Basically I want to do something like strace ssh user@host and instead of seeing the system calls, I want to watch the tcp connection packets as the connection is established.
I'm having this weird problem between two specific machines, where b can connect to a but a can't connect to b most of the time, and when it is able to connect the connection is very slow and it takes a minute just to get the ssh greeting.
Sounds like packets being dropped, so I'm looking for a way to diagnose. I know I can fire up wireshark or something (suggestions welcome) but I figured if there was something simple and specific to a process that would be handy.
You can do the sniffing with tcpdump perfectly.

Install tcpdump:

On Debian/Ubuntu:

On CentOS:

Listen for TCP packets:

First, list your interfaces:

List/capture packets on interface eth0:

List/capture ONLY TCP packets on interface eth0:

(Screenshots: tcpdump displaying the available interfaces; tcpdump capturing and showing packets.)
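As an added example (not part of the answer above), here is a small POSIX shell script that narrows the tcpdump command to the case in the question, only the SSH traffic between this machine and one peer, and adds an awk summary that reads tcpdump's text output and flags connection attempts whose SYN was sent several times without a SYN-ACK ever coming back, which is what a dropped handshake looks like in a capture. The interface name `eth0`, the peer address, and the sample capture lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer.
# ssh_capture: capture only the SSH flow to/from one peer (needs root).
# syn_summary: read tcpdump text output and count SYNs vs SYN-ACKs per
#              client flow, flagging flows that keep retransmitting SYN.

# Interface and peer are assumptions; adjust to your machines.
ssh_capture() {
    iface="$1"; peer="$2"
    # -nn: no name/port resolution, -l: line-buffered so it pipes cleanly
    tcpdump -nn -l -i "$iface" "tcp port 22 and host $peer"
}

# Reads tcpdump -nn lines on stdin and prints one line per client flow.
syn_summary() {
    awk '
        # tcpdump -nn line shape:
        # 12:00:00.000000 IP 10.0.0.1.51234 > 10.0.0.2.22: Flags [S], seq ...
        # $3 = source, $5 = destination (with trailing colon), $7 = flags
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7
            # plain SYN: client -> server, key the flow as "client > server"
            if (flags == "[S],") syn[src " > " dst]++
            # SYN-ACK travels server -> client, so swap to the same flow key
            if (flags == "[S.],") synack[dst " > " src]++
        }
        END {
            for (k in syn) {
                verdict = ((synack[k] + 0 == 0 && syn[k] > 1) ? "RETRANSMITTING" : "ok")
                printf "%s syn=%d synack=%d %s\n", k, syn[k], synack[k] + 0, verdict
            }
        }
    ' | sort
}

# Constructed sample capture: one healthy handshake to 10.0.0.2 and one
# attempt to 10.0.0.3 where the SYN is retransmitted three times unanswered.
sample_capture() {
    cat <<'EOF'
12:00:00.000000 IP 10.0.0.1.51234 > 10.0.0.2.22: Flags [S], seq 1, win 64240, length 0
12:00:00.001000 IP 10.0.0.2.22 > 10.0.0.1.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:00.002000 IP 10.0.0.1.51234 > 10.0.0.2.22: Flags [.], ack 10, win 64240, length 0
12:00:05.000000 IP 10.0.0.1.51300 > 10.0.0.3.22: Flags [S], seq 1, win 64240, length 0
12:00:06.000000 IP 10.0.0.1.51300 > 10.0.0.3.22: Flags [S], seq 1, win 64240, length 0
12:00:08.000000 IP 10.0.0.1.51300 > 10.0.0.3.22: Flags [S], seq 1, win 64240, length 0
EOF
}

# Offline demonstration on the constructed sample.
# Live use (as root): ssh_capture eth0 10.0.0.3 | syn_summary
sample_capture | syn_summary
```

On the constructed sample the summary reports the flow to 10.0.0.2 as `syn=1 synack=1 ok` and the flow to 10.0.0.3 as `syn=3 synack=0 RETRANSMITTING`; on a live capture, run `ssh_capture` in one terminal while attempting the `ssh` from the other, and a retransmitting flow points at packets being lost somewhere between the two machines rather than at sshd itself.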
So I found my problem: it turned out to be a script generating lots of iptables drop rules. I'm guessing one of the IPs it was blocking was on one of the routes between the two machines, so it was intermittent. Removing the iptables rules made the problem go away.