When troubleshooting network issues on a multi-homed system like a CentOS web proxy server with multiple WAN interfaces and a LAN interface, capturing complete conversations becomes challenging. Traditional tcpdump usage only allows monitoring one interface at a time, which isn't sufficient when traffic is load-balanced across multiple interfaces.
The most efficient approach is to create an interface group and capture traffic from all interfaces simultaneously. Here's how to implement this:
# Create an interface group
sudo ip link add name proxygroup type bridge
# Add all relevant interfaces to the group
sudo ip link set eth0 master proxygroup
sudo ip link set eth1 master proxygroup
sudo ip link set eth2 master proxygroup
# Bring up the group interface
sudo ip link set proxygroup up
# Capture traffic on the group interface
sudo tcpdump -i proxygroup -w combined_capture.pcap
If interface grouping isn't feasible, you can run multiple tcpdump instances and merge the captures later:
# Capture on each interface in separate terminals
sudo tcpdump -i eth0 -w wan1.pcap &
sudo tcpdump -i eth1 -w wan2.pcap &
sudo tcpdump -i eth2 -w lan.pcap &
# Merge captures using mergecap (from Wireshark package)
mergecap -w full_capture.pcap wan1.pcap wan2.pcap lan.pcap
To focus on specific client-server conversations across interfaces, use BPF filters:
# Capture HTTP traffic to/from specific client
sudo tcpdump -i proxygroup -w http_capture.pcap 'tcp port 80 and (host 192.168.1.100 or host 10.0.0.1)'
# Capture complete TCP sessions including handshake and termination
sudo tcpdump -i proxygroup -w tcp_sessions.pcap 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
When capturing on multiple high-traffic interfaces:
- Use buffer size options: -B 4096
- Limit capture size: -C 100 -W 5 (100MB files, keep 5 rotations)
- Consider using dumpcap for more efficient capturing
For regular monitoring, create a systemd service:
[Unit]
Description=Multi-interface packet capture
After=network.target
[Service]
# %% escapes the percent sign so that tcpdump, not systemd, expands the strftime fields
ExecStart=/usr/sbin/tcpdump -i proxygroup -w /var/log/captures/proxy_%%F_%%T.pcap -G 3600 -C 100
Restart=always
[Install]
WantedBy=multi-user.target
When troubleshooting network issues on a multi-homed system like a CentOS 5 web proxy server with multiple WAN interfaces, capturing complete conversations becomes complex. The standard tcpdump approach of monitoring one interface at a time creates fragmented data when traffic is load-balanced across interfaces.
The traditional method of running separate tcpdump instances:
tcpdump -i eth0 -w wan1.pcap &
tcpdump -i eth1 -w wan2.pcap &
tcpdump -i eth2 -w lan.pcap
This creates three separate capture files that must be merged manually, making correlation difficult.
For Linux systems, we can use more sophisticated approaches:
Method 1: Using a Capture Bridge
# Create a virtual bridge interface
brctl addbr capture-bridge
brctl addif capture-bridge eth0
brctl addif capture-bridge eth1
brctl addif capture-bridge eth2
# Capture on the bridge interface
tcpdump -i capture-bridge -w combined.pcap
Method 2: BPF Filter Magic
tcpdump -i any '((inbound and (dst host proxy_ip)) or (outbound and (src host proxy_ip)))' -w full_conversation.pcap
When implementing these solutions:
- Monitor system resource usage during capture
- Consider using -C and -W options for large captures
- Filter unnecessary traffic with BPF expressions
For analyzing the captured data:
# Merge separate files if needed
mergecap -w merged.pcap wan1.pcap wan2.pcap lan.pcap
# Filter specific conversations
tshark -r combined.pcap -Y "ip.addr == client_ip" -w filtered.pcap
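Once the per-interface files are merged, the question both answers circle around is whether each TCP conversation was actually captured end to end (the handshake and teardown filter above, and the per-client filtering step). The following script is an added example, not code from either answer: it groups the packets of a merged file by unordered endpoint pair, so the two directions of a session land in one record even if they were captured on different interfaces, and reports which conversations have a SYN, SYN-ACK, FIN or RST. It assumes a classic pcap file of Ethernet frames (write one with `mergecap -F pcap ...`); captures taken with `-i any` use the Linux cooked link type and are rejected. The sample capture at the end is constructed in-line with documentation addresses.

```python
import struct
from collections import defaultdict

SYN, FIN, RST, ACK = 0x02, 0x01, 0x04, 0x10

def iter_frames(data):  # yield raw link-layer frames from classic pcap bytes
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    if struct.unpack(end + "I", data[20:24])[0] != 1:  # DLT_EN10MB only
        raise ValueError("expected Ethernet; 'tcpdump -i any' writes Linux cooked frames")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def conversations(data):
    """Group IPv4/TCP packets by unordered endpoint pair; record handshake and teardown flags."""
    flows = defaultdict(lambda: {"packets": 0, "syn": False, "synack": False, "fin": False, "rst": False})
    for frame in iter_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13]
        f = flows[tuple(sorted([(src, sport), (dst, dport)]))]
        f["packets"] += 1
        f["syn"] |= bool(flags & SYN and not flags & ACK)
        f["synack"] |= bool(flags & SYN and flags & ACK)
        f["fin"] |= bool(flags & FIN)
        f["rst"] |= bool(flags & RST)
    return dict(flows)

def _frame(src, sport, dst, dport, flags):  # constructed Ethernet/IPv4/TCP frame, zero checksums
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():  # constructed: one complete LAN-side session, one WAN-side session with no teardown
    frames = [_frame("192.168.1.100", 40000, "10.0.0.1", 8080, SYN),
              _frame("10.0.0.1", 8080, "192.168.1.100", 40000, SYN | ACK),
              _frame("192.168.1.100", 40000, "10.0.0.1", 8080, FIN | ACK),
              _frame("203.0.113.5", 50000, "198.51.100.10", 80, SYN),
              _frame("198.51.100.10", 80, "203.0.113.5", 50000, SYN | ACK)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out
```

Run it on a real merge with `conversations(open("merged.pcap", "rb").read())`; a flow with `syn` and `synack` but no `fin` or `rst` is one whose end was not captured, which on a multi-homed proxy usually means the other half of the conversation left through an interface that was not in the capture set.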