Sometime we need capture raw data for analysis purpose.
If we have manageable switch, we can make port mirror and connect that port with wireshark installed PC.
The other way is capture traffic in localhost with tcpdump.
The clue is make tcpdump data file that compatible with wireshark format.
The basic :
tcpdump -i eth0 -v -w wiresharhfile.cap -xX -s 0
That command will make file wiresharhfile.cap.
You can put “host” for capture data from specific computer
tcpdump -i eth0 host 192.168.6.100 -v -w wiresharhfile.cap -xX -s 0 tcpdump -i eth0 'host 192.168.6.100 or host 192.168.6.70' -v -w wiresharhfile.cap -xX -s 0 tcpdump -i eth1 -v -w `date '+%Y%m%d_%H%M%S'`_wiresharhfile.cap -xX -s 0