Taking a packet trace on Linux using tcpdump

This document (7001152) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop
SUSE Linux Enterprise Server

Situation

How to take a packet trace (LAN trace, packet capture) from Linux using tcpdump.
 

Resolution

tcpdump -i any -s0 -w /tmp/capture.cap
 
-i any = Capture on all interfaces
-s0 = Captures maximum size of packets, without this packets will possibly be truncated.
-w /tmp/capture.cap = Output file for capture

[Please note, this is not an exhaustive list of options, but it covers the basics.  Check the man pages for a complete list]
 
After capturing the packets is complete, press <Ctrl><c> to stop capturing.

Additional Information

Advanced:
To create a rolling trace, for situation where you are trying to capture a random issue without filling up the partition space, various command options are available.  We recommend the following (these are case-sensitive):
-C file_size (in millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-W count -- Used in conjunction with -C, this will limit the number of files created to the specified number, overwriting files from the beginning, thus creating a rotating buffer.
 
IE
tcpdump -i <eth device> -s 0 -C <file_size> -W <number of files> -w </path/to/trace.cap>
 
For roughly 9.6 MB files, rotating through three files, the following command is used:
tcpdump -i eth0 -s 0 -C 10 -W 3 -w /home/myTrace.cap
 
You will see the following traces being created:
myTrace.cap0
myTrace.cap1
myTrace.cap2
 
After myTrace.cap2 is full, the tcpdump command will overwrite myTrace.cap0
 
For roughly 955 MB files, rotating through 8 files, use the following:
tcpdump -i eth0 -s 0 -C 1000 -W 8 -w /some/other/location/serverTrace.cap
 
You will see the following traces created:
serverTrace.cap0
serverTrace.cap1
.... and so on
serverTrace.cap8
 
When dealing with larger traces, and trying to capture a specific issue, it is usually not necessary to send in all of the traces to SUSE Support.  Typically the issue will be in the last one or two traces (depending on the settings used and the amount of traffic on the wire at the time).
 
-------------------------
 
Ethereal or Wireshark can also be used on Linux to take a packet trace.  See the following TID for more detail:
3892415 - How to use Wireshark to capture a packet trace
 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7001152
  • Creation Date: 14-Aug-2008
  • Modified Date:05-Mar-2021
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center