Difference between revisions of "Network recording for error finding"
Revision as of 08:37, 4 August 2021
Sometimes you get occasional network errors, like a stream disconnecting, without any clue as to why.
A good approach is to record the network exchanges continuously, so you can go back to the capture afterwards and analyze it.
This can be done by using Wireshark, or its command-line version tcpdump under Linux or Windows.
Wireshark
To use Wireshark, you need to have a user logged in and a graphical desktop interface.
- Launch Wireshark
- Go into Capture->Options
- In the Input Tab:
  - Select the network interface
  - Optionally set a capture filter:
    - To select the conversation with one host IP, set in the capture filter: host 192.168.1.12
    - To select only the TCP protocol set tcp, or to select only UDP set udp
    - To select only the conversation on one port set port 80
    - To select only TCP push packets set tcp and (tcp[tcpflags] & (tcp-push) != 0)
    - You can combine all those with and, or, not and use parentheses ( ).
    - Example: to get all HTTP traffic with 173.236.178.205: host 173.236.178.205 and port 80 and (tcp and (tcp[tcpflags] & (tcp-push) != 0))
- Go to the Output Tab and:
  - Select a base file name for storage
  - Select the pcapng format
  - Check "Create a new file automatically"
  - Check "When time is a multiple of" and choose for instance 15 minutes.
  - Check "Use a ring buffer with" and select enough files to cover the time you need from detection to handling. To cover 24 hours with 15-minute files, you need 24*4=96 files.
- Go to the Options Tab:
  - Uncheck "Update list of packets in real-time" to avoid memory growing too much if you let it run for days
Depending on what you record and how much traffic there is, choose a suitable time span for each file.
When you detect a problem, go to the storage folder and copy the file that matches the time when the problem happened, so it will not be deleted by the ring buffer.
Tcpdump
This works exactly like Wireshark, but from the command line, so you can run it in a Linux screen virtual TTY or with nohup tcpdump ... &.
For instance:
tcpdump -i en0 -w /var/tmp/capture-%m-%d-%H-%M-%S-%s.pcapng -W 96 -G 900 "host 192.168.1.12 and tcp and port 80"
will capture from interface en0, filtering all HTTP traffic with 192.168.1.12, and save it to files named /var/tmp/capture-....pcapng (filling the name with the date and time), starting a new file every 900 seconds (so 15 minutes), and limited to 96 files (so 1 day = 24*4).
Note that tcpdump writes the classic pcap format whatever extension you give the file (Wireshark opens it regardless), and that when -W is combined with -G tcpdump exits once the file limit is reached instead of overwriting the oldest file; to get an endless ring buffer like Wireshark's, restart it (for instance in a loop) or prune the old files yourself.
The manual can be found here.
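The two chores around the rotated files above, emulating Wireshark's ring buffer for tcpdump and picking the file that covers the moment a problem was noticed, as an added shell example (not from the original page). It assumes the file naming pattern from the tcpdump command above, a rotation period equal to the -G value, and a directory holding only those captures.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers around the rotated files written by:
#   tcpdump -G 900 -w DIR/capture-%m-%d-%H-%M-%S-%s.pcapng
# Assumptions: names end in -<epoch>.pcapng and each file spans ROTATE seconds.
ROTATE=900   # must equal the -G value given to tcpdump

# Epoch start time embedded in a rotated file name (the %s field).
epoch_of() {
    f=$(basename "$1" .pcapng)
    echo "${f##*-}"
}

# List capture files in DIR, oldest first, ordered by their embedded epoch.
list_captures() {
    for f in "$1"/*.pcapng; do
        [ -e "$f" ] || continue
        e=$(epoch_of "$f")
        case $e in *[!0-9]*|"") continue ;; esac   # skip names without an epoch
        printf '%s %s\n' "$e" "$f"
    done | sort -n | cut -d' ' -f2-
}

# prune_ring DIR KEEP: delete all but the newest KEEP files, emulating Wireshark's
# ring buffer. With -G, tcpdump's -W only stops capturing at the limit instead of
# overwriting, so run this after each rotation, e.g. from a one-line wrapper script
# passed to -z (tcpdump appends the closed file name as an argument; it is unused here).
prune_ring() {
    dir=$1; keep=$2
    n=$(list_captures "$dir" | wc -l | tr -d ' ')
    [ "$n" -gt "$keep" ] || return 0
    list_captures "$dir" | head -n $((n - keep)) | while IFS= read -r old; do
        rm -f "$old"
    done
}

# find_capture DIR EPOCH: print the file whose [start, start+ROTATE) contains EPOCH,
# i.e. the one to copy out of the ring before it is rotated away; fails if none covers it.
find_capture() {
    dir=$1; when=$2
    hit=$(list_captures "$dir" | while IFS= read -r f; do
        s=$(epoch_of "$f")
        if [ "$s" -le "$when" ] && [ "$when" -lt $((s + ROTATE)) ]; then
            echo "$f"; break
        fi
    done)
    [ -n "$hit" ] && echo "$hit"
}
```

Since a fault may have started before the moment it was noticed, also keep the file returned for EPOCH minus ROTATE.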
Standalone
You do not have access to the OS on the Standalone processors, but you can use switch port mirroring to record all their conversations.
- Configure the switch to mirror the port of the Standalone processor you want to monitor
- Connect your recording PC to the mirroring port
- Use Wireshark or Tcpdump to record the traffic.