Notes, hints and suggestions about using tcpdump, the common libpcap-based tool for capturing network packets.
Notes on this page:

tcpdump and -i any

On Linux, tcpdump can capture on all interfaces at once through the 'any' pseudo-interface provided by libpcap. Captures on 'any' are taken in "cooked" mode: instead of the real link-level header, each packet carries a small Linux pseudo-header (direction, hardware type, sender's link-level address, protocol).

In order to do so, just specify the 'any' virtual interface with something like:
# tcpdump -i any
  

When the 'any' interface is specified, the interfaces are not put into promiscuous mode, so only traffic addressed to the host (plus broadcast and multicast) is captured.

To set an interface into promiscuous mode by hand, use something like:
# ifconfig eth0 promisc
or
# ip link set eth0 promisc on
and remember to turn it off again afterwards ('ip link set eth0 promisc off'): the flag survives the end of your tcpdump session.

Note that there is no way to give tcpdump a selective list of interfaces to listen on: it is either one interface or all of them (to watch a subset, run one tcpdump per interface). With the tcpdump/libpcap versions current when this note was written there is also no indication of which interface a given packet was captured on, because the cooked pseudo-header (DLT_LINUX_SLL) carries no interface index. Newer releases (tcpdump 4.99 with libpcap 1.10, which use the DLT_LINUX_SLL2 pseudo-header) do record the interface index and print the interface name and direction in front of each packet captured on 'any'.

A workaround on older versions is the '-e' parameter, which dumps the pseudo-header: direction (In/Out), the sender's link-level address and the protocol. For outgoing packets the address is that of the local interface, which usually identifies it; for incoming packets it is whatever source address the remote side put in the frame, so it may be spoofed or simply wrong, and on interfaces without link-level addresses (ppp, tun) it is empty or meaningless.
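To make the difference concrete, here is an added example (not from this page or from the tcpdump project) that parses both cooked pseudo-headers, the 16-byte DLT_LINUX_SLL one that older '-i any' captures use and the 20-byte DLT_LINUX_SLL2 one that newer libpcap writes. The sample headers are constructed, and the helper names are this example's own. The point it shows: in v1 there is simply no field for the interface, only the direction and a link address, whereas v2 carries the interface index that a newer tcpdump resolves to a name.

```python
import socket
import struct

# libpcap link types used by "cooked" captures such as tcpdump -i any on Linux:
# DLT_LINUX_SLL (113) is the original 16-byte pseudo-header, DLT_LINUX_SLL2
# (276, libpcap 1.10 / tcpdump 4.99) is the 20-byte successor that adds the
# interface index. Layouts follow the libpcap LINKTYPE_LINUX_SLL/SLL2 docs.
DLT_LINUX_SLL = 113
DLT_LINUX_SLL2 = 276

# Linux PACKET_* values carried in the packet-type field.
PACKET_TYPES = {
    0: "In",         # unicast to this host
    1: "In/bcast",   # broadcast
    2: "In/mcast",   # multicast
    3: "Other",      # for another host (only seen in promiscuous mode)
    4: "Out",        # sent by this host
}


def _mac(addr, halen):
    return ":".join("%02x" % b for b in addr[:halen])


def parse_sll(data):
    """Parse a DLT_LINUX_SLL (v1) pseudo-header; returns (fields, payload)."""
    if len(data) < 16:
        raise ValueError("truncated SLL header")
    pkt_type, hatype, halen, addr, proto = struct.unpack("!HHH8sH", data[:16])
    return {
        "version": 1,
        "direction": PACKET_TYPES.get(pkt_type, "unknown(%d)" % pkt_type),
        "hatype": hatype,                 # ARPHRD_* value, 1 = Ethernet
        "link_addr": _mac(addr, halen),   # sender's link address as the kernel saw it
        "ifindex": None,                  # v1 has no room for an interface index
        "proto": proto,                   # ethertype, e.g. 0x0800 for IPv4
    }, data[16:]


def parse_sll2(data):
    """Parse a DLT_LINUX_SLL2 pseudo-header; returns (fields, payload)."""
    if len(data) < 20:
        raise ValueError("truncated SLL2 header")
    proto, _mbz, ifindex, hatype, pkt_type, halen, addr = struct.unpack(
        "!HHIHBB8s", data[:20])
    return {
        "version": 2,
        "direction": PACKET_TYPES.get(pkt_type, "unknown(%d)" % pkt_type),
        "hatype": hatype,
        "link_addr": _mac(addr, halen),
        "ifindex": ifindex,   # this is what lets newer tcpdump print the interface name
        "proto": proto,
    }, data[20:]


def parse_cooked(linktype, data):
    """Dispatch on the pcap link type of the capture."""
    if linktype == DLT_LINUX_SLL:
        return parse_sll(data)
    if linktype == DLT_LINUX_SLL2:
        return parse_sll2(data)
    raise ValueError("not a cooked capture: linktype %d" % linktype)


def ifname(ifindex):
    """Map an interface index to a name on this host, or None if it cannot be resolved."""
    if ifindex is None:
        return None
    try:
        return socket.if_indextoname(ifindex)
    except (OSError, AttributeError):
        return None


# Constructed sample headers (not from a real capture): an IPv4 packet sent by
# this host from an Ethernet interface with MAC 00:11:22:33:44:55.
SAMPLE_SLL_V1 = (b"\x00\x04"                          # packet type 4 = Out
                 b"\x00\x01"                          # ARPHRD_ETHER
                 b"\x00\x06"                          # address length 6
                 b"\x00\x11\x22\x33\x44\x55\x00\x00"  # MAC, zero padded to 8 bytes
                 b"\x08\x00")                         # ethertype IPv4
SAMPLE_SLL_V2 = (b"\x08\x00"                          # ethertype IPv4
                 b"\x00\x00"                          # reserved, must be zero
                 b"\x00\x00\x00\x02"                  # interface index 2
                 b"\x00\x01"                          # ARPHRD_ETHER
                 b"\x04"                              # packet type 4 = Out
                 b"\x06"                              # address length 6
                 b"\x00\x11\x22\x33\x44\x55\x00\x00")

if __name__ == "__main__":
    for lt, sample in ((DLT_LINUX_SLL, SAMPLE_SLL_V1), (DLT_LINUX_SLL2, SAMPLE_SLL_V2)):
        fields, _ = parse_cooked(lt, sample)
        print(fields, "iface:", ifname(fields["ifindex"]))
```

When tcpdump prints '-e' output for an 'any' capture, these are the only link-level fields it has: the original Ethernet header is gone, so guessing the interface from the link address is the best an SLL v1 capture allows, and only for the Out direction is that address guaranteed to be one of your own.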


Common tcpdump options

While sniffing traffic, some options are worth knowing:

when inspecting the content of the packets...

use something like '-X -s 8192 -i eth0', where '-X' prints each packet in both hex and ASCII, '-s 8192' sets the snapshot length (the number of bytes of each packet tcpdump captures and inspects) and '-i eth0' selects the interface. To get the whole packet, '-s' must be at least the MTU of the interface plus the link-level header (14 bytes on Ethernet), or simply '-s 0', which tcpdump treats as "capture everything". Old tcpdump versions defaulted to a 68-byte snapshot, which truncates nearly everything past the TCP header; tcpdump 4.0 and later default to a snapshot large enough for whole packets (65535 bytes, later 262144), so there '-s' is mostly useful to make captures smaller. You can look at the MTU of your interface with 'ifconfig eth0' or 'ip link show dev eth0'.

when checking routing/firewalling/NAT problems...

use the '-e' parameter to look at the link-level headers. Setting NAT aside, an IP packet always carries the IP address of the sending machine as src IP and the IP address of the final destination as dst IP, whatever path it takes.

A packet that has to pass through a router/gateway/firewall still has the final destination as dst IP. What steers it to the router is the link-level addressing: on Ethernet the frame carries the router's MAC address as the destination MAC. So a packet leaving with the right dst IP but the wrong destination MAC (another host's, or a broadcast) points to a routing or ARP problem rather than an IP-level one, and that is visible only with '-e'.
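The check just described, as an added example that is not part of this page: given a frame captured on the sending host, compare where the IP destination says the packet should go with where the destination MAC actually sends it. The frames, addresses and MACs below are constructed (documentation address ranges), and the function names are this example's own.

```python
import ipaddress
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def _mac(b):
    return ":".join("%02x" % x for x in b)


def parse_eth_ipv4(frame):
    """Return (dst_mac, src_mac, src_ip, dst_ip) from an Ethernet II + IPv4 frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame (ethertype 0x%04x)" % ethertype)
    src_ip, dst_ip = struct.unpack("!12x4s4s", frame[ETH_HDR_LEN:ETH_HDR_LEN + 20])
    return (_mac(dst_mac), _mac(src_mac),
            str(ipaddress.IPv4Address(src_ip)), str(ipaddress.IPv4Address(dst_ip)))


def classify_outbound(frame, local_net, gateway_mac):
    """Check that the link-level destination of a frame sent by this host matches
    where its IP destination says it should go.

      "direct"      dst IP is on the local subnet, delivered straight to that host
      "via-gateway" dst IP is off-subnet and the frame is addressed to the gateway's MAC
      "mismatch"    dst IP is off-subnet but the frame went somewhere else: wrong
                    route, stale ARP entry, or another host answering ARP for the gateway
    """
    dst_mac, _src_mac, _src_ip, dst_ip = parse_eth_ipv4(frame)
    if ipaddress.IPv4Address(dst_ip) in ipaddress.ip_network(local_net):
        return "direct"
    if dst_mac == gateway_mac.lower():
        return "via-gateway"
    return "mismatch"


def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a minimal Ethernet II + IPv4 header (no payload, checksum left 0) for the
    constructed samples below; only the fields parse_eth_ipv4() reads are meaningful."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


# Constructed topology (documentation address ranges, not a real network):
LOCAL_NET = "192.0.2.0/24"
HOST_MAC = "00:11:22:33:44:55"      # this host, 192.0.2.10
GATEWAY_MAC = "aa:bb:cc:dd:ee:01"   # default gateway, 192.0.2.1
PEER_MAC = "aa:bb:cc:dd:ee:20"      # another host on the subnet, 192.0.2.20

ROUTED = build_frame(GATEWAY_MAC, HOST_MAC, "192.0.2.10", "198.51.100.7")  # correct
LOCAL = build_frame(PEER_MAC, HOST_MAC, "192.0.2.10", "192.0.2.20")        # correct
WRONG = build_frame(PEER_MAC, HOST_MAC, "192.0.2.10", "198.51.100.7")      # off-subnet, wrong MAC

if __name__ == "__main__":
    for name, frame in (("routed", ROUTED), ("local", LOCAL), ("wrong", WRONG)):
        print(name, parse_eth_ipv4(frame), classify_outbound(frame, LOCAL_NET, GATEWAY_MAC))
```

The "mismatch" case is exactly the one a capture without '-e' hides: the IP header looks perfect, yet the frame never reaches the router. Compare the destination MAC tcpdump shows with the gateway's entry in 'ip neigh show' (or 'arp -n') before suspecting anything upstream.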

when looking for connectivity problems with particular networks/addresses/...

use the '-vvv' parameter and have a careful look at all the headers tcpdump prints. Take special care with ICMP packets (destination unreachable with "fragmentation needed" or "administratively prohibited", time exceeded, ...), with fragmentation and the DF bit, with the TTL, and with any IP/TCP options set on the packet.

Also, remember to write a filter that isolates the packets coming from the network you are inspecting. Watch out, however: ICMP errors about that traffic are usually sent by intermediate routers, i.e. by IP addresses other than those you are filtering on, so do not filter ICMP out and do not make your filters too strict. Something like:
 # tcpdump -n -vvv 'net xx.xx.xx.xx/24 or icmp' 
should work as expected. An ICMP error quotes the IP header of the packet that triggered it, and that quoted header is how you tie the error back to the flow you are looking at.
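As an added example (not code from this page), here is how a practitioner would classify such ICMP errors programmatically and tie them back to the flow being investigated, using the quoted original IP header rather than the outer source address. The sample packets are constructed (documentation address ranges, checksums left zero) and the helper names are this example's own; it covers the "fragmentation needed" and "administratively prohibited" cases named above plus time exceeded.

```python
import ipaddress
import struct

IPPROTO_ICMP = 1
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def parse_ipv4(data):
    """Return (header fields, payload) for an IPv4 packet; honours IHL so options are skipped."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tot_len, _ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad IHL")
    hdr = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ttl": ttl,
        "df": bool(frag & 0x4000),
        "mf": bool(frag & 0x2000),
        "frag_off": (frag & 0x1FFF) * 8,
    }
    return hdr, data[ihl:]


def classify_icmp_error(packet, flow_net):
    """Inspect a raw IPv4 packet (link header already stripped).

    If it is an ICMP destination-unreachable or time-exceeded message, return a
    dict that ties the error back to the flow under investigation using the
    quoted original IP header, since the ICMP sender is usually an intermediate
    router whose address is not in flow_net. Returns None for anything else.
    """
    outer, payload = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_ICMP or len(payload) < 8:
        return None
    itype, icode, _csum, rest = struct.unpack("!BBH4s", payload[:8])
    if itype not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return None
    # The ICMP body quotes the original IP header plus at least 8 bytes of its payload.
    inner, inner_payload = parse_ipv4(payload[8:])
    net = ipaddress.ip_network(flow_net)
    info = {
        "from": outer["src"],
        "sender_in_filter": ipaddress.ip_address(outer["src"]) in net,
        "type": itype,
        "code": icode,
        "reason": (UNREACH_CODES.get(icode, "unreachable code %d" % icode)
                   if itype == ICMP_DEST_UNREACH else "time exceeded"),
        "original_src": inner["src"],
        "original_dst": inner["dst"],
        "original_proto": inner["proto"],
        "original_df": inner["df"],
        "related_to_flow": (ipaddress.ip_address(inner["src"]) in net
                            or ipaddress.ip_address(inner["dst"]) in net),
    }
    if len(inner_payload) >= 4:   # first bytes of TCP/UDP: source and destination port
        info["original_ports"] = struct.unpack("!HH", inner_payload[:4])
    if itype == ICMP_DEST_UNREACH and icode == 4:
        info["next_hop_mtu"] = struct.unpack("!H", rest[2:4])[0]   # RFC 1191 field
    return info


def _ipv4(src, dst, proto, payload, ttl=64, flags=0):
    """Constructed IPv4 header for the samples below (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


# Constructed sample (documentation addresses): router 203.0.113.1 reports
# "fragmentation needed, next-hop MTU 1400" for a DF-set TCP segment that
# 192.0.2.10 sent to 198.51.100.7:443.
_ORIGINAL = _ipv4("192.0.2.10", "198.51.100.7", 6, struct.pack("!HHI", 40000, 443, 1), flags=0x4000)
_ICMP = struct.pack("!BBHHH", ICMP_DEST_UNREACH, 4, 0, 0, 1400) + _ORIGINAL
SAMPLE_FRAG_NEEDED = _ipv4("203.0.113.1", "192.0.2.10", IPPROTO_ICMP, _ICMP, ttl=250)
# A plain TCP segment on the same flow, for contrast.
SAMPLE_TCP = _ipv4("192.0.2.10", "198.51.100.7", 6, struct.pack("!HHI", 40000, 443, 2), flags=0x4000)

if __name__ == "__main__":
    print(classify_icmp_error(SAMPLE_FRAG_NEEDED, "192.0.2.0/24"))
    print(classify_icmp_error(SAMPLE_TCP, "192.0.2.0/24"))
```

In the constructed sample the error comes from 203.0.113.1, which a filter of just 'net 192.0.2.0/24' would silently drop; with 'or icmp' in the filter it is captured, and the quoted header shows it concerns the 192.0.2.10 to 198.51.100.7:443 flow with DF set and a next-hop MTU of 1400, which is the classic signature of a path MTU problem.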

Always remember to specify the '-n' parameter. Without '-n', IP addresses are resolved into host names (and without '-nn', port and protocol numbers are also turned into names from /etc/services and /etc/protocols, which costs nothing but hides the numbers). Resolving addresses will:
  • greatly slow tcpdump down, since each new address may need a reverse DNS lookup before the line is printed

  • create a mess if no filter has been given, or if you are inspecting DNS packets: the reverse lookups tcpdump itself performs show up as DNS packets in the capture (tcpdump caches the answers, so not every address triggers one), mixing its own traffic into what you are trying to read.

Generated by CRON on 2012/02/14 at 06:26:35.