<main>
<article class="userContent">
<h1>Packet capturing on Linux</h1>
<p>When problems occur, a packet capture is sometimes helpful for troubleshooting, because it shows what actually happens on the wire at the server. This article explains how to capture packets on Linux with tcpdump.</p>
<p>To capture packets on Linux:</p>
<ol>
<li>Start packet capturing by running the following command:
<pre class="code codeBlock" spellcheck="false"># tcpdump -i any -p -s 0 -l -w [filename.cap]</pre>
<p>Use an arbitrary file name in place of <strong>filename.cap</strong>, for example <code>fsigk-20100101.cap</code>.</p>
<p>If you are working over a remote ssh connection, it is better to exclude the ssh session itself from the capture by appending the filter expression <code>not port ssh</code> to the command; otherwise the capture fills up with the traffic of your own terminal:</p>
<pre class="code codeBlock" spellcheck="false"># tcpdump -i any -p -s 0 -l -w [filename.cap] not port ssh</pre>
</li>
<li>Reproduce the problem.</li>
<li>Stop capturing by pressing <strong>Ctrl-C</strong>.</li>
</ol>
<p>The capture result is stored in the <strong>filename.cap</strong> file.</p>
<div>To check that the packets were captured correctly:
<ol>
<li>Run the capture and then read the file back with tcpdump (example):
<pre class="code codeBlock" spellcheck="false"># tcpdump -i any -p -s 0 -l -w fsigk-20070101.cap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
*** re-produce the problem, here ***
*** Push Ctrl-C after the problem happens ***
80 packets captured
80 packets received by filter
0 packets dropped by kernel</pre>
<pre class="code codeBlock" spellcheck="false"># tcpdump -n -r fsigk-20070101.cap
reading from file fsigk-20070101.cap, link-type LINUX_SLL (Linux cooked)
14:46:02.087325 IP 192.168.3.110.ssh &gt; 192.168.3.100.38877: P 3536306927:3536307055(128) ack 3370430943 win 2728 &lt;nop,nop,timestamp 948891483 218615016&gt;
14:46:02.087331 IP 192.168.3.110.ssh &gt; 192.168.3.100.38877: P 0:128(128) ack 1 win 2728 &lt;nop,nop,timestamp 948891483 218615016&gt;
14:46:02.087430 IP 192.168.3.100.38877 &gt; 192.168.3.110.ssh: . ack 128 win 19292 &lt;nop,nop,timestamp 218615017 948891483&gt;
...</pre>
The summary lines show how many packets were captured and, importantly, whether any were dropped by the kernel; the second command lists the captured packets so you can confirm they are the traffic you expected.</li>
<li>You can also open and analyze the capture file (xxx.cap) with Wireshark on Windows or Linux. For more information on Wireshark, see <a rel="nofollow" href="http://www.wireshark.org/">http://www.wireshark.org/</a>.</li>
<li>To read the file in Wireshark, double-click <strong>xxx.cap</strong> or select <strong>File</strong> &gt; <strong>Open</strong>.</li>
<li>To see a whole TCP conversation, select a packet, right-click it and select <strong>Follow TCP Stream</strong>.</li>
</ol>
</div>
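<p>The check above reads the capture back with tcpdump. The following Python script is an added example, not part of the original article: it performs the same sanity check offline on a classic pcap file (not pcapng), verifying the file header, reporting the link type (113 is LINUX_SLL, the "Linux cooked" type shown above) and the snaplen, counting the records, and counting packets on TCP port 22 so you can confirm the <code>not port ssh</code> filter did its job. The sample capture is constructed inside the script from the addresses used in the output above; the function and variable names are the script's own.</p>

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_LINUX_SLL = 113   # "Linux cooked" frames, what tcpdump -i any writes

def is_tcp_port(frame: bytes, port: int) -> bool:
    """True if a LINUX_SLL frame carries IPv4/TCP with `port` as source or destination."""
    if len(frame) < 36 or struct.unpack_from("!H", frame, 14)[0] != 0x0800:
        return False                    # SLL protocol field is not IPv4, or frame too short
    ip = frame[16:]                     # the SLL pseudo-header is 16 bytes
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 4:
        return False                    # not TCP, or the port fields were cut off
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return port in (sport, dport)

def parse_pcap(data: bytes) -> dict:
    """Summarise a classic pcap file: link type, snaplen, packet count, packets on port 22."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    off, packets, ssh = 24, 0, 0
    while off + 16 <= len(data):        # each record: 16-byte header + incl_len bytes of frame
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record (capture stopped mid-write?)")
        packets += 1
        ssh += int(linktype == LINKTYPE_LINUX_SLL and is_tcp_port(frame, 22))   # 22 = ssh
        off += 16 + incl_len
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets, "ssh_packets": ssh}

def sll_tcp_frame(src: str, dst: str, sport: int, dport: int) -> bytes:   # headers only, checksums zero
    sll = struct.pack("!HHH8sH", 0, 1, 6, bytes(8), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return sll + ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 2728, 0, 0)

def pcap_bytes(linktype: int, frames: list) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)   # snaplen 65535 = -s 0
    return header + b"".join(struct.pack("<IIII", 1167634762, 87325 + i, len(f), len(f)) + f
                             for i, f in enumerate(frames))

SAMPLE = pcap_bytes(LINKTYPE_LINUX_SLL, [           # constructed sample, not real traffic
    sll_tcp_frame("192.168.3.110", "192.168.3.100", 22, 38877),   # the ssh session itself
    sll_tcp_frame("192.168.3.100", "192.168.3.110", 38877, 22),
    sll_tcp_frame("192.168.3.100", "192.168.3.110", 45000, 80),   # the traffic we wanted to see
])
```

To run it on a real file, call <code>parse_pcap(open("fsigk-20070101.cap", "rb").read())</code>; a non-zero <code>ssh_packets</code> count means the ssh session was not excluded from the capture.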
</article>
</main>