How to record only the header info when using `tcpdump`
When running the following command

```
tcpdump -i deviceName 'host 1.2.3.4' -q -w /mypath/dump.pcap
```

the dump file contains a huge amount of data because there's a lot of traffic. However, I only need to save the header details of each packet, not the entire contents. I tried using the `-q` switch (for "quiet") but that's not helping.

I need Time, Source, Destination, Protocol and Length. I do not need any of the other information, and especially not the full contents of each packet.

Is there a way to ignore the contents and only write the header details to disk so as to save space? I'm getting to over a GB in a matter of minutes :(

I've seen many questions about how to increase the amount of data saved, but nothing for reducing it. Am I barking up the wrong tree?

networking command-line monitoring tcpdump
See also How do I use tcpdump to capture all traffic headers. – Sjoerd, Mar 27 at 12:16

See option `-s snaplen` or `--snapshot-length=snaplen`. See tcpdump.org/manpages/tcpdump.1.html. They seem to have increased the default. (I remember that in old times I often had to increase the value which was less than 100 at this time.) – Bodo, Mar 27 at 12:20

I was under the impression that snaplen would only record information regarding packets below a certain size, not that it would limit what was saved to file. I'll take a look and get back to you. Thanks guys. – Dan Rayson, Mar 27 at 12:37

Local login or remote ssh session? – Rui F Ribeiro, Mar 28 at 0:43

@RuiFRibeiro I'm running the commands using PuTTY, if I'm honest I don't know what protocol that is, probably SCP, though. – Dan Rayson, Mar 28 at 10:13
asked Mar 27 at 12:11 by Dan Rayson
1 Answer
I was in the same situation and I solved it by adding `-s 96`.

Thanks Zatarra, adding this really simple bit sorted it out for me. I still get all the info I need but without the nasty overhead. Cheers! – Dan Rayson, Mar 27 at 13:37
answered Mar 27 at 13:23 by Zatarra
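Why `-s 96` keeps exactly the fields the question asks for: a snaplen does not filter packets by size (the worry raised in the comments), it cuts every captured packet at that many bytes, while each pcap record still stores the packet's original length. The script below is an added example, not code from the question, the answer or the tcpdump project. It builds two constructed Ethernet/IPv4/TCP frames, writes them to an in-memory pcap the way a capture with a given snaplen would, reads them back, and recovers time, source, destination, protocol and length from the truncated records. A small `required_snaplen` helper sizes the snaplen for other header stacks and shows where 96 bytes stops being enough (a VLAN-tagged IPv6 packet with full TCP options needs 118). The 192.0.2.0/24 and 198.51.100.0/24 addresses, ports and payloads are constructed sample data, and checksums are left at zero because nothing here validates them. Keeping payloads out of the file is also a data-minimisation win: a headers-only capture cannot leak credentials or personal data that sat in packet bodies.

```python
# Added example: what a tcpdump snaplen does to a capture file (constructed data).
import io
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR, VLAN_TAG, IPV4_MIN, IPV6_HDR, TCP_MIN, TCP_MAX, UDP_HDR = 14, 4, 20, 40, 20, 60, 8
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def required_snaplen(vlan=False, ipv6=False, tcp_options=False):
    """Bytes needed so the L2/L3/L4 headers survive truncation.
    IPv4 options (up to 40 extra bytes) are rare and not counted here."""
    n = ETH_HDR + (VLAN_TAG if vlan else 0)
    n += IPV6_HDR if ipv6 else IPV4_MIN
    n += TCP_MAX if tcp_options else TCP_MIN
    return n


def build_ipv4_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left at zero (sample data)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")   # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN + TCP_MIN + len(payload),
                     0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, (TCP_MIN // 4) << 4,
                      0x18, 65535, 0, 0)                        # PSH|ACK, no options
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen, first_ts=1_700_000_000):
    """Write frames as a capture taken with -s snaplen: cut bytes, keep original length."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]                  # the only effect of the snaplen
        out.write(struct.pack("<IIII", first_ts + i, 0, len(captured), len(frame)))
        out.write(captured)
    return out.getvalue()


def read_pcap(data):
    """Return (snaplen, [(timestamp, captured_bytes, original_length), ...])."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    off, records = 24, []
    while off < len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((ts_sec + ts_usec / 1e6, data[off:off + caplen], origlen))
        off += caplen
    return snaplen, records


def summarize(record):
    """Recover the five fields from one record, or None if the headers were cut off."""
    ts, cap, origlen = record
    if len(cap) < ETH_HDR + IPV4_MIN or struct.unpack_from("!H", cap, 12)[0] != 0x0800:
        return None                                 # snaplen too small, or not IPv4
    ihl = (cap[ETH_HDR] & 0x0F) * 4
    proto = cap[ETH_HDR + 9]
    l4 = ETH_HDR + ihl
    ports = struct.unpack_from("!HH", cap, l4) if len(cap) >= l4 + 4 else (None, None)
    hdr_end = None
    if proto == 6 and len(cap) >= l4 + TCP_MIN:
        hdr_end = l4 + (cap[l4 + 12] >> 4) * 4      # TCP data offset
    elif proto == 17 and len(cap) >= l4 + UDP_HDR:
        hdr_end = l4 + UDP_HDR
    return {
        "time": ts,
        "src": socket.inet_ntoa(cap[ETH_HDR + 12:ETH_HDR + 16]),
        "dst": socket.inet_ntoa(cap[ETH_HDR + 16:ETH_HDR + 20]),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "sport": ports[0], "dport": ports[1],
        "length": origlen,                          # on-the-wire size, kept by pcap
        "payload_captured": None if hdr_end is None else max(0, len(cap) - hdr_end),
    }


def demo(snaplen=96):
    """Two constructed packets (one small, one MTU-sized) through the same snaplen."""
    frames = [
        build_ipv4_tcp_frame("192.0.2.10", "198.51.100.20", 40000, 443, b"x" * 10),
        build_ipv4_tcp_frame("198.51.100.20", "192.0.2.10", 443, 40000, b"y" * 1400),
    ]
    _, records = read_pcap(write_pcap(frames, snaplen))
    return [summarize(r) for r in records]


if __name__ == "__main__":
    for row in demo(96):
        print(row)
    print("headers survive -s 30:", all(r is not None for r in demo(30)))
    print("snaplen for VLAN+IPv6+TCP options:", required_snaplen(True, True, True))
```

The tcpdump invocation the script's `snaplen=96` corresponds to is `tcpdump -i deviceName -s 96 'host 1.2.3.4' -w /mypath/dump.pcap`. Run `required_snaplen` with the options that match the link you are watching before picking a value: when the real headers exceed the snaplen, the packet is still written, but the parser gets incomplete headers, which is what `demo(30)` shows.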