Also from the title of tcpdump, does it capture more than the TCP protocol despite the name?

Yes. The name is historical; it originally dissected only a few protocols, and was primarily intended for observing TCP's behavior, but, as I was reminded when I booted an old Ubuntu 7.x VM I had lying around, on which I'd unpacked an Ethereal 0.2.0 source tree (yes, the very first Wireshark release, as I remember, from before it was renamed to Wireshark), that only handled IP, UDP, and TCP (and probably Ethernet). tcpdump acquired a bunch of additional dissectors over time, just as Ethereal/Wireshark did - and it was always capable of capturing all traffic, it just doesn't dissect every protocol (also true of Wireshark - it can capture all traffic, even traffic it can't dissect).

tcpdump uses the same capture library that Wireshark uses to capture traffic (libpcap and the WinPcap and Npcap Windows ports of libpcap), and also uses libpcap to read and write capture files. libpcap's original file format was "pcap" format, which was also Wireshark's original file format; Wireshark's primary file format is pcapng, which libpcap can read (with some limitations) but currently can't write (except on macOS). Wireshark can read both pcap and pcapng files, so it can read capture files written by tcpdump.

NOTE: if you're going to capture with tcpdump, use the -w flag, so it writes out a pcap file, not a printout of the dissection of packets.
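To see the "captures everything, dissects only some of it" point for yourself, here is an added example (not from the answer above or from tcpdump/libpcap) that builds a small classic pcap file in memory, of the kind `tcpdump -w` writes, and walks its records to count frames by link-layer/IP protocol. The MAC and IP addresses, timestamps and payloads are constructed placeholders; the file layout (24-byte global header, 16-byte record headers, linktype 1 = Ethernet) is the standard pcap format.

```python
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ether_frame(ethertype, payload):
    # Constructed Ethernet II frame with placeholder locally-administered MACs.
    return bytes.fromhex("020000000001020000000002") + struct.pack("!H", ethertype) + payload

def ipv4_packet(proto, payload):
    # Minimal 20-byte IPv4 header, no options; checksum left at zero (not validated here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def pcap_bytes(packets, endian="<"):
    # Classic pcap: magic 0xA1B2C3D4 in the writer's byte order, version 2.4, snaplen 65535.
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def classify(data):
    # Detect byte order from the magic number; a pcapng file starts differently and is rejected.
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng uses a different header)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    counts, off = {}, 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        label = "unknown"  # captured regardless of whether we can dissect it
        if linktype == LINKTYPE_ETHERNET and len(pkt) >= 14:
            et = struct.unpack("!H", pkt[12:14])[0]
            label = ETHERTYPES.get(et, f"ethertype 0x{et:04x}")
            if et == 0x0800 and len(pkt) >= 34:
                label = "IPv4/" + IP_PROTOS.get(pkt[23], f"proto {pkt[23]}")
        counts[label] = counts.get(label, 0) + 1
    return counts

SAMPLE = [ether_frame(0x0806, b"\x00" * 28),                     # ARP, not IP at all
          ether_frame(0x0800, ipv4_packet(17, b"\x00" * 8)),     # UDP
          ether_frame(0x0800, ipv4_packet(6, b"\x00" * 20)),     # TCP
          ether_frame(0x0800, ipv4_packet(6, b"\x00" * 20))]     # TCP

def sample_counts(endian="<"):
    return classify(pcap_bytes(SAMPLE, endian))
```

Running `sample_counts()` on the constructed file reports the ARP and UDP frames alongside the TCP ones, which is exactly what a real `tcpdump -w` file contains; a file from a pcapng-only writer would be rejected by the magic check.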