THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question

Revision history  [back]

Revision 2
Chuckc's avatar
3k
Chuckc
updated 2019-12-11 22:32:23 +0000

From the tcpdump man page:

       -w file
              Write the raw packets to file rather than parsing  and  printing
              them  out.  They can later be printed with the -r option.  Stan-
              dard output is used if file is ``-''.

              This output will be buffered if written to a file or pipe, so  a
              program reading from the file or pipe may not see packets for an
              arbitrary amount of time after they are received.   Use  the  -U
              flag  to  cause  packets  to  be written as soon as they are re-
              ceived.

Try:

tcpdump -i any ! host 172.xx.xx.116 -s 0 -w - | ssh [email protected] 'cat>dump.pcap'


(assuming the xx.xx are replaced to complete the IP address)

Revision 1
Chuckc's avatar
3k
Chuckc
answered 2019-12-11 22:30:29 +0000

From the tcpdump man page:

       -w file
              Write the raw packets to file rather than parsing  and  printing
              them  out.  They can later be printed with the -r option.  Stan-
              dard output is used if file is ``-''.

              This output will be buffered if written to a file or pipe, so  a
              program reading from the file or pipe may not see packets for an
              arbitrary amount of time after they are received.   Use  the  -U
              flag  to  cause  packets  to  be written as soon as they are re-
              ceived.

Try:

tcpdump -i any ! host 172.xx.xx.116 -s 0 -w - | ssh [email protected] 'cat>dump.pcap'
“cat > dump.pcap”


(assuming the xx.xx are replaced to complete the IP address)