Linux tcpdump Recipe

  1. Review the security and performance implications of network trace.
  2. Install tcpdump if it's not already installed.
  3. As root, run the following command, replacing $INTERFACE with the target network interface (e.g. an explicit interface such as eth0 or any for all interfaces; preferably, the former):
    sh -c "date >> nohup.out && (nohup tcpdump -nn -v -i $INTERFACE -B 4096 -s 80 -C 500 -W 10 -Z root -w diag_capture_$(hostname)_$(date +%Y%m%d_%H%M%S).pcap &) && sleep 1 && cat nohup.out"
    1. This captures up to 10 files of 500MB each of up to 80 bytes per packet. Change -s to 0 if you want to capture full packets although this has a higher overhead.
  4. Check for any errors running the above commands in your terminal.
  5. Reproduce the problem.
  6. Stop the capture:
    pkill -INT tcpdump
  7. Upload diag_capture*pcap*, a list of IP addresses that are relevant to the captured conversations and what each IP address represents (e.g. web server, WebSphere, database, etc.), and nohup.out

For background, see Linux tcpdump.