Estou a tentar capturar o tcpdump para o tráfego de um porto em um arquivo, mas este não parece ser para capturar todos os pacotes. Comando eu uso é a seguinte:

tcpdump-w tdump.dat porta 22

Porque é que não é capturar todos os pacotes?

Aqui é a minha experiência:
root @ pmode-client6 adc-demo] # tcpdump porta 22
tcpdump: escutar na eth0
00:06:45.290838 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 4216814594 win 65415 (DF)
00:06:45.290865 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1:69 (68) ack 0 win 11792 (DF) [tos 0x10]
00:06:45.995979 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1:69 (68) ack 0 win 11792 (DF) [tos 0x10]
00:06:46.394715 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 69 win 65347 (DF)
00:06:46.394750 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 69:513 (444) ack 0 win 11792 (DF) [tos 0x10]
00:06:46.795739 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 513 win 64903 (DF)
00:06:46.795751 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 513:809 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:47.300580 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 809 win 64607 (DF)
00:06:47.300590 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 809:1105 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:47.697982 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 1105 win 64311 (DF)
00:06:47.697993 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1105:1401 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:48.106128 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 1401 win 65535 (DF)
00:06:48.106137 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1401:1697 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:48.598476 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 1697 win 65239 (DF)
00:06:48.598483 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1697:1993 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:49.007872 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 1993 win 64943 (DF)
00:06:49.007884 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 1993:2289 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:49.512090 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 2289 win 64647 (DF)
00:06:49.512100 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 2289:2585 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:49.913489 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 2585 win 64351 (DF)
00:06:49.913496 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 2585:2881 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:50.315388 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 2881 win 65535 (DF)
00:06:50.315401 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 2881:3177 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:50.813982 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 3177 win 65239 (DF)
00:06:50.813989 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 3177:3473 (296) ack 0 win 11792 (DF) [tos 0x10]
00:06:51.042979 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh: P 0:88 (88) ack 3177 win 65239 (DF)

26 pacotes recebidos pelo filtro
0 pacotes caíram kernel

[root @ pmode-client6 adc-demo] # tcpdump-w tdump.dat porta 22
tcpdump: escutar na eth0

6 pacotes recebidos pelo filtro
0 pacotes caíram kernel
[root @ pmode-client6 adc-demo] # tcpdump-r tdump.dat porta 22
00:08:56.741761 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 4216835054:4216835106 (52) ack 3917910214 win 11792 (DF) [tos 0x10]
00:08:57.157589 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 52 win 65483 (DF)
00:08:57.157610 172.21.76.96.ssh> SJC-vpn6-65.cisco.com.2654: P 52:120 (68) ack 1 win 11792 (DF) [tos 0x10]
00:08:57.562987 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh:. ack 120 win 65415 (DF)
00:09:06.055469 SJC-vpn6-65.cisco.com.2654> 172.21.76.96.ssh: P 1:89 (88) ack 120 win 65415 (DF)

Ambos os comandos foram executados por 10 secs. Na verdade Eu executei o comando com a opção-w por 15 segundos, mas ainda os pacotes capturados no despejo são apenas 6 são comparados a 26 pacotes sem salvar o arquivo opção. Qualquer motivo? O que eu posso fazer para capturar todos?

-Satish