How to capture packages via both eth0 and lo at the same time?

Question

There are two net interfaces on my pc.

netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0     27186      0      0 0         20784      0      0      0 BMRU
lo        65536 0     42025      0      0 0         42025      0      0      0 LRU

Packages via lo can captured by.

sudo tcpdump  -i lo 

Packages via eth0 can captured by.

sudo tcpdump  -i eth0 

How to capture packages via both eth0 and lo at the same time?
sudo tcpdump -i eth0 -i lo can not work.
sudo tcpdump -i eth0 -i lo = sudo tcpdump -i eth0=sudo tcpdump

Answer 1

Assuming your kernel supports it, you can run tcpdump -i any, but that will capture on all interfaces, and not just on the lo and eth0 interfaces. Also, according to the tcpdump man page, "... captures on the ''any'' device will not be done in promiscuous mode.", so if you need to place the NIC in promiscuous mode in order to capture your traffic of interest, this solution may not work for you. In that case, you could:

• Start 2 separate instances of tcpdump, one capturing on lo and the other capturing on eth0. If you write the packets to separate files, you can use a tool such as mergecap to merge them together afterward.
• Use dumpcap or tshark instead, either of which can capture on multiple interfaces.