
Instructions on packet capture during network exceptions

Last Updated: Dec 14, 2018

Captured packets can be used to analyze exceptions that occur when a source server accesses a target server. This article describes common packet capture tools and the packet capture procedure. Once packets are captured, you can send them to Alibaba Cloud for analysis.

Note: Before you capture packets, we recommend that you first troubleshoot the exception by referring to the article on why a server can be pinged but its port cannot be accessed, and that you analyze ping packet loss or ping failure using the link testing tool.

Introduction to common packet capture tools

Linux OS and Windows OS use different packet capture tools:

Packet capture tool for Linux

In Linux, tcpdump is normally used for packet capture and analysis. It is pre-installed on almost all versions of Linux. For information about how to obtain and install tcpdump, see tcpdump official documents.

tcpdump example

  tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
          [ -c count ]
          [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
          [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
          [ --number ] [ -Q in|out|inout ]
          [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
          [ -W filecount ]
          [ -E spi@ipaddr algo:secret,... ]
          [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
          [ --time-stamp-precision=tstamp_precision ]
          [ --immediate-mode ] [ --version ]
          [ expression ]

Common parameters (case sensitive)

  • -s sets the snapshot length, that is, how many bytes of each packet are captured. If -s is set to 0, whole packets are captured without truncation.
  • -w writes the captured packets to a file in raw pcap format instead of decoding them and printing them in the console. Files written this way can be opened in Wireshark.
  • -i specifies the interface (network adapter) to listen on.
  • -vvv prints the most detailed protocol decode, including fields such as TTL, IP ID, and checksums.
  • expression is a filter expression (pcap/BPF syntax, not a regular expression) that selects which packets are captured. It is built from the following keyword groups:
    • Type keywords: host (a host address), net (a network), and port (a port number).
    • Direction keywords: src (source), dst (destination), src or dst (either end), and src and dst (both ends).
    • Protocol keywords: icmp, ip, arp, rarp, tcp, udp, and other protocol types.

For more parameter descriptions and usage, see the tcpdump man page.
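The following shell script is an added example, not part of the original article: it composes a tcpdump filter expression from the three keyword groups listed above (type, direction, protocol) and wraps it in a capture command line. The addresses and port 22 are reused from this page's sample output; the interface name eth0 is an assumption. The functions only build and print the command, they do not execute tcpdump.

```shell
#!/bin/sh
# Added example (not from the original article): compose a tcpdump filter
# expression from the keyword groups described above and wrap it in a
# capture command. Addresses and port 22 are reused from this page's sample
# output; the interface name eth0 is an assumption.

# build_filter DIRECTION HOST PORT PROTO
#   DIRECTION: src | dst | any     PORT: a number, or "" for no port filter
#   PROTO:     tcp | udp | icmp | any
# Prints the filter expression, or returns 1 on invalid input.
build_filter() {
    dir=$1; host=$2; port=$3; proto=$4
    case "$dir" in
        src|dst) expr="$dir host $host" ;;
        any)     expr="host $host" ;;
        *) echo "build_filter: direction must be src, dst or any" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp|icmp|any|"") ;;
        *) echo "build_filter: unknown protocol '$proto'" >&2; return 1 ;;
    esac
    if [ -n "$port" ]; then
        case "$port" in
            *[!0-9]*) echo "build_filter: port must be numeric" >&2; return 1 ;;
        esac
        # 'port' applies to TCP/UDP only; "icmp and port N" is accepted by the
        # filter compiler but can never match, so reject it before capturing.
        if [ "$proto" = icmp ]; then
            echo "build_filter: icmp has no ports" >&2; return 1
        fi
        expr="$expr and port $port"
    fi
    case "$proto" in
        tcp|udp|icmp) expr="$expr and $proto" ;;
    esac
    printf '%s\n' "$expr"
}

# capture_cmd IFACE FILTER [OUTFILE]
# Prints the command line. -s 0 keeps whole packets; -n suppresses reverse
# DNS lookups so a slow resolver cannot stall the console output; with an
# OUTFILE, -w writes raw pcap that Wireshark can open, otherwise -vvv decodes
# packets in the console.
capture_cmd() {
    iface=$1; filter=$2; outfile=$3
    if [ -n "$outfile" ]; then
        printf 'tcpdump -n -s 0 -i %s -w %s %s\n' "$iface" "$outfile" "$filter"
    else
        printf 'tcpdump -n -s 0 -i %s -vvv %s\n' "$iface" "$filter"
    fi
}

# Demonstration: a file capture of the SSH session shown in the sample output
f=$(build_filter dst 42.120.74.107 22 tcp)
capture_cmd eth0 "$f" target-side.cap
```

Run the script to print the command, then paste it into a root shell on the server. Because `port` alone matches both TCP and UDP, adding the protocol keyword narrows the capture to the protocol you are actually troubleshooting.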

Common usage and sample output

  • Capture traffic on a specified port of a specified network adapter.

    • Command:

      tcpdump -s 0 -i eth0 port 22
    • Sample output:

      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
      20:24:59.414951 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442372:442536, ack 53, win 141, length 164
      20:24:59.415002 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442536:442700, ack 53, win 141, length 164
      20:24:59.415052 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442700:442864, ack 53, win 141, length 164
      20:24:59.415103 IP 172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], seq 442864:443028, ack 53, win 141, length 164
  • Capture traffic on a specified port of a specified network adapter and print the detailed protocol decode in the console.

    • Command:

      tcpdump -s 0 -i eth1 -vvv port 22
    • Sample output:

      tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
      20:24:20.991006 IP (tos 0x10, ttl 64, id 22747, offset 0, flags [DF], proto TCP (6), length 316)
      172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x2504 (incorrect -> 0x270d), seq 133624:133900, ack 1, win 141, length 276
      20:24:20.991033 IP (tos 0x0, ttl 53, id 2348, offset 0, flags [DF], proto TCP (6), length 92)
      42.120.74.107.43414 > 172.16.2.226.ssh: Flags [P.], cksum 0x4759 (correct), seq 1:53, ack 129036, win 15472, length 52
      20:24:20.991130 IP (tos 0x10, ttl 64, id 22748, offset 0, flags [DF], proto TCP (6), length 540)
      172.16.2.226.ssh > 42.120.74.107.43414: Flags [P.], cksum 0x25e4 (incorrect -> 0x5e78), seq 133900:134400, ack 53, win 141, length 500
      20:24:20.991162 IP (tos 0x0, ttl 53, id 2349, offset 0, flags [DF], proto TCP (6), length 40)
      42.120.74.107.43414 > 172.16.2.226.ssh: Flags [.], cksum 0xf39e (correct), seq 53, ack 129812, win 15278, length 0
  • Capture ping (ICMP) traffic sent to a specified IP address and print the detailed protocol decode in the console.

    • Command:

      tcpdump -s 0 -i eth1 -vvv dst 223.5.5.5 and icmp
    • Sample output:

      tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
      20:26:00.368958 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
      172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 341, length 64
      20:26:01.369996 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
      172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 342, length 64
      20:26:02.371058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
      172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 343, length 64
      20:26:03.372181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
      172.16.2.226 > public1.alidns.com: ICMP echo request, id 55097, seq 344, length 64
  • Capture traffic on all interfaces in the system and store it in a specified file.

    • Command:

      tcpdump -i any -s 0 -w test.cap
    • Sample output:

      tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

Packet capture tool for Windows

In Windows, Wireshark is normally used for packet capture and analysis. It is a free open-source tool.

For information about how to obtain and install Wireshark, see Wireshark official website.

Capture packets using Wireshark

  1. Install and start Wireshark.

  2. Select Capture > Options.

  3. In the Wireshark Capture Options dialog, select the network adapters to capture on, identifying them by interface name or by their IP addresses, and click Start.

    (Figure: Wireshark Capture Options dialog)

  4. Select Capture > Stop to stop packet capture after sufficient packets are captured.

  5. Select File > Save to save the packet capture result to a specified file.

For more information about how to use Wireshark, see Wireshark official documents.

Send packets to Alibaba Cloud for analysis

When exceptions occur, you can capture data packets and send them to Alibaba Cloud After-Sales Technical Support, who will help solve your problem. Packets must be captured on the source server and the target server at the same time so that the two captures can be compared. The procedure is as follows:

  1. Determine the network adapters that the source server and the target server use to perform data interaction.

  2. If the source server reaches the public network through NAT, access a website such as ip.taobao.com to obtain the public IP address that the local network is translated to.

  3. On the target server, use one of the tools described earlier in this article to capture packets on the target port of the target server's IP address. Alternatively, perform a complete capture and save the captured data.

  4. On the source server, use one of the tools described earlier in this article to capture packets on the source port and IP address. Alternatively, perform a complete capture and save the captured data.

  5. Attach the captured data to a ticket and submit the ticket in the system. Alibaba Cloud After-Sales Technical Support will then further troubleshoot the problem and reply to you through the ticket.

Note: If the captured data is larger than the attachment size limit of the ticket system (currently 2 MB), package and compress the file and upload it to third-party online storage, or upload it through the Object Storage Service (OSS) console and obtain its access URL (if you have purchased Alibaba Cloud OSS). Then contact Alibaba Cloud After-Sales Technical Support and report the access URL of the captured data.
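The following shell script is an added example, not part of the original article: it runs a bounded capture to a file on one side of the connection (the same command would be run on the other side with its own interface and peer address), then checks the result against the 2 MB ticket attachment limit stated above and compresses it when it does not fit. The interface name, peer address and port are placeholders; tcpdump needs root and is only invoked by capture_to_file, which the size-check helpers do not depend on.

```shell
#!/bin/sh
# Added example (not from the original article): bounded capture-to-file on
# one side of the connection, followed by the size check implied by the 2 MB
# ticket attachment limit. Interface, peer address and port are placeholders.

TICKET_LIMIT=$((2 * 1024 * 1024))   # 2 MB attachment limit stated in this article

# capture_to_file IFACE PEER PORT OUTFILE [COUNT]
# -c stops after COUNT packets so an unattended capture cannot grow without
# bound; -w stores raw pcap that Wireshark can open on either side.
# Requires root; not executed by the helpers below.
capture_to_file() {
    iface=$1; peer=$2; port=$3; out=$4; count=${5:-2000}
    tcpdump -n -s 0 -i "$iface" -c "$count" -w "$out" host "$peer" and port "$port"
}

# file_size FILE -> size in bytes (wc -c is POSIX; tr strips BSD padding)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# fits_ticket FILE -> returns 0 if FILE can be attached to the ticket directly
fits_ticket() {
    [ "$(file_size "$1")" -le "$TICKET_LIMIT" ]
}

# package_capture FILE -> prints the path to upload: FILE itself if it fits,
# otherwise FILE.gz (a compressed copy; the original is kept for local analysis)
package_capture() {
    f=$1
    if fits_ticket "$f"; then
        printf '%s\n' "$f"
    else
        gzip -c "$f" > "$f.gz"
        printf '%s\n' "$f.gz"
    fi
}

# Typical use on the target server (run as root; peer address reused from the
# sample output on this page):
#   capture_to_file eth0 42.120.74.107 22 target-side.cap
#   package_capture target-side.cap
```

Repeat the same two steps on the source server with its interface name and the target's address, start both captures before reproducing the exception, and attach (or upload) the two files together so that support can compare the same packets as seen from each end.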