Packet Captures for Linux (tcpdump) and Windows (netsh trace)


=====Linux:
Server to Server:
On server IP 172.20.202.2:

tcpdump –I eth0 host 172.20.204.138

On server IP 172.20.204.138:

tcpdump –I eth0 host 172.20.202.2

or

tcpdump -i eth0 src host 54.172.24.91 -w /tmp/[outputfile]

or

Set a size and rotate the log files:

tcpdump –nni [interface] -C [file-size-in-MB] -W [number-of-files-to-rotate] -v –w [formatted-output-file]

Example for us using 1G of space (you can adjust it) and timestamp the output cap file:

tcpdump -nni eth0 -v -C 1000 -W 10 -w ~/"oncore-prod_`date '+%Y-%m-%d_%H:%M:%S'`.pcap"                    :space after date

=====Windows:
If you ever need to do a packet capture on a Windows PC/Server and you don’t have or can’t install Wireshark, you can run this Windows command:

netsh trace start capture=yes overwrite=no maxSize=500 tracefile=c:\capture.etl
netsh trace stop

The ETL file can be sent to anyone to convert it to a CAP file for Wireshark. The default maxSize is 250MB but it can be changed. You can obviously change the capture name and location if you want.

This ETL file is converted using Microsoft Message Analyzer:

1. First open the ETL in MMA
2. Go to File, Save As, All Messages, Export to export it as a CAP

More Stories
Types of HTTP Error and Status Codes