Packet capturing on Linux

When problems occur, packet capturing is sometimes helpful for troubleshooting to see what happens on the server. This article explains how you can capture packets on Linux.
To capture packets on Linux:
- Start packet capturing by running the following command:
# tcpdump -i any -p -s 0 -l -w [filename.cap]
(Use an arbitrary filename for filename.cap, e.g. fsigk-20100101.cap.)
(If you use a remote ssh connection, it is better to exclude packets related to ssh by adding the filter expression "not port ssh" at the end of the command line.)
- Reproduce the problem.
- Stop capturing by pressing Ctrl-C.
The capturing result is stored in the filename.cap file.
To check that the packets are correctly captured:
- Run the following command (example):
# tcpdump -i any -p -s 0 -l -w fsigk-20070101.cap
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
*** re-produce the problem, here ***
*** Push Ctrl-C after the problem happens ***
80 packets captured
80 packets received by filter
0 packets dropped by kernel
# tcpdump -n -r fsigk-20070101.cap
reading from file fsigk-20070101.cap, link-type LINUX_SLL (Linux cooked)
14:46:02.087325 IP 192.168.3.110.ssh > 192.168.3.100.38877: P 3536306927:3536307055(128) ack 3370430943 win 2728 <nop,nop,timestamp 948891483 218615016>
14:46:02.087331 IP 192.168.3.110.ssh > 192.168.3.100.38877: P 0:128(128) ack 1 win 2728 <nop,nop,timestamp 948891483 218615016>
14:46:02.087430 IP 192.168.3.100.38877 > 192.168.3.110.ssh: . ack 128 win 19292 <nop,nop,timestamp 218615017 948891483>
...
- You can also check and analyze the packet capturing result (xxx.cap) by using Wireshark on Windows and Linux. For more information on Wireshark, see http://www.wireshark.org/.
- To read the file, double-click xxx.cap or select File > Open.
- To see the stream, first select the packet, right-click it, and then select Follow TCP Stream.
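To verify what a capture file written by "tcpdump -i any" actually contains, here is an added example (not part of the original article): a minimal Python reader for the libpcap format with the LINUX_SLL (Linux cooked) link type that tcpdump reports above, with a constructed sample capture embedded inline, and an exclude_port parameter that mirrors the "not port ssh" filter so you can see how much of a capture is just your own ssh session.

```python
import struct

LINKTYPE_LINUX_SLL = 113  # "Linux cooked" link type written by tcpdump -i any
ETH_P_IP = 0x0800

def _record(src, dst, sport, dport, payload=b""):
    """Build one pcap record: LINUX_SLL + IPv4 + TCP (constructed sample data)."""
    sll = struct.pack("!HHH8sH", 0, 1, 6, b"\x00" * 8, ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 2728, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    data = sll + ip + tcp
    return struct.pack("<IIII", 0, 0, len(data), len(data)) + data

# Constructed sample .cap (not a real capture): two ssh packets and one HTTP packet,
# using the same addresses as the article's tcpdump -r output.
SAMPLE_CAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
              + _record("192.168.3.110", "192.168.3.100", 22, 38877, b"x" * 128)
              + _record("192.168.3.100", "192.168.3.110", 38877, 22)
              + _record("192.168.3.100", "192.168.3.110", 45000, 80, b"GET / HTTP/1.0\r\n"))

def read_sll_tcp(cap, exclude_port=None):
    """Parse a LINUX_SLL pcap and return (src, sport, dst, dport, payload_len) for each
    TCP packet; packets touching exclude_port are skipped, like the 'not port ssh' filter."""
    magic, = struct.unpack_from("<I", cap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file (pcapng or big-endian capture?)")
    linktype, = struct.unpack_from("<I", cap, 20)
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("expected LINUX_SLL (113), got link type %d" % linktype)
    off, packets = 24, []
    while off + 16 <= len(cap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", cap, off)
        pkt = cap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", pkt, 14)[0] != ETH_P_IP:  # SLL protocol field
            continue
        ip = pkt[16:]
        if ip[9] != 6:  # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if exclude_port in (sport, dport):
            continue
        data_off = (tcp[12] >> 4) * 4
        packets.append((src, sport, dst, dport, len(tcp) - data_off))
    return packets
```

For a real file, pass open("fsigk-20070101.cap", "rb").read() instead of SAMPLE_CAP; a capture taken without "-i any" will have a different link type and trigger the check.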