Tcpdump on multiple interfaces

Question

I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 wan interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced between the two WAN interfaces, I wonder if is it possible to capture simultaneously on all interfaces.

I have used tcpdump previously but it only admits one interface at a time. I can launch 3 parallel processes to capture on all interfaces but then I end up with 3 different capture files.

What is the right way of doing this ?

AdamRushad is correct. You can use `wireshark` too. – Ryan Babchishin Sep 23 '16 at 19:14 — Ryan Babchishin, Sep 23 '16 at 19:14

Adam Rushad · Answer 1 · 2016-09-23T19:13:32.023

52

According to the tcpdump man page:

On Linux systems with 2.2 or later kernels, an interface argument of ‘‘any’’ can be used to capture packets from all interfaces. Note that captures on the ‘‘any’’ device will not be done in promiscuous mode.

So you should be able to run: tcpdump -i any in order to capture data on all interfaces at the same time into a single capture file.

edited Sep 23 '16 at 19:13

answered Sep 23 '16 at 19:02

Adam Rushad

646
4
5

9

that doesn't work if I want to capture some, but not all, of the interfaces – Thayne Oct 02 '18 at 16:16

score 20 · Answer 2 · answered Sep 23 '16 at 20:07

The way I would approach this is to dump on each interface to a separate file and then merge them. The any interface also includes lo traffic which can pollute the capture.

This also allows for analysis of the packet streams per interface without complex filtering.

I would capture in 3 terminals or by backgrounding the command with &

The flags -nn turns off dns resolution for speed, -s 0 saves the full packet and -w writes to a file.

tcpdump -i wan0 -nn -s 0 -w wan0.dump
tcpdump -i wan1 -nn -s 0 -w wan1.dump
tcpdump -i lan0 -nn -s 0 -w lan0.dump

I would then merge the files with the mergecap command from wireshark:

mergecap -w merged.dump wan0.dump wan1.dump lan0.dump

score 4 · Answer 3 · answered Apr 17 '18 at 09:46

4

To capture a tcpdump on all interfaces use

tcpdump -i any

answered Apr 17 '18 at 09:46

Vijay S B

185
1
4

6

This was already given as answer 2 years ago in Adam Rushad answer. – Patrick Mevzek Aug 01 '19 at 14:58
Use "tshark -D" to find the numeric order of your interfaces (assuming 1 = wan0, 2 = wan1 and 3= lan0). You can capture on all three interfaces with "tshark -i 1 -i 2 -i 3". This worked for me. – skb007 Apr 08 '21 at 13:21

Tcpdump on multiple interfaces

3 Answers3