Home / ubuntu / Questions / 1100347
Accepted
Krisz
Asked: 2018-12-13 06:55:43 +0800 CST

Tcpdump stop ungracefully

  • 772

I am looking for a reliable solution to do package capture for test automation.

Right now, tcpdump has been used with the following command.

sudo tcpdump -i ens160  -w filename.pcap -G 60 -W 1

I stop tcpdump with:

kill -s SIGINT <pid>

1 out of 20 time tcpdump fails to exit properly, and the pcap file will be damaged.

Is there any way to make sure tcpdump will exit properly?

networking wireshark tcpdump

1 Answers

  1. Best Answer

    There are two ways to avoid a truncated dump file:

    1. As suggested by Doug Smythies, use termination signal (SIGTERM) instead of SIGINT to kill the tcpdump process:

      kill <pid>

    2. Tell tcpdump to write packet directly to file as each packet is saved (option -U). This way, even using SIGINT, the file will not be truncated. From man tcpdump :

       -U
   --packet-buffered
          If the -w option is not specified, make the  printed  packet
          output  ``packet-buffered''; i.e., as the description of the
          contents of each packet is printed, it will  be  written  to
          the standard output, rather than, when not writing to a ter‐
          minal, being written only when the output buffer fills.

          If the -w option is specified, make  the  saved  raw  packet
          output  ``packet-buffered'';  i.e., as each packet is saved,
          it will be written to the output  file,  rather  than  being
          written only when the output buffer fills.

          The  -U flag will not be supported if tcpdump was built with
          an older version of libpcap that lacks the pcap_dump_flush()
          function.
    • 1