I'm running the following version of tcpdump:
I want to make tcpdump write to a file for each packet it captures. Currently, I could only see the captured packets if I quit tcpdump.
tcpdump -i em1 -w /tmp/pkts.pcap -s 1500
I need to quit to be able to open /tmp/pkts.pcap - until then I assume tcpdump is buffering. Is there a way to make tcpdump write to the file immediately instead of buffering?
Use the -U option in combination with the -woption and check if you have a version of libcap that supports pcap_dump_flush(). From the man page (version 4.3.0-1):
-U If the -w option is not specified, make the printed packet output ``packet-
buffered''; i.e., as the description of the contents of each packet is printed, it
will be written to the standard output, rather than, when not writing to a terminal,
being written only when the output buffer fills.
If the -w option is specified, make the saved raw packet output ``packet-buffered'';
i.e., as each packet is saved, it will be written to the output file, rather than
being written only when the output buffer fills.
The -U flag will not be supported if tcpdump was built with an older version of
libpcap that lacks the pcap_dump_flush() function.
