How to install tcpdump and obtain a packet capture on AS Linux backend?
Tcpdump is a command-line tool commonly used to capture packets when troubleshooting a networking-related issue. The output of tcpdump (a packet capture file) can then be opened in a graphical packet analyzer such as Wireshark, which reads the same capture format.
- To install tcpdump on RHEL 8/9, run either of the following (yum is an alias for dnf on these releases):
- sudo dnf install tcpdump
- sudo yum install tcpdump
- Once tcpdump is installed, run 'tcpdump' to verify the installation; it starts capturing on the default interface and prints output similar to the screenshot below:
- Press 'Ctrl-C' to stop it.
- Now begin capturing packets. As with Wireshark, the capture must run on the interface that actually carries the traffic of interest. To list the available and active interfaces, type: 'ifconfig' (on RHEL 8/9 this comes from the net-tools package; 'ip -s link' shows the same counters)
The output will be similar to the one below:
Note: A machine usually has several interfaces, both virtual and physical, so check which one carries the traffic you need.
- Here the capture is taken on eth0, which appears to be the most active interface and has the most received packets (27,011). The goal is a packet capture file that can be opened in Wireshark.
The syntax is as follows:
- tcpdump -i eth0 -w /my/path/to/pcapfile.cap
- The above command starts tcpdump on interface eth0 and writes the captured packets to pcapfile.cap. Note that the interface flag is lower-case '-i'; upper-case '-I' selects monitor mode instead. Here is an example screenshot:
- When enough traffic has been captured, press 'Ctrl-C' to end the capture on the interface (this also terminates the tcpdump process).
- Verify that the capture file exists and check its contents:
Sample output:
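The procedure above, worked through in a small POSIX shell script (an added example, not part of the original article): it picks the busiest interface from ifconfig-style output the way the article picks eth0, builds the capture command with the lower-case '-i' flag, and verifies the finished file by its pcap magic number rather than its '.cap' extension. It assumes a POSIX shell with awk and od; the ifconfig output embedded below is constructed, and the capture command itself is only printed because running it requires root.

```shell
#!/bin/sh
# Added example for this article (not from the original page): pick the busiest
# interface from ifconfig-style output, build the capture command with the
# correct lower-case -i flag, and check that the written file is a real pcap.
# Assumes a POSIX shell with awk and od; the sample output below is constructed.

# Print the interface with the highest "RX packets" count. Handles both the
# modern "RX packets 27011" and the old "RX packets:27011" ifconfig layouts.
busiest_iface() {
    awk '
        BEGIN { best = -1 }
        /^[[:alnum:]]/ { iface = $1; sub(/:$/, "", iface) }  # "eth0:" or "eth0"
        /RX packets/ {
            n = $0
            sub(/.*RX packets:? */, "", n)                # keep text after label
            sub(/[^0-9,].*/, "", n); gsub(/,/, "", n)     # isolate the number
            if (n + 0 > best) { best = n + 0; best_if = iface }
        }
        END { print best_if }
    '
}

# Build the capture command from the article with -i (interface), not -I
# (monitor mode). Needs root to run: sudo sh -c "$(capture_cmd eth0 out.cap)"
capture_cmd() {
    printf 'tcpdump -i %s -w %s\n' "$1" "$2"
}

# Verify a finished capture by its 4-byte magic number (classic pcap in either
# byte order, nanosecond pcap, or pcapng) instead of trusting the .cap name.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed ifconfig output: eth0 has the most received packets, as in the article.
SAMPLE_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        RX packets 27011  bytes 36889440 (35.1 MiB)
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        RX packets 120  bytes 9600 (9.3 KiB)'

IFACE=$(printf '%s\n' "$SAMPLE_IFCONFIG" | busiest_iface)
echo "Busiest interface: $IFACE"
echo "Run as root:       $(capture_cmd "$IFACE" /my/path/to/pcapfile.cap)"
```

After a real capture, 'pcap_magic_ok /my/path/to/pcapfile.cap' returning success confirms the file is something Wireshark or 'tcpdump -r' can open.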