How to capture traffic with tcpdump and a sliding window or sort of “logrotate”

Tags: networking, tcpdump, troubleshooting

I want to capture some traffic with tcpdump for troubleshooting. The problem is, the error is not reproducible. To avoid filling up the whole disk with captures, I would like to capture the traffic with some sort of sliding window.

Let's say I write the capture to a file, and when the file reaches a size of 1GB it will drop the oldest packets and write the new ones. This way I would only get the traffic for some hours, but hopefully enough to have the right packets when the user calls.

I couldn't find an option for tcpdump. Does anyone have an idea how to solve this?

Best Answer

The -c option can help you with this:

   -c     Exit after receiving count packets.

So this would get you a circular traffic.dmp file:

while :
do
 tcpdump -i eth0 -c 50000 -C 1 -w traffic.dmp
done

If you dropped it in a for loop, you could get a series of files:

for file in 1 2 3 4 5
do
 tcpdump -i eth0 -c 50000 -C 1 -w traffic${file}.dmp
done

Just adjust the numbers after you figure out some number that is not too big for your disk to capture a few hours' worth of packets.

-C also looks interesting:

   -C     Before writing a raw packet to a  savefile,  check  whether  the
          file  is  currently  larger than file_size and, if so, close the
          current savefile and open a new one.  Savefiles after the  first
          savefile  will  have the name specified with the -w flag, with a
          number after it, starting at 1 and continuing upward.  The units
          of  file_size  are  millions  of  bytes  (1,000,000  bytes,  not
          1,048,576 bytes).
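The -C flag quoted above has a companion, -W, which caps the number of savefiles and makes tcpdump start overwriting the oldest one once the cap is reached, so a single tcpdump process gives the bounded sliding window the question asks for. The helper below is an added example, not part of the original answer; it assumes interface eth0, a placeholder capture path, and an unprivileged "tcpdump" user for -Z.

```shell
#!/bin/sh
# Added example (not the original answer's code). tcpdump -C <MB> -W <count>
# writes at most <count> files of about <MB> million bytes each and then
# overwrites the oldest, so disk usage stays near MB * count: a ring buffer.
# Assumptions (placeholders): interface eth0, capture path /var/tmp/cap/...,
# and a "tcpdump" user that owns the capture directory (needed for -Z).

# Build the ring-buffer command for a window of total_mb spread over count files.
ring_cmd() {
  iface=$1; total_mb=$2; count=$3; base=$4
  if [ "$count" -lt 1 ]; then
    echo "ring_cmd: count must be at least 1" >&2
    return 1
  fi
  per_file=$((total_mb / count))
  if [ "$per_file" -lt 1 ]; then
    echo "ring_cmd: total_mb/count must give at least 1 MB per file" >&2
    return 1
  fi
  # -s 0 keeps full packets; -Z drops root once the interface is open,
  # so the capture directory must be writable by that user.
  printf 'tcpdump -i %s -s 0 -Z tcpdump -C %s -W %s -w %s\n' \
    "$iface" "$per_file" "$count" "$base"
}

# Once the ring has wrapped, the numeric suffix no longer tells you which
# file is oldest (traffic.dmp02 may be newer than traffic.dmp07). Sort by
# modification time instead before merging or reading them in order.
ring_files_oldest_first() {
  dir=$1; base=$2
  ls -tr "$dir"/"$base"*
}

# Example: a 1000 MB window as 10 files of 100 MB.
ring_cmd eth0 1000 10 /var/tmp/cap/traffic.dmp
```

Run the printed command as root (it needs the interface); a window that the disk can hold is the only sizing decision left, since -W bounds the file count and -C bounds each file.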