How to View Live Packet Capture in Real-Time While Using tcpdump -w Option


When using tcpdump's -w flag to save packets to a file, the default behavior suppresses packet display in the terminal. This creates a blind spot during network troubleshooting sessions where immediate feedback is crucial.

sudo tcpdump -i eth0 -w output.pcap -v

The -v (verbose) flag forces packet display while still writing to file. For more detailed output:

sudo tcpdump -i eth0 -w output.pcap -n -v

For complete control over the display format while capturing:

sudo tcpdump -i eth0 -l | tee output.txt

Or to simultaneously capture to pcap and display:

sudo tcpdump -i eth0 -U -w - | tee output.pcap | tcpdump -r - -n -l

For longer debugging sessions, keep the writer and a live reader in side-by-side tmux panes (the reader follows the growing file, so the writer needs -U so each packet is flushed as it is captured):

tmux new-session -d -s packet_capture 'sudo tcpdump -i eth0 -U -w output.pcap'
tmux split-window -h -t packet_capture 'sleep 1; tail -c +1 -f output.pcap | tcpdump -r - -n -l'
tmux attach -t packet_capture

When capturing high-volume traffic:

  • Use -c [count] to limit packets
  • Add BPF filters to reduce noise (the filter expression goes last, after all options): tcpdump -i eth0 -v -w http.pcap 'port 80'
  • For very busy interfaces, consider -s [snaplen] to capture only headers

Debugging HTTP traffic with real-time display:

sudo tcpdump -i eth0 -n -U -w - 'tcp port 80' \
  | tee http_capture.pcap \
  | tcpdump -r - -n -l -A \
  | grep --line-buffered "HTTP"

This captures full packets to file while showing only HTTP lines in terminal.

When combining display with capture, be aware of:

  • Terminal scrollback buffer limits (especially for long sessions)
  • Potential packet drops during high-volume captures
  • Disk I/O contention when writing large capture files

When running tcpdump with the -w flag, the tool intentionally suppresses packet display to optimize performance for file writing. This is by design, as printing packets to console while simultaneously writing to a file would significantly slow down the capture process.

sudo tcpdump -i eth0 -w output.pcap
# No packet output appears during capture

To simultaneously capture packets to a file and view them in real-time, use the -U (unbuffered) and -l (line buffered) flags combined with tee:

sudo tcpdump -i eth0 -U -w - | tee raw.pcap | tcpdump -r - -l

This command pipeline:

  • Captures packets to memory buffer (-U)
  • Writes raw output to stdout (-w -)
  • Stores copy in raw.pcap via tee
  • Displays packets in real-time through the second tcpdump instance
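As an added example (not part of the original answer), here is what the downstream side of that pipeline consumes: a small Python reader for the pcap stream that `-w -` emits, which can stand in for the second tcpdump as `sudo tcpdump -i eth0 -U -w - | tee raw.pcap | python3 pcap_live.py`. The script name is hypothetical and the embedded sample bytes are constructed for this example; with no stdin it parses the built-in sample, and on a live pipe it stops cleanly when the writer is killed mid-record.

```python
import io
import struct
import sys

# pcap magic as read little-endian -> (writer byte order, timestamp ticks per second)
_MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),
           0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9)}

def _read_exact(stream, n):
    """Block until n bytes arrive; returns fewer only at EOF (the writer exited)."""
    buf = b""
    while len(buf) < n and (chunk := stream.read(n - len(buf))):
        buf += chunk
    return buf

def read_global_header(stream):
    """Parse the 24-byte pcap file header -> (endian, ticks_per_sec, snaplen, linktype)."""
    hdr = _read_exact(stream, 24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    endian, ticks = _MAGICS[struct.unpack("<I", hdr[:4])[0]]  # KeyError: not a pcap stream
    snaplen, linktype = struct.unpack(endian + "II", hdr[16:24])
    return endian, ticks, snaplen, linktype

def iter_records(stream, endian, ticks):
    """Yield (timestamp_sec, caplen, origlen, data) per record; stop cleanly on a partial one."""
    while len(rec := _read_exact(stream, 16)) == 16:
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", rec)
        data = _read_exact(stream, caplen)
        if len(data) < caplen:  # writer stopped mid-packet (Ctrl-C, pipe closed)
            return
        yield ts_sec + ts_frac / ticks, caplen, origlen, data

def sample_stream():  # constructed pcap bytes for offline runs, not a real capture
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)  # snaplen 96, LINKTYPE_ETHERNET
    rec1 = struct.pack("<IIII", 1700000000, 500, 60, 60) + b"\x00" * 60
    rec2 = struct.pack("<IIII", 1700000001, 250000, 96, 1514) + b"\xff" * 96  # cut by snaplen
    tail = struct.pack("<II", 1700000002, 0)  # partial record: writer was killed mid-packet
    return io.BytesIO(hdr + rec1 + rec2 + tail)

if __name__ == "__main__":  # live use: sudo tcpdump -i eth0 -U -w - | tee raw.pcap | python3 pcap_live.py
    src = sample_stream() if sys.stdin.isatty() else sys.stdin.buffer
    endian, ticks, _snaplen, _linktype = read_global_header(src)
    for ts, caplen, origlen, _data in iter_records(src, endian, ticks):
        print("%.6f caplen=%d origlen=%d%s" % (ts, caplen, origlen, " [snapped]" if origlen > caplen else ""), flush=True)
```

Without -U on the writer, this reader blocks on an incomplete record until tcpdump's stdio buffer fills and is flushed, which is exactly the display lag the flag removes.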

For GUI-based real-time analysis, pipe tcpdump output to Wireshark:

sudo tcpdump -i eth0 -U -w - | wireshark -k -i -

When analyzing high-traffic interfaces, consider these optimizations:

sudo tcpdump -i eth0 -B 4096 -U -w - | \
  tee full_capture.pcap | \
  tcpdump -r - -l -c 100 'port 80'

This configuration:

  • Sets 4MB buffer size (-B 4096)
  • Shows only HTTP traffic
  • Limits display to first 100 packets (-c 100)

Combine display filters with capture filters for efficiency:

sudo tcpdump -i eth0 -U -w - 'tcp port 443' | \
  tee ssl_traffic.pcap | \
  tcpdump -r - -l -X 'host 192.168.1.100'