Tcpdump

From Linuxintro

tcpdump is a command-line packet capture tool that lets you monitor your network traffic, filtered by port, host and network interface.

QuickStart

Let's set up a web server that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost (tcpdump needs root privileges to capture, hence the # prompt; -A prints each packet's payload as ASCII, -i lo selects the loopback interface and port 80 restricts the capture to HTTP):

# tcpdump -Ai lo port 80

Once we start requesting an html page, tcpdump gets active:

<source>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0
`....(.@...................................Po..E.........0......... ............
21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0
`....(.@.................................P... .go..F.....0......... ............
21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0
`.... .@...................................Po..F. .h...V.(..... ........
21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116
`......@...................................Po..F. .h...V....... ........GET /index.htm HTTP/1.1
User-Agent: Wget/1.16 (linux-gnu)
Accept: */*
Host: localhost
Connection: Keep-Alive

21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0
`.... .@.................................P... .ho......V.(..... ........
21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272
`....0.@.................................P... .ho......V.8..... ........HTTP/1.1 200 OK
Date: Wed, 18 Nov 2015 20:46:20 GMT
Server: Apache
Last-Modified: Fri, 30 Jan 2015 06:33:25 GMT
ETag: "6-50dd8c82254d0"
Accept-Ranges: bytes
Content-Length: 6
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

hallo

21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0
`.... .@...................................Po.... .x...^.(..... ........
21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0
`.... .@...................................Po.... .x...^.(..... ........
21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0
`.... .@.................................P... .xo......V.(..... ........
21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0
`.... .@...................................Po.... .y...^.(..... ........
^C
10 packets captured
20 packets received by filter
0 packets dropped by kernel
</source>

The lines starting with a backtick are the raw packet bytes that -A prints as ASCII; the readable parts are the HTTP request, the HTTP response headers and the body "hallo".
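To make sense of a capture like the one above without reading it by hand, here is an added Python example (not from the Linuxintro page) that parses tcpdump's default TCP summary lines and reconstructs the flow: whether the three-way handshake completed, how many payload bytes went in each direction, and which side sent a FIN. The sample input is copied from the capture above; the -A payload lines are skipped because they do not match the summary-line pattern.

```python
import re

# tcpdump's default one-line TCP summary (IPv4 "IP" or IPv6 "IP6", names or numbers).
LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*? length (?P<len>\d+)$"
)

# Sample lines constructed from the capture shown above (payload dump lines omitted).
SAMPLE = """\
21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0
21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0
21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0
21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116
21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0
21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272
21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0
21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0
21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0
21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0
"""

def summarize_flows(text):
    """Group TCP summary lines into flows keyed by (client, server) as seen in the
    SYN, tracking handshake state, payload bytes per direction and FINs."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # -A payload dumps, ^C and the packet counters are skipped
        src, dst, flags, n = m["src"], m["dst"], m["flags"], int(m["len"])
        if flags == "S":  # bare SYN: the client opens a new flow
            flows[(src, dst)] = {"synack": False, "ack": False,
                                 "to_server": 0, "to_client": 0, "fin": set()}
            continue
        key = (src, dst) if (src, dst) in flows else (dst, src)
        f = flows.get(key)
        if f is None:
            continue  # mid-stream packet whose SYN we never saw
        toward_server = key == (src, dst)
        if flags == "S." and not toward_server:
            f["synack"] = True  # server's SYN-ACK
        elif "." in flags and f["synack"] and not f["ack"] and toward_server:
            f["ack"] = True  # client's final ACK: handshake complete
        f["to_server" if toward_server else "to_client"] += n
        if "F" in flags:
            f["fin"].add("client" if toward_server else "server")
    return flows
```

Feed it `tcpdump -nn -i lo port 80 -l` output through a pipe and a flow with `synack` set but `ack` never set is a half-open connection, which is a common thing to look for in a capture.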

Saving in a file for wireshark

To save the capture in a file that wireshark can open, use (-s 0 captures whole packets rather than truncating them; -w writes the raw packets in pcap format, so the -A and -l options do not affect the file contents):

tcpdump -s 0 -Ali lo port 80 -w filename.txt

Examples

dhcp

You can watch for DHCP traffic (UDP ports 67 and 68) on interface eth1 using:

tcpdump -i eth1 port 67 and port 68

SNMP

You can display incoming SNMP traps (UDP port 162) as a hex dump using (-l line-buffers tcpdump's output so it reaches hexdump immediately instead of when the buffer fills):

tcpdump -A port 162 -l | hexdump -C

See also