We have a script which calls
tcpdump -v src host <IP address> and port <port number> >>out.txt 2>>err.txt -w capture.cap
on multiple IPs while the other parts of the script initiate some traffic in the background.
We want to check if packets are coming back to us, and examine manually only those cases when we receive packages. tcpdump's error output seemed fine for this at first, but.
The question is, as the subject suggests, what's the difference between "packets captured" and "packets received by filter"? There are captures which did not record any packets, but output "0 packets captured, 2 packets received by filter", which sounds like a contradiction, since if no packets were captured, how were 2 of them filtered? At first, we had been looking for "0 packets received by filter", but that isn't always written to error output when there were no packets received. So what do these numbers show?
I need to know what to look for if we want to filter out those cases when no reply packets were received.
Best Answer
I hope this sheds some light on the issue. From the manpage:
And there's a mailing list entry from 2009 explaining:
Maybe the process is killed too quickly? There's also a -c N flag telling tcpdump to exit when N packets were captured. Since your issue seems pretty specialized, you could also use libpcap directly or via one of the hundreds of language bindings.
To your question, since all you get are the captured packages in the capture.cap file, you could just look at the runs where it's not empty and examine these, i.e., uhm, count the lines? There probably is a better way using libpcap to return the number of entries in the capture file...