Support has asked a user to collect network packets to analyze a network issue. How can the user capture network packets and save them to a file with the tcpdump command on CentOS/RHEL?
Network packets are captured with the tcpdump command, which is provided in the RPM package tcpdump-[version].[arch].rpm. If tcpdump is run by itself, it dumps all network traffic to the current terminal.
To capture these packets to a file, the following options need to be used:
# tcpdump -i ethX -w /tmp/network.cap
where ethX is the interface on which packets are captured. Capturing continues until it is interrupted with a break, i.e. [CTRL] C.
By default tcpdump captures only the first 68 bytes of each packet. Use the -s 0 option to capture all the data in each packet, as shown:
# tcpdump -i ethX -s 0 -w /tmp/network.cap
The -s snaplen option sets how many bytes of each packet are captured. The default of 68 bytes is adequate for IP, ICMP, TCP and UDP headers but may truncate other information. Note that taking larger snapshots both increases the time it takes to process packets and, effectively, decreases the amount of packet buffering, which may cause packets to be lost. Limit snaplen to the smallest value that captures the protocol information of interest. Setting snaplen to 0 captures the whole packet.
Note, however, that when TCP options are used 68 bytes may not be enough to capture all the network protocol headers: TCP options themselves can add 20 bytes or more, depending on which options are used. A safer value is therefore around -s 100, which captures all the network protocol headers while still avoiding application data.
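The snaplen chosen with -s is recorded in the capture file, and every packet record stores both the number of bytes actually saved and the packet's original length, so a saved file can be checked afterwards for truncation before it is handed to support. The following Python script is an added example, not part of the original article or of the tcpdump project: it reads the classic libpcap header and packet records, reports the snaplen and how many packets were cut short, and builds a small constructed sample file in memory so it runs without a real capture. The helper names (build_pcap, analyze_pcap) and the sample packet sizes are assumptions made for the example.

```python
import struct
import sys

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap magic, written in native byte order by tcpdump -w
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic as seen when the file was written big-endian


def build_pcap(snaplen, packet_lengths):
    """Constructed sample: emit a little-endian pcap file (link type 1 = Ethernet)
    whose packets are truncated to snaplen, the way tcpdump -s does."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    records = b""
    for i, orig_len in enumerate(packet_lengths):
        payload = bytes([i % 256]) * orig_len          # filler bytes, not real frames
        incl_len = min(orig_len, snaplen)              # bytes actually saved
        records += struct.pack("<IIII", 1700000000 + i, 0, incl_len, orig_len)
        records += payload[:incl_len]
    return header + records


def analyze_pcap(data):
    """Parse the global header and walk the packet records; return capture statistics."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _major, _minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack_from(
        endian + "HHiIII", data, 4
    )
    offset = 24  # global header is 24 bytes
    packets = truncated = max_orig_len = 0
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, offset
        )
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % offset)
        offset += incl_len
        packets += 1
        if incl_len < orig_len:
            truncated += 1  # snaplen was smaller than this packet
        max_orig_len = max(max_orig_len, orig_len)
    return {
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "truncated": truncated,
        "max_orig_len": max_orig_len,
    }


def report(stats):
    """Human-readable summary of analyze_pcap() output."""
    lines = [
        "snaplen recorded in file: %d" % stats["snaplen"],
        "packets: %d, truncated by snaplen: %d" % (stats["packets"], stats["truncated"]),
        "largest original packet: %d bytes" % stats["max_orig_len"],
    ]
    if stats["truncated"]:
        lines.append("hint: re-capture with a larger -s value if full packets are needed")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. /tmp/network.cap from tcpdump -w
            raw = fh.read()
    else:
        # constructed sample: default snaplen 68 against 60, 68, 200 and 1514 byte packets
        raw = build_pcap(68, [60, 68, 200, 1514])
    print(report(analyze_pcap(raw)))
```

Run it against the file written by tcpdump -w (for example `python3 checkcap.py /tmp/network.cap`); with no argument it analyzes the constructed sample, where the two packets larger than 68 bytes show up as truncated.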
Examples of using the tcpdump command for network troubleshooting