PCAP files generated by tcpdump are (mostly) empty

By far, the most probable reason for this is that you are trying to use a filter on VLAN tagged packets. This won’t work since tcpdump filters look for fixed locations in the packet and the VLAN tag offsets the actual bytes that are being matched. Fortunately, there is a workaround: by adding the filter vlan, all following filters will be offset by the VLAN tag size. For instance, if you want to filter ip proto \tcp on an interface receiving only VLAN tagged packets, then you must use the following filter instead:

vlan and (ip proto \tcp)

If the network interface receives both tagged and non-tagged packets, then this somewhat cumbersome filter must be used:

(ip proto \tcp) or (vlan and (ip proto \tcp))

© 2026 Cisco and/or its affiliates. All rights reserved.

For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and trademarks