How to start and kill tcpdump within a script?

I found part of the answer on this Stack Overflow post.

To summarize, tcpdump was buffering its output before writing to the output file, and this caused issues when the script attempted to interrupt it. Adding the -U ("flush") option to tcpdump fixes this.

Also necessary were a sleep command immediately after issuing tcpdump to allow it to initialize, and also before killing it, to allow it to write to the file:

#!/bin/bash  

#start a process in the background (it happens to be a TCP HTTP sniffer on  the loopback interface, for my apache server):   

tcpdump -U -i lo -w dump.pcap 'port 80' &   
sleep 5

#.....other commands that send packets to tcpdump.....

#now interrupt the process.  get its PID:  
pid=$(ps -e | pgrep tcpdump)  
echo $pid  

#interrupt it:  
sleep 5
kill -2 $pid

For reference, from man tcpdump, under the -U option:

If  the -w option is specified, make the saved raw packet output 
``packet-buffered''; i.e., as each packet is saved,
it will be written to the output file, rather than being written only
 when the output buffer fills.

After this, the script worked fine.

Related videos on Youtube

10 : 38

Learn Wireshark in 10 minutes - Wireshark Tutorial for Beginners

Vinsloev Academy

542

13 : 01

TCPdump

Mauri sec

43

04 : 02

How to kill a command executed from a script? (3 Solutions!!)

Roel Van de Paar

7

08 : 52

Nexus Capture Tcpdump in Nexus Switch 9K

VPC Network

5

02 : 07

Ubuntu: How to start and kill tcpdump within a script?

Roel Van de Paar

5

02 : 24

Kill tcpdump process spawned by ssh when ssh dies

Roel Van de Paar

4

Author by

Life5ign

Updated on September 18, 2022