Reputation: 2010
I want to have tcpdump write raw packet data into a file and also display packet analysis into standard output as the packets are captured (by analysis I mean the lines it displays normally when -w is missing).
Can anybody please tell me how to do that?
Upvotes: 92
Views: 222226
Reputation: 1
tcpdump > output.txt if you are looking to save the output into a file in text format.
Use sudo if there are permission issues.
In my experience, the data gets written continuously.
Upvotes: -1
Reputation: 182609
Here's a neat way to do what you want:
tcpdump -w - -U | tee somefile | tcpdump -r -
What it does:
-w - tells tcpdump to write binary data to stdout
-U tells tcpdump to write each packet to stdout as it is received, rather than buffering them and outputting in chunks
tee writes that binary data to a file AND to its own stdout
-r - tells the second tcpdump to get its data from its stdin
Upvotes: 172
Reputation: 9315
Since tcpdump 4.99.0, the --print option can be used:
tcpdump -w somefile --print
Wednesday, December 30, 2020, by [email protected], denis and fxl.
Summary for 4.99.0 tcpdump release
[...]
User interface:
[...]
Add --print, to cause packet printing even with -w.
Upvotes: 35
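The two approaches above (--print and the tee pipeline) combined into one wrapper, as an added example that is not part of either answer. The function names are hypothetical, and the script assumes `tcpdump --version` prints a line containing "tcpdump version X.Y.Z".

```shell
#!/bin/sh
# Added example: pick --print when available, otherwise the tee pipeline.

# Read `tcpdump --version` output on stdin, print the dotted version number.
parse_version() {
    sed -n 's/.*tcpdump version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing each field numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "print" if this version has --print (4.99.0 or later), else "tee".
choose_mode() {
    if [ -n "$1" ] && version_ge "$1" 4.99.0; then echo print; else echo tee; fi
}

# Usage: capture_and_print FILE [tcpdump options and filter...]
capture_and_print() {
    out=$1; shift
    ver=$(tcpdump --version 2>&1 | parse_version)
    if [ "$(choose_mode "$ver")" = print ]; then
        tcpdump -w "$out" --print "$@"
    else
        # -U flushes per packet so the reader sees packets as they arrive
        tcpdump -w - -U "$@" | tee "$out" | tcpdump -r -
    fi
}

# Example call (interface and filter are placeholders):
# capture_and_print /tmp/capture.pcap -i eth0 port 80
```

If the version cannot be parsed, the wrapper falls back to the tee pipeline.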
Reputation: 25216
If you want a way to do it without running tcpdump twice, consider:
sudo tcpdump port 80 -w $(tty) | tee /tmp/output.txt
From the interactive command prompt you could use $TTY instead of $(tty) but in a script the former wouldn't be set (though I'm not sure how common it is to run tcpdump in a script).
Side-note: it's not very Unix-y the way tcpdump by default makes you write to a file. Programs should by default write to stdout. Redirection to a file is already provided by the shell constructs. Maybe there's a good reason tcpdump is designed this way but I don't know what that is.
Upvotes: -3
Reputation: 19223
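# Print decoded packets to stdout in the background
tcpdump ${ARGS} &
PID=$!
# Write the raw capture to the file in the foreground
tcpdump ${ARGS} -w "${filename}"
# Stop the background printer once the foreground capture exits
kill "$PID"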
Upvotes: -1