- Always specify a packet limit count in the event one forgets to cancel the dump. Useful if left running in a screen or tmux or ilo / drac console session. And of course set a TMOUT variable in bash to avoid staying logged in.
tcpdump -c 60000
- When saving to a capture file always use tmpfs when possible as writing to a slower medium may increase the amount of packets that are discarded by libpcap. Even if one has fast SSDs or NVMe this can avoid unnecessary writes. Compress what one actually wishes to keep in the tmpfs RAM disk before writing to storage.
- Always use -p to avoid putting the interface into promiscuous mode thus avoiding syslog messages that may draw attention from the wrong groups unless one knows they need the interface in that mode.
- In the event that the network is a bottleneck (it usually is not; it's usually CPU) increase the default buffer size:
tcpdump -B65536 *(and other options)*
- If using name resolution have a local instance of a DNS recursive daemon that will cache PTR records for a longer-than-usual time to avoid abusing your network DNS or upstream DNS provider. Unbound is a great resolver for overriding the minimum TTL on PTR records. Otherwise always disable DNS resolution:
tcpdump -NNnn *(and other options)*
- If getting a lot of checksum errors because the interface is changing or messing with checksums or just does not support it, disable checking them and reduce CPU load a tiny bit.
Bender•47m ago
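A small shell helper that composes a capture command applying the tips in the post above (an added example, not the commenter's own code). The interface, output directory, packet limit and the tmpfs check via GNU `stat` are assumptions; the helper only builds the command line, it does not run tcpdump.

```shell
#!/bin/sh
# Added example (not from the original post): build a tcpdump invocation that
# applies the post's advice: a packet cap (-c), no promiscuous mode (-p),
# a larger capture buffer (-B, in KiB), no name resolution (-nn), no checksum
# verification (-K) and a capture file on a tmpfs mount.
# Assumption: GNU coreutils stat is available for the filesystem type check.

# Print the filesystem type name of a directory ("tmpfs" for a RAM disk).
fs_type_of() {
    stat -f -c %T "$1" 2>/dev/null
}

# Print the full tcpdump command line on stdout.
# $1 interface, $2 capture directory, $3 packet limit (default 60000),
# $4 policy: "strict" (default) refuses non-tmpfs dirs, "allow-slow" overrides.
build_capture_cmd() {
    iface="$1"; outdir="$2"; limit="${3:-60000}"; policy="${4:-strict}"
    case "$limit" in
        ''|*[!0-9]*) echo "packet limit must be a positive integer" >&2; return 2 ;;
    esac
    if [ "$(fs_type_of "$outdir")" != "tmpfs" ] && [ "$policy" != "allow-slow" ]; then
        echo "refusing: $outdir is not tmpfs; pass allow-slow to override" >&2
        return 1
    fi
    printf 'tcpdump -i %s -p -c %s -B 65536 -nn -K -w %s/capture.pcap\n' \
        "$iface" "$limit" "$outdir"
}
```

Running the printed command is left to the caller, so it can be reviewed first; pairing it with an exported `TMOUT` in the shell covers the "forgot to log out" case the post mentions.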