As per the tcpdump man page:
-i Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, ``eth0''.
On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. Note that captures on the ``any'' device will not be done in promiscuous mode.
So, looking at your output, it seems that the first available interface is bluetooth0, which does not allow packet printing, and thus the error.
However, when you set the -i flag to any, you're picking up any available interface that allows packet printing, and that's why it works in this case.
The problem can be with tcpdump itself: If it doesn't respond quickly enough then old packets will be overwritten with new ones, which means that they are dropped.
If you capture all the bytes of each packet, it's very easy to overrun the kernel's packet capture buffer. The symptoms of this overrun are that your packet trace program will report that it dropped packets.
In the case of tcpdump, it prints a summary of how many packets were captured, filtered, and dropped when you stop the capture. For example:
$ sudo tcpdump -i en0 -w trace.pcap
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
94 packets captured
177 packets received by filter
0 packets dropped by kernel
If the dropped count is non-zero, you need to increase the packet capture buffer size by passing the -B option to tcpdump.
Try it also without a capture file, to see if this improves the capture ratio.
Best Answer
If you just want tcpdump to run for n seconds and then quit, you could use timeout.
For example:
Otherwise I don't believe tcpdump has an option to do this.
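The following is an added example, not part of any answer above. It combines the two suggestions on this page: it stops tcpdump with timeout after a fixed number of seconds, then parses the exit summary to see whether the kernel dropped packets. The function names and the second sample summary are constructed for illustration.

```sh
#!/bin/sh
# Added example: run tcpdump for a fixed time, then read its exit summary.

# Read a tcpdump exit summary on stdin; print "captured received dropped".
# Exits 2 if any of the three counters is missing.
parse_tcpdump_summary() {
    awk '
        /packets? captured$/           { c = $1 }
        /packets? received by filter$/ { r = $1 }
        /packets? dropped by kernel$/  { d = $1 }
        END {
            if (c == "" || r == "" || d == "") exit 2
            print c, r, d
        }'
}

# Exit 0 if the summary on stdin reports kernel drops, 1 if none, 2 if unparsable.
summary_has_drops() {
    counts=$(parse_tcpdump_summary) || return 2
    [ "${counts##* }" -gt 0 ]
}

# Hypothetical wrapper: capture on interface $2 for $1 seconds into file $3.
# Needs capture privileges; the summary arrives on stderr.
timed_capture() {
    summary=$(timeout "$1" tcpdump -i "$2" -w "$3" 2>&1 >/dev/null) ||
        [ $? -eq 124 ] || return 1      # 124 = timeout expired, as intended
    if printf '%s\n' "$summary" | summary_has_drops; then
        echo "kernel dropped packets: rerun with a larger -B buffer" >&2
        return 3
    fi
    printf '%s\n' "$summary" | parse_tcpdump_summary
}

# Summary lines from the trace quoted above.
SAMPLE_CLEAN='94 packets captured
177 packets received by filter
0 packets dropped by kernel'

# Constructed sample showing an overrun.
SAMPLE_DROPS='5120 packets captured
9000 packets received by filter
3880 packets dropped by kernel'
```

A call such as timed_capture 10 any trace.pcap captures for ten seconds and returns 3 when the summary shows drops, so a script can retry with a larger -B value.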