This command:
produces
asked 26 Feb ‘15, 13:44 Urnst66 edited 26 Feb ‘15, 14:42 Guy Harris ♦♦
One Answer:
Yes, you can use So first, you can convert the data into a suitable format by using Kurt Knochner's perl script, given as an answer to this question and copied here for convenience:
Assuming the output of
Once that’s done, run
Note that here I’m specifying “Raw IP” encapsulation. See http://www.tcpdump.org/linktypes.html for link types. answered 26 Feb ‘15, 15:16 cmaynard ♦♦ edited 27 Feb ‘15, 00:53 Kurt Knochner ♦
…because the packet data, in the tcpdump output, starts with the IP header, not with an Ethernet header. (26 Feb ‘15, 19:35) Guy Harris ♦♦
Thank you! That worked great. (27 Feb ‘15, 06:37) Urnst66
If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information. (27 Feb ‘15, 06:47) grahamb ♦
Note that if you had done
you would have had a pcap file, and wouldn’t have to do the conversion.
Note also that -s 1500 is wrong for Ethernet; the “snapshot length” specified by the -s flag is the total length of the packet, including the Ethernet header, not the MTU! The latest versions of tcpdump default to a large snapshot length; versions before that allow you to say -s 0 to get a large snapshot length, and, for versions older than that, you’d have to do something such as -s 262144.
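As an added example (not the thread's own code and not Kurt Knochner's script), the following Python converter reads tcpdump -x style output and writes a pcap file whose link type is 101 (Raw IP), since, as noted above, each packet starts with the IP header rather than an Ethernet header, and it uses the large snapshot length mentioned in the last comment. The sample input, the function names and the time-of-day-only timestamps are assumptions made for this example.

```python
import re
import struct

LINKTYPE_RAW = 101  # pcap link type for packets that begin with the IPv4/IPv6 header

# Constructed sample of `tcpdump -x` output: one IPv4/UDP packet of 32 bytes.
# Checksums are left at zero; this is not a real capture.
SAMPLE = """\
13:44:01.000123 IP 10.0.0.1.1234 > 10.0.0.2.53: UDP, length 4
\t0x0000:  4500 0020 0001 0000 4011 0000 0a00 0001
\t0x0010:  0a00 0002 04d2 0035 000c 0000 6465 6164
"""

# Packet summary line: "HH:MM:SS.uuuuuu IP ..." (tcpdump's default timestamp form).
HEADER_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) ")
# Hex dump line: tab, 4-digit offset, colon, groups of 4 hex digits.
HEX_RE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+([0-9a-f ]+)$")


def parse_tcpdump_hex(text):
    """Return a list of (seconds, microseconds, packet_bytes) from tcpdump -x text.

    Only the time of day is available, so 'seconds' counts from midnight
    (a simplification for this example).
    """
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            h, mi, s, us = (int(x) for x in m.groups())
            packets.append([h * 3600 + mi * 60 + s, us, bytearray()])
            continue
        m = HEX_RE.match(line)
        if m and packets:
            packets[-1][2] += bytes.fromhex(m.group(1).replace(" ", ""))
    return [(sec, us, bytes(data)) for sec, us, data in packets]


def to_pcap(packets, snaplen=262144):
    """Serialise packets as a little-endian classic pcap with link type Raw IP."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_RAW))
    for sec, us, data in packets:
        # Sanity check: a Raw IP frame must start with an IP version nibble of 4 or 6.
        if data[0] >> 4 not in (4, 6):
            raise ValueError("data does not begin with an IP header; wrong link type")
        out += struct.pack("<IIII", sec, us, len(data), len(data)) + data
    return bytes(out)
```

Writing `to_pcap(parse_tcpdump_hex(SAMPLE))` to a file gives a capture Wireshark opens with Raw IP framing, equivalent to what text2pcap -l 101 produces.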