Use tcpdump for network debugging


Tcpdump is an extremely useful command-line packet capture and tracing tool. While not as feature-rich as programs such as Wireshark, it can write the raw packets it captures to a file in the libpcap format that Wireshark and many other tools read, and its one-line-per-packet text output is easy to feed into scripts for further analysis. In a pinch, and for network debugging, tcpdump works wonders.

For instance, if you wanted to watch the packets to and from port 80 in real time, i.e., to see where packets were coming from or being sent to, you would use:

# tcpdump -i eth1 tcp port 80

This will monitor the interface eth1 for all traffic being sent to or from port 80. Suppose you suspect your system of high amounts of outbound traffic to other Web sites; you can tune this command further so that it only watches outbound traffic to port 80, ignoring all inbound traffic on port 80:

# tcpdump -i eth1 tcp dst port 80 and src host 192.168.0.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:23:02.435235 IP localsystem.47270 > frontal2.mandriva.com.http: S 1119588236:1119588236(0) win 5840 <mss 1460,sackOK,timestamp 5110073 0,nop,wscale 2>
15:23:02.603021 IP localsystem.47270 > frontal2.mandriva.com.http: . ack 2575114973 win 1460 <nop,nop,timestamp 5110114 53440877>
...

In the above example, the IP address 192.168.0.10 is the IP address associated with the interface eth1 on the system, and frontal2.mandriva.com is the remote address being contacted.

As you can see from the output, tcpdump provides a lot of information. If you don't need the TCP flags, sequence numbers and options and just want to see the connections themselves, use the -q (quiet) option:

# tcpdump -q -i eth1 tcp dst port 80 and src host 192.168.0.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:23:53.198419 IP localsystem.47271 > frontal2.mandriva.com.http: tcp 0
15:23:53.366309 IP localsystem.47271 > frontal2.mandriva.com.http: tcp 0
...

If you are only interested in IP addresses, use the -n option. This stops tcpdump from translating host addresses and port numbers into names, so 192.168.0.10 would not be translated to "localsystem" (the hostname associated with the IP), and port 80 would not be translated to "http." It also avoids the reverse DNS lookups that can slow the capture down and that themselves generate traffic on the interface you are watching.
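Putting the article's point about feeding tcpdump output to other programs together with the outbound-to-port-80 case above: the following is an added example, not code from the article, that reads `tcpdump -n -q` output and summarises it per destination host, so a suspected outbound-traffic problem can be narrowed to the remote hosts involved. The sample lines are constructed (documentation address ranges, not a real capture), and the parser assumes the -n -q line format shown on this page, where with -n the address and port are joined by a dot.

```shell
#!/bin/sh
# Added example: summarise `tcpdump -n -q` output per destination host.
# Not from the article; the sample lines below are constructed and use
# documentation address ranges, not real capture data.

SAMPLE='15:23:53.198419 IP 192.168.0.10.47271 > 203.0.113.5.80: tcp 0
15:23:53.366309 IP 192.168.0.10.47271 > 203.0.113.5.80: tcp 0
15:23:54.001200 IP 192.168.0.10.47272 > 198.51.100.7.80: tcp 0
15:23:54.110455 IP 192.168.0.10.47272 > 198.51.100.7.80: tcp 0
15:23:55.220001 IP 192.168.0.10.47273 > 203.0.113.5.80: tcp 0
15:23:56.330112 IP 192.168.0.10.47274 > 192.0.2.9.80: tcp 0
15:23:57.000000 IP6 fe80::1.47275 > fe80::2.80: tcp 0'

# Read tcpdump -n -q lines on stdin and print, busiest first:
#   <dst host> <packets> <distinct source ports>
# Distinct source ports approximate connections, since each outbound TCP
# connection uses its own ephemeral port. IPv4 lines only ("IP", not "IP6"):
# the dotted address.port form that -n prints is what the split relies on,
# and IPv6 addresses would need a different parse.
top_outbound_dests() {
    awk '$2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)                 # strip the trailing colon
        split(dst, d, ".")                           # a.b.c.d.port
        host = d[1] "." d[2] "." d[3] "." d[4]
        split($3, s, ".")                            # source a.b.c.d.port
        sport = s[5]
        pkts[host]++
        if (!((host, sport) in seen)) { seen[host, sport] = 1; conns[host]++ }
    }
    END { for (h in pkts) printf "%s %d %d\n", h, pkts[h], conns[h] }' \
    | sort -k2,2nr -k1,1
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | top_outbound_dests

# Live use (needs root; -l line-buffers stdout so the pipe sees each packet,
# -c bounds the run so awk reaches its END block):
#   tcpdump -l -n -q -c 500 -i eth1 'tcp dst port 80 and src host 192.168.0.10' | top_outbound_dests
```

On the sample this prints 203.0.113.5 first with 3 packets over 2 source ports, then 198.51.100.7 and 192.0.2.9. The same pipeline works on a saved capture read back with `tcpdump -n -q -r file.pcap`.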

Despite being a command-line tool, tcpdump makes network diagnosis and troubleshooting easy. Its filter expressions let you fine-tune exactly which packets you want to see; you can watch the output in real time for quick on-the-job diagnostics, or write the raw packets to a file with -w and read them back later with -r, either in tcpdump or in Wireshark. Note the "capture size 96 bytes" line in the output above: this version keeps only the first 96 bytes of each packet by default, enough for the headers but not for payloads, so pass -s 0 if you need whole packets on disk. Capturing also requires root privileges (or the equivalent raw-socket capabilities). Tcpdump is typically included with every Linux distribution, although it may not be installed by default.


About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

5 comments
gizeh1976

Nice instructions. Do you know which instruction I can use in order to send packets to my network from another terminal, in order to detect them with the tcpdump command?

jacksondkg

Useful program and options. I have been using this tool for about two years; it has been very helpful. Show novices how to install the program.

eranmann

tshark, the command-line version of Wireshark (http://www.wireshark.org), provides a much more comprehensive solution, including deep parsing of gazillions of protocols.

nils_pat

But it doesn't come by default; you have to install it specifically. If I am not making a mistake, I feel tcpdump comes with every OS.

Photogenic Memory

I didn't know I had this installed on my system. I thought I just had Wireshark for the GUI. I just typed "tshark" in Bash with no other parameters and it's recording so much detailed information about my system, the network, and all the packets it's encountering! Amazing and so much more verbose than tcpdump! In addition, IT'S EASIER TO UNDERSTAND!? Thank you for posting. P.S. All that's needed now is to redirect the command output to a text file via > or >> and it makes for a great read at your leisure.