Capture network traffic simultaneously on three interfaces

Question

I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 wan interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced between the two WAN interfaces, I wonder if is it possible to capture simultaneously on all interfaces.

I have used tcpdump previously but it only admits one interface at a time. I can launch 3 parallel processes to capture on all interfaces but then I end up with 3 different capture files.

What is the right way of doing this ?

Answer 1

If you use wireshark/tshark, there is a pseudo-interface named 'any' which takes all the interfaces. tshark -i any Wireshark is available on all plateforms

Edit : The any interface depends of libpcap : tcpdump have it ! tcpdump -i any

Answer 2

I ran into an issue where when I tried to dump broadcast traffic on any interface but tcpdump on the device replied not a broadcast link when I tried.

# tcpdump -i any broadcast -nn -v tcpdump: not a broadcast link 

I figured out I can just run multiple commands in parallel to get what I needed. It isn't the prettiest, but it worked for me.

tcpdump -i ath0 broadcast -n & tcpdump -i ath1 broadcast -n & tcpdump -i ath2 broadcast -n & tcpdump -i ath3 broadcast -n & tcpdump -i ath4 broadcast -n & tcpdump -i ath5 broadcast -n & tcpdump -i ath6 broadcast -n & tcpdump -i ath7 broadcast -n & tcpdump -i ath8 broadcast -n & 

Then to kill all the parallel jobs and stop dumping:

kill `jobs -p`