Why is there such a difference in the number of packets captured by tcpdump when the output is written to the console and to a file?

$ tcpdump
...
1681 packets captured
1681 packets received by filter
0 packets dropped by kernel

vs.

# tcpdump > /root/dump.txt 
...
11 packets captured
12 packets received by filter
0 packets dropped by kernel

In both cases I terminated the command with Ctrl+C after a few seconds.

Edit: The command tcpdump -w /root/dump.txt also captures just a few packets. This behavior is consistent; I tried many times.

  • There simply was more traffic flowing during your first sample. By the way, when writing tcpdump output to a file, you should be using -w.
    – user260419
    Commented Apr 12, 2014 at 13:47
  • I tried several times. Result is the same with -w.
    – Prvaak
    Commented Apr 12, 2014 at 14:02
  • What did you try? How are you ensuring that the exact same amount of traffic is flowing for each tcpdump run?
    – Paul
    Commented Apr 12, 2014 at 14:43
  • When you run tcpdump, are you remotely logged into the machine running tcpdump, using, for example, ssh?
    – user164970
    Commented Apr 12, 2014 at 18:13
  • @GuyHarris: Yes, I am using ssh. I feel stupid. The reason for the difference is actually quite obvious :)
    – Prvaak
    Commented Apr 13, 2014 at 5:18

1 Answer

Yes, as you realized, the text output from tcpdump is going over your ssh connection to the host from which you ssh'ed in to the machine on which you're running tcpdump, and thus gets captured by tcpdump. With -w, tcpdump doesn't print anything per packet, so it doesn't go over the wire (unless you're saving the capture to a file on a file system mounted from a file server, such as an NFS or SMB or AFP server).

Wireshark and TShark attempt to detect that you're running Wireshark over X11 or TShark over ssh and, if you are, tweak the capture filter under the hood to filter out X11 or ssh traffic to the host from which you're running them. For tcpdump, you might want to use a filter such as

not (host {host from which you're sshing} and port ssh)

or, if you're already using a filter, AND that filter with the one you're using, to filter out your SSH traffic.

  • SSH is only detected and provided as a hint to Wireshark GTK/QT, not tshark.
    – Lekensteyn
    Commented Apr 14, 2014 at 17:43
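The filter the answer suggests can be built automatically instead of typed by hand. The following shell function is an added example, not part of the answer or of tcpdump: it reads the SSH_CONNECTION variable that OpenSSH sets in a login session ("client_ip client_port server_ip server_port"), turns it into the answer's `not (host ... and port ...)` exclusion, and, when an existing capture filter is given, ANDs the two as the answer describes. It uses the server port from SSH_CONNECTION rather than the literal `port ssh`, so it also covers sshd listening on a non-standard port. The sample IP addresses in the demo are constructed values from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the answer): build a tcpdump capture filter that
# excludes the ssh session tcpdump's own output is travelling over, so the
# capture does not feed back on itself.
# Assumption: the session was started by OpenSSH, which sets
#   SSH_CONNECTION="client_ip client_port server_ip server_port"

# Usage: ssh_exclude_filter [existing_filter]
# Prints the combined filter on stdout. When SSH_CONNECTION is not set
# (a local console), the existing filter is passed through unchanged.
ssh_exclude_filter() {
    existing="${1:-}"
    conn="${SSH_CONNECTION:-}"
    if [ -z "$conn" ]; then
        printf '%s\n' "$existing"
        return 0
    fi
    # Field 1 is the peer (ssh client) address, field 4 the local sshd port.
    client_ip=$(printf '%s' "$conn" | cut -d' ' -f1)
    server_port=$(printf '%s' "$conn" | cut -d' ' -f4)
    exclude="not (host $client_ip and port $server_port)"
    if [ -n "$existing" ]; then
        # Parenthesise the caller's filter so its own "or" terms bind correctly.
        printf '%s\n' "($existing) and $exclude"
    else
        printf '%s\n' "$exclude"
    fi
}

# Demo with a constructed SSH_CONNECTION value (run in a subshell so the
# fake value does not leak into the caller's environment).
(
    SSH_CONNECTION="203.0.113.5 50322 198.51.100.7 22"
    export SSH_CONNECTION
    ssh_exclude_filter "tcp port 80"
)
# Real use from inside the ssh session, for example:
#   tcpdump -i eth0 "$(ssh_exclude_filter 'tcp port 80')"
```

The demo prints `(tcp port 80) and not (host 203.0.113.5 and port 22)`. Note that this only hides the ssh session's own packets from the capture; if the capture file itself is written to a network file system, as the answer points out, that write traffic would still need its own exclusion.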
