Analyzing network traffic with tcpdump

Capturing network packets with tcpdump

Network sniffers such as tcpdump and wireshark, allow users to capture network traffic for diagnosing network problems. While wireshark has a graphical user interface, tcpdump captures network traffic in a shell-only (cli) environment.

• List all available interfaces to capture traffic on, you have to login as root or use sudo.

# tcpdump -D
1.eth0
2.br0
3.vnet0
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.vnet1
7.any (Pseudo-device that captures on all interfaces)
8.lo


Now let us capture all http traffic on eth0 network interface –

# tcpdump -i eth0 -nn -l -s 2000 'port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 2000 bytes
02:15:57.871498 IP 162.247.79.245.80 > 73.55.12.65.63884: Flags [F.], seq 3701842975, ack 1261962147, win 252, options [nop,nop,TS val 270944636 ecr 656908334], length 0
02:15:57.949342 IP 73.55.12.65.63884 > 162.247.79.245.80: Flags [.], ack 1, win 670, options [nop,nop,TS val 656923386 ecr 270944636], length 0
02:16:00.532037 IP 177.103.93.18.40387 > 173.230.254.185.80: Flags [S], seq 3960085940, win 14600, length 0
02:16:00.532089 IP 173.230.254.185.80 > 177.103.93.18.40387: Flags [S.], seq 1125577269, ack 3960085941, win 29200, options [mss 1460], length 0

This will capture everything on port 80 on the eth0 net interface.
-nn : everything (including ports and protocols)
-l  : Make stdout line buffered.  (useful if you want to see the data while capturing it to a file with -w option)
-s snap_len : maximum number of bytes per packet to output
-i interface : interface to capture
filter : keyworks and logical operators ( eg. ‘host gateway and port 443’)