4

For tcpdump, I use this command to see the packet details:

tcpdump -vvv -i interface

and to save the packets into a pcap file:

tcpdump -i interface -w output

The details from the first command are less than the details that are being put into the pcap file using the second command.

How can I see the same details in the terminal?

1 Answer

7

The details from tcpdump -vvv -i interface are less than the details that are being put into the pcap file using tcpdump -i interface -w output.

That is correct.

With -w the full raw packet gets saved while otherwise tcpdump runs its internal parser to generate what the manual calls "a description of the packet data". (And not the "fully decoded" packet data.)

With -vvv you've also only selected one option ("even more verbose") of the command line options that tcpdump supports, but that single option doesn't cover the whole range of decoding options that is supported. There are more options in the manual that tune what gets displayed, which might be useful (depending on your needs).

For example with only the -vvv option the displayed packet description does not include the information you see when you add -e.

And regardless, the capabilities and decoding powers of that tcpdump internal packet parser fall short of the capabilities of a full packet analyser (with all kinds of protocol decoding plugins) like Wireshark.


I often find it useful to use the --print option in combination with -w to get tcpdump to print the parsed packet description to my console while the full packet data gets saved to a pcap file for further analysis.

I can see on the console and confirm that the event I want to analyse has been captured, stop tcpdump and then also have the pcap file to load in Wireshark for more detailed analysis.
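As an added example (not part of the answer above), a small POSIX shell script that combines the options discussed here: -vvv and -e for the most detailed console description, --print so that description is still shown while -w saves the raw packets, and a read-back with -r using the same decode flags to confirm the file holds at least what the terminal showed. It assumes tcpdump 4.99 or newer (the release that added --print), capture privileges, and placeholder interface and file names.

```shell
#!/bin/sh
# Decode flags used both while capturing and when reading the file back:
# -nn  no host/port name lookups (faster, and the output is stable)
# -vvv most verbose packet description tcpdump's parser produces
# -e   include the link-layer (Ethernet) header in each line
TCPDUMP_DECODE_FLAGS="-nn -vvv -e"

# Build the capture command as a string without running it, so the exact
# invocation can be reviewed (or asserted on) before it runs with privileges.
# Arguments: interface, output pcap file, number of packets to capture.
capture_cmd() {
    printf 'tcpdump -i %s -c %s %s --print -w %s\n' \
        "$1" "$3" "$TCPDUMP_DECODE_FLAGS" "$2"
}

# Run the capture: -c stops after N packets so the run ends on its own,
# --print writes the decoded description to stdout even though -w is set,
# and -w stores the complete raw packets (not the description) in the file.
capture_with_print() {
    # shellcheck disable=SC2086  # flags are meant to be word-split
    tcpdump -i "$1" -c "$3" $TCPDUMP_DECODE_FLAGS --print -w "$2"
}

# Read the saved file back with the same decode flags. The lines match what
# --print showed, and the file still holds the full bytes for Wireshark.
replay_pcap() {
    # shellcheck disable=SC2086
    tcpdump $TCPDUMP_DECODE_FLAGS -r "$1"
}

# When invoked as "./capture.sh run": capture 20 packets on the loopback
# interface (placeholder; use the interface of interest), then replay them.
if [ "${1:-}" = "run" ]; then
    capture_with_print lo /tmp/capture.pcap 20
    replay_pcap /tmp/capture.pcap
fi
```

Running the script as a privileged user with `run` shows the decoded packets twice: once live from --print and once from the file via -r.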
