How to record only the header info when using `tcpdump`


When running the following command

tcpdump -i deviceName 'host 1.2.3.4' -q -w /mypath/dump.pcap

the dump file contains a huge amount of data because there's a lot of traffic. However, I only need to save the header details of each packet, not the entire contents. I tried using the -q switch (for "quiet") but that's not helping.

I need Time, Source, Destination, Protocol and Length. I do not need any of the other information, and especially not the full contents of each packet.

Is there a way to ignore the contents and only write the header details to disk so as to save space? I'm getting to over a GB in a matter of minutes :(

I've seen many questions about how to increase the amount of data saved, but nothing for reducing it. Am I barking up the wrong tree?










networking command-line monitoring tcpdump






asked Mar 27 at 12:11 by Dan Rayson







  • See also How do I use tcpdump to capture all traffic headers.
    – Sjoerd, Mar 27 at 12:16

  • See option -s snaplen or --snapshot-length=snaplen. See tcpdump.org/manpages/tcpdump.1.html. They seem to have increased the default. (I remember that in old times I often had to increase the value which was less than 100 at this time.)
    – Bodo, Mar 27 at 12:20

  • I was under the impression that snaplen would only record information regarding packets below a certain size, not that it would limit what was saved to file. I'll take a look and get back to you. Thanks guys.
    – Dan Rayson, Mar 27 at 12:37

  • Local login or remote ssh session?
    – Rui F Ribeiro, Mar 28 at 0:43

  • @RuiFRibeiro I'm running the commands using PuTTY, if I'm honest I don't know what protocol that is, probably SCP, though.
    – Dan Rayson, Mar 28 at 10:13












1 Answer
I was in the same situation and I solved it by adding -s 96






answered Mar 27 at 13:23 by Zatarra
  • Thanks Zatarra, adding this really simple bit sorted it out for me. I still get all the info I need but without the nasty overhead. Cheers!
    – Dan Rayson, Mar 27 at 13:37
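Added example, not part of the question or the answer above: a self-contained Python script that builds a few constructed Ethernet/IPv4/TCP frames, writes them to pcap at three different snaplens the way `tcpdump -w ... -s <snaplen>` would, and reads back the five fields the question asks for (Time, Source, Destination, Protocol, Length). It shows why `-s 96` answers the question: every pcap record stores the original wire length separately from the bytes actually kept, so Length survives while the payload is discarded. It also shows the failure mode of setting the snaplen too low (20 bytes here), where the IP header itself is cut off and Source/Destination/Protocol are lost. Two caveats a practitioner would want: `-q` only changes tcpdump's printed decode and has no effect on what `-w` writes to disk; and 96 bytes covers Ethernet plus an IPv4 or IPv6 header plus a TCP header with ordinary options, but a VLAN tag, a tunnel header or a full-size option set can push the headers past it, so budget more (128 is a common choice) on such links. The MAC addresses, IPs, ports, timestamps and payload below are constructed for the example.

```python
#!/usr/bin/env python3
"""Constructed demo of what `tcpdump -w file -s <snaplen>` keeps per packet.

Writes the same frames at several snaplens without tcpdump or libpcap, then
reads the file back the way a summariser would. Not part of the original post.
"""
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_ipv4_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; only headers matter here)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, 0x5018, 65535, 0, 0)  # 20-byte header, PSH|ACK
    return eth + ip + tcp + payload


def write_pcap(frames: List[Tuple[int, int, bytes]], snaplen: int) -> bytes:
    """Serialise frames as tcpdump -w does: each record keeps the original wire
    length (orig_len) but stores at most `snaplen` bytes (incl_len)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def summarize_pcap(data: bytes) -> List[Dict[str, object]]:
    """Return Time/Source/Destination/Protocol/Length per record, reading only
    the link, IP and transport headers. Marks records whose headers were cut off."""
    magic, _, _, _, _, _snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap (expected little-endian Ethernet capture)")
    rows, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        pkt = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        row: Dict[str, object] = {"time": ts_sec + ts_usec / 1e6, "length": orig_len,
                                  "captured": incl_len, "src": None, "dst": None, "proto": "truncated"}
        ethertype = struct.unpack("!H", pkt[12:14])[0] if len(pkt) >= 14 else None
        if ethertype == ETHERTYPE_IPV4 and len(pkt) >= 34:      # full 20-byte IPv4 header present
            ihl = (pkt[14] & 0x0F) * 4
            proto = pkt[23]
            row["src"] = ".".join(str(b) for b in pkt[26:30])
            row["dst"] = ".".join(str(b) for b in pkt[30:34])
            row["proto"] = IP_PROTO_NAMES.get(proto, str(proto))
            l4 = 14 + ihl
            if proto in (6, 17) and len(pkt) >= l4 + 4:          # ports need 4 more bytes
                row["sport"], row["dport"] = struct.unpack("!HH", pkt[l4:l4 + 4])
        rows.append(row)
    return rows


def compare_snaplens(payload_size: int = 1400, snaplens=(262144, 96, 20)) -> Dict[int, Dict[str, object]]:
    """Same constructed traffic captured at several snaplens: bytes on disk vs. fields recovered.
    262144 is tcpdump's current default; 96 is the value from the answer; 20 is deliberately too small."""
    frames = [(1553688000 + i, 1000 * i,
               build_ipv4_tcp_frame("1.2.3.4", "10.0.0.9", 443, 50000 + i, b"A" * payload_size))
              for i in range(3)]
    result = {}
    for s in snaplens:
        pcap = write_pcap(frames, s)
        result[s] = {"file_bytes": len(pcap), "rows": summarize_pcap(pcap)}
    return result


if __name__ == "__main__":
    for s, r in compare_snaplens().items():
        print(f"snaplen {s:>6}: {r['file_bytes']:>5} bytes on disk")
        for row in r["rows"]:
            print(f"  {row['time']:.6f} {row['src']}:{row.get('sport')} -> {row['dst']}:{row.get('dport')} "
                  f"{row['proto']} len={row['length']} captured={row['captured']}")
```

Running it prints the same three packets at each snaplen: at 96 the file is an order of magnitude smaller than the full capture, yet every row still reports the full 1454-byte wire length and the correct addresses and ports; at 20 the rows still carry Time and Length but show "truncated" for the protocol because the IP header was never written. The same check can be made on a real file with `tcpdump -nn -r /mypath/dump.pcap`, which prints the original length from the record header, not the truncated size.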

















  • Thanks Zatarra, adding this really simple bit sorted it out for me. I still get all the info I need but without the nasty overhead. Cheers!

    – Dan Rayson
    Mar 27 at 13:37
















Thanks Zatarra, adding this really simple bit sorted it out for me. I still get all the info I need but without the nasty overhead. Cheers!

– Dan Rayson
Mar 27 at 13:37





Thanks Zatarra, adding this really simple bit sorted it out for me. I still get all the info I need but without the nasty overhead. Cheers!

– Dan Rayson
Mar 27 at 13:37
















