
When trying to capture tcpdump output to a file, I get the following:

▒ò▒▒▒▒3▒X▒▒<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒X▒▒<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒X▒▒<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒X▒<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒Xu<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒X▒<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒X▒D<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒X▒D<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒X5▒<<▒▒▒▒▒▒▒4▒4▒b 7 7▒▒3▒X▒<<▒▒▒▒▒▒▒4▒4▒b

If I run tcpdump without -w, the output displays fine in the shell.

Here is the input:

tcpdump -i eth0 -Z root -w `date '+%m-%d-%y.%T.pcap'`
deconstruct

1 Answer


tcpdump -w writes the raw file, which is not meant for reading directly. You can read the file back with the tcpdump -r option as suggested in the man page:

-r Read packets from file (which was created with the -w option). Standard input is used if file is ‘‘-’’.

-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ‘‘-’’. See pcap-savefile(5) for a description of the file format.

Another option would be to redirect the output without using the -w option:

tcpdump -i eth0 -Z root > `date '+%m-%d-%y.%T.pcap'`

But, if I remember correctly, you don't get exactly what would be written with the -w option.

vdavid
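Added example, not from the original post and not tcpdump's own code: a small Python parser for the pcap-savefile(5) format that -w writes. It shows why the file reads as noise when printed to a terminal (a binary global header followed by binary per-record headers), and it gives a quick check for telling a real savefile apart from redirected text output, which is the difference the answer is pointing at. The two-packet capture it parses is constructed in memory; the frame bytes, timestamps, the 262144 snaplen and the sample text line are all made up, and the function names are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Parse the pcap savefile format that `tcpdump -w` produces (see pcap-savefile(5)).

Added example: this is not tcpdump's code. The sample bytes below are constructed
by hand to stand in for a real capture file.
"""
import struct
import sys
from typing import Dict, List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps in microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps in nanoseconds
GLOBAL_HDR_LEN = 24            # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16            # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def detect_endianness(magic_bytes: bytes) -> Tuple[str, str]:
    """Return (struct byte-order prefix, timestamp resolution) for a pcap magic.

    The writer stores the magic in its native byte order, so a reader has to try
    both orders; a file matching neither is not a savefile (e.g. redirected text).
    """
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic == PCAP_MAGIC_USEC:
            return endian, "us"
        if magic == PCAP_MAGIC_NSEC:
            return endian, "ns"
    raise ValueError("not a pcap savefile: magic bytes %s" % magic_bytes.hex())


def parse_pcap(data: bytes) -> Dict:
    """Parse a whole savefile into its global header and a list of records."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    endian, resolution = detect_endianness(data[:4])
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    packets: List[Dict] = []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        # incl_len is what was saved (capped by snaplen); orig_len is the wire length.
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError("implausible record lengths at offset %d" % off)
        if len(data) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append({"ts_sec": ts_sec, "ts_frac": ts_frac, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return {"version": (major, minor), "thiszone": thiszone, "sigfigs": sigfigs,
            "snaplen": snaplen, "linktype": linktype, "resolution": resolution,
            "packets": packets}


def is_pcap(data: bytes) -> bool:
    """Cheap check: did -w produce this file, or is it redirected text output?"""
    try:
        detect_endianness(data[:4])
        return True
    except (ValueError, struct.error):
        return False


def build_sample_pcap(big_endian: bool = False) -> bytes:
    """Construct a two-packet savefile by hand (sample data, not a real capture)."""
    endian = ">" if big_endian else "<"
    header = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 262144,
                         LINKTYPE_ETHERNET)
    # Constructed Ethernet frames: broadcast dst, made-up src, EtherType IPv4, filler.
    frame1 = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"A" * 28
    frame2 = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"B" * 46
    records = b""
    for i, frame in enumerate((frame1, frame2)):
        records += struct.pack(endian + "IIII", 1700000000 + i, 0, len(frame), len(frame))
        records += frame
    return header + records


# Constructed line in the style of tcpdump's text output, i.e. what
# `tcpdump ... > file` (without -w) leaves behind. It is not a savefile.
TEXT_OUTPUT_SAMPLE = (
    b"12:34:56.000001 IP 10.0.0.1.22 > 10.0.0.2.54321: Flags [P.], seq 1:2, length 1\n"
)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_pcap()
    cap = parse_pcap(blob)
    print("pcap v%d.%d linktype=%d snaplen=%d %d packet(s)" % (
        cap["version"] + (cap["linktype"], cap["snaplen"], len(cap["packets"]))))
    for p in cap["packets"]:
        print("%d.%06d len=%d" % (p["ts_sec"], p["ts_frac"], p["incl_len"]))
```

Run it with no argument to parse the built-in sample, or pass the path of the file -w produced to print its header and per-packet lengths. A file created by redirecting tcpdump's text output fails at the magic check, which is the quickest way to confirm which of the two commands in the answer actually produced a given file; for normal use, tcpdump -r (or Wireshark) remains the right reader.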