"tail -f" using "tcpdump -r"

Question

To display content of pcap file , we use :

tcpdump -r /Path/to/syscontection.pcap;

However, this command line does not follow the pcap file on realtime , like tail -f which follows a plain text .

OR

OR

tcpdump acts exactly what you want when running with no parameters. — Ipor Sircer, Sep 19 '16 at 14:28
Possible duplicate of [How to process/pipe TCPDUMPs output in realtime](http://unix.stackexchange.com/questions/15989/how-to-process-pipe-tcpdumps-output-in-realtime). I also recommend checking the [man page](https://linux.die.net/man/8/tcpdump) before asking a question, it might save you some time. — Hatclock, Sep 19 '16 at 14:30
This is not a duplicate question. He is asking about tcpdump's input not output. — rudimeier, Sep 19 '16 at 14:49

rudimeier · Accepted Answer · 2016-09-19T14:35:22.763

14

tail -c +1 -f /Path/to/syscontection.pcap | tcpdump -l -r -

edited Sep 19 '16 at 14:35

answered Sep 19 '16 at 14:29

rudimeier

This will not work when we want to read from multiple files, what will be the solution for `tcpdump -l -r file1,file2` e.g. ? `tail -c +1 -f file1 -f file2 | tcpdump -l -r -` will not work since tail will output some extra lines while tailing multiple files – Dipto Apr 09 '21 at 13:14
1

@Dipto I guess you could simply two or more of these pipe command lines in backround. `( tail -c +1 -f a.pcap | tcpdump -l -r - & tail -c +1 -f b.pcap | tcpdump -l -r - & )` – rudimeier Apr 13 '21 at 23:08
Thanks. But what I found is `tcpdump -r /Path/to/pcap` is able to follow the file in realtime as it is. May be OP is facing another problem https://superuser.com/questions/735017/why-does-tcpdump-take-so-long-to-read-pcap-files/735053#735053 – Dipto Apr 16 '21 at 11:58

1 Answers1