I am trying to capture tcpdump for traffic to a port in a file but this does not seem to capture all the packets. Command I use is :

tcpdump -w tdump.dat port 22

Why is it not capturing all the packets ?

Here is my experiment:
root@pmode-client6 adc-demo]# tcpdump port 22
tcpdump: listening on eth0
00:06:45.290838 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 4216814594 win 65415 (DF)
00:06:45.290865 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 1:69(68) ack 0 win 11792 (DF) [tos 0x10]
00:06:45.995979 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 1:69(68) ack 0 win 11792 (DF) [tos 0x10]
00:06:46.394715 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 69 win 65347 (DF)
00:06:46.394750 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 69:513(444) ack 0 win 11792 (DF) [tos 0x10]
00:06:46.795739 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 513 win 64903 (DF)
00:06:46.795751 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 513:809(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:47.300580 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 809 win 64607 (DF)
00:06:47.300590 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 809:1105(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:47.697982 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 1105 win 64311 (DF)
00:06:47.697993 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 1105:1401(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:48.106128 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 1401 win 65535 (DF)
00:06:48.106137 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 1401:1697(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:48.598476 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 1697 win 65239 (DF)
00:06:48.598483 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 1697:1993(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:49.007872 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 1993 win 64943 (DF)
00:06:49.007884 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 1993:2289(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:49.512090 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 2289 win 64647 (DF)
00:06:49.512100 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 2289:2585(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:49.913489 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 2585 win 64351 (DF)
00:06:49.913496 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 2585:2881(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:50.315388 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 2881 win 65535 (DF)
00:06:50.315401 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 2881:3177(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:50.813982 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 3177 win 65239 (DF)
00:06:50.813989 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 3177:3473(296) ack 0 win 11792 (DF) [tos 0x10]
00:06:51.042979 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: P 0:88(88) ack 3177 win 65239 (DF)

26 packets received by filter
0 packets dropped by kernel

[root@pmode-client6 adc-demo]# tcpdump -w tdump.dat port 22
tcpdump: listening on eth0

6 packets received by filter
0 packets dropped by kernel
[root@pmode-client6 adc-demo]# tcpdump -r tdump.dat port 22
00:08:56.741761 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 4216835054:4216835106(52) ack 3917910214 win 11792 (DF) [tos 0x10]
00:08:57.157589 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 52 win 65483 (DF)
00:08:57.157610 172.21.76.96.ssh > sjc-vpn6-65.cisco.com.2654: P 52:120(68) ack 1 win 11792 (DF) [tos 0x10]
00:08:57.562987 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: . ack 120 win 65415 (DF)
00:09:06.055469 sjc-vpn6-65.cisco.com.2654 > 172.21.76.96.ssh: P 1:89(88) ack 120 win 65415 (DF)

Both the commands were run for 10 secs. In fact I ran the command with -w option for 15 secs but still the captured packets in the dump are are just 6 compared to 26 packets without the file save option. Any reason ? What I can I do to capture all ?

-Satish

You can use snoop to capture packets

check the man pages for details

#snoop -x0 port 22

This is not the answer I am looking for. I believe tcpdump is a widely used free utility to capture network packets in a file. Can someone else update me on using tcpdump to capture all the packets in a file ?

In the future, if you want good answers to your questions, please do not use small fonts or colored fonts.

I, for one, find your original post very difficult to read. I think most readers will quickly go to "next post" when they encounter a post that is an eye strain

Sounds like some bottleneck in the system, perhaps a problem with the buffers. Try instead. Using a pipe should bring relief.

I got over the problem. Actually, when you display the ssh dump over a remote monitor, even the bytes transferred for the display will be captured and will result in more packets in the tcpdump compared to if we want to run the tcpdump just on the host.