With the Linux command "tcpdump" all traffic to and from the STARFACE can be monitored and recorded. The recording can either be output directly on the monitor or written to a dump file. This dump file can be subsequently analyzed with the program "Wireshark" (Download Wireshark).
Note: It is also possible to activate a TCPdump via the STARFACE web interface (see also "System Status of the STARFACE")
To perform a TCPdump on the STARFACE, the following steps must be performed:
Connect via ssh to STARFACE- Login with the root user (see also "Password for the Root User")
- Enter the TCPdump command and confirm with the Enter key
- Wait for the error to be recorded
- Stop the TCPdump
Note: In many fault scenarios (e.g., audio problems), the nohup tcpdump -w dump.pcap -s0 -vv -C50M -Zroot & command can be used to record the stream of data needed for analysis and to write it to a file.
The following parameters allow further specification of the TCPdump command:
| Parameter | Description |
|---|---|
| -i Interfacename | Specification of the interface for which the data packets are to be logged. |
| -s0 | Specifies that the data packets are logged in their full length. |
| -w Filename.pcap | Writes the TCPdump to a local file named ""Filename.pcap |
| -C50M | Specifies the maximum size of a dump file (e.g., 50MB) before starting to write to a new dump file. The new file will be marked with a sequential number. |
| host IP-Adresse | Specification of a single IP address |
| port Portnumber | Specification of a single port |
| -Zroot | Specification of the user |
Some examples of TCPdump commands:
| Command | Description |
|---|---|
| tcpdump | All data packets to and from the STARFACE are output directly to the monitor. |
tcpdump -i eth0 | All data packets to and from the first network card (eth0) of the STARFACE are output to the monitor. |
| tcpdump -i any | All data packets to and from each STARFACE interface are output to the monitor. |
| tcpdump port 5060 | All data packets to and from port 5060 are output to the monitor. |
| tcpdump host 192.168.1.100 | All data packets from and to the IP address "192.168.1.100" are output to the monitor. |
tcpdump -s0 port 5060 -w test.pcap | All data packets to and from port 5060 are written completely to a local file called "test.pcap". |
| tcpdump -s0 host 192.168.2.200 -w 1234.pcap | All data packets to and from the IP address "192.168.2.200" are written completely to a local file named "1234.pcap". |
| nohup tcpdump -w dump.pcap -s0 -vv -C50M -Zroot -W 10 -G -C & | All data packets to and from STARFACE are completely written to a local file called dump.pcap. When the dump file reaches a size of 50MB, it will start writing to a new file marked with a sequential number. A total of 10 files are written to 50 MB and the 11th file overwrites the first created file. The process is moved into the background so that the ssh access can be ended without the process aborting. |
| nohup tcpdump -s0 -w abcd.pcap & | All data packets to and from the STARFACE are completely written to a local file called "abcd.pcap". The process is moved into the background so that the ssh access can be ended without the process aborting. |
| nohup tcpdump -s0 -w dump.pcap -C50M -Zroot & | All data packets to and from the STARFACE are completely written to a local file called dump.pcap. When the dump file reaches a size of 50MB, it will start writing to a new file marked with a sequential number. The process is moved into the background so that the ssh access can be ended without the process aborting. |
The output of the TCPdump on the monitor or a TCPdump process not moved to the background can be ended with the key combination CTRL + C. A TCPdump running in the background can be stopped with the following command:
killall tcpdump
To analyze the created dump files it is recommended to copy them to a local computer via sFTP and open them there with the program "Wireshark".Note: A server or service restart of the STARFACE also terminates all TCPdump processes that have been moved to the background.