Difference between revisions of "Tcpdump"
From Linuxintro
Line 1: | Line 1: | ||
− | tcpdump is a [[command]] that allows you to monitor your network traffic. Let's [[set up a web server]] that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost: | + | tcpdump is a [[command]] that allows you to monitor your network traffic by ports and devices. |
+ | |||
+ | = QuickStart = | ||
+ | Let's [[set up a web server]] that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost: | ||
# tcpdump -Ai lo port 80 | # tcpdump -Ai lo port 80 | ||
Once we start requesting an html page, tcpdump gets active: | Once we start requesting an html page, tcpdump gets active: |
Revision as of 21:25, 18 November 2015
tcpdump is a command that allows you to monitor your network traffic by ports and devices.
Contents
QuickStart
Let's set up a web server that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost:
# tcpdump -Ai lo port 80
Once we start requesting an html page, tcpdump gets active:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes 21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0 `....(.@...................................Po..E.........0......... ............ 21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0 `....(.@.................................P... .go..F.....0......... ............ 21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 `.... .@...................................Po..F. .h...V.(..... ........ 21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116 `......@...................................Po..F. .h...V....... ........GET /index.htm HTTP/1.1 User-Agent: Wget/1.16 (linux-gnu) Accept: */* Host: localhost Connection: Keep-Alive 21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 `.... .@.................................P... .ho......V.(..... ........ 21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272 `....0.@.................................P... .ho......V.8..... ........HTTP/1.1 200 OK Date: Wed, 18 Nov 2015 20:46:20 GMT Server: Apache Last-Modified: Fri, 30 Jan 2015 06:33:25 GMT ETag: "6-50dd8c82254d0" Accept-Ranges: bytes Content-Length: 6 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html hallo 21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0 `.... .@...................................Po.... .x...^.(..... ........ 21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0 `.... .@...................................Po.... .x...^.(..... ........ 21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0 `.... .@.................................P... .xo......V.(..... ........ 21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0 `.... .@...................................Po.... .y...^.(..... ........ ^C 10 packets captured 20 packets received by filter 0 packets dropped by kernel
Examples
dhcp
You can watch out for dhcp communication on your network using:
tcpdump -i eth1 port 67 and port 68
SNMP
You can display incoming snmp traps using:
tcpdump -A port 162 -l | hexdump -C