In this post, we quickly take a TCP dump (packet capture) on a Linux server and write the output to a .cap file that Wireshark can read.
Problem or Goal:
Used to capture and analyze packets when troubleshooting network/communication problems.
Cause:
N/A
Solution (Examples):
a) TCP Dump on a single physical interface to capture DNS (port 53) packets
# tcpdump -i eth0 -s 2000 -w /tmp/name_of_trace_file.cap port 53
b) TCP Dump on a bonded interface to capture HTTP (port 80) packets
# tcpdump -i bond1 -s 2000 -w /tmp/name_of_trace_file.cap port 80
Note: "-s 2000" limits the captured length of each packet (the snaplen) to 2000 bytes; the default packet length is 1024 bytes. Use "-s 0" to remove the packet length limit and capture whole packets.
Problem Solved?
You can then transfer the file to your laptop with SFTP and open it in Wireshark.
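As an added example (not part of the original post): a small Python check to run on the capture file before transferring it. It reads the classic pcap global header that tcpdump writes, reports the snaplen recorded there, and counts records whose captured length is shorter than the original packet, i.e. packets that were cut by the "-s" limit. The sample capture bytes are constructed inline, with the snaplen 2000 from the examples above.

```python
import struct
from typing import NamedTuple

PCAP_HEADER_LEN = 24   # global header: magic, version, tz, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # per packet: ts_sec, ts_usec, incl_len, orig_len


class PcapSummary(NamedTuple):
    snaplen: int
    linktype: int
    packets: int
    truncated: int  # records where incl_len < orig_len (cut by the snaplen)


def summarize_pcap(data: bytes) -> PcapSummary:
    """Parse a classic (non-pcapng) pcap file and summarise snaplen truncation."""
    if len(data) < PCAP_HEADER_LEN:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # native little-endian (usec / nsec)
        order = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # byte-swapped: big-endian writer
        order = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic 0x{magic:08x})")
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:PCAP_HEADER_LEN])
    offset, packets, truncated = PCAP_HEADER_LEN, 0, 0
    while offset + RECORD_HEADER_LEN <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        # tcpdump never stores more than snaplen bytes; anything else is corruption
        if incl_len > snaplen or offset + RECORD_HEADER_LEN + incl_len > len(data):
            raise ValueError(f"corrupt record at offset {offset}")
        packets += 1
        if incl_len < orig_len:
            truncated += 1
        offset += RECORD_HEADER_LEN + incl_len
    if offset != len(data):
        raise ValueError("trailing bytes after last record (capture cut short?)")
    return PcapSummary(snaplen, linktype, packets, truncated)


def build_sample_pcap(snaplen: int = 2000) -> bytes:
    """Constructed sample: Ethernet (linktype 1) capture, one full and one cut record."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    full = struct.pack("<IIII", 1700000000, 0, 60, 60) + b"\x00" * 60
    cut = struct.pack("<IIII", 1700000001, 0, snaplen, 3000) + b"\x00" * snaplen
    return header + full + cut


if __name__ == "__main__":
    print(summarize_pcap(build_sample_pcap()))
```

To check a real file, read it with open(path, "rb").read() and pass the bytes to summarize_pcap; a non-zero truncated count means the trace was taken with a snaplen too small for some packets.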