What is tcpdump?
The opening sentence of the manpage description puts it well: “… Tcpdump prints out a description of the contents of packets on a network interface …”
It lets you capture every incoming and outgoing packet on an interface and either display it directly on your command line or save it to a file for further analysis with Wireshark.
The tcpdump command also lets you set a “capture filter” so that only the packets you are interested in are saved.
If you want to get a first feeling for capture filters, refer to Introduction to Wireshark – Part 2.
How can I capture network traffic with tcpdump?
First of all you need tcpdump installed on your Linux instance, if it is not already available.
You can install tcpdump with the following command (requires root permissions): yum install tcpdump
After the installation you should find tcpdump at the following location: /usr/sbin/tcpdump
There are now two ways to capture network traffic:
- Capture network traffic and show it directly on the command line
Use the following command to show your network traffic for interface eth0 (-vvv selects the most verbose output): /usr/sbin/tcpdump -i eth0 -vvv
- Capture network traffic and save it to a file
Use the following command to save your network traffic for interface eth0 to a file called tcpdump.pcap in folder /tmp/: /usr/sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap
There is an additional option that is important to know: “-s snaplen” captures only the first snaplen bytes of data from each packet.
If you don’t specify the -s option, tcpdump captures the default size (262144 bytes). To save file space you can choose to capture only the first bytes of each packet, for example just the headers.
Other examples to capture network traffic:
- Use the following command to save your network traffic for interface eth0 to a file called tcpdump.pcap in folder /tmp/ and capture only packets related to IP address 10.1.2.3: /usr/sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap host 10.1.2.3
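The commands above all follow the same pattern: interface (-i), output file (-w), optional snaplen (-s) and a capture filter at the end. The following POSIX shell snippet is an added example, not the author's script and not part of the original article: it composes that command line from parameters and validates them first, so that a script wrapping tcpdump never hands unchecked input to a process that runs as root. The path /usr/sbin/tcpdump, the flags -i, -w, -s and the filter syntax "host 10.1.2.3" are taken from the article; -nn (do not resolve host or port names) is a standard tcpdump flag added here so that the capture host does not generate DNS lookups that would then appear in its own capture. The helper names build_capture_cmd and run_capture are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): compose and validate a
# tcpdump capture command before anything is executed with root rights.
# Assumed flags: -i IFACE, -w FILE, -s SNAPLEN, -nn, plus a BPF filter
# such as "host 10.1.2.3". Nothing runs tcpdump unless run_capture is called.

# build_capture_cmd IFACE OUTFILE SNAPLEN [FILTER...]
# Prints the full command line on stdout; returns 1 on invalid input.
build_capture_cmd() {
    iface=$1; outfile=$2; snaplen=$3
    shift 3
    filter=$*

    # Interface names are short and must not contain shell metacharacters,
    # otherwise a caller-supplied value could smuggle extra commands along.
    case $iface in
        ''|*[!A-Za-z0-9_.:-]*) echo "bad interface name: '$iface'" >&2; return 1 ;;
    esac
    # Snaplen must be a non-negative integer (0 means the default maximum
    # in tcpdump 4.x); anything else is rejected.
    case $snaplen in
        ''|*[!0-9]*) echo "bad snaplen: '$snaplen'" >&2; return 1 ;;
    esac
    # Only write into an existing directory so tcpdump does not fail late,
    # after it has already opened the interface.
    outdir=$(dirname "$outfile")
    [ -d "$outdir" ] || { echo "no such directory: $outdir" >&2; return 1; }

    # -nn: do not resolve hostnames or port names (no DNS traffic from the
    #      capture host, no waiting on slow resolvers)
    cmd="/usr/sbin/tcpdump -nn -i $iface -s $snaplen -w $outfile"
    [ -n "$filter" ] && cmd="$cmd $filter"
    printf '%s\n' "$cmd"
}

# run_capture IFACE OUTFILE SNAPLEN [FILTER...]
# Builds the command and only then executes it, as root, if tcpdump exists.
run_capture() {
    cmd=$(build_capture_cmd "$@") || return 1
    [ -x /usr/sbin/tcpdump ] || { echo "tcpdump not installed" >&2; return 1; }
    echo "running: $cmd"
    # Word-splitting the validated command string is intended here.
    sudo $cmd
}

# Usage (constructed values): capture only the first 96 bytes of every
# packet to or from 10.1.2.3 on eth0 into /tmp/tcpdump.pcap.
# run_capture eth0 /tmp/tcpdump.pcap 96 host 10.1.2.3
```

Keeping the validation in a separate function means the same checks apply whether the script is started by hand, from CRON or from another tool, and the composed command can be logged or reviewed before the capture starts.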
You can also use the tcpdump command within a script. I created a script to help you capture network traffic:
I already mentioned it on my other pages:
Daily (even hourly) I use sentences like “let’s take a tcpdump…” or “I think the best way to start attacking that problem is with a tcpdump…”.
It has been very helpful in my career and it usually leads to the right path to the problem.
Check also my article “Schedule TCPDUMP with CRON”.