LinuxQuestions.org - How to convert Tcpdump output file to a Pcap format?

- Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)

- - How to convert Tcpdump output file to a Pcap format? (https://www.linuxquestions.org/questions/linux-networking-3/how-to-convert-tcpdump-output-file-to-a-pcap-format-864025/)

How to convert Tcpdump output file to a Pcap format?

Hi All,

How to convert Tcpdump output file to a Pcap format? Is there such way?

This is what i mean:

tcpdump -i eth0 >> test.out

Now i want to convert test.out to Pcap so It's readable via Wireshark.

Thanks in advance for your help :)

Quote:

Originally Posted by gabriel01 (Post 4265792)

Try with the parm -w to capture directly in pcap format:

Code:

tcpdump -i eth0 -w test.pcap

Hope this helps!

Use tcpdump's -w option:

tcpdump -i eth0 -w test.out

output of tcpdump is plain text generated by SOME of the fields in the header, thus many informations about a packet have been lost and total reconstruction is impossible. If you want to compare output of two programs, capture packets with tcpdump and log them as binaries.

Code:

sudo tcpdump -i eth0 -w test.out

After that you will be able to read from a file by

Code:

sudo tcpdump -i eth0 -r test.out

and as well to use it with wireshark. Also I may suggest you to modify snap length of captured packets to maximum 65535 or 0(if 0 is passed to -s argument it is interpreted as maximum which is 2^16 = 65535). Default is 68 or 96B(depending on the platform) and sometimes it isn't enough for all headers to be captured and dumped to binaries for later analysis. So, code with snap length modification would be

Code:

sudo tcpdump -i eth0 -w test.out -s 65535

. No need to use -s when reading from a file!

I have a small how to on this topic, i hope it will be help for others:
Use tcpdump to capture pcap wireshark dump file
http://linuxexplore.com/2012/06/07/u...ireshark-dump/