Combine packet stream from multiple interfaces in to one file on Linux

Hi

I wanna capture a stream of packets coming into my server via specifically eth1 and eth2. I have few more interfaces too. But I don’t want them to be monitored. I need only eth1 and eth2.

Can somebody guide me to get these packet traces into a one pcap file?

like -i eth1 -i eth2 . Bu this is not working. Is there any other way to do it?

Thank you
Luke

How about capturing them using two command and merge it later?

You run these two commands on two terminals or use something like screen/tmux

tcpdump -i eth1 -nn -s 0 -w eth1.bin
tcpdump -i eth2 -nn -s 0 -w eth2.bin

Next merge it:

mergecap -w final.bin eth1.bin eth2.bin

The mergecap command is part of wireshark package. So you need to install wireshark-common on a Debian or Ubuntu Linux.

Hi Vivek,

Thank you so much for the idea and the guidance. So far, I also tried the same steps that you have mentioned.
Every 15sec each pcaps roll out for the next one in both network interfaces. I wanna know if the file generating has been completed. Then only i can merge them.
for that I can use lsof to identify if the is still open. if not then i can merge them together. But for this task I might have lot of work to do. I was thinking , is there a way to handle everything within tecpdump.

Thank you once again .

Luke.


Linux sysadmin blog - Linux/Unix Howtos and Tutorials - Linux bash shell scripting wiki