tcpdump only showing output after stopping it

Question

I am trying to see if I get ping packets through one interface but tcpdump shows nothing. However, as soon as I stop it (Ctrl + C), all the packets appear and the summary looks good.

For example:

11:49:45.486887 IP 11.0.0.1 > 11.0.0.9: ICMP echo reply, id 13532, seq 1, length 64

And here the summary:

10 packets captured
10 packets received by filter
0 packets dropped by kernel

I normally see the traffic "live" but I don't understand why now it is hidden until I stop tcpdump. Can somebody point me to what might be happening?

add the -n flag to your tcpdump to remove DNS lookups, this can cause this problem is you have a slow / broken DNS server. — Tim Fletcher, Sep 22 '16 at 11:56
I tried: `tcpdump -ni qr-414d2474-1b icmp` but it did not fix the problem. Thanks! — mosquetero, Sep 22 '16 at 11:57

score 8 · Accepted Answer · answered Sep 22 '16 at 12:01

8

You probably want the -l or -U option. See the info in man page ...

   -l     Make  stdout  line buffered.  Useful if you want to see the data
          while capturing it.
          ...
          -U is similar to -l in its behavior, but it will cause output to
          be  ``packet-buffered'', so that the output is written to stdout
          at the end of each packet rather than at the end of  each  line;

answered Sep 22 '16 at 12:01

Paul Haldane

4,517
1
21
32

1

Yeah, that worked! I should have read the manual but in other environments I am never adding the -l and it works. Do you know if this is something new? – mosquetero Sep 22 '16 at 12:30
1

Been there as long as I can remember. I suspect I just add it without thinking when displaying direct to terminal but mostly only needed for captures that produce little output. – Paul Haldane Sep 22 '16 at 12:48

tcpdump only showing output after stopping it

1 Answers1