Combine packet stream from multiple interfaces into one file on Linux

networking
tcpdump
linux

#1

Hi

I wanna capture a stream of packets coming into my server via specifically eth1 and eth2. I have a few more interfaces too, but I don’t want them to be monitored. I need only eth1 and eth2.

Can somebody guide me to get these packet traces into one pcap file?

Like -i eth1 -i eth2. But this is not working. Is there any other way to do it?

Thank you
Luke


#2

How about capturing them using two commands and merging them later?

You run these two commands on two terminals or use something like screen/tmux:

tcpdump -i eth1 -nn -s 0 -w eth1.bin
tcpdump -i eth2 -nn -s 0 -w eth2.bin

Next merge it:

mergecap -w final.bin eth1.bin eth2.bin

The mergecap command is part of the wireshark package, so you need to install wireshark-common on Debian or Ubuntu Linux.


#3

Hi Vivek,

Thank you so much for the idea and the guidance. So far, I also tried the same steps that you have mentioned.
Every 15 sec each pcap rolls over to the next one on both network interfaces. I wanna know if the file generation has been completed. Only then can I merge them.
For that I can use lsof to identify if the file is still open. If not, then I can merge them together. But for this task I might have a lot of work to do. I was thinking, is there a way to handle everything within tcpdump?

Thank you once again.

Luke.
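
The lsof-then-mergecap workflow discussed in this thread, as an added example that is not code from any of the posts above. The capture directory, the eth1_*/eth2_* file naming, the done/ subdirectory and the function names are assumptions of this example; it expects tcpdump to rotate with -G 15 and a strftime pattern in the -w file name.

```shell
#!/bin/sh
# Assumed capture commands (directory and file names are this example's choice):
#   tcpdump -i eth1 -nn -s 0 -G 15 -w '/var/tmp/cap/eth1_%Y%m%d%H%M%S.pcap' &
#   tcpdump -i eth2 -nn -s 0 -G 15 -w '/var/tmp/cap/eth2_%Y%m%d%H%M%S.pcap' &

# is_closed FILE: succeeds when no process has FILE open.
# lsof exits non-zero when it finds no open instance of the file. Run this as
# root or as the capturing user, otherwise lsof cannot see the tcpdump processes
# and a file that is still being written would look finished.
is_closed() {
    ! lsof -- "$1" >/dev/null 2>&1
}

# merge_closed DIR OUT: merge every finished eth1_*/eth2_* file in DIR into OUT,
# then move the inputs to DIR/done so a later run does not merge them again.
# Prints the number of input files that were merged.
merge_closed() {
    dir=$1 out=$2
    mkdir -p "$dir/done" || return 1
    set --                        # reuse "$@" as a whitespace-safe file list
    for f in "$dir"/eth1_*.pcap "$dir"/eth2_*.pcap; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal, skip it
        is_closed "$f" && set -- "$@" "$f"
    done
    if [ "$#" -eq 0 ]; then
        echo 0
        return 0
    fi
    # mergecap interleaves the packets of all inputs by timestamp.
    mergecap -w "$out" "$@" || return 1
    mv -- "$@" "$dir/done/" || return 1
    echo "$#"
}
```

Call merge_closed from cron or a loop, for example merge_closed /var/tmp/cap "/var/tmp/cap/merged_$(date +%s).pcap", and keep the output name outside the eth1_*/eth2_* patterns so it is never picked up as an input.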