How can I log all traffic with its exact length?
- by Legate
I want to process all packets with their size going through our gateway server (running Debian 4.0).
My idea is to use tcpdump, but I have two questions.
The command I'm currently thinking of is tcpdump -i iface -n -t -q.
Is it guaranteed that tcpdump will process all packets? What happens if the CPU is working to full capacity?
The format of the output lines is IP ddd.ddd.ddd.ddd.port > ddd.ddd.ddd.ddd.port: tcp 1260. What exactly is 1260? I have the suspicion that it is the payload in bytes of the packet, which would be exactly what I need, but I'm not sure. It might be the TCP Window Size.
Or perhaps there is an even better way of doing this? I thought about a LOG rule in iptables, but tcpdump seems easier and I don't know whether iptables can log the packet lengths.
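As an added example (not part of the post above, and not tcpdump's own code): a small Python parser for the one-line-per-packet output of tcpdump -n -t -q, which sums bytes and packets per flow and also reads the statistics tcpdump prints when it exits. Two details the parser relies on: in quiet mode the number after "tcp" is the TCP payload length in bytes (the segment data, excluding IP and TCP headers; the total IP length is printed as "length N" only with -v), and tcpdump does not guarantee to process every packet under load, but it does report what it missed in the "packets dropped by kernel" line, so any byte accounting built on its output should treat a non-zero drop count as incomplete data. The sample output embedded below is constructed with documentation addresses, not a capture from the gateway in the question.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of "tcpdump -n -t -q" output followed by the statistics
# tcpdump prints to stderr at exit. Addresses are made up (RFC 5737 ranges),
# not data from the gateway in the question.
SAMPLE_OUTPUT = """\
IP 192.0.2.10.51234 > 198.51.100.5.443: tcp 0
IP 198.51.100.5.443 > 192.0.2.10.51234: tcp 1260
IP 198.51.100.5.443 > 192.0.2.10.51234: tcp 1260
IP 192.0.2.10.51234 > 198.51.100.5.443: tcp 0
IP 192.0.2.10.40000 > 192.0.2.1.53: UDP, length 33
IP 192.0.2.1.53 > 192.0.2.10.40000: UDP, length 97
6 packets captured
9 packets received by filter
3 packets dropped by kernel
"""

# Quiet-mode packet lines: "IP src.port > dst.port: tcp N" where N is the TCP
# payload length, or "IP src.port > dst.port: UDP, length N".
PACKET_RE = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:(?P<tcp>tcp) (?P<tcp_len>\d+)|(?P<udp>UDP), length (?P<udp_len>\d+))"
)
# Exit statistics line that tells us whether the capture is complete.
DROPPED_RE = re.compile(r"^(\d+) packets dropped by kernel")


def summarize(lines):
    """Aggregate tcpdump -q lines into per-flow byte/packet counters.

    Returns a dict with the per-direction flows, grand totals, the kernel
    drop count and the number of lines the parser did not understand.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    dropped = 0
    unparsed = 0
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = PACKET_RE.match(line)
        if m:
            proto = "tcp" if m.group("tcp") else "udp"
            length = int(m.group("tcp_len") or m.group("udp_len"))
            key = (m.group("src"), m.group("dst"), proto)
            flows[key]["packets"] += 1
            flows[key]["bytes"] += length
            continue
        d = DROPPED_RE.match(line)
        if d:
            dropped = int(d.group(1))
            continue
        if "packets captured" in line or "received by filter" in line:
            continue
        unparsed += 1  # anything else is noise we should know about
    return {
        "flows": dict(flows),
        "total_bytes": sum(f["bytes"] for f in flows.values()),
        "total_packets": sum(f["packets"] for f in flows.values()),
        "dropped": dropped,
        "unparsed": unparsed,
    }


def report(summary):
    """Render the summary; flag incomplete captures instead of hiding them."""
    out = []
    for (src, dst, proto), c in sorted(summary["flows"].items()):
        out.append(f"{proto:3s} {src} > {dst}: {c['packets']} pkts, {c['bytes']} bytes")
    out.append(f"total: {summary['total_packets']} pkts, {summary['total_bytes']} bytes")
    if summary["dropped"]:
        out.append(f"WARNING: kernel dropped {summary['dropped']} packets; "
                   "byte totals are a lower bound")
    if summary["unparsed"]:
        out.append(f"WARNING: {summary['unparsed']} unrecognised lines")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage on the gateway (statistics go to stderr, hence 2>&1):
    #   tcpdump -i iface -n -t -q 2>&1 | python3 sumflows.py
    # With no piped input, the constructed sample is summarised instead.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines(True)
    print(report(summarize(src)))
```

The per-flow key is per direction (src, dst, protocol), so request and response bytes of one connection show up as two rows; merging them is a one-line change to the key if per-connection totals are wanted.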