If this problem happens on Ubuntu, it is possible that AppArmor (Ubuntu's access control system) may be interfering with tcpdump when it attempts to read from a packet dump.
To verify this behavior:
Jan 7 10:48:50 server kernel: [1706354.881017] type=1400 audit(1389109730.217:14): apparmor="DENIED" operation="open" parent=26733 profile="/usr/sbin/tcpdump" name="/home/dev/packet.dump" pid=26734 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=1001
To avoid this problem, you can disable the restrictive AppArmor profile for tcpdump temporarily as follows.
If you want to disable the AppArmor profile permanently across reboots, refer to this tutorial.
Subscribe to Ask Xmodulo
Do you want to receive Linux related questions & answers published at Ask Xmodulo? Enter your email address below, and we will deliver our Linux Q&A straight to your email box, for free. Delivery powered by Google Feedburner.
Did you find this tutorial helpful? Then please be generous and support Xmodulo!