When problems occur, capturing packets is sometimes helpful for troubleshooting, because it shows what actually happens on the wire at the server. This article explains how to capture packets on Linux with tcpdump.
To capture packets on Linux:
1. Start packet capturing by running the following command:
   # tcpdump -i any -p -s 0 -l -w [filename.cap]
   (Use an arbitrary filename for filename.cap, e.g.
   (If you use a remote ssh connection, it is better to exclude packets related to ssh by adding the filter expression not port ssh to the command.)
2. Reproduce the problem.
3. Stop capturing by pressing Ctrl-C.
4. The capturing result is stored in the filename.cap file.
To check that the packets are correctly captured:
Run the following command (example):
# tcpdump -i any -p -s 0 -l -w fsigk-20070101.cap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
*** re-produce the problem, here ***
*** Push Ctrl-C after the problem happens ***
80 packets captured
80 packets received by filter
0 packets dropped by kernel
# tcpdump -n -r fsigk-20070101.cap
reading from file fsigk-20070101.cap, link-type LINUX_SLL (Linux cooked)
14:46:02.087325 IP 192.168.3.110.ssh > 192.168.3.100.38877: P 3536306927:3536307055(128) ack 3370430943 win 2728 <
>14:46:02.087331 IP 192.168.3.110.ssh > 192.168.3.100.38877: P 0:128(128) ack 1 win 2728 <
>14:46:02.087430 IP 192.168.3.100.38877 > 192.168.3.110.ssh: . ack 128 win 19292 <
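The following wrapper script is an added example, not part of the original article, that automates the two procedures above: it builds the same tcpdump command line, appends "not port ssh" automatically when the shell is running inside an ssh session (it assumes the standard OpenSSH behaviour of exporting SSH_CONNECTION), and after Ctrl-C verifies the resulting file with tcpdump -n -r. The date-based filename and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): wrapper around the
# capture and verification steps described above.

# Return the filter to append when the shell was started over ssh.
# Assumption: OpenSSH exports SSH_CONNECTION for remote sessions, so
# its presence means our own ssh traffic would otherwise flood the capture.
ssh_exclusion() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "not port ssh"
    fi
}

# Build the article's capture command for file $1, with optional filter $2
# appended after the options (tcpdump expects the filter expression last).
build_capture_cmd() {
    file="$1"
    filter="$2"
    if [ -n "$filter" ]; then
        printf 'tcpdump -i any -p -s 0 -l -w %s %s\n' "$file" "$filter"
    else
        printf 'tcpdump -i any -p -s 0 -l -w %s\n' "$file"
    fi
}

# Check that the capture file exists and is non-empty, then print how many
# packet lines tcpdump can read back from it. Returns 1 on an empty/missing file.
verify_capture() {
    file="$1"
    [ -s "$file" ] || return 1
    tcpdump -n -r "$file" 2>/dev/null | wc -l
}

main() {
    # Filename pattern is this example's choice (e.g. fsigk-20070101.cap).
    file="fsigk-$(date +%Y%m%d).cap"
    cmd=$(build_capture_cmd "$file" "$(ssh_exclusion)")
    echo "Running: $cmd"
    echo "Reproduce the problem, then press Ctrl-C to stop capturing."
    # Word splitting of $cmd is intentional: it is the command line to run.
    $cmd
    echo "Packets readable from $file:"
    verify_capture "$file"
}

# Only start a capture when invoked as "capture.sh run"; sourcing the file
# (for example from a test) just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root with `sh capture.sh run`; the script must be started with root privileges because tcpdump needs them to open the interface, and the verification step prints the number of packets the file contains so an empty or truncated capture is noticed before it is sent for analysis.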