I'm quite new to tcpdump. I've never used it except for very trivial tasks.
Recently, I was asked to complete the following job.
What I have: A server with a network interface connected to a switch. All traffic on that switch would be mirrored to this server.
What I need: Store all this traffic in a PCAP-format file. The file should include:
- Only outgoing or incoming traffic is of interest. Traffic that travels only within the subnet is not needed and should not be logged if possible.
- Multicast and broadcast traffic is not of interest and should be ignored if possible.
- All I need is Ethernet -> IPv4 -> TCP, UDP and ICMP. Others are not of interest and should be ignored if possible.
- I don't need the message body. Headers (Ethernet, IP and TCP/UDP/ICMP) are enough, so the body should not be logged if possible.
The traffic would be ~100MByte/s during daytime and for my work, packet loss is not tolerable (it must be continuous for 24 hours).
Anyway, as is mentioned above, I don't need everything.
Question:
- How can I do the job?
- What should I take care of so that all data are collected smoothly with (almost) no loss?
Thank you.
Best Answer
My best bet would be to use something like:
Where the "tricky" part will be to choose a correct value for the "-s" (snaplen) parameter (snaplen is the maximum length of each packet that tcpdump will capture).
From the tcpdump man pages:
In this example I'm using 96 to be "almost" sure that I would capture 100% of the Ethernet + IP + (ICMP || UDP || TCP) header values.
In case your traffic has IP or TCP options (e.g. timestamps) and you want to also capture this info, then you will have to play with the snaplen parameter (i.e. increase/decrease it).
In case the length of the headers of your packet is less than snaplen, you may also capture part of the payload.
Finally, to read the traffic captured, I would use something like:
Where the important part is to use the "-e" option so you can get the ethernet headers printed.
This page gives you an idea about the size of the Ethernet/TCP/UDP headers under different circumstances and may help you to arrive at a "correct" value for the snaplen parameter.
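As an added example (not the answerer's own commands, which are not reproduced on this page), the following script builds the BPF filter that expresses the four requirements in the question, derives the snaplen from the worst-case header sizes rather than guessing, and wraps the capture and read-back invocations. The interface name (eth1), the local subnet (10.0.0.0/24) and the output directory (/var/cap) are assumed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original answer): capture only the
# headers of unicast IPv4 TCP/UDP/ICMP traffic that crosses the local
# subnet boundary, on a mirror port, and read it back with the
# link-layer header printed. The interface name (eth1), the local
# subnet (10.0.0.0/24) and the output directory (/var/cap) are
# assumed; adjust them for your site.

# Worst-case link+network+transport header length, used as the snaplen:
#   Ethernet 14 + 802.1Q VLAN tag 4 + IPv4 header up to 60 (with
#   options) + TCP header up to 60 (with options) = 138 bytes.
# UDP (8) and the fixed ICMP header (8) are shorter, so 138 covers
# them too; for those packets the tail of the snapshot is payload.
max_header_bytes() {
    echo $((14 + 4 + 60 + 60))
}

# BPF filter expressing the requirements. $1 is the local subnet (CIDR).
#  - "ip and (tcp or udp or icmp)"   -> IPv4 only, three protocols only
#  - "not ether broadcast/multicast"  -> drops broadcast, IPv4 multicast
#                                       (01:00:5e MACs) and other L2
#                                       multicast such as STP
#  - the src/dst net clause           -> exactly one end inside the
#                                       subnet, so intra-subnet and
#                                       transit traffic are excluded
build_filter() {
    net="$1"
    echo "ip and (tcp or udp or icmp)" \
         "and not ether broadcast and not ether multicast" \
         "and ((src net $net and not dst net $net) or (dst net $net and not src net $net))"
}

# Run the capture. Do NOT pass -p: on a mirror port the frames are
# addressed to other hosts' MACs, so promiscuous mode is required.
#  -s   snaplen (headers only)
#  -B   kernel capture buffer in KiB (64 MiB here) to absorb bursts
#  -G   rotate the output file every 3600 s; -w takes strftime(3) names
run_capture() {
    iface="$1"; net="$2"; outdir="$3"
    exec tcpdump -i "$iface" -n \
        -s "$(max_header_bytes)" \
        -B 65536 \
        -G 3600 -w "$outdir/cap-%Y%m%d-%H%M%S.pcap" \
        "$(build_filter "$net")"
}

# Read a capture back; -e prints the Ethernet header on each line.
read_headers() {
    tcpdump -n -e -r "$1"
}

# Only start capturing when explicitly asked, and only if tcpdump exists.
if [ "${1:-}" = "--run" ] && command -v tcpdump >/dev/null 2>&1; then
    run_capture eth1 10.0.0.0/24 /var/cap
fi
```

Two checks worth doing before trusting a 24-hour run: first, when tcpdump exits it prints "packets dropped by kernel" on stderr, and that counter must stay at zero (raise -B or move to a dedicated capture box if it does not); second, the answer's snaplen of 96 covers Ethernet plus one of IP or TCP at its maximum option length but not both, so packets with full IP and TCP options would be truncated, which is why the script computes 138 instead.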