tcpdump allows you to save captured network packets to a file. This is useful when you want to analyze the traffic later, share it with others, or open it in a graphical tool like Wireshark.

By default, tcpdump just prints packets to the terminal, but with the right option, it can store them in a special format called pcap.

Save with the -w Option

To write the output to a file, use the -w flag followed by a filename:

tcpdump -i eth0 -w capture.pcap

This tells tcpdump to capture from eth0 and save the packets in a file named capture.pcap.

You won’t see live output when using -w. It silently writes to the file.

Format of Saved File

The default format is pcap (conventionally saved with a .pcap extension), which is the standard used by most network tools, such as:

  • Wireshark
  • tshark
  • NetworkMiner
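
To show what such a file contains, here is an added example (not part of the original page) that parses the classic pcap layout: a 24-byte global header followed by one record per packet. It also reports a capture whose last record was cut off, which happens when a capture is interrupted mid-write. The function names and the two-packet sample are constructed for illustration.

```python
import struct

# Magic bytes -> (struct byte order, timestamp unit) for classic pcap files.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"), b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"), b"\xa1\xb2\x3c\x4d": (">", "ns"),
}

def parse_pcap(data):
    """Parse classic pcap bytes into (header, packets, truncated)."""
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        raise ValueError("pcapng file, not classic pcap")
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a pcap file")
    order, unit = MAGICS[data[:4]]
    # Global header: version, timezone offset, sigfigs, snaplen, link type.
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    header = {"version": (major, minor), "ts_unit": unit,
              "snaplen": snaplen, "linktype": linktype}
    packets, off, truncated = [], 24, False
    while off < len(data):
        # Record header: ts seconds, ts fraction, captured length, wire length.
        if len(data) - off < 16:
            truncated = True
            break
        sec, frac, caplen, wirelen = struct.unpack(order + "IIII", data[off:off + 16])
        if caplen > len(data) - off - 16:
            truncated = True  # capture stopped mid-record
            break
        packets.append({"ts": (sec, frac), "caplen": caplen, "wirelen": wirelen,
                        "data": data[off + 16:off + 16 + caplen]})
        off += 16 + caplen
    return header, packets, truncated

def build_sample():
    """Constructed two-packet little-endian capture (payloads are dummy bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for sec, payload, wirelen in [(1700000000, b"\x00" * 60, 60),
                                  (1700000001, b"\xff" * 96, 1514)]:
        out += struct.pack("<IIII", sec, 500, len(payload), wirelen) + payload
    return out

if __name__ == "__main__":
    hdr, pkts, cut = parse_pcap(build_sample())
    print(hdr, [(p["caplen"], p["wirelen"]) for p in pkts], "truncated:", cut)
```

To inspect a real capture, pass the file's bytes to parse_pcap, for example the contents of capture.pcap opened in binary mode.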