Remote monitoring

From Klaus' wiki

Revision as of 15:10, 4 February 2018

Sometimes it can be difficult to determine why a network application doesn't work as expected. Wireshark and Tcpdump are two utilities that can help you monitor the packets going back and forth between two computers.

Wireshark is a graphical front end that sits on top of tcpdump, which is the workhorse that taps the packets directly from the Ethernet interface. See more over at [1]

Wireshark can read dumps made by tcpdump, so on your development board you can set up tcpdump (see man tcpdump) to write the captured packets to a file.

If you move that output file to your development host, Wireshark can open it and present the packets in a nice graphical way.

If you have a network connection to your development board you can watch the traffic live by issuing a command like this:

$] ssh root@target_IP_address -p 22 tcpdump -U -s0 'not port 22' -i enp6s0 -w - | wireshark-qt -k -i -

What this command does is open an SSH connection to the target at target_IP_address. Normally ssh listens on port 22, but you may have configured it to listen on another port, which is why the port is given explicitly (ssh root@target_IP_address -p 22).

Over at the target we execute tcpdump with a number of command-line arguments, two of which are of interest here (tcpdump -U -s0 'not port 22' -i enp6s0 -w -). The first is the port number the SSH connection is made on (typically port 22): we don't want that traffic cluttering up our dump, and since the capture itself travels over that SSH session, every captured packet would otherwise generate more SSH packets, which would be captured in turn. The second point of interest is the Ethernet adapter, here enp6s0, but it could also be eth0 or similar.

Use

ip a

to determine the name of the interface to listen to on the development board.

The final dash (-) after -w tells tcpdump to write the capture to standard output, which the pipe (|) feeds to Wireshark, and -i - tells Wireshark to read the capture from standard input. The -U option makes tcpdump flush each packet as it is captured rather than buffering, so the live view does not lag. The -k option tells Wireshark to start capturing immediately. The graphical version of Wireshark is shipped on some systems as either wireshark-gtk or wireshark-qt, for GTK-based desktops (like GNOME) or Qt-based desktops (like KDE) respectively.
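The procedure above, wrapped in a small script as an added example (this is not code from the original wiki page). It keeps the SSH port and the capture interface as parameters, asks the target which interface is actually up instead of guessing eth0 or enp6s0, and uses tee so the live view in Wireshark and a pcap file for later analysis come from the same capture. The names TARGET, SSH_PORT, IFACE, OUTFILE and the constructed ip -o link show sample are assumptions for the example, as is the root login on the target.

```shell
#!/bin/sh
# Added example, not code from the original wiki page.
# Wraps the ssh + tcpdump + Wireshark pipeline in functions so the SSH port and
# capture interface are parameters instead of values typed into one long command.
# Assumptions: $TARGET is reachable over SSH as root, sshd listens on $SSH_PORT,
# the target has tcpdump and iproute2, and the host has wireshark-qt (or wireshark)
# on PATH. None of these names come from the wiki page.

# Build the tcpdump command line that runs on the target.
# The capture filter excludes the SSH port for a reason beyond clutter: the
# capture itself travels over that SSH session, so without the filter each
# captured packet would generate more SSH packets, which would be captured in turn.
build_remote_cmd() {
    iface=$1
    ssh_port=$2
    printf "tcpdump -U -s0 'not port %s' -i %s -w -" "$ssh_port" "$iface"
}

# Pick the first interface that is up and is not the loopback, from the
# one-line-per-interface output of "ip -o link show" (the remote equivalent of
# "ip a"). Prints nothing if no interface qualifies.
pick_interface() {
    printf '%s\n' "$1" | awk -F': ' '$2 != "lo" && $0 ~ / state UP / { print $2; exit }'
}

# Constructed sample of "ip -o link show" output, used for a local dry run.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff'

# Stream the capture into Wireshark and keep a copy on disk via tee, so the same
# trace can be reopened offline later (Wireshark reads tcpdump's pcap files).
remote_capture() {
    target=$1
    ssh_port=$2
    iface=$3
    outfile=$4
    ssh -p "$ssh_port" "root@$target" "$(build_remote_cmd "$iface" "$ssh_port")" \
        | tee "$outfile" \
        | "${WIRESHARK:-wireshark-qt}" -k -i -
}

# Usage: sh remote_capture.sh TARGET [SSH_PORT] [IFACE] [OUTFILE]
# With no arguments nothing is run, so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
    TARGET=$1
    SSH_PORT=${2:-22}
    IFACE=${3:-}
    OUTFILE=${4:-capture.pcap}
    if [ -z "$IFACE" ]; then
        # Ask the target which interface is up instead of guessing eth0/enp6s0.
        IFACE=$(pick_interface "$(ssh -p "$SSH_PORT" "root@$TARGET" ip -o link show)")
    fi
    if [ -z "$IFACE" ]; then
        echo "no interface in state UP found on $TARGET" >&2
        exit 1
    fi
    remote_capture "$TARGET" "$SSH_PORT" "$IFACE" "$OUTFILE"
fi
```

Passing the interface explicitly as the third argument skips the extra SSH round trip; leaving it empty lets the script parse the target's ip -o link show output. Set WIRESHARK=wireshark on systems where the binary is not installed under the wireshark-qt name.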