Capturing network packets with tcpdump
Network sniffers such as tcpdump and wireshark, allow users to capture network traffic for diagnosing network problems. While wireshark has a graphical user interface, tcpdump captures network traffic in a shell-only (cli) environment.
- List all available interfaces to capture traffic on, you have to login as root or use sudo.
# tcpdump -D 1.eth0 2.br0 3.vnet0 4.nflog (Linux netfilter log (NFLOG) interface) 5.nfqueue (Linux netfilter queue (NFQUEUE) interface) 6.vnet1 7.any (Pseudo-device that captures on all interfaces) 8.lo
Now let us capture all http traffic on eth0 network interface –
# tcpdump -i eth0 -nn -l -s 2000 'port 80' tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes 02:15:57.871498 IP 18.104.22.168.80 > 22.214.171.124.63884: Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0 02:15:57.949342 IP 126.96.36.199.63884 > 188.8.131.52.80: Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0 02:16:00.532037 IP 184.108.40.206.40387 > 220.127.116.11.80: Flags [S], seq 3960085940, win 14600, length 0 02:16:00.532089 IP 18.104.22.168.80 > 22.214.171.124.40387: Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0
This will capture everything on port 80 on the eth0 net interface.
-nn : everything (including ports and protocols)
-l : Make stdout line buffered. (useful if you want to see the data while capturing it to a file with -w option)
-s snap_len : maximum number of bytes per packet to output
-i interface : interface to capture
filter : keyworks and logical operators ( eg. ‘host gateway and port 443’)