When network issues arise and I find myself in need of some good, old-fashioned packet capture, I usually turn to tcpdump. tcpdump gives me a nice, easy way to capture packets from the command line that I can either look at live or analyze later - perhaps using Ethereal/Wireshark.
Often when I set up a capture, I am looking for an event that happens periodically, but one that I cannot reproduce on demand. It could be an issue that I only see once every 24 hours or so. I want to set up a capture that continuously collects data I can analyze after the next event. Usually I have a couple of restrictions (often in terms of free space on my capture host), so I need a way to manage capture files so that I don't run out of space. What follows is a breakdown of the command I use most often to capture packets.
tcpdump -i eth0 -nnvvXS -s 0 -W 100 -G 3600 -C 100 -w %Y-%m-%dT%T%z.pcap
Here is the breakdown:
tcpdump: self explanatory.
-i eth0: indicates the interface I wish to capture from.
-nnvvXS: this is several flags in one:
-nn: don't do DNS or port name resolution. -n would only prevent hostname resolution.
-vv: increases the verbosity (I think you can use up to three 'v's to get even more).
-X: prints packet data in ASCII and hex. -XX would include the ethernet header too, and that can be useful at times.
-S: prints absolute TCP sequence numbers.
-s 0: defines the snap length - the default is 65535 bytes, and '0' sets it to the same - this is an old habit that I need to break.
-W 100: defines a file count of 100.
-G 3600: defines the number of seconds that should elapse before a new capture file is created (3600 = 1 hour).
-C 100: indicates the maximum size, in megabytes, that any single capture file should reach.
-w %Y-%m-%dT%T%z.pcap: is simply the output filename in strftime format - you could use anything here, like output.pcap, if you wanted, but if you want files rotated by time (using -G) then you need to have a strftime string in the filename.

This of course will capture every packet; if you want to filter the packets before you capture them, there are some great examples at A tcpdump Primer.
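As an added example (not part of the original post), here is a small POSIX shell helper that sanity-checks a rotating capture plan like the one above before it runs: it rejects a -w template that lacks a strftime conversion (so -G would keep overwriting one file) or that contains a shell '$' (which the shell expands to nothing, silently mangling the filename), computes the worst-case disk footprint of -W files of -C megabytes each, and prunes a capture directory down to the newest N files. The function names, the `cap*.pcap` sample files created by the test, and the directory path are my own assumptions, not something from the original command.

```shell
#!/bin/sh
# Added example: validate and manage a rotating tcpdump capture (not the post's own code).

# Return 0 if the -w template will rotate correctly with -G.
# Requirements: at least one strftime '%' conversion, and no '$' (the shell,
# not tcpdump, expands '$m' to an empty string, producing names like 2024--01T...).
check_template() {
    tmpl=$1
    case $tmpl in
        *'$'*)
            echo "template contains '\$'; use '%' strftime conversions instead" >&2
            return 1 ;;
    esac
    case $tmpl in
        *%*) return 0 ;;
        *)
            echo "template has no strftime conversion; -G would overwrite the same file" >&2
            return 1 ;;
    esac
}

# Worst-case disk use in MB: number of files (-W) times max size per file (-C).
max_disk_mb() {
    files=$1; size_mb=$2
    echo $(( files * size_mb ))
}

# Keep only the newest $2 *.pcap files in directory $1; older ones are removed.
# (Assumes filenames without newlines; ls -t orders by modification time.)
prune_captures() {
    dir=$1; keep=$2
    ls -1t "$dir"/*.pcap 2>/dev/null | tail -n +"$((keep + 1))" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Assemble the post's command line from its parameters, refusing a bad template.
# Usage: build_cmd <iface> <file-count> <seconds> <size-mb> <template>
build_cmd() {
    iface=$1; files=$2; secs=$3; size_mb=$4; tmpl=$5
    check_template "$tmpl" || return 1
    printf 'tcpdump -i %s -nnvvXS -s 0 -W %s -G %s -C %s -w %s\n' \
        "$iface" "$files" "$secs" "$size_mb" "$tmpl"
}

# Demonstration with the post's own values (prints the command, does not run it).
build_cmd eth0 100 3600 100 '%Y-%m-%dT%T%z.pcap'
echo "worst-case disk use: $(max_disk_mb 100 100) MB"
```

One caveat worth knowing when combining these flags: the tcpdump man page states that -W used together with -G limits the number of rotated files and exits when that limit is reached, whereas with -C alone it wraps around and overwrites from the first file. If you need the capture to keep running indefinitely, a periodic `prune_captures` (for example from cron) keeps disk use bounded without relying on -W to wrap.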
Here are some references that I use often: