Analyzing network traffic with tcpdump

Capturing network packets with tcpdump

Network sniffers such as tcpdump and Wireshark allow users to capture network traffic for diagnosing network problems. While Wireshark has a graphical user interface, tcpdump captures network traffic in a shell-only (CLI) environment.

  • List all available interfaces to capture traffic on. You have to log in as root or use sudo.

# tcpdump -D
1.eth0
2.br0
3.vnet0
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.vnet1
7.any (Pseudo-device that captures on all interfaces)
8.lo

Now let us capture all HTTP traffic on the eth0 network interface:

# tcpdump -i eth0 -nn -l -s 2000 'port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes
02:15:57.871498 IP 162.247.79.245.80 > 73.55.12.65.63884: Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0
02:15:57.949342 IP 73.55.12.65.63884 > 162.247.79.245.80: Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0
02:16:00.532037 IP 177.103.93.18.40387 > 173.230.254.185.80: Flags [S], seq 3960085940, win 14600, length 0
02:16:00.532089 IP 173.230.254.185.80 > 177.103.93.18.40387: Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0

This captures everything on port 80 on the eth0 network interface.

-nn : do not resolve names for anything: neither hostnames (-n) nor port and protocol names (the second n); addresses and ports are printed numerically

-l  : make stdout line buffered (useful if you want to see the data while capturing it to a file with the -w option)

-s snap_len : maximum number of bytes to capture from each packet (the snapshot length)

-i interface : interface to capture on

filter : keywords and logical operators (e.g. 'host gateway and port 443')
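Because -nn prints addresses and ports numerically, the output lines have a fixed shape that is easy to post-process. The following Python parser is an added example, not code from the original post: it reads such lines, groups TCP packets into client/server flows for a chosen port, and lists clients whose SYN was never answered with a SYN-ACK. The sample input is the four lines from the capture above plus one constructed unanswered SYN from 198.51.100.7.

```python
import re
from collections import defaultdict

# Sample input: the four lines from the capture above plus one constructed
# line (198.51.100.7) whose SYN gets no SYN-ACK, to exercise half_open().
SAMPLE = """\
02:15:57.871498 IP 162.247.79.245.80 > 73.55.12.65.63884: Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0
02:15:57.949342 IP 73.55.12.65.63884 > 162.247.79.245.80: Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0
02:16:00.532037 IP 177.103.93.18.40387 > 173.230.254.185.80: Flags [S], seq 3960085940, win 14600, length 0
02:16:00.532089 IP 173.230.254.185.80 > 177.103.93.18.40387: Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0
02:16:03.000001 IP 198.51.100.7.51000 > 173.230.254.185.80: Flags [S], seq 1, win 14600, length 0
"""

# One TCP line of `tcpdump -nn` output: timestamp, "IP", src.port > dst.port,
# the TCP flags in brackets, and the trailing payload length.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one TCP line, or None for lines that do
    not match (tcpdump's header lines, non-TCP packets)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def tcp_flows(lines, port):
    """Group packets by (client, server) for connections to `port`.
    Each entry is the list of flags seen, prefixed with '>' for
    client-to-server and '<' for server-to-client packets."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == port:
            key, direction = (rec["src"], rec["dst"]), ">"
        elif rec["sport"] == port:
            key, direction = (rec["dst"], rec["src"]), "<"
        else:
            continue
        flows[key].append(direction + rec["flags"])
    return dict(flows)


def half_open(flows):
    """Clients that sent a SYN ('>S') but never received a SYN-ACK ('<S.')."""
    return sorted(c for (c, _s), f in flows.items() if ">S" in f and "<S." not in f)
```

Feed it real output with `tcpdump -i eth0 -nn -l 'port 80' | python3 parse.py`-style piping (reading sys.stdin line by line) and half_open() points at connection attempts the server never completed.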
