6

I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 WAN interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced between the two WAN interfaces, I wonder if it is possible to capture simultaneously on all interfaces.

I have used tcpdump previously but it only admits one interface at a time. I can launch 3 parallel processes to capture on all interfaces but then I end up with 3 different capture files.

What is the right way of doing this?

drcelus
  • 1,233
  • 4
  • 14
  • 27

2 Answers

16

If you use wireshark/tshark, there is a pseudo-interface named 'any' which takes all the interfaces:

tshark -i any

Wireshark is available on all platforms.

Edit: The any interface depends on libpcap: tcpdump has it!

tcpdump -i any

Dom
  • 6,628
  • 1
  • 19
  • 24
  • 1
    According to https://github.com/the-tcpdump-group/tcpdump/issues/480#issuecomment-138317953 the 'any' interface doesn't support promiscuous mode. (The answer was written for tcpdump but I guess it applies for tshark too.) – pt1 Aug 18 '16 at 12:23
0

I ran into an issue where, when I tried to dump broadcast traffic on the any interface, tcpdump on the device replied "not a broadcast link".

# tcpdump -i any broadcast -nn -v
tcpdump: not a broadcast link

I figured out I can just run multiple commands in parallel to get what I needed. It isn't the prettiest, but it worked for me.

tcpdump -i ath0 broadcast -n &
tcpdump -i ath1 broadcast -n &
tcpdump -i ath2 broadcast -n &
tcpdump -i ath3 broadcast -n &
tcpdump -i ath4 broadcast -n &
tcpdump -i ath5 broadcast -n &
tcpdump -i ath6 broadcast -n &
tcpdump -i ath7 broadcast -n &
tcpdump -i ath8 broadcast -n &

Then to kill all the parallel jobs and stop dumping:

kill `jobs -p`
Jon
  • 119
  • 7
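The question's remaining concern (parallel tcpdump processes leave one file per interface) and the comment's caveat about 'any' (libpcap cannot put the any pseudo-interface into promiscuous mode, and it records Linux "cooked" SLL headers instead of the real link-layer frames) both point at the same workaround: capture per interface with tcpdump -w and merge the files afterwards with mergecap from the Wireshark suite, which interleaves packets by timestamp. The script below is an added example, not code from either answer; the output directory, the file naming, the FILTER variable and the interface names in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): run one tcpdump per interface
# in parallel, one pcap file each, then merge them into a single time-ordered
# file with mergecap when the user presses Ctrl-C.
# Usage (as root):   FILTER="tcp port 3128" ./multicap.sh eth0 eth1 eth2
# OUTDIR, FILTER and the interface names are assumptions, not page values.

OUTDIR="${OUTDIR:-/tmp/multicap}"   # per-interface files and the merged file land here
FILTER="${FILTER:-}"                # optional BPF filter, e.g. "tcp port 3128"

# Build the tcpdump command line for one interface.
# -nn: no name/port resolution, -s 0: whole packets (needed to reconstruct a
# full conversation later), -w: write raw pcap instead of decoding to stdout.
# The real Ethernet headers are preserved because we capture per interface,
# which the 'any' pseudo-interface would replace with Linux cooked headers.
capture_cmd() {
    iface="$1"
    filter="$2"
    cmd="tcpdump -i $iface -nn -s 0 -w $OUTDIR/cap-$iface.pcap"
    [ -n "$filter" ] && cmd="$cmd $filter"
    printf '%s' "$cmd"
}

# Merge the per-interface captures into one file ordered by timestamp.
# mergecap ships with Wireshark; without it the per-interface files remain.
merge_files() {
    if command -v mergecap >/dev/null 2>&1; then
        mergecap -w "$OUTDIR/all.pcap" "$OUTDIR"/cap-*.pcap
        echo "merged capture written to $OUTDIR/all.pcap"
    else
        echo "mergecap not installed; per-interface files are in $OUTDIR" >&2
    fi
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 IFACE [IFACE...]" >&2; return 2; }
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found" >&2; return 1; }
    mkdir -p "$OUTDIR"

    # Start one capture per interface; remember the tcpdump PIDs (not the PIDs
    # of wrapper subshells) so a single kill stops exactly those processes.
    pids=""
    for iface in "$@"; do
        eval "$(capture_cmd "$iface" "$FILTER") &"
        pids="$pids $!"
    done
    echo "capturing on: $* (pids:$pids). Press Ctrl-C to stop and merge."

    # On Ctrl-C / TERM: stop every capture, wait so the pcap files are flushed
    # and closed cleanly, then merge them.
    trap 'kill $pids 2>/dev/null; wait; merge_files; exit 0' INT TERM
    wait
}

# Only start capturing when interfaces are given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because every interface gets its own file, a single WAN-side file can still be inspected on its own if the merged view is confusing, and the merged file is what to open in Wireshark and filter on the client address to follow one proxied conversation across the LAN and both WAN interfaces.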