0

Basically I want to do something like strace ssh user@host and instead of seeing the system calls, I want to watch the tcp connection packets as the connection is established.

I'm having this weird problem between two specific machines, where b can connect to a but a can't connect to b most of the time, and when it is able to connect the connection is very slow and it takes a minute just to get the ssh greeting.

Sounds like packets being dropped, so I'm looking for a way to diagnose. I know I can fire up wireshark or something (suggestions welcome) but I figured if there was something simple and specific to a process that would be handy.

Stu
  • 2,118
  • 2
  • 15
  • 21
  • so I just found tcptrack which is showing me that a SYN packet is sent to start the connection, and no SYN-ACK (or anything else) ever comes back. Now what do I do? – Stu Dec 22 '18 at 22:08
  • Sounds like a firewall allowing incoming but not outgoing, or vice versa. You can use tcpdump to dig further: https://serverfault.com/questions/217605/how-to-capture-ack-or-syn-packets-by-tcpdump – Jeremy Harris Dec 22 '18 at 22:12

2 Answers2

3

you can do the sniff with tcpdump perfectly

install tcpdump

on debian,ubuntu 

apt install tcpdump

on centOS 

yum install tcpdump

listen on tcp packets

at first list your interfaces

tcpdump -D

list/capture packets on interface eth0

tcpdump -n -i eth0

list/capture ONLY TCP packets on interface eth0

 tcpdump -i eth0 tcp

screenshots

tcpdump Display Available Interfaces

tcpdump Capture show Packets

Aysad Kozanoglu
  • 59
  • 3
-2

So I found my problem, it turned out to be a script generating lots of iptables drop rules. I'm guessing one of the ips it was blocking was on one of the routes between the two machines, so it was intermittent. Removing the iptables rules made the problem go away.

Stu
  • 2,118
  • 2
  • 15
  • 21