4. Capturing Traffic for Offline Analysis
If Wireshark isn’t available on the host that you want to analyze, you can capture traffic from the console/terminal. Then you can use Wireshark to display/analyze the captured traffic offline (instead of as live traffic).
4.2. Using tcpdump or Tshark
To capture traffic from the console/terminal, use tcpdump or Tshark.
To learn about these tools, enter tcpdump --help or tshark --help.
Note
On some hosts, you may need administrator permissions to capture traffic. If you need them and are not running as sudo/admin, you will not see any interfaces available for capture. Just close Wireshark and rerun it as sudo/admin.
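As an added example (not part of the RTI documentation), the shell functions below build a tcpdump capture filter for one DDS domain and write the traffic to a pcap file for offline analysis in Wireshark. They assume the default RTPS well-known port mapping (port base 7400, domain ID gain 250); the function names are hypothetical, and applications that override those ports need a different range.

```shell
#!/bin/sh
# Added example, not RTI code. Function names are hypothetical.
# Assumption: default RTPS well-known ports (port base 7400, domain gain 250).
PB=7400
DG=250

# Print "first-last": the UDP port block that one DDS domain ID maps to.
rtps_port_range() {
    case "$1" in
        ''|*[!0-9]*)
            echo "domain ID must be a non-negative integer" >&2
            return 1 ;;
    esac
    if [ "$1" -gt 232 ]; then
        # 7400 + 250 * 233 is already past the last UDP port (65535).
        echo "domain ID $1 does not fit in the UDP port space" >&2
        return 1
    fi
    first=$((PB + DG * $1))
    last=$((first + DG - 1))
    # Domain 232 starts at 65400, so its block is cut off at 65535.
    [ "$last" -le 65535 ] || last=65535
    echo "${first}-${last}"
}

# Print the capture filter for a domain. Non-first IP fragments carry no
# UDP header, so a port match alone would drop the tail of large messages.
rtps_capture_filter() {
    range=$(rtps_port_range "$1") || return 1
    echo "udp portrange ${range} or (ip[6:2] & 0x1fff != 0)"
}

# capture_rtps IFACE DOMAIN_ID OUTFILE
# Needs capture permissions (see the Note above). Stop with Ctrl-C.
capture_rtps() {
    filter=$(rtps_capture_filter "$2") || return 1
    # -n: no name lookups, -s 0: keep full packets, -w: write a pcap file
    tcpdump -i "$1" -n -s 0 -w "$3" "$filter"
}

# Tshark takes the same filter: tshark -i IFACE -f "$filter" -w OUTFILE
```

For example, capture_rtps eth0 0 rtps.pcap (eth0 being a sample interface name) records domain 0 until interrupted, and the resulting file opens directly in Wireshark.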
4.3. Using Connext Network Capture
Connext features a built-in network capture tool, enabling you to record RTPS traffic directly from your DDS application without running external tools like Wireshark or tcpdump. When enabled, each DomainParticipant generates a pcap-based capture file that can be opened in Wireshark for analysis.
Network capture offers several advantages over traditional packet capture tools:
It can capture traffic on transports that are not visible to OS-level capture tools, such as shared memory.
It can include additional metadata, such as security-related information that is not present in a raw network capture.
It can exclude user data payload from the capture to reduce file size when only protocol-level analysis is needed.
However, network capture only records traffic exchanged by the DomainParticipants in your application. It does not capture other network traffic on the system’s interfaces. For full network-level capture, use Wireshark, Tshark, or tcpdump.
For complete documentation on enabling, configuring, and using the Connext network capture feature, including the API reference and shared memory capture considerations, see the Network Capture chapter in the RTI Connext Core Libraries User’s Manual.