Reputation: 338
How to capture packages via both eth0 and lo at the same time?
There are two net interfaces on my pc.
netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 27186 0 0 0 20784 0 0 0 BMRU
lo 65536 0 42025 0 0 0 42025 0 0 0 LRU
Packages via lo can captured by.
sudo tcpdump -i lo
Packages via eth0 can captured by.
sudo tcpdump -i eth0
How to capture packages via both eth0 and lo at the same time?
sudo tcpdump -i eth0 -i lo can not work.
sudo tcpdump -i eth0 -i lo = sudo tcpdump -i eth0=sudo tcpdump
Upvotes: 4
Views: 29066
Answers (3)
Reputation: 610
from https://serverfault.com/questions/805006/tcpdump-on-multiple-interfaces
The way I would approach this is to dump on each interface to a separate file and then merge them. The any interface also includes lo traffic which can pollute the capture.
This also allows for analysis of the packet streams per interface without complex filtering.
I would capture in 3 terminals or by backgrounding the command with &
The flags -nn turns off dns resolution for speed, -s 0 saves the full packet and -w writes to a file.
tcpdump -i wan0 -nn -s 0 -w wan0.dump tcpdump -i wan1 -nn -s 0 -w wan1.dump tcpdump -i lan0 -nn -s 0 -w lan0.dump I would then merge the files with the mergecap command from wireshark:
mergecap -w merged.dump wan0.dump wan1.dump lan0.dump
Upvotes: 1
Reputation: 334
Another option you can try out is to run tcpdump process on two interface parallely, like
sudo tcpdump -i lo & sudo tcpdump -i eth0 &
& will make it run in background
With this the issue of flooding of packet caused by "any" option can be moved out also, you can achieve the intention of capturing only on two interface as mentioned
Upvotes: 2
Reputation: 6254
Assuming your kernel supports it, you can run tcpdump -i any, but that will capture on all interfaces, and not just on the lo and eth0 interfaces. Also, according to the tcpdump man page, "... captures on the ''any'' device will not be done in promiscuous mode.", so if you need to place the NIC in promiscuous mode in order to capture your traffic of interest, this solution may not work for you. In that case, you could:
- Start 2 separate instances of
tcpdump, one capturing onloand the other capturing oneth0. If you write the packets to separate files, you can use a tool such asmergecapto merge them together afterward. - Use
dumpcaportsharkinstead, either of which can capture on multiple interfaces.
Upvotes: 4
Related Questions
- how to capture package at a specific port on any interface using tshark
- How to capture traffic from multiple interfaces using pcap
- tcpdump: How to capture arrival / outgoing interface for a packet?
- capture network traffic on two different ports simultaneously
- Capture incoming traffic in tcpdump
- Capturing on a non-default interface with tcpdump
- two instances of tcpdump at the same time?
- tcpdump: capture outgoing packets on virtual interfaces that has an unknown link type to libpcap?
- libpcap - capture packets from all interfaces
- How to save the packages received by a network interface or some port in a file and resend the packages received when needed?