I don't always capture packets, but when I do I use tcpdump

2006-11-07 16:22 PST

When network issues arise and I find myself in need of some good, old-fashioned packet capture, I usually turn to tcpdump. tcpdump gives me an easy way to capture packets from the command line that I can either look at live or analyze later, perhaps using Ethereal (now Wireshark).

Often when I set up a capture, I am looking for an event that happens periodically but that I cannot replicate on demand. It could be an issue that I only see once every 24 hours or so. I want to set up a capture that continuously collects data which I can analyze after the next event. Usually I have a couple of restrictions (often in terms of free space on my capture host), so I need a way to manage the capture files so that I don't run out of space. What follows is a breakdown of the command I use most often to capture packets.

tcpdump -i eth0 -nnvvXS -s 0 -W 100 -G 3600 -C 100 -w %Y-%m-%dT%T%z.pcap

Here is the breakdown:

-i eth0: capture on interface eth0.
-nn: do not resolve host names or port names, so the capture runs without DNS lookups.
-vv: be more verbose. Since the packets are being written with -w rather than printed, the main effect on current versions is that tcpdump reports to stderr, once per second, how many packets it has captured.
-X: print each packet in hex and ASCII.
-S: print absolute rather than relative TCP sequence numbers.
Note that -nn, -X and -S only affect decoded output. With -w the raw packets go to the file unchanged, so these flags can just as well be given later when reading the file back (tcpdump -r file.pcap -nnvvXS).
-s 0: snaplen 0, i.e. capture whole packets rather than the old default of 68 bytes. tcpdump 4.0 and later default to the full packet, so there -s 0 is harmless but unnecessary.
-C 100: start a new file when the current one reaches 100 million bytes (tcpdump's unit is 1,000,000 bytes, not MiB).
-G 3600: also start a new file every 3600 seconds. The -w name is run through strftime(3) at each rotation, which is what makes the timestamped filenames work.
-W 100: limit the number of files to 100. With -C this gives a rotating buffer of at most 100 x 100 MB = 10 GB, the oldest file being overwritten. Read the -W entry of your tcpdump's man page before relying on that, though: it states that with -G the limit makes tcpdump exit with status 0 after that many files rather than wrap around, and that when -C and -G are both given, -C is ignored except for its effect on the file name. Test the combination on your version before trusting it to bound disk usage.
-w %Y-%m-%dT%T%z.pcap: write raw packets to a file named with the rotation time, e.g. 2006-11-07T16:22:00-0800.pcap. Quote the pattern in the shell, and watch for the classic typo $m in place of %m: the shell silently expands $m to an empty string and the month disappears from the filename.
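Before starting a capture that may run for days, I want to know the file names will come out right and that the ring buffer fits on the disk. The script below is an added example and is not part of the original post or of tcpdump itself; the function names and the /var/captures directory are made up for the example. It validates the -w pattern (catching the $m-for-%m typo and a pattern with no strftime field at all), shows what the first file name expands to via date(1), computes the worst-case size of a -W/-C ring buffer in tcpdump's 1,000,000-byte units, and compares that against free space in the output directory before printing the capture command to run.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# ring-buffer capture command above. The function names and the default
# capture directory (/var/captures) are made up for this example.

# Worst-case bytes a "-W N -C M" ring buffer can occupy. tcpdump's -C unit is
# millions of bytes (1,000,000), not MiB, so 100 x 100 is 10 GB, not 10 GiB.
ring_budget_bytes() {
    echo $(( $1 * $2 * 1000000 ))
}

# Validate a -w pattern meant for -G rotation. It must contain a strftime
# conversion, otherwise every rotation rewrites the same file; a literal '$'
# is almost always a typo for '%' (the shell expands "$m" to nothing).
check_pattern() {
    case $1 in
        *'$'*) echo "check_pattern: '\$' in pattern, did you mean '%'? ($1)" >&2; return 1 ;;
        *%*)   return 0 ;;
        *)     echo "check_pattern: no strftime field, -G would keep overwriting one file ($1)" >&2; return 1 ;;
    esac
}

# Expand the pattern the way tcpdump -G does for the first file, using date(1),
# which accepts the same strftime(3) conversions.
expand_pattern() {
    date +"$1"
}

# Does the ring buffer fit in the free space of the output directory?
# df -Pk reports KiB; the comparison is done in bytes.
fits_on_disk() {
    avail_kib=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kib" ] || return 1
    [ $(( avail_kib * 1024 )) -ge "$2" ]
}

# Wrap the checks around the capture command from the post.
preflight() {
    dir=${1:-/var/captures}     # hypothetical capture directory
    pat='%Y-%m-%dT%T%z.pcap'
    check_pattern "$pat" || return 1
    need=$(ring_budget_bytes 100 100)
    echo "first file: $dir/$(expand_pattern "$pat")"
    echo "ring buffer worst case: $need bytes"
    if fits_on_disk "$dir" "$need"; then
        echo "ok, start the capture (needs root):"
        echo "tcpdump -i eth0 -v -s 0 -W 100 -G 3600 -C 100 -w '$dir/$pat'"
    else
        echo "not enough free space in $dir for $need bytes" >&2
        return 1
    fi
}

# Run the checks only when a directory is given, e.g.: sh capture-preflight.sh /var/captures
[ $# -gt 0 ] && preflight "$1"
```

The printed tcpdump command drops -nnXS on purpose: those flags only change how packets are decoded for display, which is irrelevant when writing raw packets with -w, while -v keeps the once-per-second packet count on stderr so I can see the capture is alive.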

This will, of course, capture every packet seen on eth0. If you want to filter the packets before they are written, there are some great examples at A tcpdump Primer.

Here are some references that I use often: