Capturing with tcpdump

There are occasions when you want to capture packets using tcpdump rather than Wireshark, especially when you want to do a remote capture.

Please note that the default tcpdump parameters result in a capture file where each packet is truncated, because most versions of tcpdump will, by default, only capture the first 68 or 96 bytes of each packet.

To ensure that you capture complete packets, use the following command:

tcpdump -i <interface> -s 65535 -w <file name>

Terminate the capture with ^C (Ctrl+C) when you believe you have captured enough packets.
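As an added example (not part of the original page), the following POSIX shell script reads the snaplen field from a capture file's pcap global header, so a capture written with the truncating default can be spotted before analysis. The function names and the sample header files it constructs are assumptions for illustration; on a real capture, run check_full_capture on the file.

```shell
#!/bin/sh
# pcap_snaplen FILE: print the snaplen stored in a classic pcap global header
# (bytes 16-19), honouring the byte order announced by the magic number.
pcap_snaplen() {
    # Read the 24-byte header as unsigned decimal bytes into $1..$24.
    set -- $(od -An -tu1 -N24 -v "$1")
    [ $# -eq 24 ] || return 1
    case "$1,$2,$3,$4" in
        161,178,195,212|161,178,60,77)    # a1b2c3d4 / a1b23c4d, big-endian
            echo $(( (${17} << 24) | (${18} << 16) | (${19} << 8) | ${20} )) ;;
        212,195,178,161|77,60,178,161)    # same magics, little-endian
            echo $(( (${20} << 24) | (${19} << 16) | (${18} << 8) | ${17} )) ;;
        *) return 1 ;;
    esac
}

# check_full_capture FILE: 0 if packets were not cut at write time (snaplen
# >= 65535, as -s 65535 produces), 1 if they may have been, 2 if not pcap.
check_full_capture() {
    snap=$(pcap_snaplen "$1") || { echo "$1: not a classic pcap file"; return 2; }
    if [ "$snap" -ge 65535 ]; then
        echo "$1: ok, snaplen $snap"
    else
        echo "$1: truncated capture, snaplen $snap (longer packets were cut)"
        return 1
    fi
}

# --- constructed sample headers, so this runs without a live interface ---
le32() {  # emit $1 as four little-endian bytes
    v=$1; n=0
    while [ $n -lt 4 ]; do
        printf "\\$(printf '%03o' $((v & 255)))"; v=$((v >> 8)); n=$((n + 1))
    done
}
write_sample_pcap() {  # $1 = path, $2 = snaplen; header only, no packet records
    {
        printf '\324\303\262\241'  # magic a1b2c3d4 as written by an x86 host
        printf '\002\000\004\000'  # version 2.4
        le32 0; le32 0             # thiszone, sigfigs
        le32 "$2"                  # snaplen under test
        le32 1                     # LINKTYPE_ETHERNET
    } > "$1"
}

tmp=$(mktemp -d)
write_sample_pcap "$tmp/default.pcap" 96     # what an old default -s produces
write_sample_pcap "$tmp/full.pcap" 65535     # what -s 65535 produces
for f in "$tmp/default.pcap" "$tmp/full.pcap"; do
    check_full_capture "$f" || :             # keep going after a truncated file
done
rm -r "$tmp"
```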