When network issues arise and I find myself in need of some good, old-fashioned packet capture, I usually turn to tcpdump. tcpdump gives me a nice, easy way to capture packets from the command line that I can either look at live or analyze later - perhaps using
Often when I set up a capture, I am looking for an event that happens periodically, but one that I often cannot replicate. It could be an issue that I only see once every 24 hours or so. I want to set up a capture to continuously collect data that I can analyze after the next event. Usually I have a couple of restrictions (often in terms of free space on my capture host) so I will need to set up a way to manage capture files so that I don’t run out of space. What follows is a breakdown of the command I use most often to capture packets.
tcpdump -i eth0 -nnvvXS -s 0 -W 100 -G 3600 -C 100 -w %Y-%m-%dT%T%z.pcap
Here is the breakdown:
-i eth0: indicates the interface I wish to capture from.
-nnvvXS: this is several flags in one.
-nn: don't do DNS or port name resolution.
-n: would only prevent hostname resolution.
-vv: increases the verbosity (I think you can use up to three 'v's to get even more).
-X: prints packet data in ASCII and hex.
-XX: would include the Ethernet header too, and that can be useful at times.
-S: prints absolute TCP sequence numbers.
-s 0: defines the snap length - the default is 65535 bytes, and '0' sets it to the same - this is an old habit that I need to break.
-W 100: defines a file count of 100.
-G 3600: defines the number of seconds that should elapse before a new capture file is created (3600 = 1 hour).
-C 100: indicates the maximum size any single capture file should be, in megabytes.
-w %Y-%m-%dT%T%z.pcap: is simply the output filename in strftime format - you could use anything here, like output.pcap, if you wanted, but if you want files captured circularly by time (using -G) then you need to have a strftime string in the filename.
This of course will capture every packet; if you want to filter the packets before you capture them, there are some great examples at A tcpdump Primer.
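Since the whole point of the rotating capture above is not running out of disk on the capture host, here is an added helper script (my own example, not part of the original post or of tcpdump) that sizes the ring from the -W and -C values and prunes the oldest files named by the -w '%Y-%m-%dT%T%z.pcap' pattern. The capture directory, retention count and reserve values are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): keep a rotating tcpdump capture
# directory from filling the disk. Assumes files were written with
# -w '%Y-%m-%dT%T%z.pcap' as in the command above; directory names and
# retention numbers are constructed placeholders.

# Worst-case footprint (MB) of the ring: every -W file filled to the -C limit.
max_ring_mb() {            # $1 = -W file count, $2 = -C megabytes per file
    echo $(( $1 * $2 ))
}

# List capture files oldest-first. The strftime name YYYY-MM-DDTHH:MM:SS+ZZZZ
# sorts chronologically under a plain lexical sort as long as every file
# shares the same UTC offset. Files that -C split inside one -G interval get
# a numeric suffix after .pcap, which still sorts after the unsuffixed file.
list_captures() {          # $1 = capture directory
    ls "$1" 2>/dev/null \
      | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:]{8}[+-][0-9]{4}\.pcap[0-9]*$' \
      | sort
}

# Delete all but the newest $2 capture files in $1; prints how many were removed.
prune_captures() {         # $1 = capture directory, $2 = number of files to keep
    total=$(list_captures "$1" | wc -l)
    excess=$(( total - $2 ))
    [ "$excess" -gt 0 ] || { echo 0; return 0; }
    list_captures "$1" | head -n "$excess" | while read -r f; do
        rm -f "$1/$f"
    done
    echo "$excess"
}

# Refuse to start a capture when the full ring plus a reserve will not fit.
check_space() {            # $1 = dir, $2 = -W, $3 = -C, $4 = reserve MB to keep free
    free_mb=$(df -P -k "$1" | awk 'NR==2 { print int($4/1024) }')
    [ "$free_mb" -ge $(( $(max_ring_mb "$2" "$3") + $4 )) ]
}

# Usage (the capture itself needs root):
#   check_space /var/tmp/pcap 100 100 1024 && \
#   tcpdump -i eth0 -nnvvXS -s 0 -W 100 -G 3600 -C 100 -w '/var/tmp/pcap/%Y-%m-%dT%T%z.pcap'
```

Run prune_captures from cron (or a loop in the same wrapper) with a keep count below -W so the ring never exceeds the budget check_space verified.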
Here are some references that I use often: