
Solved

How to sniff network traffic on linux without interruption on interface down events

Posted on 2010-09-06
1,438 Views
Last Modified: 2012-05-10
I sniff traffic on a network interface (with tcpdump or Wireshark). My problem is that if the interface goes down and then up again, the sniffer stops sniffing. I don't like it.

Any ideas how to make sure _all_ packets get intercepted?
Question by:gremwell
11 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33611643
>My problem is that if the interface goes down and then up again the sniffer stops sniffing. I don't like it.

The best way to sniff traffic is to have a dedicated, reliable system just for Wireshark (or tcpdump). If your switch supports SPAN (port mirroring), then this is the recommended path for any long-term solution. For a short-term solution, any old system that is fairly reliable will suit your needs, but you might run into issues such as you are experiencing.

Here is some more information:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

Billy
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33611781
tcpdump doesn't bring your interface down. Just run it; it will simply display all traffic on the NIC without interfering with existing traffic.

/Kvistofta
 
LVL 3

Author Comment

by:gremwell
ID: 33611926
rfc1180: It is not very convenient to carry around a switch + additional system + extra cables.

kvistofta: The interface goes down for a number of reasons, indeed not related to tcpdump. However, when the interface goes down, tcpdump/Wireshark stop sniffing and do not continue automatically when the interface is up again.

All I want is to run Wireshark in the morning and let it log all the traffic I generate during the day. I reconfigure/repatch my network interface very often, and it is extremely inconvenient that I always have to remember to switch to Wireshark, save the old file, and restart the same capture. This is counter-productive.

I have a partial solution -- run 'snort' in the background and watch the pcap files it generates in Wireshark. But this way I'm not getting live updates in Wireshark... Just now I thought it should be possible to feed snort's pcap files to Wireshark via a pipe (something like http://www.commandlinefu.com/commands/view/4487/analyze-traffic-remotely-over-ssh-w-wireshark)...

 
LVL 1

Expert Comment

by:99star
ID: 33611996

Mirror the port in a managed switch to achieve uninterrupted packets on that interface.
A switch (port mirroring) is ideal: no one can know (except the concerned) what is happening, and at the same time it is less taxing on the interface.

tks
 
LVL 3

Author Comment

by:gremwell
ID: 33612053
Guys, I'm sorry, but I'm really not interested in switches... Why should I possibly need extra hardware? I just need to log all traffic on my laptop's port, that is all. Pretty please don't mention switches again. Thanks in advance.
 
LVL 24

Expert Comment

by:rfc1180
ID: 33612101
>rfc1180: It is not very convenient to carry around a switch + additional system + extra cables.
You never mentioned your requirements; typically, with no requirements, defaults will be used.

>tcpdump/wireshark stop sniffing and do not continue automatically when interface is up again.
Correct, this is by design. Again, these are the facts of networking; typical NICs will stay active. If they are bouncing, then there is something physically wrong with the hardware and/or drivers (you need a reliable system).

>just need to log all traffic on my laptop's port
If that is all you need, then you do not need extra hardware; run Wireshark and capture the packets. But do not expect to capture ALL network traffic without some type of extra hardware and cables.

Billy
 
LVL 3

Accepted Solution

by:
gremwell earned 0 total points
ID: 33612236
> you never mentioned your requirements; typically, with no requirements, defaults will be used.

I'm truly sorry that my question was not clear enough. Indeed I should have mentioned mobility requirements from the start.

> typical NICs will stay active, if they are bouncing then there is something physically wrong with the
> hardware and/or drivers

Not necessarily. I often need to restart DHCP client or switch from one connection to another during the day. I know that I cause interface-down events.

> but do not expect to capture ALL network traffic without some type of extra hardware and cables

I wonder what you mean by this. As I have said, I want to log traffic sent to/from my laptop.

I have just found this http://www.tcpdump.org/libpcap-changes.txt: "ignore ENETDOWN so we can continue to capture packets if the interface goes down and comes back up again.". Apparently tcpdump 4.0 distributed with Ubuntu 10 does what I want. Time to upgrade...

Thanks to everyone for considering my problem.
 
LVL 24

Expert Comment

by:rfc1180
ID: 33612299
>I wonder what you mean by this. As I have said, I want to log traffic sent to/from my laptop.
Yes, but you stated "I just need to log all traffic on my laptop's port"; the statement leaves it open for interpretation. The type of traffic that you want logged (Captured) will be only traffic destined to the laptop and any traffic that was sourced by the laptop; any other traffic sourced and destined elsewhere in the network you will not be able to capture. I just want to make sure that you are clear on that and that there is no misunderstanding.

>I have just found this http://www.tcpdump.org/libpcap-changes.txt
There you go, I have never had an issue like this so I never had to investigate.

Good Luck
Billy
 
LVL 1

Expert Comment

by:99star
ID: 33612794

If I am not wrong, you want to analyze your own laptop's network traffic, right?

tcpdump and similar tools are there; use them. The only pitfalls, to my mind, are:
  • too much hard disk activity (will slow down the system, and your normal operations will be slow)
  • the processor too will devote most of its time to the tcpdump process (will slow down the system, and your normal operations will be slow)
  • if there is too much internet browsing, it poses the alarm of the hard disk getting full
  • these are the primary things, man; the list will exceed..........................
Tks
 
LVL 7

Expert Comment

by:expert1010
ID: 33615927
You might get away with monitoring your interface with ifplugd and doing something every time the link comes up.

something like this:
ifplugd -i eth0 -r /home/gremwel/script/starttcpdump
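Along the lines of expert1010's ifplugd suggestion, and still handy after the libpcap upgrade gremwell found if you want one file per link-up instead of one growing capture, here is an added example of an action script for `ifplugd -r` (not from the thread or from any participant). It assumes ifplugd invokes it as `<script> <interface> up|down`; the capture directory, pidfile location and file naming are this example's own choices.

```shell
#!/bin/sh
# ifplugd action script: ifplugd runs it as "<script> <interface> up|down".
# Every link-up starts a fresh tcpdump into a new numbered pcap file, so earlier
# captures are kept; link-down stops the old one. Paths below are assumptions.
CAPTURE_DIR="${CAPTURE_DIR:-/var/tmp/captures}"
PIDFILE_DIR="${PIDFILE_DIR:-/var/run}"
TCPDUMP="${TCPDUMP:-tcpdump}"   # overridable so the logic can be tested without root
# Print the next unused capture path for an interface (e.g. .../eth0-0003.pcap)
# by scanning CAPTURE_DIR for the highest existing sequence number.
next_capture_file() {
    iface=$1
    last=0
    for f in "$CAPTURE_DIR/$iface"-[0-9][0-9][0-9][0-9].pcap; do
        [ -e "$f" ] || continue          # glob matched nothing
        n=${f##*-}; n=${n%.pcap}
        n=${n#"${n%%[!0]*}"}; n=${n:-0}  # drop leading zeros (POSIX, no expr)
        [ "$n" -gt "$last" ] && last=$n
    done
    printf '%s/%s-%04d.pcap\n' "$CAPTURE_DIR" "$iface" $((last + 1))
}

# Start tcpdump in the background, record its PID, print the capture path.
start_capture() {
    iface=$1
    mkdir -p "$CAPTURE_DIR"
    out=$(next_capture_file "$iface")
    # -n: no DNS lookups; -U: flush each packet to disk so a crash loses nothing
    "$TCPDUMP" -i "$iface" -n -U -w "$out" >"$CAPTURE_DIR/$iface.log" 2>&1 &
    echo $! >"$PIDFILE_DIR/tcpdump-$iface.pid"
    echo "$out"
}

# Stop the recorded capture for an interface; tolerate an already-exited process.
stop_capture() {
    pidfile="$PIDFILE_DIR/tcpdump-$1.pid"
    if [ -f "$pidfile" ]; then
        kill "$(cat "$pidfile")" 2>/dev/null || true
        rm -f "$pidfile"
    fi
}

handle_link_event() {
    case $2 in
        up)   stop_capture "$1"; start_capture "$1" ;;
        down) stop_capture "$1" ;;
        *)    echo "usage: $0 <interface> up|down" >&2; return 2 ;;
    esac
}
# Act only when given arguments (by ifplugd or by hand); sourcing just loads functions.
if [ -n "${1:-}" ]; then handle_link_event "$1" "$2"; fi
```

Install it as the `-r` script (e.g. `ifplugd -i eth0 -r /path/to/this-script`) and each link-up yields a new numbered pcap while the previous one stays on disk.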
 
LVL 3

Author Comment

by:gremwell
ID: 33625619
As I have mentioned earlier, I have a solution -- upgrade to libpcap 1.0. This was what I was after, as it solves the problem described in the OP -- interruption of sniffing when the interface goes down.

Thanks again for everyone's participation.
