Linux tcpdump on a port Recipe
- Review the security and performance implications of network trace.
- Install tcpdump if it's not already installed.
- As root, run the following command, replacing $PORT with the port of interest and $INTERFACE with the target network interface (e.g. an explicit interface such as eth0, or any for all interfaces; preferably the former, since any records packets in the Linux "cooked" link-layer format rather than as plain Ethernet frames). The options mean: -nn disables host and port name resolution, -B 4096 sets a 4 MiB kernel capture buffer (the unit is KiB) to reduce dropped packets, and -Z root stops tcpdump from dropping privileges after opening the interface so it can write the output files in the current directory:
  sh -c "date >> nohup.out && (nohup tcpdump -nn -v -i $INTERFACE -B 4096 -s 80 -C 100 -W 10 -Z root -w diag_capture_$(hostname)_$(date +%Y%m%d_%H%M%S).pcap 'port $PORT' &) && sleep 1 && cat nohup.out"
- This captures up to 10 files of about 100 MB each (-C counts millions of bytes) with up to 80 bytes per packet, which is normally enough for the Ethernet, IP and TCP headers but excludes most of the payload. With -W 10 the files form a ring: once the tenth file is full, tcpdump starts overwriting the oldest, so stop the capture soon after reproducing the problem. tcpdump appends a sequence number to each output file name, which is why the upload pattern below ends in pcap*. Change -s to 0 if you want to capture full packets (on current tcpdump, 0 means the default snaplen of 262144 bytes), although this has a higher overhead and the files will then contain application payload, which may include credentials or other sensitive data.
- Check for any errors from the above command in your terminal; the trailing cat nohup.out shows tcpdump's startup output, including any error about the interface name, the filter expression or permissions.
- Reproduce the problem.
- As root, stop the capture: pkill -INT tcpdump
  SIGINT lets tcpdump flush its buffers and print its "packets captured / received by filter / dropped by kernel" counts, which land in nohup.out. Note that pkill matches every tcpdump process on the host, not only the one started above.
- Upload diag_capture*pcap*, a list of IP addresses that are relevant to the captured conversations and what each IP address represents (e.g. web server, WebSphere, database, etc.), and nohup.out (which holds any startup errors and the packet counts printed when the capture was stopped).
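The upload step asks for the IP addresses involved in the captured conversations, and the -s caveat above makes it worth confirming what a capture actually contains before sharing it. The script below is an added example, not part of the original recipe: it reads the classic pcap format that tcpdump -w writes (pcapng is rejected), reports how many packets the snaplen truncated, and lists the IPv4 addresses and destination-port conversations seen, for both the Ethernet capture an explicit interface produces and the Linux "cooked" capture -i any produces. It assumes IPv4 over TCP or UDP, which is what a 'port $PORT' filter selects; the sample capture at the bottom is constructed in the script and is not a real trace.

```python
"""Inventory tcpdump capture files before they are uploaded: packet count,
snaplen truncation, and the IPv4 addresses and conversations seen, which is
the raw material for the IP list the upload step asks for."""
import socket
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1       # what -i eth0 writes (14-byte Ethernet header)
LINKTYPE_LINUX_SLL = 113    # what -i any writes (16-byte Linux "cooked" header)
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_pcap(data):
    """Return (snaplen, linktype, [(caplen, origlen, frame), ...]) for a classic pcap."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order from the magic
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    snaplen, linktype = struct.unpack(end + "II", data[16:24])
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, linktype, records


def ipv4_endpoints(linktype, frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if linktype == LINKTYPE_ETHERNET:
        link_len, proto_off = 14, 12
    elif linktype == LINKTYPE_LINUX_SLL:
        link_len, proto_off = 16, 14
    else:
        return None
    if len(frame) < link_len + 20:
        return None
    if struct.unpack("!H", frame[proto_off:proto_off + 2])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[link_len:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in PROTO_NAMES or len(ip) < ihl + 4:   # not TCP/UDP, or cut before the ports
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), proto, sport, dport


def summarize(data):
    """Inventory one capture file: counts, snaplen truncation, addresses, conversations."""
    snaplen, linktype, records = parse_pcap(data)
    truncated = sum(1 for caplen, origlen, _ in records if caplen < origlen)
    addresses, conversations = set(), Counter()
    for _, _, frame in records:
        ep = ipv4_endpoints(linktype, frame)
        if ep is None:
            continue
        src, dst, proto, _sport, dport = ep
        addresses.update((src, dst))
        # Source ports are ephemeral, so group on destination port only.
        conversations[(src, dst, PROTO_NAMES[proto], dport)] += 1
    return {"packets": len(records), "snaplen": snaplen, "linktype": linktype,
            "truncated": truncated,
            "addresses": sorted(addresses, key=socket.inet_aton),
            "conversations": conversations}


# Constructed sample data (not a real capture), used to exercise the functions above.
def _ipv4_frame(linktype, src, dst, proto, sport, dport, payload=b""):
    """Minimal IPv4 + TCP/UDP frame; checksums are left zero (the parser ignores them)."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    link_len = 14 if linktype == LINKTYPE_ETHERNET else 16
    return b"\x00" * (link_len - 2) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def sample_capture(linktype=LINKTYPE_ETHERNET, snaplen=80):
    """A client on 10.0.0.5 talking to port 8080 on 10.0.0.10, plus one DNS query."""
    frames = [
        _ipv4_frame(linktype, "10.0.0.5", "10.0.0.10", 6, 51000, 8080),
        _ipv4_frame(linktype, "10.0.0.10", "10.0.0.5", 6, 8080, 51000),
        _ipv4_frame(linktype, "10.0.0.5", "10.0.0.10", 6, 51000, 8080, b"GET / HTTP/1.1\r\n" * 8),
        _ipv4_frame(linktype, "10.0.0.5", "10.0.0.53", 17, 40000, 53),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]   # like tcpdump -s N: wire length recorded, snaplen bytes stored
        out += struct.pack("<IIII", 1700000000 + i, 0, len(stored), len(frame)) + stored
    return out
```

Run summarize() over the bytes of each diag_capture*pcap* file; on a -s 80 capture of real traffic, truncated should be close to the packet count (headers only), while truncated == 0 on a busy capture means full payload was recorded and the files need the same handling as any other copy of that data. The addresses list, annotated with each host's role, is the IP list the upload step asks for.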
For background, see Linux tcpdump.