Login
    Contents x
    Why Are PCAP Files Generated by tcpdump Empty?
    • 21 Mar 2022
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Contents

    Why Are PCAP Files Generated by tcpdump Empty?

    • Updated on 21 Mar 2022
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    PCAP files generated by tcpdump are (mostly) empty

    By far, the most probable reason for this is that you are trying to use a filter on VLAN tagged packets. This won’t work since tcpdump filters look for fixed locations in the packet and the VLAN tag offsets the actual bytes that are being matched. Fortunately, there is a workaround: by adding the filter vlan, all following filters will be offset by the VLAN tag size. For instance, if you want to filter ip proto \tcp on an interface receiving only VLAN tagged packets, then you must use the following filter instead:

    vlan and (ip proto \tcp)

    If the network interface receives both tagged and non-tagged packets, then this somewhat cumbersome filter must be used:

    (ip proto \tcp) or (vlan and (ip proto \tcp))

    © 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®,  the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/. 

    Was this article helpful?
    What's Next
    Get In Touch
    Learn
    About Us
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout