> Yes, just have to use 'tcpdump -w <filename> <some filter>'
>
> example: tcpdump -i eth0 -w /tmp/tcpdump.cap port 80

With the tweak of adding "-s 0" to capture full packets rather than only (roughly) packet headers. This is necessary if you want to later run Bro on the trace.

Vern
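To check whether an existing trace was written with a short snapshot length (that is, without "-s 0"), the capture file's own headers can be compared packet by packet. The following is an added example, not part of the original message or of tcpdump or Bro; the function names, the snaplen values 68 and 65535, and the sample capture bytes are constructed for illustration.

```python
import struct

# Classic pcap magic values as seen when the first 4 bytes are read little-endian:
# microsecond and nanosecond timestamp variants, each in either byte order.
_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def truncation_report(data: bytes) -> dict:
    """Parse a classic pcap byte string and count packets cut short by the snaplen."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    end = _MAGICS[magic]
    # Global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    snaplen = struct.unpack(end + "IHHiIII", data[:24])[5]
    total = truncated = 0
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on wire)
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        total += 1
        if incl_len < orig_len:
            truncated += 1  # payload bytes were dropped at capture time
        off += 16 + incl_len
    return {"snaplen": snaplen, "packets": total, "truncated": truncated}

def _sample(snaplen: int, wire_lens) -> bytes:
    """Constructed capture: every packet is zero bytes, cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n in wire_lens:
        kept = min(n, snaplen)
        out += struct.pack("<IIII", 0, 0, kept, n) + bytes(kept)
    return out

if __name__ == "__main__":
    wire = [60, 1514, 590]  # constructed on-the-wire packet sizes
    # Assumed small snaplen (headers only) versus a full-packet capture
    print(truncation_report(_sample(68, wire)))
    print(truncation_report(_sample(65535, wire)))
```

A non-zero "truncated" count means payload was lost at capture time and cannot be recovered from the file; the capture has to be repeated with full packets.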