Revision as of 09:28, 27 August 2025
Time-based Packet Capture with tcpdump
Efficiently capture network traffic for a specific time interval using tcpdump's built-in file rotation. This method is ideal for monitoring network interfaces without needing external scripts or cron jobs, as it automatically resets the capture file after a set duration.
Choosing Your Capture Method
Before running the command, decide what traffic you need to see. This will determine which command and interface you use.
- Specific Container/VM Interface: Use this when you want to see all traffic entering or leaving a specific virtual machine or Docker container. You must first identify its virtual interface (`veth`) on the host.
- Specific Host and Port: Use this when you want to see all traffic to or from a specific service (e.g., a web server or database) regardless of which interface it uses. This is often the most practical method for troubleshooting application-level issues.
Capture Commands
Here are two primary methods for time-rotated captures. All examples save to a single file that is overwritten every 10 minutes.
Method 1: Capture by Specific Interface
This command is ideal for monitoring all traffic on a known interface, like a container's `veth` adapter.
sudo tcpdump -i vethec9ed9c -w /tmp/capture.pcap -G 600 -W 1
Method 2: Capture by Host and Port
This command captures traffic related to a specific host and port, which is useful for monitoring a backend service.
sudo tcpdump -i any -w /tmp/capture.pcap -G 600 -W 1 'host hostname.asd.local and port 12345'
Parameter Breakdown
- `-i <interface>`: Specifies the network interface to monitor (e.g., `vethec9ed9c`, `eth0`, or `any`).
- `-w /tmp/capture.pcap`: Writes the raw packet output to a file. This is required to use the rotation feature.
- `-G 600`: Sets the rotation interval in seconds. It triggers a file rotation every 600 seconds (10 minutes).
- `-W 1`: Limits the number of capture files to one. When the interval from `-G` elapses, tcpdump overwrites this single file.
- `'host ... and port ...'`: A filter expression to capture only the traffic that matches the specified criteria. Always enclose filters in single quotes to prevent shell interpretation.
Running as a Background Process
To run a capture continuously, it's best to run it as a background process using `nohup` and `&`. This ensures the capture continues even if your terminal session closes.
nohup sudo tcpdump -i any -w /tmp/capture.pcap -G 600 -W 1 'host hostname.asd.local and port 12345' &
To stop the capture, find its process ID and use the `kill` command:
# Find the Process ID (PID) of tcpdump
pgrep tcpdump
# Stop the process using its PID
sudo kill <PID>
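As an added example that is not part of this wiki page, the following POSIX shell script ties the steps above together: it resolves a Docker container's host-side `veth` (the lookup the first bullet under "Choosing Your Capture Method" leaves to the reader), starts the time-bounded capture from the "Capture Commands" section with a pidfile, and stops exactly that process instead of whichever PID `pgrep tcpdump` happens to return when several captures are running. The container name `app`, the in-container interface name `eth0`, the function names and the `/tmp` paths are assumptions. One detail worth knowing when using it: the tcpdump manual page documents `-W` combined with `-G` as limiting the number of rotated files and exiting with status 0 once that limit is reached, so `-G 600 -W 1` is a ten-minute capture that ends on its own, and the pidfile is what lets you stop it early.

```shell
#!/bin/sh
# Added example, not code from the wiki page. Assumes: Linux host with docker,
# nsenter (util-linux) and tcpdump installed, run as root. Container name "app"
# and in-container interface "eth0" are placeholders.

# Map a host-side ifindex to an interface name by scanning sysfs.
# $1 = ifindex, $2 = sysfs net directory (default /sys/class/net; overridable so the
# mapping logic can be exercised against a constructed directory tree).
host_iface_for_index() {
    idx="$1"
    sysnet="${2:-/sys/class/net}"
    for d in "$sysnet"/*; do
        [ -r "$d/ifindex" ] || continue
        if [ "$(cat "$d/ifindex")" = "$idx" ]; then
            basename "$d"
            return 0
        fi
    done
    return 1
}

# Resolve the host veth for a running container. Inside the container's network
# namespace, eth0's 'iflink' holds the ifindex of its peer on the host; we read it
# via nsenter and then look that index up among the host interfaces.
container_veth() {
    ctr="$1"
    pid="$(docker inspect --format '{{.State.Pid}}' "$ctr")" || return 1
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "container $ctr is not running" >&2; return 1; }
    peer_idx="$(nsenter -t "$pid" -n cat /sys/class/net/eth0/iflink)" || return 1
    host_iface_for_index "$peer_idx"
}

# Start a capture on $1 that tcpdump ends by itself after $2 seconds (-G with -W 1),
# writing to $3. Remaining arguments are the BPF filter. A pidfile next to the
# output file records which tcpdump belongs to this capture.
start_capture() {
    iface="$1"; secs="$2"; out="$3"; shift 3
    tcpdump -i "$iface" -w "$out" -G "$secs" -W 1 "$@" &
    echo $! > "$out.pid"
}

# Stop only the capture that wrote $1, then remove its pidfile.
stop_capture() {
    out="$1"
    [ -f "$out.pid" ] || { echo "no pidfile for $out" >&2; return 1; }
    kill "$(cat "$out.pid")" && rm -f "$out.pid"
}

# Usage (as root):
#   veth="$(container_veth app)" && start_capture "$veth" 600 /tmp/capture.pcap
#   start_capture any 600 /tmp/svc.pcap 'host hostname.asd.local and port 12345'
#   stop_capture /tmp/capture.pcap
```

`host_iface_for_index` is kept separate from `container_veth` so the sysfs lookup can be checked without Docker; `ip link` inside the namespace shows the same peer index as the `@ifNN` suffix on `eth0`, which is a quick way to confirm the result by hand.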
