Link to home
Create AccountLog in
Avatar of lloydr1l
lloydr1l

asked on

tcpdump, where are the capture logs stored?

If I use putty to run tcpdump with the -w switch creating a log file, logged in as root, where is the log file saved?  I can't seem to locate it.
ASKER CERTIFIED SOLUTION
Avatar of HalldorG
HalldorG
Flag of Iceland image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of lloydr1l
lloydr1l

ASKER

So I would need to provide a path then, ok makes sense.   But what if I just put tcpdump -w capture.log?  Where would that be located?
Just tried a test, tcpdump -i eth1 host xxx.xxx.xxx.xxx -w /tmp/capture.log

But when I go to that directory, no capture.log    ?
And are you getting any traffic to host xxx.xxx.xxx.xxx

try without the filter.

The file is created ok using
tcpdump -i eth0 /tmp/log.log

and reading the file afterwards with
tcpdump -r /tmp/log.log
also works

Yes, I was getting traffic to the host.  Using "tcpdump -i eth1 /tmp/capture.log" without the -w switch yields a syntax error.  I did know about reading the file using the -r switch, but if I wanted to output for later, I can't seem to find it.
There should be a -w my typo
And you are sure that the traffic is going through eth0 as you are getting the log on console when not sending it to the file?
Well it's eth1, but yes, I can see the traffic.  If I were to leave out the -w capturefile part, all the captured packets stream by on the screen.
And there is plenty of diskspace on the machine?
Absolutely, almost 70 G free.   Here is some additional information if helpful.  I am using Putty through WinSCP, and sshing into a ClarkConnect box.  Using WinSCP to move around the directory structure.  Doing this does not reveal the capture log (as of yet).
Sorry out of ideas for now
Anyone else?
Actually the tcpdump file is located in the work directory, it mean if the file located in /root directory cause the tcpdump then the dump file will be located there
I looked in the root directory, and could not find the file though.
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
As I mentioned, I was using WinSCP3 to do all this.  The issue was that I needed to refresh the view to see the capture.  If I was simply using putty and an "ls" command the file would show up there, but not in WinSCP3, until I did a refresh.  Thanks for the help.