gremwell
How to sniff network traffic on linux without interruption on interface down events

I sniff traffic on a network interface (with tcpdump or Wireshark). My problem is that if the interface goes down and then up again, the sniffer stops sniffing. I don't like it.

Any ideas how to make sure _all_ packets get intercepted?
rfc1180

>My problem is that if the interface goes down and then up again the sniffer stops sniffing. I don't like it.

The best way to sniff traffic is to have a dedicated, reliable system just for Wireshark (or tcpdump). If your switch supports SPAN (port mirroring), then this is the recommended path for any long-term solution. For a short-term solution, any old system that is fairly reliable will suit your needs, but you might run into issues such as the one you are experiencing.

Here is some more information:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

Billy
Jimmy Larsson, CISSP, CEH
tcpdump doesn't bring your interface down. Just run it; it will simply display all traffic on the NIC without interfering with existing traffic.

/Kvistofta
gremwell

ASKER

rfc1180: It is not very convenient to carry around a switch + additional system + extra cables.

kvistofta: The interface goes down for a number of reasons, indeed not related to tcpdump. However, when the interface goes down, tcpdump/Wireshark stop sniffing and do not continue automatically when the interface is up again.

All I want is to run Wireshark in the morning and let it log all the traffic I generate during the day. I reconfigure/repatch my network interface very often, and it is extremely inconvenient that I always have to remember to switch to Wireshark, save the old file, and restart the same capture. This is counter-productive.

I have a partial solution -- run 'snort' in the background and watch the pcap files it generates in Wireshark. But this way I'm not getting live updates in Wireshark... Just now I thought it should be possible to feed snort's pcap files to Wireshark via a pipe (something like http://www.commandlinefu.com/commands/view/4487/analyze-traffic-remotely-over-ssh-w-wireshark)...


Mirror a port in a managed switch to get uninterrupted packets on that interface.
A switch (port mirroring) is ideal: no one can know (except the concerned) what is happening, and at the same time it is less taxing on the interface.

tks
Guys, I'm sorry, but I'm really not interested in switches... Why should I possibly need extra hardware? I just need to log all traffic on my laptop's port, that is all. Pretty please don't mention switches again. Thanks in advance.
>rfc1180: It is not very convenient to carry around a switch + additional system + extra cables.
you never mentioned your requirements; typically, with no requirements, defaults will be used.

>tcpdump/wireshark stop sniffing and do not continue automatically when interface is up again.
Correct, this is by design. Again, these are the facts of networking; typical NICs will stay active. If they are bouncing, then there is something physically wrong with the hardware and/or drivers (you need a reliable system).

>just need to log all traffic on my laptop's port
If that is all you need, then you do not need extra hardware; run Wireshark and capture the packets. But do not expect to capture ALL network traffic without some type of extra hardware and cables.

Billy
ASKER CERTIFIED SOLUTION
gremwell

This solution is only available to members.
>I wonder what you mean by this. As I have said, I want to log traffic sent to/from my laptop.
Yes, but you stated "I just need to log all traffic on my laptop's port"; the statement leaves it open to interpretation. The type of traffic that you want logged (captured) will be only traffic destined to the laptop and any traffic that was sourced by the laptop; any other traffic sourced and destined elsewhere in the network you will not be able to capture. I just want to make sure that you are clear on that and that there is no misunderstanding.

>I have just found this http://www.tcpdump.org/libpcap-changes.txt
There you go, I have never had an issue like this so I never had to investigate.

Good Luck
Billy

If I am not wrong, you want to analyze your own laptop's network traffic. Right?

tcpdump and similar tools are there; use them. The only pitfalls, to my mind, are:
    Too much hard disk activity (will slow down the system, and your normal operations will be slow)
    The processor, too, will devote most of its time to the tcpdump process (will slow down the system, and your normal operations will be slow)
    If there is too much internet browsing, it raises the alarm of the hard disk getting full
    These are the primary things, man; the list goes on beyond these...
Tks
You might get away with monitoring your interface with ifplugd and doing something every time the link comes up.

Something like this:
ifplugd -i eth0 -r /home/gremwel/script/starttcpdump
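As an added illustration of the ifplugd approach (not code from the post), here is what the action script at the path given above could look like. It assumes ifplugd's convention of invoking the script with the interface name and "up"/"down" as its two arguments, that tcpdump is installed and the script runs with capture privileges, and that the capture and pid-file directories (CAPTURE_DIR, PIDFILE_DIR) and the function names are my own choices.

```shell
#!/bin/sh
# Hypothetical /home/gremwel/script/starttcpdump for: ifplugd -i eth0 -r <this script>
# ifplugd calls it as:  starttcpdump <interface> <up|down>
# Assumed locations (not from the post); override via the environment.
CAPTURE_DIR="${CAPTURE_DIR:-/var/tmp/captures}"
PIDFILE_DIR="${PIDFILE_DIR:-/var/run}"

# One pcap per link-up event, so a new capture never overwrites the previous one.
capture_path() {            # $1 = interface, $2 = timestamp (YYYYmmdd-HHMMSS)
    printf '%s/%s-%s.pcap\n' "$CAPTURE_DIR" "$1" "$2"
}

# Accept only a sane interface name and the two states ifplugd can report.
valid_event() {             # $1 = interface, $2 = up|down ; returns 0 if valid
    case "$1" in ''|*/*|*' '*) return 1 ;; esac
    case "$2" in up|down) return 0 ;; *) return 1 ;; esac
}

start_capture() {           # $1 = interface
    iface=$1
    file=$(capture_path "$iface" "$(date +%Y%m%d-%H%M%S)")
    mkdir -p "$CAPTURE_DIR"
    # -n: no name lookups; -U: flush each packet so Wireshark can follow the
    # growing file; -w: write raw pcap. Background it so ifplugd gets control back.
    tcpdump -i "$iface" -n -U -w "$file" &
    echo $! > "$PIDFILE_DIR/tcpdump-$iface.pid"
}

stop_capture() {            # $1 = interface ; no-op when nothing is recorded
    pidfile="$PIDFILE_DIR/tcpdump-$1.pid"
    [ -f "$pidfile" ] || return 0
    kill "$(cat "$pidfile")" 2>/dev/null || true
    rm -f "$pidfile"
}

# Link up: the old tcpdump usually exited when the link dropped (the behaviour the
# asker reports), but kill any stale one first so two captures never run at once.
handle_link_event() {       # $1 = interface, $2 = up|down ; returns 2 on bad args
    valid_event "$1" "$2" || return 2
    case "$2" in
        up)   stop_capture "$1"; start_capture "$1" ;;
        down) stop_capture "$1" ;;
    esac
}

# Act only when ifplugd hands us both arguments.
if [ "$#" -eq 2 ]; then handle_link_event "$1" "$2"; fi
```

Each link-up produces a fresh pcap file, which is the part Wireshark alone cannot do on its own once the interface has gone down.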
As I have mentioned earlier, I have a solution -- upgrade to libpcap 1.0. This was what I was after, as it solves the problem described in the OP -- interruption of sniffing when the interface goes down.

Thanks again for everyone's participation.