How to capture packages via both eth0 and lo at the same time?

Solution 1

Assuming your kernel supports it, you can run tcpdump -i any, but that will capture on all interfaces, and not just on the lo and eth0 interfaces. Also, according to the tcpdump man page, "... captures on the ''any'' device will not be done in promiscuous mode.", so if you need to place the NIC in promiscuous mode in order to capture your traffic of interest, this solution may not work for you. In that case, you could:

• Start 2 separate instances of tcpdump, one capturing on lo and the other capturing on eth0. If you write the packets to separate files, you can use a tool such as mergecap to merge them together afterward.
• Use dumpcap or tshark instead, either of which can capture on multiple interfaces.

Solution 2

Another option you can try out is to run tcpdump process on two interface parallely, like

sudo tcpdump -i lo & sudo tcpdump -i eth0 &

& will make it run in background

With this the issue of flooding of packet caused by "any" option can be moved out also, you can achieve the intention of capturing only on two interface as mentioned

Solution 3

from https://serverfault.com/questions/805006/tcpdump-on-multiple-interfaces

The way I would approach this is to dump on each interface to a separate file and then merge them. The any interface also includes lo traffic which can pollute the capture.

This also allows for analysis of the packet streams per interface without complex filtering.

I would capture in 3 terminals or by backgrounding the command with &

The flags -nn turns off dns resolution for speed, -s 0 saves the full packet and -w writes to a file.

tcpdump -i wan0 -nn -s 0 -w wan0.dump tcpdump -i wan1 -nn -s 0 -w wan1.dump tcpdump -i lan0 -nn -s 0 -w lan0.dump I would then merge the files with the mergecap command from wireshark:

mergecap -w merged.dump wan0.dump wan1.dump lan0.dump

Author by

showkey

Working at high school.

Updated on July 31, 2022