-1

Can you please help me to get an idea, how to do the following requirement?

I have two ethernet ports on a server. Eth0 and Eth1. Both interfaces are carrying traffic. I want to capture packet-dump both of the interfaces and merge into one file.

Thank you, Luke

Luke Devon
    https://serverfault.com/questions/805006/tcpdump-on-multiple-interfaces – Marged May 12 '18 at 10:09
  • Welcome to Stack Overflow! Unfortunately questions like these are [off-topic](https://stackoverflow.com/help/on-topic) for Stack Overflow, and therefore should be asked here: [ServerFault](https://serverfault.com). – sɐunıɔןɐqɐp May 12 '18 at 10:29
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Web Applications Stack Exchange](http://webapps.stackexchange.com/), [Webmaster Stack Exchange](http://webmasters.stackexchange.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww May 13 '18 at 02:59

1 Answer

-1

As the answers to Tcpdump on multiple interfaces provide, which @Marged linked to above, you can run tcpdump (or tshark or dumpcap) specifying -i any as the interface if you don't mind capturing traffic on all interfaces. And if you only want traffic on those 2 specific interfaces, then you can simultaneously run 2 separate instances of the capture tool, one capturing on the eth0 interface, the other capturing on the eth1 interface and then merge the two capture files together using a tool such as mergecap.

Alternatively - and much simpler in my opinion - you can just use a single instance of either dumpcap or tshark to capture traffic on both interfaces to a single capture file, with no merging of separate capture files needed at all. As the man pages for those tools indicate, "This option can occur multiple times. When capturing from multiple interfaces, the capture file will be saved in pcapng format."

For example:

```sh
tshark -i eth0 -i eth1 -w eth0_eth1.pcapng
```
Christopher Maynard
  • Hi Chris, can I rotate the above command every 15 sec, and can we compress into tar.gz at the end of the 15 sec? Likewise, it will generate a number of files until the tshark process has been stopped. – Luke Devon May 13 '18 at 03:06
  • As the `dumpcap` and `tshark` man pages indicate, you use the `-b duration:value` option (where *value* is the number of seconds) to specify how long to capture packets before switching to the next file. Since neither `dumpcap` nor `tshark` support writing compressed capture files (yet), you will have to come up with an alternate solution to handle that yourself. Peter Wu has already opened a bug report requesting support for writing compressed capture files by these tools, but thus far nobody has implemented it. The bug is here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9311 – Christopher Maynard May 13 '18 at 15:58
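Putting the answer and the comment exchange together: the following is an added example, not code from the answerer or from the Wireshark project. It starts the two-interface capture with `-b duration:15` so tshark writes a fresh pcapng every 15 seconds, and, since tshark itself cannot write compressed files, a small watcher gzips each file tshark has finished with (the newest file is skipped while tshark is still writing it). The capture directory, the use of gzip rather than tar.gz, and the `eth0`/`eth1` names from the question are assumptions; tshark's rotated-file naming (`prefix_NNNNN_YYYYMMDDhhmmss.pcapng`) sorts chronologically, which is what `compress_finished` relies on.

```sh
#!/bin/sh
# Added example: rotate a two-interface tshark capture every 15 s and gzip
# each completed file. Assumes eth0/eth1 (from the question), gzip on PATH,
# and a writable capture directory (assumption: CAP_DIR below).
set -eu

CAP_DIR="${CAP_DIR:-/var/tmp/captures}"

# Start one tshark writing one pcapng per 15 s. With -b duration:15 and
# -w PREFIX.pcapng, tshark names files PREFIX_00001_20180513030600.pcapng,
# PREFIX_00002_..., so a sorted glob lists them oldest to newest.
start_capture() {
    mkdir -p "$CAP_DIR"
    tshark -i eth0 -i eth1 -b duration:15 -w "$CAP_DIR/eth0_eth1.pcapng" &
    echo $!   # PID, so the caller can stop the capture later
}

# gzip every .pcapng in a directory. While tshark is running the newest file
# is still open for writing, so pass 1 as the second argument to skip it;
# pass 0 after tshark has exited to compress the final file too.
# Prints the number of files compressed.
compress_finished() {
    dir="$1"; skip_newest="${2:-1}"; count=0; last=""
    for f in "$dir"/*.pcapng; do [ -e "$f" ] && last="$f"; done
    for f in "$dir"/*.pcapng; do
        [ -e "$f" ] || continue                     # unmatched glob
        if [ "$skip_newest" -eq 1 ] && [ "$f" = "$last" ]; then continue; fi
        gzip -9 "$f"                                # writes "$f.gz", removes "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Compress in the background every 15 s until the tshark PID goes away,
# then sweep up the last file, which is complete once tshark has exited.
watch_and_compress() {
    pid="$1"
    while kill -0 "$pid" 2>/dev/null; do
        sleep 15
        compress_finished "$CAP_DIR" 1 >/dev/null
    done
    compress_finished "$CAP_DIR" 0 >/dev/null
}

# Typical use (not run here):
#   pid=$(start_capture); watch_and_compress "$pid" &
#   ... later: kill "$pid"   # the watcher then compresses the final file
```

Rotated files that are still being written must never be compressed or moved, which is why the newest file is left alone until tshark has exited.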