Linux – How to make tcpdump stop the capture after a certain number of packets captured

linuxtcpdump

I am debugging a problem where two servers get stuck in a loop when communicates with each other. After a server restart the problem will start at some point, it can be in an hour
or in a day. I want to tcpdump the traffic when the problem starts so I can find out what
makes it happen.

My plan is to restart the servers then let tcpdump capture the traffic and then analyze the
result. However I would like tcpdump to stop after a few thousand packets captured to
avoid having to monitor it, since I don't know when the traffic will start.

Anyone having a suggestion?

Best Answer

See man tcpdump:

-c Exit after receiving count packets.

Related Solutions

Why Packet Loss AFTER tcpdump has logged the packet

we found the root cause of this. We had an acceptCount of 25 in our tomcat server.xml.

acceptCount is documented like this:

acceptCount

The maximum queue length for incoming connection requests when all possible request processing threads are in use. Any requests received when the queue is full will be refused. The default value is 100.

But this is not the whole story about acceptCount. Short: acceptCount is the backlog Parameter when opening the socket. So this value is important for the listen backlog, even if not all threads are busy. It is important if request are faster coming in then tomcat can accept and delegate them to waiting threads. The default acceptCount is 100. This is still a small value to feed a sudden peak in requests.

We checked the same thing with apache and nginx and had the same strange packet loss but with higher concurrency values. The corresponding value in apache is ListenBacklog which defaults to 511.

BUT, with debian (and other linux based os) the default max value for the backlog paramter is 128.

$ sysctl -a | grep somaxc
net.core.somaxconn = 128

So whatever you type in acceptCount or ListenBacklog it will not be over 128 until you change net.core.somaxconn

For a very busy webserver 128 is not enough. You should change it to something like 500, 1000 or 3000, depending on your needs.

After setting acceptCount to 1000 and net.core.somaxconn to 1000 we no longer had those dropped packets. (Now we have a bottleneck somewhere else, but this is another story..)

tcpdump – How to Capture ACK or SYN Packets

The pcap filter syntax used for tcpdump should work exactly the same way on wireshark capture filter.

With tcpdump I would use a filter like this.

tcpdump "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"

Check out the tcpdump man page, and pay close attention to the tcpflags.

Be sure to also check out the sections in the Wireshark Wiki about capture and display filters. Unfortunately the two types of filters use a completely different syntax, and different names for the same thing.

If you wanted a display filter instead of capture filter you would probably need to build an expression combining tcp.flags.ack, and tcp.flags.syn. I am far more familiar with capture filters though, so you'll have to work that out on your own.

http://wiki.wireshark.org/DisplayFilters
- Display filter ref: http://www.wireshark.org/docs/dfref/
- TCP display ref: http://www.wireshark.org/docs/dfref/t/tcp.html
http://wiki.wireshark.org/CaptureFilters

Best Answer

Related Solutions

Why Packet Loss AFTER tcpdump has logged the packet

tcpdump – How to Capture ACK or SYN Packets

Related Topic