Login
Contents x
Why Are PCAP Files Generated by tcpdump Empty?
  • 21 Mar 2022
  • 1 Minute to read
  • Contributors
  • Print
  • PDF
Contents

Why Are PCAP Files Generated by tcpdump Empty?

  • Updated on 21 Mar 2022
  • 1 Minute to read
  • Contributors
  • Print
  • PDF
Article summary

PCAP files generated by tcpdump are (mostly) empty

By far, the most probable reason for this is that you are trying to use a filter on VLAN tagged packets. This won’t work since tcpdump filters look for fixed locations in the packet and the VLAN tag offsets the actual bytes that are being matched. Fortunately, there is a workaround: by adding the filter vlan, all following filters will be offset by the VLAN tag size. For instance, if you want to filter ip proto \tcp on an interface receiving only VLAN tagged packets, then you must use the following filter instead:

vlan and (ip proto \tcp)

If the network interface receives both tagged and non-tagged packets, then this somewhat cumbersome filter must be used:

(ip proto \tcp) or (vlan and (ip proto \tcp))

© 2024 Cisco and/or its affiliates. All rights reserved.
 
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks


Was this article helpful?
What's Next
© 2024 Cisco Privacy Statement Cookies Legal
Change password!
Changing your password will log you out immediately. Use the new password to log back in.
Change profile
Success!
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
Logout