Thursday, July 8, 2010

Packet Capturing and Analyzing Packets Using TCPDUMP on CentOS, Fedora, Ubuntu and other Linux Distros

Many times Linux system admins face network latency or connectivity problems between servers that hamper services and impact the business. Basic Linux tools cannot really solve these problems, but they can help you identify the issue between one host and another, or between a host and a network device.

Here we will use the tcpdump tool to capture packets, after which you can analyse the data and identify the host causing the errors.
If you installed Linux properly, tcpdump is installed on your system by default; if not, you can install it by finding the relevant package for your distro.

On RPM-based Linux you can google for "tcpdump +rpm", and on Debian you can google for "tcpdump +deb"; you will get enough results to finish installing the tcpdump package on your system.

After installing, check that tcpdump was installed successfully by executing the command below:

 #>which tcpdump


It should return the location of the installed binary:

/usr/sbin/tcpdump


After confirming this, you can run tcpdump with various options; pass --help to the command to list them:

[root@ashwin ~]# tcpdump --help
tcpdump version 3.9.8
libpcap version 0.9.8
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -Z user ]
[ expression ]


We will capture packets for 2 minutes and analyze them for any issues with hosts connecting to and from this machine.

Running the command below captures all the packets passing between hosts through the network interface card (here the bonded interface bond0) and redirects the output to a file:

tcpdump -n -i bond0 -e -vvv > output.log


Once you have captured packets for 5 minutes, press Ctrl + z to end the capture and proceed with analyzing the file "output.log".


Example:

2.39.omserv > 11.240.240.141.nfs: ., cksum 0x1eba (correct), 156:156(0) ack 28961 win 30782
18:41:21.397883 00:a0:98:10:7a:05 > 00:21:5a:4c:a6:3e, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 26738, offset 0, flags [DF], proto: TCP (6), length: 1500) 11.240.240.141.2049 > 11.240.240.39.33554432: reply ERR 1448

From the line above it is clear that a partition is mounted on the host over the NFS protocol from the host with IP 11.240.240.141, which is having issues while transferring data to the host with IP 11.240.240.39, as shown by the error "reply ERR 1448".

You can find a great deal of detail in the output of tcpdump. You can also use Wireshark to read output.log and get better clarity on the data transmission, and so resolve a lot of network latency.
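As an added example (not part of the original post), the script below parses lines in the `tcpdump -n -e -vvv` text format shown above and counts, per source/destination pair, how many packets carry an NFS/RPC "reply ERR" decode, so the host with the failing transfers stands out without reading the whole log by hand. The sample lines are constructed to match the post's capture; the regular expression assumes name resolution is off (`-n`), so addresses appear as dotted IPv4 followed by a port.

```python
import re
from collections import Counter

# Constructed sample lines in the format of `tcpdump -n -e -vvv` (tcpdump 3.9.x),
# modelled on the capture shown above; the addresses are the ones from the post.
SAMPLE_LOG = """\
18:41:21.397883 00:a0:98:10:7a:05 > 00:21:5a:4c:a6:3e, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 26738, offset 0, flags [DF], proto: TCP (6), length: 1500) 11.240.240.141.2049 > 11.240.240.39.33554432: reply ERR 1448
18:41:21.397901 00:21:5a:4c:a6:3e > 00:a0:98:10:7a:05, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 26739, offset 0, flags [DF], proto: TCP (6), length: 52) 11.240.240.39.33554432 > 11.240.240.141.2049: ., cksum 0x1eba (correct), 156:156(0) ack 28961 win 30782
18:41:21.398010 00:a0:98:10:7a:05 > 00:21:5a:4c:a6:3e, ethertype IPv4 (0x0800), length 1514: (tos 0x0, ttl 64, id 26740, offset 0, flags [DF], proto: TCP (6), length: 1500) 11.240.240.141.2049 > 11.240.240.39.33554432: reply ERR 1448
18:41:21.398200 00:a0:98:10:7a:05 > 00:21:5a:4c:a6:3e, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 26741, offset 0, flags [DF], proto: TCP (6), length: 84) 11.240.240.141.2049 > 11.240.240.39.33554432: reply ok 40 getattr REG 100644 ids 0/0 sz 4096
"""

# "<src-ip>.<port> > <dst-ip>.<port>: <protocol decode>" as printed with -n (no name lookups)
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<decode>.*)$"
)

def parse_flows(text):
    """Yield (src, dst, decode) for every line whose IPv4 flow tuple is recognised."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("decode")

def summarize(text):
    """Count total packets and 'reply ERR' packets per (src, dst) pair."""
    packets, errors = Counter(), Counter()
    for src, dst, decode in parse_flows(text):
        packets[(src, dst)] += 1
        if decode.startswith("reply ERR"):   # RPC reply that tcpdump flagged as an error
            errors[(src, dst)] += 1
    return packets, errors

def report(text, threshold=1):
    """Return [((src, dst), error_count, packet_count), ...] for pairs at or above threshold, worst first."""
    packets, errors = summarize(text)
    flagged = [(pair, errors[pair], packets[pair]) for pair in errors if errors[pair] >= threshold]
    return sorted(flagged, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    # Point this at the real capture with: report(open("output.log").read())
    for (src, dst), err, total in report(SAMPLE_LOG):
        print(f"{src} -> {dst}: {err} error replies out of {total} packets")
```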

Enjoy.

1 comment:

  1. I got to this page from Facebook (someone posted it). After checking your article, I then clicked "Like" then reshared it myself.