What is a tcpdump file?

A tcpdump file is a file of captured packet data written by the tcpdump utility.

The data contained within the file consists of records of the IP packets received by your server over a particular period of time, usually 10 minutes. These files can be very large, depending on how long you capture for, and it is best to write them out to disk immediately after you have finished capturing packets.

When writing a tcpdump file, you should always capture packets in promiscuous mode. Doing so ensures that you capture packets received from all sources, including broadcast (e.g. IPv4) traffic. However, if the destination addresses are not known, you may need to add an address filter to restrict the captured packets to one specific host. It is also worth setting a capture mask to stop packets being captured when the source port is already being read by the listening netfilter module.

Once you have generated a file containing data to analyse, use a packet analysis tool to look at it. The best tool for this is the tcpdump tool, which is provided with the default iptables package: tcpdump -V. This is an incredibly useful command, and all of its options are covered in more detail elsewhere in this book, but it is essential that you understand the basics before you start using it. When you run tcpdump, the information displayed is exactly what you see on a normal network interface, such as eth0. This can be used to identify the exact nature of the data as it arrives at your server, and in some cases it is also a good way to validate information that you have captured.

Capturing all of the data received on an interface will mean that you end up with quite a large tcpdump file, and tcpdump isn't the only application that can save a packet capture. We have seen in chapter 9 that the iptables utility can capture IP traffic, and later in this chapter we will learn how to use it to log all traffic arriving at our server on eth0.

A quick word on tcpdump options: the only options you need to know about are -i and -w, which allow you to specify the output file name or dump into memory. The default option (and the file you should be saving) is -s 0, which captures all packets and saves them into memory.
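To make concrete what a tcpdump file actually contains, here is an added example (not code from the page or from the tcpdump project): a Python parser for the classic libpcap format that tcpdump -w produces, with a sample capture constructed inline rather than taken from a real interface. It reads the 24-byte global header (including the snaplen and the link type, shown by tcpdump as "link-type EN10MB (Ethernet)") and each 16-byte record header, and flags records that were cut short because the snaplen (-s) was smaller than the frame.

```python
import struct

# Classic libpcap magic: its byte order fixes the order of every header; the *3c4d variants mean nanosecond timestamps.
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}
LINKTYPE_ETHERNET = 1  # tcpdump prints this as "link-type EN10MB (Ethernet)"


def parse_pcap(data: bytes) -> dict:
    """Parse an in-memory libpcap capture into its global header and packet records."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte global header")
    if data[:4] not in PCAP_MAGIC:
        raise ValueError(f"not a libpcap file (magic {data[:4].hex()})")
    endian, ts_div = PCAP_MAGIC[data[:4]]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        # A corrupt or hostile file must never make us read past the buffer.
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            raise ValueError(f"bad incl_len {incl_len} at offset {off}")
        packets.append({
            "timestamp": ts_sec + ts_frac / ts_div,
            "captured": incl_len,
            "original": orig_len,
            "truncated": incl_len < orig_len,  # snaplen (-s) was smaller than the frame
            "data": data[off + 16:off + 16 + incl_len],
        })
        off += 16 + incl_len
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}


def build_sample() -> bytes:
    """Constructed sample (not a real capture): little-endian, Ethernet, snaplen 64,
    one 60-byte frame kept whole and one 1514-byte frame cut down to 64 bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, LINKTYPE_ETHERNET)
    rec1 = struct.pack("<IIII", 1700000000, 126914, 60, 60) + b"\x00" * 60
    rec2 = struct.pack("<IIII", 1700000001, 0, 64, 1514) + b"\x11" * 64
    return hdr + rec1 + rec2
```

A capture written with -s 0 will show no truncated records; a capture written with a small snaplen will show "truncated" on every frame longer than that limit.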

What is the output file name of tcpdump?

I tried this but it doesn't output anything.

This is probably due to the "file not found"? Am I right? 168.3.tcpdump

I figured it out! Instead of using tcpdump, use netstat -s like this. It outputs everything in the file that I am looking for. In my case it was 192.1, so this worked out. You need the file type instead of the file name. The file name won't change no matter how much you edit it. head -1 Hope they will add them someday. Anyway, that's why it outputs everything in the file.

How to create a PCAP file with tcpdump?

I am using Ubuntu 13.10 and I have tried using the tool tpcap, it works very well. But then I needed a packet analyzer (I need to create a PCAP file with tcpdump in my case). This is how I did it:

cp -rf /usr/share/tcpdump/test-pcap .
touch test-pcap-file.pcap
tcpdump -n -v -s 0 -X -r test-pcap-file.pcap

But what do I do with it after? There are multiple files in test-pcap-file.pcap like:

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes.
42:40.126914 IP 192.168.34001 > 192.

Should I just delete them all? What should I do?
The reason your tpcap test doesn't work is because tcpdump is dumping to a file that already contains valid packets. Tcpdump will not re-run from scratch. When tcpdump runs with the -c switch it reads packets from the specified file, it does not try to re-open the file.

If you just want to dump the entire file into a file you can use the command:

tcpdump -c file.pcap

Or if you have tshark available you can use the command:

tshark -f file.pcap -s ip.dst -e ip.src

Or if you want something simpler (-T fields needs at least one -e field to print):

tshark -r file.pcap -T fields -e ip.src -e ip.dst

To read back from the pcap file created you would use the regular Unix read command.
