David Rosal wrote:
> I'm using tcpdump-3.7.2 to capture ethernet traffic, and I'm wondering
> why it captures far fewer packets when I use option -w.
>
> I have done the following test:
>
> I've run "tcpdump -s0" many times for 10 seconds each time, and the
> average result is to capture about 100 packets.
> I've run "tcpdump -s0 -w dumpfile" many times for 10 seconds each time,
> and the average result is to capture only 70 or 80 packets.
> But both tests have been done on the same computer, at the same hour.
>
> Is this behaviour expected?
When you perform live analysis, you may also be capturing DNS and other
related traffic initiated by tcpdump itself. When writing to a file, no
protocol analysis is done, so this traffic is absent.
--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
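One way to check the explanation above is to read a `-w` dump file back and count the DNS PTR queries for `in-addr.arpa` it contains: a file written with `-w` should carry none that tcpdump itself caused, while a live session without `-n` triggers one per unseen address. The script below is an added example, not code from the thread; it builds a small constructed pcap inline (the `SRC` and `DNS_SERVER` addresses, packet contents and helper names are all assumptions) and counts reverse-lookup queries in it.

```python
import struct

def dns_name(name):
    # Encode a dotted name ("1.0.0.10.in-addr.arpa") as DNS labels.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def ipv4_frame(proto, src, dst, payload):
    # Ethernet + IPv4 header; checksums are left zero, which is fine for an offline sample.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def ptr_query(src, dst, qname):
    # UDP/53 DNS question of QTYPE 12 (PTR): what a resolver sends for a reverse lookup.
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + dns_name(qname) + struct.pack("!HH", 12, 1)
    return ipv4_frame(17, src, dst, struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns)

def pcap_bytes(frames):
    # Classic little-endian pcap, link type 1 (Ethernet), zero timestamps.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def count_packets(data):
    """Return (total_packets, reverse_lookup_queries) for a little-endian Ethernet pcap."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "only little-endian classic pcap handled"
    total, ptr, off = 0, 0, 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame, off, total = data[off + 16:off + 16 + caplen], off + 16 + caplen, total + 1
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:   # keep IPv4/UDP only
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if struct.unpack("!H", udp[2:4])[0] != 53:            # not sent to a DNS server
            continue
        dns, labels, pos = udp[8:], [], 12
        while dns[pos]:                                       # walk the question name
            labels.append(dns[pos + 1:pos + 1 + dns[pos]].decode())
            pos += 1 + dns[pos]
        qtype = struct.unpack("!H", dns[pos + 1:pos + 3])[0]
        if qtype == 12 and ".".join(labels).endswith("in-addr.arpa"):
            ptr += 1
    return total, ptr

# Constructed sample (not from the thread): one TCP packet plus two reverse lookups
# of the kind tcpdump's own name resolution would generate during a live capture.
SRC, DNS_SERVER = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x53"
SAMPLE = pcap_bytes([
    ipv4_frame(6, SRC, b"\x0a\x00\x00\x01", b"\x00" * 20),
    ptr_query(SRC, DNS_SERVER, "1.0.0.10.in-addr.arpa"),
    ptr_query(SRC, DNS_SERVER, "5.0.0.10.in-addr.arpa"),
])
```

To get the same packet counts from a live session as from a `-w` file, run tcpdump with `-n` so it does no name resolution; feed a real dump written by `-w` to `count_packets(open(path, "rb").read())` to see how many reverse lookups it recorded.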
-
This is the tcpdump-workers list.