If you run “tcpdump | grep” and have to wait a while before any output appears, that’s probably because stdout is buffered by libc (e.g. printf).
If you want the output flushed at every line (i.e. line buffered), just use “tcpdump -l”.
Today I was visualizing a remote tcpdump output with my local wireshark/ethereal:
# ssh myserver “tcpdump -w -” | wireshark -k -i -
Strangely, I found wireshark truncating or skipping some packets.
Using -s 0 removes the limit on packet size:
# tcpdump -s 0 -w -
</grreplace>
<gr_replace lines="10-12" cat="clarify" orig="did partially solve">
This partially solved the packet truncation, but even more packets were skipped!
Even fine-tuning the packet size (-s 1000) wasn’t enough…
The solution was to dump to a shared filesystem: less elegant, but more robust.
did partially solve the pkt truncation, but even more pkt were skipped!
Even fine tuning pkt size -s1000 wasn’t enough…
The solution was to dump to a shared fs… less elegant but more robust.