TCPDUMP tips and tricks

Multiple tcpdump processes in tmux

Useful on KVM hypervisors with dozens of vnet interfaces.

#!/bin/bash

# create a detached master tmux session (attach to it later with: tmux attach -t tcpdump)
tmux new-session -d -s 'tcpdump'

# create each tcpdump process in a new tmux window; interface names come
# from 'ip a', skipping the loopback and bridge interfaces
for interface in \
$(ip a|grep -v "^ "|awk '{print $2}'|cut -d ':' -f 1|grep -Ev "lo|br")
do
  # the -w argument is single-quoted so the whole tcpdump command stays one
  # double-quoted string; -G 1800 rotates the file every 30 minutes and the
  # %Y%m%d-%H%M%S part is expanded by strftime
  tmux new-window -t 'tcpdump:' -n "$interface" \
    "tcpdump -s 17000 -G 1800 \
    -w '$(hostname)-$interface-%Y%m%d-%H%M%S.pcap' \
    -Svni $interface udp"
done

Capture HTTP requests

The trick is to filter on the destination first, so that only packets from the client to the server are kept, and then to keep only the segments with the TCP PSH flag set (the ones carrying the request data) using the tcpflags filter.

tcpdump -s 1500 -SvnAi any tcp and port 8080 and dst webserver.example.net and "tcp[tcpflags] & (tcp-push) != 0"
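To see what that filter selects, here is a small added example (not part of the original page) that re-implements the same test in Python over a few constructed Ethernet/IPv4/TCP frames: destination must be the server, port 8080 must be involved, and the PSH flag must be set. The server and client addresses and the frame builder are assumptions made for the example; checksums are left at zero.

```python
import struct
import ipaddress

PSH = 0x08  # the TCP flag bit tested by tcp[tcpflags] & (tcp-push)

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Construct a sample Ethernet/IPv4/TCP frame (constructed data, checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    return eth + ip + tcp

def http_requests(frames, server, port):
    """Return the first line of every frame matching:
    tcp and port <port> and dst <server> and tcp[tcpflags] & (tcp-push) != 0"""
    out = []
    for f in frames:
        if f[12:14] != b"\x08\x00":                 # not IPv4
            continue
        ihl = (f[14] & 0x0F) * 4
        proto = f[14 + 9]
        dst = str(ipaddress.IPv4Address(f[14 + 16:14 + 20]))
        if proto != 6 or dst != server:            # "tcp and dst server"
            continue
        tcp = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        if port not in (sport, dport) or not tcp[13] & PSH:   # "port N" and PSH set
            continue
        out.append(tcp[data_off:].split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return out

# constructed sample traffic: handshake, request, response, bare ACK
SERVER, CLIENT = "10.0.0.5", "10.0.0.9"
FRAMES = [
    build_frame(CLIENT, SERVER, 40000, 8080, 0x02),                                  # SYN
    build_frame(CLIENT, SERVER, 40000, 8080, 0x18, b"GET /login HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_frame(SERVER, CLIENT, 8080, 40000, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_frame(CLIENT, SERVER, 40000, 8080, 0x10),                                  # ACK
]

if __name__ == "__main__":
    print(http_requests(FRAMES, SERVER, 8080))   # ['GET /login HTTP/1.1']
```

Swapping the destination to the client address returns the response line instead, which is why the dst filter has to come first.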

Rollover capture files

Create a series of capture files, rotating through at most 200 files (-W) of 20 MB each (-C); tcpdump appends a number to the file name for each file in the series.

sudo tcpdump -w testcapture.pcap -W 200 -C 20 -SvnAi eth2 tcp and port 80

en/ressources/astuces/tcpdump.txt · Last modified: 2013/01/03 16:05 by julien
CC Attribution-Noncommercial-Share Alike 3.0 Unported