Packet capturing on Linux

This discussion has a more recent version.
Posted by JaliJali (F-Secure Employee)

When problems occur, packet capturing is sometimes helpful for troubleshooting to see what happens on the server. This article explains how you can capture packets on Linux.

To capture packets on Linux:

  1. Start packet capturing by running the following command:

    # tcpdump -i any -p -s 0 -l -w [filename.cap]

    (Use an arbitrary file name for filename.cap, e.g. fsigk-20100101.cap.)

    (If you use a remote ssh connection, it is better to exclude the packets belonging to that ssh session by adding the filter "not port ssh" to the options, i.e. tcpdump -i any -p -s 0 -l -w filename.cap not port ssh.)
  2. Reproduce the problem.
  3. Stop capturing by pressing Ctrl-C.

The capturing result is stored in the filename.cap file.

To check that the packets are correctly captured:
  1. Run the following command (example):

    # tcpdump -i any -p -s 0 -l -w fsigk-20070101.cap
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

    *** re-produce the problem, here ***

    *** Push Ctrl-C after the problem happens ***

    80 packets captured
    80 packets received by filter
    0 packets dropped by kernel

    # tcpdump -n -r fsigk-20070101.cap
    reading from file fsigk-20070101.cap, link-type LINUX_SLL (Linux cooked)
    14:46:02.087325 IP 192.168.3.110.ssh > 192.168.3.100.38877: P 3536306927:3536307055(128) ack 3370430943 win 2728 <nop,nop,timestamp 948891483 218615016>
    14:46:02.087331 IP 192.168.3.110.ssh > 192.168.3.100.38877: P 0:128(128) ack 1 win 2728 <nop,nop,timestamp 948891483 218615016>
    14:46:02.087430 IP 192.168.3.100.38877 > 192.168.3.110.ssh: . ack 128 win 19292 <nop,nop,timestamp 218615017 948891483>
    ...
  2. You can also check and analyze the packet capture result (xxx.cap) by using Wireshark on Windows or Linux. For more information on Wireshark, see http://www.wireshark.org/.
  3. To read the file, double-click xxx.cap or select File > Open.
  4. To see the stream, select the packet first, right-click it and then select Follow TCP Stream.
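The following helper script is an added example, not part of the original post or of any F-Secure tool. It wraps the capture command from the steps above (with the optional "not port ssh" filter) and adds the two checks worth doing before a capture file is shipped off for analysis: that tcpdump's closing summary reports no packets dropped by the kernel, and that the file really starts with a pcap magic number. The function names are the author's own choice.

```shell
#!/bin/sh
# Added helper (not from the original article): builds the article's tcpdump
# command and sanity-checks the result before it is sent for analysis.

# Build the tcpdump command line from the article. Passing "ssh" as the second
# argument appends the "not port ssh" filter recommended for remote sessions.
build_capture_cmd() {
    file="$1"
    cmd="tcpdump -i any -p -s 0 -l -w $file"
    if [ "$2" = "ssh" ]; then
        cmd="$cmd not port ssh"
    fi
    printf '%s\n' "$cmd"
}

# Parse tcpdump's closing summary text (the "N packets dropped by kernel" line),
# print the number of dropped packets, and return 1 if anything was dropped:
# a capture with kernel drops may be missing exactly the packets that matter.
dropped_by_kernel() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) packets dropped by kernel.*/\1/p')
    if [ -z "$n" ]; then
        n=0
    fi
    printf '%s\n' "$n"
    [ "$n" -eq 0 ]
}

# Check the first four bytes of the file so an empty or truncated capture is
# noticed early. Accepts classic pcap in either byte order (a1b2c3d4 / d4c3b2a1)
# and the nanosecond-timestamp variants (a1b23c4d / 4d3cb2a1).
is_pcap_file() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run the capture with `sh -c "$(build_capture_cmd fsigk-20100101.cap ssh)"` as root, then pass the summary tcpdump prints at Ctrl-C to dropped_by_kernel and the file name to is_pcap_file.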