Troubleshooting
Resolving The Problem
Background
Encryption
If you are capturing non-encrypted traffic (for example, HTTP without TLS), it may include sensitive data and the capture files should be treated sensitively.
If you are capturing encrypted traffic (for example, HTTP with TLS), then depending on the negotiated cipher it is usually impossible to decrypt the traffic without advanced diagnostics, even if you have the private key.
What to capture
Ideally, capture both sides of a network conversation. For example, if packets are lost on a source host, they will not be visible if the network capture is only taken on the destination host.
Overhead
Gathering network traces has an impact on response times, throughput, and disk usage. These impacts must be carefully reviewed before enabling network traces in a production environment.
The main determinants of the impacts are how many bytes per packet are captured and whether any filtering is done (for example, by port). If impact is a concern, minimize the number of bytes per packet and/or filter to particular ports. More generally, run a performance test in a performance environment without network tracing as a baseline and then run another test with network tracing and compare relative values of key performance indicators.
There are downsides to reducing how much is captured. For example, if you use port filtering to capture HTTP traffic and there is a slow DNS response time related to handling that traffic, then that will not be immediately seen. In general, for encrypted traffic that you plan to decrypt, you should capture the entire packet to allow for the decryption.
Linux
Preparation
If tcpdump is not installed, install it using operating system tools. For example:
- Modern Fedora, RHEL, CentOS, ubi, and ubi-init:
- sudo dnf install -y tcpdump
- Older Fedora, RHEL, and CentOS:
- sudo yum install -y tcpdump
- Debian and Ubuntu:
- sudo apt-get update && sudo env DEBIAN_FRONTEND=noninteractive TZ=${TZ:-UTC} apt-get -y install tcpdump
- Alpine:
- sudo apk update && sudo apk add tcpdump
Capture without port filtering
sudo sh -c "date >> nohup.out && (nohup tcpdump -nn -v -i $INTERFACE -B 4096 -s 0 -C 1024 -W 10 -Z root -w diag_capture_$(hostname)_$(date +%Y%m%d_%H%M%S).pcap &) && sleep 3 && cat nohup.out"
a. This example captures up to 10 files (-W) of 1024MB (-C) each, so up to 10GB. Ensure sufficient disk space is available and increase these values as much as possible to capture maximum data.
b. This example captures the entire packet (-s 0). To minimize bytes per packet, set -s to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
sudo pkill -INT tcpdump
Capture with port filtering
sudo sh -c "date >> nohup.out && (nohup tcpdump -nn -v -i $INTERFACE -B 4096 -s 0 -C 1024 -W 10 -Z root -w diag_capture_$(hostname)_$(date +%Y%m%d_%H%M%S).pcap 'port $PORT' &) && sleep 3 && cat nohup.out"
a. This example captures up to 10 files (-W) of 1024MB (-C) each, so up to 10GB. Ensure sufficient disk space is available and increase these values as much as possible to capture maximum data.
b. This example captures the entire packet (-s 0). To minimize bytes per packet, set -s to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
sudo pkill -INT tcpdump
It might be possible to capture network traffic without root access with certain configuration but this option is not covered in this document.
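The commands above start tcpdump by hand and stop it with pkill -INT, which signals every tcpdump running on the host. The following POSIX sh wrapper is an added example written for this page; it is not IBM's tooling and is not part of the original document. It runs the preflight checks a practitioner wants before enabling a capture in production (tcpdump installed, interface present, enough free disk for the whole -C × -W ring buffer), applies the snap-length and port-filter choices from the notes above, and records the PID of the tcpdump it starts so that stopping the capture signals only that process. The names CAPTURE_DIR, PIDFILE, FILE_MB, FILE_COUNT, start_capture and stop_capture, and the use of /sys/class/net and df -Pm for the checks, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM page): wraps the tcpdump ring-buffer capture
# with preflight checks and a pidfile, so that stop_capture signals only the
# tcpdump this script started. All names below are this example's own choices.

CAPTURE_DIR="${CAPTURE_DIR:-.}"
PIDFILE="${PIDFILE:-$CAPTURE_DIR/diag_tcpdump.pid}"
FILE_MB="${FILE_MB:-1024}"     # tcpdump -C (MB per file)
FILE_COUNT="${FILE_COUNT:-10}" # tcpdump -W (number of files in the ring)

# Disk the ring buffer can grow to, in MB: -C multiplied by -W.
ring_buffer_mb() {
    echo $(( $1 * $2 ))
}

# Snap length: 0 = whole packet (needed if the traffic is to be decrypted
# later); otherwise the page's minimal values of 80 (IPv4) or 128 (IPv6).
snaplen_for() {
    case "$1" in
        full) echo 0 ;;
        ipv4) echo 80 ;;
        ipv6) echo 128 ;;
        *) echo "unknown snaplen profile: $1" >&2; return 1 ;;
    esac
}

# BPF filter: empty when no port is given, "port N" otherwise, after
# checking that N is a valid port number.
port_filter() {
    [ -z "$1" ] && { echo ""; return 0; }
    case "$1" in
        *[!0-9]*) echo "invalid port: $1" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || { echo "port out of range: $1" >&2; return 1; }
    echo "port $1"
}

# Preflight: free space on CAPTURE_DIR (MB) must cover the full ring buffer.
check_disk() {
    need=$(ring_buffer_mb "$FILE_MB" "$FILE_COUNT")
    free=$(df -Pm "$CAPTURE_DIR" | awk 'NR==2 {print $4}')
    [ "$free" -ge "$need" ] || { echo "need ${need}MB, only ${free}MB free" >&2; return 1; }
}

# usage: start_capture IFACE full|ipv4|ipv6 [PORT]   (run as root)
start_capture() {
    iface=$1; profile=$2; port=$3
    command -v tcpdump >/dev/null || { echo "tcpdump not installed" >&2; return 1; }
    [ -e "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
    snap=$(snaplen_for "$profile") || return 1
    filter=$(port_filter "$port") || return 1
    check_disk || return 1
    out="$CAPTURE_DIR/diag_capture_$(hostname)_$(date +%Y%m%d_%H%M%S).pcap"
    # Same tcpdump options as the page's command; $filter is deliberately
    # unquoted so an empty filter expands to nothing.
    nohup tcpdump -nn -v -i "$iface" -B 4096 -s "$snap" -C "$FILE_MB" -W "$FILE_COUNT" \
        -Z root -w "$out" $filter >"$CAPTURE_DIR/tcpdump.nohup.out" 2>&1 &
    echo $! > "$PIDFILE"
    sleep 3
    # tcpdump exits almost immediately on a bad interface or filter; report that
    # instead of assuming the capture is running.
    kill -0 "$(cat "$PIDFILE")" 2>/dev/null || { cat "$CAPTURE_DIR/tcpdump.nohup.out" >&2; return 1; }
    echo "capturing to $out (pid $(cat "$PIDFILE"))"
}

# SIGINT makes tcpdump flush and close the current file; only the recorded
# PID is signalled, not every tcpdump on the host.
stop_capture() {
    [ -f "$PIDFILE" ] || { echo "no capture running" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    kill -INT "$pid" 2>/dev/null
    rm -f "$PIDFILE"
    wait "$pid" 2>/dev/null || true   # reaps it if it is our child; harmless otherwise
    i=0
    while kill -0 "$pid" 2>/dev/null && [ $i -lt 10 ]; do sleep 1; i=$((i+1)); done
    ! kill -0 "$pid" 2>/dev/null
}
```

Source the file as root and run, for example, `start_capture eth0 full 443` to capture whole packets on port 443 (the `full` profile keeps `-s 0`, which the Background section says is needed if the traffic is to be decrypted later), then `stop_capture` when the problem has been reproduced. The disk check fails closed: if the directory cannot hold the entire ring buffer, nothing is started, which is the safer failure in a production environment.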
Linux on OpenShift
Gather tcpdump for a particular pod: https://access.redhat.com/solutions/4569211
AIX
Capture without port filtering
startsrc -s iptrace "-a -b -B -L 2147483648 -S 1500 diag_aixiptrace.bin"
a. This command captures up to 2 files of 2GB each. Change -L as needed.
b. This command captures up to 1500 bytes per packet. To minimize bytes per packet, set -S to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
stopsrc -s iptrace
Capture with port filtering
startsrc -s iptrace "-a -b -B -p $PORT -L 2147483648 -S 1500 diag_aixiptrace.bin"
a. This command captures up to 2 files of 2GB each. Change -L as needed.
b. This command captures up to 1500 bytes per packet. To minimize bytes per packet, set -S to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
stopsrc -s iptrace
Windows
Capture without port filtering
netsh trace start provider=Microsoft-Windows-TCPIP persistent=yes capture=yes packettruncatebytes=1500 tracefile=C:\diag_networktrace.etl maxSize=10240 perf=no
a. This command captures up to 10GB of total data. Change maxSize (in MB) as needed.
b. This command captures up to 1500 bytes per packet. To minimize bytes per packet, set packettruncatebytes to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
netsh trace stop
Capture with port filtering
netsh does not have an option to filter by a TCP port. It can filter by source or destination IP address (run: netsh trace show capturefilterHelp). Alternatively, you may use the Windows (pktmon) instructions below, taking into account the caveats in the introduction, or install Wireshark and use a port capture filter; however, Microsoft suggests that Wireshark’s capture technology is less performant.
z/OS
See https://www.ibm.com/support/pages/how-collect-packet-traces-and-other-tcpip-related-traces-zos
IBM i
See https://www.ibm.com/docs/en/ssw_ibm_i_73/rzaku/rzakupdf.pdf#page=20
Solaris
Capture without port filtering
nohup snoop -r -o diag_$(hostname)_$(date +"%Y%m%d_%H%M").snoop -s 1500 -q -d $INTERFACE &
a. This command captures up to 1500 bytes per packet. To minimize bytes per packet, set -s to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
kill ${PID}
Capture with port filtering
nohup snoop -r -o diag_$(hostname)_$(date +"%Y%m%d_%H%M").snoop -s 1500 -q -d $INTERFACE "port $PORT" &
a. This command captures up to 1500 bytes per packet. To minimize bytes per packet, set -s to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
kill ${PID}
HP-UX
Capture without port filtering
nohup nettl -tn all -e all -f diag_networktrace &
kill ${PID}
Windows (pktmon)
Capture without port filtering
pktmon start --capture --pkt-size 1500 --file-size 10240 --log-mode circular
a. This command captures up to 10GB of total data. Change --file-size (in MB) as needed.
b. This command captures up to 1500 bytes per packet. To minimize bytes per packet, set pkt-size to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
c. If you receive the error, "Packet monitor is already started," then first run "pktmon stop" and then re-run the "start" command.
pktmon stop
pktmon etl2pcap PktMon.etl
Capture with port filtering
pktmon filter add -t tcp -p %PORT%
pktmon start --capture --pkt-size 1500 --file-size 10240 --log-mode circular
a. This command captures up to 10GB of total data. Change --file-size (in MB) as needed.
b. This command captures up to 1500 bytes per packet. To minimize bytes per packet, set pkt-size to 80 for IPv4 and 128 for IPv6 traffic. You can go lower but it’s sometimes useful to have at least some of the TCP packet.
c. If you receive the error, "Packet monitor is already started," then first run "pktmon stop" and then re-run the "start" command.
pktmon stop
pktmon etl2pcap PktMon.etl
Document Information
Modified date: 11 October 2024
UID: ibm16471353