When dealing with network traffic analysis, capturing only the necessary data is crucial for efficiency and storage management. In this scenario, we need to:
- Capture only incoming/outgoing traffic (excluding intra-subnet communication)
- Filter out multicast and broadcast traffic
- Focus on Ethernet/IPv4 with TCP/UDP/ICMP headers only
- Exclude packet payloads to reduce file size
- Maintain continuous 24/7 capture without packet loss
The core command structure for this task would be:
tcpdump -i [interface] -s [snaplen] -w [output.pcap] [filters]
Here's the complete solution addressing all requirements:
tcpdump -i eth0 -s 96 -w traffic.pcap \
'ip and (tcp or udp or icmp)' \
'and not (src net 192.168.1.0/24 and dst net 192.168.1.0/24)' \
'and not multicast and not broadcast'
- -i eth0: Capture from specific interface
- -s 96: Snap length to capture only headers (Ethernet+IP+TCP=14+20+20=54 bytes minimum; 96 leaves headroom for IP/TCP options)
- -w traffic.pcap: Output file in PCAP format
- Filter components:
- Excludes intra-subnet traffic (replace 192.168.1.0/24 with your subnet)
- Filters out multicast/broadcast
- Includes only TCP/UDP/ICMP over IPv4 (the leading "ip and" matters: the bare tcp/udp primitives also match IPv6)
For high-volume traffic (100MB/s), consider these optimizations:
tcpdump -i eth0 -s 96 -C 1000 -W 48 -w traffic.pcap \
-B 4096 --immediate-mode \
'ip and (tcp or udp or icmp)' \
'and not (src net 192.168.1.0/24 and dst net 192.168.1.0/24)' \
'and not multicast and not broadcast'
Additional parameters:
- -C 1000: Rotate files every 1000MB
- -W 48: Maintain 48 files before overwriting
- -B 4096: Larger buffer (in KB)
- --immediate-mode: Use packet-mmap for better performance
For even better performance, consider Wireshark's dumpcap:
dumpcap -i eth0 -s 96 -b filesize:1000000 -b files:48 -w traffic.pcap \
-B 4 \
-f 'ip and (tcp or udp or icmp) and not (src net 192.168.1.0/24 and dst net 192.168.1.0/24) and not multicast and not broadcast'
Note that dumpcap's units differ from tcpdump's: -b filesize is in kB (so 1000000 matches the 1000MB rotation above) and -B is in MiB (4 MiB matches tcpdump's -B 4096 KB). dumpcap writes pcapng by default; add -P if you need classic pcap.
Check for dropped packets with (tcpdump prints the "packets dropped by kernel" summary when it exits or receives SIGUSR1):
tcpdump -i eth0 -s 96 -w /dev/null 2>&1 | grep -i "packets dropped"
Or continuously monitor with:
watch -n 1 'cat /sys/class/net/eth0/statistics/rx_dropped'
- Increase ring buffer size:
ethtool -G eth0 rx 4096
- Disable NIC offloading so captured frames match what is on the wire:
ethtool -K eth0 gro off gso off tso off
- Consider dedicated capture hardware for 100MB/s+ traffic
- Use separate storage device for capture files
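To make the drop checks above repeatable, here is an added helper script (not part of the original answers) that builds the one-line capture filter for a given subnet and parses the two drop indicators mentioned: tcpdump's "packets dropped by kernel" summary and the NIC's rx_dropped counter. The interface name and the sample statistics are constructed.

```shell
#!/bin/sh
# Added helper: filter construction plus drop-counter checks for a
# headers-only tcpdump capture. Sample values below are constructed.

# build_filter SUBNET: print a one-line pcap-filter expression that keeps
# IPv4 TCP/UDP/ICMP crossing the subnet boundary and drops multicast and
# broadcast frames. The "ip and" guard is needed because the bare
# tcp/udp primitives also match IPv6.
build_filter() {
    printf '%s\n' "ip and (tcp or udp or icmp) and not (src net $1 and dst net $1) and not (multicast or broadcast)"
}

# kernel_drops: read tcpdump's exit/SIGUSR1 summary on stdin and print the
# "N packets dropped by kernel" count (0 when the line is absent).
kernel_drops() {
    awk '/packets dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# rx_dropped IFACE [SYSFS_ROOT]: print the NIC's rx_dropped counter; the
# optional root lets a test point at a constructed tree instead of /sys.
rx_dropped() {
    cat "${2:-/sys/class/net}/$1/statistics/rx_dropped"
}

# Constructed sample of what tcpdump writes to stderr when stopped.
SAMPLE_STATS='12345 packets captured
12361 packets received by filter
16 packets dropped by kernel'

# Real use needs capture privileges, so it is only shown as comments:
#   FILTER=$(build_filter 192.168.1.0/24)
#   tcpdump -d "$FILTER" >/dev/null && echo "filter compiles"
#   tcpdump -i eth0 -s 96 -n -C 1000 -W 48 -w traffic.pcap "$FILTER"
printf '%s\n' "$SAMPLE_STATS" | kernel_drops   # prints 16
```

tcpdump -d compiles the expression and prints the BPF program without capturing, which catches filter syntax errors before a long-running capture starts.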
When dealing with mirrored switch traffic at 100MB/s rates, we need precise filtering to avoid storage overload while ensuring zero packet loss. The key requirements are:
- Exclude intra-subnet communications (requires subnet knowledge)
- Filter out multicast/broadcast traffic
- Capture only IPv4 with TCP/UDP/ICMP over Ethernet
- Truncate packet payloads to save storage
Here's the comprehensive command that meets all requirements:
tcpdump -i eth0 -s 96 -n -K -C 1000 -W 50 -w capture.pcap \
'ip and (tcp or udp or icmp)' \
'and not (dst net 192.168.1.0/24 and src net 192.168.1.0/24)' \
'and not (multicast or broadcast)'
-s 96: Snaps only headers (14B Ethernet + 20B IP + max 60B TCP/UDP)
Filter breakdown:
- ip and (tcp or udp or icmp): IPv4 with desired protocols
- not (dst net 192.168.1.0/24 and src net 192.168.1.0/24): Excludes internal subnet traffic
- not (multicast or broadcast): Drops unwanted traffic types
For 100MB/s continuous capture:
sysctl -w net.core.rmem_max=16777216
sysctl -w net.core.netdev_max_backlog=50000
nice -n -20 tcpdump [previous_command]
Additional recommendations:
- Use separate physical interface for capture
- Write to high-speed storage (NVMe preferred)
- Monitor with iftop -i eth0 -B during capture
To verify capture quality:
tcpdump -r capture.pcap -nn -c 10 -ttt
Rotate files automatically by adding:
-G 3600 -z /path/to/compress_script.sh
With -G the -w filename needs a strftime pattern (for example capture_%Y%m%d%H%M%S.pcap) so each hour gets a new file instead of overwriting the previous one; -z runs the script with the finished file as its argument. Where compress_script.sh contains:
#!/bin/bash
gzip "$@"