tcpdump capturing packets only when interface is specified

2

I have tried 3 different ways of capturing a stream of packets coming into my server. Two of them work and the third does not. I am trying to determine why it is missed by the third approach:

tcpdump -i eth1 udp port 5052
tcpdump -i eth1 -p udp port 5052
tcpdump -i any udp port 5052
tcpdump udp port 5052 #Does not work

My theory was that the any approach was failing because the capture was non-promiscuous and it must be getting dropped by iptables somewhere. However, even when I make the first capture non-promiscuous (by explicitly setting -p) it captures the packets. What else could be different between the two?

UPDATE: I realized that I was not doing exactly what I thought. There are actually 4 variations and the one that is failing is only when I don't specify an interface. What would be different between no -i flag and -i any?

Pace

Posted 2015-04-29T15:54:01.163

Reputation: 131

With no -i flag, tcpdump will use the first network - this might not be what you want (eth0 in your case) – Eugen Rieck – 2015-04-29T16:56:18.410

Ah, yes, that would indeed explain the issue. – Pace – 2015-04-29T17:14:20.223

Answers

1

When you start tcpdump, it tells you which interface it listens on:

# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

The manual page is very clear about the matter:

-i Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.

This means that as long as you have a configured eth0 interface, eth1 will never be selected as default capture interface.

Matyas Koszik

Posted 2015-04-29T15:54:01.163

Reputation: 141
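As an added illustration (not part of the answer above or of tcpdump itself), the following Python applies the selection rule quoted from tcpdump(8) to a constructed `ip -o link show` listing for a two-NIC host, and reports whether a capture started without `-i` would miss traffic arriving on eth1. It assumes the manual's wording (lowest numbered, configured-up, non-loopback interface) is an adequate model of what libpcap actually does.

```python
import re

# Constructed `ip -o link show` output for a host with lo, eth0 and eth1 (not real captured data).
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff\n"
)

# One `ip -o link` line starts with "<index>: <name>[@peer]: <FLAG,FLAG,...>".
LINK_RE = re.compile(r"^(?P<idx>\d+):\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def parse_links(text):
    """Return [(index, name, {flags}), ...] parsed from `ip -o link show` output."""
    links = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links.append((int(m.group("idx")), m.group("name"), set(m.group("flags").split(","))))
    return links


def default_capture_interface(links):
    """Apply the tcpdump(8) rule: lowest numbered interface that is UP and not loopback.

    Returns None when no interface qualifies (tcpdump would then refuse to start).
    """
    candidates = [(idx, name) for idx, name, flags in links
                  if "UP" in flags and "LOOPBACK" not in flags]
    return min(candidates)[1] if candidates else None


def capture_would_miss(links, traffic_iface):
    """True when `tcpdump` without -i would listen somewhere other than traffic_iface."""
    return default_capture_interface(links) != traffic_iface


if __name__ == "__main__":
    links = parse_links(SAMPLE_IP_LINK)
    print("default capture interface:", default_capture_interface(links))
    print("udp port 5052 arriving on eth1 missed without -i:", capture_would_miss(links, "eth1"))
```

Run it against real `ip -o link show` output before starting a capture on a multi-homed box to see which interface a bare `tcpdump` will pick; if it is not the one the traffic arrives on, pass `-i` explicitly or use `-i any`.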