
tcpdump on monitor-mode interface - nothing captured

I've been using tcpdump (version 4.1.1) to attempt to capture wireless frames from a monitor mode interface set up by airmon-ng. I say "attempt" because so far nothing has been happening. It's very odd:

tcpdump -i mon0

The above command works fine. I see all the beacons and probe requests and every other frame imaginable displayed across my screen. However, when I attempt to write the output to a capture file using

tcpdump -i mon0 -w captures.cap

absolutely nothing gets captured including layer 3 packets that contain actual data. When I kill tcpdump, it gives me

13507 packets captured
13507 packets received by filter
0 packets dropped by kernel

(13507 is an arbitrary number in this case) and a completely empty capture file.

However, when I perform capturing with tshark or wireshark on the same interface, frames are captured to files without any problems.

I would prefer to use tcpdump instead of wireshark as it doesn't have the overhead of a GUI and it has the "-z" option which allows me to take the capture file and pass it to a shell script that copies it to another computer on my network. There is no similar functionality with tshark or wireshark and I would very much like to avoid writing a program to check for the existence of a capture file.

Do I have a fundamental misunderstanding with the way tcpdump works or is there definitely something odd going on here? Is there perhaps a better way of doing what I'm doing or am I going to have to write my own libpcap-based capture program?

jvstech asked Apr 07 '11 17:04


2 Answers

Have you tried airodump-ng?

Not sure if it uses libpcap as its capture library, but it uses the pcap file format and has many options for channel selection, BSSID filtering etc.

a.out answered Oct 05 '22 01:10


It seems something is indeed wrong. On my Ubuntu the following works well.

sudo tcpdump -w ./test.cap

Perhaps you can try

sudo tcpdump -U -w ./test.cap

JP

JPBlanc answered Oct 05 '22 01:10
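As an added example (not code from either poster), here is the kind of "-z" post-rotate script the question describes: tcpdump hands it each finished save file, and it verifies the file is a real pcap that actually contains frames (not just the 24-byte global header an unflushed "-w" run can leave behind) before copying it off-box. The remote destination and the invocation in the comment are assumptions; "-U" makes tcpdump write each packet as it arrives instead of waiting for the output buffer to fill.

```bash
#!/bin/sh
# Post-rotate handler for tcpdump's -z option (added example, not from the original thread).
# Assumed invocation (rotate every 300 s, flush per packet, run this script on each file):
#   tcpdump -i mon0 -U -G 300 -w 'mon0-%s.cap' -z ./ship-capture.sh
# REMOTE is a placeholder destination; override it in the environment.
REMOTE="${REMOTE:-collector@collector.example.invalid:/var/captures/}"

# Return 0 only if the file starts with a pcap/pcapng magic number and holds at
# least one record beyond the 24-byte classic pcap global header.
pcap_has_frames() {
    f="$1"
    [ -s "$f" ] || return 1                 # missing or zero-length
    size=$(wc -c < "$f")
    [ "$size" -gt 24 ] || return 1          # header only: no frames were written
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) return 0 ;;      # classic pcap, little/big endian
        4d3cb2a1|a1b23c4d) return 0 ;;      # nanosecond-resolution pcap
        0a0d0d0a) return 0 ;;               # pcapng section header block
        *) return 1 ;;                      # not a capture file
    esac
}

# Copy a validated capture to the collector and remove the local copy on success.
ship_capture() {
    f="$1"
    if pcap_has_frames "$f"; then
        scp -q "$f" "$REMOTE" && rm -f "$f"
    else
        echo "skipping $f: empty or not a pcap" >&2
        return 1
    fi
}

# tcpdump passes the completed save file as the only argument.
if [ -n "${1:-}" ]; then
    ship_capture "$1"
fi
```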