Capture network traffic simultaneously on three interfaces

networkingpacket-capturetcpdump

I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 wan interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced between the two WAN interfaces, I wonder if is it possible to capture simultaneously on all interfaces.

I have used tcpdump previously but it only admits one interface at a time. I can launch 3 parallel processes to capture on all interfaces but then I end up with 3 different capture files.

What is the right way of doing this ?

Best Answer

If you use wireshark/tshark, there is a pseudo-interface named 'any' which takes all the interfaces. tshark -i any Wireshark is available on all plateforms

Edit : The any interface depends of libpcap : tcpdump have it ! tcpdump -i any

Related Solutions

Tcpdump: capture one of several vlans

I remembered that you can examine the packet bytes directly. So looking directly into the ethernet header works:

tcpdump -vv -i eth1 '( vlan and ( ether[14:2] & 0xfff == 1000 or ether[14:2] & 0xfff == 501 ) ) and ( ip host 10.1.1.98 or ip host 10.1.1.99 )'

Don't forget the :2, this is a 2 byte field -- I got stuck on this for a while.

Tcpdump on a capture card

According to this mail message to the Wireshark-dev mailing list "[Napatech provides] a custom libpcap that works with their card (and wire/tshark)." It should work with tcpdump as well. If you have questions about it. the best thing to do would be to contact Napatech.

Best Answer

Related Solutions

Tcpdump: capture one of several vlans

Tcpdump on a capture card

Related Topic