Analyzing network traffic with tcpdump
Capturing network packets with tcpdump
Network sniffers such as tcpdump and Wireshark allow users to capture network traffic for diagnosing network problems. While Wireshark has a graphical user interface, tcpdump captures network traffic in a shell-only (command-line) environment.
- List all available interfaces to capture traffic on. You have to log in as root or use sudo.
# tcpdump -D
1.eth0
2.br0
3.vnet0
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.vnet1
7.any (Pseudo-device that captures on all interfaces)
8.lo

Now let us capture all HTTP traffic on the eth0 network interface:

# tcpdump -i eth0 -nn -l -s 2000 'port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes
02:15:57.871498 IP 162.247.79.245.80 > 73.55.12.65.63884: Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0
02:15:57.949342 IP 73.55.12.65.63884 > 162.247.79.245.80: Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0
02:16:00.532037 IP 177.103.93.18.40387 > 173.230.254.185.80: Flags [S], seq 3960085940, win 14600, length 0
02:16:00.532089 IP 173.230.254.185.80 > 177.103.93.18.40387: Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0

This will capture everything on port 80 on the eth0 network interface.
-nn : do not resolve names; show everything numerically (including ports and protocols)
-l : make stdout line buffered (useful if you want to see the data while capturing it to a file with the -w option)
-s snap_len : maximum number of bytes per packet to capture
-i interface : interface to capture on
filter : keywords and logical operators (e.g. 'host gateway and port 443')
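As an added example (not part of the original page), the following Python script parses the `tcpdump -nn` text output shown above and checks it for TCP handshakes that were left half-open (a SYN answered by a SYN-ACK with no completing ACK in the capture); the sample lines are constructed from the capture above.

```python
import re

# Constructed sample of tcpdump -nn text output in the format shown above
SAMPLE = """\
02:15:57.871498 IP 162.247.79.245.80 > 73.55.12.65.63884: Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0
02:15:57.949342 IP 73.55.12.65.63884 > 162.247.79.245.80: Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0
02:16:00.532037 IP 177.103.93.18.40387 > 173.230.254.185.80: Flags [S], seq 3960085940, win 14600, length 0
02:16:00.532089 IP 173.230.254.185.80 > 177.103.93.18.40387: Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0
"""

# One tcpdump line: timestamp, "IP", src.port > dst.port:, Flags [..], ..., length N
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

def parse_capture(text):
    """Turn tcpdump -nn text lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["len"]),
            # tcpdump flag letters: S = SYN, "." = ACK, F = FIN, R = RST, P = PSH
            "syn": "S" in d["flags"], "ack": "." in d["flags"],
        })
    return records

def half_open_connections(records):
    """Return (client, server, port) for handshakes where a SYN drew a SYN-ACK
    but the client's completing ACK never appears in the capture."""
    state = {}  # (client, cport, server, sport) -> "syn" | "synack" | "done"
    for r in records:
        fwd = (r["src"], r["sport"], r["dst"], r["dport"])
        rev = (r["dst"], r["dport"], r["src"], r["sport"])
        if r["syn"] and not r["ack"]:
            state[fwd] = "syn"
        elif r["syn"] and r["ack"] and state.get(rev) == "syn":
            state[rev] = "synack"
        elif r["ack"] and not r["syn"] and state.get(fwd) == "synack":
            state[fwd] = "done"
    return [(c, s, p) for (c, _, s, p), st in state.items() if st == "synack"]

if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    print("half-open handshakes:", half_open_connections(recs))
```

To run it on a live capture, pipe `tcpdump -i eth0 -nn -l 'port 80'` into the script's stdin and pass `sys.stdin.read()` to `parse_capture`; the `-l` flag is what makes the lines arrive promptly through the pipe.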