Capturing packets and not missing a lot of them can be hard. If you're monitoring TLS (including SIP over TLS), you need every single packet to be able to decode it.
Many of us have a Linux server for doing our captures. There are some great tools like gulp and n2disk (among other great work on this subject from Luca Deri). But on a vanilla Linux machine, using whatever Ethernet interfaces you have, you can still do some neat stuff.
Capture with tcpdump, not tshark
tcpdump is more efficient than tshark at raw writing to disk; e.g.,
tcpdump -s 1514 -i eth2 -w file.pcap
will tend to capture more than a similar tshark command.
Prioritize tcpdump
(b) A busy Linux box, or high packet rate, will lose some data because tcpdump or tshark are not running all the time. You can run tcpdump at a higher priority with the "nice" command and a negative nice level:
nice --adjustment=-10 tcpdump -s 1514 -i eth2 -w file.pcap
Use RAM, not disk.
Sometimes the disk system just cannot keep up with the rate of traffic, and the disk buffers aren't large enough. Without tuning kernel disk buffers, you can make a ramdisk. This example checks to see there's about 1660 MB of RAM doing nobody any good, and it makes a 1000 MB ramdisk using the "tmpfs" filesystem feature, and writes a big capture to it.
[root@sniffer /]# free -m
total used free shared buffers cached
Mem: 2010 1748 262 0 159 1239
-/+ buffers/cache: 349 1660
Swap: 3999 0 3999
# mkdir /tmp/ramdisk
# mount -t tmpfs -o size=1000m tmpfs /tmp/ramdisk/
# nice --adjustment=-10 tcpdump -s 1514 -i eth2 -w /tmp/ramdisk/ecg_sniffer_eth2_20180321.pcap
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 1514 bytes
1199062 packets captured
1199075 packets received by filter
0 packets dropped by kernel
ECG would be glad to help with your Voice and Video Network Engineering, and 24x7 customer support. Ping us to learn more.
