TCP Tracing – Part 2 – Keep PCAP Sizes Reasonable

I’ve been doing a fair amount of tracing on the TCP/IP layer recently, and especially at higher speeds over links that carry hundreds or thousands of megabits per second, pcap dump files get rather large. Fortunately, both Wireshark and tcpdump offer an option to truncate each packet after a configurable number of bytes (the snapshot length). That’s perfect for throughput tracing, as I’m only interested in what is happening on the TCP layer and not in the content of the packets. So here is the command I usually use to dump a large data transfer on an interface for later analysis:

sudo tcpdump -i INTERFACE -s 100 host xxx.xxx.xxx.xxx -w "FILENAME.pcap"

The important part is the “-s 100” parameter, which sets the snapshot length: tcpdump stores only the first 100 bytes of each packet, while the pcap record header still carries the original length, so throughput can still be computed from the trace. 100 bytes covers an Ethernet header (14 bytes), an IPv4 header without options (20 bytes) and a TCP header with the full 40 bytes of options (60 bytes), with a little room left for a VLAN tag; for IPv6 (40-byte header) or tunnelled traffic, raise the value accordingly, otherwise the TCP options (SACK, timestamps) get cut off. Since the payload of a full-size 1500-byte frame is dropped, the trace file shrinks more than tenfold, from hundreds of megabytes to just a few megabytes. The equivalent in Wireshark is the ‘Limit each packet to’ capture option, or “-s 100” on tshark and dumpcap.
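To show what a 100-byte snapshot still contains, here is an added Python example that is not part of the original post: it builds a small pcap in memory from constructed Ethernet/IPv4/TCP frames truncated to the snaplen (the same thing tcpdump -s does), parses the TCP headers back out of the truncated bytes, and computes throughput from the records’ original lengths together with a crude retransmission heuristic. The frames, addresses and timestamps are made up, and the helper names are this example’s own.

```python
"""Added example: what a snaplen-truncated pcap still tells you about TCP.

Builds a tiny pcap in memory from constructed Ethernet/IPv4/TCP frames cut
to a snapshot length, parses the TCP headers back out of the truncated bytes
and computes wire throughput from the pcap record's orig_len field.
All frames, addresses and timestamps below are constructed test data.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_LEN, IPV4_MIN, TCP_MIN = 14, 20, 20


def min_snaplen(ipv6=False, vlan=False, tcp_options=40):
    """Smallest snaplen that keeps the whole header stack (no tunnels assumed)."""
    return ETH_LEN + (4 if vlan else 0) + (40 if ipv6 else IPV4_MIN) + TCP_MIN + tcp_options


def build_frame(src, dst, sport, dport, seq, ack, flags, window, payload, options=b""):
    """Ethernet/IPv4/TCP frame for test data; checksums are left at zero."""
    assert len(options) <= 40 and len(options) % 4 == 0
    tcp_hdr_len = TCP_MIN + len(options)
    tcp = struct.pack(">HHIIBBHHH", sport, dport, seq, ack,
                      (tcp_hdr_len // 4) << 4, flags, window, 0, 0) + options
    ip_total = IPV4_MIN + len(tcp) + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(snaplen, packets):
    """packets: (ts_sec, ts_usec, frame). Like tcpdump -s, keep only snaplen bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        kept = frame[:snaplen]
        # incl_len is what was stored, orig_len is what was on the wire
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(kept), len(frame)) + kept)
    return b"".join(out)


def parse_tcp(frame):
    """TCP header fields from a possibly truncated Ethernet frame, or None if not IPv4/TCP."""
    if len(frame) < ETH_LEN + IPV4_MIN or struct.unpack_from(">H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ip_total = struct.unpack_from(">H", frame, ETH_LEN + 2)[0]
    if frame[ETH_LEN + 9] != 6:
        return None
    tcp_off = ETH_LEN + ihl
    if len(frame) < tcp_off + TCP_MIN:
        return None   # snaplen too small even for the fixed 20-byte TCP header
    sport, dport, seq, ack, doff, flags, window = struct.unpack_from(">HHIIBBH", frame, tcp_off)
    hdr_len = (doff >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "payload_len": ip_total - ihl - hdr_len,
            # False means the snaplen cut into the TCP options (SACK, timestamps, ...)
            "options_complete": len(frame) >= tcp_off + hdr_len}


def parse_pcap(data):
    """One dict per record: timestamp, captured and wire lengths, parsed TCP header."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        records.append({"ts": ts_sec + ts_usec / 1e6, "caplen": incl_len,
                        "wirelen": orig_len, "tcp": parse_tcp(frame)})
    return records


def summarize(records):
    """Throughput from wire lengths plus a crude retransmission count, from truncated data."""
    wire = sum(r["wirelen"] for r in records)
    captured = sum(r["caplen"] for r in records)
    duration = records[-1]["ts"] - records[0]["ts"] if len(records) > 1 else 0.0
    highest, retrans = {}, 0
    for r in records:
        t = r["tcp"]
        if not t or t["payload_len"] <= 0:
            continue
        flow = (t["sport"], t["dport"])
        if t["seq"] < highest.get(flow, 0):
            retrans += 1          # data below the highest seq seen: retransmit or reordering
        else:
            highest[flow] = t["seq"] + t["payload_len"]
    return {"packets": len(records), "wire_bytes": wire, "captured_bytes": captured,
            "mbps": wire * 8 / duration / 1e6 if duration else 0.0, "retransmissions": retrans}


# Constructed sample: 1460-byte payload per segment, 12 bytes of TCP options
# (NOP, NOP, timestamp) and one retransmission of the first segment.
TS_OPT = b"\x01\x01" + struct.pack(">BBII", 8, 10, 12345, 0)
SAMPLE_FRAMES = [(0, us, build_frame("10.0.0.2", "10.0.0.1", 40000, 5201, seq, 1, 0x18,
                                     65535, b"\x00" * 1460, TS_OPT))
                 for us, seq in ((0, 1), (1000, 1461), (2000, 1), (3000, 2921))]
SAMPLE_PCAP = build_pcap(100, SAMPLE_FRAMES)

if __name__ == "__main__":
    print(summarize(parse_pcap(SAMPLE_PCAP)))
    print("min snaplen, IPv4:", min_snaplen(), " IPv6:", min_snaplen(ipv6=True))
```

With the 100-byte snaplen every record keeps its complete TCP header including the options, the summary still reports the full 1526 bytes per frame on the wire, and the repeated sequence number is visible even though not a single payload byte was stored. Rebuilding the same frames with a snaplen of 60 shows the failure mode from the text: the fixed TCP header parses, but `options_complete` turns False because the snapshot cut into the options.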

For generating traffic, I use iperf3 with standard settings:

# Downlink
iperf3 -c xxx.xxx.xxx.xxx -p xxxx -t 60 -R

# Uplink
iperf3 -c xxx.xxx.xxx.xxx -p xxxx -t 60

The IP address of the iperf3 server is given with the -c parameter, -p is only needed if the server listens on a port other than the default 5201, and -t specifies the duration in seconds during which traffic is generated. And finally, -R selects ‘reverse’ mode, i.e. the server sends data to the client (the downlink case above). When it is omitted, the client sends data as fast as it can to the server (uplink).

So here we go, happy tracing!