Tcpdump: how to use it to capture all traffic headers

tcpdump

I'm quite new to tcpdump. I've never used it except for very trivial tasks.

Recently, I was asked to complete the following job.

What I have: A server with a network interface connected to a switch. All traffic on that switch would be mirrored to this server.
What I need: Store all this traffic in a PCAP format file. The file should include

  1. Only outgoing or incoming traffic is of interest. Traffic that travels only within the subnet is not needed and should not be logged if possible.
  2. All multicast and broadcast traffic is not of interest and should be ignored if possible.
  3. All I need is Ethernet -> IPv4 -> TCP, UDP and ICMP. Others aren't of interest and should be neglected if possible.
  4. I don't need the message body. Headers (Ethernet, IP and TCP/UDP/ICMP) are enough. So the body should not be logged if possible.

The traffic would be ~100MByte/s during daytime and for my work, packet loss is not tolerable (it must be continuous for 24 hours).
Anyway, as is mentioned above, I don't need everything.

Question:

  1. How can I do the job?
  2. What should I take care of so that all data is collected smoothly without loss (or almost without loss)?

Thank you.

Best Answer

My best bet would be to use something like:

tcpdump -ieth0 -s96 -w traffic.dump 'ip or icmp or tcp or udp'

Where the "tricky" part will be to choose a correct value for the "-s" (snaplen) parameter (snaplen is the maximum length of the packet tcpdump will capture).

From the tcpdump man pages:

Snarf snaplen bytes of data from each packet rather than the default of 68 (with NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.

In this example I'm using 96 to be "almost" sure that I would capture 100% of the ethernet+ip+(icmp || udp || tcp) header values.

In case your traffic has IP or TCP options (i.e. timestamps) and you want to also capture this info, then you will have to play with the snaplen parameter (i.e. increase/decrease it).

In case the length of the headers of your packet is less than snaplen, you may also capture part of the payload.

Finally, to read the traffic captured, I would use something like:

tcpdump -e -nn -vv -r traffic.dump

Where the important part is to use the "-e" option so you can get the ethernet headers printed.

This page gives you an idea about the size of the ethernet/tcp/udp headers under different circumstances and may help you to arrive at a "correct" value for the snaplen parameter.
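The answer above covers snaplen but leaves the question's other requirements (no broadcast/multicast, no intra-subnet traffic, unattended 24-hour operation) to the reader. The script below is an added example, not code from the original question or answer: it assembles a BPF filter that meets all four requirements and a tcpdump command line that rotates files and enlarges the kernel capture buffer. The interface name, subnet and output prefix are placeholder arguments, and the `-s`, `-B` and `-G` values are my assumptions, explained in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): build and optionally run a
# header-only tcpdump capture for mirrored traffic leaving or entering a subnet.

# build_filter SUBNET
# Prints a BPF filter that keeps only IPv4 TCP/UDP/ICMP, drops Ethernet
# broadcast/multicast frames, and drops packets whose source and destination
# both lie inside SUBNET (traffic that never crosses the subnet boundary).
build_filter() {
    subnet="$1"
    printf '%s\n' "ip and (tcp or udp or icmp) and not (ether broadcast or ether multicast) and not (src net $subnet and dst net $subnet)"
}

# Capture options (assumed values, not from the page):
#   -s 160     Ethernet (14) + 802.1Q tag (4) + IPv4 with maximal options (60)
#              + TCP with maximal options (60) = 138 bytes, so 160 keeps every
#              header and truncates the payload, as the question asks.
#   -B 262144  256 MiB kernel capture buffer (value is in KiB) so bursts at
#              ~100 MB/s are queued rather than dropped while the disk catches up.
#   -G 3600    start a new output file every hour; the strftime pattern in the
#              file name keeps each hour's file distinct.
CAPTURE_OPTS="-s 160 -B 262144 -G 3600"

# capture_cmd IFACE SUBNET OUTPREFIX
# Prints the exact tcpdump command line that run_capture would execute,
# so it can be reviewed (or checked with `tcpdump -d`) before running it.
capture_cmd() {
    printf '%s\n' "tcpdump -i $1 $CAPTURE_OPTS -w $3-%Y%m%d-%H%M%S.pcap '$(build_filter "$2")'"
}

# run_capture IFACE SUBNET OUTPREFIX
# Replaces the shell with tcpdump; needs root (or CAP_NET_RAW) for the interface.
run_capture() {
    echo "starting: $(capture_cmd "$1" "$2" "$3")" >&2
    # word-splitting of CAPTURE_OPTS into separate arguments is intended
    exec tcpdump -i "$1" $CAPTURE_OPTS -w "$3-%Y%m%d-%H%M%S.pcap" "$(build_filter "$2")"
}

# Only capture when explicitly asked, e.g.:
#   sudo sh capture.sh run eth1 192.168.1.0/24 /var/cap/edge
if [ "${1:-}" = run ] && [ $# -eq 4 ]; then
    run_capture "$2" "$3" "$4"
fi
```

`tcpdump -d '<filter>'` compiles an expression and prints the resulting BPF program without capturing anything, which is a cheap way to catch filter syntax mistakes before starting a day-long run. When tcpdump exits it prints a "packets dropped by kernel" counter; if that is non-zero after a test run, raise `-B` or lower `-s` before relying on the capture. Note that `ether multicast` also matches broadcast frames (the group bit is set in ff:ff:ff:ff:ff:ff), so the explicit `ether broadcast` term is there only for readability.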