Why is tcpdump output file empty?

Question

On my Red Hat Enterprise Linux Server release 6.5 when saving a tcpdump capture to a file with the -w option, the resulting file is empty:

[root@plop ~]# tcpdump -n -w tcpdump.cap
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C217 packets captured
217 packets received by filter
0 packets dropped by kernel
[root@plop ~]# cat tcpdump.cap
[root@plop ~]# ll tcpdump.cap
-rw-r-----. 1 root root 0 Aug 25 14:13 tcpdump.cap
[root@plop ~]#

I also tried to redirect the output of the command with > and &>, but I always get an empty file...

What could be the reason for this?

NB:

I can see a correct output in the terminal (many packets) when not redirecting to a file
I did the same with thsark and it worked as expected (the output file was correct)
The verison of tcpdump is tcpdump version 4.1-PRE-CVS_2012_02_01
The version of libpcap is libpcap version 1.4.0
I tried with -U option, it didn't fix the problem.

Do you have any output in the terminal when you don't try to redirect it elsewhere? — John WH Smith, Aug 25 '15 at 12:22
Disk full ? There's a known issue with tcpdump where it silently encounters disk full and doesn't grumble about it to stdout/stderr. Otherwise, try `strace` of it, to see whats happening. — steve, Aug 25 '15 at 12:45
And if you try `-c 5` (or some other small number) ? Wondering if it's being interrupted before getting flushed to disk. — Jeff Schaller, Aug 25 '15 at 12:46
@steve You're right, disk full! Please create an answer, I will happily accept it :) — sdabet, Aug 25 '15 at 12:48

score 4 · Answer 1 · answered Aug 25 '15 at 10:34

Try to add the -U option.

From the man page:

   -U
   --packet-buffered
          If  the  -w option is not specified, make the printed packet output ``packet-buffered''; i.e., as the description of the contents of each packet is printed, it will be written to the standard
          output, rather than, when not writing to a terminal, being written only when the output buffer fills.

      If the -w option is specified, make the saved raw packet output ``packet-buffered''; i.e., as each packet is saved, it will be written to the output file, rather than being written only  when
      the output buffer fills.

      The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush() function.

Nice try...but that still doesn't work. – sdabet Aug 25 '15 at 11:57 — sdabet, Aug 25 '15 at 11:57
Try to specify the interface(s) e.g. `tcpdump -ni eth0` – dr_ Aug 25 '15 at 12:05 — dr_, Aug 25 '15 at 12:05

score 3 · Accepted Answer · answered Aug 25 '15 at 12:53

There's a known issue with tcpdump where if it fails to write to the output file (e.g. permissions or disk full) it does not report this fact.

In this case, as the output file is being created ok but no data being written, so the filesystem is likely full.

Can be confirmed by rerunning via strace and observing the write fail.

Solution is to clear space in relevant filesystem or point tcpdump at a filesystem where space exists.

score 0 · Answer 3 · answered Nov 10 '19 at 09:11

Update your tcpdump version: sudo yum install tcpdump
When I used command tcpdump -n -i "ens1f0" -e -c 20 -Q in -U -w /home/test.pcap - part of our tests created with empty pcap too. I removed part of filters and it started to create correct pcap files. This is a last version: tcpdump -n -i "ens1f0" -w /home/test.pcap

score -1 · Answer 4 · edited Oct 16 '15 at 17:53

-1

Make sure tcpdump is watching the right network interface. Or use -i any to watch on any interface.

edited Oct 16 '15 at 17:53

Raphael Ahrens

9,701
5
37
52

answered Oct 16 '15 at 17:36

Thomas Lane

1
1

Why is tcpdump output file empty?

4 Answers4