Tcpdump

Remember to turn off TSO GSO

Before start capturing your packets to troubleshoot, remember to turn off tso and gso. Segment offloading is to let your NIC deal with packet processing, such as packet fragmentation and retransmission. This generally is good but hides your real packet transmission. In linux, you can disable this features by executing below commands.
ethtool -K tso off gso off

Capture TCP packet to a host:port

tcpdump -i -s 0 -vv -nn "tcp and host 1.2.3.4 and 443 "

  • -s 0: do not truncate packets

Capture TCP packet of a subnet

tcpdump -i -s 0 -vv -nn "tcp and net 192.168.0.0/16"

Capture UDP packet of specific bytes

tcpdump -i -s 0 -vv -nn "udp[10:4] = 0x01020304"

Filter out a tcpdump file to another file

tcpdump -r-w "tcp and port 8080"

Comments

comments