How to capture traffic with tcpdump linux

HowtTos / December 17, 2019 / By:

Contents

  1. How to monitor all packages for a  Network device?
  2. How to monitor all traffic for a specific port(HTTP)?
  3. How to monitor all traffic for a specific protocol?
  4. How to set  cron jobs  for  tcpdump?
  5. How to display all FTP sessions to host?
  6. How to use  Wireshark to view detailed information about packages?
  7. How to check packages which come from a specific host and port?
  8. How to find out a specific network interface switch port number?
  9. Some  Useful Information:

Tcpdump is a  network traffic monitoring tool which uses for analyzing network packages. This knowledgebase describes how to capture all traffic for a specific port or protocol in Linux with  "tcpdump" tool. This method can save lots of time while debugging network or server related problems.

  • How to monitor all packages for a  Network device?

#tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

  • How to monitor all traffic for a specific port(HTTP)?

#tcpdump -i eth0 'port 8080'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
#tcpdump -ni eth0 'dst 192.168.1.5 and tcp and port http'[/shell]

Capture all packages for port  8080  and print only packets that contain data.

#tcpdump 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
#tcpdump -vv -x -X -s 1500 -i eth1 'port 25'

  • How to monitor all traffic for a specific protocol?

#tcpdump -i eth0 ip
#tcpdump -i eth0 arp
#tcpdump -i eth0 udp
#tcpdump -i eth0 tcp
#tcpdump -i eth0 icmp
Option Details
-vv Get more verbose output
-x Print the data of each packet.
-s Capture full  packet size.By default  it's setted  to  68
-i Network  interface
-w Write the raw packets to a file rather than parsing and printing them out
-c Exit after receiving count packets that  specified.
-n Convert host adress to name

  • How to set  cron jobs  for  tcpdump?

Let's say every day for a specific  time your server getting a problem with network or package problem. You think that it can be related to a hacker attack. So you need to define a  cron job to find out the problem root cause.

This crontab job will capture  50000 packages at 01:00 for every day. Then you can check this file at a specified time.

#crontab  -e
0 1 * * * /usr/sbin/tcpdump -n -c 50000 -w /tmp/port.80..80.txt >/dev/null 2>&1 
#tcpdump -X -vv -r /tmp/port.80.80.txt

  • How to display all FTP sessions to host?

#tcpdump -i eth1 'dst hostxx and (port 21 or 20'

  • How to use  Wireshark to view detailed information about packages?

#tcpdump -n -i eth0 -s 0 -w outputx.txt src or dst port 8080

  • How to check packages which come from a specific host and port?

#tcpdump -s0 -nn -i eth1 host x.x.x.x and port 22

  • How to find out a specific network interface switch port number?

#tcpdump -nn -v -i eth5 -s 1500 -c 1 'ether[20:2]==0x2000'       // switch port  information with Cisco Discovery Protocol(CDP)
#tcpdump -v -i eth5 -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)' // Vendor-neutral Data Link Layer protocol (LLDP)
#tcpdump -v -i eth5 -s 1500 -c 1 'ether[20:2] == 0x2000' 2>&1 |egrep 'Device-ID|Port-ID|VLAN'

Some  Useful Information:

UDP  Header 
  0      7 8     15 16    23 24    31  
 +--------+--------+--------+--------+ 
 |     Source      |   Destination   | 
 |      Port       |      Port       | 
 +--------+--------+--------+--------+ 
 |                 |                 | 
 |     Length      |    Checksum     | 
 +--------+--------+--------+--------+ 
 |                                   | 
 |              DATA ...             |
 +-----------------------------------+
TCP Header 
	0                   1                   2                   3   
	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|          Source Port          |       Destination Port        |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                        Sequence Number                        |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                    Acknowledgment Number                      |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|  Data |       |C|E|U|A|P|R|S|F|                               |
	| Offset|  Res. |W|C|R|C|S|S|Y|I|            Window             | 
	|       |       |R|E|G|K|H|T|N|N|                               |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|           Checksum            |         Urgent Pointer        |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                    Options                    |    Padding    |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                             data                              |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IP  Header 
	0                   1                   2                   3   
	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|Version|  IHL  |Type of Service|          Total Length         |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|         Identification        |Flags|      Fragment Offset    |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|  Time to Live |    Protocol   |         Header Checksum       |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                       Source Address                          |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                    Destination Address                        |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                    Options                    |    Padding    |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	|                            DATA ...                           |
	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Tagged In:

I'm a IT Infrastructure and Operations Architect with extensive experience and administration skills and works for Turk Telekom. I provide hardware and software support for the IT Infrastructure and Operations tasks.

205 Total Posts
Follow Me

Related Post

TCP 3-Way Handshake
October 19, 2019

TCP 3-Way Handshake