Packet capture is a fundamental tool for developing, debugging, and testing networking.
fx sniff is a development host command that:
Wireshark.tcpdump is a packet capturer with rich capture filter support. fx sniff internally invokes tcpdump with predefined capture filters that are necessary for Fuchsia's developer workflow. For use cases where fx sniff is not viable (e.g. when you have serial console access but without dev host connected), use tcpdump directly.
Make sure to bundle tcpdump into your set of base packages.
$ fx set core.x64 --with-base //third_party/tcpdump $ fx build
[host] $ fx sniff wlan
By default, this command captures packets for 30 seconds. To configure the duration, add the --time {sec} or -t {sec} option.
If you don't know the network interface name, run fx sniff without options. The error message shows you what interfaces are available. Alternatively, run:
[host] $ fx shell net if list
[host] $ fx sniff --view hex eth
[host] $ fx sniff --file my_packets wlan
The captured packets are first stored in the target's /tmp/ directory. After the capture is complete, the files are moved to //out/my_packets.pcapng automatically.
NOTE: Linux only.
[host] $ fx sniff --view wireshark wlan
Packet capture runs for the specified duration (--time or -t option). If a user desires to stop early, presse one of the following keys:
c, q, C, Q
This will stop both a target side process and a host side process.
fx sniff requires working ssh connectivity from the host to the target, which means that networking must be working to some degree. In some cases, networking might not be working at all. If you have access to the serial console while networking, including ssh, is not working, you must run tcpdump directly on the target. tcpdump provides a richer set of features than fx sniff.
[target] $ tcpdump -i wlan --no-promiscuous-mode
[target] $ tcpdump -i wlan --no-promiscuous-mode -w -
[target] $ tcpdump -i wlan --no-promiscuous-mode -w /tmp/my_packets.pcapng
[host] $ cd ${FUCHSIA_OUT_DIR} && fx scp "[$(fx get-device-addr)]:/tmp/my_packets.pcapng"
tcpdump help[target] $ tcpdump --help
[target] $ tcpdump -i wlan --no-promiscuous-mode "arp or port dns,dhcp" "$iface_filepath"
tcpdump uses libpcap under the hood. See pcap-filter.
fx workflow packet signaturesThere are many different kinds of services running between the Fuchsia development host and the target. Those are usually invoked by fx commands. Most of times, you are not interested in those packets generated by the fx workflows. The following table lists noteworthy signatures.
| Use | Signature | Reference |
|---|---|---|
| Logger | port 33337 | DEBUGLOG_PORT |
| Logger | port 33338 | DEBUGLOG_ACK_PORT |
| Bootserver | port 33330 | NB_SERVER_PORT |
| Bootserver | port 33331 | NB_ADVERT_PORT |
| Bootserver | port 33332 | NB_CMD_PORT_START |
| Bootserver | port 33339 | NB_CMD_PORT_END |
| Bootserver | port 33340 | NB_TFTP_OUTGOING_PORT |
| Bootserver | port 33341 | NB_TFTP_INCOMING_PORT |
| Package Server | port 8083 | docs/packages.md |
| fx shell | port 22 | devshell/shell |
| target netsvc addr | fe80::xxxx:xxff:fexx:xxxx%XX | fx device-finder list --netboot |
| host link-local addr | fe80::xxxx:xxxx:xxxx:xxxx%XX | fx device-finder list --ipv4=false --local |
| target netstack addr | fe80::xxxx:xxxx:xxxx:xxxx%XX | fx get-device-addr |
| zxdb | port 2345 | devshell/contrib/debug |
| - | port 65026 | |
| - | port 65268 | |
| - | 1900 |
Q I get the error /boot/bin/sh: tcpdump not found
A The tcpdump package is not prepared. Make sure to bundle tcpdump in the image. See prepare the image.