Wireshark-users: Re: [Wireshark-users] tcpdump command

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 18 May 2007 09:01:21 -0700
Kaushal Shriyan wrote:

I have to capture network traffic between an appliance and content server using the tcpdump command and then dump to a file and read and decode it using Wireshark.

How do I proceed?

I have used tcpdump -i eth0 -s 1500 -w dump src host 192.168.0.1 and dst host www.example.com

See other replies for why that filter isn't right (it explicitly asks to only see packets sent from the source host to the destination host; you'd want "host 192.168.0.1 and host www.example.com" - or "host 192.168.0.1 and www.example.com"; they're equivalent - to capture all traffic between 192.168.0.1 and www.example.com).

However, "-s 1500" will give you only the first 1500 bytes of an Ethernet packet - *including* the Ethernet header; that means that a full-sized Ethernet packet, with 1514 bytes (14 bytes of Ethernet header and 1500 bytes of payload) will only have the first 1486 bytes of payload captured.

The largest "-s" value is 65535; you can either do "-s 65535" or, with newer versions of tcpdump, "-s 0" to get the full packet. (Wireshark tells dumpcap to use a snapshot length of 65535 by default, and TShark uses a snapshot length of 65535 by default.)

Note also that the rules for capture filters in tcpdump are exactly the same as they are in Wireshark and TShark (because they're implemented with the same code).
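As an added illustration of the two points above (not code from this thread, nor from tcpdump or Wireshark), the Python sketch below builds constructed Ethernet/IPv4 frames, shows why "src host A and dst host B" misses the reply direction while "host A and host B" matches both, and models how a 1500-byte snapshot length truncates a full-sized 1514-byte frame to 1486 bytes after the Ethernet header. The address 203.0.113.10 is a made-up stand-in for www.example.com.

```python
import socket
import struct

ETH_HDR_LEN = 14          # destination MAC + source MAC + EtherType
IPV4_HDR_LEN = 20         # minimal IPv4 header (no options)
ETHERTYPE_IPV4 = 0x0800

def build_ipv4_frame(src_ip, dst_ip, payload_len):
    """Construct a minimal Ethernet+IPv4 frame (sample data, not a real capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IPV4_HDR_LEN + payload_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + b"\x00" * payload_len

def ip_endpoints(frame):
    """Return (src, dst) of an IPv4-over-Ethernet frame, or None if not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    off = ETH_HDR_LEN + 12                      # IPv4 source address offset
    src, dst = struct.unpack("!4s4s", frame[off:off + 8])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)

def matches_src_dst(frame, a, b):
    """Semantics of 'src host A and dst host B': one direction only."""
    ep = ip_endpoints(frame)
    return ep is not None and ep == (a, b)

def matches_host_host(frame, a, b):
    """Semantics of 'host A and host B': both directions."""
    ep = ip_endpoints(frame)
    return ep is not None and ep in ((a, b), (b, a))

def snap(frame, snaplen):
    """Model the pcap record fields for a given -s value:
    (captured length, original length, bytes kept after the Ethernet header)."""
    captured = min(len(frame), snaplen)
    return captured, len(frame), max(0, captured - ETH_HDR_LEN)

if __name__ == "__main__":
    appliance, server = "192.168.0.1", "203.0.113.10"
    request = build_ipv4_frame(appliance, server, 1480)   # 14 + 20 + 1480 = 1514 bytes
    reply = build_ipv4_frame(server, appliance, 100)
    print("src/dst filter sees reply:", matches_src_dst(reply, appliance, server))
    print("host/host filter sees reply:", matches_host_host(reply, appliance, server))
    print("-s 1500 on a 1514-byte frame:", snap(request, 1500))
    print("-s 65535 on a 1514-byte frame:", snap(request, 65535))
```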