Re: [tcpdump-workers] Does option -w influence the packet capture?

2005-05-06 Thread Jefferson Ogata
David Rosal wrote:
> I'm using tcpdump-3.7.2 to capture ethernet traffic, and I'm wondering
> why it captures far fewer packets when I use option -w.
> 
> I have done the following test:
> 
> I've run "tcpdump -s0" many times for 10 seconds each time, and the
> average result is to capture about 100 packets.
> I've run "tcpdump -s0 -w dumpfile" many times for 10 seconds each time,
> and the average result is to capture only 70 or 80 packets.
> But both tests have been done on the same computer, at the same hour.
> 
> Is this behaviour expected?

When you perform live analysis, you may also be capturing DNS and other
related traffic initiated by tcpdump itself. When writing to a file, no
protocol analysis is done, so this traffic is absent.

-- 
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
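An added check, not part of the thread: the script below parses a dumpfile written with -w and counts UDP port 53 packets to or from the capturing host, which is the resolver traffic the reply above attributes to live decoding. Running a live `tcpdump -s0` alongside `tcpdump -s0 -w dumpfile` on the same interface puts the live instance's lookups into the file, where this count quantifies them; here the capture bytes and the host address 192.0.2.10 are constructed for the example.

```python
import struct
from socket import inet_aton, inet_ntoa

CAPTURE_HOST = "192.0.2.10"  # assumed address of the host running tcpdump

def _udp_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/UDP frame (checksums left at zero; enough for parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     inet_aton(src), inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def _pcap(frames):
    """Wrap frames in a classic little-endian pcap (DLT_EN10MB), as -w writes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1115395200 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

# Constructed sample capture: one DNS query from the capturing host, its reply,
# and one unrelated UDP packet. A minimal 12-byte DNS header stands in for a query.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
SAMPLE_PCAP = _pcap([
    _udp_frame(CAPTURE_HOST, "192.0.2.53", 40000, 53, DNS_QUERY),
    _udp_frame("192.0.2.53", CAPTURE_HOST, 53, 40000, DNS_QUERY),
    _udp_frame("198.51.100.7", CAPTURE_HOST, 5000, 6000, b"x" * 10),
])

def count_resolver_traffic(pcap_bytes, host):
    """Return (total packets, UDP/53 packets to or from host) for a classic pcap."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng or nanosecond format?)")
    total = dns = 0
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        total += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17 or len(frame) < 14 + ihl + 4:
            continue  # not UDP, or truncated before the UDP ports
        src, dst = inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        if 53 in (sport, dport) and host in (src, dst):
            dns += 1
    return total, dns
```

Reading a real file is `count_resolver_traffic(open("dumpfile", "rb").read(), "<capture host IP>")`; a non-zero second value is the share of packets that -n (no name resolution) would remove from a live run.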


[tcpdump-workers] Does option -w influence the packet capture?

2005-05-06 Thread David Rosal
Hi.
I'm using tcpdump-3.7.2 to capture ethernet traffic, and I'm wondering
why it captures far fewer packets when I use option -w.

I have done the following test:
I've run "tcpdump -s0" many times for 10 seconds each time, and the 
average result is to capture about 100 packets.
I've run "tcpdump -s0 -w dumpfile" many times for 10 seconds each time, 
and the average result is to capture only 70 or 80 packets.
But both tests have been done on the same computer, at the same hour.

Is this behaviour expected?