The packet-sniffing utility tcpdump is able to read, parse, and display network activity coming to and going from your computer. On most *nix operating systems, tcpdump is available, but it also has a Windows brother called WinDump.
You may already have tcpdump installed. It comes with many flavors of Linux. To find out, type which tcpdump in your terminal. On CentOS, it's at /usr/sbin/tcpdump. If it's not installed, you can install it using sudo yum install -y tcpdump or via the package manager available on your system, such as apt-get.
The simplest usage lets you begin monitoring packets on any network interface you have by running tcpdump -i any. The -i argument indicates an interface. You will then immediately begin seeing network activity fly by, which will seem overwhelming. Who knew so much went on under the hood?
If you have multiple network interfaces on the machine you're running tcpdump on, you can limit that monitoring down to a single interface. But first you'll need to figure out what that interface is called. To do this, run tcpdump -D. This command will return a list of all interfaces tcpdump detects.
Once you know the interface you'd like to monitor (usually eth0), you can then begin monitoring packets on that interface by providing the interface name to the -i argument, for example, tcpdump -i eth0.
Without providing additional arguments, tcpdump will return all packets continuously. One way to limit the number of packets returned is by using the -c argument. This argument allows you to provide the maximum number of packets to return. For example, if I'd like to monitor and capture only 1,000 packets on the eth0 interface, I could use tcpdump -i eth0 -c 1000.
In the first screenshot, you can see that tcpdump resolves the hosts and ports your machine is communicating with to names. When troubleshooting network problems, it's sometimes easier to see the IP addresses and port numbers instead. To prevent converting IP addresses and ports to names, you can use the -nn argument. The first n prevents hostname resolution and the second n prevents port name conversion.
One common issue admins run into when monitoring network activity is that they have SSHed or RDPed into the machine remotely. By default, tcpdump captures all network activity, including the traffic you yourself generate by being connected to the server, and you'll usually want to keep that out of the capture.
You can filter out traffic meeting specific criteria in tcpdump. For example, to include only traffic to and from (src/dst) a particular IP address, use host X.X.X.X. To include only traffic to and from a particular port, you can use port XX.
For example, when SSHing to a remote computer and running tcpdump, you'll want to filter out all the SSH traffic to and from your own host. The filtering logic in tcpdump also lets you build complex expressions. In this example, I'd like to exclude only the SSH traffic originating from or going to one particular IP address, my own:
tcpdump "not (host X.X.X.X and port 22)"
Perhaps you'd like to limit output to a specific protocol. To do this, you can use the proto expression followed by the protocol name prefaced with two backslashes, like tcpdump proto \\icmp (the shell consumes one backslash, so tcpdump itself sees \icmp, which keeps the name from being read as the icmp keyword). There are many different ways to filter output.
Finally, a common use of tcpdump is to perform the raw capture and process the results via another tool like Wireshark. You can capture output using the -w argument and provide the path of the file to capture to, like tcpdump -w packets.pcap.
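Putting the filtering, -nn, -c and -w options together, here is an added example (not from the original post) of a small POSIX sh script that works out your own SSH client address from the SSH_CONNECTION variable sshd sets, builds the exclusion filter shown above, and captures a bounded number of packets to a pcap file. The function and variable names are my own; running the capture itself requires root and a real interface.

```shell
#!/bin/sh
# Added example: capture on an interface while excluding the operator's
# own SSH session, with no name resolution, to a pcap for Wireshark.

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
# Return the first field (the client IP); empty when not connected via SSH.
ssh_client_ip() {
    printf '%s' "${1%% *}"
}

# Build the BPF filter: everything except SSH traffic to/from that client.
# Returns an empty string when there is no session to exclude.
build_filter() {
    client="$1"
    if [ -n "$client" ]; then
        printf 'not (host %s and port 22)' "$client"
    fi
}

# run_capture <interface> <packet count> <output file>
# Example: run_capture eth0 1000 packets.pcap   (needs root)
run_capture() {
    iface="$1"; count="$2"; outfile="$3"
    client=$(ssh_client_ip "${SSH_CONNECTION:-}")
    filter=$(build_filter "$client")
    if [ -n "$filter" ]; then
        echo "Excluding own SSH session: $filter" >&2
        tcpdump -i "$iface" -nn -c "$count" -w "$outfile" "$filter"
    else
        echo "No SSH session detected; capturing everything" >&2
        tcpdump -i "$iface" -nn -c "$count" -w "$outfile"
    fi
}
```

Open the resulting file in Wireshark afterwards; the exclusion only removes your own port 22 traffic, so other SSH sessions to the server are still captured.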
tcpdump is a great tool to capture network activity for network monitoring and troubleshooting purposes. Through its many ways to capture traffic and its detailed filtering capabilities, it allows administrators to home in on exactly the kind of traffic they need to capture.