Analyzing network traffic with tcpdump

Capturing network packets with tcpdump

Network sniffers such as tcpdump and wireshark, allow users to capture network traffic for diagnosing network problems. While wireshark has a graphical user interface, tcpdump captures network traffic in a shell-only (cli) environment.

  • List all available interfaces to capture traffic on, you have to login as root or use sudo.

# tcpdump -D
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
7.any (Pseudo-device that captures on all interfaces)

Now let us capture all http traffic on eth0 network interface –

# tcpdump -i eth0 -nn -l -s 2000 'port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes
02:15:57.871498 IP > Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0
02:15:57.949342 IP > Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0
02:16:00.532037 IP > Flags [S], seq 3960085940, win 14600, length 0
02:16:00.532089 IP > Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0

This will capture everything on port 80 on the eth0 net interface.

-nn : everything (including ports and protocols)

-l  : Make stdout line buffered.  (useful if you want to see the data while capturing it to a file with -w option)

-s snap_len : maximum number of bytes per packet to output

-i interface : interface to capture

filter : keyworks and logical operators ( eg. ‘host gateway and port 443’)


Leave a Reply

Your email address will not be published. Required fields are marked *