Packet Captures for Linux (tcpdump) and Windows (netsh trace)

Server to Server:
On server IP

tcpdump -i eth0 host [IP-of-other-server]

On server IP

tcpdump -i eth0 host [IP-of-other-server]


tcpdump -i eth0 src host [source-IP] -w /tmp/[outputfile]


Set a size and rotate the log files:

tcpdump -nni [interface] -C [file-size-in-MB] -W [number-of-files-to-rotate] -v -w [formatted-output-file]

Example using 1G of space (you can adjust it), with a timestamp in the output capture file name:

tcpdump -nni eth0 -v -C 1000 -W 10 -w ~/"oncore-prod_`date '+%Y-%m-%d_%H:%M:%S'`.pcap"

Note the space after date in the command above.
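A pre-flight check for the rotating capture above, added here as an example and not part of the original notes. -C is the size of each file and -W the number of files kept, so the worst-case disk use is their product. The function names and the "capture" prefix are assumptions.

```shell
#!/bin/sh
# Added example: check that a tcpdump ring buffer fits on disk before starting.

# Worst-case ring size in MB. -C is the per-file size (tcpdump counts it in
# units of 1,000,000 bytes) and -W is the number of files kept.
ring_budget_mb() {
    echo $(( $1 * $2 ))
}

# Free space, in units of 1,000,000 bytes, on the filesystem holding $1.
free_mb() {
    df -Pk "$1" | awk 'NR==2 { print int($4 * 1024 / 1000000) }'
}

# Timestamped name. Hyphens replace the colons used on the page so the
# file can also be copied to a Windows host for analysis.
capture_name() {
    echo "$1_$(date '+%Y-%m-%d_%H-%M-%S').pcap"
}

# Print the tcpdump command line, or fail if the full ring would not fit.
# usage: build_capture IFACE DIR PREFIX SIZE_MB FILES
build_capture() {
    iface=$1 dir=$2 prefix=$3 size=$4 files=$5
    need=$(ring_budget_mb "$size" "$files")
    have=$(free_mb "$dir")
    [ -n "$have" ] || { echo "cannot read free space for $dir" >&2; return 1; }
    if [ "$need" -ge "$have" ]; then
        echo "ring needs ${need} MB, only ${have} MB free in $dir" >&2
        return 1
    fi
    # tcpdump appends the ring index to this name for each rotated file.
    echo "tcpdump -nni $iface -v -C $size -W $files -w $dir/$(capture_name "$prefix")"
}

# The page's settings (-C 1000 -W 10) can grow to 10000 MB in total.
build_capture eth0 /tmp capture 1000 10 || true
```
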

If you ever need to do a packet capture on a Windows PC/Server and you don’t have or can’t install Wireshark, you can run this Windows command:

netsh trace start capture=yes overwrite=no maxSize=500 tracefile=c:\capture.etl
netsh trace stop

The ETL file can be sent to anyone to convert it to a CAP file for Wireshark. The default maxSize is 250MB but it can be changed. You can obviously change the capture name and location if you want.

This ETL file is converted using Microsoft Message Analyzer:

1. First open the ETL in MMA
2. Go to File, Save As, All Messages, Export to export it as a CAP
