{"id":1057,"date":"2014-11-03T20:09:26","date_gmt":"2014-11-03T20:09:26","guid":{"rendered":"https:\/\/trouble.org\/?p=1057"},"modified":"2014-11-03T20:09:43","modified_gmt":"2014-11-03T20:09:43","slug":"getting-tcpdump-to-write-to-pcap-format","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=1057","title":{"rendered":"getting tcpdump to write to pcap format"},"content":{"rendered":"

I wouldn’t think I’d be writing something like this, but…..<\/p>\n

Apple changed the default of tcpdump to writeout pcap-ng format,
\nwhich wireshark doens’t understand by default. Wasn’t sure what
\nwas up, but a quick search didn’t get any hits… turns out the
\n-y flag is the key (at least, Mavericks+.)<\/p>\n

$ sudo<\/span> tcpdump -w<\/span> \/<\/span>tmp\/<\/span>1<\/span>
\ntcpdump: data link<\/span> type<\/span> PKTAP
\ntcpdump: listening on pktap, link-type PKTAP (<\/span>Packet Tap)<\/span>, capture size<\/span> 65535<\/span> bytes
\n^C68 packets captured
\n71<\/span> packets received by filter
\n0<\/span> packets dropped by kernel
\n
\n$ sudo<\/span> tcpdump -y<\/span> RAW -w<\/span> \/<\/span>tmp\/<\/span>2<\/span>
\ntcpdump: data link<\/span> type<\/span> RAW
\ntcpdump: listening on pktap, link-type RAW (<\/span>Raw IP)<\/span>, capture size<\/span> 65535<\/span> bytes
\n^C873 packets captured
\n879<\/span> packets received by filter
\n0<\/span> packets dropped by kernel
\n
\n$ sudo<\/span> file<\/span> \/<\/span>tmp\/<\/span>[<\/span>12<\/span>]<\/span>
\n
\n\/<\/span>tmp\/<\/span>1<\/span>: data
\n\/<\/span>tmp\/<\/span>2<\/span>: tcpdump capture file<\/span> (<\/span>little-endian)<\/span> - version 2.4<\/span> (<\/span>raw IP, capture length 65535<\/span>)<\/span>
\n
\n$<\/div><\/div>\n

Amusingly Apple’s own file command doesn’t even recognize the new format.
\nTime to alias tcpdump until things get sorted out.<\/p>\n

Not impressed with Apple’s documentation on this one.<\/p>\n","protected":false},"excerpt":{"rendered":"

I wouldn’t think I’d be writing something like this, but….. Apple changed the default of tcpdump to writeout pcap-ng format, which wireshark doens’t understand by default. Wasn’t sure what was up, but a quick search didn’t get any hits… turns out the -y flag is the key (at least, Mavericks+.) $ sudo tcpdump -w \/tmp\/1 […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,6],"tags":[292,291],"class_list":["post-1057","post","type-post","status-publish","format-standard","hentry","category-dinosaur","category-tech","tag-like-cats-i-hate-undocumented-change","tag-tcpdump"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1057"}],"version-history":[{"count":5,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1057\/revisions"}],"predecessor-version":[{"id":1062,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1057\/revisions\/1062"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}