My best bet would be to use something like:
tcpdump -ieth0 -s96 -w traffic.dump 'ip or icmp or tcp or udp'
Where the "tricky" part will be to choose a correct value for the "-s" (snaplen) parameter (snaplen is the maximum length of the packet tcpdump will capture).
From the tcpdump man pages:
Snarf snaplen bytes of data from each packet rather than the default of 68 (with NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.
In this example I'm using 96 to be "almost" sure that I would capture 100% of ethernet+ip+(icmp || udp || tcp) header values.
In case your traffic has IP or TCP options (i.e. timestamps) and you want to also capture this info, then you will have to play with the snaplen parameter (i.e. increase/decrease it).
In case the length of the headers of your packet is less than snaplen, you may also capture part of the payload.
Finally, to read the traffic captured, I would use something like:
tcpdump -e -nn -vv -r traffic.dump
Where the important part is to use the "-e" option so you can get the ethernet headers printed.
This page gives you an idea about the size of the ethernet/tcp/udp headers under different circumstances and may help you to arrive at a "correct" value for the snaplen parameter.
capinfos is what you are looking for:
$ capinfos ddos.cap
File name: ddos.cap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Packet size limit: file hdr: 65535 bytes
Number of packets: 1000000
File size: 189073212 bytes
Data size: 173073188 bytes
Capture duration: 2 seconds
Start time: Fri Jul 5 16:35:04 2013
End time: Fri Jul 5 16:35:07 2013
Data byte rate: 69839025.27 bytes/sec
Data bit rate: 558712202.18 bits/sec
Average packet size: 173.07 bytes
Average packet rate: 403523.08 packets/sec
SHA1: 34d758e6445061855ca4397729098f469f411fe3
RIPEMD160: 14f430231fc2962cd86ddb8edb8daf75a5d07af8
MD5: 5893809fb02d1a20997629a9a501842b
Strict time order: False
Pay attention to the Data bit rate.
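The two answers above make the same point from different ends: the snaplen chosen at capture time decides whether the headers survive, and capinfos tells you after the fact what the file holds. The following added example (not code from either answer, and not part of tcpdump or Wireshark) is a small libpcap reader that computes the capinfos-style figures (packet count, data size, duration, byte and bit rate, average packet size) and additionally counts records whose stored length is shorter than their on-wire length, i.e. packets the snaplen cut short. It also carries a `header_budget` helper that adds up the worst-case Ethernet + IPv4 + transport header sizes so you can see how much room a snaplen such as 96 leaves. The pcap it reads is constructed inline (three Ethernet/IPv4/TCP frames with zeroed checksums and made-up addresses) so it runs offline; point `summarize()` at the bytes of a real `traffic.dump` to check your own capture.

```python
import struct
from typing import List, NamedTuple, Tuple

# Added example: a minimal classic-libpcap reader that reports capinfos-style
# statistics plus how many records the capture-time snaplen truncated.

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # pcap variant with nanosecond timestamps
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16

# Fixed header sizes used to reason about a snaplen budget.
ETHERNET_HDR = 14
VLAN_TAG = 4
IPV4_HDR_MIN, IPV4_HDR_MAX = 20, 60   # 60 = header with the maximum 40 bytes of options
TCP_HDR_MIN, TCP_HDR_MAX = 20, 60     # likewise for TCP options (timestamps, SACK, ...)
UDP_HDR = 8
ICMP_HDR = 8


class Record(NamedTuple):
    ts: float        # seconds since the epoch
    caplen: int      # bytes actually stored in the file (incl_len)
    wirelen: int     # bytes seen on the wire (orig_len)
    data: bytes


def header_budget(l4: str, vlan: bool = False, ip_options: bool = False,
                  l4_options: bool = False) -> int:
    """Bytes needed to hold Ethernet + IPv4 + one transport header in the worst case asked for."""
    size = ETHERNET_HDR + (VLAN_TAG if vlan else 0)
    size += IPV4_HDR_MAX if ip_options else IPV4_HDR_MIN
    if l4 == "tcp":
        size += TCP_HDR_MAX if l4_options else TCP_HDR_MIN
    elif l4 == "udp":
        size += UDP_HDR
    elif l4 == "icmp":
        size += ICMP_HDR
    else:
        raise ValueError(f"unknown transport {l4!r}")
    return size


def parse_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap file and return (snaplen from the file header, records)."""
    if len(blob) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    # The magic number reveals both the byte order and the timestamp resolution.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file")
    frac_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    _, _, _, _, _, snaplen, _ = struct.unpack(endian + "IHHiIII", blob[:GLOBAL_HDR_LEN])
    records, off = [], GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(blob):
        sec, frac, caplen, wirelen = struct.unpack(endian + "IIII", blob[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        data = blob[off:off + caplen]
        if len(data) != caplen:
            raise ValueError(f"record at offset {off - RECORD_HDR_LEN} is cut short")
        records.append(Record(sec + frac / frac_div, caplen, wirelen, data))
        off += caplen
    return snaplen, records


def summarize(blob: bytes) -> dict:
    """capinfos-style figures plus the number of records the snaplen truncated."""
    snaplen, recs = parse_pcap(blob)
    data_size = sum(r.caplen for r in recs)          # what capinfos calls "Data size"
    wire_size = sum(r.wirelen for r in recs)         # what actually crossed the wire
    duration = (recs[-1].ts - recs[0].ts) if recs else 0.0
    rate = data_size / duration if duration > 0 else float("nan")
    return {
        "snaplen": snaplen,
        "packets": len(recs),
        "data_size": data_size,
        "wire_size": wire_size,
        "duration": duration,
        "byte_rate": rate,
        "bit_rate": rate * 8,
        "avg_packet_size": data_size / len(recs) if recs else 0.0,
        "truncated": sum(1 for r in recs if r.caplen < r.wirelen),
    }


def make_frame(payload_len: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample file (checksums left zero)."""
    eth = bytes.fromhex("0200000000020200000000010800")   # dst MAC, src MAC, EtherType IPv4
    total = IPV4_HDR_MIN + TCP_HDR_MIN + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # made-up addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)


def build_pcap(snaplen: int, frames: List[Tuple[float, bytes]]) -> bytes:
    """Write frames as a little-endian microsecond pcap, cutting each one at snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)  # link type 1 = Ethernet
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        stored = frame[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(stored), len(frame)) + stored
    return out


# Constructed sample capture taken with snaplen 96, as in the first answer.
SAMPLE_PCAP = build_pcap(96, [
    (1000.0, make_frame(30)),     # 84 bytes on the wire: fits entirely
    (1000.5, make_frame(1000)),   # 1054 bytes: payload cut, headers intact
    (1002.0, make_frame(0)),      # 54 bytes: bare headers
])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PCAP).items():
        print(f"{key:>16}: {value}")
    print("eth+ipv4+tcp, no options:", header_budget("tcp"))
    print("eth+ipv4+tcp, full options:", header_budget("tcp", ip_options=True, l4_options=True))
```

With the sample file, one of the three records is reported as truncated (the 1054-byte frame stored as 96 bytes), while the header budget shows that 96 covers Ethernet + IPv4 + TCP without options (54 bytes) with 42 bytes to spare, but not the 134-byte worst case with full IP and TCP options. A non-zero `truncated` count is not a problem in itself, since cutting payload is the whole point of a small snaplen, but comparing `snaplen` against the budget you need tells you whether header fields may have been lost as well.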
What might help here is if someone could edit the original script above instead of capturing 2000 packets and dropping the rest, to capture all packets for a duration of let's say 5 seconds when the threshold hits.
How about this:
tcpdump -n -s0 -w $dumpdir/dump.`date +"%Y%m%d-%H%M%S"`.cap &
sleep 5 && pkill -HUP -f /usr/sbin/tcpdump
Best Answer
According to this mail message to the Wireshark-dev mailing list "[Napatech provides] a custom libpcap that works with their card (and wire/tshark)." It should work with tcpdump as well. If you have questions about it, the best thing to do would be to contact Napatech.