I'm capturing traffic from a MikroTik router to my Linux server and writing it to a big file. I'm searching for a way to read from the current file end forward, since it is a several GB file and I can't afford to read from the start, but tshark (or tcpdump) needs to read the header first, otherwise it terminates with "Unrecognized libpcap format". So tail -f does not work. Any ideas?
So, I found a quick way to get something similar to what I was looking for: get the pcap header first and then tail from the current file end, using something like this:
(dd if=<CAPTUREFILE> bs=1 count=24; tail -c 0 -f <CAPTUREFILE>) | tcpdump -nn -r -
The only problem is that with this method I can't get some of the last packets, which is what I was looking for.

Kostas Papadimakis
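The pipeline in the answer has a gap it does not handle: `tail -c 0 -f` starts at whatever byte is the current end of file, which is usually the middle of a packet record, so the bytes that follow the 24-byte global header are not a valid record header and the reader loses sync. As an added example (not code from the question or the answer), this Python script parses the global header that `dd` supplies, scans the tail stream for a plausible record boundary, and rebuilds a pcap stream that tcpdump or tshark will accept; the sample capture and the sanity bounds in `plausible` are constructed for the example.

```python
import struct
MAGICS = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",  # magic -> byte order
          b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<"}  # (usec and nsec variants)
REC_HDR = 16  # per-record header: ts_sec, ts_frac, incl_len, orig_len (4 x uint32)

def parse_global_header(hdr):
    """Return (byte_order, snaplen) from the 24-byte global header `dd` supplies."""
    if len(hdr) != 24 or hdr[:4] not in MAGICS:
        raise ValueError("Unrecognized libpcap format")  # the same failure tcpdump reports
    order = MAGICS[hdr[:4]]
    return order, struct.unpack(order + "I", hdr[16:20])[0]

def plausible(order, snaplen, buf, off):
    """Sanity bounds for a record header: ts in 2000..2100, frac < 1e9, 0 < incl_len <= snaplen, orig_len."""
    if off + REC_HDR > len(buf):
        return False
    ts_sec, ts_frac, incl, orig = struct.unpack_from(order + "IIII", buf, off)
    return (946684800 <= ts_sec < 4102444800 and ts_frac < 1_000_000_000
            and 0 < incl <= snaplen and incl <= orig <= 262144)

def resync(order, snaplen, data):
    """Find the first record boundary in a stream that may begin mid-record (what `tail -c 0 -f`
    hands over) and return (records, bytes_consumed); records are (ts_sec, ts_frac, orig_len, bytes)."""
    def synced(off):  # header at off whose successor is also sane (or exactly ends the buffer)
        if not plausible(order, snaplen, data, off):
            return False
        nxt = off + REC_HDR + struct.unpack_from(order + "I", data, off + 8)[0]
        return nxt == len(data) or plausible(order, snaplen, data, nxt)
    off = next((o for o in range(len(data) - REC_HDR + 1) if synced(o)), len(data))
    records = []
    while off + REC_HDR <= len(data):
        ts_sec, ts_frac, incl, orig = struct.unpack_from(order + "IIII", data, off)
        if off + REC_HDR + incl > len(data):
            break  # partial trailing record: the writer has not finished it yet
        records.append((ts_sec, ts_frac, orig, data[off + REC_HDR:off + REC_HDR + incl]))
        off += REC_HDR + incl
    return records, off

def build_pcap(hdr, order, records):
    """Prepend the original global header so tcpdump/tshark accept the resynced stream."""
    out = bytearray(hdr)
    for ts_sec, ts_frac, orig, pkt in records:
        out += struct.pack(order + "IIII", ts_sec, ts_frac, len(pkt), orig) + pkt
    return bytes(out)

# Constructed sample capture (not from the question): little-endian, Ethernet, four records.
HDR = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
PKTS = [bytes([i]) * n for i, n in zip(range(1, 5), (60, 74, 1514, 98))]
BODY = b"".join(struct.pack("<IIII", 1700000000 + i, 1000 * i, len(p), len(p)) + p
                for i, p in enumerate(PKTS))
```

In a real pipeline the tail stream would be buffered, passed through `resync`, and `build_pcap`'s output written to tcpdump's stdin; the record that was cut off at the resync point is lost, which is the gap the answer describes.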