Tcpdump is a tool to dump traffic on a network.This data can be dumped to file or viewed normally.
Examples
List of network interfaces
[email protected]:~$ sudo tcpdump -D 1.eth0 2.any (Pseudo-device that captures on all interfaces) 3.lo
Capture all traffic path in eth0 then write it to file named "tcpdumpfile" and set the each file size to be around 3M without
trying to resolve IP/Port name
[[email protected] ~]# sudo tcpdump -nnxX -i eth0 -w tcpdumpfile -C 3 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 82 packets captured 166 packets received by filter 0 packets dropped by kernel
To print all packets arriving from or departing to 10.0.2.2
[[email protected] ~]# sudo tcpdump -nnvvv -i eth0 host 10.0.2.2 tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 07:14:13.748986 IP (tos 0×0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.0.2.15 > 10.0.2.2: ICMP echo request, id 56073, seq 1, length 64 07:14:13.749484 IP (tos 0×0, ttl 255, id 6544, offset 0, flags [DF], proto: ICMP (1), length: 84) 10.0.2.2 > 10.0.2.15: ICMP echo reply, id 56073, seq 1, length 64
capture all traffic dst to http port and coming form my loop back interface
[[email protected] ~]# sudo tcpdump -vvv -i lo dst port http tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes 07:18:39.937891 IP (tos 0×0, ttl 55, id 52591, offset 0, flags [none], proto: TCP (6), length: 44) localhost.36901 > 10.0.2.15.http: S, cksum 0xc515 (correct), 1306286511:1306286511(0) win 4096 <mss 1460> 07:18:40.937973 IP (tos 0×0, ttl 39, id 62265, offset 0, flags [none], proto: TCP (6), length: 44) localhost.36902 > 10.0.2.15.http: S, cksum 0xc514 (correct), 1306352046:1306352046(0) win 4096 <mss 1460>
capture all Address Resolution Protocol (ARP) packets
[[email protected] ~]# sudo tcpdump -nnevvv -c 3 arp tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 07:23:47.914195 08:00:27:ed:89:bd > ff:ff:ff:ff:ff:ff, ethertype ARP (0×0806), length 42: arp who-has 10.0.2.3 tell 10.0.2.15 07:23:47.914514 52:54:00:12:35:03 > 08:00:27:ed:89:bd, ethertype ARP (0×0806), length 60: arp reply 10.0.2.3 is-at 52:54:00:12:35:03 07:23:54.698897 08:00:27:ed:89:bd > ff:ff:ff:ff:ff:ff, ethertype ARP (0×0806), length 42: arp who-has 10.0.2.2 tell 10.0.2.15 3 packets captured 7 packets received by filter 0 packets dropped by kernel
Try to capture icmp traffic AND to or from the host 10.0.2.2
[[email protected] ~]# sudo tcpdump -nn icmp host 10.0.2.2 tcpdump: ‘icmp’ modifier applied to host [[email protected] ~]#