On Mon, Aug 22, 2011 at 01:28:48PM -0700, Guy Harris wrote:
> With the "-w" flag, to get it to write out the raw packet data in pcap
> format, rather than writing out the dissected packets as text:
> tcpdump -c1000 -w /tmp/tcpdump.pcap net xxx.yy.zz.0/24
... and using "-s 0" to change the snaplen in order to capture the
entire packets is usually desirable. Otherwise, you'll only get the
first 68 bytes of every packet.