UNIX, BSD and similar systems. It is nice, however, to be able to view its output in a graphical UI. Wireshark can open capture files written by tcpdump, provided you pass the right parameters on the tcpdump command line. Run tcpdump as follows:

tcpdump -s 65535 -w /path/to/file.cap

Download the .cap to your computer and import it into Wireshark.

You can also pass a capture filter to tcpdump to get a smaller .cap file. The following captures only port 80 (HTTP traffic):

tcpdump -s 65535 -w /path/to/file.cap 'src port 80 || dst port 80'
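The file that `tcpdump -w` writes is in the libpcap format that Wireshark reads: a 24-byte global header (magic number, version, the snaplen given with `-s`, link type) followed by one 16-byte record header plus truncated packet bytes per packet. The following added example (not from the original post) builds a small constructed capture shaped like the one the command above produces and parses it back, reporting how many packets were cut short by the snaplen; the sample timestamps and payloads are made up.

```python
import struct

# pcap magic numbers tcpdump can write, mapped to the timestamp fraction unit:
# 0xA1B2C3D4 = microseconds (default), 0xA1B23C4D = nanoseconds (--nano)
PCAP_MAGIC = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}

def build_sample_capture(snaplen=65535, linktype=1):
    """Return constructed pcap bytes shaped like `tcpdump -s <snaplen> -w` output.
    linktype 1 = Ethernet. Timestamps and payloads are constructed sample data."""
    # global header: magic, major, minor, tz offset, sigfigs, snaplen, linktype
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    records = b""
    for ts_sec, payload in ((1700000000, b"\x00" * 60), (1700000001, b"\xff" * 80)):
        data = payload[:snaplen]  # tcpdump stores at most snaplen bytes per packet
        # record header: ts_sec, ts_frac, captured length, original length on the wire
        records += struct.pack("<IIII", ts_sec, 0, len(data), len(payload)) + data
    return header + records

def parse_capture(blob):
    """Parse a pcap blob and summarise it; raise ValueError if it is not pcap."""
    if len(blob) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic_le = struct.unpack("<I", blob[:4])[0]
    magic_be = struct.unpack(">I", blob[:4])[0]
    if magic_le in PCAP_MAGIC:          # written on a little-endian host
        endian, unit = "<", PCAP_MAGIC[magic_le]
    elif magic_be in PCAP_MAGIC:        # written on a big-endian host
        endian, unit = ">", PCAP_MAGIC[magic_be]
    else:
        raise ValueError("not a pcap file (bad magic): pcapng or text output?")
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    packets, truncated, offset = 0, 0, 24
    while offset + 16 <= len(blob):
        _ts, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(blob):
            raise ValueError(f"corrupt packet record at offset {offset}")
        packets += 1
        truncated += incl_len < orig_len  # Wireshark flags these as size-limited
        offset += 16 + incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated, "timestamp_unit": unit}
```

A capture taken with a small `-s` value parses fine but reports truncated packets, which is why the command above uses `-s 65535`.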
