Linux

Analyzing network traffic with tcpdump

Capturing network packets with tcpdump

Network sniffers such as tcpdump and Wireshark allow users to capture network traffic for diagnosing network problems. While Wireshark has a graphical user interface, tcpdump captures network traffic in a shell-only (CLI) environment.

  • List all available interfaces to capture traffic on. You have to log in as root or use sudo.

# tcpdump -D
1.eth0
2.br0
3.vnet0
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.vnet1
7.any (Pseudo-device that captures on all interfaces)
8.lo

Now let us capture all HTTP traffic on the eth0 network interface:

# tcpdump -i eth0 -nn -l -s 2000 'port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes
02:15:57.871498 IP 162.247.79.245.80 > 73.55.12.65.63884: Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0
02:15:57.949342 IP 73.55.12.65.63884 > 162.247.79.245.80: Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0
02:16:00.532037 IP 177.103.93.18.40387 > 173.230.254.185.80: Flags [S], seq 3960085940, win 14600, length 0
02:16:00.532089 IP 173.230.254.185.80 > 177.103.93.18.40387: Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0

This will capture everything on port 80 on the eth0 network interface.

-nn : print everything numerically: do not resolve host names, and do not convert port or protocol numbers to names

-l  : make stdout line buffered (useful if you want to see the data while capturing it to a file with the -w option)

-s snap_len : maximum number of bytes to capture per packet (the snapshot length)

-i interface : interface to capture on

filter : keywords and logical operators (e.g. 'host gateway and port 443')
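As an added example (not part of the original post), a small Python parser for the numeric -nn output format shown above, run over the four capture lines from the page. It groups packets by flow and counts bare SYNs (no ACK) per source, a quick way to spot connection attempts that never completed in a capture.

```python
import re
from collections import Counter

# One line of `tcpdump -nn` TCP output (IPv4, no name resolution), e.g.
# "02:16:00.532037 IP 177.103.93.18.40387 > 173.230.254.185.80: Flags [S], ... length 0"
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)$'
)

# Sample input: the four lines printed by the capture command above.
SAMPLE = """\
02:15:57.871498 IP 162.247.79.245.80 > 73.55.12.65.63884: Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0
02:15:57.949342 IP 73.55.12.65.63884 > 162.247.79.245.80: Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0
02:16:00.532037 IP 177.103.93.18.40387 > 173.230.254.185.80: Flags [S], seq 3960085940, win 14600, length 0
02:16:00.532089 IP 173.230.254.185.80 > 177.103.93.18.40387: Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"], "length": int(d["length"]),
    }


def summarize(lines):
    """Count packets per directional flow and bare SYNs (flags == 'S') per source IP."""
    flows, syn_only = Counter(), Counter()
    for line in lines:
        p = parse_line(line)
        if p is None:          # skip tcpdump banner lines and non-TCP output
            continue
        flows[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
        if p["flags"] == "S":  # SYN without ACK: a new connection attempt
            syn_only[p["src"]] += 1
    return flows, syn_only


if __name__ == "__main__":
    flows, syn_only = summarize(SAMPLE)
    for (src, sport, dst, dport), n in flows.items():
        print(f"{src}:{sport} -> {dst}:{dport}  packets={n}")
    print("bare SYNs per source:", dict(syn_only))
```

Pipe a live capture in with `tcpdump -i eth0 -nn -l 'port 80' | python3 script.py` once the `SAMPLE` list is replaced by `sys.stdin`; the -l option above is what keeps the lines flowing while the capture runs.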

Published by
daniel
Tags: tcpdump
