Using Tcpdump


File size can be limited with -C (megabytes) and the maximum number of files with -W. For example:

# capture.pcap and <address> are placeholders for the output file name and the host filter
tcpdump -i eth0 -s 0 -w capture.pcap -C 500 -W 200 host <address>

This writes up to 200 files of 500 MB each. Use editcap or tshark to pull out the parts you need after the fact.

Splitting Files

editcap can be used to split captures into smaller files or to make a new file with only packets from a certain time period.

For example:

# editcap takes an input file followed by an output file; input.pcap is a placeholder for the source capture
editcap -A "2009-12-14 13:04:00" -B "2009-12-14 13:06:00" input.pcap 20091214T1305-1min.pcap
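As an added example that is not part of these notes, the following Python reimplements the editcap -A/-B window over the classic pcap format (24-byte global header, 16-byte per-record header) on a constructed in-memory capture, so you can see what editcap is actually doing with the timestamps. It assumes the times are UTC and treats the window as start-inclusive and stop-exclusive; check the editcap man page for your version's exact boundary handling of -B.

```python
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4                  # native little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)

def build_pcap(records, snaplen=65535, linktype=1):
    """Serialise (ts_sec, ts_usec, payload) records into pcap bytes; used for the constructed sample."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, data in records:
        out.append(PKT_HDR.pack(sec, usec, len(data), len(data)) + data)
    return b"".join(out)

def iter_records(pcap):
    """Yield (ts_sec, ts_usec, payload) from pcap bytes, checking the magic and every record's bounds."""
    if len(pcap) < GLOBAL_HDR.size or struct.unpack_from("<I", pcap)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = GLOBAL_HDR.size
    while off < len(pcap):
        if off + PKT_HDR.size > len(pcap):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl_len, _orig_len = PKT_HDR.unpack_from(pcap, off)
        off += PKT_HDR.size
        if off + incl_len > len(pcap):
            raise ValueError("truncated record data at offset %d" % off)
        yield sec, usec, pcap[off:off + incl_len]
        off += incl_len

def parse_time(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS' form used with -A/-B; assumed to be UTC in this example."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()

def extract_window(pcap, start, stop):
    """Return a new pcap (same global header) holding only packets with start <= ts < stop."""
    lo, hi = parse_time(start), parse_time(stop)
    kept = [PKT_HDR.pack(s, u, len(d), len(d)) + d
            for s, u, d in iter_records(pcap) if lo <= s + u / 1e6 < hi]
    return pcap[:GLOBAL_HDR.size] + b"".join(kept)

# Constructed sample: four packets around 2009-12-14 13:05 UTC, matching the editcap command above.
T0 = int(parse_time("2009-12-14 13:03:59"))
SAMPLE = build_pcap([(T0, 0, b"\x01" * 60), (T0 + 1, 0, b"\x02" * 60),
                     (T0 + 90, 500000, b"\x03" * 60), (T0 + 121, 0, b"\x04" * 60)])

if __name__ == "__main__":
    window = extract_window(SAMPLE, "2009-12-14 13:04:00", "2009-12-14 13:06:00")
    print(len(list(iter_records(window))), "packets kept")  # 2
```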


  • Proxying/tunneling: I'd like to tell my program to connect to an intermediary (with Wireshark installed) so I can monitor it more easily. Maybe use a proxy server, or make the intermediate machine into a simple router.
  • Decrypting: if I have the private key for SSH or SSL/TLS, can I decrypt the traffic in Wireshark?
    • Try ssldump
