I've been using tcpdump (version 4.1.1) to attempt to capture wireless frames from a monitor mode interface set up by airmon-ng. I say "attempt" because so far nothing has been happening. It's very odd:
tcpdump -i mon0
The above command works fine. I see all the beacons and probe requests and every other frame imaginable displayed across my screen. However, when I attempt to write the output to a capture file using
tcpdump -i mon0 -w captures.cap
absolutely nothing gets captured including layer 3 packets that contain actual data. When I kill tcpdump, it gives me
13507 packets captured
13507 packets received by filter
0 packets dropped by kernel
(13507 is an arbitrary number in this case) and a completely empty capture file.
However, when I perform capturing with tshark or wireshark on the same interface, frames are captured to files without any problems.
I would prefer to use tcpdump instead of wireshark as it doesn't have the overhead of a GUI and it has the "-z" option which allows me to take the capture file and pass it to a shell script that copies it to another computer on my network. There is no similar functionality with tshark or wireshark and I would very much like to avoid writing a program to check for the existence of a capture file.
Do I have a fundamental misunderstanding with the way tcpdump works or is there definitely something odd going on here? Is there perhaps a better way of doing what I'm doing or am I going to have to write my own libpcap-based capture program?
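The "-z" hand-off mentioned above, shown as an added example that is not part of the original post: tcpdump only calls the -z command when it is rotating files with -C (size) or -G (seconds), and it runs it as "command savefile" once per finished file. The script below is such a handler; the copy to a local DEST_DIR is an assumed stand-in for the scp/rsync step to the other machine, and the script name ship_capture.sh and the mon0/60-second values are only illustrative.

```shell
#!/bin/sh
# Added example of a tcpdump -z post-rotate handler (not code from the
# original post). tcpdump invokes "<command> <savefile>" once per rotated
# file when -z is combined with -C or -G.
# Assumption: DEST_DIR is a local drop directory standing in for the remote
# copy; replace the cp with scp/rsync for a real remote destination.

DEST_DIR="${DEST_DIR:-/tmp/capture-drop}"   # assumed drop directory

# ship_capture FILE
# Copies a finished rotation file to DEST_DIR, verifies the copy
# byte-for-byte, and only then removes the local original. Returns non-zero
# on any failure so the original is kept and the error shows in tcpdump's
# stderr.
ship_capture() {
    src="$1"
    [ -n "$src" ] || { echo "ship_capture: no file given" >&2; return 2; }
    [ -f "$src" ] || { echo "ship_capture: $src is not a regular file" >&2; return 2; }
    mkdir -p "$DEST_DIR" || return 1
    dst="$DEST_DIR/$(basename "$src")"
    cp "$src" "$dst" || return 1
    if cmp -s "$src" "$dst"; then
        rm -f "$src"
        echo "shipped $src -> $dst"
        return 0
    fi
    echo "ship_capture: copy of $src does not match, keeping original" >&2
    rm -f "$dst"
    return 1
}

# Typical invocation (not run here): rotate every 60 seconds, timestamp each
# file name, and hand every finished file to this script.
#   tcpdump -i mon0 -G 60 -w 'mon0-%Y%m%d-%H%M%S.cap' -z /path/to/ship_capture.sh
# When tcpdump executes this script with a filename argument, act as the handler.
if [ $# -gt 0 ]; then
    ship_capture "$1"
fi
```

Because tcpdump keeps writing to the next rotation file while the handler runs, the copy step does not interrupt the capture, and keeping the original on any verification failure means a flaky network never loses frames.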