LinuxQuestions.org

Thread: tcpdump into a file correctly (https://www.linuxquestions.org/questions/linux-newbie-8/tcpdump-into-a-file-correctly-4175446718/)

eeluve 01-22-2013 04:54 AM

tcpdump into a file correctly
 
What I do want is something like:
Code:

tcpdump -i igb0 'tcp[13] & 2 != 0' -w tcpdump.txt
as you of course know, it won't work.
If I pipe into a file using bash, tcpdstat is obviously not fine with the file format. Help me a bit please.

unSpawn 01-22-2013 06:38 AM

Quote:

Originally Posted by eeluve (Post 4875308)
What I do want is something like:
Code:

tcpdump -i igb0 'tcp[13] & 2 != 0' -w tcpdump.txt
as you of course know, it won't work.

Apart from explicitly setting snaplen to zero and tacking on the BPF last as seems customary, why shouldn't it work? If you run it verbosely, without resolving any addresses and ports and without writing to a file what does it say?

eeluve 01-22-2013 06:53 AM

Without writing to a file everything is OK. But the exact problem is: I want to write it to a file in the order tcpdstat expects it (the order the -w option is meant to create, maybe I'm wrong). I believe it's not hard, I just don't know how. And maybe another question by the way: I know about snort and stuff, but if I would make a little script for an easy hand-check, how could I make a process (utility with given arguments) run for several seconds, count until some of the values reached the sought-for point and finish its job? I have tried with "read", "at", "sleep", combining sed+awk, but unsuccessfully.

unSpawn 01-22-2013 07:24 AM

Quote:

Originally Posted by eeluve (Post 4875367)
I want to write it to a file in the order tcpdstat expects it

I don't get what you're saying. There is nothing that suggests either tcpdump writes packets to file or that tcpdstat reads packets from file in any order other than FIFO.

eeluve 01-22-2013 09:37 AM

I could've given you a link, but it's Russian. And I'm home now, and no Google cloud ;) sorry, I'll try to translate and clarify better tomorrow. But it is exactly what I'm talking about. I even got an idea what exactly I have explained wrong:
Quote:

tcpdump.txt
must've been .pcap.
"tcpdstat - Get protocol statistics from tcpdump pcap files". And please, if someone could throw some notes on the second part of the question?

NevemTeve 01-22-2013 10:15 AM

It is quite okay, just try to understand that the output of option '-w' is not a human readable text-file.

unSpawn 01-22-2013 11:41 AM

Quote:

Originally Posted by eeluve (Post 4875478)
I could've given you a link

Sure, just post the link.


Quote:

Originally Posted by eeluve
make a little script for an easy hand-check, how could I make a process (utility with given arguments) run for several seconds, count until some of the values reached the sought-for point and finish its job? I have tried with "read", "at", "sleep", combining sed+awk, but unsuccessfully.

It kind of depends on what "sought-for point" means. If "sought-for point" means a packet counter then there's 'tcpdump -c' or 'tshark -c', elif it means input bytes there's 'cut -b' or 'dd count=' or 'od -N', elif it's a simple counter you could ((N++)) in BASH. Else if it means some combination, like (total pkt count and 3 SYN ACKs and within 10 seconds) then you best explain what you're trying to accomplish: (pseudo) script welcome.

eeluve 01-22-2013 11:50 PM

Thank you, even though I'm not the best explainer out there, the info you gave me is exactly what I've been seeking. And if you still want the link, here goes http://www.bit-team.com/index.php?showtopic=3930 Short story is, he explains how to use all these utilities for good, taking Cisco as an example. But he is talking superficially, so I kind of interpret it for myself.

linosaurusroot 01-23-2013 01:38 PM

Quote:

Originally Posted by NevemTeve (Post 4875501)
It is quite okay, just try to understand that the output of option '-w' is not a human readable text-file.

What's been created with tcpdump -w gets read with tcpdump -r.
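As an added example, not code from any poster in this thread, here is a small POSIX shell script that puts the answers together: the SYN-filtered capture is written with -s 0, -c and the BPF last as binary pcap (named .pcap, as the thread settled on), bounded in time with the coreutils 'timeout' command, read back with 'tcpdump -r', and run through a counter that finishes as soon as a threshold of SYN lines is reached (the "sought-for point" part of the question). It assumes tcpdump and 'timeout' are installed and keeps the interface name igb0 from the first post; the tcpdump text lines used for the offline check are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread. Assumes tcpdump and the
# coreutils 'timeout' command are installed; igb0 is the thread's interface.

# Read tcpdump's text output (tcpdump -l ... | or tcpdump -r ... |) on
# stdin, count lines carrying the SYN flag, print the count and return 0
# as soon as $1 such lines were seen; return 1 if stdin ends first.
# tcpdump prints 'Flags [S]' for a bare SYN and 'Flags [S.]' for SYN-ACK.
count_syn_until() {
  threshold=$1
  n=0
  while IFS= read -r line; do
    case $line in
      *"Flags [S]"*|*"Flags [S.]"*) n=$((n + 1)) ;;
    esac
    if [ "$n" -ge "$threshold" ]; then
      printf '%s\n' "$n"
      return 0
    fi
  done
  printf '%s\n' "$n"
  return 1
}

# Live capture: -s 0 for the full packet, -c to stop after $3 packets,
# 'timeout' to stop after $2 seconds, BPF last, -w writing binary pcap
# (the format tcpdstat and 'tcpdump -r' read; give it a .pcap name).
capture_syn_pcap() {
  iface=$1; seconds=$2; maxpkts=$3; out=$4
  timeout "$seconds" tcpdump -i "$iface" -s 0 -c "$maxpkts" -w "$out" \
    'tcp[13] & 2 != 0'
  # Read the file back as text and check how many SYNs actually landed.
  tcpdump -nn -r "$out" 2>/dev/null | count_syn_until "$maxpkts"
}

# Constructed sample of 'tcpdump -nn' text output for an offline check.
SAMPLE='10:00:00.000001 IP 10.0.0.2.51000 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
10:00:00.000105 IP 10.0.0.1.22 > 10.0.0.2.51000: Flags [S.], seq 0, ack 2, win 65160, length 0
10:00:00.000190 IP 10.0.0.2.51000 > 10.0.0.1.22: Flags [.], ack 1, win 502, length 0
10:00:01.000001 IP 10.0.0.3.51001 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0'

# Offline: stops at the third SYN line and prints 3.
printf '%s\n' "$SAMPLE" | count_syn_until 3

# Live run only when asked for explicitly, e.g. ./syncheck.sh --live
if [ "${1:-}" = "--live" ]; then
  capture_syn_pcap igb0 10 3 tcpdump.pcap
fi
```

For a live check without writing a file, the same counter also works on 'tcpdump -nn -l -i igb0 ...' piped straight in; -l makes tcpdump line-buffer its text output so the counter sees each line as it arrives.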

