Capturing Every Last Packet – On Linux

Capturing packets and not missing a lot of them can be hard. If you’re monitoring TLS (including SIP over TLS), you need every single packet to be able to decode it.

Many of us have a Linux server for doing our captures. There are some great tools like gulp and n2disk (among other great work on this subject from Luca Deri). But on a vanilla Linux machine, using whatever Ethernet interfaces you have, you can still do some neat stuff.

Capture with tcpdump, not tshark

tcpdump is more efficient than tshark at raw writing to disk; e.g.,

tcpdump -s 1514 -i eth2 -w file.pcap

will tend to capture more than a similar tshark command.

Prioritize tcpdump

(b) A busy Linux box, or high packet rate, will lose some data because tcpdump or tshark are not running all the time. You can run tcpdump at a higher priority with the “nice” command and a negative nice level:

nice --adjustment=-10 tcpdump -s 1514 -i eth2 -w file.pcap

Use RAM, not disk.

Sometimes the disk system just cannot keep up with the rate of traffic, and the disk buffers aren’t large enough. Without tuning kernel disk buffers, you can make a ramdisk. This example checks to see there’s about 1660 MB of RAM doing nobody any good, and it makes a 1000 MB ramdisk using the “tmpfs” filesystem feature, and writes a big capture to it.

[root@sniffer /]# free -m
               total     used     free    shared    buffers   cached
Mem:            2010     1748      262         0        159     1239
-/+ buffers/cache:        349     1660
Swap:            3999       0     3999

# mkdir /tmp/ramdisk

# mount -t tmpfs -o size=1000m tmpfs /tmp/ramdisk/

# nice --adjustment=-10 tcpdump -s 1514 -i eth2 -w /tmp/ramdisk/ecg_sniffer_eth2_20180321.pcap

tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 1514 bytes
1199062 packets captured
1199075 packets received by filter
0 packets dropped by kernel


ECG would be glad to help with your Voice and Video Network Engineering, and 24×7 customer support. Ping us to learn more.