
I need to capture traffic on a CentOS 5 server which acts as a web proxy with 2 WAN interfaces and 1 LAN. In order to troubleshoot a weird proxy problem, I would like to have a capture of a full conversation. Since external connections are balanced between the two WAN interfaces, I wonder if it is possible to capture simultaneously on all interfaces.

I have used tcpdump previously but it only admits one interface at a time. I can launch 3 parallel processes to capture on all interfaces but then I end up with 3 different capture files.

What is the right way of doing this?

  • AdamRushad is correct. You can use Wireshark too. Commented Sep 23, 2016 at 19:14

4 Answers


According to the tcpdump man page:

On Linux systems with 2.2 or later kernels, an interface argument of ‘‘any’’ can be used to capture packets from all interfaces. Note that captures on the ‘‘any’’ device will not be done in promiscuous mode.

So you should be able to run: tcpdump -i any in order to capture data on all interfaces at the same time into a single capture file.

  • That doesn't work if I want to capture some, but not all, of the interfaces. Commented Oct 2, 2018 at 16:16

The way I would approach this is to dump on each interface to a separate file and then merge them. The any interface also includes lo traffic which can pollute the capture.

This also allows for analysis of the packet streams per interface without complex filtering.

I would capture in 3 terminals or by backgrounding the command with &.

The flag -nn turns off DNS resolution for speed, -s 0 saves the full packet and -w writes to a file.

tcpdump -i wan0 -nn -s 0 -w wan0.dump
tcpdump -i wan1 -nn -s 0 -w wan1.dump
tcpdump -i lan0 -nn -s 0 -w lan0.dump

I would then merge the files with the mergecap command from Wireshark:

mergecap -w merged.dump wan0.dump wan1.dump lan0.dump

  • Nice trick with mergecap :) Commented Mar 13 at 10:15

To capture a tcpdump on all interfaces use

tcpdump -i any

  • This was already given as an answer 2 years ago in Adam Rushad's answer. Commented Aug 1, 2019 at 14:58
  • Use "tshark -D" to find the numeric order of your interfaces (assuming 1 = wan0, 2 = wan1 and 3 = lan0). You can capture on all three interfaces with "tshark -i 1 -i 2 -i 3". This worked for me. Commented Apr 8, 2021 at 13:21

As the others have pointed out, tcpdump -i any lets you listen on ALL interfaces. But it still can't listen on multiple specific interfaces. In my situation I wanted to listen on all interfaces except for a particularly noisy one. I found that tshark (the CLI to Wireshark) was the best solution for this:

$ tshark -l -i en0 -i llw0 -i awdl0 

If you have a lot of interfaces that often change, it can be cumbersome listing them all. With a little shell scripting we can get all the interfaces tshark is capable of listening on, using dumpcap -D, exclude the ones we don't want, and then pass all of them to tshark.

For example, to listen on all interfaces except for en0 and lo0 you can do this:

$ tshark -l $(for i in $(dumpcap -D | tr -s '[:blank:]' | cut -d ' ' -f 2 | grep -E -v 'lo0|en0' ) ; do echo "-i $i"; done)
Capturing on 21 interfaces ...

Cheers
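The interface-list trick from the answer above, as an added example that is not part of any of the original answers: the exclusion list is built into an anchored pattern (grep -x) so that excluding en0 does not silently drop every interface whose name merely contains "en0", and the list is kept in a function you can reuse against real dumpcap -D output. The dumpcap -D output embedded below is constructed sample data, not a real host.

```shell
#!/bin/sh
# Added example, not from the original answers. Builds the "-i IFACE" argument
# list for tshark from dumpcap -D style output, excluding the named interfaces.
# SAMPLE_DUMPCAP_D is constructed sample output; on a real host you would feed
# "$(dumpcap -D)" instead.
SAMPLE_DUMPCAP_D='1. en0 (Wi-Fi)
2. awdl0
3. llw0
4. lo0 (Loopback)
5. en01
6. utun0'

# Usage: build_iface_args "<dumpcap -D output>" [iface_to_exclude ...]
# Prints one line of "-i NAME" pairs for every interface not excluded.
build_iface_args() {
    list=$1; shift
    # Join the exclusions into an alternation, e.g. "lo0|en0".
    pattern=""
    for ex in "$@"; do
        pattern="${pattern:+$pattern|}$ex"
    done
    # awk '{print $2}' takes the interface name after the "N." prefix.
    # grep -x anchors the whole line, so "en0" does not also exclude "en01";
    # with no exclusions the pattern '^$' matches nothing but empty lines.
    printf '%s\n' "$list" \
      | awk '{ print $2 }' \
      | grep -E -v -x "${pattern:-^$}" \
      | awk '{ printf "-i %s ", $1 } END { print "" }' \
      | sed 's/ $//'
}

# With real interfaces you would run:
#   tshark -l $(build_iface_args "$(dumpcap -D)" lo0 en0)
build_iface_args "$SAMPLE_DUMPCAP_D" lo0 en0
```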
