.svg?sv=2022-11-02&spr=https&st=2024-11-08T18%3A39%3A34Z&se=2024-11-08T18%3A49%3A34Z&sr=c&sp=r&sig=DKGzfraDdaor9VTKANC7aukrCT8vjtswG7YMQAia%2Fnw%3D){kind=logo}
Why Are PCAP Files Generated by tcpdump Empty?
- 21 Mar 2022
- 1 Minute to read
- Contributors
- Print
- PDF
Why Are PCAP Files Generated by tcpdump Empty?
- Updated on 21 Mar 2022
- 1 Minute to read
- Contributors
- Print
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
PCAP files generated by tcpdump are (mostly) empty
By far, the most probable reason for this is that you are trying to use a filter on VLAN tagged packets. This won’t work since tcpdump filters look for fixed locations in the packet and the VLAN tag offsets the actual bytes that are being matched. Fortunately, there is a workaround: by adding the filter vlan, all following filters will be offset by the VLAN tag size. For instance, if you want to filter ip proto \tcp on an interface receiving only VLAN tagged packets, then you must use the following filter instead:
vlan and (ip proto \tcp)
If the network interface receives both tagged and non-tagged packets, then this somewhat cumbersome filter must be used:
(ip proto \tcp) or (vlan and (ip proto \tcp))
© 2024 Cisco and/or its affiliates. All rights reserved.
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks
Was this article helpful?