How to Generate Packet Captures
When a test reports loss from a location that is difficult to trace, and the loss doesn't appear on the path visualization as associated with a specific node, the ThousandEyes team might request a packet capture in order to isolate the loss.
Depending on your operating system, there are several options for running a packet capture. On Linux distributions the relevant command to start a capture is “tcpdump”. On Windows you can run “netsh”. Packet captures can also be taken with the network packet analyzer “Wireshark”, which has versions for all major platforms. For additional reference, the following links cover these and other options:
Ubuntu Manpage: http://manpages.ubuntu.com/manpages/cosmic/man8/tcpdump.8.html
WinPcap: https://www.winpcap.org/
Basically, you bind the capture to a specific interface and capture the packets passing through that interface. The capture runs for a specific duration to gather the required data. Typically, the ThousandEyes team will request a capture over a period of approximately 30 minutes in order to capture all relevant information. On UNIX-based systems a packet capture is generated by running the command "tcpdump". This document provides instructions for obtaining packet captures using either tcpdump or Wireshark.
Determine Which Network Interface to Capture
To start, identify which Ethernet interface connects the machine to the network. In most cases this will be eth0, but to check, run ifconfig on the host and identify the correct interface.
In this case, I only have one network interface bound, so I'm going to select that interface by appending -i eth0 to the command. This binds the capture to the eth0 interface and captures all the requested traffic passing through it.
Restricting Capture to a Specific Host or Port
If directed by the ThousandEyes team, you may be asked to reduce the amount of data being captured by targeting a specific port or host. To restrict by port, append port <portnumber>; to restrict by host, append host <w.x.y.z> to the command. These can be combined if required; the following commands are all syntactically valid.
Writing Output to a File
We also don't want to interpret the information in real time, but rather capture it to a file that the ThousandEyes team can use, so we'll write to a file. This is accomplished by appending -w <filename> to the command.
This command generates 1000MB files: as soon as the first file reaches the limit, tcpdump starts writing the second one, and the loop continues. This is very helpful when we need to catch a particular event in the packets.
Running the Capture
Once you have the required command, simply start the TCP dump with the appropriate parameters. Starting a TCP dump usually has to be done in the context of the root user. Running as the root user is not recommended, so the sudo command is often used to run a single command with superuser privileges. Simply prepend sudo to the command to run tcpdump with superuser permissions.
The capture will run until cancelled (press Ctrl-C to cancel). Once the TCP dump is stopped, the number of packets captured by the request will be shown:
Compress the Capture
Once the file has been created, it should be compressed for ease of transfer. The simplest method of compression is gzip, which is bundled with Linux distributions. The syntax is gzip -c uncompressedfile > targetfile.gz, which creates a compressed version of the file for email transmission.
Once the compressed file has been created, send it to the ThousandEyes team for analysis by emailing the gzipped version of the file to support@thousandeyes.com.
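As an added example that is not part of the original article and is not ThousandEyes' own tooling, the shell script below collects the steps above (choosing the interface, restricting by host and/or port, writing to a file, rotating output files, and compressing with gzip) into small functions that build and check the commands before anything runs as root. It assumes the `ip` command is available for finding the default-route interface (the ifconfig check above works just as well); eth0, capture.pcap, 10.0.0.5, 443 and the rotation sizes are constructed sample values. The filter expression it builds is the same libpcap syntax that Wireshark's capture filters accept.

```shell
#!/bin/sh
# Added example, not from the ThousandEyes page: small helpers that assemble
# the tcpdump workflow described above (pick an interface, restrict by host
# and/or port, write to a file, rotate files, compress with gzip).
# eth0, capture.pcap, 10.0.0.5 and 443 are constructed sample values.

# Interface carrying the default route, found with `ip route` (assumed to be
# installed); falls back to eth0, the usual choice named above.
default_interface() {
    iface=$(ip route show default 2>/dev/null | awk '{ print $5; exit }') || iface=""
    [ -n "$iface" ] || iface=eth0
    printf '%s\n' "$iface"
}

# Accept only an integer in 1..65535 so a typo cannot silently turn into an
# unfiltered capture or a tcpdump syntax error half an hour in.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the BPF filter expression: "host A", "port B", both joined with
# "and", or an empty string when no restriction was requested. This is the
# same expression syntax Wireshark accepts as a capture filter.
build_filter() {
    host=$1
    port=$2
    filter=""
    if [ -n "$host" ]; then
        filter="host $host"
    fi
    if [ -n "$port" ]; then
        valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
        if [ -n "$filter" ]; then
            filter="$filter and port $port"
        else
            filter="port $port"
        fi
    fi
    printf '%s\n' "$filter"
}

# Full capture command: sudo for the root privileges tcpdump needs, -i binds
# the interface, -w writes raw packets to a file instead of printing them,
# and the optional filter expression comes last.
build_capture_cmd() {
    iface=$1
    outfile=$2
    filter=$(build_filter "$3" "$4") || return 1
    cmd="sudo tcpdump -i $iface -w $outfile"
    if [ -n "$filter" ]; then
        cmd="$cmd $filter"
    fi
    printf '%s\n' "$cmd"
}

# Rotating variant: -C is the file size in units of 1,000,000 bytes (1000
# gives roughly the 1000 MB described above) and -W caps the number of files,
# after which tcpdump starts overwriting the first one again.
# Arguments: interface, output file, size, file count.
build_rotating_cmd() {
    printf 'sudo tcpdump -i %s -C %s -W %s -w %s\n' "$1" "$3" "$4" "$2"
}

# gzip -c leaves the original in place and writes the compressed copy next to
# it, matching the syntax given above; prints the path of the .gz file.
compress_capture() {
    infile=$1
    [ -f "$infile" ] || { echo "no such file: $infile" >&2; return 1; }
    gzip -c "$infile" > "$infile.gz" || return 1
    printf '%s\n' "$infile.gz"
}

# Print the commands for review; paste one into a terminal once it looks right.
if [ "${1:-}" = "--show" ]; then
    iface=$(default_interface)
    build_capture_cmd "$iface" capture.pcap 10.0.0.5 443
    build_rotating_cmd "$iface" capture.pcap 1000 2
fi
```

Saved as, say, capture_helpers.sh (an assumed name), `sh capture_helpers.sh --show` prints the tcpdump lines without executing them; the functions only build strings and compress files, so nothing needs root until you actually run the printed tcpdump command, and the port check means a malformed request fails before the capture starts rather than thirty minutes later.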
Running a Packet Capture from Windows Using Wireshark
Since not everyone has a Mac or Linux server to use, you may need to generate a TCP dump on Windows. The easiest and most common approach is to use Wireshark (via its GUI), documented below.
First, download Wireshark. This installs both the Wireshark application and the WinPcap libraries; these are used to bind to a network adapter and capture packets. Download Wireshark from http://www.wireshark.org
Once you've downloaded Wireshark, install it and launch it. The great thing about Wireshark is that everything is controllable from a single interface. Under the Capture menu, select Options.
Select the interface you wish to capture by checking the appropriate box, choose appropriate name resolution options (defaults are fine), and ensure that the option for 'use pcap-ng format' is unchecked. Once you're ready to start capturing packets, click the Start button.
Once you click the Start button, Wireshark begins capturing packets and displays them in real time. This is a very busy, fast-moving, color-coded interface.
Once you've captured enough data, click the Stop button (also found under Capture > Stop).
If you want to filter your capture to a specific target IP address, click Capture > Capture Filters. This is a very rich expression builder; to target a specific host and port combination (similar to the tcpdump example above), create a filter similar to the following:
Once you've applied the filter (if applicable), click File > Save and save the capture file. The save takes the applicable filter into account and excludes any data not displayed in the filtered list. The packet capture file will be large, so always remember to compress it before sending it to ThousandEyes support.
Using SCP to Transfer the Output
Use Secure Copy Protocol (SCP) to transfer the output of the TCP dump from the ThousandEyes agent to your local machine. Run the command from the machine you are transferring the file to, and specify the file name and the location to copy it to. Thus, you'll need to include the trailing space followed by ".":
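As an added example that is not part of the original article, the script below builds the scp command with the trailing "." destination described above and then compares a SHA-256 checksum taken on the agent with the local copy, so a truncated or corrupted transfer is caught before the file goes on to support. The user name "user", the host agent.example.com and the remote path are constructed sample values; the checksum on the agent is assumed to come from running sha256sum there.

```shell
#!/bin/sh
# Added example, not from the ThousandEyes page: build the scp command that
# pulls the compressed capture to the local machine, then verify the copy
# against a checksum recorded on the agent. "user", agent.example.com and
# /home/user/capture.pcap.gz are constructed sample values.

# scp <user>@<agent>:<remote path> <local destination>. The trailing "."
# means "the current directory", so run it from where the file should land.
build_scp_cmd() {
    printf 'scp %s@%s:%s .\n' "$1" "$2" "$3"
}

# SHA-256 of a file using whichever tool the platform provides
# (sha256sum on Linux, shasum on macOS). Prints only the hex digest.
checksum_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Compare the digest recorded on the agent (the output of
# `sha256sum capture.pcap.gz` run there) with the local copy.
# Returns 0 on match and 1 on mismatch so it can gate the next step.
verify_transfer() {
    expected=$1
    localfile=$2
    [ -f "$localfile" ] || { echo "no such file: $localfile" >&2; return 1; }
    actual=$(checksum_file "$localfile") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $localfile"
        return 0
    fi
    echo "checksum MISMATCH for $localfile (expected $expected, got $actual)" >&2
    return 1
}

# Print the transfer command for review; paste it into a terminal on the
# receiving machine.
if [ "${1:-}" = "--show" ]; then
    build_scp_cmd user agent.example.com /home/user/capture.pcap.gz
fi
```

Record the digest on the agent before transferring (sha256sum on the .gz file), pull the file with the printed scp line, and run verify_transfer with that digest and the local path; a non-zero exit means the copy does not match what left the agent and should be transferred again rather than emailed.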