Linux tcpdump on a port Recipe

  1. Review the security and performance implications of network tracing.
  2. Install tcpdump if it's not already installed.
  3. As root, run the following command, replacing $PORT with the port of interest and $INTERFACE with the target network interface (e.g. an explicit interface such as eth0, or any for all interfaces; the former is preferable):
    sh -c "date >> nohup.out && (nohup tcpdump -nn -v -i $INTERFACE -B 4096 -s 80 -C 100 -W 10 -Z root -w diag_capture_$(hostname)_$(date +%Y%m%d_%H%M%S).pcap 'port $PORT' &) && sleep 1 && cat nohup.out"
    1. This captures up to 10 files of 100MB each, with up to 80 bytes per packet. Change -s to 0 to capture full packets, although this has a higher overhead.
  4. Check for any errors running the above commands in your terminal.
  5. Reproduce the problem.
  6. As root, stop the capture:
    pkill -INT tcpdump
  7. Upload diag_capture*pcap*, a list of IP addresses that are relevant to the captured conversations and what each IP address represents (e.g. web server, WebSphere, database, etc.), and nohup.out.
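
As an added example that is not part of the original recipe, the following POSIX shell wrapper runs the same tcpdump options but validates $PORT and $INTERFACE first and hands them to tcpdump as separate arguments instead of interpolating them into a sh -c string. The function names (validate_port, validate_iface, capture_name, start_capture, stop_capture) are this example's own.

```shell
#!/bin/sh
# Added example, not the original recipe's code: wraps the recipe's tcpdump
# invocation so that PORT and INTERFACE are checked before use and never
# spliced into a shell command string.

# Port must be an integer 1-65535; anything else (including shell
# metacharacters) is rejected.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Interface must be "any" or a plain name: letters, digits, . _ : - only.
validate_iface() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._:-]*) return 1 ;;
    esac
    return 0
}

# Output file name in the recipe's diag_capture_<host>_<timestamp>.pcap form.
capture_name() {
    printf 'diag_capture_%s_%s.pcap\n' \
        "$(hostname 2>/dev/null || uname -n)" "$(date +%Y%m%d_%H%M%S)"
}

# Start the capture with the recipe's options (10 x 100MB rotating files,
# 80-byte snaplen). Must be run as root. Arguments go to tcpdump directly.
start_capture() {
    port=$1
    iface=$2
    validate_port "$port" || { echo "rejected port: $port" >&2; return 2; }
    validate_iface "$iface" || { echo "rejected interface: $iface" >&2; return 2; }
    date >> nohup.out
    nohup tcpdump -nn -v -i "$iface" -B 4096 -s 80 -C 100 -W 10 -Z root \
        -w "$(capture_name)" "port $port" >> nohup.out 2>&1 &
    sleep 1
    cat nohup.out
}

# Stop the capture the same way the recipe does (SIGINT lets tcpdump flush).
stop_capture() {
    pkill -INT tcpdump
}
```

Run start_capture 443 eth0 after reproducing the prerequisites in steps 1 and 2, then stop_capture once the problem has been reproduced.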

For background, see Linux tcpdump.