Tcpdump is a command-line network traffic monitoring tool used to analyze network packets. This knowledge base article describes how to capture all traffic for a specific port or protocol on Linux with the "tcpdump" tool. This can save a lot of time when debugging network or server related problems.
-
How to monitor all packets on a network interface?
#tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
-
How to monitor all traffic for a specific port (HTTP)?
#tcpdump -i eth0 'port 8080'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
#tcpdump -ni eth0 'dst 192.168.1.5 and tcp and port http'
Capture all packets for port 8080 and print only the segments that carry data (the expression subtracts the IP header length and the TCP header length from the IP total length, so it is non-zero only when there is a payload):
#tcpdump 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
#tcpdump -vv -x -X -s 1500 -i eth1 'port 25'
-
How to monitor all traffic for a specific protocol?
#tcpdump -i eth0 ip
#tcpdump -i eth0 arp
#tcpdump -i eth0 udp
#tcpdump -i eth0 tcp
#tcpdump -i eth0 icmp
Option | Details
-vv    | More verbose output
-x     | Print the data of each packet in hex
-s     | Snapshot length: how many bytes of each packet to capture. By default it is set to 68; use -s 0 to capture the full packet
-i     | Network interface to listen on
-w     | Write the raw packets to a file rather than parsing and printing them out
-c     | Exit after receiving the specified number of packets
-n     | Do not convert host addresses (or port numbers) to names
-
How to set up a cron job for tcpdump?
Let's say that every day at a specific time your server runs into a network or packet problem. You suspect it could be related to an attack, so you define a cron job that captures traffic at that time and lets you find the root cause.
This crontab entry captures 50000 packets every day at 01:00. You can then examine the file afterwards.
#crontab -e
0 1 * * * /usr/sbin/tcpdump -n -c 50000 -w /tmp/port.80.80.txt >/dev/null 2>&1
#tcpdump -X -vv -r /tmp/port.80.80.txt
-
How to display all FTP sessions to a host?
#tcpdump -i eth1 'dst hostxx and (port 21 or 20)'
-
How to use Wireshark to view detailed information about packets?
#tcpdump -n -i eth0 -s 0 -w outputx.txt src or dst port 8080
Then open outputx.txt in Wireshark: the file written by -w is in pcap format regardless of the extension, and -s 0 makes sure whole packets are saved.
-
How to check packets which come from a specific host and port?
#tcpdump -s0 -nn -i eth1 host x.x.x.x and port 22
-
How to find out which switch port a network interface is connected to?
#tcpdump -nn -v -i eth5 -s 1500 -c 1 'ether[20:2]==0x2000'   // switch port information via Cisco Discovery Protocol (CDP)
#tcpdump -v -i eth5 -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'   // vendor-neutral LLDP (EtherType 0x88cc) or CDP
#tcpdump -v -i eth5 -s 1500 -c 1 'ether[20:2] == 0x2000' 2>&1 | egrep 'Device-ID|Port-ID|VLAN'
CDP and LLDP announcements are sent periodically (by default every 60 and 30 seconds respectively), so with -c 1 the capture may wait up to a minute for the first frame.
Some Useful Information:
UDP Header

                  0      7 8     15 16    23 24    31
                 +--------+--------+--------+--------+
                 |     Source      |   Destination   |
                 |      Port       |      Port       |
                 +--------+--------+--------+--------+
                 |                 |                 |
                 |     Length      |    Checksum     |
                 +--------+--------+--------+--------+
                 |                                   |
                 |             DATA ...              |
                 +-----------------------------------+
TCP Header

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Acknowledgment Number                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |       |C|E|U|A|P|R|S|F|                               |
   | Offset| Res.  |W|C|R|C|S|S|Y|I|            Window             |
   |       |       |R|E|G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |        Urgent Pointer         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IP Header

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Identification         |Flags|     Fragment Offset     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Time to Live  |   Protocol    |        Header Checksum        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Source Address                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Destination Address                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           DATA ...                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
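The Python script below is an added example; it is not part of the original article and not code from the tcpdump project. It ties together three parts of this page: the capture file that -w writes and -r reads back, the field offsets in the header diagrams above, and the "only segments with data" filter `tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)`. It parses a classic pcap file, decodes Ethernet, IPv4, TCP and UDP headers by those offsets, and computes the TCP payload length with the same arithmetic as the filter. The sample capture (MAC and IP addresses, ports, timestamps) is constructed inside the script and is not real traffic; checksums are left zero because nothing here validates them.

```python
import struct

# Values from the header layouts above. Constructed demo only: no live interface is touched.
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
LINKTYPE_ETHERNET = 1            # EN10MB, the link-type tcpdump reports for eth0


def tcp_segment(sport, dport, flags, payload=b""):
    """TCP header (Data Offset = 5 words, no options) + payload. Checksum left 0: demo data only."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload


def udp_datagram(sport, dport, payload=b""):
    """UDP header: source port, destination port, length (header + data), checksum."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_frame(src, dst, proto, l4):
    """Ethernet II frame carrying an IPv4 header (IHL = 5, no options) and a layer-4 segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def pcap_file(frames, linktype=LINKTYPE_ETHERNET):
    """Classic pcap container as written by tcpdump -w: 24-byte global header, 16-byte record headers."""
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    body = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return head + body


def read_pcap(data):
    """Yield the captured bytes of each record; handles both byte orders of the magic number."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only EN10MB captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP/UDP using the field offsets from the header diagrams."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                                   # not IPv4 (e.g. ARP); the filter would drop it
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) << 2                         # tcpdump: (ip[0]&0xf)<<2  -> header bytes
    total_len = struct.unpack_from("!H", ip, 2)[0]    # tcpdump: ip[2:2]
    l4 = ip[ihl:total_len]
    rec = {"src": ".".join(str(b) for b in ip[12:16]),
           "dst": ".".join(str(b) for b in ip[16:20]),
           "sport": struct.unpack_from("!H", l4, 0)[0],
           "dport": struct.unpack_from("!H", l4, 2)[0]}
    if ip[9] == PROTO_TCP:
        doff = (l4[12] & 0xF0) >> 2                   # tcpdump: (tcp[12]&0xf0)>>2 -> header bytes
        rec.update(proto="tcp", flags=l4[13], payload=total_len - ihl - doff)
    elif ip[9] == PROTO_UDP:
        rec.update(proto="udp", payload=struct.unpack_from("!H", l4, 4)[0] - 8)
    else:
        rec.update(proto=str(ip[9]), payload=total_len - ihl)
    return rec


def tcp_data_segments(pcap_bytes, port):
    """Offline equivalent of  tcpdump -r FILE 'tcp port PORT and (<payload length> != 0)'."""
    return [rec for rec in map(decode_frame, read_pcap(pcap_bytes))
            if rec and rec["proto"] == "tcp" and port in (rec["sport"], rec["dport"])
            and rec["payload"] != 0]


# Constructed sample capture: a TCP handshake with one data segment to port 8080, a UDP
# datagram, and a data segment to another port. None of this is real traffic.
SAMPLE_PCAP = pcap_file([
    ipv4_frame("192.168.1.10", "192.168.1.5", PROTO_TCP, tcp_segment(40000, 8080, 0x02)),   # SYN
    ipv4_frame("192.168.1.5", "192.168.1.10", PROTO_TCP, tcp_segment(8080, 40000, 0x12)),   # SYN/ACK
    ipv4_frame("192.168.1.10", "192.168.1.5", PROTO_TCP,
               tcp_segment(40000, 8080, 0x18, b"GET / HTTP/1.1\r\n\r\n")),                # PSH/ACK + data
    ipv4_frame("192.168.1.10", "192.168.1.1", PROTO_UDP, udp_datagram(5353, 53, b"\x00" * 12)),
    ipv4_frame("192.168.1.10", "192.168.1.5", PROTO_TCP,
               tcp_segment(40001, 22, 0x18, b"SSH-2.0-demo\r\n")),
])

if __name__ == "__main__":
    for rec in tcp_data_segments(SAMPLE_PCAP, 8080):
        print(rec)
```

Run it as a script to print the one segment that carries data, or pass the bytes of a real file written with -w to tcp_data_segments(). The payload count comes from the IP Total Length field, exactly as in tcpdump's filter, so it stays correct even when a small snapshot length (-s) truncated the captured bytes, as long as at least the layer-4 header was captured.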