I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 WAN interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced between the two WAN interfaces, I wonder if it is possible to capture simultaneously on all interfaces.
I have used tcpdump previously but it only admits one interface at a time. I can launch 3 parallel processes to capture on all interfaces but then I end up with 3 different capture files.
What is the right way of doing this?
According to the tcpdump man page:
On Linux systems with 2.2 or later kernels, an interface argument of "any" can be used to capture packets from all interfaces. Note that captures on the "any" device will not be done in promiscuous mode.
So you should be able to run:
tcpdump -i any
in order to capture data on all interfaces at the same time into a single capture file.

The way I would approach this is to dump on each interface to a separate file and then merge them. The any interface also includes lo traffic which can pollute the capture.
This also allows for analysis of the packet streams per interface without complex filtering.
I would capture in 3 terminals or by backgrounding the command with &
The flags -nn turn off DNS resolution for speed, -s 0 saves the full packet and -w writes to a file.
I would then merge the files with the mergecap command from Wireshark:
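The per-interface capture and merge described in this answer, written out as an added example script (not the answerer's own commands); the interface names eth0, eth1, eth2 and the output directory /tmp/capture are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers: one tcpdump per interface
# in the background, stopped together on Ctrl-C, then merged with mergecap.
# Interface names and output directory are assumptions; override IFACES and
# OUTDIR (no spaces in either) for the host being debugged.
IFACES="${IFACES:-eth0 eth1 eth2}"
OUTDIR="${OUTDIR:-/tmp/capture}"

# tcpdump arguments for one interface: -nn skips host and port name lookups,
# -s 0 keeps every packet whole, -w writes pcap to a per-interface file.
capture_args() {
    printf '%s' "-i $1 -nn -s 0 -w $OUTDIR/$1.pcap"
}

# mergecap arguments: output file first, then every per-interface file;
# mergecap orders the merged packets by timestamp.
merge_args() {
    args="-w $OUTDIR/all.pcap"
    for i in $IFACES; do
        args="$args $OUTDIR/$i.pcap"
    done
    printf '%s' "$args"
}

# Start all captures, wait until interrupted, stop them, then merge.
run_captures() {
    mkdir -p "$OUTDIR"
    pids=""
    for i in $IFACES; do
        # word splitting of the argument string is intended here
        tcpdump $(capture_args "$i") &
        pids="$pids $!"
    done
    # Background jobs in a script ignore SIGINT, so forward Ctrl-C as SIGTERM;
    # tcpdump flushes and closes its output file cleanly on SIGTERM.
    trap 'kill $pids 2>/dev/null' INT TERM
    echo "Capturing on: $IFACES (Ctrl-C to stop and merge)" >&2
    wait $pids
    trap - INT TERM
    mergecap $(merge_args)
    echo "Merged capture written to $OUTDIR/all.pcap" >&2
}

if [ "${1:-}" = "run" ]; then
    run_captures
fi
```

Run it as root (tcpdump needs raw-socket access) with the argument run, and stop it with Ctrl-C; the merged file all.pcap opens in Wireshark with the per-interface files still available for separate analysis.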
To capture a tcpdump on all interfaces use