Saturday, August 16, 2014

Using tcpdump with Linux

I find tcpdump a very powerful and useful tool for sniffing network traffic from a Linux box. It is independent of the distro you are working on and very easy to learn. Its simplicity lies in the command line shell, and it can be very useful for remote troubleshooting of server and desktop systems.


It is a built-in package that exists in various distros and can be used to capture received and transmitted packets over a complete network or only from a single host. There is a set of options and switch flags that can be used with this command.
I will try to demonstrate a couple of them, the ones that I find useful, with an explanation:
  • -i any: listen on any interface that is available on the system
  • -n: do not resolve hostnames
  • -c: capture the given number of packets and then stop (useful for not getting too much information)
  • -e: print the Ethernet header along with the capture
  • -E: decrypt IPsec traffic by providing the secret key
Simple usage of tcpdump for viewing packets can be done with a couple of command line options. Whether you want to go into the details of the packets or only a basic view, it can be displayed on the command line.

tcpdump -nS: simple view of packet communication inside the network
tcpdump -nnvvS: more advanced packet view with more verbosity
tcpdump -nnvvXS: a deeper look into the packet with the content details (derived from the GUI)

We can now do an example of displaying only two TCP packets with a deeper view of the content. This simple command will show us two packets with their content and headers.

tcpdump -nnvXSs 0 -c2 tcp



A more specific goal is not to have too much traffic displayed on the shell. This leaves what is not needed out of the picture and makes troubleshooting much easier.

To see the traffic coming from a particular host we can use the following command:

tcpdump host 192.168.1.100

Another useful command is writing a certain type of traffic into a capture file for later troubleshooting:

tcpdump -s 1514 port 21 -w output.txt

And for the final packet capture command in this blog, you can use a simple filter to show only IPv6 traffic:

tcpdump ip6

This is only a small demonstration of this powerful tool. More can be read in the man pages or in similar sysadmin books. Feel free to share and comment.