This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Catalin_Ciubot2
Contributor
‎2025-10-16 06:28 AM

no more tcpdump in file with -w

Hello,

I used to save the tcpdump in a file with the command below

g_tcpdump -nni <interface> host <x> and host <y> -s 65535 -w /var/tmp/file

This was before applying take 113 to R81.20

Now I see that is not exporting anymore the packets but when I ran

g_tcpdump -nni <interface> host <x> and host <y> -s 65535

I see the packets on console.

I don't see the problem here, could you help?

Thanks!

10 Replies
Lesley
MVP Gold
MVP Gold
‎2025-10-16 06:32 AM

[Expert@SG-s01-01:0]# gclish

[Global] SG-s01-01 > tcpdump -mcap -w /tmp/capture.cap

Capturing packets...

Write "stop" and press enter to stop the packets capture process.

1_01:

tcpdump: listening on eth1-Mgmt4, link-type EN10MB (Ethernet), capture size 96 bytes

 

Clarification about this output:
At this moment, an administrator pressed the CTRL+C keys

 

stop

Received user request to stop the packets capture process.

 

Copying captured packets from all SGMs...

Merging captured packets from SGMs to /tmp/capture.cap...

Done.

[Global] SG-s01-01>

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Catalin_Ciubot2
Contributor
‎2025-10-16 06:43 AM
In response to Lesley

Thanks, but I have to capture on a specific interface with a filter, to avoid too many packets, and maybe performance load.

Lesley
MVP Gold
MVP Gold
‎2025-10-16 07:00 AM
In response to Catalin_Ciubot2

add -i flag all tcpdump Linux flags work here

-------
Please press "Accept as Solution" if my post solved it 🙂
Catalin_Ciubot2
Contributor
‎2025-10-16 07:19 AM
In response to Lesley

Once I add

-w /var/tmp/file

to the command, is creating an empty file 1 KB.

I repeat, without sending the output to file, the command is working.

For me this looks like another bug.

Lesley
MVP Gold
MVP Gold
‎2025-10-16 07:27 AM
In response to Catalin_Ciubot2

MyChassis-ch01-01 > tcpdump -mcap -w /tmp/capture.cap -nnni eth1-Mgmt4

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-16 02:18 PM
In response to Catalin_Ciubot2

Worked fine for me last time I tried on R81.20 and R82.

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-10-16 08:59 AM

Check on all your SGMs for the /var/tmp/file output file. 

0 Kudos
Catalin_Ciubot2
Contributor
‎2025-10-17 01:43 AM
In response to emmap

We are using SMO (Single Management Object). I'm pretty sure that I was using that syntax, I mentioned previously.

Now, I discover that is the one below.

g_tcpdump -mcap -w /var/tmp/testp.pcap -nni bond1.200 host x and host y

Why syntax changed?

emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-10-19 06:50 PM
In response to Catalin_Ciubot2

As far as I am aware it's always needed the mcap flag to merge the output files. It's in the R80.20SP admin guide at least.

0 Kudos
Hauke
Participant
‎2025-10-20 02:14 AM

Same issue!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events