dokucama

User Tools

Site Tools

Trace: tcpdump haproxy
network_stuff:tcpdump

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_stuff:tcpdump [2020/11/28 22:40] jotasandokunetwork_stuff:tcpdump [2023/11/02 14:38] (current) – external edit 127.0.0.1
Line 1: Line 1:
-**__TCPDUMP__** \\ +**__TCPDUMP NOTES__** \\ 
 +[[https://softbackbone.duckdns.org/doku.php?id=network_stuff:tcpnotes|tcp_notes]]\\
 To write the tcpdump output in pcap format. If we Add capital W, that means rotate: To write the tcpdump output in pcap format. If we Add capital W, that means rotate:
   tcpdump -ni eth0 -s0 -w /var/tmp/capture.pcap   tcpdump -ni eth0 -s0 -w /var/tmp/capture.pcap
   tcpdump -ni eth0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K    # 48 files, either every 1800 seconds (=30 minutes) or every 100 MB, -K don't verify checksum   tcpdump -ni eth0 -w /var/tmp/trace -W 48 -G 1800 -C 100 -K    # 48 files, either every 1800 seconds (=30 minutes) or every 100 MB, -K don't verify checksum
   tcpdump -nni bond1 -w /var/tmp/trace -W 1 -G 20 -C 100 -K   tcpdump -nni bond1 -w /var/tmp/trace -W 1 -G 20 -C 100 -K
 +  tcpdump -e -r sflow_2022_new.pcap   # to read an existing pcap (remove -e if not interested in ethernet headers)
  
 After capture, transfer example:  After capture, transfer example: 
  
-  gk# scp root@slingshot2.nj.grapeshot.co.uk:/var/tmp/capture.pcap /home/jaime_santos/Downloads/ +  gk# scp root@slingshot2.nj.mycompany1.co.uk:/var/tmp/capture.pcap /home/jaime_santos/Downloads/ 
-  hm# scp root@gatekeeper.grapeshot.co.uk:/home/jaime_santos/Downloads/capture.pcap capture-ams.pcap+  hm# scp root@gatekeeper.mycompany1.co.uk:/home/jaime_santos/Downloads/capture.pcap capture-ams.pcap
   remote# rm /var/tmp/capture.pcap   remote# rm /var/tmp/capture.pcap
   gk# rm /var/tmp/capture.pcap   gk# rm /var/tmp/capture.pcap
Line 24: Line 25:
   tcpdump -nni any portrange 60000-60100   tcpdump -nni any portrange 60000-60100
   tcpdump -vv -e -nni any ether proto 0x8809   # LACP   tcpdump -vv -e -nni any ether proto 0x8809   # LACP
 +  tcpdump -n -i eth0 -A -x dst port 443 and greater 100  # packet lenght
  
  
Line 33: Line 35:
 -S  : To print absolute rather than relative TCP sequence numbers.\\ -S  : To print absolute rather than relative TCP sequence numbers.\\
   tcpdump -nnvvi bond0 'not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16))'   # EXCLUDE PRIVATE ADDRESSES   tcpdump -nnvvi bond0 'not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16))'   # EXCLUDE PRIVATE ADDRESSES
 +  tcpdump -nni any 'not ((dst net (10 or 172.16/12 or 192.168/16 or 169.254/16)) or host 127.0.0.1)'   # EXCLUDE PRIVATE ADDRESSES and APIPA and loopback
  
 A very simple check before tcpdump is the one below, showing which interface is passing the traffic: A very simple check before tcpdump is the one below, showing which interface is passing the traffic:
Line 92: Line 95:
  
 ---- ----
- +**LIBCAP RELATED UTILITIES**
-__NOTES ON TCP__ +
-  MSS is Announced (not really negotiated but just announced), in the 3 way handshake +
-  Window scaling is also announced in the 3 way handshake. The default window size is 64kB which is far too small. That's way w. scaling is ON 99% of the times +
-  SACK also announced in the 3 way handshake and also ON 99% of the times. If received 1,2,3 5,6 but not 4, I acknoledge 3 and 'selectively acknowledge 5 and 6.+
 \\ \\
-The ACK number for a packet is the packet's sequence number plus the data length. See this [[https://osqa-ask.wireshark.org/questions/43447/matching-tcp-packets-in-wireshark|Link]] +  tcprewrite ---dlt=enet --enet-smac=3a:85:a1:b3:c3:84 --enet-dmac=c2:54:cb:f2:ee:c8  -sflow_2022_new.pcap -o rwsflow_2022_new.pcap   # this is needed when the pcap we received is linux cooked (sometimes they miss the dst mac address so we add a dummy one 
- +  tcprewrite -C --dstipmap=192.168.97.255/32:10.100.10.142/32 -rwsflow_2022_new.pcap -o rwrwsflow_2022_new.pcap 
-\\ +  tcpreplay -i eth0 --loop 0 xxx.pcap    
-  * The __**congestion window**__ is a **sender imposed** window that was implemented to avoid overrunning some routers in the middle of the network path. The **sender, with each segment sent, increases the congestion window slightly**, i.e. the sender will allow itself more outstanding sent data. +[[https://gist.github.com/niranjan-nagaraju/4532037]]
-    * You can't 'get' that value directly from the capture file, as **it is NOT ADVERTISED, it lives in the sender** +
-  * The **__receive window__** is the amount of data the **receiver can take at once without getting overwhelmed**Managed by the receiver, who sends out window sizes to the senderThe window sizes announce the number of bytes still free in the receiver buffer, i.ethe number of bytes the sender can still send without needing an acknowledgement from the receive +
-\\ +
- +
----+
- +
- +
-TCP CONGESTION CONTROL ALGORITHMS (Reno, Cubic, Tahoe, more recently, BBR + Vegas, , Westwood) +
-[[https://medium.com/@atoonk/tcp-bbr-exploring-tcp-congestion-control-84c9c11dc3a9]] +
- +
-  * sysctl net.ipv4.tcp_congestion_control  # default is usually cubic or reno +
-  * sysctl net.ipv4.tcp_available_congestion_control  # list available suites +
-  * sysctl -w net.ipv4.tcp_congestion_control=bbr   # rebuilt suite so it takes latency as congestion, not packet losses (by google) +
- +
-To test performance: +
-  tc qdisc replace dev enp0s20f0 root netem loss 1.5% latency 70ms # introduces some latency and packet loss+
network_stuff/tcpdump.1606603254.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki