I'm attempting to diagnose a network issue with tcpdump. I run the command
tcpdump -i eth0 -nS host nameless.host.io
When I issue either traceroute or ping commands to hit nameless.host.io I see information from tcpdump, but when I use curl to retrieve content from the host
curl http://nameless.host.io/mycontent/data
the curl command returns the content I expect but I see no output from tcpdump. The host is definitely "external" so it should go out on the wires.
Why would tcpdump be silent on a successful curl command?
The "-r" option lets you read the output of a file. All you have to do is use the "-r" option with tcpdump command and specify the path of the file you want to read.
With the help of tcpdump and WinDump, you can easily capture outbound TCP packets on Linux and Windows.
i can think of 3 different ways this can happen -
1: too many packets too fast, the packets-to-print-buffer runs full, and the kernel "drops" the packets curl sends before tcpdump has a chance to print them to you. solution would be to increase the buffer space, eg by using --buffer-size=102400 (this would dedicate about 100MB of ram to the buffer, i'm not sure what the default size is, but i think it's in the range of 1-4MB)
2: you have multiple network "interfaces", and you're listening in on the wrong one. i'm not sure how to ask curl which interface it uses, but you can explicitly tell curl to download via a specific interface, by doing curl --interface eth0 URL - and on Linux & Mac & BSD, you can get a list of available interfaces by doing sudo ifconfig (and i think the windows equivalent is in the control panel somewhere, but idk)
3: tcpdump's default user can't read the packets of the user curl is running as for some reason... turns out tcpdump by default drops into its own user called tcpdump when capturing, you could try to capture from the same user that curl runs as by using -Z curluser, or force tcpdump to capture as root by doing -Z root
Did you select the right interface? (ethX, wlanX, ...)
Try: tcpdump -s 0 -i [interface] host nameless.host.io and tcp port http
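Both interface suggestions above come down to knowing which interface the kernel actually routes the host's addresses through. The script below is an added example, not part of the original answers; it assumes Linux with iproute2 and glibc's getent, and the function names and sample route line are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the interface tcpdump listens on with the interface
# the kernel routes each of the host's addresses through (IPv4 and IPv6).

# Print the word following "dev" in `ip route get` output read from stdin.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Return 0 when the capture interface equals the routed interface.
check_capture_iface() {
    capture_if=$1
    routed_if=$2
    if [ "$capture_if" = "$routed_if" ]; then
        echo "ok: $capture_if carries this traffic"
        return 0
    fi
    echo "mismatch: capturing on $capture_if, traffic leaves via $routed_if"
    return 1
}

# Resolve every address of the host and check each one's outgoing interface.
live_check() {
    capture_if=$1
    rc=0
    for addr in $(getent ahosts "$2" | awk '{ print $1 }' | sort -u); do
        dev=$(ip route get "$addr" 2>/dev/null | route_dev)
        printf '%s: ' "$addr"
        check_capture_iface "$capture_if" "${dev:-unknown}" || rc=1
    done
    return "$rc"
}

# Constructed sample of `ip route get` output (documentation address, VPN-style route).
SAMPLE_ROUTE='203.0.113.10 via 10.8.0.1 dev tun0 src 10.8.0.6 uid 1000
    cache'

# Usage: sh check_iface.sh eth0 nameless.host.io
if [ "$#" -eq 2 ]; then
    live_check "$1" "$2"
fi
```

A mismatch on any address means the tcpdump -i argument should be changed to the interface reported for that address.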