How to use tcpdump to perform a packet capture on a Linux system.
To make a packet capture with tcpdump, proceed as follows.
As the user with access to the device (root), change to the temporary directory and create a sub-directory to hold the capture:
# cd /tmp
# mkdir pc
# cd pc
To make a one-minute capture on eth1, start tcpdump with the following command:
# tcpdump -n -nn -N -s 0 -i eth1 -w eth1.pcap
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
After one minute has elapsed, press Control-C to end the capture. tcpdump then prints a summary like the following:
5 packets captured
5 packets received by filter
0 packets dropped by kernel
The file eth1.pcap is the packet capture.
As an alternative, you can run the following command line as root; it stops the capture automatically after 60 seconds (kill -1 sends SIGHUP, which tcpdump handles like Control-C: it flushes and closes the file and prints the packet counts).
# mkdir -p /tmp/cd ; tcpdump -n -nn -N -s 0 -i eth1 -w /tmp/cd/eth1.pcap & pid=$! ; sleep 60 ; kill -1 $pid
The command options are fully explained in the man page. The options used above are:
-n - do not resolve IP addresses to host names
-nn - additionally, do not convert protocol and port numbers to names
-N - do not print the domain part of host names
-s 0 - capture the entire packet (a snapshot length of 0 means no limit)
-i - the interface to capture on
-w - write the raw packets to the named file instead of printing them
NOTE: If tcpdump is run without the correct switches, packets will be truncated. The "-s 0" option captures the entire packet (older tcpdump releases defaulted to a 68-byte snapshot length, which keeps little more than the headers).
A capture made without the -s 0 option shows up in a protocol analyzer such as Wireshark with the warning "Packet size limited during capture" and truncated HTTP payloads.
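To check an existing capture file for exactly the truncation described in the note, here is an added Python example (not part of the original page and not tcpdump's own code) that reads the classic pcap format directly with only the standard library and lists every packet whose captured length is shorter than its length on the wire. The sample capture it builds is constructed inline, not a real capture, and the 68-byte snapshot length is chosen to reproduce the truncation.

```python
import struct

# pcap magic as read with "<I": usec or nsec timestamps, written by a little- or big-endian host
_LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
_BE_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)
_PCAPNG_MAGIC = 0x0A0D0D0A


def check_capture(data: bytes) -> dict:
    """Walk a classic pcap file and report its snapshot length, packet count and every
    record whose captured length (incl_len) is below its on-the-wire length (orig_len),
    i.e. a packet that was cut short because the snapshot length was too small."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _LE_MAGICS:
        end = "<"
    elif magic in _BE_MAGICS:
        end = ">"
    elif magic == _PCAPNG_MAGIC:
        raise ValueError("pcapng file: this checker only handles classic pcap")
    else:
        raise ValueError("unknown magic %#x" % magic)
    snaplen, linktype = struct.unpack(end + "II", data[16:24])  # global header bytes 16..23
    truncated, count, off = [], 0, 24
    while off + 16 <= len(data):  # each record header: ts_sec, ts_frac, incl_len, orig_len
        _sec, _frac, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("record %d runs past end of file" % (count + 1))
        count += 1
        if incl < orig:
            truncated.append((count, incl, orig))
        off += incl
    return {"snaplen": snaplen, "linktype": linktype, "packets": count, "truncated": truncated}


def build_sample_pcap(snaplen: int, packets) -> bytes:
    """Constructed sample data, not a real capture: a little-endian pcap with linktype 1
    (EN10MB) and one zero-filled record per (incl_len, orig_len) pair."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, (incl, orig) in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, incl, orig) + b"\x00" * incl
    return out


if __name__ == "__main__":
    # Snapshot length 68 (old tcpdump default): a 60-byte frame fits, 1514- and 200-byte frames do not
    report = check_capture(build_sample_pcap(68, [(60, 60), (68, 1514), (68, 200)]))
    print("snaplen %d, %d packets, %d truncated" % (report["snaplen"], report["packets"], len(report["truncated"])))
    for idx, incl, orig in report["truncated"]:
        print("  packet %d: captured %d of %d bytes" % (idx, incl, orig))
```

Run it against a real file with check_capture(open("eth1.pcap", "rb").read()); an empty "truncated" list means -s 0 (or an adequate snapshot length) was in effect.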